Customer portal
Category

Opinion

"Cyber
Opinion

What is Cyber Threat Intelligence?

by Ben Hurst
July 13, 2022

You may have heard of the term “Cyber Threat Intelligence”, sometimes abbreviated as “CTI”. 

The term is often thrown around with little to no explanation, so, what actually is CTI? It’s always useful to know what an acronym means 🙂

The origin of the term can be traced back to 2009 in reference to research on the Tactics, Techniques, and Practices (TTP) of APT 1. 

Traditional threat intelligence, meaning the collection and dissemination of intelligence of emerging and reoccurring threats, was a key part of the intelligence apparatus during the Cold War. 

However, traditional threat intelligence is a very general term, referring to intelligence on anything from nation-states to small guerrilla insurgent groups. 

The rise of Advanced Persistent Threats (APT) forever changed the threat intelligence landscape. 

Like any other covert action, a nation-state sponsored cyber attack is designed to cause as much damage as possible, while maintaining plausible deniability for guilty parties. 

Threat intelligence on these APT groups became known as Cyber Threat Intelligence. 

CTI analysts analyse the tactics, techniques, and practices of these groups. They collect everything from the groups’ malware to their chat logs to build a full profile for defensive purposes. 

Since the rise of APTs in the mid-2000s, the field of CTI has had to  evolve and adapt to new threats and attack styles. Threat actors less sophisticated than APTs can now emulate many of the tactics APTs use. 

As a result, CTI has had to expand to collect intelligence on these groups as well. CTI is now not only crucial for governments, but also private organisations and businesses. 

2021 saw a 1,885% increase in ransomware attacks. This was an unprecedented increase with the healthcare industry alone reported a 775% increase in cyber attacks. 

CTI is not only for large businesses either, roughly 60% of ransomware attacks target businesses with less than 500 employees. However, building a CTI team is easier said than done. Collecting intelligence on relevant threat actors is often a time consuming and expensive task. 

What we see time and time again is the “it won’t happen to us” conversation which can then turn into…

Why didn’t we know about this?! 

The question posed by the CEO or MD when there has been a data breach.

Here at SOS Intelligence, it’s our mission to provide cyber threat intelligence that won’t break the bank and is accessible. You don’t need a big team to use it.

Our Open Source Intelligence (OSINT) tool automatically collects and aggregates data from the top cybercriminal forums, including some private forums. 

Using the web UI or the custom API, you can set alerts for keywords like emails or usernames. If a keyword is posted on one of the many forums we monitor, you will get an immediate alert via several communication channels. 

Using our OSINT tool you will have the capabilities of a full CTI team, minus the overhead and head count.

Save yourself the headache and risk, let SOS Intelligence be your eyes and ears in the dark world cyber criminals have built online.

Cyber Threat Intelligence is clearly an essential pillar of a modern defence strategy, but don’t take our word for it. Let’s look into a case involving CTI…

LAPSUS$ – A Study of Cyber Threat Intelligence Successes

There is no better case study of modern Cyber Threat Intelligence than the case of the international hacking group known as LAPSUS$. 

LAPSUS$ was first noticed in early December of 2021 when the group compromised systems belonging to the Brazilian Ministry of Health. This attack was a classic extortion attempt and would pale in comparison to LAPSUS$’s later attacks. 

It took the Brazilian government more than a month to make a full recovery, the attack effectively halted the roll out of Brazil’s COVID-19 vaccine certification app; ConectSUS. 

Over the next few months LAPSUS$ would go on to breach several more companies, including Impresa, a Portuguese media company and Vodafone Portugal. LAPSUS$’s first 5 attacks took place in quick succession, in just 3 months. 

The group exclusively targeted Portuguese localised companies leading many CTI researchers to suspect the hackers were located in Brazil or Portugal. Members of the group solidified this suspicion, using slang like “kkkkkkkkk” the Portuguese equivalent of the English slang “hahaha”.

LAPSUS$ member using Portuguese slang in Telegram chat

LAPSUS$ was put on the map after the attack on the Brazilian Ministry of Health garnering headlines like “Lapsus$: The Hot New Name in Ransomware Gangs” and “Watch Out LockBit, Here Comes Lapsus$!”. 

