By Kaustubh Medhe, Head of Research and Intelligence at Cyble
Cybercriminal motivations rarely change over time. A typical cyberattack is carried out for one of the following reasons –
- Illicit financial gain via disruptive attacks such as ransomware, denial-of-service (DoS) or cryptocurrency theft
- Intellectual property theft or corporate espionage for strategic competitive advantage
- Sensitive data exfiltration by state-aligned actors for geopolitical advantage
- Influencing public opinion by propagating false or biased narratives through misinformation or disinformation campaigns in pursuit of socio-political objectives
What changes, however, is the approach and the modus operandi for carrying out such attacks.
In 2022, Threat Actors (TAs) were observed targeting security technology vendors and service providers that enjoyed a certain degree of trust and confidence in the industry.
In January 2022, Okta, a leading cloud-based identity management provider, was targeted in a well-planned attack in which TAs compromised the workstation of a customer support engineer employed by one of Okta’s third-party IT services vendors. Using that machine as a pivot, the TA reached Okta’s internal support tooling. Although the attacker had access to internal communication and ticketing tools only for a limited period and did not obtain significant critical information, the incident demonstrated how easily an attacker can get past security defenses by abusing the trust an organization places in its third parties: the engineer’s legitimate, privileged support access simply became the attacker’s access.
In June and July 2022, TAs targeted employees of Twilio, a leading customer engagement platform provider, with a well-orchestrated SMS phishing (smishing) and voice phishing (vishing) campaign to steal their usernames, passwords, and OTPs (one-time passwords used as a second authentication factor) and then access sensitive contact information belonging to Twilio’s customers. The TAs also managed to register and link their own devices to a few customer accounts. An OTP typed into an attacker-controlled page can be forwarded to the real login within its validity window, which is why this form of second factor did not stop the campaign.
In August and December 2022, LastPass, a leading provider of password management software, reported breaches in which attackers were able to access and copy sensitive customer information, including not only end-user names, billing and email addresses, telephone numbers, and IP addresses, but also vault data: usernames, passwords, and secure notes. Per LastPass’s own disclosure, the sensitive vault fields were encrypted with a key derived from each user’s master password, while website URLs were stored unencrypted, so the exposure for an individual user depends on the strength of that master password and on what the list of URLs alone reveals.
NortonLifeLock, another password management software vendor, reported that nearly 6,000 customer accounts had been accessed via a credential stuffing attack, in which attackers replay username and password pairs leaked from other breaches; the company forced a password reset and advised users to enable two-factor authentication. Credential stuffing only works against reused passwords, and a single source typically cycles through thousands of accounts at machine speed with a very low success rate, which is also what makes it detectable.
Cyble’s Darkweb Intelligence teams noticed several posts on cybercrime forums and the darkweb sites wherein TAs were seen soliciting access to cyber threat intelligence platform providers to get to their customers. Hackers also claimed to have successfully breached cybersecurity service providers offering security monitoring services, security assessment and penetration testing services, as well as data backup and recovery services. In addition, hackers were seen advertising the sensitive information of clients of victim companies on various cybercrime marketplaces and forums.
Recently, leading cloud infrastructure and SaaS providers such as Microsoft Azure and Atlassian have published detailed incident investigations in which TAs bypassed SMS OTP-based multi-factor authentication by replaying stolen authentication cookies to log in as the affected users. The cookies had been harvested from user systems infected with information-stealing malware. Strictly speaking, MFA was not defeated: it had already been satisfied once by the legitimate user, and the session cookie issued afterwards is what the attacker reused. Any control that checks MFA only at login and then trusts the cookie unconditionally for its whole lifetime is blind to this.
Cyble’s Threat Research team also discovered TA communication on the darkweb associated with malware and phishing services offered for sale that claim to bypass OTP-based two-factor authentication. OTP-based two-factor authentication is therefore now actively targeted and bypassed in advanced campaigns by skilled attackers, typically by relaying the code in real time through a proxy phishing page or by stealing the post-login session, rather than by breaking the OTP itself.
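The stolen-cookie replay described above can be caught server-side if the session is bound to the client context it was issued to. The following is an added example written for this article, not code from Microsoft, Atlassian or Cyble; it assumes a server-side session store that records a fingerprint of the client’s network and User-Agent when the session is issued after MFA, re-checks it on every request, and invalidates the session on mismatch so the user must go through MFA again. The IP addresses and User-Agent strings are constructed.

```python
"""Session binding to detect replay of a stolen cookie (added example).

Assumption: sessions are issued only after MFA succeeds, and the store
fingerprints the client network (/24 for IPv4, /64 for IPv6) plus User-Agent
at issue time. A cookie lifted by an infostealer and replayed from the
attacker's machine arrives with a different fingerprint and is revoked.
"""
import hashlib
import ipaddress
import secrets


class SessionStore:
    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _fingerprint(ip, user_agent):
        # Bind to the enclosing network rather than the exact address so that
        # ordinary DHCP/NAT churn on the user's side does not trigger revocation.
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()

    def issue(self, user, ip, user_agent):
        """Create a session cookie value. Call this only after MFA succeeded."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "fp": self._fingerprint(ip, user_agent)}
        return token

    def validate(self, token, ip, user_agent):
        """Return (user, status); status is 'ok', 'replay' or 'invalid'.

        On a fingerprint mismatch the session is destroyed: the attacker loses
        the replayed cookie, and the legitimate user is simply asked to log in
        (with MFA) again."""
        sess = self._sessions.get(token)
        if sess is None:
            return None, "invalid"
        if sess["fp"] != self._fingerprint(ip, user_agent):
            del self._sessions[token]
            return sess["user"], "replay"
        return sess["user"], "ok"


def demo():
    """Walk through issue -> legitimate use -> replay -> revoked (constructed data)."""
    store = SessionStore()
    ua = "Mozilla/5.0 (Windows NT 10.0) Chrome/108.0"
    cookie = store.issue("alice", "203.0.113.40", ua)
    results = [
        store.validate(cookie, "203.0.113.41", ua)[1],          # same /24 and UA: ok
        store.validate(cookie, "198.51.100.5", "curl/7.85.0")[1],  # replay from elsewhere
        store.validate(cookie, "203.0.113.40", ua)[1],          # revoked, even for the real user
    ]
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. Network binding is noisy on mobile carriers that change address ranges mid-session, so production systems usually step up to MFA on mismatch rather than hard-revoke. And this check does not help against the real-time proxy phishing kits mentioned above, because there the session is issued to the attacker’s infrastructure in the first place; the control for that case is an origin-bound factor such as FIDO2/WebAuthn, which cannot be relayed by a proxy page.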
In addition, Cyble’s researchers encountered several posts on cybercrime forums advertising Extended Validation (EV) code signing certificates. These services let criminals digitally sign malicious binaries with certificates stolen from legitimate publishers, so that the operating system and anti-virus software “trust” the binaries and allow them to execute on the target’s system; EV-signed code in particular earns an immediate reputation with Windows SmartScreen, which is why these certificates command a premium. A valid signature is therefore not, by itself, a trust signal: application control policies should allow specific publishers or certificate thumbprints rather than any binary that merely carries a valid signature.
By successfully attacking and bypassing “trusted” technologies and exploiting the trust relationship between organizations and their third-party service providers, TAs have now spawned a new trend that is expected to continue well into 2023 and beyond.
Our industry should brace for more such attacks in the future that target the trusted supply chain.
Social media has emerged as the next frontier for information warfare, with misinformation and disinformation campaigns routinely designed and launched to spread biased, false, or misleading information en masse to sway public opinion and cause financial, economic, or reputational damage to institutions and individuals. Coupled with the growing accessibility of AI-generated deepfake audio and video, social media can amplify harmful content with far-reaching ramifications for political regimes, the market performance of corporations, and the personal reputations of people holding important positions in public or private enterprise.
2022 saw glimpses of these risks materializing and causing widespread panic and confusion. A fake tweet from a Twitter account bearing the name and logo of Eli Lilly, the pharmaceutical company, announced that it was “making insulin free”. This sparked widespread panic that led to the stock price falling by 4.37%. The account carried a blue check mark, which at the time could be bought through a Twitter Blue subscription without any identity verification; readers took it as a mark of authenticity, which further aggravated the confusion.
During the early days of the Ukraine-Russia conflict, a video portraying the President of Ukraine exhorting his people to lay down their arms and surrender appeared on social media and received much media attention. While the seemingly real video was quickly identified as an AI-generated deepfake, it triggered serious debate about the misuse of deepfakes to sow distrust and suspicion, and about their potential for business and reputational damage to large corporations and enterprises.
Several organizations reportedly fell prey to executive impersonation scams delivered over SMS, voice calls, or chat, in which a scammer created a fake social media account or messenger profile carrying the image of a senior executive or the CEO and coerced employees into making a fraudulent wire transfer or gift card purchase on the “executive’s” behalf.
Cybercriminals are increasingly adopting novel techniques that synthesize social media, artificial intelligence, and personal communication technology to target their victims via a highly personalized attack that aims to exploit the implicit trust relationship between brands, personalities, and individuals.
Several organizations have jumped on the proverbial digital transformation bandwagon, exhorting their IT and software development departments to “move fast and break things”. Open-source software underpins most such digital initiatives. With active communities of open-source developers freely sharing code and packages via public repositories and offering technical support on a volunteer basis, software teams almost always turn to code re-use from third-party sources such as GitHub and the npm registry to accelerate development.
While the availability of “ready to use” open-source software is a boon for rapid development and for meeting aggressive go-live deadlines, such methods unfortunately expose organizations to hidden software supply chain security risks.
Since late 2021 and throughout 2022, security researchers have reported several incidents in which attackers published thousands of malicious npm packages, typically under names that mimic popular packages (typosquatting) or collide with private internal package names (dependency confusion), carrying code designed to silently steal credentials, access tokens, and API keys, enroll the host in a botnet, or run cryptocurrency miners on developer workstations as well as development and production servers. Because npm runs a package’s preinstall and postinstall scripts automatically during installation, the payload executes the moment the dependency is pulled. The stolen information is then invariably used to launch a follow-up attack on the infected organization.
Because thousands of npm packages are published every month and npm is used by over 60% of software developers, it is one of the most effective and stealthy vectors for mass-scale attacks that compromise many organizations at once.
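The lockfile that npm writes already records most of what is needed to spot the patterns above. The following audit is an added example written for this article, not a tool from npm, Cyble or any project named here; it reads a `package-lock.json` in the lockfileVersion 2/3 layout (a `packages` map keyed by `node_modules/` path) and flags dependencies that resolve outside the public registry, lack an integrity hash, declare install scripts (npm records these as `hasInstallScript`), or sit one edit away from a package the project’s root actually depends on. The lockfile contents and integrity strings below are constructed.

```python
"""Audit an npm lockfile for supply-chain red flags (added example).

Assumes package-lock.json lockfileVersion 2 or 3. Flags:
  - resolved URL outside the expected registry (dependency confusion / mirror swap)
  - missing integrity hash (no pinning of the tarball contents)
  - hasInstallScript (preinstall/postinstall runs code at install time)
  - name within edit distance 1 of a direct dependency (typosquat)
"""
import json

# Constructed lockfile: "loadash" is a typosquat of lodash with an install
# script; "internal-utils" comes from an unexpected host with no integrity.
# Integrity values are placeholders, not real hashes.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"lodash": "^4.17.21"}},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-" + "A" * 86 + "==",
        },
        "node_modules/loadash": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/loadash/-/loadash-1.0.0.tgz",
            "integrity": "sha512-" + "B" * 86 + "==",
            "hasInstallScript": True,
        },
        "node_modules/internal-utils": {
            "version": "9.9.9",
            "resolved": "https://example-mirror.invalid/internal-utils-9.9.9.tgz",
        },
    },
})


def edit_distance(a, b):
    """Levenshtein distance; small enough to inline for package-name checks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_lockfile(lock_text, registry="https://registry.npmjs.org/", max_distance=1):
    """Return a list of (package, finding, detail) tuples."""
    lock = json.loads(lock_text)
    packages = lock.get("packages", {})
    # Direct dependencies of the root are the names a typosquat would imitate.
    expected = set(packages.get("", {}).get("dependencies", {}))
    findings = []
    for path, meta in packages.items():
        if path == "":
            continue
        # Nested installs look like node_modules/a/node_modules/@scope/b.
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved", "")
        if not resolved.startswith(registry):
            findings.append((name, "non-registry source", resolved))
        if "integrity" not in meta:
            findings.append((name, "missing integrity hash", ""))
        if meta.get("hasInstallScript"):
            findings.append((name, "install script", "runs code during npm install"))
        for want in expected:
            if name != want and edit_distance(name, want) <= max_distance:
                findings.append((name, "possible typosquat", f"close to {want}"))
    return findings


if __name__ == "__main__":
    for name, finding, detail in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}: {finding} {detail}".rstrip())
```

Running this in CI against the committed lockfile, together with `npm ci --ignore-scripts` so that install hooks do not run by default, turns the two properties attackers rely on (automatic execution and an unreviewed name) into review gates rather than silent behaviour.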
While network and endpoint security solutions have achieved decent adoption and penetration within the industry, the importance of software security and secure software development processes is lost on the average organization. As a result, software security lags the cyber threats that have evolved to take advantage of the general neglect and ignorance when it comes to securing the software development life cycle.
As is evident, the threat landscape is changing rapidly, and cyber adversaries have now turned to weaponizing trust and ignorance to target their victims with sophisticated tactics.
How can organizations counter such risks?
A few key initiatives that organizations can take to identify and manage such risks include –
- Drawing up an inventory of trusted technologies and third parties and conducting a risk assessment to understand their exposure in the event that the trusted technology or supply chain partner were to be breached.
- Designing and testing incident response plans to assist the organization to resume operations or recover securely in the event of a trusted attack.
- Conducting organization-wide security awareness and training programs that educate staff on identifying and responding appropriately to newly emerging cyberattack campaigns designed to abuse trust.
- Implementing multi-factor authentication to reduce the risk of account compromise, preferring phishing-resistant factors such as FIDO2/WebAuthn over SMS OTP, since OTPs can be relayed by the phishing kits described above.
- Reviewing and strengthening the security configurations of their SaaS vendors, including session lifetimes and re-authentication requirements.
- Reducing sensitive data sprawl to minimize the risk of data exposure from a breach.
- Instituting a software security life-cycle program to identify the prevalence of risks due to open-source software and the necessary processes to secure the software supply chain.
Finally, organizations that wish to implement proactive cybersecurity should consider partnering with a cyber threat intelligence service provider to help stay up-to-date with evolving adversarial tactics and techniques. Actionable and timely information shared by threat intelligence providers can be used by information security leaders to make prudent risk-based security decisions and to implement critical policies or technical controls to reduce the likelihood of a similar attack from affecting their operations.
About the Author
Kaustubh Medhe – Head of Research and Intelligence at Cyble
Kaustubh Medhe is a security and privacy leader with over 2 decades of experience in information security consulting, audit, fraud risk management and cyber defence operations.
At Cyble, he leads Research and Cyber Threat Intelligence Services for clients globally.
Kaustubh is a Fellow of Information Privacy (IAPP) and holds the CIPP/E and CIPM credentials.
Kaustubh has executed and led information risk management programs for some of the largest clients in banking, insurance, retail and oil and gas industry in India, US, APAC, and the Middle East.
Prior to joining Cyble, Kaustubh was instrumental in setting up and operationalizing a threat intelligence enabled cyber defence centre at Reliance Industries, for one of the largest conglomerates globally with over 250K employees and 50K globally distributed assets (on-premises and the cloud).
Kaustubh was also associated with global managed security services providers such as Paladion (now ATOS) and Happiest Minds Technologies, where he led their Cyber Security and SOC Practice.
Cyble (YC W21) is a leading global cyber intelligence firm that helps organizations manage cyber risks by utilizing patent-pending AI-powered threat intelligence. With a focus on gathering intelligence from the deep, dark, and surface web, the company has quickly established itself as one of the pioneers in this space. Cyble has received recognition from Forbes and other esteemed organizations for its cutting-edge threat research. The company is well-known for its contributions to the cybersecurity community and has been recognized by organizations such as Facebook, Cisco, and the US Government. You can visit the company website at http://www.cyble.com.