June 2016 – SurfWatch Labs, Inc.

Healthcare Databases for Sale on Dark Web, but What Else is Being Sold?

The recent theft and potential sale of various healthcare databases has once again put the sector at the forefront of cybercrime — and makes many wonder how their information is affected by criminal activity on the dark web. While healthcare-related data is not nearly as prevalent on the dark web as other sectors like financial services, SurfWatch Labs has observed a variety of items being offered up for sale in addition to this week’s headline-making healthcare databases.

As previously noted, common threat intelligence found on the dark web includes compromised credentials, stolen financial information, stolen intellectual property, threats stemming from an organization’s supply chain, and information on a wide range of hacking services and other cybercrime tools. These same categories also apply to healthcare organizations.

Over the past year SurfWatch Labs has observed direct healthcare breaches, third-party breaches that have impacted healthcare organizations’ employee accounts, fraudulent prescriptions, and other healthcare-related cyber threats.

What’s Being Sold on the Dark Web Now?

This week, several healthcare databases were put up for sale on the dark web by an actor going by the name “TheDarkOverlord” — along with a hefty price tag for that information.

On Monday, after previously posting three different databases that contain names, addresses, Social Security numbers, birth dates and some phone numbers of 655,000 individuals, the hacker told the Daily Dot that he was sitting on a “large” number of other databases. On Tuesday he followed through on that claim, adding for sale a database of 34,000 records from a New York Clinic as well as a health insurance database with 9.3 million patients, which he said was stolen using a zero-day vulnerability “within the RDP protocol that gave direct access to this sensitive information.” On Wednesday he again made headlines by naming one of the companies breached, Midwest Orthopedic Clinic in Farmington, Missouri, and said that the owner “should have just paid up to prevent this leak from happening.”

Healthcare_database2_cropped — According to the post, the 2GB file contains 9,278,352 records and is selling for 750 bitcoin (around $485,000), a far higher price than is typical for items sold via dark web markets.

A posting of more than 9 million records is on the extreme end of the price spectrum, and it could be that the actor is trying to spin up some media attention in order to better extort potential victims or drive future sales — if he is indeed sitting on many more databases to sell.

More typical of the type of healthcare-related information found for sale on the dark web is counterfeit documents and other identity information that can be used for different types of fraudulent purposes, including but not limited to medical. Although this information does not sell for hundreds of thousands of dollars and make national headlines, it is much more prevalent.

For example, fraudulent medical cards from around the world are available for approximately a few hundred dollars.

In the posting below, a vendor is selling a Quebec Medicare card template for $700. “Why is it so good?” the vendor asks rhetorically. “Because it has the latest security features, and is a valid photo ID. Most places will trust the Medicare [card] before they trust the DL [driver’s license] because almost no one makes them.”

Healthcare_Card2_cropped — The vendor is also selling driver’s license templates, but fraudulent Medicare cards are an easier option for the buyer, he wrote. With this card, all the buyer needs is a hologram overlay (which he conveniently also sells) and an embosser.

Likewise, non state-sponsored health cards are available. The listing below, from a now-defunct dark web marketplace, is selling a U.S. health insurance card for $40.

Why? “These are to provide proof that you have health insurance in the United States,” the seller wrote, adding that an insurance card like the one provided is an excellent way to round out a fake identity. “If a fake ID is questioned, this can be pulled out to back it up and eliminate any question. [It] may save you. In addition it may be used as a secondary form of ID to open up a PO box under a false identity.”

Insurance cards like the one for sale here have a variety of cybercriminal uses ranging from direct medical identity theft to verification purposes in order to perpetrate other forms of fraud.

Some items for sale on the dark web leverage physicians’ identities. The posting below is from a vendor who is currently selling a signed California drug prescription form from a medical group with six different doctors. “These are REAL doctors Rx Scripts, from a REAL CA medical practice,” the vendor wrote. “These are extremely hard to come by.”

The form, which includes up to three prescriptions, is selling for $75, and the vendor will even fill out the script for an extra $100 if the buyers are unsure how to do so.

Healthcare_prescriptions_cropped — “The form contains Doctors Names, DEA numbers, and CA license numbers,” the listing reads. “These are signed prescriptions you can fill out yourself for pharmaceuticals in CA, I would like to get rid of these ASAP.”