While these headlines were catchy, the articles themselves offered no insight into the tactics or motivations of the group. At the time, many thought LAPSUS$ was just like any other ransomware/extortion group, financially-motivated with the goal of encrypting or exfiltrating data and holding it for ransom. 

However, LAPSUS$’s next attack would challenge everything we thought we knew about LAPSUS$. On February 25th 2022, GPU chipmaker Nvidia announced it was investigating an “incident” that knocked some of its systems offline for 2 days. 3 days later LAPSUS$ announced “We hacked NVIDIA” on their telegram…

NVIDIA hacked

 LAPSUS$’s breach of Nvidia was, no doubt, a big deal, but what was far more interesting were their demands. 

More often than not, hacking groups fall into one of 3 motivational categories: financially-motivated, ideologically-motivated, or state-sponsored. Up until the Nvidia breach LAPSUS$ fell squarely in the financially-motivated category, but their unusual demands for Nvidia changed this fact. 

Instead of demanding money or selling the data to the highest bidder, LAPSUS$ demanded Nvidia release their GPU drivers as open source software. Naturally, Nvidia refused to release their code. In response LAPSUS$ would leak some source code from Nvidia on in their Telegram group, but nothing all that interesting or noteworthy. 

Less than 2 weeks after the Nvidia breach, LAPSUS$ announced they had compromised Samsung. The attackers stole roughly 200 gigabytes of data which included some source code for the Samsung Galaxy. 

By this point, threat intelligence researchers were keenly aware of LAPSUS$’s tactics, techniques and procedures. CTI analysts drew up models of how LAPSUS$ operates, giving defenders insight on how to avoid a possible breach. 

Intrusion Analysis Diamond model for LAPSUS$

Continuing their attacks on large tech companies, LAPSUS$ compromised Microsoft. Again, the group started exfiltrating source code. 

LAPSUS$ was able to download the partial source code for Bing, Bing Maps, and even some Windows code. However, Microsoft CTI researchers were able to halt the download before it could be completed. LAPSUS$ mentioned in a public Telegram chat how they were able to access Microsoft systems before the data exfiltration had finished. 

LAPSUS$ chat about MS

Microsoft’s threat intelligence team had been monitoring this chat and was able to stop the exfiltration in real-time. That’s something even advanced EDR software can’t do. While LAPSUS$ would never admit their mistakes, one member did acknowledge the download was interrupted.

A close call for MS

LAPSUS$ would soon after be exposed to be led by a teenage boy out of the United Kingdom who was arrested with six other teenagers associated with the group. Many still suspect there may have been a member located in Brazil, but as of now, this has not been confirmed. 

The LAPSUS$ affair is an excellent showcase of how Cyber Threat Intelligence can protect your organisation from advanced and emerging threat actors.

The SOS Intelligence toolkit can provide you and your company the capability to monitor threats like LAPSUS$. Just as Microsoft leveraged CTI analysis to minimise damage of the LAPSUS$ attack, your organisation can use our CTI tools.

The SOS Intelligence toolkit includes advanced CTI tools capable of monitoring both Dark Web and Clear Web hacking forums and chats. Protect your assets from sophisticated threats today by checking out the SOS Intel toolkit.

Would you like to discover how SOS Intelligence can help you mitigate the cyber threats?

Click the link below to book a call: https://tinyurl.com/sosinteldemo

FAQ

What is Cyber Threat Intelligence?

Cyber Threat Intelligence or CTI, is the process of collecting and analysing threat actor’s behaviours. CTI analysts build profiles of known threat actors by investigating their Tactics Techniques and Procedures (TTPs).

How is Cyber Threat Intelligence used?

Network defenders use profiles as well as the TTPs collected by CTI analysts to make informed decisions on how to protect their network. 

Threat actors will often reuse attack vectors on many targets. When CTI analysts discover these attack vectors, they pass on the information to defenders. 

Cyber Threat Intelligence provides the defenders the ability to fight existing and emerging threat actors. 

What is a CTI framework?

