SA.502.177 section 01 Syllabus

Cybercrime and Cybercriminals

Syllabus Form Entrie(s) were copied on 04-09-2024 from SA.502.177.01.

Course Information

Cybercrime and Cybercriminals
SA.502.177.01 ( 4.0 Credits )
Fall 2024 [SA Fall 24]
Description
This course explores cybercrime's complex and rapidly evolving world. The course is designed to provide students with a solid foundation in investigative techniques for understanding cybercriminals' actions, including their motives, tactics, and strategies. Students will gain a thorough understanding of the various roles and functions within cybercriminal organizations. In addition, they will learn the methods used to monetize stolen data and other ill-gotten gains. Through lectures, case studies, and hands-on exercises, students will develop the skills to investigate cybercrime threat actors and assess intelligence reports' reliability and relevance. Upon completing this course, students will understand the inner workings of the cybercrime landscape. They will also be able to make informed decisions when faced with complex cyber threats. This course is ideal for graduate students interested in cybersecurity, law enforcement, or intelligence analysis.
Taught by Brandon Levene
Department: SA Security, Strategy, and Statecraft
College: Nitze School of Advanced International Studies

Instructor Information: 

Instructor

Course Schedule: 

Fall 2024 [Fall 2024]
Term Start Date: Thursday, 1-Aug-2024  Term End Date: Friday, 10-Jan-2025
Location and Schedule:  
Schedule Detail: [08-26-2024 to 12-02-2024, M 08:00 AM - 10:30 AM; Washington DC, 555 Penn 658]
CRN: SA.502.177.01.SA Fall 24

Course Learning Objectives

Course Learning Objectives (CLOs): 

  • Develop a broad understanding of the world of cybercrime, including the motives, tactics, and strategies involved.

  • Learn about cybercriminal organizations' different roles and functions and how these entities operate to accomplish their illicit objectives.

  • Gain insight into cybercrime's economic aspects by learning how cybercriminals monetize stolen data.

  • Students will be able to dissect real-world cybercrime breaches, identify the attackers' methodologies, and analyze the direct and indirect consequences for affected parties, thereby contributing to effective mitigation and response strategies.

Required Text and Other Materials

Books: 

No textbooks are required for purchase for this course. Please note that the course schedule section below lists all the course readings. 

For those of you interested in expanding your knowledge of the history of cybercrime and related disciplines, see below. Please note that the following readings are not mandatory for the course. 

  • "Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground," by Kevin Poulsen.
  • "The Dark Net: Inside the Digital Underworld," by Jamie Bartlett.
  • "Spam Nation: The Inside Story of Organized Cybercrime - from Global Epidemic to Your Front Door," by Brian Krebs.
  • “The Human Factor of Cybercrime (Routledge Studies in Crime and Society)” by Rutger Leukfeldt, Thomas J. Holt 
  • “The Future of Crime and Punishment: Smart Policies for Reducing Crime and Saving Money” by William R. Kelly
  • “The Economics of Online Crime” (Tyler Moore, Richard Clayton, Ross Anderson) https://www.aeaweb.org/articles?id=10.1257/jep.23.3.3
  • “Understanding Human Element In Cybercrime Is Key To Stemming The Problem” https://www.cybersecuritysummit.org/2017/07/06/understanding-human-element-in-cybercrime-is-key-to-stemming-the-problem/

Course Policies

Large Language Models and AI Assistants

Students using large language models and AI Assistants, such as OpenAI’s ChatGPT and Google’s Bard, as part of their research, must include a citation including which LLM/Assistant was used and a full exported chat log in PDF format, including all prompts and responses as an appendix submitted alongside their assignment. 

Students opting to use LLMs or AI assistants must include interpretations of generative AI output in their assignments, not the verbatim output of the models.

Late Policy

You are expected to contact your instructor in advance if you think you cannot meet an assignment deadline. However, if an assignment is late and prior arrangements have not been made with the instructor, the assignment score will be lowered ½ a letter grade for each day the assignment is late. 