Additionally, the dark web is often associated with illegal drugs – and for good reason. Reporting on dark web markets such as Silk Road tends to focus on hard drugs; however, prescription drugs are readily available. They can be purchased from a variety of sellers on nearly every dark web marketplace.

Healthcare_drugs — This vendor is selling a wide wide range of prescription drugs in different dosages.

Utilizing Cyber Threat Intelligence

In addition to the postings from open marketplaces shown above, there is information to be gained from the private cybercriminal forums and markets on the dark web. As more researchers and law enforcement turn to the dark web for intelligence gathering purposes, cybercriminals have begun to take more precautions. Some markets require a referral to gain access. Some require a user fee. This chatter, both the public postings and more restrictive groups, can provide important insight into the most active cyber threats facing your organization.

For example, SurfWatch Labs has previously observed certain forum members requesting health insurance records from specific companies – presumably to assist in perpetrating insurance fraud as one actor was specifically looking for “high cost treatments.” Knowing which actors are targeting an organization, what those actors are looking for, and other chatter around potential cyber threats can be invaluable when it comes to planning, budgeting and implementing a company’s cyber risk management strategy.

This type of dark web threat intelligence provides direct insight into the malicious actors that target healthcare organizations, and it goes beyond the big ticket items that generate news headlines and spark a national conversation. Those stories are important, but in many ways the dark web shines a light on a cybercrime problem that is much more insidious: death by a thousand cuts.

With so many different threats out there, knowing which threats to focus on is critical. In many ways cybersecurity is simply about effective prioritization, and to that point, cyber threat intelligence and the dark web is a vital aspect.

What Sensitive Information is on Your Organization’s Old Drives?

I heard a story yesterday about a friend’s nephew that lost his SD card from his smartphone. The SD card contained data on his games, pictures, and pretty much everything else he used his phone for. He searched everywhere for this SD card until it finally dawned on him where it was.

Turns out, the SD card was in his old smartphone that he traded to a cellular store for a newer phone. Honest mistake, right?

It was an honest mistake, but it is also a symptom of a bigger issue.

Data recycling can lead to big problems, problems that most people are unaware of. For many people that are looking to get rid of electronics, they probably go through a few basic steps to get rid of data such as a factory reset or manually erasing any data they see. However, this won’t get rid of all the data contained on the device.

In a study conducted by Blancco Technology Group, it was found that 78% of hard drives examined in the study still contained residual data that could be recovered. The study focused on 200 used hard disk drives sold on eBay and Craigslist.

What is this data? Well, let’s start with photos (with locations indicators), personal information, Social Security numbers and other financial information.

Perhaps more alarming, about 11% of studied devices contained company information such as emails, sales projections, product inventories and CRM records.

Unfortunately for organizations, this is another way neglectful actions on the part of human beings can cause a data breach or other malicious activity. People make mistakes all the time, and these unintentional mistakes can have severe consequences.

Erasing Computers, Tablets and Phones

Going through all your devices and making sure they are clear of any data can be a chore (especially if technology is not your thing). There is good news: the Internet is full of information that can help you solve this problem.

Obviously, there are different devices that hold your data and the steps taken to get rid of that data will be different. Below are some helpful links that can guide you through erasing all the data from a device:

USA Today: 3 simple ways to delete your data for good: This article from USA Today talks about steps you can take on Windows computers to delete data from the hard drive. The latest version of Windows covered in the article is Windows 8. It does offer information for Windows 7 OS and below.
BT: Selling your computer? How to wipe your PC with Windows 10: This article from BT shows you how to erase data from a hard drive with a Windows 10 OS. It will also show you how to reinstall Windows 10 for when and if you decide to sell the device or give it to a friend or relative.
ZDNet: Securely wiping an Android smartphone or tablet: Android devices are the most popular on the market, so this article covers the data erasure issue for many people with an Android OS smartphone or tablet.
Apple: What to do before selling or giving away your iPhone, iPad, or iPad touch: This is a page from Apple support detailing what a user must do in order to erase their data.
Apple: What to do before selling or giving away your Mac: This is the data erasure process for Mac computers.

As the Blancco Technology Group noted, many organizations struggle when it comes to securing the data on old drives.

“One of the more troublesome challenges is related to wiping the data from them when employees leave the company, the drives hit their end of life or the data itself needs to be removed to comply with IT policies and security regulations,” the report read.

