For the most part, the inner workings of threat actors and the knowledge around Cyber Threat Intelligence are an incredibly specialised expertise. There are constant sensationalised news articles about the latest data breach, yet this isn’t usually enough to grab the due attention of most organisations with business interests, let alone of people like me, who previously never took these things seriously.
That was my worldview before engaging in a Cyber Threat Intelligence piece at Turnkey; cyber space felt like a distant world – a known unknown that was unlikely to affect my life. Why would anyone want to attack me? The reality is, anyone with data stored online is vulnerable, and with many people in similar mindsets to myself pre-Turnkey, a lot of us are unsuspecting, unknowing, walking targets.
My Cyber Threat Intelligence piece at Turnkey stepped through 3 levels, each becoming more in-depth and requiring more specialised knowledge.
Firstly, it involved researching the types of threat actors that are currently active, what their aims are, what they’re motivated by, and the entities they are targeting.
Secondly, what kinds of attack vectors they use and how they gather personal information to make them effective and persuasive.
Finally, the technical methods they use: the VBA code and PowerShell backdoors. This is where my understanding stalled at abstract ideas, and I came to the realisation that this barrier is exactly what threat actors have taken advantage of.
Application designers have consistently focused on creating simpler graphical user interfaces to enhance the ‘user experience’, which is really an attempt to bridge the gap between complexity and simplicity. They want to feed technology to us in the most consumable way possible so that people can engage with technology more, without having to understand it more.
This kind of relationship can be seen with threat actors and their chosen method of attack. Highly sophisticated and well-funded groups are choosing to use one of the seemingly least complex attack methods – spear phishing. This could be emails with attached files that contain malware or links that prompt you to input your credentials.
Threat groups are designing increasingly seamless emails, with legitimate signatures, logos and information. An email appearing to be from Amazon asking you to log in to track your package that you had just ordered yesterday could catch anyone off-guard.
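As an added example (not part of the original post), here is a small defender-side check for the kind of email described above: it looks for the indicators that give a convincing spear-phishing message away, namely visible link text that names one domain while the href points at another, a brand name attached to a domain the brand does not own, and link domains that differ from the sender's. The two sample emails and the brand-to-domain allow-list are constructed for illustration and are assumptions, not data from the post.

```python
# Added example, not from the original post. Flags common spear-phishing
# indicators in an email's sender address and HTML links. Sample emails and
# the TRUSTED_DOMAINS allow-list are constructed for illustration.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: brand name -> registrable domains it legitimately uses.
TRUSTED_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude registrable domain: last two labels, or last three for
    second-level suffixes such as co.uk (good enough for a demo)."""
    labels = host.lower().split(".")
    if (len(labels) >= 3 and labels[-2] in {"co", "com", "org", "ac"}
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def phishing_indicators(sender, html_body):
    """Return a list of human-readable indicator strings for one email."""
    findings = []
    sender_domain = registrable_domain(sender.split("@")[-1])
    parser = _LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        link_domain = registrable_domain(host)
        # 1. Visible text looks like a URL but the href goes somewhere else.
        m = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if m and registrable_domain(m.group(0)) != link_domain:
            findings.append(f"link text '{text}' but href goes to {link_domain}")
        # 2. A known brand name appears, but the host is not one of its domains.
        for brand, domains in TRUSTED_DOMAINS.items():
            if brand in (text + host).lower() and link_domain not in domains:
                findings.append(f"'{brand}' lookalike link to {link_domain}")
        # 3. Link domain differs from the sender's domain (worth a second look).
        if link_domain != sender_domain:
            findings.append(f"link domain {link_domain} differs from sender {sender_domain}")
    return findings


# Constructed samples: one legitimate-looking message and one lookalike.
GENUINE = ("no-reply@amazon.co.uk",
           '<a href="https://www.amazon.co.uk/orders">Track your order</a>')
LOOKALIKE = ("orders@amazon-delivery-tracking.net",
             '<a href="http://amazon.com.track-order.xyz/login">'
             'https://www.amazon.com/track</a>')

if __name__ == "__main__":
    for sender, body in (GENUINE, LOOKALIKE):
        print(sender, "->", phishing_indicators(sender, body) or ["no indicators"])
```

The lookalike message trips all three checks, while the genuine one trips none; in practice these heuristics would feed a mail gateway or user-reporting workflow rather than block on their own, since legitimate marketing mail often links to third-party tracking domains.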
This is when I started to believe I was becoming paranoid and proceeded to check and double-check the emails coming into my work and personal inboxes.
As the way we interact with technology changes and evolves, we must be aware that the ways we protect ourselves should also change, and that takes more time, effort and understanding. Internet safety is no longer making sure firewalls are in place and forgetting the rest, and it is no longer just warning kids not to talk to strangers online. It is something that should be integrated into the education system and constantly reinforced through cyber awareness campaigns to be effective.
Today, it’s largely about the ability to identify false graphical interfaces that may be trying to scam us, but a couple of years from now, it could be a new method of attack. The dynamic nature of technology makes it ever more important to understand why threat actors could target you, since their motivations are the factor most likely to stay constant in this shifting game of cat-and-mouse.
Organisations also have a responsibility to understand why they could be the target of attack and which threat groups are most likely to focus on them for the well-being of the business, as well as the employees. The necessity of robust Cyber Threat Intelligence practices can be seen during the coronavirus pandemic.
Threat groups have been taking advantage of the vulnerabilities that have surfaced, from us at home, perhaps feeling stressed and more likely to click on a face-mask link, to hospitals and research labs struggling to manage the influx. The key risk mitigation and impact reduction in these scenarios is anticipation and knowledge gathering (the CTI part).
For example, a hospital during a pandemic could conclude that threat groups with political motivations are more likely to attack them to cause civil unrest before major political decisions. If this threat group was found to use spear-phishing as the main vector of attack, controls can be put into place at an earlier stage to lower the risk of a breach. This can include training employees on cyber awareness, utilising phishing campaign tools and maintaining and tracking cyber-education progress.
We are in an era where technology makes the world go round whilst users have no visibility of what goes on behind the scenes. The scenario is not unlike the lack of accountability the major banks have had with our money in their savings accounts. Is this a cyber version of a financial crisis waiting to happen if we fail to heighten our cyber awareness? With my new understanding of the online threats we face, I’ve decided my double-checking of emails is justified. After all, you can’t be paranoid if the threats you’re facing are real.