A Cyber Threat Intelligence framework is an organisational tool for CTI analysts. There are many CTI frameworks, one of the most popular being the MITRE ATT&CK framework.

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Source: https://attack.mitre.org

Why is Cyber Threat Intelligence Important?

Much like a physical conflict, cyber conflicts need proactive intelligence for good defence. 

Cyber criminals often use forums and chat rooms to communicate with each other. Infiltrating these groups can provide great insight into upcoming and ongoing cyber attacks. 

With the shocking increase of ransomware attacks, proper threat intelligence has become imperative. Ransomware groups are tracked and monitored day and night by CTI analysts. Analysts then alert defenders to a possible breach or upcoming attack. 

Who do cyber criminals target?

The cyber criminal atmosphere is constantly evolving, but most cyber criminals fall into one of three categories. 

First, you have your typical financially-motivated cyber criminal. These threat actors are motivated by one thing and one thing only; money. 

They will scam, hack, and steal anything or anyone for money. In fact, sometimes they scam other cyber criminals! 

The second category is the ideologically-motivated threat actor. Often dubbed hacktivists, these cyber criminals care less about money and are motivated by a political cause. Prime examples of “hacktivist” style hacking groups are “AgainstTheWest” or “Anonymous”. 

The third and most dangerous category is the state-sponsored threat actor. These threat actors work directly or indirectly for a nation-state. 

State-backed threat actors have almost unlimited resources as well as legal protection provided by their government. CTI analysts classify these groups as Advanced Persistent Threats or APTs. 

While not every APT group is state-backed, all state-backed groups are APTs. For cyber criminals, their motivation is the key behind who they target. Financially-motivated cyber criminals often target businesses both small and large. 

Ideologically-motivated threat actors tend to target governments, institutions, or individuals who they deem political enemies. State-backed threats have very specific targets given to them by whatever nation-state they work for. These targets often control vital systems, i.e. energy companies or defence contractors.

Photo by Philipp Katzenberger on Unsplash

"MSSP
Opinion

Why MSSPs need Cyber Intelligence from SOS Intelligence

by Amir Hadzipasic
June 16, 2022

The Dark Web is a vital source for Cyber Threat Intelligence. Dark Web networks have been utilised by cyber criminals for more than 20 years. Longer than you may think.

They provide a deep insight into the world of online criminals.

For MSSPs and CTI researchers this means the Dark web must be closely monitored for new and ongoing attacks. 

Scouring the Dark Web is no easy task, and very difficult without proper software and a large team of researchers. 

The Dark Web is a vast territory made up of multiple networks using many network protocols for anonymous communication.

The most used Dark Web network, known as The Onion Router or Tor, consists of more than 7,000 relays and 3,000 bridges. This supportsa hefty user base of roughly 3 million users. These users use Tor to access one or more of the 40,000 services on the Tor network, transmitting more than 20 terabytes of data daily. 

So, the million dollar question is…

How does one index and analyse such a vast network in an affordable and time efficient manner? 

This is where SOS Intelligence comes in. We help MSSPs help businesses and organisations sleep easier at night by providing accessible cyber-threat and dark web intelligence with real time alerting. It’s a highly configurable threat intelligence solution.

Our Dark Web toolkit is capable of indexing the Tor network quickly and efficiently. 
The SOS Intel Dark Web toolkit is a “Turnkey” ready-to-go solution for MSSPs and CTI researchers, offering in-depth data on onion services. 

Our toolkit includes the Tor networking mapping tool known as “DARKMAP” plus the Dark Web search tool “DARKSEARCH”. We also have the Open Source Intelligence tool “OSINT SEARCH”. These are accessed via a custom API and a web dashboard where you can manage your alerts and keywords for CTI. 

We understand time limitations MSSPs and CTI researchers have. SOS Intelligence’s mission is to provide a service that is both affordable and accessible. Our entire Dark Web toolkit can be set up and configured in mere minutes!

We are your eyes and ears online, even in the darkest places.

Written by Ben Hurst.