Ensure your organization has a clear policy in place so that — unlike my friend’s nephew — you’re not scrambling later and trying to figure out the source of sensitive information being compromised.

How Threat Intelligence is Used in the Real World – Customer Interview

I recently had the pleasure of sitting down with Larry Larsen, Director of Cyber Security at Apple Federal Credit Union, to learn about the cybersecurity challenges they face and how threat intelligence fits into their overall approach to risk mitigation.

Larry explained that his primary objective is two-fold: to protect member information and assets, and to protect Apple FCU’s organizational information. With increasing complexity around cyber, he discussed with me the need for threat intelligence to become more apparent. Beyond just blocking threats, he wants to understand what attackers are trying to do so he can prepare as best as possible. And while there are many sources of open source threat information, intelligence takes it a step further by correlating patterns of behavior that the cybersecurity team at Apple Federal Credit Union uses to guide their efforts and anticipate threats before they occur.

When it came to discussing how they use the intel from SurfWatch Labs, Larry said that it has “led to direct changes in Apple FCU’s infrastructure due to emerging threats we would not have known about as quickly if we did not have that pattern analysis and comprehensive picture.”

In this 5 minute clip, you can learn about how strategic and operational threat intelligence are used throughout the organization – beyond just the cyber team – to prepare for impending threats and reduce risk.

The “IT Middle Class” and the Growing Skills Gap

One of the cyber challenges that has long faced organizations is the IT skills gap, and as cybercriminals have widened their focus and moved down the food chain to target more small and medium-sized businesses, that problem has become more pronounced. This is particularly true for what Confer founder and VP of products Paul Morville describes as the “IT middle class.”

“You’ve seen this massive acceleration in terms of people who need to worry about security, people who have to acquire talent in that area,” said Morville, who was a guest on this week’s Cyber Chat podcast. “It’s only getting harder.”

That “democratization” of who is being targeted is the biggest driver behind the often-reported skills gap, Morville said. More businesses than ever are in need of security professionals, and there’s just not enough talent to go around.

The Growing IT Middle Class

The numbers back up those assertions. According to a 2015 analysis of Bureau of Labor Statistics numbers, the demand for IT security professionals is expected grow by 53 percent through 2018, and a 2016 ISACA report found that 62 percent of those surveyed stated their organizations have too few information security professionals.

In addition, the ISACA report noted:

Finding talent can take a long time: More than half of organizations require at least three months to fill open cybersecurity positions, and nine percent could not fill the positions at all.
Most applicants do not have adequate skills: Fifty-nine percent of respondents said that less than half of cybersecurity candidates were considered “qualified upon hire,” up from 50 percent a year prior.
Security confidence is down: Only 75 percent of respondents reported that they were comfortable with their security teams’ ability to detect and respond to incidents, down from 87 percent a year prior.

In many ways the problem of the cybersecurity skills gap is defined by this growing IT middle class, as Morville noted:

Currently, the largest organizations — such as mega-banks and the military — have the resources to excel at IT security. … Just one tier down from this elite group, it’s a different story. … Under these circumstances, security teams are forced to rely on security tools that are outdated, siloed and inefficient. These tools allow too many attacks to get through, are often disruptive to users, and offer no post-incident value.

Organizations at the top of their industries devote a lot of resources and manpower towards security, but that drops off “really fast” when you start moving down market, Morville said.

Addressing the Gap

Finding the right candidate can be challenging because — as others have said — security professionals often have to be a chameleon and wear many different hats.

“When you look at a security person, they’re part engineer, they’re part researcher, they’re part operational in nature, they’re partly a police officer,” Morville said. “You can’t go to a university right now and study that. There’s very few programs that are specialized in this area.”

He added, “I think the more we can do in terms of feeding more people with this skill set into the funnel, the better off we’ll be.”

But finding people to stop the bad guys is only half the equation, Morville said. The other half is doing so in a way that frees up resources. That’s where security tools need to improve to make sure they’re helping organizations become more efficient.

“I put a lot of burden back on the security vendor community in terms trying to create products that, as I said, become more of a force multiplier.”

As SurfWatch Labs chief security strategist Adam Meyer wrote, there is a huge difference between being actionable and being practical, and tools and intelligence need to be more practical. This means security tools should help free employees from low-level tasks so that the employees organizations do have can better utilize their time, Morville said.

