This is the second blog in a series called, “What is Threat Intelligence?” The first blog in the series can be found here. Stay tuned for future installments in this series.
Maintaining a strong security posture requires developing and answering many questions specific to the organization. Many of these questions must be answered continually as situations and environments evolve. Will bringing in additional security solutions really provide that much more additional protection? Is it worth the cost to update each and every legacy system? Who are my adversaries and how might they attack me? Many organizations choose to tackle these questions and make more informed decisions with context from threat intelligence. This curated information is generally divided into three subsets:
- Strategic intelligence – who/why
- Operational intelligence – how/where
- Tactical intelligence – what
Strategic intelligence (who/why) is the 100,000-foot view, providing a big-picture look at how threats and attacks are changing over time. Strategic intel may be able to identify historical trends, motivations, or attributions as to who is behind an attack. Who is attacking you and why? Who might attack organizations in your sector? Why are you within scope for an attack? What are the major trends happening? What kinds of things do you need to do to reduce your risk profile? Knowing the who and why of your adversaries also provides clues to their future operations and tactics. This makes strategic intelligence a solid starting point for deciding which defensive measures will be most effective.
Strategic intelligence might include information on the following topic areas:
- Attribution for intrusions and data breaches
- Actor group trends
- Targeting trends for industry sectors and geographies
- Mapping cyber attacks to geopolitical conflicts and events (South China Sea, Arab Spring, Russia-Ukraine)
- Global statistics on breaches, malware and information theft
- Major attacker TTP changes over time
For example, if you are in the education sector, you may wonder which nation states and which groups you should be concerned about. Where do you need to focus your resources to reduce the risk of an intrusion and theft of intellectual property? Or perhaps you know you’re in an industry or region that is frequently targeted by the actor APT29.
Strategic Intelligence for the Education Sector
Academic networks typically possess diverse infrastructure with a relatively large volume of connected devices and high bandwidth, but are notoriously challenging to adequately secure and monitor, making them prime targets for actors interested in exploiting them. A variety of actors routinely target these networks, including Advanced Persistent Threat (APT) groups conducting cyber espionage and likely using institutions’ networks to launch attacks against third parties, financially motivated actors seeking to steal information and monetize it, and hacktivists and similar groups seeking to promote their messages and causes. We assess with high confidence that actors will continue to target the education sector for the foreseeable future due to the perceived value of the information stored on school networks, demonstrated ease of using network infrastructure for launching further operations, and the inherent difficulties administrators face in securing them.
- Cyber espionage continues to pose the greatest threat to the education industry. China, Russia, Iran and South Korea have demonstrated the capability and willingness to conduct extensive reconnaissance activity and espionage against educational entities.
- Motivations include strategic and business intelligence, economic advantage, regional interests, and monitoring citizens abroad.
- China-based groups and campaigns include APT22, Menupass Team, and unnamed groups.
- APT29, a cyber espionage actor with a Russia nexus.
- Beanie Team, a cyber espionage actor with an Iran nexus.
- Fallout Team, a cyber espionage actor with a South Korea nexus.
- We have also observed unknown cyber espionage actors targeting the education industry.
Strategic Intelligence for APT29
- APT29 engages in cyber espionage operations where the primary goal appears to be data theft. APT29’s targets include Western governments, foreign affairs and policy-making bodies, government contractors, universities, and media outlets. Based on available data, we assess with high confidence that APT29 is a nation-state sponsored group located in Russia.
- APT29 appears to have formidable capabilities, including a range of custom-developed tools, extensive command-and-control (C2) infrastructure that includes compromised and satellite infrastructure (via satellite service providers), and savvy operational know-how. Unlike many other Russian attack groups, APT29 continues to operate after it has been detected. APT29 has demonstrated a high regard for OPSEC, and is aggressive in continuing operations and in its efforts to evade investigators and remediation attempts.
- APT29 appears highly interested in European government and foreign policy issues, with a significant emphasis on the Russia-Ukraine conflict. APT29 has targeted several Western national government and foreign policy entities, defense and government contractors, and academic institutions.
Using Strategic Intelligence
Strategic threat intelligence is built upon a huge body of knowledge and includes expert opinions and insights that are based on aggregating both operational and tactical intelligence from known cyber attacks.
There are many uses for strategic intel including, but not limited to, the following:
- Inform your executive leadership about high risk threat actors, relevant risk scenarios, and threat exposure in the public-facing technology sphere and criminal underground.
- Perform a thorough risk analysis and review of the entire technology supply chain.
- Learn which commercial ventures, vendors, partner companies, and technology products are most likely to increase or decrease risk to your enterprise environment.
Next up – What is Operational Threat Intelligence?
Source: Honeypot Tech