M+E Daily

Significant ransomware attacks continue to seemingly make headlines every week as media and entertainment (M&E) and other companies battle the major threats posed by advanced persistent threat (APT) groups, Chris Taylor, director of the Media and Entertainment Information Sharing and Analysis Center (ME–ISAC) and director, content security at Skydance, said at the 6th Dec Content Protection Summit (CPS).

During the panel session “APT Groups: What are They and Why Should You Care?” Taylor discussed what groups are behind most of the attacks, how many attackers are out there, and more during a quick introduction to some of the most active attackers on the Internet.

First, he noted that ME-ISAC is an “intel fusion centre” whose entire job is to “bring in data from as many different places as possible, do some level of analysis on that data and then provide the data to all of you in the form of machine feeds, emailed alerts, write-ups on who the threats are and how they’re affecting you.”

ME-ISAC, which all Content Delivery & Security Association (CDSA) members qualify to join, tracks the “atomic indicators of what is going on when a new piece of ransomware comes out” and studies the different IP addresses or domain names that he explained will “help us identify that piece of malware and then be able to turn that into block rules in your firewalls or your antivirus products to help you defend yourselves from those pieces of malware or other tools that are going to hurt you.”

ME-ISAC  also runs a research and analysis centre where intel analysts study all of that data and build out trends on which attackers are the “most prolific” and what tools are more likely to attack us next year based on this year’s trends, he said.

ME-ISAC also meets with and brings in data from federal government agencies, and does training and outreach, such as speaking at conferences like CPS, he noted.

The APT Challenge

Moving on to APTs, Taylor said: “I’ve got easily about an hour’s worth of content and I’ve got about a 20-minute slot” to provide it.

“We track who the bad guys are out on the internet and then we roll up dossiers on who those attackers are,” he said, noting, “you see this in the movies all the time, when somebody pulls out that little file folder and they’ve got their picture and the background story on who they are and where they went to school as a kid.”

All of the individual atomic indicators combined in an attack “help give us clues as to who the attacker is behind that breach and, once we’re able to properly attribute an attacker to an incident, then we start building up that dossier of who” the attacker is and what motivates them, he explained.

The “Advanced” part of APT “refers to the fact that these attackers are very, very advanced in their skillset about how they attack targets,” he said, adding: “There’s a gradient scale to this. Some of the attackers are incredibly skilled. Some of them are idiots who are just really well financially motivated to go do bad things. That they’re all classified as “advanced” refers mainly to the methodologies they use and “how they attack you, not necessarily what tools they use to attack you,” he explained.

The attackers’ tools are “quite frequently, incredibly simple – commodity stuff you can go download off the internet yourself,” he said, adding: “The methodology that they follow for breaching is why they are successful target after target, after target…. What we’re referring to when we talk to them as being ‘Advanced Persistent’ hints to the fact that we keep seeing the same attackers over and over again, hitting multiple targets or the same target multiple times [and] the fact that they’re determined and they will keep coming back enough that we bother to name them and talk about them.”

The attackers ME-ISAC is targeting are those “who wrote the malware; it’s the person who gained access to your system and then delivered that malware,” he said, adding: “It’s the person who profits from that ransomware being on your systems. This is an entire industry of bad guys. It’s not a single guy sitting in his mom’s basement as you have frequently heard in various movies and news media. This is organised crime. This is an entire industry of multiple people working together.”

Around 2006, “when I was doing this type of intel work for the federal government, we had somewhere between 12 and 15-ish groups that we had bothered to name because we were seeing them frequently enough,” he went on to say.

That grew to about 60 groups and, “right now, I’m tracking over 430,” he said, adding: “These threats are growing. They’re not going away.”

Some of the groups are state sponsored, which means they are employees of a federal government that means to do us harm,” he noted, adding they are very often linked to the Russian or Chinese governments.

Presented by Fortinet and produced by MESA, CDSA’s Content Protection Summit is sponsored by Convergent Risks, Richey May Technology Solutions, GeoComply, Signiant, Verimatrix, Shift Media, EIDR and EZDRM.