“Everybody is just always looking for new security people — people to add to the team. It’s hard to find people, and it’s hard to train people, and it’s hard to retain people.”

For more, listen to the full conversation with Confer’s Paul Morville about the skills gap, how it’s affecting the IT middle class, and what security vendors, businesses and others can do to help address the problem.

Podcast: Hackers Get Political, Massive Cryptocurrency Theft and Password Woes Continue

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 74: Hackers Get Political, Massive Cryptocurrency Theft and Password Woes Continue:

Cybercrime and politics crossed paths yet again as a data breach at the Clinton Foundation was revealed as part of a wide-reaching campaign. A massive cryptocurrency theft led to tens of millions of dollars in potential losses for The DAO. Acer is notifying users of a breach at the company’s e-commerce site. And banks continue to be targeted with DDoS attacks. A variety of companies are also reporting secondary breaches stemming from the breaches at LinkedIn and others, keeping the issue of password reuse in the spotlight. Researchers highlighted a variety of malware this week including PunkeyPOS, DED Cryptor, RAA ransomware, Magnit and GozNym. The FBI released updated stats on business email compromise scams, and surprise, it’s only getting worse. Legal news includes financial institutions filing a lawsuit against Wendy’s, Home Depot filing an antitrust lawsuit against Visa and MasterCard over chip-and-signature issues, the SEC warning of a man hacking accounts to make unauthorized trades, and a $950,000 privacy settlement with the FTC. Also, some people are not too happy about a Game of Thrones spoiler service.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

BEC Scams Continue to Plague Businesses

In a year where ransomware is receiving massive amounts of attention, there is another threat that continues to grow – Business Email Compromise (BEC) scams. The FBI has issued two warnings about this threat in 2016. The first warning was bad enough, with the FBI estimating BEC scams have accounted for about $2.3 billion is losses from 17,642 victims. Unfortunately, the latest warning has increased these figures.

The FBI is now saying that money lost from BEC scams is over $3 billion dollars, with more than 22,000 victims falling prey to this attack.

“The BEC scam continues to grow, evolve, and target businesses of all sizes,” the FBI warning read. “Since January 2015, there has been a 1,300% increase in identified exposed losses.”

The warning went on to say that victims of BEC scams have appeared in all 50 U.S. states as well as 100 countries throughout the world. Another noteworthy piece of information is where the money lost in these scams is ending up.

“Reports indicate that fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong,” the alert read.

In most cases, a BEC scam attempts to portray an email or request as being urgent, placing pressure on the recipient to act fast without asking questions. The email is often sent from a legitimate looking source — such as a high-ranking company official or a bank that works with the company — which further eliminates questions from the recipient.

Money is the ultimate goal of a BEC scam. Many cases involve attempting to create a scenario where a money transfer takes place. The 2015 tax season demonstrated a new method for BEC scams — W-2 data theft.

Tax fraud was abundant in 2015. In many of these documented events, a BEC scam was used to compromise company W-2 information.

“Fraudulent requests are sent utilizing a business executive’s compromised email,” the FBI alert stated about BEC data theft scams.

“The entity in the business organization responsible for W-2s or maintaining PII, such as the human resources department, bookkeeping, or auditing section, have frequently been identified as the targeted recipient of the fraudulent request for W-2 and/or PII. Some of these incidents are isolated and some occur prior to a fraudulent wire transfer request. Victims report they have fallen for this new BEC scenario, even if they were able to successfully identify and avoid the traditional BEC incident.”

The alert from the FBI pointed out that BEC scams aimed at obtaining data first appeared during the 2015 tax season.

Employees are the primary targets of BEC scams. It is vital that employees understand the dangers of opening attachments from unknown sources. It is equally important that employees question unusual requests — like what you would see in a BEC scam email. Make sure employees understand that it is okay to ask questions before performing job functions, especially if that job function was requested via email. Before sensitive information is accessed, put in place checkpoints to make sure this information is only being shared with authorized and legitimate personnel.

Organizations Overwhelmed, “Literally Lose Track” of Sensitive Data

Many businesses cannot keep up with the plethora of sensitive data that’s being created and shared by their organization, and as a result they may face increasingly stiffer fines as new regulations and laws are passed to protect that data.

