Start your day with intelligence. Get The OODA Daily Pulse.

Social Engineering Remains the Coin of the Realm for Ransomware Gangs (or APTs- Advanced Persistent Threats)

We have been on the social engineering (aka Human Risk Management or Human Engineering beat for a while – providing resources to our readership and the OODA Network regularly.  Those resources are compiled here for individuals or organizations who want to follow up on some of the ideas presented in the 60 Minutes segment.  We encourage follow-up and reviewing your threat vectors and vulnerabilities vis a vis the social engineering threat.  There are plenty of pragmatic implementation resources here – especially in the OODAcast conversations with OODA affiliates who are the experts on the social engineering threat), which are a call to action.  

For the uninitiated, the 60 Minutes segment was also a great primer on what the cybersecurity community knows all too well—that good old-fashioned social engineering (a hustle or a con—like some of the stunts Sinatra and the gang pulled in the original Ocean’s 11) remains the main point of entry for most large-scale ransomware hacks. Can someone say the Podesta emails (a fake password change email from the IT department)? Or Stuxnet (which came down to, in the end, someone unwittingly walked into the Iranian nuclear facility with a USB drive with malware on it).   

 

Mainstream media is the end of the line for specific OODA Loop themes and research areas. As much as we use scenario planning methodology and the OODA Loop for our information filtering and curation, ideally, we are not learning anything startlingly new in the New York Times, the WP, or the WSJ.  60 Minutes is an interesting case.  They have devoted a few segments to AI and covered Quantum Science fairly recently.  They have perfected making complex, challenging information accessible and sensible, with well-thought-out What Next? Questions throughout the segment.  So, we were not surprised at the quality of their recent segment on the ransomware epidemic, Scattered Spider’s attack on the MGM Grand, and a few other properties on the Las Vegas Strip last year.  They hit all the major plot points and the strategic implications – which mirrored our coverage to date.  As much as we all pine for validation, it was rewarding to be in sync with the information covered in the segment. It was also great to see a vehicle for the broad exposure of the concepts of social engineering to the general public – as it definitely suffers from a few cognitive biases  (‘that won’t happen to me/you only see that stuff in a spy novel or a Hollywood political thriller). 

FBI and CISA Release Advisory on Ransomware Gang (Scattered Spider) Behind the Recent MGM Attack

This joint FBI and CISA advisory is essentially an update on the activity of the ransomware gang Scattered Spider, which was attributed to the MGM attack in September of 2023.

Scattered Spider

Summary

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to recent activity by Scattered Spider threat actors against the commercial facilities sectors and subsectors. This advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI investigations as recently as November 2023.

Scattered Spider is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks. Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs.

The FBI and CISA encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of a cyberattack by Scattered Spider actors.

Download the PDF version of this report:  A23-320A Scattered Spider

The MGM Cyberattack Should be a Wakeup Call for Corporate Boards: Will they hit the snooze alarm again?

Our research and tracking of the global information war and the dramatic increase in ransomware attacks over the last three years have been indicating, for some time, that more attacks were coming and that corporate boards and their directors should prepare. The MGM ransomware attack makes this point well. Details here.

After the Impact of the Change/United Healthcare Ransomware Attack, HHS Bolsters Healthcare Cybersecurity Initiatives

The ransomware epidemic is starting to feel like one continuous incident report and a growing national security concern – not to mention the dormant “ghost in the machine” capabilities that have already been positioned in the U.S. internetwork (by nation-state and non-nation-state players alike) as part of a strategic plan for a larger act of cyber war in the future. Following is a tick-tick (no pun intended) of the recent attack on the Change/United Health Group, which has been attributed to the Russia-affiliated ALPHV/Blackcat ransomware group. 

Government Agencies are in the Fight Against Chinese Human Targeting and Cyber Espionage. Will it be Enough?

Every year, we make a point of returning to a few social psychology, organizational behavior, and human behavioral psychology factors, namely how your organization should integrate the threat of human targeting and social engineering into your overall company culture and cybersecurity strategy.  This post is an update from the frontlines, offering some assurance that the feds are doing some serious blocking and tackling – using formal prosecution and criminal accountability as a deterrent across the public and private sectors.  Recent offensive and defensive tactics from the Justice Department, the Department of the Treasury, the State Department, and a CISA/FBI/NSA joint advisory are summarized here, followed by a black swan, worst-case scenario analysis.  

Cyber Defense Insights and Resources for the Corporate Board (Human Risk Management, Social and Human Engineering)

In the shadow of the recent MGM Cyberattack (and other recent ransomware attacks in U.S. and in the Pacific Islands), cyber defense is in the spotlight.  Specifically, what role should corporate boards play in human risk management, as well social and human engineering defenses?  Following are OODA Loop resources on these cyber threats, addressing the question of whether “the human factor” is properly addressed at the company culture level  – or is it purely an IT operational concern? 

Emerging Tech Talent, Human Targeting, Cyber Workforce Development, STEM Stay Rates, and National Security

Amidst our research on exponential innovation and national cognitive infrastructure protection, it is easy to take a purely technology-based perspective and neglect the human factor:  the role of trained talent and future innovators in building the technology and platforms to solve the most pressing problems and address future risks, opportunities, and threats.  The OODA Loop Talent Superpower Strategy (The Human Factor) Series of posts over the course of this year is designed to track, research, and synthesize these vital strategic issues:

Additional OODA Loop Resources 

For further OODA Loop News Briefs and Original Analysis on these topics, go to: 

Cyber Risks

Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and their directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk

Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has made regional issues affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See The Cyber Threat

Ransomware’s Rapid Evolution: Ransomware technology and its associated criminal business models have seen significant advancements. This has culminated in a heightened threat level, resembling a pandemic in its reach and impact. Yet, there are strategies available for threat mitigation. See: Ransomware, and update.

Challenges in Cyber “Net Assessment”: While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine if a system can be compromised without guaranteeing its invulnerability. It’s imperative not just to develop action plans against risks but to contextualize the state of cybersecurity concerning cyber threats. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat

Recommendations for Action

Decision Intelligence for Optimal Choices: The simultaneous occurrence of numerous disruptions complicates situational awareness and can inhibit effective decision-making. Every enterprise should evaluate its methods of data collection, assessment, and decision-making processes for more insights: Decision Intelligence.

Proactive Mitigation of Cyber Threats: The relentless nature of cyber adversaries, whether they are criminals or nation-states, necessitates proactive measures. It’s crucial to remember that cybersecurity isn’t solely the responsibility of the IT department or the CISO – it’s a collective effort that involves the entire leadership. Relying solely on governmental actions isn’t advised given its inconsistent approach towards aiding industries in risk reduction. See: Cyber Defenses

The Necessity of Continuous Vigilance in Cybersecurity: The consistent warnings from the FBI and CISA concerning cybersecurity signal potential large-scale threats. Cybersecurity demands 24/7 attention, even on holidays. Ensuring team endurance and preventing burnout by allocating rest periods are imperative. See: Continuous Vigilance

Embracing Corporate Intelligence and Scenario Planning in an Uncertain Age: Apart from traditional competitive challenges, businesses also confront external threats, many of which are unpredictable. This environment amplifies the significance of Scenario Planning. It enables leaders to envision varied futures, thereby identifying potential risks and opportunities. All organizations, regardless of their size, should allocate time to refine their understanding of the current risk landscape and adapt their strategies. See: Scenario Planning

Track Technology-Driven Disruption: Businesses should examine technological drivers and future customer demands. A multidisciplinary knowledge of tech domains is essential for effective foresight. See Disruptive and Exponential Technologies.

Daniel Pereira

About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.