Threat Intelligence

The rise of digitisation has brought new challenges and hybrid threats that put any organisation’s cybersecurity at risk. The current situation is marked by a growing number of cyberattacks and an increase in their danger and sophistication.

Mario Casado
Babel Global Head of Cybersecurity


According to figures from the National Cryptology Centre (CCN), a total of 82,530 incidents were detected in public bodies in 2020, of which 7,000 were categorised as being "very" dangerous, doubling the previous year’s figure.

In 2021 the National Cybersecurity Institute (INCIBE), at its Security Incident Response Centre, managed 109,126 incidents affecting citizens, SMEs and businesses in our country.

In Spain, these security incidents have been mainly perpetrated by state actors and cybercriminals, and the health crisis has favoured an increase in campaigns conducted by APT (Advanced Persistent Threat) groups against bodies linked to the health sector.

In recent years we have noticed that the boundaries between the different threat actors have become more blurred. The methods and tools that were previously merely a threat for a limited number of large organisations have spread to the market in general.

The ‘Shadow Brokers’ code dump, which made advanced exploits available to any criminal group, has enabled almost any actor to compromise an organisation’s assets using highly sophisticated code.

The sector’s professionalisation, the consolidation of cybercrime as a profitable activity, the continuation of Malware-as-a-Service (MaaS), the rise of phishing, BEC (Business Email Compromise) and compromised credentials, triple extortion in ransomware attacks, and APT campaigns focused not only on cyber espionage but also on financial extortion to fund other activities: the cyber threat landscape changes almost daily.

In recent weeks we have witnessed the emergence of bug bounty programs launched by ransomware groups, asking researchers to send out bug reports in exchange for rewards that could be as high as millions of dollars.

Given this current scenario, cyber intelligence becomes an increasingly necessary technique to proactively tackle and prevent cyber threats.

This discipline, developed in the military and in defence, is increasingly common in the private sphere, and not only in large multinationals.

It is increasingly a cost-effective investment as part of comprehensive cybersecurity services, as it provides greater knowledge of the attack surface, helping to identify the most valuable targets or how detected vulnerabilities can be exploited.

It allows one to think like an attacker: to identify which are an organisation’s key assets and which sets of data and business processes are vital. It also contributes to developing techniques to counter, identify and monitor threats, as well as to understanding the motivations, behaviour and profile of groups, actors and campaigns.

The cyber intelligence process consists of a series of phases (the cyber intelligence cycle): planning, collection, processing, analysis, integration and evaluation. It typically also includes sharing the findings as threat models for specific technologies or industries. In all of these phases, alongside the technology, the figure of the analyst is decisive.

But the number and complexity of cyberattacks will continue an upward trend, taking advantage of existing vulnerabilities and events that favour unpredictability and uncertainty.

The increase in the use of social media, both in the working world and in the private sphere, will mean greater exposure for businesses and organisations and, consequently, a challenge for their reputation and image as well as an increase in cases of corporate fraud or corporate branding theft.

At state level, state-sponsored and state-financed actors will continue to carry out their cybercriminal activities with mainly political objectives. Practices such as cyber espionage will continue to adapt and take advantage of technological advances.

Infoxication or information overload is one of the main obstacles in the information collection and filtering phase. The amount of disinformation present, deep fake techniques, the use of bots or the automation of social network interactions will continue to generate an unmanageable volume of information in the coming years.

Moreover, the credibility of sources will continue to be affected by bias and incomplete information. This is why the figure of the analyst, with the ability to collect, filter and analyse information, will remain critical.

It is for all these reasons that cyber intelligence also requires the application of new technological advances to address current and future risks.

Big data, hyperautomation, artificial intelligence, blockchain analytics, the use of machine learning and risk intelligence give a glimpse of another future in the cyber intelligence landscape where we are heading towards managed threat intelligence.

All of these disciplines, already incorporated to a greater or lesser extent, will go a step further in both attributing and detecting cyberattacks, even before they occur.

Analysing, monitoring and correlating this vast amount of information will allow us to predict individual and collective behaviours, anticipate disinformation campaigns and detect zero-day exploitation before they can materialise.

In parallel with the development and evolution of tools, techniques and processes, cyber intelligence continues to face the emergence of new challenges and threats characterised by a VUCA environment (highly volatile, highly uncertain, complex and ambiguous), which favours the sophistication of attacks perpetrated by state actors, cybercriminal organisations, terrorist groups and cyber threat actors in general.

It is clear that a satisfactory defence of digital assets requires new methods, and organisations need a new, proactive approach to protect themselves by adapting their security controls to a complex and changing cyber threat environment.

It is not enough to react to an incident; environments are increasingly providing opportunities for attackers. All of this introduces a vast number of variables in the possible methods of executing an attack, as well as new variations on them.

The current context and emerging trends lead us to conclude that advanced threat intelligence is becoming, and will become, indispensable in the coming years for any organisation and must be tightly integrated with security governance and management policies as well as with technology teams.