That’s according to John Wethington, VP of Americas for Ground Labs, a security company focused on helping organizations monitor their data.

“Simply put, there’s so much data being generated every single day that these organizations — they literally lose track of it,” said Wethington on SurfWatch Labs latest Cyber Chat podcast.

“The data is constantly being moved and shifted around. It’s being put in a variety of different formats, stored in a variety of different locations,” he said. “I think the average individual doesn’t see behind the scenes and understand all the hands that touch their data for a variety of different reasons.”

Do You Know Where Your Data Is?

That lack of insight is leading to data breaches caused by both mistakes within the organization as well as external actors such as cybercriminals and hacktivists.

Although data storage and data use has shifted over the past few years — more cloud services, more sharing, more tools to extract and analyze information — cybersecurity has often lagged behind that shifting approach.

If an organization isn’t closely monitoring that sensitive information, they may be in for a rude awakening, Wethington said.

“Much like a child, you have to constantly keep an eye on them otherwise they’re going to wander off somewhere you’re not going to expect, and the same thing with the data. It’s going to wander off somewhere, you’re not going to expect it to be there, and then you’re going to find yourself in trouble.”

Evolving Regulatory Landscape

That lost data may lead to larger fines and penalties as new regulations such as the EU’s General Data Protection Regulation (GDPR) come into effect and organizations have to deal with issues such as the right to be forgotten.

The GDPR, which goes into full effect in May 2018, comes with a considerable increase in potential monetary fines for those that don’t keep personal information protected: up to 4% of firms’ total worldwide annual turnover.

The global regulatory environment is “rapidly changing” as governments try to create different ways to compel organizations to maintain data security, Wethington said. As a result, organizations are trying to understand what new regulations such as GDPR will mean for them.

He added, “It’s going to be an interesting couple of years ahead of us.”

Listen to the full conversation with Ground Labs John Wethington below:

About the Podcast
Throughout 2016 we’ve seen numerous data breaches related to businesses being unable to properly monitor and protect their data. As Ground Labs VP of Americas John Wethington put it, organizations simply cannot keep track of the growing amount of data they have. However, new regulations such as the EU’s General Data Protection Regulation come with stiff penalties for those organizations that do not protect the sensitive data they collect.

On today’s Cyber Chat we talk with Wethington about why businesses are having trouble monitoring that data, how they can improve, and what the future holds for data security.

Podcast: DNC Hacked, Espionage Makes Headlines, and Updates on CISA and Net Neutrality

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 73: DNC Hacked, Espionage Makes Headlines, and Updates on CISA and Net Neutrality:

This week’s trending cybercrime events include Wendy’s announcing its point-of-sale breach is significantly larger than previously reported, a breach at the Democratic National Committee and theft of Donald Trump opposition research, and a nearly 8-million strong breach at Japan’s top travel agency. The University of Calgary also joined the growing list of organizations that have made sizable ransomware payments, and file sharing service iMesh became the latest company to face a massive breach of user records. Advisories include more dark web dumps, a variety of espionage-related headlines, the apparent demise of the Angler Exploit Kit, and updates on malware, including ransomware targeting smart TVs. Trending legal stories include a hearing on the 6-month-old Cybersecurity Information Sharing Act, a ruling in favor of Net Neutrality, and a $1 million Morgan Stanley fine. Also, the once maligned Healthcare.gov website now ranks among the web’s most trustworthy sites.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

Cyber-Espionage Making Headlines Over Past Couple Weeks

Over the last week, at least five separate cyber-espionage-related news events have made headlines ranging from attacks against governments to company-related targets. The primary goal of cyber-espionage is to uncover company or government secrets, such as military plans, blueprints, or coveted intellectual property. SurfWatch Labs has collected CyberFacts on exactly 300 targets tied with espionage so far this year.

In 2016, central government is the top trending industry target of cyber-espionage.

Espionage Targets — *In 2016, Central Government, which includes nation-state level government organizations, is the top trending target associated with espionage.*

Several groups have appeared in SurfWatch Labs’ data concerning espionage in 2016. Group 27 – a cyber-espionage group linked with the Seven Pointed Dagger malware campaign that utilizes a remote access Trojan known as Trochilus and has ties to Asia – is the top trending espionage actor in 2016.

