Fighting the Good Fight Protecting Customers
Unpatched software, Supply chain attacks, Phishing, Ransomware, Wiper attacks, Advanced persistent threats, Data/IP theft, Spyware/Malware, Malvertising, Drive-by downloads, Man in the middle, Credential compromise, DDoS, Botnets, Rogue software, Cryptomining
Our job is protecting your network
Talos is the threat intelligence group at Cisco. We are here to fight the good fight — we work to keep our customers, and users at large, safe from malicious actors.
• Community
• Detection Research
• Vulnerability Research & Discovery
• Global Outreach
• Threat Intelligence & Interdiction
• Engineering & Development
• Incident Response
Why trust Talos?
• Actionable Intelligence
• Unmatched Visibility
• Collective Response
Unmatched Visibility
To stop more, you have to see more.
• The most diverse data set
• Community partnerships
• Proactively finding problems
Unmatched visibility is built on relationships
[Diagram: Vulnerability Discovery, Network, Web, Threat Traps, Endpoint, Data Sharing, Cloud, Email]
Actionable Intelligence
Security controls are best served by data that lets tools respond to immediate threats.
• Rapid coverage
• Distillation and analysis
• Threat Context
It’s not detect and forget, it’s detect and analyze.
[Diagram: Research, Telemetry, Industry Partners, Open-Source Intelligence, Incident Response]
Collective Response
The ability to bring rapid protection to close off multiple attack vectors instantaneously is crucial
• Breadth: See once, protect everywhere
• Depth: Response and interdiction drives continuous research
• Scale: Delivering portfolio-wide protection, in real-time
[Diagram: Policy & Protection, Informed Analysis]
NotPetya: The Costliest Cyber Attack in History
Unmatched Visibility, Actionable Intelligence, Collective Response
• Highly destructive supply chain attack
• Cyber weapon targeting the general public
• One of the costliest cyber attacks in history
[Diagram: AMP, Gathering IOCs, Field engagement, Ukraine Cyber Police, Shipped protection, Snort rules (twice), Blogs, Consumable IOCs, Product maturation]
From Unknown to Understood
Unmatched Visibility, Actionable Intelligence, Collective Response
[Diagram: Product Telemetry, Data Sharing, Vulnerability Discovery, Threat Traps, Incident Response]
Endpoint: Endpoint Detection & Response, Mobile Security, Multi-Factor Authentication
Network: Firewall & Intrusion Prevention, Web Security, SD-Access
Cloud: Secure Internet Gateway, DNS-Layer Security, Email Security
Services: Incident Response on Retainer, Emergency Incident Response, Insights On Demand
Threat Briefing: Disinformation
Key Points
• Russia and China have become major players in global disinformation operations, while Iran is steadily building its disinformation capabilities.
• Common tactics include leveraging state media, government agencies, and internet “trolls” and bots.
• Three of the most common strategic goals for disinformation operations appear to be political influence, amplifying social divisions, and controlling domestic narratives.
• The private sector and government lack a comprehensive counter strategy, with U.S.-sourced content and foreign influence providing their own unique challenges.
• Marketing firms and cybercriminals have sought to monetize disinformation, selling it as a service to nation-states and bad actors via both legitimate business transactions and underground criminal forums.
Assessments
• Talos assesses that nation-states will increasingly look to incorporate disinformation operations as part of their strategy to advance foreign policy and national security objectives.
• Given the low cost and high impact of social media disinformation campaigns, bad actors will almost certainly continue to use social media platforms as a primary method for promoting their narratives.
• We also expect to see deepfake technology becoming an increasingly common and challenging problem in the months and years ahead.
