The TechnologIST, May edition

Happy Monday!?I'm Sophia Mauro , Deputy Director of Strategic Communications at IST. This month, join me in discussing?our latest report on mapping threat actor behavior in the ransomware payment ecosystem?with author Zo? Brammer , hearing about the latest IST updates, including?team CATALINK's?workshop on nuclear risk reduction in London and the #RansomwareTaskForce celebration of two years of implementation and impact, and learning about the Strategic Balancing Initiative from Katherine Schmidt , the newest member of the IST team.?

The following is a preview of our latest newsletter. To subscribe and make sure you don't miss the full story, click the link below:?

Mapping Threat Actor Behavior in the Ransomware Payment Ecosystem: A Mini-Pilot?

In our?May 2023 Ransomware Task Force Progress Report, we conclude that despite significant progress against the original 48 Ransomware Task Force recommendations, “ransomware remains a major threat to both companies and civil society, with reports of increasing numbers of attacks against organizations in Latin America and Asia.”?

In 2022, ransomware impacted 2,025 educational institutions, 290 hospitals, and 105 local governments in the United States.?

Credit:?Emsisoft

Central to our ability to mitigate this threat is understanding how actors are carrying out these financially-motivated attacks–and what entities are involved throughout the process.?

As attackers move from the ransomware attack itself to ransom negotiations, payment, obfuscation, cash out, and resourcing as they ready for the next attack, these actors are encountering entities with specific visibility into each component of the ransomware ecosystem and producing information at each point. Taken together, accurate depictions of this information and visibility can illuminate concrete actions that could add friction to the ransomware process, thereby reducing the profitability of ransomware and disincentivizing its use.?

In November 2022, IST published?Mapping the Ransomware Payment Ecosystem, a first step towards this goal.?Now, we are releasing?Mapping Threat Actor Behavior in the Ransomware Payment Ecosystem: A Mini-Pilot?to dive deeper into the entities commonly leveraged by ransomware actors as they prepare for and carry out attacks.

I spoke to Zo? Brammer, author of the mini-pilot, about her findings:?

Q: What is a ‘mini-pilot’? How did you go about conducting it??

A: "We created the mini-pilot to overlay actual threat actor behavior on the original ransomware payment ecosystem map. “Mini” indicates the bounded nature of this exercise – it’s specific to ransomware threat actor behavior – and “pilot” indicates the nature of the exercise – to test the validity of our theoretical map.?

To conduct this mini-pilot, I collected data from a blockchain analytics company, an incident response company, and several security researchers. I ensured the data was adequately anonymized, for example by removing all references to specific ransomware groups and other identified entities. Once I gathered cases of ransomware attack pathways to work with, I overlaid this data on the existing ecosystem map to highlight tools, services, and entities leveraged by threat actors to carry out their attacks."?

Q: What did you find through your investigation of threat actor behavior? How does this relate to the overall ransomware payment ecosystem??

A: "In conducting the mini-pilot, we found that threat actors leverage many tools and services that aren’t directly involved in facilitating ransom payments, including but not limited to cloud service providers, hosting providers, domain registrars, and tooling providers. This underscores the importance of many of the entities depicted in the original map; these entities have the potential to achieve technical visibility into critical information that may help thwart attacks or claw back ransom payments. Ultimately, the mini-pilot findings suggest that there may be a wealth of potential disruptive opportunities, not just for entities directly involved in ransom payments, but by other entities in the ecosystem."

Q: Walk me through the above, pictured portion of the map - what is happening, and how is it relevant??

A: "In developing the mini-pilot, we added a resourcing phase to the map, between cash-out and attack. This portion of the map depicts the truly cyclical nature of these attacks. After victims pay a ransom and threat actors obfuscate their profit, the actors dump their proceeds into cryptocurrency wallets. In developing this mini-pilot, it became clear that threat actors often use the currency in these wallets to pay for tools and services acquired during the resourcing phase, which are in turn used to build out attacker infrastructure and prepare to carry out the next attack. This graphic depicts that process. In my view, this underscores one of the crucial takeaways from this mini-pilot: it may be possible to design disruptive opportunities that leverage the cyclical nature of the ransomware ecosystem by targeting critical pieces of threat actor infrastructure and other tools and services they rely on to prepare for and carry out attacks."

Q: In November 2022, IST and the Cyber Threat Alliance published the?Cyber Incident Reporting Framework, which outlines what a model reporting framework could look like. How does the mini-pilot relate to this work??

A: "Cyber incident reporting is critical to creating a comprehensive picture of the threat we’re facing. Without reporting, our view of the ecosystem and the threats we face remains patchy. We need comprehensive reporting in order to generate an accurate understanding of threat actor targets and tactics, techniques, and procedures. Reporting is one avenue by which to ensure that relevant information is shared, and when further disseminated, can enable other entities to disrupt the ecosystem by helping paint a full picture of the threat as it unfolds. Through the map, which highlights the entities that could voluntarily report or otherwise share relevant information, we see the benefit of cyber incident reporting.

Additionally, the mini-pilot underscores the potential for information sharing opportunities beyond reporting between entities in blue on the map. Each entity sees a piece of the picture. The mini-pilot suggests that opportunities currently exist to better leverage threat actor information to frustrate ransomware attacks."

“This mini-pilot indicates that there may be a range of opportunities to add friction for all entities depicted in the ransomware payment ecosystem map, and that disrupting this ecosystem requires not just a multistakeholder approach but a strategic one. By centering threat actor behavior, it may be possible not only to disrupt the ecosystem, but to predict where these actors will move as the ecosystem tightens its grip on illicit activity.”