Photo by Markus Spiske on Unsplash

"SOS
Opinion

SOS Intelligence is sponsoring EMF Camp 2022 and you can win tickets!

by Amir Hadzipasic
March 31, 2022

We have always been a huge fan of EMF Camp and are delighted to be a Gold Sponsor for this year’s camp! 🙂 Plus, most importantly, you can win one of four tickets by entering our competition! Please read on…

For those of you who don’t know, EMF Camp, is a pretty special and unique:

Imagine a camping festival with a power grid and high-speed internet access; a temporary village of geeks, crafters, and technology enthusiasts that’s lit up by night, and buzzing with activity during the day. Thousands of curious people will descend on our friendly open space to learn, share, and talk about what they love.

EMF Camp
An amazing event!

So, I get you’d like to know how you can win don’t you?! Well, it’s simple.

Click the link below and pop in your email address. You also need to follow us on Twitter and Linkedin, links below. That’s it!

Click here to enter your name and email address.

Follow us on Twitter here.

Follow us on LinkedIn here.

We have four tickets up for grabs and we will be randomly drawing four winners w/c 16th May. We will be then getting in touch with the winners to organise your tickets.

A few admin details – the competition is to win one of four tickets. We won’t be covering travel or accommodation so you will need to organise that yourself. Closing date is Friday 13th May at 6pm.

Good luck!

All attendees need to follow the EMF Code of Conduct.

Terms and conditions can be found here.

"MI6"/
Opinion

MI6 to work with more tech companies

by Amir Hadzipasic
November 30, 2021

In his first speech as the new MI6 boss, Richard Moore has made it very clear that they need to work with innovative technology companies to help protect the UK in the future. He spoke at The International Institute for Strategic Studies today.

“I cannot stress enough what a sea change this is in MI6’s culture, ethos and way of working, since we have traditionally relied primarily on our own capabilities to develop the world-class technologies we need to stay secret and deliver against our mission”.

Guardian
Richard Moore

He emphasised how we are living through times where adversaries are feeling emboldened and have greater than-ever resources. He said how our world is being transformed by digital connectivity, increases in data and computer power.

He said he is paid to look at the threats and he said that the cyber attacks are growing exponentially.

His mission as Chief is to oversee the modernisation of MI6 and investing in the skills that they need in the digital age and partner with the right people and companies to help them stay ahead of our adversaries.

What we do here at SOS Intelligence, Dark Web Threat Intelligence plays a small, but important role in enabling companies and organisations to monitor what is happening on the Dark Web.

Focus on cyber threats

MI6’s focus on cyber threats is nothing new. They explicitly list this on their website:

The world increasingly interacts digitally through cyber space. Alongside the many benefits, it leaves individuals, organisations and governments open to cyber risks. These include the possibility of hostile cyber intrusions or attacks against the UK and the UK’s interests. The National Security Strategy identifies this as one of the four main areas of security risk to the UK.

Working as part of a cross-government effort, including GCHQ and it’s National Cyber Security Centre (NCSC), MI5 and law enforcement, SIS provides secret intelligence to help protect the UK from current and future cyber threats. These can come from a range of cyber actors, such as malign states, terrorists and/or criminals.

MI6
"SOS
Opinion

SOS Intelligence featured on BBC website

by Amir Hadzipasic
July 21, 2021

The headline is a scary one, but absolutely accurate.

How your personal data is being scraped from social media

Joe Tidy, Cyber security reporter, BBC News

Joe Tidy recently got in touch after we published our blog post last week, An investigation into the LinkedIn data sale on hacker forums.

We spoke at length about the data sale and the conflicting theories of how it was sourced. Joe has now written up his news article which you can read here and where we were featured.

The chief executive and founder of SOS Intelligence, a company which provides firms with threat intelligence, Amir Hadžipašić, sweeps hacker forums on the dark web day and night. As soon as news of the 700 million LinkedIn database spread he and his team began analysing the data.

Mr Hadžipašić says the details in this, and other mass-scraping events, are not what most people would expect to be available in the public domain. He thinks API programmes, which give more information about users than the general public can see, should be more tightly controlled.

“Large-scale leaks like this are concerning, given the intricate detail, in some cases, of this information – such as geographic locations or private mobile and email addresses. 

