15 research outputs found

    Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape

    One year ago, Russia invaded Ukraine. Since then, tens of thousands of people have been killed, millions of Ukrainians have fled and the country has sustained tens of billions of dollars worth of damage. Importantly, this marks the first time that cyber operations have played such a prominent role in a world conflict. Since the war began, governments, companies, civil society groups, and countless others have been working around the clock to support the Ukrainian people and their institutions. At Google, we support these efforts and continue to announce new commitments and support to Ukraine. This includes a donation of 50,000 Google Workspace licenses for the Ukrainian government and a rapid Air Raid Alerts system for Android phones in Ukraine, support for refugees, businesses, and entrepreneurs, and measures to indefinitely pause monetization and significantly limit recommendations globally for a number of Russian state news media across our platforms. One of the most pressing challenges, however, is that the Ukrainian government is under near-constant digital attack. That’s why one of our most important contributions to date has been our ongoing work to provide cybersecurity assistance to Ukraine. Shortly after the invasion, for example, we expanded eligibility for Project Shield, our free protection against distributed denial of service attacks (DDoS), so that Ukrainian government websites and embassies worldwide could stay online and continue to offer their critical services. We continue to provide direct assistance to the Ukrainian government and critical infrastructure entities under the Cyber Defense Assistance Collaborative — including compromise assessments, incident response services, shared cyber threat intelligence, and security transformation services — to help the Ukrainian government detect, mitigate, and defend against cyber attacks. 
In addition, we continue to implement protections for users and track and disrupt cyber threats to help raise awareness among the security community and high risk users and maintain information quality. This level of collective defense — between governments, companies, and security stakeholders across the world — is unprecedented in scope. It is important then to pause and reflect on this work and our learnings one year later, and share those with the global security community to help prepare better defenses for the future. This report outlines our analysis of these issues and includes the following three observations, informed by over two decades of experience managing complex global security events

    FireEye: M-Trends Report 2020

    In previous editions of M-Trends, we observed that some things change while others stay the same. For example, M-Trends 2010 discussed how phishing was the most common and successful method that APT (advanced persistent threat) groups used to gain initial access to an organization. That has not changed. Many of the case studies in M-Trends 2020 also begin with phishing, perpetuating the widespread belief that people are often the weakest link in the security chain

    Hunting observable objects for indication of compromise

    Shared Threat Intelligence is often imperfect. Especially so-called Indicators of Compromise might not be well constructed. This might either be the case if the threat only appeared recently and recordings do not allow for construction of high quality Indicators or the threat is only observed by sharing partners less capable to model the threat. However, intrusion detection based on imperfect intelligence yields low quality results. Within this paper we illustrate how one is able to overcome these shortcomings in data quality and is able to achieve solid intrusion detection. This is done by assigning individual weights to observables listed in a STIX™ report to express their significance for detection. For evaluation, an automatized toolchain was developed to mimic the Threat Intelligence sharing ecosystem from initial detection over reporting, sharing, and determining compromise by STIX™-formatted data. Multiple strategies to detect and attribute a specific threat are compared using this data, leading up to an approach yielding an F1-Score of 0.79

    Cyber-Security Hazards in Society

    Cyber-security hazards in society are viewed in the context of tensions, disasters, and development opportunities. The tension is essentially that between the physical and spiritual world as we know it and the challenge given by virtual cyberspace to this traditional understanding. The hazards can clearly cause disasters but can also create development opportunities. Beginning with a brief historical review of what is known, what is not known, and definitions of terms, the chapter moves on to look at the very different environments and difficulties created within cyberspace in the political, economic, social, technological, environmental, and legal arenas. Additionally, life, military, organizational, critical infrastructure, criminal, and moral hazards are explored. The analysis reveals some familiar, some surprising, and some unknown features of these hazards. The reluctant conclusion is that some form of regulation is required to ensure that society as a whole is protected from cyber-security hazards