Presentation: Threat Intelligence Trends
On Thursday 30 May 2024, Ripjar hosted a webinar on Navigating Cyber Threats. The online event included a guest presentation and a discussion of the top cyber-security challenges in the current threat landscape. Ripjar’s Chief Product Officer, Gabriel Hopkins, chaired the panel which brought together:
Brian Wrozek – Principal Analyst, Forrester
Don Smith – Vice President Threat Research, Secureworks
Matt Chinnery – Pre-Sales Manager, Ripjar
Let’s explore some of the webinar’s highlights and key discussion points.
Opening the webinar, guest speaker Brian Wrozek outlined the top cyber-threats faced by the global business community in 2024, and the role that threat intelligence plays in addressing them.
Brian began with a reminder that day-to-day cyber-threats such as ransomware and denial of service are pervasive, and never really go away. Beyond that ambient, ongoing threat, he pointed to a number of emerging concerns in 2024, grouping them into two broad trends:
The uncertainty created by false or unverifiable information, such as:
- Narrative attacks
- Deepfakes
- AI responses
The increasing complexity of threat environments in which advanced technology installations create opportunities for misinformation to take hold. Complexity trends include issues relating to:
- AI software supply chain
- Nation state espionage
These emerging trends have been prompting firms to increase their security spending in recent years, with security leaders prioritising threat intelligence as a means to address emerging and future threats. Brian noted, however, that a significant portion of incident-response effort still goes into the investigation phase, so better threat intelligence capabilities could make that response both faster and more effective.
With that in mind, many firms are focusing on threat hunting: the proactive search for evidence that a system has already been compromised in ways existing controls have missed, and the development of responses to what is found. Effective threat hunting should have multiple objectives:
Primary objectives:
- Finding previously undetected network intrusions
- Verifying that there is no evidence of a successful attack
- Enhancing a firm’s security controls
Secondary objectives:
- Enhancing security team knowledge and skills
- Demonstrating the complexity and maturity of the security solutions
- Acquiring potential new security assets
Brian stressed that threat hunting should result in firms being able to take tangible action – and so the intelligence that it provides must be complete, accurate, relevant, and timely to the needs of the commissioning firm. He added that expectations around cyber-security are also rising, and contributing to the need for threat-fighters to leverage as much expertise as possible, including from third-party data and networks.
Exploring trends in cyber-security and threat intelligence
Responding to Brian’s presentation on threat intelligence trends, Don Smith zeroed in on one of the most specific threats on the landscape: ransomware attacks.
Don made the point that ransomware’s danger lies not only in its prevalence but in its impact, since the ROI on a ransomware network intrusion is “maximised” in the sense that it “drives an entire criminal ecosystem”. Referencing the success of the recent Operation Endgame, the largest coordinated operation by European law enforcement authorities against malware botnets, Don emphasised the importance of ongoing disruption to that criminal ecosystem. As part of that disruptive effort, Don added that firms should focus on cyber-security fundamentals, such as applying timely patches for internet-facing software, fully implementing multi-factor authentication (including for admins and the supply chain), and dealing with basic commodity malware.
Don pointed to the need for firms to “extract salient learning” from the threat intelligence they gain from incidents, and use it to determine where they should be investing in controls or double-checking compliance. That constant strengthening is critical since cyber-criminals typically take “a scattergun approach” to their attack methodologies, with firms “self-selecting as victims through the state of their control frameworks.”
Ripjar’s Matt Chinnery also focused on the pervasiveness of cyber-threats, warning that “everyone is a threat and everyone is a target” in the 21st century cyber-security landscape. Complicating the challenge further is the constant evolution of both threats and targets, which means that it often falls to security professionals to “fit in with what the bad guys are doing”. Matt raised the importance of threat data, pointing out that many clients struggle to “make sense” of the sheer volume of information feeding into their risk screening solutions, making it “difficult to ratify and justify and get to the root cause immediately.”
He added that, while having enough information to address potential cyber-threats is critical, the quality of that information is just as important to defending against attacks.
Gathering meaningful threat intelligence
“Automation is absolutely key” to the threat data challenge, said Don Smith. Discussing his experience with Ripjar’s Labyrinth Intelligence over the last 5 years, he pointed to the value of the platform’s flexibility, a quality that allows his team to analyse vast amounts of risk data in seconds, and tailor “tens of thousands of indicators” to the specific needs of clients.
That screening capacity includes performing quality assurance against client telemetry from the past 24 hours, along with other checks and balances, to ensure the client’s security operations centre (SOC) isn’t adversely impacted, and domains like Amazon.com aren’t inadvertently put into a protective block list. “There is absolutely no way that you can do threat intelligence these days without having automation to orchestrate the researcher playbook,” Don said.
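The quality-assurance step Don describes (checking candidate indicators against recent client telemetry so that high-traffic domains such as Amazon.com never land on a block list) is worth seeing as logic rather than a sentence. The following is an added example, not Ripjar’s or Secureworks’ code, and every name in it is an assumption: a small allow-list of well-known domains, a prevalence threshold, and a constructed 24-hour telemetry sample of (host, domain) observations. An indicator is held for analyst review if its registered domain is allow-listed or if it (or any subdomain of it) was contacted by more than a set fraction of hosts in the last 24 hours; otherwise it is cleared for publication.

```python
"""Indicator QA before publication to a block list (constructed example).

Assumptions: ALLOW_LIST, MAX_HOST_FRACTION, the telemetry shape and all
sample data below are invented for illustration; none comes from the webinar
or from any vendor's product.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical allow-list of high-traffic domains that must never be blocked
# wholesale. A real deployment would load a much larger top-sites list.
ALLOW_LIST = {"amazon.com", "microsoft.com", "google.com", "cloudfront.net"}

# Hypothetical threshold: an indicator contacted by more than this share of
# distinct hosts in 24 hours is far more likely shared infrastructure than
# attacker infrastructure, so it is held rather than published.
MAX_HOST_FRACTION = 0.05


@dataclass
class Verdict:
    indicator: str
    publish: bool
    reason: str


def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for the demo; production code
    should consult the public suffix list so 'x.co.uk' is not mishandled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def hosts_by_domain(telemetry):
    """telemetry: iterable of (host_id, domain) observations from the last 24h.
    Returns {domain: set(host_ids)}."""
    seen = defaultdict(set)
    for host_id, domain in telemetry:
        seen[domain.lower().strip(".")].add(host_id)
    return seen


def qa_indicators(candidates, telemetry, total_hosts):
    """Decide, per candidate indicator, whether it is safe to publish."""
    seen = hosts_by_domain(telemetry)
    verdicts = []
    for ind in candidates:
        name = ind.lower().strip(".")
        rd = registered_domain(name)
        if rd in ALLOW_LIST:
            verdicts.append(Verdict(ind, False, f"{rd} is allow-listed; needs analyst review"))
            continue
        # Count distinct hosts that contacted the indicator or any subdomain of it.
        hosts = set()
        for domain, ids in seen.items():
            if domain == name or domain.endswith("." + name):
                hosts |= ids
        fraction = len(hosts) / total_hosts if total_hosts else 0.0
        summary = f"seen on {len(hosts)}/{total_hosts} hosts in 24h ({fraction:.0%})"
        if fraction > MAX_HOST_FRACTION:
            verdicts.append(Verdict(ind, False, summary + "; too broad to block"))
        else:
            verdicts.append(Verdict(ind, True, summary))
    return verdicts


def publishable(verdicts):
    return sorted(v.indicator for v in verdicts if v.publish)


def held(verdicts):
    return sorted(v.indicator for v in verdicts if not v.publish)


# Constructed sample: 100 monitored hosts; four candidate indicators from a feed.
SAMPLE_TOTAL_HOSTS = 100
SAMPLE_CANDIDATES = ["evil-update.example", "amazon.com",
                     "cdn.widely-used.example", "badhost.test"]
SAMPLE_TELEMETRY = (
    [(f"host-{i:03d}", "cdn.widely-used.example") for i in range(20)]   # 20% of hosts
    + [(f"host-{i:03d}", "images.amazon.com") for i in range(60)]        # legit traffic
    + [("host-007", "malicious.badhost.test")]                            # 1 host
)

if __name__ == "__main__":
    for v in qa_indicators(SAMPLE_CANDIDATES, SAMPLE_TELEMETRY, SAMPLE_TOTAL_HOSTS):
        print(f"{'PUBLISH' if v.publish else 'HOLD   '} {v.indicator}: {v.reason}")
```

Run against the sample, `evil-update.example` and `badhost.test` are cleared (no or negligible legitimate traffic), while `amazon.com` is held by the allow-list and `cdn.widely-used.example` is held because a fifth of the estate talks to it; both of the latter are exactly the cases that would “adversely impact” a SOC if published automatically.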
Understanding a new generation of hackers
Exploring the threat of “different attack groups”, Gabriel Hopkins brought up the issue of a new type of bad actor: “nihilistic young hackers with very, very different motivations” to their predecessors. Don characterised this group as “the Minecraft generation of young, Western-located cyber-criminals who have a unique combination of skillsets”. He added that this new type of hacker has not only the technical expertise to carry out cyber-attacks but the “social engineering” skill and eloquence to exploit the human vulnerabilities of a target network.
Brian noted that the motivation of this new kind of hacker is fundamental to their threat, with groups perpetrating attacks for reasons beyond the financial, and targeting critical infrastructure as much as corporate assets. “In the past, there was almost an honour among the threat actors,” he said. “They didn’t target things like nuclear power plants or the healthcare industry. Now it seems all that’s changed. Anything’s a target.”
Don underlined that difficulty. “The motivations change,” he said. “One day they’re an affiliate of a ransomware gang. Another day, they’re stealing crypto wallets. Another day, they’re doxxing or swatting their friends. Very, very unpredictable.”
The novelty of this emergent hacking trend adds to the danger it poses, Brian argued. Because critical infrastructure operators have not previously had to contend with the level of cyber-threat they now face, they are years behind their corporate counterparts in terms of their investment in, and maturity level of, cyber-security. He suggested that while nation state actors were once held back by a sense of mutual financial threat, the new generation of hackers doesn’t face that same constraint.
The importance of threat intelligence to threat hunting
Brian illustrated the advantages of leveraging threat intelligence during a cyber-attack, describing an instance in which he was able to use a TTP approach (tactics, techniques and procedures) to identify a specific threat actor, inform the security response, and ultimately eliminate the threat. Don pointed out that threat hunting also plays a critical role in the effectiveness of cyber-security frameworks, emphasising the investigative value of hunting exercises, which not only prevent attacks but increase client confidence and create better business outcomes.
Picking up on that point, Brian noted that threat reports help justify budget decisions by demonstrating the requirements, and limitations, of a particular security system, and ultimately supporting the opinions of compliance officers.
The value and functionality of AI and machine learning
Brian suggested that AI tools are contributing to the effectiveness of threat intelligence. For example, generative AI queries phrased in plain English are replacing the specialised query languages that earlier security tools required, speeding up incident response and threat hunting, and simplifying the search process to the point that junior analysts can be more fully involved. Similarly, generative AI tools are capable of creating human-readable summaries and reports from unstructured threat intelligence data, making the screening process quicker and easier to validate.
Following on from Brian, Don recommended caution around the more open-ended applications of AI, including requests for generative AI tools to report on specific threat actors. He pointed out that, even when producing quality, informative threat intelligence “98% of the time”, generative AI is vulnerable to hallucinations and firms should be wary of that potential outcome. “They’re trained to sound like they know the answer,” Gabriel added, “even when they don’t.”
The risks associated with AI cyber-security are being addressed by regulators. Brian pointed to the recent release of a number of AI Risk Management Frameworks – from the US’ National Institute of Standards and Technology (NIST) and the Cybersecurity & Infrastructure Security Agency (CISA), and the UK’s National Cyber Security Centre (NCSC) – which firms should use as a jumping-off point when developing their own AI security protocols.
Final thoughts
Gabriel closed the webinar by asking the panellists for key takeaways from the discussion:
Matt focused on the need for specifics, suggesting that in order to acquire actionable security data, firms need to know exactly “what it is you’re trying to get” from their threat intelligence. He also stressed the need for users to be mindful of generative AI since, as much as security teams can use AI tools for good, threat actors may also be able to use them maliciously. To that end, users should stay on top of their security responsibilities, enabling two-factor authentication, patching regularly, and preparing for the unexpected.
Don emphasised the importance of perspective when dealing with the changing threat landscape. “There is an awful lot of turbulence for very little flow,” he said, suggesting that while information security incidents may appear to vary over the short term, over a longer timescale we see consistency across TTP and “the learning remains fairly solid.”
Finally, Brian urged security leaders to strike the right balance between implementing foundational security controls and taking the time to understand new threats, solutions, and technologies. Finding that balance not only offers protection from existing and emerging cyber-threats, but helps firms keep pace with competitors in a rapidly changing risk landscape.