Senior Product Manager Bob Stasio of IBM i2 Safer Planet was keynote speaker for Cyber Security Summit 2016. Prior to joining IBM, Mr. Stasio worked in threat intelligence programs at Bloomberg and global financial firms. He also has deep government experience having served at NSA’s Cyber Center, U.S. Cyber Command, U.S. Army’s Signals Intelligence Corps, the FAA, and NASA. Bob served as a U.S. Army officer, and is a recipient of numerous military awards, including the Bronze Star and Global War on Terrorism Expeditionary Medal. He also is a Truman National Security Fellow, Brookings Institution Council on U.S. and Italy fellow, and serves on the advisory board of multiple startups. He holds a Master’s degree and certifications in Intelligence Studies and Network Protection.
Mr. Stasio’s presentation, “Leveraging Intelligence, Visualization, and Analytics to Fight Advanced Cyber Threats,” emphasized the importance of achieving a longitudinal perspective in analyzing what happened.
“You have to be able to see the forest for the trees,” he said.
When an incident occurs it’s essential to determine if it’s only one in a series of events. Is there a pattern?
Many in the cyber security industry tout information-sharing as a key to detecting and preventing attacks. Mr. Stasio warned that industries and companies that work as silos, walled off from those around them, are not ideally positioned to mount a robust defense.
Cyberattack techniques are becoming commoditized, he said, citing a case that focused on the financial sector. A group of disaffected investors that came to be dubbed Fin4 operated from a New Jersey base. Before they were caught, the group amassed immense ill-gotten gains using stolen insider trading information, Stasio said.
A New York Times writer who covered the case wrote: “In all, 32 traders and hackers reaped more than $100 million in illegal proceeds in a sophisticated and brazen scheme that is the biggest to marry the wizardry of computer hacking to old-fashioned insider trading.”
The rogue investors hired hackers in Ukraine to launch spear-phishing campaigns that convinced identified financial executives to update their passwords on pages where the hackers could capture them. Outsourcing the information capture in this scam reinforces that techniques are becoming commoditized. Other individuals broke into publishing companies and stole quarterly financial news releases containing sensitive performance data, which, before publication, would be very useful to anyone who could use the private information to select investments.
False identity scams are on the rise, both online and in person. Men appeared at a bank branch in the UK, introducing themselves as IT professionals, and managed, over time, to transfer out millions before they were stopped. The device they used to perpetrate their crime was built for about $30 from parts readily available on eBay, he said. This illustrates the asymmetrical nature of cyberattacks today, where a small, inexpensive tool can penetrate a much larger entity and siphon off its assets. The same dynamic is at work in Iraq, where a cheap device can be transformed into a deadly IED.
Stasio noted that “80 percent of the threat is commoditized and easily blocked.”
The remaining 20 percent causes the majority of the problem, especially when nation-state actors are involved. It is the part that requires cyber analysis to understand the nature of the incident that is coming. Cyber analysis is a new discipline and profession with three subcomponents, he explained: information security, intelligence analysis and forensic science. The discipline exists to let the practitioner fold numerous diverse data types into one cohesive, integrated, multi-dimensional analysis.
A header in Stasio’s presentation introduces the data sources, “what we are looking at,” as people, events, locations, objects, structured and unstructured data, deep and Dark Web data, external data and social networks to provide the input to be analyzed. A tandem header “what we are looking for” shows that investigators are seeking to find networks, relationships, or anomalies in geography, timing, or sequencing.
Rather than fixating on a single incident, Stasio’s approach seeks out related precursor events in order to associate the data and explain what is happening. The process can be broken down into four goals, each with its own challenge:
Hidden threats are lurking in the network: how do I find the signal in the noise?
Where should analysts look: how do I find a needle in a stack of needles?
Given a lack of actionable intelligence, how do leaders make decisions?
With too much data from too many sources, how do I put the picture together?
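As an added illustration of the “what we are looking for” framing above (this is not code from the talk or from IBM i2), the following Python sketch indexes heterogeneous records by the people, hosts, addresses and objects they mention, then walks those links backwards from one incident to surface its precursor events inside a time window. All event names, entities and timestamps are constructed sample data.

```python
"""Precursor-event search over heterogeneous records (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: each names the entities (people, hosts, IPs, objects) it touches.
EVENTS = [
    {"id": "e1", "ts": "2016-03-01T09:00", "type": "phishing_email",
     "entities": {"person:cfo", "domain:mail-update.example"}},
    {"id": "e8", "ts": "2016-03-01T09:05", "type": "phishing_email",
     "entities": {"person:controller", "domain:mail-update.example"}},
    {"id": "e2", "ts": "2016-03-01T09:30", "type": "credential_reset",
     "entities": {"person:cfo", "host:vpn-gw"}},
    {"id": "e3", "ts": "2016-03-02T02:10", "type": "vpn_login",
     "entities": {"person:cfo", "ip:203.0.113.5", "host:vpn-gw"}},
    {"id": "e4", "ts": "2016-03-02T02:40", "type": "file_access",
     "entities": {"person:cfo", "object:q1-release.docx"}},
    {"id": "e5", "ts": "2016-02-20T11:00", "type": "vpn_login",
     "entities": {"person:analyst", "ip:198.51.100.9"}},
    {"id": "e6", "ts": "2016-03-02T03:00", "type": "large_download",
     "entities": {"person:cfo", "ip:203.0.113.5", "object:q1-release.docx"}},
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def build_index(events):
    """Map every entity to the events that mention it: the 'network' view of the data."""
    idx = defaultdict(list)
    for ev in events:
        for ent in ev["entities"]:
            idx[ent].append(ev)
    return idx

def precursors(events, incident_id, lookback_hours=72, hops=2):
    """Follow shared entities outward from the incident for `hops` steps,
    keeping only events that fall inside the lookback window before it."""
    by_id = {e["id"]: e for e in events}
    idx = build_index(events)
    t_end = parse(by_id[incident_id]["ts"])
    t_start = t_end - timedelta(hours=lookback_hours)
    seen, frontier = {incident_id}, {incident_id}
    for _ in range(hops):
        nxt = set()
        for eid in frontier:
            for ent in by_id[eid]["entities"]:
                for ev in idx[ent]:
                    if ev["id"] not in seen and t_start <= parse(ev["ts"]) < t_end:
                        seen.add(ev["id"])
                        nxt.add(ev["id"])
        frontier = nxt
    return sorted((by_id[i] for i in seen - {incident_id}), key=lambda e: e["ts"])

def timeline(events, incident_id, **kw):
    """Ordered (id, type) pairs leading up to the incident: the longitudinal view."""
    return [(e["id"], e["type"]) for e in precursors(events, incident_id, **kw)]
```

Widening the window alone does not pull in unrelated records such as e5; only an entity link does, while a second hop reaches the parallel phishing of the controller through the shared sender domain.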