Evaluation and Grading

Grading Breakdown: 

Class Participation (Q/As, Discussions) - 20%

Analysis and Assessment of a Persona within a criminal organization - 20%

Midterm - 30% 500-750 words 

Final - 30% 750-1000 words

Grading Scale: 

A 94 - 100

A- 90 - 93

B+ 88 - 89

B 85 - 87

B- 80 - 84

C 70 - 79

F 70 and below

Grading standards:

The following rubric and justifications should give you an idea of what to expect given the level of effort and quality of your deliverables:

  • A Simply outstanding. So good, there is no room or need for improvement (rarely given). 
  • A-  Work meets all requirements with distinction, provides excellent and insightful analysis, succinctly written, and well-argued. 
  • B+ Very good work that shows the student’s competency and understanding of materials and addresses all requirements, but demonstrates some minor errors. 
  • B Good work – perhaps inconsistent level of effort, but addresses all assignment requirements. Minor mistakes, but none flagrant nor denoting failure of understanding of materials.
  • B- Pass. Effort of work addresses all requirements, but quality is poor and lacks attention, rigor, and consistency.
  • C+ Pass. Work is sufficient but unsatisfactory, demonstrates flagrant mistakes, and/or fails to address the assignment’s question. 
  • C Students showed extremely poor effort and quality of work. Minimal pass. 
  • D Failed class because work is not completed and/or submitted.
  • F Administrative failure.

Description of Major Assignments

Persona Analysis 

Value: 20%

Length: 3 Minute Presentation (in class)

Due Date: October 7th, 2024 by 7:59am

Summary: Students will select a threat actor persona from a pre-filtered list and analyze their role, potential contributions, and key relationships within the larger criminal organization. Students will present these results to their peers in a short-form briefing presentation (not to exceed 3 minutes).

Midterm

Value: 30%

Length: 500-750 words

Due Date: October 28th, 2024 by 11:59pm

Summary: Students will identify a subsector of the cybercrime ecosystem for study. This can include: 

  • Service providers
  • Distributors
  • Access Brokers
  • Hands-on-Keyboard Intruders
  • Monetization
  • Other: at the instructor's discretion

Within the chosen subsector, students will analyze trends and activities inclusive of the previous year and create a high-level intelligence report to brief a strategic-level audience.

Final

Value: 30%

Length: 750-1000 words 

Due Date: December 9th, 2024 by 11:59pm

Summary: Analyze and assess a publicly reported breach; ensure that the motivations of the threat actor responsible are financial (vs. espionage). The target audience is a strategic-level reader who must understand the risks and outcomes. Students must select a topic by week 10 to provide ample opportunity for revision.

Course Schedule

Session | Topic | Description | Reading

Session 1: Foundations

  • A common language: Definitions and Types of Cybercrime
  • Scope: Primary focus areas for the class
  • The Big Picture: Key Concepts of the Ecosystem

Syllabus

Special Sauce: The Bespoke Specialization of Cybercriminals - Brandon Levene

https://www.youtube.com/watch?app=desktop&v=fjvXJO0Mprk

Session 2: Modern Cybercrime in Context

  • Understanding the Growth of Cybercrime
  • Key inflection points and trends
  • Evolution of Monetization

GitHub - Blevene/Crimeware-In-The-Modern-Era

https://kumu.io/pancak3/cybercrime-ops-demo#cybercrime-ops-demo/fin7

Session 3: Business of Cybercrime and Cryptocurrency Primer

  • Examining Cybercrime from a Business-Focused Lens
  • Horizontal and Vertical Integrations
  • Cryptocurrency and Cybercrime - Guest Speaker (40 min + 10 min Q&A)

https://documents.trendmicro.com/assets/white_papers/wp-inside-the-halls-of-a-cybercrime-business.pdf

https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

Session 4: Cybercrime Organizations

  • The Human Hierarchies in Cyber Criminal Organizations
  • The Social Dynamics of Cyber Criminal Groups

Selected, translated excerpts from “Conti Leaks” (PDF Provided)

https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/

https://www.cisecurity.org/insights/blog/the-conti-leaks-a-case-of-cybercrimes-commercialization

https://arcticwolf.com/resources/blog/conti-ransomware-leak-analyzed/

https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships

Session 5: The Psychology of Cybercrime: Pig Butchering, Romance Scams, Business Email Compromise, and Extortion

  • Understanding “low tech” cybercrime
  • Psychology of extortion and human emotion
  • Guest Speaker (40 min + 10 min Q&A)

https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-human-factor-report.pdf

https://darknetdiaries.com/episode/141/

Session 6: Student Presentations

  • 3-minute Student-Led Presentations with up to 1-minute Q&A
  • Students will be responsible for analyzing a chosen excerpt of “Conti Leaks” chat logs and presenting findings and assessments.

