Smoking out the threat actors

A glimpse behind the curtain with threat intelligence

Identify attacks before they happen, or at least before they cause serious damage. This is one of the primary objectives of cyberdefence. Threat intelligence is the solution of choice for assessing the current threat status – a challenge in itself.

Text: Andreas Heer, Pictures: Swisscom
12 October 2023

Data-driven threat detection can bring greater visibility into the cyberthreat environment and proactively identify attacks. Find out more in the white paper.

It takes an average of 200 days to identify a successful cyberattack. According to the IBM Cost of a Data Breach Report 2023(opens in new tab), this mean time to identify (MTTI) has an impact on costs. The sooner a breach is detected, the lower the risk of damage and the lower the associated costs.

If it takes such a long time to detect an attack, shouldn’t companies automatically assume that their infrastructure has already been compromised? This is the premise of the Assume Breach mindset. It requires a holistic approach because preventive measures alone are simply not enough. Both detection and response must be enhanced to identify attacks as early as possible and minimise damage.

But how do companies find out if their defences have been breached or whether an attack is imminent? This is where threat intelligence (TI) and, as appropriate, threat hunting (TH) come in, delivering targeted information and research, and actively searching for signs of a breach.

Assess the current status with threat intelligence

Threat intelligence takes a three-pronged approach. From a strategic perspective, it focuses on cybercrime trends as well as the wider social and political context, which can all influence the activities of the different actors. From a tactical perspective, attack patterns are analysed with a view to improving cyberdefence at an operational level.

The current threat status is not always clear. For example, financially motivated ransomware attacks are often not targeted; they find victims by exploiting a known and unpatched security vulnerability. “The threat actors who make the headlines are not always the biggest threats,” says cybersecurity specialist Jakub Rutynowski, threat intelligence advisor at Swisscom. “We have to try and understand the actors and their motivation to work out whether we are a potential target.” This also includes finding out whether there are any groups away from the headlines that are intensifying their activities in the background. It's a major challenge, and often, the context only becomes clear in retrospect: was a particular ransomware attack ‘purely’ financially motivated or was it, in fact, a targeted attack by state-backed actors in an attempt at cryptocurrency extortion or with a view to using the exfiltrated data for espionage? The actual motivation is not always obvious.

“The important thing is to consider information about current attacks in the context of your own company,” Rutynowski adds. “Ask yourself, are we similar in terms of organisation or infrastructure, and could we therefore become a target? And, most importantly, are we prepared?”  

Trawling the dark web

According to the IBM report referenced above, phishing and stolen or compromised credentials were responsible for 16% and 15% of breaches respectively. The dark web is often used as a platform for trading stolen or compromised information. Credentials are offered for sale by Initial Access Brokers in forums and marketplaces. And business documents captured during a breach are often published and sold on the leak sites of the ransomware operators.

Such information is relevant for companies to be better able to assess the current threat status. But these searches are virtually impossible to perform manually. “With many marketplaces, you have to 'earn' access first,” Rutynowski explains. “And you often need to combine information from several sources to identify the time and location of an infection or breach.”

This work can be significantly simplified using digital risk protection solutions, which relieve companies of much, if not all of the time-consuming manual work, thereby accelerating the search for data leaks on the dark web. Jakub Rutynowski admits the task is still challenging: “The large and changing number of marketplaces and channels on messengers such as Telegram makes it difficult to find the information you are looking for.”

Multi-pronged cyberdefence the key to success

If a company wants to proactively defend against cyberattacks or at least detect them at an early stage, it needs a package of detection and incident response measures. The combination of threat intelligence and threat hunting helps to identify possible attacks and vulnerabilities in your own cyberdefence. Threat intelligence provides information to the threat hunters on the signs to look out for.

Through this interplay, the threat hunters are thus reliant on threat intelligence, says Jakub Rutynowski: “In the case of requirements-driven threat intelligence, our role, for example, is to identify the specific current threat status.” The results can then be incorporated in the incident response and related processes. As well as improving an organisation’s security posture, such proactive measures can also shorten the time it takes to identify an incident and thus reduce the cost of a data breach, according to the IBM report.

More on the topic