Cyber Threat Intelligence — understanding cyber threats and leveraging intelligence to prevent them
You can listen to AustCyber’s podcast ‘OzCyber Unlocked’ here: https://bit.ly/3zDFytV
Cyber Threat Intelligence
Cyber threat intelligence sharing is a clear priority for the Australian Federal Government, with $35 million allocated to the Cyber Enhanced Situational Awareness Response package (CESAR). But, if Australia really wants to make strides toward fighting ransomware attacks against its critical infrastructure, it’s going to take more than government initiatives — it’s going to take an understanding of your business environment and an education about the threats it’s exposed to.
Andrew Slater, Director of Aushield, says “Cyber Threat Intelligence (CTI) is any piece of tactical operational information that we can consume or gather. It helps provide context and understand what the risks are to an organisation from a cyber threat perspective.” Brett Williams, Lead Solutions Architect APAC & Japan at Flashpoint, argues that you can use CTI to “make decisions and act upon them; for example understanding your assets and understanding who may or may not be attacking you, which then allows you to narrow your operational focus and understand where you need to focus your intelligence.” Similarly, Glenn Maiden, Director of Threat Intelligence at Fortinet, believes CTI is useful for organisations to prepare for, prevent and identify cyber threats before they cause any damage.
Core to understanding a threat is understanding the activities, plans, signatures and behaviours of the threat actors behind it. From a cyber perspective, an open-source indicator could be an IP address, URL or domain name that attackers have used in their infrastructure. It could also be the sender address, link or subject line of a phishing email, a registry key that malware modifies, a file name or a DLL: the list goes on.
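The indicator types listed above are only useful once they are normalised and actually checked against your own telemetry. The following Python example is added here and is not code from the article or from any of the organisations it quotes. It parses a small indicator feed in the defanged form such lists are usually shared in (`hxxp://`, `[.]`, `[at]`), validates the IP and hash entries, and matches each indicator against a handful of log lines. The feed format (`kind,value` per line), the log lines, the IP (from the 203.0.113.0/24 documentation range), the `.example` domains and the hash are all constructed for the example.

```python
"""Parse a defanged indicator feed and match it against log lines (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# Defanging conventions commonly used when indicators are shared as text.
REFANG_RULES = (("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[at]", "@"), ("[@]", "@"))

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
EMAIL_RE = re.compile(r"\b([a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,})\b")


@dataclass(frozen=True)
class Indicator:
    kind: str   # ip, domain, url, email, md5, sha1, sha256
    value: str  # refanged and lower-cased


def refang(raw: str) -> str:
    """Undo the obfuscation used in shared feeds so values compare cleanly."""
    value = raw.strip().lower()
    for old, new in REFANG_RULES:
        value = value.replace(old, new)
    return value


def parse_feed(text: str) -> list[Indicator]:
    """Parse 'kind,value' lines; reject malformed IPs and hashes rather than loading junk."""
    indicators = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, raw = line.partition(",")
        kind, value = kind.strip().lower(), refang(raw)
        if kind == "ip":
            ipaddress.ip_address(value)  # raises ValueError on a bad address
        elif kind in ("md5", "sha1", "sha256"):
            if not re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", value):
                raise ValueError(f"bad {kind} hash: {value!r}")
        indicators.append(Indicator(kind, value))
    return indicators


def _hits_in_line(ind: Indicator, line: str) -> bool:
    """True if the (already refanged, lower-cased) log line contains the indicator."""
    if ind.kind == "ip":
        # Anchor on non-address characters so 203.0.113.4 and 203.0.113.45 never cross-match.
        return re.search(rf"(?<![\d.]){re.escape(ind.value)}(?![\d.])", line) is not None
    if ind.kind == "domain":
        # The domain itself and any subdomain of it count as a hit.
        return any(h == ind.value or h.endswith("." + ind.value) for h in HOST_RE.findall(line))
    if ind.kind == "url":
        return ind.value in line
    if ind.kind == "email":
        return ind.value in EMAIL_RE.findall(line)
    if ind.kind in ("md5", "sha1", "sha256"):
        return re.search(rf"\b{ind.value}\b", line) is not None
    return False


def match_logs(indicators: list[Indicator], logs: list[str]) -> list[tuple[int, Indicator]]:
    """Return (log index, indicator) pairs. Log lines are refanged too, because some
    sources (mail gateways, ticketing systems) defang what they record."""
    hits = []
    for i, raw in enumerate(logs):
        line = refang(raw)
        hits.extend((i, ind) for ind in indicators if _hits_in_line(ind, line))
    return hits


# Constructed sample feed (not real threat data): documentation ranges and .example only.
SAMPLE_FEED = """\
# kind,value
ip,203.0.113.45
domain,malicious-update[.]example
url,hxxp://malicious-update[.]example/payload.bin
email,invoice[at]malicious-update[.]example
md5,0123456789abcdef0123456789abcdef
"""

# Constructed sample log lines in a loose key=value style.
SAMPLE_LOGS = [
    "2024-05-02T10:14:03Z proxy src=10.0.0.21 dst=203.0.113.45 url=http://malicious-update.example/payload.bin status=200",
    "2024-05-02T10:14:09Z dns client=10.0.0.21 query=cdn.malicious-update.example type=A",
    "2024-05-02T10:15:40Z mail from=invoice@malicious-update.example to=ap@corp.example subject=Overdue invoice",
    "2024-05-02T10:16:02Z edr host=WS-0042 file=update.exe md5=0123456789ABCDEF0123456789ABCDEF",
    "2024-05-02T10:17:11Z proxy src=10.0.0.30 dst=203.0.113.4 url=http://example.org/ status=200",
]

if __name__ == "__main__":
    for i, ind in match_logs(parse_feed(SAMPLE_FEED), SAMPLE_LOGS):
        print(f"log[{i}] matched {ind.kind}={ind.value}")
```

Two details matter in practice and are what the example is built around: refanging must be applied to both sides (feeds and, sometimes, logs), and matching has to respect indicator type, so a domain indicator also catches its subdomains while an IP indicator does not prefix-match a neighbouring address. The last log line is a deliberate near miss and produces no hit.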
Williams says “time is critical when it comes to any potential data breach or exposure. More often than not, the dark web is the first place these things are discussed, or the first indicator that a breach might appear.” At Flashpoint, the biggest thing Williams observes is people’s credentials being exposed. The second biggest thing they’ve seen is the recruitment of insiders by threat actors, trying to find someone inside an organisation or a disgruntled insider who’s willing to go into forums and offer data for sale. The threats are everywhere, meaning organisations need to be aware that they can stem from inside the business as well.
The formal national security community has been dealing with threat intelligence for years, but the rest of the economy is playing catch-up. Dave O’Loan, Cyber Security Specialist at AARNet, says “when considering the potential of an attack, the value of threat intelligence sharing is the awareness. It’s the ability to understand that contextualisation of what the threat might be. The more people, groups or companies that share this information, even if it’s not the full picture, the more likely other individuals are to pull on the thread and know where to look for more information.”
Michelle Price, CEO at AustCyber says “we really are experiencing a shift in the level of collaboration, particularly across the industry and how multinationals and local companies collaborate with each other. At AustCyber, we’re very proud to have invested in AARNet and Cybermerc with their infrastructure, and being able to provide that as a benefit into a broader collaboration piece with multinationals. This is a significant benefit to this country and to the countries we find as trusted partners in this game.”
Collaboration also extends to the cybercrime sphere. Williams says “what’s well-observed is that they’re getting very organised and well-coordinated and starting to work together. There used to be a lot of separation between the various gangs, but now there is plenty of collaboration and we can broadly refer to it as a service. You don’t need to be a ransomware expert; you can just buy it as a service and deploy it into your targets.
“There’s also been a consistent shift in the adoption of communication technologies used by threat actors. Traditionally, we talk about deep and dark web forums and marketplaces, and these are still big in the space, but with increasing restrictions and censorship across social media, social channels are getting a lot of use by threat actors,” Williams concluded. While the restrictions may impact threat actors, it’s important to remember there are no border closures when it comes to cyber threats.
Leaning into education for prevention
Looking at Australia’s critical infrastructure, Maiden notes that the Government is becoming much more aware of these attacks, and much more willing to call them out publicly, which he hopes will lead to greater resilience across the board and across the nation’s broader attack surface. But Australia is still working out where it stands on whether to pay a ransom; it is a lively discussion in the industry, but one the Government is understandably nervous about, given the range of regulatory issues it raises.
Williams weighs in and says “where I’ve seen ransoms being paid, it ends up being a business decision. They need the business back online, they need to stop the data leaking, they don’t have backups in place and therefore don’t have prevention and recovery plans in place.” He doesn’t agree with it from one side, but on the flip side of the coin, he can see why businesses have to do it, particularly if they don’t know how they’re going to recover or don’t have an action plan in place.
Maiden says “if there is one message we can get out there, it is that for these attacks, prevention is the only cure.” O’Loan agrees, “my personal view is that paying ransom can potentially open a business up to a second attack. It’s common for threat actors to think if an organisation has paid once, they’ll do it again.” It stems back to cyber hygiene: putting backups in place, looking at who’s got administrative access to what systems, thinking more broadly about how to protect your systems and so on.
Slater believes a lot of work remains to be done on education around the prevention message. “Aushield deals with a lot of Australian SMBs who have had their data put online for sale or been hit by ransomware. When you’re talking to an employer who has 10–50 staff and spent the last decade of their life building a business, it’s hard to tell them not to pay thousands to get their data back, and beyond that, it’s dangerous to keep paying. Australian small to medium businesses account for approximately 35% of Australia’s GDP, spanning a range of industries, so the threat these attacks pose to the broader economy is huge.”
Price says “There is a definitive return on investment when you view cyber hygiene as an investment, not a cost. It’s an investment and a protection against being ransomed. There are many organisations, even those with a reasonable degree of cyber maturity that still struggle with issues of this nature.”
Traditionally, we’ve been very secretive when it comes to intelligence. We have to be more open about these criminals. There is nothing special about the ransomware that hit the company down the road from you: the operators are not targeting a particular industry, they are not doing it discreetly, and the techniques are always similar. According to Slater, “education, collaboration and sharing of information is really key. As professionals, we have a responsibility to help educate people, to collaborate on threat intelligence and to share it in a timely manner. Knowledge is power; you can buy widgets for anything, but if you don’t understand your environment and business, you won’t understand where your risks are. It all comes back to education.”
Learn more about cyber threat intelligence in AustCyber’s podcast ‘OzCyber Unlocked’: https://bit.ly/3zDFytV
You can visit www.austcyber.com to learn more about cyber security.