“To most people it will come as a surprise that there’s so much information held by these API enrichment services. 

“This information in the wrong hands could be significantly impacting for some,” he said.

Amir Hadžipašić, BBC News

We’d be very interested to speak to anyone who thinks they’ve been impacted by this.

Sadly, the vast majority of people won’t be aware that this can happen and also won’t be aware when a leak occurs. This is precisely where SOS Intelligence comes in.

We offer a free plan for anyone which takes seconds to set up and always monitoring of the email address you use on the Dark Web. What are you waiting for? You can sign up here.

"The
Opinion, The Dark Web, Tips

How Does the Dark Web Work? An In-Depth Guide (2021)

by Amir Hadzipasic
June 10, 2021

This is the authoritative 2021 guide to the Dark Web

If you are looking to understand:

  • The Dark Web basics
  • Where did the Dark Web come from?
  • What’s driving the growth of the Dark Web?
  • What activities take place on the Dark Web?
  • Which Dark Web threats can impact my organisation?
  • How to protect organisations from Dark Web activity?
  • What does Dark Web Monitoring do?

Then this guide will provide you with all of the answers you need.

Chapter 1: The Dark Web basics

What is the Dark Web? 

The Dark Web is a peer-to-peer interconnected network of computers that use the Tor Protocol, commonly known as the Tor browser.

Tor uses the top-level domain .onion which takes its name from the method of routing the Tor network’s users.

Anonymity is maintained by building a circuit each time a user tries to connect to a certain .onion domain.

The circuit becomes a multi-layered encryption chain, with each layer unwrapping the next one until it gets to its destination. Hence the reference to an onion.

This method ensures that the relaying nodes on the network between sender and recipient never know who the other one is. They only know the next layer as they unwrap it.

It provides 100% anonymity whilst on the network.

The Dark Web is essentially the containing of that encrypted traffic within the Dark Web itself.

Is the Dark Web 100% anonymous?

There are only 2 places where you can breach Dark Web anonymity.

Either the client end before you transmit data onto the Tor network or via the other end using an Open Relay.

Anyone can download and install an Open Relay and capture information then pass it out onto the internet if the data hasn’t been sufficiently secured within itself.

Chapter 2: Where did the Dark Web come from?

The Tor Project is an open-source foundation that was started as a US Navy research project.

It was originally part of the National Security Agency, a national-level intelligence agency of the United States Department of Defense.

It’s likely that it predates its official launch by a number of years.

The early development of the .onion protocol was designed to allow spies to communicate with each other and contact their commanders via the internet in as safe and secure a manner as possible.

For it to work properly, they needed a sufficient number of nodes in order to allow traffic to pass anonymously.

Too few nodes would simply allow adversaries to intercept and attack their encrypted data.

So (the story goes) the Tor Project was started as a free open source project to encourage widespread use.

It has become increasingly popular over the years and undergone a number of significant iterations since its release in 2002.

Chapter 3: What’s driving the growth of the Dark Web?

The Tor Project quickly gained users thanks to its advanced anonymity properties.

Let’s face it, you build a road and people are going to start driving on it.

Yet here’s the thing:

There are numerous key global events that have seen spikes in growth of Tor.

These include the following:

  • Government clampdowns on file sharing following successful lobbying by Hollywood and the music industry forcing ISPs to block access to torrent hosting websites
  • Key political moments such the Arab Spring in 2010

Meanwhile, various Hacking Communities began using it because it became the ‘cool thing’ to do.

Chapter 4: What activities take place on the Dark Web?

Most of the activity taking place on the Dark Web is as dull and trivial as the rest of the Internet.

In truth, for all its negative connotations the Dark Web shouldn’t be something to be afraid of.

Of the 95,317 sites we currently track, less than 5% are flagged as having potentially abusive content on them.

However:

There is also a significant amount of fraud taking place here, along with a percentage sharing abusive content.

The biggest threat to organisations comes in the form of Ransomware.

What is Ransomware?

Ransomware is the process of hackers encrypting and stealing sensitive company and customer data then ransoming it back to the organisation for profit.

