Cyber Defense eMagazine May 2019
Cyber Defense eMagazine May Edition for 2019 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cybersecurity expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group
QIDs from associated metadata, the inquiry can reveal the location, associates, aliases, and true identities of malicious actors. Just as important, artifacts can also provide insight into past, present and future activities.
Use case #1: Oleksandr Ieremenko

In 2016, the U.S. Department of Justice secured a guilty plea from a New Jersey man who was part of a complex insider trading scheme that exploited confidential information stolen from three separate business news wire services. Prosecutors alleged that the scheme netted tens of millions in illegal profits. The indictment also identified the still-at-large technical mastermind who hacked into the business wires—a Ukrainian citizen named Oleksandr Ieremenko.
Mining the indictment for names, email addresses, online handles and other identifiers, we were able to run a series of PAI queries just on Ieremenko. Obviously, we already had a true identity to go on, but the query was fruitful for several reasons. First, we learned a lot about Ieremenko’s associates. While these malicious actors weren’t indicted, learning who they were and where they operated gave us a better context for understanding the types of malware and tools Ieremenko typically sought to secure. In turn, that information turned up a lot of useful information about Ieremenko’s skills, capabilities and past targets. We were even able to assess, with a high degree of confidence, what sorts of targets and schemes Ieremenko was working on before, during and after the indictment.
Use case #2: The Iranian Professor

Using an email address associated with a spear-phishing campaign, we ran a PAI query. As it turned out, this hacker employed sloppy tradecraft by failing to more fully obfuscate QIDs associated with the creation of the email address. While sloppy tradecraft may sound like a lucky break, the key point is that hackers are human. They make human mistakes because they’re lazy, careless, poorly trained, pressed for time, etc. These mistakes leave behind artifacts that analysts and investigators can exploit.

In any case, our PAI query told us that the hacker was an Iranian professor. With her true identity, we were able to discover her location, associates, and develop information about her activities, past, present and future. Just as important, we were able to reduce the likelihood that we were meant to discover her true identity as part of a false flag operation.
Unfortunately, this hacker hasn’t been brought to justice—and likely won’t be. Nevertheless, her identity, area of operation, skill level, and modus operandi provide a powerful check on her operations going forward.