Espionage Actors 2016 — *Group 27 is the top trending espionage actor so far in 2016.*

Recent Espionage Activity

As mentioned above, there have been five espionage-related events that have made headlines over the last week.

North Korea Hacks South Korea

In February 2014, North Korea began targeting about 140,000 computers throughout several South Korean defense contractor firms and government agencies. The attack was discovered back in February of 2016.

Companies that were not defense contractors were also targeted, such as SK Holdings group and Korean Air Lines, but it appears no data was actually obtained. According to researchers, about 95% of the data obtained in the attack by North Korea was defense related. One of the most coveted pieces of information that was obtained were blueprints for the wings of F-15 fighter jets.

North Korea has denied any involvement concerning cyber-espionage attacks on South Korea. However, evidence obtained from these attacks have been traced back to the North Korean capital Pyongyang.

Russians Hack Network of Democratic National Committee

Two separate hacker groups with ties to the Russian government have infiltrated the network of the Democratic National Committee. The names of both groups have been lovingly named “Cozy Bear” and “Fancy Bear.”

The attacks took place at different times. Cozy Bear first infiltrated the database in the summer of 2015 and was monitoring email and chat communications, while Fancy Bear appeared last April and targeted opposition research files. The Fancy Bear group was able to obtain information held on Donald Trump. Information held on Hillary Clinton and several other GOP political action committees were also targeted.

New Sofacy Campaign Targeting U.S. Government

A Russian-linked cyber-espionage group — known as Sofacy — sent a spear-phishing email to a U.S. government official from a compromised computer belonging to another country’s Ministry of Foreign Affairs. The email had a malicious attachment that, if opened, would have loaded two DLL files on the official’s computer.

One of the files contained a Carberp malware variant of the Sofacy Trojan of which the group’s name is derived. The group has also been called Fancy Bear — which is tied to the Democratic National Committee hack — APT28, Sednit, Pawn Storm, and Strontium.

The good news in this attack is that it was full of mistakes. First of all, the RTF document attached to the email didn’t show any content, which immediately pointed to something being wrong. Also, old IP addresses and C&C server domains were used from past campaigns, which was another flag that this email was malicious.

Mofang Chinese APT Group

The Mofang Chinese APT cyber-espionage group has been around since 2012. The group is identified through their ShimRat malware and is unique from other APT groups because they exclusively use social engineering tactics to target computer networks, not exploits. More specifically, the groups’ attack vector of choice is spear phishing.

The bulk of activity displayed from this group has been against the Myanmar government. The group has also been spotted targeting companies in the United States, Canada, Germany, India, and Singapore. Attacks from this group have continued throughout 2015.

Former IBM Employee Charged with Economic Espionage

On Tuesday, a former Chinese employee from the tech company IBM was charged by U.S. authorities with economic espionage for allegedly stealing source code from the company and handing it to the Chinese government.

Xu Jiaqiang, the defendant, offered the code to undercover U.S. FBI agents posing as tech company officials that were seeking software for their company. Jiaqiang was also intending to provide this source code to the Chinese National Health and Planning Commission where he was previously employed.

Jiaqiang’s indictment also brings with it three counts of economic espionage and three counts of trade secret theft. In total, he faces a maximum of 75 years in prison if convicted of all charges.

Q&A: How can Threat Intel Help Your Organization? (Part 2)

Cyber threat intelligence offers an in-depth look at the potential threats and attack vectors facing an organization. Each organization is different, and in these differences there are a variety of ways cybercriminals can exploit a company. Security tools such as firewalls and antivirus software protect against several of these threats, but they cannot protect an organization from everything. This is where cyber threat intelligence plays a crucial role.

Threat intel gives an organization the ability to identify threats, understand where any lapses in security have already occurred, and gives direction on how to proceed concerning these vulnerabilities. This is a lot of information for any organization to handle on their own, especially since the cyber landscape continues to change.

“The field is constantly growing and evolving; there is no shortage of cyber information, which means it can be very easy to get overwhelmed with it,” said Aaron Bay, chief analyst at SurfWatch Labs. “We sometimes forget to take a peek at what is going on with the rest of the world.”

Yesterday we talked with Bay about the role of the cyber threat analyst. Today we finish our conversation, and focus on how threat intelligence can help organizations.