https://github.com/curated-intel/Threat-Actor-Profile-Guide/blob/main/The%20Threat%20Actor%20Profile%20Guide%20for%20CTI%20Analysts.pdf

https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html

Session 7: Communicating Cybercrime Intelligence

  • Distill TTPs from in-depth reading [Reading for context]
  • Models for standardizing and organizing TTPs
    • LM Killchain
    • Diamond Model
    • ATT&CK
  • Dissecting TTPs to Build a Narrative
  • Identifying knowledge gaps and resolving them

https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf

https://www.mitre.org/sites/default/files/2021-11/getting-started-with-attack-october-2019.pdf

https://apps.dtic.mil/sti/pdfs/ADA586960.pdf

https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/

https://thedfirreport.com/2023/03/06/2022-year-in-review/

https://github.com/curated-intel/CTI-fundamentals

https://www.documentcloud.org/documents/23834864-2023-dbir_full-report-final-1

Session 8: Adversary “Training” Guide

  • Understanding Threat Actor Techniques and Their Propagation
  • Assessing Actor Capabilities

Translated Manual “Tokyo Leaks” (PDF Provided)

Interpretation:

https://blog.talosintelligence.com/conti-leak-translation/

https://www.fortinet.com/blog/threat-research/affiliates-cookbook-firsthand-peek-into-operations-and-tradecraft-of-conti

https://github.com/DISREL/Conti-Leaked-Playbook-TTPs/blob/main/Conti-Leaked-Playbook-TTPs.pdf

Session 9: Simulation: KC7 Cyber

  • Students will use an instructor-selected module with an emphasis on pivoting and analysis

Intro to Pivoting and Analysis - KC7

Students will participate in a threat hunting exercise using synthetic security audit log data accessible via KQL.

Students *MUST* register and have a Microsoft email address in order to participate. Free, consumer accounts are eligible for accessing data.

Session 10: Gameover: Operation Tovar

  • Focused Assessment of Large-Scale Technical Takedown Operation and Its Aftermath
  • TBD: Elliot Peterson, FBI (Operation Tovar Case Agent)

U.S. Leads Multi-National Action Against “Gameover Zeus” Botnet and “Cryptolocker” Ransomware, Charges Botnet Administrator | OPA | Department of Justice

Session 11: Monetizing Intrusions: Breaches in Focus

  • Understanding the Human Cost of Stolen Data

2019 Baltimore Ransomware Attack:

https://www.nytimes.com/2019/05/22/us/baltimore-ransomware.html

https://www.vox.com/recode/2019/5/21/18634505/baltimore-ransom-robbinhood-mayor-jack-young-hackers

Kaseya:

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/

Costa Rica:

https://www.bleepingcomputer.com/news/security/how-conti-ransomware-hacked-and-encrypted-the-costa-rican-government/

https://www.wired.com/story/costa-rica-ransomware-conti/

MOVEit:

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a

Accellion:

https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/

https://www.mandiant.com/resources/blog/accellion-fta-exploited-for-data-theft-and-extortion

Session 12: OSINT and You

  • Using OSINT Data in the Pursuit of Cybercriminals
  • Guest lecturer [Ben A] (40 min + 10 min Q&A)
  • Case Study: Applying Human-Centered Threat Intelligence to a Real-world Scenario

https://www.crowdstrike.com/cybersecurity-101/osint-open-source-intelligence/

https://securitytrails.com/blog/what-is-osint-how-can-i-make-use-of-it

https://inteltechniques.com/magazine.html

https://www.bellingcat.com/resources/2021/11/09/first-steps-to-getting-started-in-open-source-research/

Session 13: International Responses to Cyber Crime

  • The Challenges of International Cybercrime Law Enforcement
  • Case Study: Legal Ramifications of Notable Cybercrime Events

https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya

https://www.cisa.gov/stopransomware/stopransomware

https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force-Report.pdf

https://securityandtechnology.org/wp-content/uploads/2023/05/Ransomware-Task-Force-Gaining-Ground-May-2023-Progress-Report.pdf

Policies

Academic Policies: 

  • Student and Academic Handbook

  • Honor Code

    Enrollment at SAIS requires each student to conduct all activities in accordance with the rules and spirit of the school’s Honor Code and Academic Integrity Policy listed in The Red Book: SAIS Student and Academic Handbook. Students are required to be truthful and exercise integrity and honesty in all of their academic endeavors. This applies to all activities where students present information as their own, including written papers, examinations, oral presentations and materials submitted to potential employers or other educational institutions. By the act of registering at SAIS, each student automatically becomes a participant in the honor system. In addition, students accept a statement during registration acknowledging that they have read and understand the Honor Code obligations. Violations of the Honor Code and Academic Integrity Policy may result in a failing grade on the exam or course, suspension or expulsion.  

  • Plagiarism

    Plagiarism is presenting or using someone else’s ideas, words, or work as your own without giving appropriate credit to that person. Whether intentional or unintentional, plagiarism is a violation of the SAIS Honor Code, to which all students are bound in all academic pursuits. Violations of the Honor Code can result in significant sanction, including grade reduction, course failure, and in severe cases, academic dismissal. 