- Mapping Threat Actor Behavior in the Ransomware Payment Ecosystem: A Mini-Pilot

Updates from IST

Gaining Ground: Two Years of Implementation and Impact

On May 5, the Ransomware Task Force and partners from across industry, government, and civil society gathered for a day of action on the current status of the ransomware threat, the Ransomware Task Force’s efforts, and what’s to come. The event featured a fireside chat with Acting National Cyber Director Kemba Walden and 7 panels on topics ranging from the ransomware data ecosystem and the drivers behind the illicit #crypto ecosystem to efforts to drive international and domestic counter ransomware collaboration.?Watch the livestream.?

IST announces new partners, funding to advance the Future of Digital Security for 2023

IST announced over $2.29 million in funding for 2023. New donors joining the Ransomware Task Force, together with $1 million in additional support from the William and Flora Hewlett Foundation Cyber Initiative, and a total of $1 million from Craig Newmark Philanthropies for 2023 will transform our ability to advance the Future of Digital Security.

Team CATALINK hosts Track 1.5 workshop on crisis communications resilience in London

On May 3, the?IST CATALINK Team hosted a two-day workshop in London?with policymakers, scholars, diplomats, and technical experts from across the world. Participants explored whether current crisis communications channels and capabilities available to nuclear states are sufficient in today's multi-polar world.

IST in the News

Spotlight on Ransomware Task Force’s Gaining Ground

“Two years after a coalition of cybersecurity companies, public sector organizations and federal agencies came together to form the Ransomware Task Force at the nonprofit Institute for Security and Technology, these digital crimes remain an ongoing and serious problem with attacks seemingly increasingly severe,”?writes CyberScoop ’s Tonya Riley .?

WaPo Editorial Board: More information needed to tackle ransomware?

Despite progress against the threat of ransomware, obstacles remain,?according to the Washington Post’s Editorial Board. Citing the May 2023 Progress Report and event, they say, “There are ways to ameliorate these obstacles — and, perhaps not so coincidentally, they line up with task-force recommendations.”?

Advancing operational collaboration is a must, says Megan S. ?

DarkReading’s Nate Nelson spoke with Megan Stifel?about efforts to tackle ransomware going forward. Her priority is advancing operational collaboration: "We need to be...closely integrated while also respecting privacy and civil liberties in leading these investigations and showing that a rule of law based approach to combating this type of cybersecurity risk [—] ransomware is a successful one."?

Marc Rogers on a shared responsibility model for OSS security

Marc Rogers outlined the idea of a shared responsibility model for open-source software security. “You can't have three people in Nebraska who build a very cool software product getting the lion's share of the focus from billion-dollar corporations. It's not realistic, and it's not going to solve anyone's problems.”?Read more from GovTech’s Jule Pattison-Gordon .

Katie on the National Defense Science and Technology Strategy

The 2022 National Defense Strategy (NDS), released last October, set out U.S. Department of Defense (DoD) priorities and called for the construction of “enduring advantages” for the U.S. defense ecosystem. On May 9, DoD followed up on NDS priorities with its National Defense Science and Technology Strategy (NDSTS), which expands on how DoD can invest in technological innovation as a major element of economic competitiveness and national security.

Katherine Schmidt, Associate for Geopolitics of Technology at IST, laid out the strategy’s top lines, provided important context for its release, and summarized her takeaways in our latest Strategic Balancing Initiative Fact Sheet.?

I spoke with Katie for more on the fact sheet and her ongoing work in the Strategic Balancing Initiative:?

"As we mention in the Fact Sheet, the NDSTS is not novel; it builds on decades of efforts to modernize defense acquisitions and research and development of new technologies. The NDSTS and other similar strategies do, however, help set the tone for future public-private engagement as well as guide existing initiatives. At the highest level, understanding U.S. government priorities and opportunities related to critical technology innovation is key to successful private sector engagement with the government: industry can better communicate how its technologies enable identified critical capabilities, ultimately better positioning it as a partner.?

These communication gaps are exactly what the IST Strategic Balancing Initiative (SBI) team is focused on remediating. We look forward to further engagement with both Silicon Valley and Washington, D.C. on the challenge–and opportunity–of fostering American technological innovation. Stay tuned for future work from SBI!"

What We're Reading

Want more tech and security content? Check out some of the ISTeam's favorite pieces from the past month:?

• In the aftermath of two recent DOJ press releases announcing operations against cyber criminals,?what is the status of ongoing efforts to disrupt the ransomware ecosystem?
• OpenAI, the company behind popular AI chatbot ChatGPT,?announced a data breach in the ChatGPT system?that exposed titles and initial messages of active users’ chat history. The breach raises concerns that?chatbots have quickly become a new prime target?as an attack vector.?
• So-called ‘Singularists’ believe that AI is an existential risk to the human race.?“I worry that singularists are focusing the world’s attention in the wrong direction,” writes Timothy Lee.?
• By calling for unification with Taiwan “at all costs,”?Tong Zhao worries that public and policy elites in China?are hurtling towards the brink of war.?
• New research has devised an algorithm?that can listen to satellite signals and pinpoint physical locations on Earth “with unprecedented accuracy.”?

The?Institute for Security and Technology?designs and advances solutions to the world’s toughest emerging security threats. It is a nonpartisan, nonprofit network based in the San Francisco Bay Area dedicated to solving critical international security challenges through better technology and policy.?Donate today to support our mission.

Thanks for reading The TechnologIST!?To be sure you don't miss the next edition,?subscribe here.