Why does a company need to implement threat intelligence on top of their existing security?

Having security tools such as firewalls and antivirus software is critical; you have to have them. If you don’t have these tools, you are already at a disadvantage. These security tools are paramount, but the information derived from them can be overwhelming. From what I have seen, a lot of time companies will simply buy these tools, plug them in and forget about them. From a threat analyst perspective, what we do when we give companies information about threats affecting their industry is show them the known mitigation of the threat. We can only lead the horse to water; we can’t make it drink. But if we can give organizations enough pertinent information where they are asking, “Does my defense actually protect us against this?” that goes a long way.

A lot of the time companies are putting up boundaries to stop threats from getting in, but they might not necessarily know when information gets out. They may be breached, and their information could have been compromised. They could also be attacked at a point they weren’t protecting such as point-of-sale systems. A bank has credit and debit cards, and the bank itself is usually pretty well protected against direct attacks. All of that can be defeated by a skimmer on an ATM. Knowing these attack vectors and knowing this is another way cybercriminals can get to your customers’ data can really help mitigate risks. If we as threat analysts are looking for these attack vectors and alternative methods, then we can help an organizations be better prepared and protected against threats.

Cyber threat intelligence is a relatively new avenue in cybersecurity. Are companies seeing value in this?

Cyber threat intelligence is still a growing field; it is definitely still evolving — as it should be. Threats are evolving, so this field that focuses on these threats is evolving as well. I think, for the most part, everybody is doing the best job that they can. It’s hard for a business to feel like they are getting a return on their investment from IT security in general. When you get that big win, when you catch something that no one else caught, either protecting some data or helping stop something before it became a big deal, then it is easy to see the value of it. For companies, as long as everything is working, the people who make decisions about IT and their infrastructure don’t necessarily want to know what goes into keeping everything running. They just want it to work. If everything is working, it is easy to not respond and spend money on keeping everything running. In their mind, everything is working. It appears that not much has to be done to keep things running, why would they spend more money on it?

How can companies providing cyber threat intelligence improve?

If there is a way to improve our field it is really just to work together as a community to make sure companies understand the value of cyber threat intelligence. I feel like we are doing a good job, but I feel that the industry isn’t ready for the message. These companies are being attacked left and right, and it feels like all we are doing is showing up and telling them they need to be doing security better. To actually translate everything that is going on, distill it and focus it on the company specifically is really the best approach. I am glad that SurfWatch Labs is going down this road. Showing companies why they need to care about this information that is being presented to them is very valuable.

I also think that internally, for our customers, we sit between business operations and the IT department. We aren’t just supporting IT security or just enabling compliance with the various IT regulations a business must adhere to. A Cyber Threat Intel Analyst should be assisting the translation between business units — and the various IT and cyber risks they face — and helping them understand sometimes how two separate threats are actually part of a larger threat against the company. I believe that is when we can really show our value.

For example, let’s say an attacker breaks into a company and steals credentials to the gaming platform that is hosted by that business. The network defense team should detect that and stop it. If a new attack is being used that has never been detected before and no signatures have been created for it yet, it’s possible the attack may go unnoticed. Soon after this undetected attack, separately, your cyber threat intel analyst discovers that someone dumped some credentials to your game on the dark web or is selling them. If that credential dump is only passed on to a third group such as customer service in order to reset accounts, but the network defense team isn’t made aware, then the source of the leak may not be plugged. Or if the developers are not notified, and the vulnerability came from a bug in the software that the company created, then again the problem will still be there.

What are some of the achievements cyber threat intelligence has accomplished. Is it changing the game?

It is changing the game for sure. Some of the big wins cyber threat intelligence has gotten comes from exposing malicious activity in general. When you can find those hidden gems and expose what is going on those are the big wins. Seeing the new carding efforts and all the things that are going into combating organized crime is very rewarding. The big ones are of course things like uncovering STUXNET, and all of the pieces that went along with that. The Mandiant APT1 report I think spawned a whole new movement with regards to CTI, some good some bad, but it got a lot of people to sit up and take notice, and that’s really what we want.

Final thoughts?

We talked about how new the field of cyber threat intelligence is, but that is also exciting. Being in a field with all of this different stuff going on makes cyber threat intelligence a very exciting field to be a part of and stay focused on. I look forward to the future.