    Johns Hopkins offers a self-paced online course that will help students learn key skills for avoiding plagiarism. It contains a series of brief pretests, interactive modules, and a final post-test to check your knowledge. We encourage you to enroll at the following link: Avoiding Plagiarism Online Course

  • Students with Disabilities - Accommodations and Accessibility

    Johns Hopkins University values diversity and inclusion. We are committed to providing welcoming, equitable, and accessible educational experiences for all students. Students with disabilities (including those with psychological conditions, medical conditions and temporary disabilities) can request accommodations for this course by providing an Accommodation Letter issued by Student Disability Services (SDS). Please request accommodations for this course as early as possible to provide time for effective communication and arrangements.

    For further information or to start the process of requesting accommodations, please contact Student Disability Services at SAISDisability@jhu.edu

  • Attendance

    Students are expected to attend all class meetings of their enrolled courses with the exception of fully online asynchronous courses, where synchronous live meetings may be optional. In the case that a student is unable to attend a required class meeting, the student should notify the faculty member in advance. Notifying a faculty member prior to an absence is a minimum courtesy and does not absolve the student of any negative consequences or grade deductions from missing a class, assignment, due date, or exam. Students should consult the syllabus and instructor for specific course attendance policies.

    In the case that a student must miss a class due to an outside extenuating circumstance, such as a medical issue, the student must contact the Office of Student Life. The student may be asked to provide documentation concerning the reason for the absence. A prolonged absence may necessitate a student’s withdrawal from a course or courses. Absences related to religious observances will be handled according to the appropriate guidelines.

    Students who do not attend courses during the first two weeks of the semester may be required to defer enrollment to a future term or take a leave of absence.

    Students may not attend a course for which they are not registered, either for-credit or as an approved auditor. 

  • Johns Hopkins Student Assistance Program

    The Johns Hopkins Student Assistance Program (JHSAP) is a professional counseling service that assists enrolled students at the Washington, DC campus with managing problems of daily living, such as stress, relationships and other demands that might affect their emotional well-being. JHSAP is a confidential resource that can help identify stressful situations and problems and support students in addressing them. JHSAP services focus on problem solving through short-term counseling. The program is fully sponsored by the university and provided to the student at no cost. For more information or to schedule an appointment, visit the JHSAP website or call 866.764.2317. Students at SAIS Europe should contact the Director of Student Affairs for services available at that campus.

  • Netiquette Guidelines for Online Courses

    For online course "Netiquette" guidelines, please click here.

  • Title IX

    The Sexual Misconduct Policy and Procedures (“SMPP”) apply to cases of sexual misconduct, which includes sexual harassment, sexual assault, relationship violence, and stalking. Complaints of sexual misconduct are processed pursuant to The Johns Hopkins University Sexual Misconduct Policy and Procedures. Questions regarding this Policy and these Procedures and any questions concerning Title IX should be referred to the University's Title IX Coordinator. Telephone: 410.516.8075, TTY: Dial 711, email titleixcoordinator@jhu.edu.

  • Student Code of Conduct

    Becoming a member of the Johns Hopkins University community is an honor and privilege. Acceptance of membership in the University community carries with it an obligation on the part of each individual to respect the rights of others, to protect the University as a forum for the free expression of ideas, and to obey the law. Students are required to know and abide by the University Student Conduct Code. It is important that you take a few minutes to read, review and know the Code before arriving on campus as your academic success is enhanced when you are a member of a respectful, safe, and healthy community.

    Complaints asserting Conduct Code violations may be initiated by: (1) The Assistant Dean for Student Affairs or designee; (2) a student; or (3) a member of the faculty or staff. The Assistant Dean for Student Affairs or designee has responsibility for administering matters initiated under the Conduct Code.

    We urge individuals who have experienced or witnessed incidents that may violate this code to report them to campus security, the appropriate Director of Student Life or the Assistant Dean for Student Affairs. The university will not permit retaliation against anyone who in good faith brings a complaint or serves as a witness in the investigation of a complaint.

  • Guidelines for Recording Class Meetings

    Faculty often record class meetings with students in attendance to make them available for review afterwards or for students who were not able to attend. The choice to record a meeting is a decision made by the instructor. Likewise, the choice to identifiably participate in a recorded meeting is a decision made by the student because these recordings are subject to the Johns Hopkins Intellectual Property Policy.

    Class meetings recorded by the instructor may be shared with students in the class for educational purposes related to this class. Students are not permitted to copy or share the recordings, transcripts, and/or chat logs with others outside of the class.

    Read the complete policy at Guidelines for Recording Class Meetings.

Generated by HelioCampus on 9/8/2024 at 9:27:39PM