Threats to the Aviation Sector Stu Solomon, iSIGHT Partners Vice President, Technical Services and Client Operations

Upload: todd-esse

Post on 14-Dec-2015


iSIGHT Partners
200+ experts, 16 Countries, 24 Languages, 1 Mission

www.isightpartners.com

Global Reach ThreatScape® - Adversary Focused Intelligence

Research: threats, groups; determine/capture motivation and intent

Analysis: Fuse knowledge across methods, campaigns, affiliations, historical context

Dissemination: Deliver high-fidelity, high-impact, contextual, actionable insights

Proven Intelligence Methodology

• Cyber Crime
• Cyber Espionage
• Denial-of-Service
• Enterprise
• Hacktivism
• Industrial Control Systems
• Mobile Vulnerability and Exploitation

iSIGHT Partners
Formal Process
Rich, Contextual Threat Intelligence

1. Research Team submits data based on collection requirements set by analysts and customers – tagged with source veracity
2. Analysis Team applies a best-of-breed methodology to fuse all-source intelligence into validated reporting linked to indicators
3. Customer feedback and ad-hoc requests for information complete the loop of a dynamic information collection process

Diagram labels: iSIGHT Partners Analysis Team; iSIGHT Partners Customers; Research Repository; iSIGHT Partners Research Team

• Human Intelligence
• Open Sources
• Community Engagement
• Underground Marketplaces
• Technical Sources

Today's Global Threat Landscape

• Active & Global
  – Transcends Geographies and Sectors
• Multiple Motivations
  – Cyber Crime, Espionage, Hacktivism, Destruction, etc.
• Low Barriers for Entry
  – Actors use tools that work; not necessarily sophisticated methods
  – Open marketplace providing capabilities
• Structured & Vibrant
  – Ecosystem providing better tools, infrastructure, sharing ideas and methods, pooling resources

The Threat Focus Trap
Cross-Over Attacks

• Zeus Trojan:
  – Most Popular Credential Collection Malware
  – Originally Created by Russian Cyber Criminals
  – Cross-over to Cyber Espionage
  – Multiple benefits
• DarkComet & University of Washington
  – Key logging trojan affiliated with cyber espionage campaigns with a nexus to Iran
  – Cross-over to cyber crime
  – Ultimate goal: compromise financial credentials or personally identifiable information (PII) to perform fraud or identity theft

Aviation Sector Threats
Multiple Adversary Motivations

• Cyber Crime
• Hacktivism
• Cyber Espionage

Cyber Espionage

• Competitive Advantage
  – Targets aviation and aerospace engineering firms
  – Locates intellectual property for commercial or military advantage
• Locational Info of Dissidents
  – Travel dates and location information on individuals of interest

China: National Priorities and Targeting

1. Internal Security
   A. Maintaining the regime
   B. Separatist/Splitists
2. External Security
   A. Regional threats
   B. Global security
   C. Military modernization
3. Economic Growth
   A. Energy Development and Conservation
   B. New-Generation IT Industry
   C. Biology Industry
   D. High-End Equipment Manufacturing
   E. New Energy

Chinese Teams – Conference Crew

• Highly focused on Defense Industrial Base
• Identifiable by unique malware/infrastructure
• Targeting of US and Taiwan
• Uses conference attendee lists
  – Military events
  – Vendors lists

Cyber Crime: Credential and Identity Theft

• Airline-Themed Phishing
  – Fake offers for discounted airline tickets
  – Lures for the installation of credential theft malware
• Monetization Method
  – Airlines abused as a cash-out function to support other criminal schemes
  – Actors may compromise airline systems directly

Targeted Lures

• AIAA materials used to entice recipients to click on malware embedded emails
• Asprox malware campaign
• Credential theft

Hacktivism: Harassment

• Hacktivists may target aerospace engineering firms for the promotion of ideological/political beliefs
• Commercial aviation is generally less affected by this type of actor

Hacktivism: Disruption & Destruction

• Terrorism
  – This remains theoretical at this time
  – Control of aviation industrial control systems could be used to enable kinetic attacks
  – Hacktivists engage in information gathering
    · Conduct an attack
    · Monitor persons of interest

ADS-B Vulnerabilities

The Automatic Dependent Surveillance-Broadcast (ADS-B) system is subject to spoofing attacks.

Multiple spoofing operations are possible:

– Scenario 1: An ADS-B system could be spoofed to generate a false hijacking code, one that could then be rescinded, creating a conflicting picture.

– Scenario 2: An ADS-B spoofing operation could generate a screen full of fake (ghost image) aircraft heading toward a private jet, while a regular radar signal from the vicinity of the jet shows a perfectly normal situation.

Additional Risks

• Availability of 3rd Party Information
  – The Impact of Published Vulnerability Research
• Common set of standards, international policy
  – Shared responsibility between governments, airlines, airports, and manufacturers
• Access Control
  – Insider Threat
  – Part of an ecosystem; Internet connectivity
• Balance Safety and Security

Challenges to the Aviation Industry

• Many victims of economic espionage are unaware of the crime until years after loss of the information
  – Inadequate or non-existent monitoring and incident response to even detect activity
• Most companies don’t report intrusions in fear it could tarnish a company’s reputation
• Won’t accuse corporate rivals or foreign governments of stealing its secrets due to fear of offending potential customers and partners
• Hard to assign monetary value to some types of information
• Many CIOs don’t focus on cyber security and are unaware of the true threats

Lessons Learned From Other Industries

Establish strong information sharing protocols

Drive Public/Private Partnership

Enable a culture of (Information) Security

Change the conversation to include business context

Employ basic information security hygiene

Continuously seek to understand the evolving threat

Recognize that you are not unique

Understand third party connections

Agree on standards and support them as a community


iSIGHT Partners

Questions?

Website: www.isightpartners.com

E-mail: [email protected]

Information: [email protected]
