Blog · 02 Oct 2020

The vital role of threat intelligence in today’s cyber defences

News from the frontline of BT’s cyber defence team: why the human firewall and exploring the known unknowns are essential to your cyber security.

Before I joined the threat intelligence and investigations team at BT, I spent 25 years in law enforcement leading teams tackling the fight against organised crime.

So I speak from experience when I tell you that, in terms of cybercrime, the basic principles never change.

Threat actors are still trying to gain access to the most prized possessions of people and businesses, whether that’s cold hard cash, data, intellectual property or inside knowledge they’ll use for geo-political influence or commercial gain.

It’s a cold, hard truth that you won’t win a fight against those intending you harm without intelligence. As Donald Rumsfeld famously said when US Secretary of State for Defence, cyber security is all about the knowns and the unknowns. There are the known knowns (the things we know), the known unknowns (where we feel we have a gap in our knowledge) and the unknown knowns (a zero-day vulnerability; the things we have seen and have yet to truly understand). I spend my working life bringing people, processes and technology together to get a helicopter view of all issues to enrich our picture of the most virulent emerging cyber threats and threat actor groups.

So what are we seeing now?

Consistent attack methods demand outstanding cyber hygiene

Although the trend for demanding money continues to grow, the tactics used to deliver the payload or network access remain relatively consistent. Phishing, insider threats and exploiting poor network security are the most likely forms of attack you’ll come up against. Your strongest defence is making sure your staff have excellent cyber hygiene — that they understand why it’s so important and are vigilant all the time. This will create a human firewall at the very edge of your network.

Without an active human firewall, the recent hacking plot that offered a Tesla employee $1 million to plant malware at the company’s Gigafactory could have succeeded.

Everyone throughout your organisation needs to be on the alert, but it’s worth calling out that we know threat actors will target certain role holders: not only the executive positions, as seen in previous whaling attacks, but also a wider community of differing ‘personas’, because the threat actors will try to manipulate anyone into performing specific actions that will give access to the business’s crown jewels.

Beware the threat-actor meeting of minds

Historically, malicious code was designed and delivered by the same individual or group, but now there’s a much more open market where, for a price, malware is available for others to use. There’s an increasing trend for groups to come together; for threat actors to join forces and use the power of collaboration for mutual benefit. They’re joining together to carry out attacks, but also to provide the infrastructure to obfuscate the true launch site and nature of the attack. We see this at an organised crime level and also at a nation state level. In 2019, for example, we first identified definite links between the Lazarus cybercrime group and a Russian criminal group (TA505) when they worked together to exploit banking networks. Other nations have been widely accused of using cyber attacks to fund their government. One example is the 2016 cyber heist that used the SWIFT network to illegally transfer close to US$100 million from Bangladesh Bank.

A spike in ransom denial of service attacks

New tricks and methods emerge every day, showing the importance of understanding the known unknowns and the unknown unknowns. It only takes one small mistake by one person to cause significant harm to the organisation.

One thing to watch out for is the Ransom Denial of Service (RDoS) attack, where someone threatens to deliver a DDoS attack unless a ransom is paid. It’s the equivalent of blockading the road outside your delivery depot and threatening to stop people passing unless payment is made. The wide availability of easy-to-use ‘stressor’ tools makes this an option for even the least knowledgeable of threat actors. Simple but effective, these attacks don’t have to get hold of your data; they can just disrupt your operations. In many cases, no actual attack is carried out. To defend against RDoS attacks, monitor your traffic and events so you can pick up on the early presence of abnormal traffic. You’ll then be able to divert operations around the attack vector, while monitoring the original attack and its sources.

Threat intelligence that protects

In summary, we all need to remain vigilant if we’re to stay one step ahead of the ‘enemy’. It’s essential to assume nothing, question everything and verify all. To find out more about how our threat intelligence services can help, get in touch with your account manager.

Or why not improve your insight right now by signing up to our daily security headlines alerts? We include the key stories that our security analysts are gathering, our evaluation of what’s going on, as well as updates on the nature of the threats we face, and the range of potential attack strategies.