Definitions
Disinformation: The intentional spreading of false information with the intent to deceive
Misinformation: The unintentional spreading of false information that is not meant to cause harm
Propaganda: Can be disinformation; used to promote a political goal or view
Satire: Content that portrays an individual or event in a way that ridicules the subject by using humor, sarcasm, irony, and exaggeration
Actor Profiles
Russia
Strategic Goals
• Maintain global influence and regional hegemony
• Ensure regime stability
• Secure its geographic security by acquiring more territory
• Counter Western influence
Tactics
• State media
• Intelligence services
• Private companies
• Internet trolls
• Automated bots
China
Strategic Goals
• Ensure the Party’s legitimacy
• Increase global influence
• Become world leader in advanced technologies
• Establish sovereignty over disputed areas
• Prevent adversaries from constraining China
Tactics
• Carried out by Party, state, and non-state actors
• State media
• Funding and influencing foreign think tanks
• Social media operations
• “50 Cent” internet commentators
Iran
Strategic Goals
• Deter U.S. influence in Iranian affairs
• Counter isolationist policies imposed by the West
• Support specific U.S. policies favorable to Iran
• Anti-Saudi, anti-Israeli, and pro-Palestinian themes
• Significant anti-Trump messaging
Tactics
• IRGC-operated media outlets
• State media
• Legitimate social media accounts used by govt. officials
• Fake news sites and social media accounts
Domestic Cases
• Homegrown disinformation is a growing problem in the United States
• Actors can take advantage of democratic free speech liberties
• Alt-right groups and ultra-conservative media outlets push fake content to drown out legitimate news
• Some fake content is picked up by mainstream sites and pushed to larger audiences
• Pizzagate and Black Lives Matter
Political Influence
Case Study: Russian influence in 2016 U.S. Presidential election
• Long-lasting payoffs in line with Russian foreign policy
  – More divisive American population
  – U.S. withdrawal from international treaties and institutions
  – Fractured U.S.-Europe relations
  – Increased cooperation between U.S. and traditional adversaries
  – Diminished U.S. role on the international stage
• Primary goals
  – Damage Hillary Clinton’s presidential campaign
  – Undermine the U.S. democratic process
  – Later on, Russia developed a preference for Donald Trump
• Tactics
  – State media portrayed Clinton negatively
  – Hundreds of social media accounts impersonating real and fictitious Americans
  – Fake accounts purchased ads to promote staged political rallies
  – Russian intelligence informed and enabled the influence campaign
Strategic Objectives and Case Studies
Amplify Divisions
Case Study: COVID-19
Russia
• U.S. using bioweapons to spread the virus rapidly
• Blamed the U.S. for virus outbreak
• Russia’s response has been better than the West
• Messaging in line with other disinformation operations against American science and medicine
China
• Promoted China’s success in controlling the virus
• Criticized U.S. response
• COVID-19 is a U.S.-made bioweapon
• Took advantage of European disunity in early weeks of pandemic
• Some storylines heavily pro-China
Iran
• COVID-19 is a U.S.-made bioweapon
• Accused Western media of spreading lies in Iran
• Touted Iran’s success in fighting virus
• Mocked Trump’s response to pandemic
Control Domestic Narratives
Case Study: Exploitation of Black Lives Matter Movement
Russia
• Portrayed U.S. as hypocrite for supporting former protests in former Soviet bloc countries but not BLM
• Accused Democrats of stoking unrest to overthrow Trump
• Mocked the U.S.’ mishandling of the protests
• Amplified photos/videos of excessive police force
China
• Justified China’s suppression of pro-democracy movement in Hong Kong
• Offered sympathy for U.S. protesters
• Cast U.S. as hypocrite for support for Hong Kong protests but not BLM
Iran
• Emphasized U.S. racial discrimination and police force
• Discredited international criticism of 2019 Iranian crackdown on protests
• Supported U.S. protesters
• Pushed theme that racism and discrimination are main themes of Western culture
Facebook Groups Case Study
Facebook Groups
• What are they?
• How are they being abused?
• Case Study:
  – Looked at political groups
  – Focused on Biden
  – Associated w/ Texas
• Results from < 5 mins of searching
Challenges
• Already shown in Roger Stone takedown
• Can be used to create additional groups
• Currently only looking at public data
• Private groups could be problematic
Disinformation as a Service
Archimedes Group
• Israeli firm
• Spent $800,000 on Facebook ads
• Accounts had 3 million followers
UReputation
• Tunisian firm
• Operation Carthage
• Influenced elections in multiple African countries
New Wave/New Waves
• UAE and Egyptian firms
• Accounts had 13.7 million Facebook followers
• Anti-Qatar and anti-Muslim Brotherhood narratives
• Targeted audiences in multiple countries
Known Disinformation Campaigns
Disinformation as a Service
Cybercriminal Underground Forums
• Disinformation services are highly customizable
• Costs vary from several hundred dollars to hundreds of thousands of dollars
• The Russian underground has the lowest-priced fake news services, with prices remaining steady since 2017
• Threat actors leverage aged accounts, write their own blogs, and can often get articles published
Industry and Government Response
U.S. Government
• Proposed legislation, but no laws passed
• Ongoing struggle between government and tech companies to find common ground
International Efforts
• Recommendations are often high-level, lack action points and measurable output
• Few proactive measures
• Some efforts aimed at fact-checking, identifying legitimate content
• E.U. tasked online platforms to provide monthly reports
Industry
• Slow shift in social media platforms taking steps to flag or remove false information
• Platform enhancements
• Significant changes result from public outcry or financial pressure
Cisco’s Fight Against Disinformation
Duo Labs
• Black Hat – “Don’t @ Me: Hunting Twitter Bots at Scale”
• Better understand disinformation stemming from fake accounts and botnets
• Discovered ways the bots evolved to evade detection
• Botnet’s structure and organization
• Shared findings with Twitter
Talos
• Four-year election security study (2016-2020)
• Interviewed state, local, federal officials
• Conducted independent research
• Observed state’s election planning
• 2017 Fake News Challenge
• Tested how various machine-learning techniques performed in identifying fake news on the internet
Outlook
Key Judgements
• Nation-states will increasingly look to incorporate disinformation operations as part of their strategy to advance foreign policy and national security objectives
• Social media platforms will remain one of the most effective ways for actors to create and spread disinformation
• Deepfake technology will become an increasingly common and challenging problem in the months and years ahead
• There are some encouraging developments that point to increased public awareness about disinformation
blog.talosintelligence.com
@talossecurity