Fighting Protecting Customers

Unpatched software, Supply chain attacks, Phishing, Ransomware, Wiper attacks, Advanced persistent threats, Data/IP theft, Spyware/Malware, Malvertising, Drive by downloads, Man in the middle, Credential compromise, DDoS, Botnets, Rogue software, Cryptomining

Our job is protecting your network

Talos is the threat intelligence group at Cisco. We are here to fight the good fight — we work to keep our customers, and users at large, safe from malicious actors.

• Community
• Detection Research
• Vulnerability Research & Discovery
• Global Outreach
• Threat Intelligence & Interdiction
• Engineering & Development
• Incident Response

Why trust Talos?

• Unmatched Visibility
• Actionable Intelligence
• Collective Response

Unmatched Visibility

To stop more, you have to see more.

• The most diverse data set
• Community partnerships
• Proactively finding problems

Unmatched visibility is built on relationships

[Slide diagram labels: Vulnerability Discovery, Network, Web, Threat Traps, Endpoint, Data Sharing, Cloud, Email]

Actionable Intelligence

Security controls are best served by data that lets tools respond to immediate threats.

• Rapid coverage
• Distillation and analysis
• Threat Context

It’s not detect and forget, it’s detect and analyze.

[Slide diagram labels: Research, Telemetry, Industry Partners, Open-Source Intelligence, Incident Response]

Collective Response

The ability to bring rapid protection to close off multiple attack vectors instantaneously is crucial

• Breadth: See once, protect everywhere
• Depth: Response and interdiction drives continuous research
• Scale: Delivering portfolio-wide protection, in real-time

[Slide diagram labels: Policy & Protection, Informed Analysis]

NotPetya: The Costliest Cyber Attack in History

• Highly destructive supply chain attack
• Cyber weapon targeting the general public
• One of the costliest cyber attacks in history

[Slide diagram: Unmatched Visibility, Actionable Intelligence, Collective Response. Labels: AMP, Gathering IOCs, Field engagement, Ukraine Cyber Police, Shipped protection, Snort rules (twice), Blogs, Consumable IOCs, Product maturation]

From Unknown to Understood

[Slide diagram: Unmatched Visibility, Actionable Intelligence, Collective Response. Labels: Product Telemetry, Data Sharing, Vulnerability Discovery, Threat Traps; Endpoint, Network, Cloud, Email; Endpoint Detection & Response, Mobile Security, Multi-Factor Authentication, Firewall & Intrusion Prevention, Web Security, SD-Access, Secure Internet Gateway, DNS-Layer Security, Email Security; Incident Response Services (Incident Response on Retainer, Emergency Incident Response, Insights On Demand)]

Threat Briefing: Disinformation

Key Points

• Russia and China have become major players in global disinformation operations, while Iran is steadily building its disinformation capabilities.
• Common tactics include leveraging state media, government agencies, and internet “trolls” and bots.
• Three of the most common strategic goals for disinformation operations appear to be political influence, amplifying social divisions, and controlling domestic narratives.
• The private sector and government lack a comprehensive counter strategy, with U.S.-sourced content and foreign influence providing their own unique challenges.
• Marketing firms and cybercriminals have sought to monetize disinformation, selling it as a service to nation-states and bad actors via both legitimate business transactions and underground criminal forums.

Assessments

• Talos assesses that nation-states will increasingly look to incorporate disinformation operations as part of their strategy to advance foreign policy and national security objectives.
• Given the low cost and high impact of social media disinformation campaigns, bad actors will almost certainly continue to use social media platforms as a primary method for promoting their narratives.
• We also expect to see deepfake technology becoming an increasingly common and challenging problem in the months and years ahead.

Definitions

• Disinformation: The intentional spreading of false information with the intent to deceive
• Misinformation: The unintentional spreading of false information that is not meant to cause harm
• Propaganda: Can be disinformation; used to promote a political goal or view
• Satire: Content that portrays an individual or event in a way that ridicules the subject by using humor, sarcasm, irony, and exaggeration

Actor Profiles

Russia

Strategic Goals

• Maintain global influence and regional hegemony
• Ensure regime stability
• Secure its geographic security by acquiring more territory
• Counter Western influence

Tactics

• State media
• Intelligence services
• Private companies
• Internet trolls
• Automated bots

China

Strategic Goals

• Ensure the Party’s legitimacy
• Increase global influence
• Become world leader in advanced technologies
• Establish sovereignty over disputed areas
• Prevent adversaries from constraining China

Tactics

• Carried out by Party, state, and non-state actors
• State media
• Funding and influencing foreign think tanks
• Social media operations
• “50 Cent” internet commentators

Iran

Strategic Goals

• Deter U.S. influence in Iranian affairs
• Counter isolationist policies imposed by the West
• Support specific U.S. policies favorable to Iran
• Anti-Saudi, anti-Israeli, and pro-Palestinian themes
• Significant anti-Trump messaging

Tactics

• IRGC-operated media outlets
• State media
• Legitimate social media accounts used by govt. officials
• sites and social media accounts

Domestic Cases

Homegrown disinformation is a growing problem in the United States

Actors can take advantage of democratic free speech liberties

Alt-right groups and ultra-conservative media outlets push fake content to drown out legitimate news

