At the end of October, dozens of US hospitals were compromised in a series of apparently co-ordinated ransomware attacks. The disruption these caused to healthcare organisations currently battling Covid-19 was morally reprehensible, but sadly not an uncommon sight. The truth is that certain ransomware groups today are operating with a sophistication that a few years ago would have been the preserve of only state actors and a select few organised cybercrime gangs.
Improving our threat intelligence capabilities is the best chance we have of understanding, disrupting and mitigating the business risks that the cyber threat landscape poses. This will not only require buy-in from chief information security officers (CISOs) and boards, but changes to the threat intelligence industry itself.
What have we learned?
By volume, the majority of the threats seen on a daily basis are automated, commodity attacks – “spray-and-pray” efforts designed to catch out organisations and individuals who have obvious gaps in their defences. The real threat to businesses, however, comes from more targeted approaches, such as the “human-operated” or “hands-on-keyboard” activities seen in the evolution of ransomware attacks in recent years, and the motivated and persistent targeting of state-backed threat groups.
Ransomware operators have found a number of ways to get scale and speed in their attacks. Scanning for exposed Remote Desktop Protocol (RDP) logins and exploitation of vulnerabilities in networking services are two popular techniques for gaining access; tried-and-tested approaches using phishing emails also remain prevalent. Off-the-shelf pen-testing tools such as Cobalt Strike and “living off the land” techniques are used to blend in and move laterally. This allows the operators to stay undetected, providing the time needed to exfiltrate large amounts of data for “double extortion” attacks and to deploy ransomware across the victim estate. Recent cases have shown that these attacks can move from “end to end” in a matter of hours.
While the limelight of the threat landscape has been dominated by ransomware in 2020, a number of other developments have been taking place. State actors have diversified their interests, and while sectors such as government and defence remain key interests, healthcare and Covid-19 responses have occupied a greater portion of their tasking.
Furthermore, “hacker-for-hire” groups such as Dark Basin have come to the fore in 2020. Such activity is increasingly commonplace, with groups such as these tasked to obtain login credentials and network access to targets in a range of sectors.
What can be done?
Security experts often talk about the need for IT hygiene: best practices like prompt patching, endpoint security and multi-factor authentication. These certainly play an important role, and the steps outlined by the National Cyber Security Centre (NCSC) and the government’s Cyber Essentials scheme are a great place to start. Yet best practice security will only get you so far, and time has also shown us how difficult it can be to “do the basics right” without leaving gaps.
To proactively enhance threat defence, you need to understand the tactics, techniques and procedures (TTPs) of those seeking to harm your organisation. Threat intelligence is therefore a strategic necessity for a growing number and range of organisations – including those who may not traditionally have thought of themselves as targets of motivated attackers. When done effectively, threat intelligence allows CISOs to be more proactive about security, stopping attacks before they’ve had a chance to cause serious reputational or financial damage. Threat intelligence can also help to improve resilience, for example by enabling security teams to prioritise patches based on which vulnerabilities are being currently exploited.
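One way to turn that last point into a concrete triage step, as an added example that is not from the article or from BAE Systems: join vulnerability-scanner findings with an intel feed of vulnerabilities currently seen being exploited, and rank them so that active exploitation and exposure (such as internet-facing RDP) outweigh raw CVSS. The CVE ids, hosts and weights are constructed placeholders.

```python
# Added example: intel-driven patch prioritisation. All ids and scores are
# constructed placeholders, not real vulnerabilities or a vendor's scoring.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float
    internet_facing: bool
    service: str


# Constructed scanner output (placeholder CVE ids, not real ones).
FINDINGS = [
    Finding("web-01", "CVE-0000-0001", 9.8, True, "http"),
    Finding("jump-02", "CVE-0000-0002", 7.5, True, "rdp"),
    Finding("db-03", "CVE-0000-0003", 9.1, False, "sql"),
    Finding("hr-04", "CVE-0000-0004", 5.3, False, "smb"),
]

# Constructed intel feed: CVEs reported as exploited right now, with the TTP.
EXPLOITED = {
    "CVE-0000-0002": "initial access via exposed RDP",
    "CVE-0000-0004": "lateral movement after initial access",
}


def priority(f: Finding, exploited: dict) -> float:
    """Score a finding: active exploitation dominates, then exposure, then CVSS."""
    score = f.cvss
    if f.cve in exploited:
        score += 20.0  # intel says it is in use now: patch before higher-CVSS items
    if f.internet_facing:
        score += 10.0  # reachable by the mass scanning the article describes
    if f.service == "rdp" and f.internet_facing:
        score += 5.0   # exposed RDP is a favoured ransomware entry point
    return score


def prioritise(findings, exploited) -> list:
    """Return (host, cve, score, reason) tuples, highest priority first."""
    rows = [(f.host, f.cve, priority(f, exploited),
             exploited.get(f.cve, "no current exploitation reported"))
            for f in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for host, cve, score, reason in prioritise(FINDINGS, EXPLOITED):
        print(f"{score:5.1f}  {host:8s} {cve}  {reason}")
```

Note how the CVSS 5.3 finding on hr-04 outranks the 9.8 and 9.1 findings once the feed reports it as actively exploited; that reordering is the resilience gain the paragraph refers to.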
An industry-wide challenge
However, there are some industry challenges which threaten to undermine the organisational ability to reap these kinds of strategic benefits. On the supply side, the glut of threat intelligence offerings on the market – few of which offer a comprehensive range of capabilities – means that those who can afford it buy multiple overlapping solutions, while smaller peers aren’t able to get complete coverage.
On the consumption side, many users of threat intelligence find it challenging to optimise their solutions. The result can be response teams chasing the wrong leads, or being flooded with alerts which they can’t prioritise. In some cases, the data itself is too old to be useful.
Many in the industry are calling for more intelligence sharing. If sharing systems were free and open to all comers, they could be infiltrated by nation states and cyber criminals. On the other hand, if barriers are put up around intelligence-sharing organisations, those without economic clout may be left at a disadvantage. There are also persistent concerns that too much sharing could damage brand reputation.
These are difficult problems to solve, but one initiative offers some prospect for positive change. The Intelligence Network is a BAE Systems-backed body focused on safeguarding society in the digital world by changing the way we think about cyber security. Its 2,000+ global members include cyber and financial crime professionals and industry influencers committed to creating a safer society. We have already earmarked seven crucial areas for change by 2025, and Understanding Adversaries is right at the top of the list.
By working together, we are confident we can drive change within the threat intelligence industry to improve our ability to understand adversaries, and make further progress in stopping them.