Most organizations still have not fully grasped that fighting a defensive action against organized cybercrime is no longer sufficient and that, to have truly effective security, they must take the fight to criminals.
According to a study conducted in June, “Threat intelligence: Eyes on the enemy,” by threat intelligence firm Cyber Risk Analytics (CRA), vulnerability prioritization is the chief use of threat intelligence for 70 percent of the study’s respondents; 65 percent of those respondents also stated that they are starting to use threat intelligence to aid them with reactive incident response. By contrast, proactive measures still rank low on the list of primary uses for threat intelligence where most organizations are concerned, with 50 percent of respondents using threat intelligence for threat hunting and 46 percent, fewer than half, using actionable threat intelligence to provide advance warning of future attacks.
By gaining advance warning of pending attacks, companies can foresee and protect themselves against the most serious and carefully planned incoming attacks. Ransomware gangs such as LockBit frequently operate with a streamlined efficiency more usually associated with large legitimate corporations, often using nation-state-level malware. Only by having actionable real-time intelligence of incoming and planned attacks can organizations protect themselves against professional cybercriminal groups, who are often physically located in jurisdictions, such as Russia, outside the reach of Western authorities.
According to research firm Gartner: “Threat intelligence is evidence-based knowledge (e.g., context, mechanisms, indicators, implications, and action-oriented advice) about existing or emerging menaces or hazards to assets.”
The problem for many organizations is not amassing threat intelligence; even if they do not possess the relevant skills in-house, numerous cybersecurity firms are willing and able to supply up-to-the-minute threat intelligence. Rather, the sheer volume of threat intelligence becoming available is overwhelming for most organizations and their in-house security teams, as the criminals’ tactics, techniques, and procedures (TTPs) constantly change as larger criminal groups compete.
Ransomware attacks quickly multiplied during the pandemic, and the number and severity of successful breaches are still rising. Before March 2020, there were four major ransomware groups operating at any one time, and today, cybersecurity firm Cyberint calculates that there are around 20. Competition has become fierce among ransomware groups. While LockBit 3.0 replaced Conti in 2022, newcomers such as BlackBasta, BianLian, and new-kid-on-the-block Royal are now all furiously competing for LockBit’s crown in 2023.
Growing competition means that the new players all bring new TTPs and increasingly advanced attack methods. Companies in all sectors should, for example, be aware of a new generation of AI-driven spear-phishing attacks now coming their way. Using services such as FraudGPT, an AI service for criminals that mirrors legitimate Microsoft-powered ChatGPT, even unskilled and barely literate cybercriminals can craft compelling emails full of accurate personal references with an innocent-looking weaponized link attached. Some attacks are also sector-specific, aimed at, for example, financial services or airlines.
By amassing actionable threat intelligence regarding the latest TTPs and incoming threats, companies can best prepare themselves for attack. However, the CRA study is evidence that most firms have yet to adopt the cybersecurity industry’s current strategy of using intelligence-driven proactive cybersecurity to stay a step ahead of the cybercriminals.