Some fake content is picked up by mainstream sites and pushed to larger audiences

Pizzagate and Black Lives Matter

Political Influence

Case Study: Russian influence in 2016 U.S. Presidential election

• Long-lasting payoffs in line with Russian foreign policy
  • More divisive American population
  • U.S. withdrawal from international treaties and institutions
  • Fractured U.S.-Europe relations
  • Increased cooperation between U.S. and traditional adversaries
  • Diminished U.S. role on the international stage

• Primary goals
  • Damage Hillary Clinton’s presidential campaign
  • Undermine the U.S. democratic process
  • Later on, Russia developed a preference for

• Tactics
  • State media portrayed Clinton negatively
  • Hundreds of social media accounts impersonating real and fictitious Americans
  • Fake accounts purchased ads to promote staged political rallies
  • Russian intelligence informed and enabled the influence campaign

Strategic Objectives and Case Studies

Amplify Divisions

Case Study: COVID-19

Russia

• U.S. using bioweapons to spread the virus rapidly
• Blamed the U.S. for virus outbreak
• Russia’s response has been better than the West
• Messaging in line with other disinformation operations against American science and medicine

China

• Promoted China’s success in controlling the virus
• Criticized U.S. response
• COVID-19 is a U.S.-made bioweapon
• Took advantage of European disunity in early weeks of pandemic
• Some storylines heavily pro-China

Iran

• COVID-19 is a U.S.-made bioweapon
• Accused Western media of spreading lies in Iran
• Touted Iran’s success in fighting virus
• Mocked Trump’s response to pandemic

Control Domestic Narratives

Case Study: Exploitation of Black Lives Matter Movement

Russia

• Portrayed U.S. as hypocrite for supporting former protests in former Soviet bloc countries but not BLM
• Accused Democrats of stoking unrest to overthrow Trump
• Mocked the U.S.’ mishandling of the protests

China

• Justified China’s suppression of pro-democracy movement in Hong Kong
• Offered sympathy for U.S. protesters
• Cast U.S. as hypocrite for support for Hong Kong protests but not BLM

Iran

• Emphasized U.S. racial discrimination and police force
• Discredited international criticism of 2019 Iranian crackdown on protests
• Supported U.S. protesters
• Pushed theme that racism and discrimination are main themes of Western culture

Russia or China (the column is not recoverable from the extracted slide)

• Amplified photos/videos of excessive police force

Facebook Groups Case Study

Facebook Groups

• What are they?
• How are they being abused?
• Case Study:
  – Looked at political groups
  – Focused on Biden
  – Associated w/ Texas
• Results from < 5 mins of searching

Challenges

• Already shown in takedown
• Can be used to create additional groups
• Currently only looking at public data
• Private groups could be problematic

Disinformation as a Service

Known Disinformation Campaigns

Archimedes Group

• Israeli firm
• Spent $800,000 on Facebook ads
• Accounts had 3 million followers

UReputation

• Tunisian firm
• Operation Carthage
• Influenced elections in multiple African countries

New Wave/New Waves

• UAE and Egyptian firms
• Accounts had 13.7 million Facebook followers
• Anti-Qatar and anti-Muslim Brotherhood narratives

Archimedes Group or New Wave/New Waves (the column is not recoverable from the extracted slide)

• Targeted audiences in multiple countries

Disinformation as a Service: Cybercriminal Underground Forums

Disinformation services are highly customizable

Costs vary from several hundred dollars to hundreds of thousands of dollars

The Russian underground has the lowest-priced fake news services, with prices remaining steady since 2017

Threat actors leverage aged accounts, write their own blogs, and can often get articles published

Industry and Government Response

U.S. Government

• Proposed legislation, but no laws passed
• Ongoing struggle between government and tech companies to find common ground

International Efforts

• Recommendations are often high-level, lack action points and measurable output
• Few proactive measures
• Some efforts aimed at fact-checking, identifying legitimate content
• E.U. tasked online platforms to provide monthly reports

Industry

• Slow shift in social media platforms taking steps to flag or remove false information
• Platform enhancements
• Significant changes result from public outcry or financial pressure

Cisco’s Fight Against Disinformation

Duo Labs

• Black Hat – “Don’t @ Me: Hunting Twitter Bots at Scale”
  • Better understand disinformation stemming from fake accounts and botnets
  • Discovered ways the bots evolved to evade detection
  • Botnet’s structure and organization
  • Shared findings with Twitter

Talos

• Four-year election security study (2016-2020)
  • Interviewed state, local, federal officials
  • Conducted independent research
  • Observed state’s election planning
• 2017 Fake News Challenge
  • Tested how various machine-learning techniques performed in identifying fake news on the internet

Outlook

Key Judgements

• Nation-states will increasingly look to incorporate disinformation operations as part of their strategy to advance foreign policy and national security objectives
• Social media platforms will remain one of the most effective ways for actors to create and spread disinformation
• Deepfake technology will become an increasingly common and challenging problem in the months and years ahead
• There are some encouraging developments that point to increased public awareness about disinformation

blog.talosintelligence.com @talossecurity