
Darryl Crowe Cyber Intelligence Plan


Darryl Crowe

Cyber Intelligence Plan

February 28th, 2022

CSOL-580 Intelligence

Professor Biedermann Jr

Contents

I. Executive Summary

II. Defining Cyber Threat Intelligence

a. Corporate America Intelligence

b. Government Intelligence

c. Interpreting Cyber Threat Intelligence

III. Security Tool Case Analyst

a. Threatlocker

b. Microsoft 365 Cloud Security Center

IV. Adversarial Assessment

V. Cyber Threat Intelligence Plan

a. Specific Threats

b. Threat Actor Intentions

c. Threat Actor Methodology

VI. Post-Mortem Report

a. Cyber Kill Chain

b. Case Study US Cellular 2021

c. Case Study Canva Security Incident 2019

VII. Recommendation
I. Executive Summary

This cyber threat intelligence plan covers the key factors that will help the organization reduce its attack surface. It draws on recent events at organizations similar to this one, and it explains and plans the use of intelligence to better protect and secure organizational assets. The plan is supported by case studies and by a post-mortem breakdown using the Lockheed Martin Cyber Kill Chain model, which supports the goal of reducing the attack surface exposed to a threat agent. Understanding a threat agent's intentions, along with how they would attack the company, is just as important as the cyber kill chain.

There are thousands of ways an attack can happen. Most are addressed through security patches, network appliances and other controls. What sets this cyber threat intelligence plan apart is that it identifies the major threats to the organization that need immediate attention to reduce the attack surface. Protecting endpoints from phishing emails, together with zero-trust endpoint protection, can defend against a large majority of the ways threat actors cause breaches.

II. Defining Cyber Threat Intelligence

To define cyber threat intelligence, it is important to understand the history of threat intelligence at a high level. In 1947 the National Security Act was created to help fight against the Russians through the Cold War. This matters because it marks the birth of communication, encryption, and decryption of messages. In 1952 the NSA was created by merging two military services, Army and Navy, for national security and intelligence. In 1978 FISA was created to assist with monitoring outside of the United States while keeping the US protected through intelligence. It allows for surveillance and collection of foreign intelligence information. In 2001 the USA PATRIOT Act was created to further assist intelligence against terrorism, sparked by the 9/11 attack on the United States. In 2015 the Snowden Effect happened. Although it is not an actual act, it is an important event between the government intelligence community and the private sector regarding what is communicated and how. It changed the trust between the private and public sectors due to the actions of Snowden and the leak of information to wiki.

A. Corporate America Intelligence

Corporate America defines cyber intelligence as gathering information, analyzing it, using it to benefit the company, and staying ahead of competitors. It is important to note that corporate America is in business for the money. Companies will use any information that gives them an advantage over the next company, which is common practice within all corporations. Other commonly gathered information includes users' cache and browsing history, which corporate America uses to target ads to those users on various other websites and in notifications. The information gathered is not always about the competitor; it is also about how to gain a larger client base to sell products to.

B. Government Intelligence

The government leaves the definition of “intelligence” vague because technology, methodologies and experience all change. It has left it up to the different departments (CIA, DoD, etc.) to determine what fits best for their department. This allows flexibility and adoption of what works best in each department to strengthen cyber protocols. Due to the Snowden effect, information is collected from vendors but not commonly shared with vendors. The government switched to the view that giving the least amount of information is better, in order to prevent another Snowden effect.

C. Interpreting Cyber Threat Intelligence

Many questions need to be asked and answered before cyber threat intelligence can be defined. The role, the position, and whether the sector is private or public are things that only the individual can answer, and knowing them helps in defining cyber threat intelligence. Both corporate America and the government have great definitions of cyber threat intelligence; if the two were combined, they would create a new, well-defined meaning of cyber threat intelligence.

That combined definition would involve giving the least amount of information while different departments collaborate and listen to events across the intelligence community. This can benefit the company or the government by making sure that the United States is safe, that threats are mitigated, or that the company makes money by making the right decisions. It is important to note that there are multiple definitions of threat intelligence, and staying active within the community will assist in defining cyber threat intelligence.

III. Security Tool Case Analyst

Security tools are commonly used to better protect information systems. Using the correct tools can make the difference between protection and false hope that ends in a breach. Zero-trust endpoint protection combined with the Microsoft 365 security center will have the biggest security impact, as users account for most breaches that happen. Making sure that phishing emails or malicious attachments are sandboxed, tested and then removed is an automated way to protect users’ mailboxes, while Threatlocker doesn’t allow anything to be installed unless the administrator allows it.

A. Threatlocker

“News of an Iranian hacker duping certification authority Comodo into issuing digital certificates to one or more unauthorized parties has caused an uproar in the IT community, moving some critics to call for Microsoft and Mozilla to remove Comodo as a trusted root certification authority from the systems under their control (CSOOnline 2022)”. This is one way an attacker can gain unauthorized access to a machine: through the certificates that websites use. The recent Log4J exploit, which targets Java logging used within various programs, is a second way for attackers to get into a system. The manpower required to create and monitor a zero-trust endpoint solution would cost too much, upwards of about $210,000 for 3 employees. Using a vendor can reduce the amount of time the security team needs to spend protecting the network and endpoints through zero-trust. Threatlocker is a strong zero-trust endpoint software that works below the kernel layer to protect endpoints from extension hacks, viruses being installed, or anything executable that is not whitelisted, which is stopped or sent for approval, including the installation of fake certificates.

The Gap

Threatlocker is a zero-trust endpoint protection product that blocks the installation of anything that is not whitelisted. This helps to mitigate any rogue employees in the future and protects the endpoints from fake certificate hacks, browser extension hacks and more. Programs are scanned using the program's metadata along with its hash, certificate, and signature, and with multiple scans against multiple databases. This will help secure company assets while employees work. The Log4J exploit could not have been executed even if it had gotten onto the network, as Threatlocker would have blocked it. The zero-trust endpoint protection fits into the zero-trust network scheme that is implemented.

Threatlocker TCO/ROI

Threatlocker Cost Breakdown

Per endpoint $2.00

Per month $200.00

Per Year $2,400.00

Threatlocker provides a CyberHero service that permits programs after researching them for the company. This saves the time otherwise needed to allocate team members to resolve issues. Threatlocker also saves the cost of hiring another team to monitor the network and endpoints for software. Log4J was blocked by Threatlocker before anyone could exploit the Java software or deliver payloads to endpoints from a malicious server. This program will assist in creating a fully functional zero-trust network without having to hire more desktop support agents, saving the company at least $210,000 per year based on hiring 3 employees at $70,000 per year. Maintenance and operational costs will be zero, as the vendor takes care of those.

The return on investment period would be approximately two weeks. The salary of 1 additional employee, $70,000, divided by 52 weeks comes to $1,346 per week, so the year of Threatlocker is paid for in the second week. It reduces the labor needed to monitor endpoints without the CyberHero and saves labor costs on developing, programming, and implementing the security control in the environment.


Recommendation

Threatlocker would be a vital asset to implement in any company. It protects against anything that tries to install without being permitted. Using location paths, hash values and the intelligence of multiple antivirus databases, it analyzes a program and reports back its likely threat. Creating a zero-trust network also needs to include the endpoints that attach to the network, not just the network itself. Implementing Threatlocker saves resources, time, and money: it takes approximately 30 seconds to install, 2 minutes to log in and turn CyberHero on, and 2 weeks of Threatlocker learning mode, so it would benefit the organization in staying as protected as possible.

B. Microsoft 365 Security Center

Microsoft security center is the primary email security defense. It is used as the primary defense, with Threatlocker as secondary endpoint protection. With these in place, reducing the organization's attack surface has turned from a vision into an implemented feature of the organization.

The Gap

Microsoft security center provides extra security tools and mechanisms. Phishing policies can be created within the security center. Their purpose is to remove attachments from an email, place them into Microsoft’s sandbox system, then execute them to see whether they change any system configurations. If nothing changes, the attachment is sent to the user; otherwise it is deleted from the system. Security center also scans for malicious code that could be hidden within files such as Word documents with macros or PDF files. Using the security center to secure email for all users within the organization will reduce the chance of a breach due to phishing/spear phishing or malware/ransomware.


Microsoft TCO/ROI

Threatlocker Cost Breakdown (based on 100 users)

Per endpoint $12.00

$57.00 (only need 1 for global admin)

Per month $1257.00

Per Year $15,084

Microsoft provides many different products that an organization can choose from. The domain needs to hold 1 E5 license, which comes with Defender, compliance, governance and so on for the domain. Its cost is $57.00, while each of the other users needs only Business Premium for $12.00. Microsoft security center can then be configured for the domain, which will protect the mailboxes from most of the phishing and malware attempts on the organization. It is important to note that nothing is 100%, but minimizing the attack surface is the primary goal, with a secondary defense to create defense in depth.

Recommendation

Purchasing the needed licenses as mentioned above and configuring the SaaS software will reduce the attack surface of the organization. Most breaches happen due to employees’ lack of knowledge or training. Reducing the chance that an employee can click on a malicious file or type their credentials into a spoofed website will reduce the chance of a breach happening to the organization. Email is the primary method by which a hacker starts an attack.
IV. Adversarial Assessment

Accenture is an MSSP company that provides various technology solutions for clients that need IT support. Accenture is a direct competitor to Computer Support Team based on the location of clients, the type of technology used, and the type of clients served. Support is always needed to make sure that clients are protected and that infrastructure can be fixed to keep clients running safely. This analysis covers the technology Accenture uses for its website and email domain, employees in different positions, and the new technologies that Accenture is helping companies protect and service.

How Accenture is Competition

Accenture provides many services and operates world-wide. It also operates in the same geographical location as Computer Support Team. Its managed services and security services directly correspond to the NOC, SOC and other advanced zero-trust services that Computer Support Team offers.

Accenture Services

Accenture provides different services from desktop support to full security solutions for their clients. Accenture focuses on the following services that are in direct competition with Computer Support Team Inc:

• Managed Application Security

• Managed Cloud Security

• Managed Digital Identity

• Managed Security Risk

• Managed Detection and Response

Accenture Future Services

Accenture is looking deeper into blockchain technology. It is currently hiring heavily to fill security positions along with blockchain architecture positions. It can be presumed that they are looking to create a layer 2 between the blockchain and the applications used on that blockchain. Given that Ethereum was hacked back in August 2021, this type of advancement will be extremely profitable for their future success.

Accenture Executive Team

Position Name Email


CEO Julie Sweet Julie.Sweet@Accenture.com
CTO Paul Daugherty Paul.Daugherty@accenture.com
CISO Kelly Bissell Kelly.Bissell@Accenture.com
COO Jo Deblaere Jo.Deblaere@accenture.com
CFO KC McClure KC.McClure@accenture.com
CSO Bhaskar Ghosh Bhaskar.Ghosh@accenture.com
CISSP James Bongiorno James.Bongiorno@accenture.com
Technology Used for Operations

Website Technology:
JavaScript Libraries: jQuery 3.5.1
Web Frameworks: Bootstrap 3.3.7
JavaScript Frameworks: jQuery 3.5.1
CDN: Amazon CloudFront 1.10.4
Tag Managers: Adobe DTM

MXToolBox.com
MX Records:
Proofpoint – email filtering and security tool. Governance compliant including HIPAA.
DNS Lookup – 170.248.56.19
DKIM – A type record

Technology security - Google Dorking
Threat hunting, preemptive to keep their clients secure. Constant research.
https://vulners.com/threatpost/THREATPOST:3CC83DBBAFE2642F4E6D533DDC400BF6
Innovative technology with blockchain security technology acting as an L2 to L1 blockchains.
https://www.accenture.com/us-en/service-blockchain-security

Accenture Viability of Threat

Accenture trades on the New York Stock Exchange under the symbol ACN at a price of around $15.00 per share. With the advancement they are trying to reach with blockchain and web 3.0, the price per share is estimated to almost triple or more within the next year. Accenture trades on multiple other exchanges, but they are foreign and not relevant to reporting. The SEC filing goes into detail on the quarterly report and the financial information of their assets, estimated at $22,974,153 in 2017. The SEC report can be located at the following link: https://www.sec.gov/Archives/edgar/data/1647339/000164733917000026/acnholdings-20171130x10q.htm.

V. Cyber Threat Intelligence Plan

Between January 1st, 2022, and February 6th, 2022, several alerts came through Microsoft security center identifying threats to employees’ mailboxes. These are classified into high (red), medium (blue) and low (orange) threats.

(Microsoft Security Center (2022). https://security.microsoft.com)

Analyzing the data allows these categories to be broken down further to better understand where and how the attacks are happening within the client’s domain. The categories can be labeled as follows, with 1 the worst and 3 the least risk.

Ransomware | Phishing | Stale Password | Stale Account | Software Patching
1 | 2 | 3 | 3 | 2

A. Specific Threats

Ransomware: Ransomware has the potential to encrypt company data and hold it for ransom until the company pays the fee. Macaw ransomware, discovered in October 2021, does just this via email. “This human-operated ransomware employs the usual ransomware techniques of data encryption and exfiltration (Microsoft.com 2022).” Macaw exploitation activity can run multiple different queries, including the query for MSBuild.exe being used as a LOLBin.

Phishing: Phishing email is a constant concern as it takes multiple forms. It can take the user to a fake website which then downloads malware payloads, or it can have the user enter their credentials. Once this happens, the threat agent can gain access to the user's mailbox along with anything else that user has permission to access.

Stale Accounts and Passwords: Stale accounts and passwords are accounts/passwords that belonged to an employee who is no longer there and that the administrator never disabled or changed. This can leave an open door for a threat agent to gain access to company information. If a stale password becomes publicly known on the dark web and is never changed, there is a higher potential for the account to be breached.
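One way to audit for the stale accounts and passwords described above, as an added example that is not part of the original plan. The directory export, the HR roster, the field names, the 90-day sign-in threshold and the 180-day password threshold are all constructed assumptions.

```python
"""Stale account / stale password audit (added example, constructed data)."""
import csv
import io
from datetime import date, timedelta

# Assumed thresholds; tune to the organization's policy.
MAX_IDLE = timedelta(days=90)
MAX_PASSWORD_AGE = timedelta(days=180)

# Constructed directory export. An empty last_sign_in means "never signed in".
DIRECTORY_CSV = """\
account,enabled,last_sign_in,password_last_set
alice@example.test,true,2022-02-01,2021-12-15
bob@example.test,true,2021-06-10,2020-03-02
carol@example.test,false,2021-01-05,2019-11-20
dave@example.test,true,2022-02-03,2021-01-10
svc-backup@example.test,true,,2018-07-01
"""

# Constructed HR roster of current employees and approved service accounts.
ACTIVE_ROSTER = {"alice@example.test", "dave@example.test", "svc-backup@example.test"}


def parse_day(text):
    """Return a date for YYYY-MM-DD text, or None for an empty field."""
    text = text.strip()
    return date.fromisoformat(text) if text else None


def audit(directory_csv, roster, today):
    """Return {account: [findings]} for every enabled account with a problem."""
    findings = {}
    for row in csv.DictReader(io.StringIO(directory_csv)):
        account = row["account"].strip().lower()
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled, so it is not an open door
        issues = []
        if account not in roster:
            issues.append("owner-departed")
        last_sign_in = parse_day(row["last_sign_in"])
        if last_sign_in is None:
            issues.append("never-signed-in")
        elif today - last_sign_in > MAX_IDLE:
            issues.append("idle")
        password_set = parse_day(row["password_last_set"])
        if password_set is None or today - password_set > MAX_PASSWORD_AGE:
            issues.append("stale-password")
        if issues:
            findings[account] = issues
    return findings


def prioritize(findings):
    """Order accounts: departed owners first, then by number of findings."""
    return sorted(
        findings,
        key=lambda a: ("owner-departed" not in findings[a], -len(findings[a]), a),
    )


if __name__ == "__main__":
    result = audit(DIRECTORY_CSV, ACTIVE_ROSTER, date(2022, 2, 6))
    for account in prioritize(result):
        print(f"{account}: {', '.join(result[account])}")
```

Accounts flagged `owner-departed` are the ones the plan calls an open door; the other findings are hygiene items for accounts that still have an owner.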

Software Patching: Outdated software that is end of life will no longer receive security updates. These updates are crucial to keeping software security up to date. Services like outlook.exe on version 2004 will not have the security needed to protect against exploits in today’s world. Making sure that the latest versions are being used will keep vulnerabilities within the software to a minimum.

B. Threat Actor Intentions

Darkside (the malware designer in the attack against Colonial Pipeline) intended to extract as much money as it possibly could from the oil company. They used various styles of attack to achieve their goal of encrypting data and holding it for ransom. From phishing attacks to brute-force password attacks, and even SQL injections against VPN networks, backdoors were able to be installed within the system. “Once inside Colonial Pipeline’s network, the attackers escalated privileges by exploiting a Zerologon vulnerability and more. With the access, DarkSide then used PowerShell and Certutil to deploy and execute the ransomware attack across the network (globalsign 2021).”

C. Threat Actor Methodology

Threat actors use many different methods to attack their targets, ranging across social engineering attacks including phishing emails or phone calls. Phishing emails redirect the user to another site where malicious payloads can be downloaded to the machine, or ask for credentials to be entered to “view” the site. From there, even if just the username is typed in, brute-force attacks can be used to break the user’s password. Threat actors use these capabilities for some type of gain. The intent can range across, but is not limited to, money, destruction of company assets, personal gain, political stances and more. For the Darkside attack on the Colonial Pipeline it was about the money. Other attackers have used their capabilities to take a political stance against a company, for example the 2011 and 2014 attacks on Sony and its networks. Most commonly, it is for money while destroying company assets.

Example: “Once inside Colonial Pipeline’s network, the attackers escalated privileges by

exploiting a Zerologon vulnerability and more. With the access, DarkSide then used PowerShell

and Certutil to deploy and execute the ransomware attack across the network (globalsign 2021).”

VI. Post-Mortem

Post-mortem reports are one of the best ways to learn from incidents that have occurred. They help show the part of an organization's attack surface that was exploited so the organization can take more advanced steps to protect it. Using the Lockheed Martin Cyber Kill Chain during a post-mortem shows the steps a threat agent uses to attack a system. It gives insight into the intentions of different threat agents while also showing the best point at which to break a breach. The two incidents below, US Cellular and Canva, are each unique in their own way. Canva was a special type of attack, completely different in that it was stopped in the middle of the breach.

A. Cyber Kill Chain

Understanding the Lockheed Martin Cyber Kill Chain is vital to understanding the attack surfaces that the organization needs to protect. The white paper goes through each phase, covering its importance and briefly what it does. Seeing the kill chain makes it easier to understand the simple process a threat agent goes through when attacking a system. If you think like a hacker, or understand how a hacker thinks, it becomes easier to defend against those types of attacks or even to conduct internal audits to protect against them.

“Looking back at NotPetya, Woodcock said it served as a wakeup call that not all cyberattacks

are targeted and that organizations can find themselves the unintended victims of these events –

businesses shouldn't approach their cyber defenses as if hackers will specifically target them

because in some attacks you could simply end up as collateral damage (ZDNet 2019).”

The organization may not even be the target, but because it does business with other businesses and has that trusted relationship, the organization can end up as collateral damage, just as Maersk was to M.E. Doc.

[Figure: Lockheed Martin Cyber Kill Chain. Lockheed Martin (2022).]


B. Case Study US Cellular 2021

On January 4th, 2021, US Cellular was breached by attackers. US Cellular is the self-proclaimed 4th largest wireless company in the United States. “Hackers targeted a handful of U.S. Cellular store employees who had access to its customer relationship management (or CRM) software (Mathews L. 2021).” The stolen data consisted of phone numbers, customer names, addresses, PINs, and plan information of various clients within the company's CRM. This information is enough to enable further attacks, by hacking into the SIM of one of those clients’ phones to cause more damage. The attackers’ intent was to cause as much damage as possible while trying to collect a paycheck by selling the information on the dark web to the highest bidder. The Lockheed Martin cyber kill chain helps structure the post-mortem of the attacks.

Reconnaissance

The threat agents performed reconnaissance before carrying out their attacks. Phishing emails along with social engineering phone calls were used to gain access through malware for remote access to the computers. Four targets were selected at a retail store and pursued by the threat agents. After convincing the employees over the phone using social engineering tactics, they sent a phishing email with malicious software that the employees were able to install onto the computer system. It provided a shell terminal along with key logging to capture the credentials needed to access the company CRM database.

Weaponization

The threat agent was able to trick the employees into installing the malicious software onto the computer in order to further access the system and the attached network. The malicious software was weaponized to gain access.

Delivery

“The data breach notification says, "since the employee was already logged into the customer retail management ("CRM") system, the downloaded software allowed the unauthorized individual to remotely access the store computer and enter the CRM system under the employee's credentials" (Nikki A. 2021).” The payload was delivered through a phishing email to the employees after the social engineering attacks.

Exploitation

Once the employees were working, the hackers were able to use their credentials, which were authorized for the CRM. Background shell commands could be run so that the employee would not know what was going on.

Installation

The malware was designed to attack one machine without communicating with other devices. It was a single-target threat against the company. The threat agent was able to have the employees install the software from an email.

(C2) Command & Control

For two days the threat agents were able to extract the data of approximately 407 clients of US Cellular. They used background shell commands to extract data from the company, which they then put up for sale on the dark web. The threat agents were able to gain access to the CRM via the employees’ credentials, as they were logged into the system. The remote-control malicious software never closed the session and was designed to reconnect to the system upon bootup. MFA codes could be retrieved, as the threat agents were able to get into the SIM card and receive text messages with the MFA codes.

Actions on Objectives

US Cellular was able to spot the malicious software installed on the system after two days. In most cases threat agents stay within a system for 100 days or more. US Cellular performed the right actions by reporting it to the local attorney general and changing passwords, credentials, and other information of the users. It was also able to send a notice to inform the users who were affected by the breach.

C. Case Study Canva Security Incident 2019

On May 24th, 2019, Canva was breached. A total of 4 million Canva accounts were affected. Passwords were stolen and partial credit cards were read, along with the decryption of OAuth tokens and encrypted passwords. The hacker or hacker group goes by the name GnosticPlayers, which is also responsible for other breaches like DubSmash, MyFitnessPal and more. Interestingly, “the attack was discovered and stopped by Canva while it was still occurring. Canva had immediately shut its database servers on detecting the attack (Dutta S. 2020).” GnosticPlayers then contacted journalists to let them know about the attack and claim credit for it. GnosticPlayers' intent was to gain fame for hacking along with trying to sell the information on the dark web for profit.

Reconnaissance

GnosticPlayers had performed reconnaissance on Canva's webservers. Canva was a startup company using AWS servers. Little information is known; speculation about the attack centers on how weak the passwords were and on basic cybersecurity practices, like MFA, not being followed.

Weaponization

GnosticPlayers was able to exploit webserver cross-site scripting and brute force, and gained access to the Canva database. As far as is known, these were the only tactics with which the threat agent attacked the system. No other software was installed or weaponized against the organization.

Delivery

During the delivery phase of the kill chain, the database was taken offline as monitors went off identifying abnormal activity. During this phase the threat agent was able to gain access and download millions of user records from the database.

Exploitation

Exploiting the webservers allowed GnosticPlayers to gain access to the database. However, the attack was quickly stopped due to security measures that were in place. Even though this is one of the quickest stops of a live breach, the database could still be downloaded because the files were small.

Installation

No malicious software was installed as it was web based.

(C2) Command & Control

The breach was stopped by Canva’s engineer in the middle of the attack. GnosticPlayers was able to download the database. He/they proceeded to decrypt OAuth tokens and user passwords. Publicity was the intent, along with advertising the user information on the dark web for profit.

Actions on Objectives

Canva was able to stop the attack in the middle of the breach. Following the Lockheed Martin Cyber Kill Chain, the engineers took the database offline as it was being accessed through the webserver. Canva performed damage control as GnosticPlayers took to social media and the ZDNet tech media. Canva originally reported less data loss than what was lost (139 million originally reported, while 4 million was stolen). GnosticPlayers decrypted the information and tried to quickly sell it online.

VII. Recommendation

Many different threats hang over organizations. The most common lead back to employees and email. Creating a zero-trust endpoint management system using a vendor like Threatlocker would help resolve the issue of executables running on a system and spreading to anything attached to the network. Utilizing the Microsoft security center will provide protection against most malicious URLs and files that come in via email. These are most commonly used to trick users into clicking on them and installing malicious software. These actionable security measures will reduce the attack surface of the company by over 50%, given the number of employees and the content of the emails sent through the system daily. A timeline of 30 days can be set to make sure the goal of protecting the endpoints and email is achievable within a realistic time. An export of each mailbox can then be matched to the computer user and used as a grid to make sure that each computer has been touched and protected properly, as tracking is important for accuracy and results. Using SMART elements like these will better protect the organization while reducing the attack surface.
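The tracking grid described in the recommendation above, sketched as an added example that is not part of the original plan. The mailbox export, the endpoint inventory, their column names and the sample hosts are constructed assumptions; `agent_installed` stands in for whatever endpoint agent state the vendor console reports.

```python
"""Rollout tracking grid: mailboxes matched to computers (added example, constructed data)."""
import csv
import io

# Constructed mailbox export: one row per mailbox and whether the phishing policy applies.
MAILBOX_CSV = """\
user,phishing_policy
alice@example.test,yes
bob@example.test,yes
carol@example.test,no
dave@example.test,yes
"""

# Constructed endpoint inventory: one row per computer, its primary user, and agent state.
ENDPOINT_CSV = """\
computer,user,agent_installed
WS-001,alice@example.test,yes
WS-002,bob@example.test,no
LT-014,bob@example.test,yes
WS-003,carol@example.test,yes
KIOSK-01,,no
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def build_grid(mailbox_csv, endpoint_csv):
    """Return (grid, unassigned).

    grid maps user -> {"mail_protected": bool, "computers": {name: agent_ok}}.
    unassigned lists computers whose user has no mailbox in the export.
    """
    grid = {}
    for row in _rows(mailbox_csv):
        user = row["user"].strip().lower()
        grid[user] = {
            "mail_protected": row["phishing_policy"].strip().lower() == "yes",
            "computers": {},
        }
    unassigned = []
    for row in _rows(endpoint_csv):
        user = row["user"].strip().lower()
        installed = row["agent_installed"].strip().lower() == "yes"
        if user in grid:
            grid[user]["computers"][row["computer"]] = installed
        else:
            unassigned.append(row["computer"])
    return grid, unassigned


def find_gaps(grid, unassigned):
    """Return a sorted list of (subject, reason) pairs that still need work."""
    out = []
    for user, status in grid.items():
        if not status["mail_protected"]:
            out.append((user, "phishing policy not applied"))
        if not status["computers"]:
            out.append((user, "no computer matched"))
        for computer, installed in status["computers"].items():
            if not installed:
                out.append((user, f"agent missing on {computer}"))
    out.extend((computer, "no mailbox owner") for computer in unassigned)
    return sorted(out)


def percent_complete(grid):
    """Share of users whose mailbox and every matched computer are protected."""
    done = sum(
        1 for s in grid.values()
        if s["mail_protected"] and s["computers"] and all(s["computers"].values())
    )
    return round(100 * done / len(grid)) if grid else 0


if __name__ == "__main__":
    grid, unassigned = build_grid(MAILBOX_CSV, ENDPOINT_CSV)
    print(f"{percent_complete(grid)}% of users fully covered")
    for subject, reason in find_gaps(grid, unassigned):
        print(f"  {subject}: {reason}")
```

Computers with no mailbox owner, such as kiosks or shared machines, fall outside a mailbox-driven grid and are reported separately so they are not missed during the 30-day rollout.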

References

Nikki, A. (2021). USCellular Data Breach: Hackers Gained Access to Users’ Personal Data, Pin Code, Billing Statements, and More. Tech Times. https://www.techtimes.com/articles/256503/20210129/uscellular-data-breach-hackers-gained-access-users-personal-pin-code.htm

Mathews, L. (2021). Hackers breach U.S. Cellular Customer Database After Scamming Employees. Forbes.com. https://www.forbes.com/sites/leemathews/2021/01/30/hackers-breach-us-cellular-customer-database-after-scamming-employees/?sh=4b50b018c818

Dutta, S. (2020). Decrypting Canva’s Security Breach That Affected 139 Million User Accounts. CodeBurst.io. https://codeburst.io/inside-canvas-security-breach-that-affected-139-million-user-accounts-78467e315681

Threatlocker (2022). Software vendor for zero-trust endpoints. https://www.threatlocker.com/

Grimes, A. “The real security issue behind Comodo Hack” CSOOnline. https://www.csoonline.com/article/2623707/the-real-security-issue-behind-the-comodo-hack.html

Microsoft Security Center. (2022). Threat Insights: Macaw ransomware. Microsoft.com. https://security.microsoft.com/threatanalytics3/b1ee13d9-0128-4f35-914c-ce157b81cc8f/overview

Krigman, A. (2021). Cyber Autopsy Series: Colonial Pipeline. GlobalSign by GMO. https://www.globalsign.com/en/blog/cyber-autopsy-series-colonial-pipeline
