Cyber Defense Archive - SITS

Threat Intelligence (TI), also known as Cyber Threat Intelligence (CTI), is detailed, actionable information that helps companies and organizations prevent and combat cyber security threats. It enables security teams to act proactively: to take targeted, deliberate measures against attacks before they occur, and to detect and respond to attacks faster when they do.

Why is Threat Intelligence so important?

Only with up-to-date and detailed information can security solutions, such as an endpoint detection and response (EDR) solution, know which areas of a company network are currently being targeted by attackers before an attack occurs. Besides EDR, NDR, SIEM and XDR solutions also use this data to improve their defenses.

But good threat intelligence is not only important for security products. A company's SOC team and its threat hunters also use the detailed information to identify vulnerabilities in the company network directly and to initiate suitable countermeasures. If a company relies on a managed SOC, that team uses threat intelligence too.

Sources of Threat Intelligence

Security analysts create threat intelligence by collecting “raw” threat data from various sources. Next, they correlate and analyze this data to uncover trends, patterns and relationships related to actual or potential threats.

One platform that provides such information is AV-ATLAS, for example. It contains the threat data collected and analyzed by AV-TEST experts and by the institute's analysis systems. The basic version of the platform is accessible to everyone free of charge and shows an impressive selection of the available TI data. For companies, the system also provides threat intelligence feeds that can be connected to security solutions or used by threat hunters with appropriate tools.

As Maik Morgenstern, CTO of AV-TEST and a threat hunter himself, points out: “Good threat intelligence, for example in the form of IoC – Indicators of Compromise – is essential for security solutions and threat hunters when evaluating a potential incident. With the help of the TTPs – Tactics, Techniques, and Procedures – contained in the TI, an IT security defense strategy can be reliably planned and implemented.”

Other sources of threat intelligence are CTI reports, for example from AV-TEST, which describe the security landscape in short time intervals, in this case weekly, and report on attack campaigns by APT groups. However, reports covering long periods of time, such as Check Point Software’s 2023 Cyber Security Report, also provide important threat intelligence in an international summary. The report identifies trends, particularly vulnerable sectors, frequently used attack tools and tactics, as well as background information on network and cloud attacks. Less globally focused, but no less informative, is the current AV-TEST report “Cyber Incidents in Figures: The year 2023”, which is free to download.

What's in Threat Intelligence?

The available threat intelligence feeds differ in content. Some key components are:

  • Threats that affect companies: This usually covers current campaigns against specific industries or their supply chains that are in the focus of attackers, and the way in which these attacks are carried out.
  • Threat actors: Background data on APT groups and other attackers can be used to develop defense strategies based on their previous actions.
  • TTPs – Tactics, Techniques, and Procedures: TTPs describe the techniques and tools attackers use in their campaigns.
  • IoCs – Indicators of Compromise: This data identifies artifacts and suspicious processes that can be used to detect and identify a cyber attack.
  • Evaluated data streams and files: A feed of dangerous URLs, for example, supplies an endpoint security solution or EDR with up-to-date information that prevents a company's employees from accessing dangerous websites or carrying out downloads classified as dangerous.
  • Vulnerability assessments: Information on new vulnerabilities for which no patch exists yet, but for which a workaround or preliminary protective measures are already available, such as blocking a network port or reducing user rights.

The different types of Threat Intelligence

Experts often divide threat intelligence into three categories: strategic, tactical and operational. As these classifications are not standardized, the sub-items within the categories vary somewhat depending on the expert describing them. The classic division is as follows:

  • Strategic Threat Intelligence: This analysis is highly summarized and addressed to non-experts, such as board members. It focuses only on the threatened areas and on current trends, which often originate from public reports. It serves as a kind of risk barometer.
  • Tactical Threat Intelligence: Here the first practical steps are taken; IoCs, for example, are used to check networks and prevent potential attacks. The information usually arrives via a TI or CTI feed and is generally processed automatically.
  • Operational Threat Intelligence: This refers to TI during and after an attack. Current information on the attackers' tactics, techniques and procedures (TTPs) is evaluated and used. Conclusions also need to be drawn once the attack has been repelled, for example about its targets: Were the attackers after specific data, and if so, which? Or was the attack perhaps only a probe of individual defenses, with the real attack still to come?

Threat Intelligence Life Cycle

When security experts talk about the threat intelligence life cycle, they mean a breakdown into the following phases:

  • Planning
  • Collection
  • Processing
  • Analysis
  • Dissemination
  • Feedback

This process is not a one-off event; it should be run through repeatedly to keep cyber defense effective and cost-efficient.

In the “Planning” phase, it is important to set targets for threat intelligence, such as which parts of the company require special protection and what consequences an attack could have.

In the second phase, “Collection”, data is gathered for the areas of the data and IT infrastructure that were identified as particularly at risk in the first phase. In this phase, a company should decide on the data sources for its future threat intelligence, such as reports, blogs, CTI feeds from security providers or metadata from its own network, for example from EDR or SIEM.

In the third phase, “Processing”, it must be clarified how the stream of information can be processed in a feasible way. Can the available systems already consume these feeds directly, and do the SOC and threat hunters have the right tools?

Once this has been clarified, we move on to phase 4, “Analysis”. This involves evaluating the information and transforming it into practically usable findings. The results of this analysis also clearly show whether important security tools are still missing and whether the current security budget is sufficient.

Phases 5 and 6, “Dissemination” and “Feedback”, put the actual findings of the threat intelligence life cycle to use. The conclusions must be implemented by the various teams of a company, such as the SOC and the traditional IT department; company management should also be involved in these phases. In the feedback phase, the responsible department and project managers must ensure that all phases have been implemented in a way that makes sense for the security requirements and objectives.

The IoT world is expanding and so are the security threats

The Internet of Things (IoT) is changing the world of business. Manufacturers are increasingly integrating advanced technologies such as cloud computing, data analysis and machine learning into their production workflows. The value created by IoT is already huge and continues to grow. McKinsey estimates that the value created by IoT could reach USD 12.5 billion worldwide by 2030. Highly specialized economic sectors in particular are currently seeing the greatest benefits. From applications in medical technology, logistics and transport to solutions for smart factories, IoT is leading the way for a broader digital transformation that generates, stores, analyzes and transmits huge amounts of data across an ever-growing global network.

According to Palo Alto Networks, the rapid development and adoption of IoT technology is already transforming business processes. IoT devices probably already account for more than 30 percent of all devices in corporate networks today. The data collected from these devices provides a wealth of valuable information that enables real-time decision making and the building of accurate predictive models. In addition, the Internet of Things is a key enabler of digital transformation in organizations and has the potential to increase employee productivity, business efficiency and profitability and to improve the overall workforce experience.

IoT security is becoming increasingly important - also for cyber criminals

The downside: Linking production facilities (Operational Technology, OT) with IoT technologies and other advanced solutions offers new targets for cyber attacks. After all, billions of networked devices create all kinds of potential vulnerabilities in companies. According to McKinsey, increasing connectivity has drastically increased the number of attack vectors. Before IoT, a large corporate network might have had to consider up to 500,000 vulnerable endpoints; with IoT, that figure can run into several million.

A recent report by Asimily entitled “IoT Device Security in 2024: The High Cost of Doing Nothing” shows just how big the threat posed by the use of IoT devices actually is. It analyzes emerging attack trends targeting IoT infrastructures and outlines possible consequences for companies that do not take adequate security measures. According to the report, already known vulnerabilities are among the biggest threats: 34 of the 39 most frequently exploited IoT vulnerabilities have been known for more than three years on average. Routers account for 75 percent of infected IoT devices, as they serve as gateways for reaching other nodes in a network. Security cameras, digital signage systems, medical devices and industrial control systems are also among the most frequently attacked devices.

Risks relating to the use of IoT in companies

Depending on the application, a security breach in an industrial IoT environment carries various risks: from the disclosure of information that is crucial to the operation of the company or the manufacture of a product, through damage to industrial control systems, to the compromise of the manufactured products themselves. An example: An attacker gains access to the network of an automotive supplier and manipulates the machine settings for a brake component without being noticed. This can lead to the brakes suddenly failing under load. The material and immaterial damage to the company is almost impossible to quantify.

IoT is prone to vulnerabilities

Industrial IoT architecture refers to the collection of all IoT elements in smart factories. Although it differs from company to company, it always includes devices with sensors and actuators, network elements, databases, analysis tools and business applications. Each component poses specific security risks to the entire production environment.

As Palo Alto Networks explains, without resilient security any networked IoT device is vulnerable to intrusion, compromise and control by malicious actors who break into the system, steal user data and crash systems. As more and more different IoT devices connect to the network, the attack surface increases dramatically, and the overall security of the network is reduced to the level of its least secure device. On top of these challenges, 98 percent of all traffic from IoT devices is unencrypted, putting confidential data at high risk.

Attacks on industrial IoT aim to compromise the security of different elements of the IoT ecosystem, such as network communications, IoT and OT software and applications, and the physical devices. DDoS, device hijacking or spoofing and man-in-the-middle attacks are just some of the security issues in this context. The consequences of a single cyber attack vary depending on the target, but the most common and dangerous is the disclosure of sensitive data. The table below lists the most common IoT attacks and their effects on OT factories.

IoT attack risks at a glance

Attacks and their effects, by layer

Hardware
  Attacks:
  • Reverse engineering
  • Physical tampering
  • RF jamming
  • Denial-of-sleep attack
  • Side-channel attacks
  • Counterfeit hardware
  Effects:
  • Access to sensitive information
  • Control over data flows
  • Resource destruction

Software
  Attacks:
  • Malware, ransomware, spyware
  • Bots/botnets
  • Blended threats
  • Rootkits
  • Forced deadlock
  • Exploitation of trusted identifiers
  • Code injection
  • Brute-force attacks
  • SQL injection
  Effects:
  • Disclosure of sensitive data
  • Interruption of data
  • Software rendered unusable
  • Blocked access to files

Communications
  Attacks:
  • DoS/DDoS attacks
  • Eavesdropping (sniffing and spoofing attacks)
  • Man-in-the-middle attacks
  • Session hijacking
  • DNS tunneling
  • Port scanning
  • Protocol manipulation attacks
  • Jamming
  • Traffic analysis
  • Sinkhole attacks
  Effects:
  • Network flooding and overload
  • Data theft
  • Unauthorized access to databases
  • System crashes
  • Malware tunneling

Achieving security in the IoT

IoT devices are dedicated objects that perform a limited number of actions; for example, they connect to a network and transmit and receive data. Typical IoT devices in companies include barcode scanners, smart light bulbs and security cameras as well as measurement and control sensors. IoT devices differ from IT devices such as computers in that they generally have only one specific task. In addition, many do not support software updates and security patches, so if a vulnerability is found in their software or firmware, it is difficult to protect them from exploitation and compromise. Another difference is that IoT devices often appear in a network unnoticed, and because of their specialized design their network behavior is unfamiliar to administrators who are used to managing laptops and desktops. For these reasons, all organizations must evolve their cyber security measures and take proactive steps to address this increasingly complex IoT/OT threat landscape.

The key IoT security safeguards

The following actions from the SITS IoT security checklist are essential to implement an effective security strategy and mitigate the risks associated with IoT/OT threats:

  • Implement zero trust architecture
  • Maintain an overview of all devices
  • Proactively identify vulnerabilities
  • Check all data traffic
  • Set up real-time monitoring
  • Ensure regular updates
  • Detect outdated devices
  • Perform security risk assessment
  • Establish an industrial demilitarized zone (IDMZ)

Conclusion IoT Security

The introduction of IoT and OT devices offers companies significant benefits, but also poses major risks. A modern zero-trust approach is required to efficiently and securely manage IoT and OT devices at scale. Managers must also consider cybersecurity at all organizational levels by introducing security policies, implementing protection mechanisms and training their employees. If you are looking for a reliable partner to advise and support you in protecting your IoT systems, SITS is here to help.

In October 2023, 72 local authorities in southern Westphalia, Germany, suffered an IT meltdown. During the night, hackers attacked the municipal IT service provider with ransomware. In addition to the administrations, the systems at schools also failed. Trade fair company Messe Essen suffered a similar ransomware attack: cyber criminals hijacked the ticket store and stole personal data such as addresses and email addresses. An effective security network can take the fear out of serious ransomware attacks.

Ransomware - the definition?

Its name already explains what makes ransomware so dangerous: this malicious software (malware) blocks access to computer systems or files until a payment (ransom) is made. The software normally encrypts the files on the victim's device so that they are no longer accessible. To obtain the decryption key for the captured data, companies, authorities or organizations are expected to pay the hackers a ransom.

What makes ransomware so dangerous?

According to the German Federal Office for Information Security (BSI), there were more than 2,000 vulnerabilities in software products in 2023. This is an increase of 24% compared to the previous year. 66% of all spam emails were hidden cyber attacks. According to the BSI, ransomware is the top threat for companies and authorities in particular. On average, 775 emails containing malware were intercepted in German government networks every day during the reporting period. In addition, an average of 370 websites had to be blocked from access every day due to malware.

It is the mixture of financial motivation and destructive power that makes ransomware so dangerous. In addition, hackers are constantly refining ransomware attacks, using increasingly sophisticated techniques including new encryption methods, anonymous payment systems such as cryptocurrencies, and social engineering. You need to be prepared for these risks:

  • Data breaches: Sometimes attackers threaten to release sensitive data if a ransom is not paid. This can lead to data breaches, fines and legal liability for the affected company.
  • Financial damage: Ransomware attacks can affect individuals, companies and organizations financially, as they are often forced to pay a ransom to regain access to their files. Caution: There is no guarantee that the decryption key will be released or that the decryption will actually work, even if the ransom is paid.
  • Disruption and loss of time: Ransomware attacks can significantly disrupt operations, resulting in downtime, loss of productivity and reputational damage.
  • Rapid spread: Ransomware can spread fast across networks and devices, infecting multiple systems within an organization or between different companies. It can affect companies, countries and critical infrastructures worldwide and cause widespread disruption.

Some examples of how ransomware infects computers are malvertising (malicious advertising on legitimate websites), phishing emails (with dangerous links or attachments) or exploit kits that automatically exploit vulnerabilities in software, operating systems or network services. There are also drive-by downloads (compromised websites that automatically download ransomware onto the systems of website visitors).

What types of ransomware exist?

There are various forms of ransomware that differ in the nature of their attack vectors and behaviors:

  • Locker ransomware: With this lock screen type, access to the computer or special functions of the operating system is blocked.
  • Encrypting ransomware: Files are encrypted on the infected system using strong encryption algorithms.
  • Master Boot Record (MBR) ransomware: It infects the MBR of a computer, which can lead to the operating system no longer starting properly.
  • Mobile ransomware: This malware targets mobile devices such as smartphones and tablets. It can distribute itself via infected apps, malicious links or drive-by downloads, encrypting personal data and blocking access.
  • Network ransomware: It spreads within a network and infects multiple computers or servers. Shared network resources, vulnerabilities in network protocols or unsecured remote desktop connections are the entry points for the attackers.
  • Dox or leakware: Attackers threaten to publish stolen or encrypted victim data if no ransom is paid. This form of ransomware aims to blackmail victims by publishing sensitive information instead of just denying access to files.
  • Ransomware as a Service (RaaS): Cyber criminals even offer ransomware kits as a subscription. Using ready-made tools, even technically inexperienced people can initiate ransomware attacks.

How do you identify and combat ransomware?

Early detection of ransomware is crucial to minimize the impact on your system and your data. You should pay attention to the key points here:

  1. Use reliable antivirus and anti-malware software!
  2. Use behavior-based detection: There are behavior-based detection techniques that identify ransomware based on its actions rather than its signature. This includes monitoring system behavior for unusual file encryption patterns or attempts to change system settings.
  3. Educate employees about the risks of ransomware and sensitize them to report suspicious activity on their systems. This will enable IT and security teams to respond more quickly to potential ransomware infections and reduce the impact.
  4. Use mechanisms to identify anomalies. This could be a sudden increase in file encryption activity, unauthorized access attempts or unusual network traffic patterns.
  5. Use file integrity monitoring tools to track changes to files and directories.
  6. Analyze network traffic for signs of ransomware communication, such as connections to known command and control servers used by ransomware operators. Intrusion Detection and Prevention Systems (IDPS) help to block suspicious connections in real time.
  7. Monitor user activity on your network to identify unusual actions.
  8. Deploy Endpoint Detection and Response (EDR) solutions that provide real-time visibility into endpoint activity and enable rapid response to potential threats.
  9. Implement SIEM solutions that collect and analyze security event data from multiple sources across your network. SIEM platforms can be used to correlate events, identify potential security incidents and facilitate response to ransomware attacks.
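Points 2, 4 and 5 above (behavior-based detection, anomaly detection and file integrity monitoring) come down to the same idea: ransomware betrays itself by what it does to files, not by its signature. The following Python example, added here and not part of the SITS page, shows a minimal behavior-based detector over a stream of file events. The event format, the entropy threshold and the "five suspicious operations in 30 seconds" rule are assumptions chosen for illustration, and the sample events are constructed.

```python
import math
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed event shape: what an EDR or file-integrity monitor would hand us per operation.
@dataclass(frozen=True)
class FileEvent:
    ts: float          # event time in seconds
    proc: str          # process that performed the operation
    op: str            # "write" or "rename"
    path: str          # file path after the operation
    data: bytes = b""  # content written (only for "write" events)

# Assumption: extensions that legitimately occur in the monitored document share.
DOCUMENT_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png", ".csv"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the content; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_unusual_extension(path: str) -> bool:
    """True when the file now carries an extension outside the expected document set."""
    name = path.rsplit("/", 1)[-1]
    if "." not in name:
        return False
    ext = "." + name.rsplit(".", 1)[1].lower()
    return ext not in DOCUMENT_EXTS


class RansomwareBehaviourDetector:
    """Flags a process that performs many high-entropy writes or odd renames in a short window."""

    def __init__(self, window_s: float = 30.0, threshold: int = 5, entropy_min: float = 7.5):
        self.window_s = window_s
        self.threshold = threshold
        self.entropy_min = entropy_min
        self._hits = defaultdict(deque)  # process -> timestamps of suspicious operations
        self.alerts = []                 # processes already reported, in order

    def observe(self, ev: FileEvent):
        suspicious = (
            (ev.op == "write" and shannon_entropy(ev.data) >= self.entropy_min)
            or (ev.op == "rename" and is_unusual_extension(ev.path))
        )
        if not suspicious:
            return None
        q = self._hits[ev.proc]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window_s:   # drop hits outside the sliding window
            q.popleft()
        if len(q) >= self.threshold and ev.proc not in self.alerts:
            self.alerts.append(ev.proc)
            return ev.proc
        return None


def constructed_events():
    """Constructed sample: one benign editor and one process rewriting and renaming files in bulk."""
    high_entropy = bytes(range(256)) * 4  # every byte value equally often: exactly 8.0 bits/byte
    text = b"Quarterly report draft. Revenue up, costs flat.\n" * 10
    events = [
        FileEvent(1.0, "WINWORD.EXE", "write", "/home/u/docs/report.docx", text),
        FileEvent(2.0, "WINWORD.EXE", "rename", "/home/u/docs/report_v2.docx"),
    ]
    for i in range(8):
        events.append(FileEvent(10.0 + i, "svc_updater.exe", "write",
                                f"/home/u/docs/file{i}.docx", high_entropy))
        events.append(FileEvent(10.2 + i, "svc_updater.exe", "rename",
                                f"/home/u/docs/file{i}.docx.locked"))
    return sorted(events, key=lambda e: e.ts)


def detect(events):
    """Run the detector over an event stream and return the processes that triggered an alert."""
    detector = RansomwareBehaviourDetector()
    for ev in events:
        detector.observe(ev)
    return detector.alerts


if __name__ == "__main__":
    print("alerted processes:", detect(constructed_events()))  # expected: ['svc_updater.exe']
```

The entropy check catches the encryption step itself, the extension check catches the rename that usually follows it, and the sliding window keeps a single legitimate archive or image save from firing. In production the thresholds would be tuned per file share, and an alert would be fed to the EDR or SIEM described in points 8 and 9 rather than printed.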

Information: The German Federal Office for Information Security (BSI) has published some tips on how to defend against ransomware attacks. The key aspects that companies should cover in their security strategy include patches and updates, remote access, measures for emails and macros, the execution of programs, virus protection, administrator accounts, network segmentation, backups and a data protection concept, network drives and an emergency plan for the "worst-case scenario" (all systems in the network are encrypted and a blackmail letter has been received).

When it comes to threat hunting in cyber security, conversations often slide into a wave of technical terms such as IoA – Indicator of Attack, IoC – Indicators of Compromise or TTP – Tactics, Techniques and Procedures. The terms are of course important, but they say little about the concept behind threat hunting and what this technique is all about.

Who are the Threat Hunters?

Not all threat hunters have the same tasks when searching for new waves of attacks or evaluating code, scripts and classic data and database analyses. Roughly speaking, there are four groups, with the first three primarily producing data that threat hunters in companies then use as threat intelligence:

  • Evangelists: Although these experts are not threat hunters in the narrow sense, some of them have had an excellent overview of the IT threat landscape for decades and know how to interpret data that has already been analyzed. They provide important material that becomes threat intelligence. One example is computer security expert and threat hunter Mikko Hyppönen. He was already hunting down attackers online and analyzing their data before any of these terms had been defined. His talks and presentations are worth following; his predictions, even those reaching many years into the future, unfortunately come true all too often, such as his early quote on IoT: “if it’s smart, it’s vulnerable”.
  • Researchers: At many universities, teams of experts conduct research and threat hunting by investigating what is possible with new technologies and which methods attackers are currently using and will use in the future. The American MIT CSAIL and the Fraunhofer Institute SIT are at the forefront here.
  • Heads: Some specialists do not want to be publicly known and are only in contact with each other to exchange information. The Check Point Research team is somewhat better known; in its blog it describes how it first conducts threat hunting and then analyzes the exact sequence of a malware attack in all its steps, for example how an attack on a mobile device management (MDM) system took place. The team first presented the tactics and then tracked the attack step by step; the documentation shows the scripts, code, ports and tools used. Institutes such as the AV-TEST Institute also engage in active threat hunting. AV-TEST uses its own analysis engines for this and produces a lot of information as threat intelligence (TI) through its data stream and preliminary analyses, which is the basis for threat hunting.
  • SecOps experts: This largest group is the real backbone of daily threat hunting. They benefit from the analyses of the evangelists, researchers and heads. These experts work in the many SecOps departments of security vendors and service providers that offer a managed SOC as a service. Many detection systems produce data streams with anomalies that are first analyzed using machine learning (ML) or AI. The important remainder, the actual threat intelligence, is then used for investigation and threat hunting. Through continuous evaluation, the specialist teams identify vulnerabilities and pass them on as detection data. This ensures the appropriate defense against exploits, classifies vulnerabilities or initiates countermeasures against attack campaigns.

Threat Intelligence - TI - the source of threat hunters

Simply explained, threat intelligence is the collection of all information that threat hunters use to investigate anomalies. Asking the CTO and threat hunter Maik Morgenstern from AV-TEST, it is clear that “threat hunting cannot work without good threat intelligence from various sources and IT security tools”.

Such a data stream can be assembled from many parts. If threat hunters work in a company's SecOps, for example, they use all the data provided by the local security tools. In addition to network logs and structural data on the IT infrastructure, this includes data from an EDR, XDR (with NDR) or SIEM solution. These tools know the IT structure and record all data transfers in the network, recognizing software dependencies and their communication in the network, from the client PC to the cloud application.

Threat hunters usually check conspicuous processes and anomalies, or research vulnerabilities based on indications or previously published findings. Ideally these are already recorded as CVEs (Common Vulnerabilities and Exposures) in a public database. Expert Maik Morgenstern from AV-TEST offers a practical example to illustrate this: “If, for example, it is known that a current malware campaign uses port 777 for communication after an infection, a threat hunter can also carry out checks to see whether his company may be affected and thus track the attack. However, they can also prevent damage by monitoring the port more intensively or even blocking it preventively.”
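The port-777 hunt just described, and the “Processing” and “Analysis” phases of the threat intelligence life cycle in the first article, are the same mechanical step: normalize the indicators from a feed, then match them against the network data the company's own tools already collect. The following Python example, added here and not taken from the SITS page, AV-TEST or AV-ATLAS, does exactly that. The CSV feed layout, the flow-log layout and the 10.0.0.0/8 internal address range are assumptions; the feed entries and flow records are constructed, and the only indicator taken from the text is port 777.

```python
import csv
import io
import ipaddress
from collections import Counter

# Assumption: the company's internal address space. Only outbound flows from here are hunted.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed TI feed in a simple CSV shape (assumed format; not a real feed).
TI_FEED_CSV = """type,value,description
ip,203.0.113.45,C2 address from a constructed campaign
ip,198.51.100.7,second constructed C2 address
port,777,post-infection C2 port from the quoted example
"""

# Constructed flow log, space separated with a header, in the shape an NDR/SIEM might export.
FLOW_LOG = """ts src_ip src_port dst_ip dst_port proto
1712000001.1 10.0.1.15 51022 192.0.2.10 443 tcp
1712000002.2 10.0.1.15 51023 192.0.2.10 443 tcp
1712000003.3 10.0.1.22 49155 203.0.113.45 8080 tcp
1712000004.4 10.0.1.22 49156 198.51.100.200 777 tcp
1712000005.5 10.0.2.9 40001 203.0.113.45 777 tcp
1712000006.6 10.0.1.15 51024 192.0.2.10 80 tcp
1712000007.7 10.0.0.5 777 10.0.1.15 53001 tcp
"""


def load_feed(text: str) -> dict:
    """Processing phase: turn raw feed rows into typed lookup sets.

    Malformed IPs raise ValueError here rather than silently never matching later."""
    feed = {"ip": set(), "port": set()}
    for row in csv.DictReader(io.StringIO(text)):
        kind = row["type"].strip().lower()
        if kind == "ip":
            feed["ip"].add(str(ipaddress.ip_address(row["value"].strip())))
        elif kind == "port":
            feed["port"].add(int(row["value"]))
    return feed


def parse_flows(text: str) -> list:
    """Parse the header-first flow log into dicts with numeric ports and timestamps."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    flows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split()))
        rec["ts"] = float(rec["ts"])
        rec["src_port"] = int(rec["src_port"])
        rec["dst_port"] = int(rec["dst_port"])
        flows.append(rec)
    return flows


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt(flows: list, feed: dict) -> list:
    """Analysis phase: return (flow, reasons) for outbound flows that hit an indicator."""
    matches = []
    for f in flows:
        # Internal-to-internal traffic and inbound traffic are out of scope for this hunt;
        # the last sample record (source port 777 on an internal host) is skipped for that reason.
        if not is_internal(f["src_ip"]) or is_internal(f["dst_ip"]):
            continue
        reasons = []
        if f["dst_ip"] in feed["ip"]:
            reasons.append("destination IP is in the TI feed")
        if f["dst_port"] in feed["port"]:
            reasons.append(f"destination port {f['dst_port']} is in the TI feed")
        if reasons:
            matches.append((f, reasons))
    return matches


def affected_hosts(matches: list) -> Counter:
    """Which internal hosts talked to an indicator, and how often: the list to hand to incident response."""
    return Counter(f["src_ip"] for f, _ in matches)


if __name__ == "__main__":
    hits = hunt(parse_flows(FLOW_LOG), load_feed(TI_FEED_CSV))
    for f, why in hits:
        print(f"{f['src_ip']} -> {f['dst_ip']}:{f['dst_port']}  ({'; '.join(why)})")
    print("affected hosts:", dict(affected_hosts(hits)))
```

A port alone is a weak indicator, which is why the reasons are kept separately: a flow that matches both the C2 address and the port deserves a faster hand-off to incident response than one that merely used port 777 to an unknown host. The same lookup structure accepts further indicator types (domains from DNS logs, file hashes from EDR telemetry) without changing the matching logic.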

First threat hunter, then forensic expert

Threat hunters are constantly checking their own network for anomalies or other suspicious activities. To do this, they use threat intelligence, the knowledge gained from current incidents that have occurred elsewhere. If they find the processes, executed files and accesses they are looking for, they usually pass this important information on to the incident response team, which stops the attack. EDR, XDR (with NDR) or SIEM solutions help here again, as they can be used to quickly roll out comprehensive network rules and other actions and ensure further monitoring. Only once the attack and all access has been contained do forensic experts come into play, as they are the better analysts for dangerous scripts, codes or malware used for the attack.

Why threat hunting is important for CISOs and CTOs

  • Threat hunting gives you a better overview of the current threat landscape in the company's own network. If a threat or attack is identified, the incident response team takes over and forensics follow.
  • Threat hunters not only use existing IT security analysis systems, such as EDR, XDR (with NDR) or SIEM solutions that work together with endpoint security. They can also train systems, implement rules and thus reduce attack vectors.
  • Threat hunters are usually well networked and therefore have deep insights into forums that potential attackers use to exchange information. Threat hunters search the darknet, where criminals often trade stolen credentials or other company data. Such research can also uncover a data loss or cyber intrusion that no one has yet noticed.
  • Every CISO and CTO should spend ten minutes threat hunting themselves, for example by taking a look at Shodan.io, a search engine for Internet-connected devices. A search there for “VMware vCenter” servers that are exposed on port 443 and unpatched returned over 1,700 vulnerable servers in our test. Is your company on the list?