Huge sums of money have been invested in cyber security tools and operations, yet today’s security teams are still typically cash-strapped with limited resources.
Budgets are more focused on keeping operations going than on improving enterprise security, so the name of the game is prioritizing potential threats and focusing on the ones that really matter.
That’s why threat intelligence is a key part of any enterprise security program, helping you prepare for and detect attacks — whom you’re defending against, what motivates them, what tactics they’ll use and how you can spot an attack in progress.
As noted in DXC’s October Threat Intelligence Report, 3,816 breaches were reported in the first 6 months of 2019, and the average breach went undetected for 78 days. Understanding your threat landscape can prevent major damage to your operations and reputation.
Know your attackers
Attackers fall broadly into five categories: nation-state groups, hacktivists, cyber criminals, lone-wolf hackers and insider threats. Each group has different motivations and levels of sophistication.
Nation-state groups in Russia or China typically focus on projecting power in a region or gaining an economic or political advantage over a rival. These adversaries, often associated with advanced persistent threats (APTs), are the most sophisticated. Recently, Russian-backed APT28, also known as Strontium or Fancy Bear, exploited internet of things (IoT) devices, including VoIP phones, office printers and video decoders, to gain access to networks.
In contrast, hacktivists are ideology-driven and are more likely to use low-tech hacks or distributed denial of service (DDoS) attacks to disrupt and embarrass their target or gain publicity for a cause.
The motive behind a hacktivist attack can be obvious, as with the hack of Twitter cofounder Jack Dorsey’s Twitter account in September. Dorsey had been crusading against online hate groups when hackers hijacked his account and sent out pro-Nazi tweets. However, the 2016 hack of Nissan Motors’ website by hacktivist group Anonymous was oddly aimed at the Japanese whaling industry. Nissan had no ties to whaling, but the attackers knew a successful attack on a global manufacturer would generate global attention for their cause.
Cyber criminals, motivated by financial gain, use tactics including ransomware, card skimming, extortion and, lately, sextortion — threatening to reveal photos or web browsing history documenting the victim’s online sexual activity unless the victim pays money or hands over access to information.
Ransomware attacks are likely to come at the worst possible time, such as the beginning of a school year for school districts or the holiday shopping season for retailers. Local governments, with typically older systems and homegrown applications, are a major target. Over the past 6 months, cyber criminals used ransomware to lock down services in five U.S. states, 23 Texas towns, and 500 schools and colleges.
Magecart, an umbrella term for several groups that use similar payment-card skimming techniques, focuses on spreading its code to the greatest number of victims. For example, one group compromised online advertising companies in a ploy to distribute its malware across hundreds of subscriber websites, capturing payment information from end customers. Another arm used bots to infect 17,000 websites through improperly configured Amazon S3 buckets in order to steal payment card data.
A few security tips
Threat intelligence can’t tell you when and where the next breach will come, but it can help you prepare for and detect it. Consider these tips:
- Your biggest threat is probably not a highly sophisticated zero-day attack. Attackers have plenty of success with tried-and-true methods.
- Invest time to find the best technical indicator feeds and intelligence platform for your organization. Contextualized and relevant intelligence can help your security operations center contain attacks before they become a much bigger incident.
- Don’t overlook basic security hygiene. Track all IT assets, then patch and secure them against known threats.
- Invest in protecting the areas of your organization most likely to come under attack, using staff training, malware detection systems and multiple levels of controls for privileged accounts.
- Train your staff to recognize phishing attacks. With so many organizations moving to cloud services such as Microsoft Office 365, phishing campaigns are getting better at tricking users into sharing credentials on fake login pages. Better vigilance can prevent major data breaches.
For ongoing threat intelligence, subscribe to DXC’s monthly Threat Intelligence Report, a compilation of the latest threats, breaches, cyber crimes and nation-state activities. The report is part of DXC Labs | Security, which provides insights to the security industry.