Let’s look at this in more detail in the next chapter.

Chapter 5: Which Dark Web threats could impact my organisation?

In June 2017, the chief technology and information officer for Maersk, a Danish shipping and logistics giant, returned from his honeymoon to discover that the company has suffered a major malware attack.

The attack on its IT systems was so bad that the company was virtually unable to operate, even to the point that its ship’s captains were forced to navigate the globe using paper and pen.

4 years later and the company is still remediating, estimated costs to date are as much as £300 million.

No one is sure whether this attack was Ransomware gone wrong (no public request for payment has been made) but the damage to its business continues to be felt to this day.

The different types of Dark Web attack

The Dark Web enables hackers to remain anonymous whilst providing them with a marketplace to force you as the victim to pay to have your data decrypted.

It gives them a foothold, a place where they can publicly advertise to the world all of the organisations they have hacked.

This data often includes intellectual property, financial information, and customer data and is usually placed on the Dark Web and made free to download until the organisation pays to have it removed.

These are very professional operations with call centers, helplines, and live-chats. Some of them even provide a ‘Get 1 File for Free’ service to prove that the decryption works.

Human Driven Ransomware

This term describes when a group of hackers come together and plan an attack. This would often involve them having a good look around your network before they begin encrypting specific files and servers.

They typically look to exploit vulnerabilities in your network and appear to be reasonably agnostic when it comes to sectors and industries.

Victims could be a dental surgery or multinational aerospace company. The primary motivation is getting you to pay for your encryption keys.

Another way into your systems is via ‘phishing’.

This could involve an IT employee’s credentials are stolen and where the company doesn’t have sufficient protection to prevent the hackers from gaining access to the system.

Ransomware Trends

Ransomware is developing and maturing into a more industrialised activity, with a much greater trend towards automation.

A lot of Ransomware programmes will automatically send your encryption keys off to an onion domain that is spun up just for you, gaining access through something as simple as a Word or Excel document that executes a Macro in the background.

The Macro will then automatically begin to encrypt your data and spin it out onto the Dark Web.

Apart from disabling Macros, patching applications to keep things up-to-date, not opening docs you aren’t sure about and using good security software there isn’t much more you can do.

At present we are aware of between 26-30 active ransomware groups.

If you find yourself on a Ransomware site, there is nothing you can really do except pay and begin remediating.

However, police forces are active on the Dark Web looking to take down operations and have had some success. Dutch police were recently so pleased to have taken down one botnet network that they even posted about it as themselves on a hackers’ forum.

Chapter 6: How to protect organisations from illegal Dark Web activity?

Protecting your organisation from hacking and Ransomware is a difficult task, especially when a concerted hacking campaign coupled with human error comes into play.

If as an IT Professional and/or diligent CTO you have done everything within your power to secure the network and Ransomware still finds its way through a lot of it will simply come down to bad luck.

Hackers work hard to ensure that they are fully undetectable and use dynamic systems that generate malicious downloads on the fly, making it difficult to defend against these types of attacks.

The priority then becomes managing the fallout and particularly the PR as best as you can.

A data breach quickly moves from being an IT problem to a business problem. If you can show that you have behaved competently and done as much as you can there is a chance to come out of it looking better.

Our Dark Web Monitoring tool supports you in this process by providing early warnings of any Dark Web activity around your brand.

SOS gives you awareness, time, and context by letting you know if your information is out there; what information that is; and who is talking about it.

Having these instant alerts can be very reassuring, giving you time to react with the full knowledge of just how big your exposure is.

Now we’d like to hear from you. Have you been affected by any of the issues raised in this guide? Do you have any concerns around data breaches and threat intelligence?

Please get in touch if you need to find out more using the contact info below. And if you’ve found this information helpful, please feel free to share it on your social networks!

1 2 3 4
Recent Posts
Recent Comments
    Privacy Settings
    We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
    Youtube
    Consent to display content from - Youtube
    Vimeo
    Consent to display content from - Vimeo
    Google Maps
    Consent to display content from - Google
    Spotify
    Consent to display content from - Spotify
    Sound Cloud
    Consent to display content from - Sound
    Save