Cyber Threat Basics, Types of Threats, Intelligence & Best Practices
Secureworks gives you an updated look at cyber threats, types of threats, intelligence, emerging threats and today's best practices for protection.
By: Secureworks
What is a Cyber Threat?
For a cybersecurity expert, the Oxford Dictionary definition of cyber threat is a little lacking: "the possibility of a malicious attempt to damage or disrupt a computer network or system." This definition is incomplete without including the attempt to access files and infiltrate or steal data.
In this definition, the threat is defined as a possibility. However, in the cybersecurity community, the threat is more closely identified with the actor or adversary attempting to gain access to a system. Or a threat might be identified by the damage being done, what is being stolen or the Tactics, Techniques and Procedures (TTP) being used.
Types of Cyber Threats
In 2012, Roger A. Grimes provided this list, published in Infoworld, of the top five most common cyber threats:
- Social Engineered Trojans
- Unpatched Software (such as Java, Adobe Reader, Flash)
- Network traveling worms
- Advanced Persistent Threats
But since the publication of this list, there has been widespread adoption of several different types of game-changing technology: cloud computing, big data, and adoption of mobile device usage, to name a few.
In September 2016, Bob Gourley shared a video containing comments from Rand Corporation testimony to the House Homeland Security Committee, Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies regarding emerging cyber threats and their implications. The video highlights two technology trends that are driving the cyber threat landscape in 2016:
- Internet of things – individual devices connecting to internet or other networks
- Explosion of data – stored in devices, desktops and elsewhere
Today, the list of cyber threats may look more like this, and cyber threats are typically composed of a combination of these:
- Advanced Persistent Threats
- Distributed Denial of Service (DDoS)
- Wiper Attacks
- Intellectual Property Theft
- Theft of Money
- Data Manipulation
- Data Destruction
- Man in the Middle (MITM)
- Drive-By Downloads
- Rogue Software
- Unpatched Software
Unpatched software, seemingly the simplest vulnerability, can still lead to the largest leaks, as in the case of the Panama Papers.
Sources of Cyber Threats
When identifying a cyber threat, knowing who is behind it matters more than knowing the technology or TTP involved. The TTPs of threat actors are constantly evolving, but the sources of cyber threats remain the same. There is always a human element: someone who falls for a clever trick. Go one step further and you will find someone with a motive. That person is the real source of the cyber threat.
For example, in June of 2016, SecureWorks revealed tactical details of Russian Threat Group-4127 attacks on Hillary Clinton's presidential campaign emails. Then, in September, Bill Gertz of The Washington Times reported on another cyber attack on Hillary Clinton's emails, presumed to be the work of "hostile foreign actors," likely from either China or Russia. There currently exists a U.S. policy on foreign cyber threats known as "deterrence by denial." In this case, denial means preventing foreign adversaries from accessing data in the U.S.
But not all cyber threats come from foreign countries. Recently, Pierluigi Paganini @securityaffairs reported that police arrested two North Carolina men who are alleged to be members of the notorious hacking group called 'Crackas With Attitude' which leaked personal details of 31,000 U.S. government agents and their families.
Most Common Sources of Cyber Threats
- Nation states or national governments
- Industrial spies
- Organized crime groups
- Hacktivists and hackers
- Business competitors
- Disgruntled insiders
Cyber Threat Intelligence is Necessary for Enterprises
Advanced threat actors such as nation-states, organized cybercriminals and cyber espionage actors represent the greatest information security threat to enterprises today. Many organizations struggle to detect these threats because of their clandestine nature, the resources and sophistication behind them, and their deliberately "low and slow" approach. For enterprises, these more sophisticated, organized and persistent threat actors are seen only by the digital traces they leave behind. For these reasons, enterprises need visibility beyond their network borders into advanced threats specifically targeting their organizations and infrastructure. This is known as threat intelligence.
Cyber threat researchers can begin by building a background profile of the organization's assets that sit beyond the network border, and by staying aware of offline threats such as those reported by Luke Rodenheffer of Global Risk Insights. They should then monitor mission-critical IP addresses, domain names and IP address ranges (e.g., CIDR blocks). This can provide advance warning while adversaries are still in the planning stages. With this enhanced visibility comes improved insight into ongoing exploits and into the identification of cyber threats and the actors behind them, which allows you to take proactive steps and respond appropriately.
SecureWorks Counter Threat Unit (CTU)™ is made up of a team of professionals with backgrounds in private security, military and intelligence communities, and has been publishing threat analyses since 2005. The CTU uses threat visibility across thousands of customer networks to identify emerging threats as well as many other resources including:
- Attack telemetry from clients
- Malware samples
- Public & private information sources
- Website monitoring
- Social media
- Communication channels used by threat actors
- Security community
- Government agencies
Data from these sources is fed into a threat intelligence management system that distills threat indicators such as:
- Attack signatures
- Domain names
- Host names
- IP addresses
- File names
- Registry data
- Catalogued malware
Threat indicators are then enriched with contextual metadata to identify how they relate to threat actors and attack methods. The system then helps researchers identify relationships that would be impossible to find manually. This research reveals who is attacking, how and why, and leads to actionable insights, such as:
- What does the threat mean?
- How do you resist?
- What action should you take?
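The monitoring of mission-critical IP addresses, domain names and CIDR blocks described earlier, and the indicator distillation and enrichment described just above, can be illustrated with a small indicator store. The following is an added example written for this page; it is not Secureworks' threat intelligence management system or any CTU code. Every indicator value, actor label (TG-EXAMPLE-1, TG-EXAMPLE-2 are placeholders), confidence rating and log line is constructed, using reserved documentation address ranges and .test domains. It ingests indicators of several kinds, normalises them, enriches each with context, matches them against sample proxy/firewall/antivirus log lines, and groups the matches by actor so that observables sharing an actor are linked together.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Indicator:
    """One threat indicator plus the contextual metadata it is enriched with."""
    kind: str                                    # "ip", "cidr", "domain" or "sha256"
    value: str
    context: dict = field(default_factory=dict)  # e.g. actor, ttp, confidence (all constructed here)


class IndicatorStore:
    """Normalises indicators on ingest so lookups are exact-match or network containment."""

    def __init__(self):
        self.ips = {}       # "203.0.113.17" -> Indicator
        self.cidrs = []     # [(ip_network, Indicator)]
        self.domains = {}   # "example-bad.test" -> Indicator
        self.hashes = {}    # lowercase sha256 hex -> Indicator

    def add(self, ind):
        v = ind.value.strip().lower()
        if ind.kind == "ip":
            self.ips[str(ipaddress.ip_address(v))] = ind
        elif ind.kind == "cidr":
            self.cidrs.append((ipaddress.ip_network(v, strict=False), ind))
        elif ind.kind == "domain":
            self.domains[v.rstrip(".")] = ind
        elif ind.kind == "sha256":
            if not re.fullmatch(r"[0-9a-f]{64}", v):
                raise ValueError("sha256 must be 64 hex characters: %r" % ind.value)
            self.hashes[v] = ind
        else:
            raise ValueError("unknown indicator kind: %r" % ind.kind)

    def lookup_ip(self, text):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            return None                       # not an IP address at all
        hit = self.ips.get(str(addr))
        if hit:
            return hit
        for net, ind in self.cidrs:           # fall back to monitored CIDR blocks
            if addr in net:
                return ind
        return None

    def lookup_domain(self, name):
        # Walk from the full name up through its parents so a subdomain of a listed domain still matches.
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            hit = self.domains.get(".".join(labels[i:]))
            if hit:
                return hit
        return None

    def lookup_hash(self, digest):
        return self.hashes.get(digest.lower())


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def match_log_line(store, line):
    """Extract IPs, domains and SHA-256 digests from one log line; return (observable, Indicator) hits."""
    hits = []
    for ip in IP_RE.findall(line):
        ind = store.lookup_ip(ip)
        if ind:
            hits.append((ip, ind))
    for dom in DOMAIN_RE.findall(line):
        ind = store.lookup_domain(dom)
        if ind:
            hits.append((dom, ind))
    for digest in SHA256_RE.findall(line):
        ind = store.lookup_hash(digest)
        if ind:
            hits.append((digest, ind))
    return hits


def actor_summary(store, lines):
    """Group every matched observable by the actor in its context, linking observables that share an actor."""
    by_actor = {}
    for line in lines:
        for obs, ind in match_log_line(store, line):
            by_actor.setdefault(ind.context.get("actor", "unattributed"), set()).add(obs)
    return by_actor


# Constructed indicators: placeholder actors, reserved documentation ranges, .test domains, a dummy digest.
CONSTRUCTED_HASH = "deadbeef" * 8


def build_store():
    store = IndicatorStore()
    store.add(Indicator("cidr", "203.0.113.0/24", {"actor": "TG-EXAMPLE-1", "ttp": "phishing infrastructure", "confidence": "medium"}))
    store.add(Indicator("domain", "example-bad.test", {"actor": "TG-EXAMPLE-1", "ttp": "command and control", "confidence": "high"}))
    store.add(Indicator("sha256", CONSTRUCTED_HASH, {"actor": "TG-EXAMPLE-1", "ttp": "dropper", "confidence": "high"}))
    store.add(Indicator("ip", "198.51.100.9", {"actor": "TG-EXAMPLE-2", "ttp": "SMB scanning", "confidence": "low"}))
    return store


# Constructed sample log lines (proxy, antivirus, firewall).
LOG_LINES = [
    "2016-09-12T10:01:33Z proxy src=10.0.0.5 dst=203.0.113.17 host=update.c2.example-bad.test action=allow",
    "2016-09-12T10:02:10Z av host=ws-0042 file=invoice.exe sha256=" + CONSTRUCTED_HASH + " verdict=clean",
    "2016-09-12T10:05:41Z proxy src=10.0.0.7 dst=192.0.2.44 host=www.example.com action=allow",
    "2016-09-12T10:07:02Z fw src=198.51.100.9 dst=10.0.0.5 dport=445 action=deny",
]

if __name__ == "__main__":
    for actor, observables in sorted(actor_summary(build_store(), LOG_LINES).items()):
        print(actor, sorted(observables))
```

Two design points are worth noting. The domain lookup walks up through parent domains, so listing example-bad.test catches update.c2.example-bad.test without a separate entry per subdomain; and the antivirus line shows the value of enrichment: the scanner reported the file clean, but the digest is tied to an actor with a known dropper, which is the kind of relationship the text says is impossible to find manually at scale.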
Intelligence knowledge-sharing occurs among leading cyber threat organizations, in both the public and private sectors. SecureWorks considers these to be the most informed and active organizations and is in constant communication with them. A partial list of these organizations is provided below:
- Forum of Incident Response and Security Teams (FIRST)
- National Cyber-Forensics & Training Alliance (NCFTA)
- Microsoft Active Protections Program (MAPP)
- Financial Services Information Sharing and Analysis Center (FS-ISAC)
- National Health Information Sharing & Analysis Center (NH-ISAC)
Cyber Threat Level
A Cyber Security Index (or threat level indicator) can be found on a variety of publicly available sources. Some of these indexes such as CyberSecurityIndex.org are updated via monthly surveys. Others such as NH-ISAC Threat Level or MS-ISAC Alert Level are updated more frequently based on shared global threat intelligence.
Most of these indexes follow the same format as the original SecureWorks CTU Cyber Security Index. It is evaluated daily by the CTU and updated as appropriate based on current threat activity. A reason provided for the index's current status will typically include reliable and actionable information about a threat targeting software, networks, infrastructures or key assets.
While the primary decision point for the Cyber Security Index is a "Daily Security Roundup and CSI Threat Level" discussion, the CTU can make decisions (with input from other senior security personnel from our Security Operations Centers, our CISO and other individuals) at any time day or night, depending on what events we see occurring or imminent.
When there is significant debate on what threat activity corresponds to which Cyber Security Index level, the CTU will utilize the criteria in the Cyber Security Index definitions in making decisions. The CTU takes a very serious and judicious approach when determining the Cyber Security Index.
The SecureWorks Cyber Security Index was previously published publicly, but is now only accessible to clients via the customer portal.
CTU research reports on cyber security threats, known as threat analyses, are publicly available. Of course, these are only released after the information is no longer helpful to the threat actors behind it. It is important not to show your cards when hunting down threat actors.
Threat advisories announce new vulnerabilities that can lead to emerging incidents. These are published as soon as possible in order to help anyone better secure their devices or systems.
Best Practices for Defense and Protection
Today's best practices for cyber security are a hybrid approach. Keeping up with rapid advancements in cyber threats requires roles that go beyond what is feasible for an in-house security team to provide.
In-House IT Security Efforts:
- Strong end user education – compliance-based practices for handling data, recognizing phishing attempts and procedures to counter social engineering attempts
- Up to date software
- Firewall and anti-virus*
- IDS/IPS* – network intrusion detection and intrusion prevention systems
- Security event monitoring*
- Incident response plan*
Security Partner Efforts:
- Penetration testing and vulnerability scanning
- Advanced threat monitoring of endpoints
- Always up to date threat intelligence
- Emergency incident response staff and investigators on call
*If resources are not available in-house, any of these efforts can be pushed to a managed security services provider.