Q&A: What Does a Cyber Threat Intelligence Analyst Do? (Part 1)

As cybercrime continues to grow and evolve at a rapid pace, organizations face difficult decisions about how to address it. Deploying security tools is a crucial part of the answer, but it brings with it the herculean task of processing massive amounts of data in order to keep up with the attackers.

To produce the most up-to-date and accurate cyber threat intelligence, SurfWatch Labs employs talented analysts focused on threat intelligence. These threat analysts are the backbone of the new and developing field of cyber threat intel, providing organizations with value that goes well beyond identifying threats.

“Being a threat analyst often requires being a chameleon or wearing many hats,” said Aaron Bay, chief analyst at SurfWatch Labs. “You need to be able to understand the technical side of security, navigate among the various hacker and cybercrime forums on the dark web, understand business risk, and then distill all of that information into valuable intelligence that can be easily understood by business executives. It’s not an easy role, but it is one that is becoming increasingly important to organizations.”

We spoke with Bay to get some insight about the role of a threat analyst and how cyber threat intelligence can benefit organizations.

Tell us a little bit about being a threat intelligence analyst.

Being a threat analyst feels a little bit like a cross between a weatherman, an interpreter and someone trying to find a needle in a haystack. It’s not just about knowing the latest attacks and staying up on the latest jargon. There is a lot of translation that has to take place to get that information to the decision makers in such a way that they can actually make a decision based on it. So being able to speak “cyber” but also being able to translate that to someone who is not a cyber person takes some work as well. Powerful Google-fu is also helpful in this position; even though Google is not the only source, knowing how to find data using it and other tools is invaluable.

Describe your typical day.

Aaron Bay, Chief Analyst at SurfWatch Labs

My typical day is probably a little bit different than most cyber threat intel analysts. Because SurfWatch Labs focuses on the bigger picture, we aren’t typically gathering the latest signatures from the latest malware or putting together Snort rules for all the new bad stuff that’s been detected by various sensors or honeypots.

I spend a lot of time reading blogs, Twitter, various forums and general Web searching. To support SurfWatch Labs’ customers, a lot of my focus is on them: what they’ve said is most important to them, things they want to stay aware of, constantly looking for information that may be of interest to them in general, keeping track of that and reporting it to them, and then getting their feedback on what we’ve told them to tailor our internal processes so that we constantly evolve and stay current with their needs, as well as stay current with the threats out there.

Is being a cyber threat intel analyst mostly about IT security?

Firstly, I think the term IT Security is becoming archaic. When it is used, the person who hears it or uses it has a preconceived notion about what IT Security is. Computers and routers and switches and firewalls and all things traditionally associated with IT security come to mind. But our businesses and our personal lives have become so connected and dependent on technology, that just calling it “IT” seems to leave out things that should be included, but aren’t. I have to say that I am not a fan of the term “cyber” or “cybersecurity,” but I can understand the reason for having a new term that’s a little more ambiguous.

Credit cards used to just be numbers printed on plastic read by zip-zap machines until magnetic strips were created and used to save information in a way that could be read by a computer and transmitted via telephone back to your bank. Forty years later, those are being replaced by sophisticated memory cards that keep your information encrypted. Do you consider your credit card to be IT? You should. Credit card fraud has been around as long as credit cards, and the more IT we throw at the problem, the more it becomes an IT security problem. I know that banks and organizations like Visa consider this an IT security issue, but most people still do not, I would assume. And that’s just one example.

For a Cyber Threat Intel Analyst to do their job correctly, they need to understand that it really is about IT security, but the scope is usually bigger than most people realize. The analyst needs to be aware of that, but they need to help their employer or customer understand that as well.

What is one of the biggest things to understand about cyber risk?

Typically, cyber threats enter an organization by way of something every user touches: browsing the web, reading their email, opening files, etc. Traditional IT security has been tasked with solving that. But that’s not the only way cyber threats can harm an organization. As soon as you do business with another organization, the scope of your risk increases. You have to send and receive information from them, send and receive money from them. This information is at risk if one organization protects it less than the other. If pieces of the business are outsourced, whatever that is, it’s now at risk to however that third party protects its business or its infrastructure.

Some of this even just comes in the form of what software a business chooses to use for its customer portal, where customers can post questions or the business otherwise interacts with its customers. Any vulnerabilities in that software or where that software is hosted translate to risk to the primary organization. Again, none of this is meant as a reason not to function this way, only as a way to say that these risks need to be understood and monitored. As new threats or attacks or vulnerabilities are discovered, an organization needs to be made aware of them so action can be taken to mitigate or remove them.

What are some cybersecurity trends you are seeing as a threat analyst that are concerning?

The biggest trend I am really starting to see is the continuation of cybercriminals using cyber means to make money. They steal credit card numbers and people’s personal identities, and the profits from these crimes and the frequency of attacks continue to grow. Ransomware is now growing. It’s not growing because people think it is funny to do. It’s growing because people are making a lot of money off of these attacks. In these attacks, cybercriminals don’t care about obtaining information from your computer. All they care about is getting you to pay them money to get back your information. This is a scary trend, because it is really working.

Denial-of-service is still going on; people will pay to conduct denial-of-service attacks or pay ransoms to have these attacks stopped. It will be interesting to see what attack shows up next in an effort to make money.

To encapsulate that trend, it is becoming a lot more organized. In years past, the traditional “organized crime” groups were the only ones really making money off of cyber attempts. Today, however, all parts of cybercrime are becoming more accessible, and as it becomes easier a lot more people are going to be doing it.

Along that vein, attacks that produce the most results are of course going to trend. Ransomware as I mentioned, but a lot of businesses are getting better at detecting and eliminating threats … but don’t quite understand or monitor threats coming from their third-party suppliers, so attacks will start to come from that angle.

What is your biggest fear as a threat analyst?

My biggest fear is people not taking this information seriously or people not thinking it is useful information. I am fearful that people view this information as no big deal, viewing it as just another report and moving on. I hope that companies feel this information is useful, and it is taken seriously instead of thinking they don’t need the information anymore. Some of that could be that an organization doesn’t quite have a mature enough cybersecurity program so it can’t properly digest and protect against what an analyst may be telling them. The failure of the analyst to correctly translate risks and threats and trends into something meaningful could also contribute to the message being lost.

In the next post, Aaron shares his thoughts about how cyber threat intelligence can help your organization.

Despite Drop In Frequency, PoS Data Breaches are Still a Threat

In 2014, point-of-sale (PoS) data breaches against mainstream retail stores like Target and the Home Depot were primary talking points in cybersecurity. In 2016, PoS data breaches haven’t garnered as much attention, with threats like ransomware and more sophisticated phishing attacks taking up the mantle of the leading concerns in cybersecurity.

Over the last two years, the amount of chatter around PoS breaches has dropped dramatically.

Point of sale chatter
The chart above shows all PoS-related CyberFacts from June 2014 – May 2016. Outside of a rise in CyberFacts starting in October 2015, the amount of chatter concerning PoS breaches has remained low.

PoS breaches still occur, but the frequency of attacks, as well as the targets, have changed. In 2014, department stores were impacted the most by PoS data breaches. Since that time, cybercriminals have turned their attention towards hotels, restaurants and bars. In many instances, a hotel had an associated restaurant or bar’s payment system compromised. The payment card breach against Starwood properties is one example of this activity.

POS chatter by group
Cybercriminals have shifted to new targets with regards to PoS breaches. While Department Stores were the top trending target in 2014, cybercriminals have since shifted their efforts to breaching PoS systems at Hotels, Motels and Cruise Lines.

New EMV Standards Having an Impact on PoS Cybercrime

Back in October 2015, the EMV liability shift took effect in the United States: the card networks moved liability for counterfeit-card fraud onto whichever party in a transaction, merchant or issuer, had not adopted chip technology. Many big retail stores have adopted the technology, which has helped reduce the number of payment card attacks against them.

There have been well-documented problems so far with EMV, from customers not having chip-enabled cards to retailers letting customers swipe their card rather than requiring the chip. (Most U.S. issuers also deployed chip-and-signature rather than true Chip-and-PIN, which verifies the cardholder as well as the card.) Perhaps the biggest problem with the EMV shift is the number of retailers that simply do not offer customers payment terminals that accept the new chip cards.

Despite the problems, EMV has positively impacted PoS cybercrime. However, due to the increased security, cybercriminals are turning their attention to other, more lucrative attack vectors. In 2016, phishing and ransomware attacks have both trended highly.

Latest PoS Data Breaches and Malware

However, cybercriminals haven’t completely turned away from attacking payment terminals. To date, SurfWatch Labs has collected information on 23 industry targets related to PoS data breaches.

In what is probably the most recent of those breaches, security researcher Brian Krebs has reported fraudulent activity involving the Texas-based restaurant chain CiCi’s Pizza. In this event, a cybercriminal posed as a “technical support specialist” for the company’s PoS provider, and the access granted on that pretext exposed payment card data. This social engineering technique is one way cybercriminals can circumvent EMV, because the chip protects the card transaction, not the terminal, the PoS host or the network they sit on (assuming CiCi’s Pizza utilized chip-capable payment terminals at all).

The old-fashioned malware attack vector is still being utilized as well to conduct attacks on PoS systems. New variants are still being created and continue to evolve. Some of the latest PoS malware families to make headlines include:

  • TreasureHunt PoS
  • AbaddonPOS
  • Multigrain
  • FighterPOS
  • FastPOS
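PoS malware families like the ones listed above typically work by scraping the memory of the payment application for card track data, which is recognisable by its framing characters and a Luhn-valid account number. The same pattern matching, run by a defender over a process memory dump or a file share, is a cheap way to find where cardholder data is lingering in cleartext. The following is an added example, not code from the original post or from any of the malware families named; the memory buffer is constructed, the account numbers are the standard Visa and Mastercard test numbers, and the function names are the author's own.

```python
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})\d{3}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d{3}\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; filters random digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the BIN and last four so findings can be reported without re-exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes):
    """Return (offset, track_number, masked_pan, expiry) for every Luhn-valid track record in buf."""
    findings = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append((m.start(), 1, mask(pan), m.group(3).decode()))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append((m.start(), 2, mask(pan), m.group(2).decode()))
    return sorted(findings)


# Constructed stand-in for a slice of payment-application process memory.
SAMPLE = (
    b"\x00\x00POSAPP.EXE heartbeat\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000?\x00"   # track 1, Luhn-valid test PAN
    b";5555555555554444=2512101123456789?\x00"              # track 2, Luhn-valid test PAN
    b";4111111111111112=2512101123456789?\x00"              # track 2 framing but fails Luhn: noise
    b"order_id=4111111111111111 total=12.50"                 # bare digits without track framing: ignored
)

if __name__ == "__main__":
    for offset, track, pan, expiry in scan_buffer(SAMPLE):
        print(f"offset {offset:6d}  track {track}  PAN {pan}  exp {expiry}")
```

Run against a real dump the scanner will also surface test cards and PAN-shaped noise, which is why the Luhn check and the framing characters matter; a production sweep would additionally look for unframed PANs (the last line of the sample) at the cost of many more false positives.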

With EMV implementation taking place at new retail locations daily, the number of PoS-related data breaches is bound to decrease. Protecting customers at the point of physical payment is paramount to retail operations, but organizations can do more. Social engineering and phishing attempts are among the biggest threats facing organizations today, and chip cards won’t protect against them. Deploying technical controls like firewalls and segmentation of the PoS network is obviously important, but educating employees about phishing and social engineering tactics is arguably just as important a cybersecurity strategy.

Top 5 Items for Sale on the Dark Web, and What Businesses Can Learn From Them

In April 2016, the dark web market Nucleus went offline. Before its disappearance, Nucleus had become the number two most popular market on the dark web, hosting tens of thousands of listings for a variety of illicit goods and services. The debate continues around why Nucleus vanished; however, it was just one of the many different markets where users could go to anonymously purchase credentials to customer accounts, stolen payment card data, pirated software, counterfeit currency and goods, malware, hacking services and more.

Screenshot of Nucleus Market before it went offline in May.

Monitoring these markets can be quite useful to businesses and threat researchers. Their listings can be leveraged for valuable cyber threat intelligence, including the kind of data being bought and sold by cybercriminals, the tools and services that are commonly used, and the vulnerabilities that are being actively exploited. Most importantly, the dark web provides much-needed context. With the huge number of threats out there, some legitimate and some not, where should organizations focus their resources? Threat intelligence from the dark web can help provide that insight. With that in mind, here are five of the most common items for sale on the dark web, and how that information can help organizations combat cybercrime, according to SurfWatch Labs data.

1. Stolen Credentials

Although a wide variety of cybercrime-related items are for sale on the dark web, stolen credentials are among the most prevalent. When looking at the most popular dark web market in 2016, credentials trade accounts for nearly a quarter of the data collected by SurfWatch Labs. Cybercriminals initially get this information by using phishing messages, malicious applications, and other methods to get malware such as keyloggers installed on victims’ devices, or by dumping the user databases of breached websites. These stolen usernames and passwords often end up for sale on the dark web, where other malicious actors then use them for a variety of purposes. Although online banking accounts are a natural target, other types of credentials readily available for purchase include employee and personal email accounts, social media accounts, eBay and PayPal accounts, and other popular services such as Netflix, Uber, and more.

How this can help your organization: With the huge number of data breaches and stolen credentials out there, it is likely that some employees have had their usernames and passwords compromised, and in many instances those include work-related email addresses. Monitoring the dark web for stolen credentials related to your brand and your employees can allow you to educate users, prevent fraudulent logins and stop a future attack from spreading.
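What monitoring a credential dump for your own domains looks like in practice, as an added example that is not part of the original post: the combo list, the company domains (`example.com` and `corp.example.com`) and the directory of PBKDF2 password hashes are all constructed stand-ins, and the function names are the author's. The point a practitioner needs is the triage at the end: a leaked plaintext can be tested against the directory's salted hash to decide whether a forced reset is needed, whereas a leaked foreign hash cannot be compared to your own store and can only trigger a notification.

```python
import hashlib
import hmac
import re

MONITORED_DOMAINS = {"example.com", "corp.example.com"}   # assumed company domains

# Constructed excerpt of a combo list as traded on markets: "email:password" or "email:hash".
LEAK_SAMPLE = """\
alice@example.com:Winter2016!
bob@corp.example.com:5f4dcc3b5aa765d89ba7b8f0af3a5b0b
Carol@Example.com:correct horse battery staple
dave@othercorp.test:hunter2
malformed line without separator
"""

# Hex strings of MD5, SHA-1 or SHA-256 length: a hash from some other site, not a password.
HEX_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)


def parse_leak(text):
    """Yield (email, secret) pairs from a combo list, skipping lines that don't parse."""
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, secret = line.split(":", 1)
        email = email.strip().lower()          # normalise so Carol@Example.com matches the directory
        if "@" in email and secret:
            yield email, secret


def our_accounts(entries):
    """Keep only entries whose mail domain is one we are responsible for."""
    return [(e, s) for e, s in entries if e.rsplit("@", 1)[1] in MONITORED_DOMAINS]


# Stand-in for the corporate password store: PBKDF2-HMAC-SHA256 with a per-user salt.
def _store(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


SALTS = {
    "alice@example.com": b"salt-alice-0001",
    "bob@corp.example.com": b"salt-bob-0002",
    "carol@example.com": b"salt-carol-0003",
}
DIRECTORY = {
    "alice@example.com": _store("Winter2016!", SALTS["alice@example.com"]),   # still using the leaked password
    "bob@corp.example.com": _store("Tr0ub4dor&3", SALTS["bob@corp.example.com"]),
    "carol@example.com": _store("different-now", SALTS["carol@example.com"]),  # already changed
}


def password_in_use(email: str, candidate: str) -> bool:
    """Constant-time check of a leaked plaintext against the user's stored PBKDF2 hash."""
    stored = DIRECTORY.get(email)
    if stored is None:
        return False
    return hmac.compare_digest(_store(candidate, SALTS[email]), stored)


def triage(text):
    """Map each leaked account of ours to an action: force-reset, notify-hash-only, notify-stale or unknown-account."""
    actions = {}
    for email, secret in our_accounts(parse_leak(text)):
        if email not in DIRECTORY:
            actions[email] = "unknown-account"    # former employee or typo; still worth a look
        elif HEX_HASH_RE.match(secret):
            actions[email] = "notify-hash-only"   # foreign hash cannot be compared to our PBKDF2 store
        elif password_in_use(email, secret):
            actions[email] = "force-reset"        # the leaked password still opens a corporate account
        else:
            actions[email] = "notify-stale"       # leaked, but no longer the corporate password
    return actions


if __name__ == "__main__":
    for account, action in triage(LEAK_SAMPLE).items():
        print(f"{account:28s} {action}")
```

The leaked plaintexts are hashed and compared, never stored; the dump itself should be handled as sensitive data and discarded once the actions are recorded.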

2. Fraud and Stolen Identities

When a point-of-sale data breach occurs, that stolen payment card information often ends up for sale on various dark web markets. Cybercriminals act very quickly to monetize those accounts. The longer a stolen card is on the market, the less valuable it becomes, because it is more likely to have been tied to a data breach, theft or other fraud and cancelled by the bank or cardholder. Other items for sale related to fraud include counterfeit documents such as passports and driver’s licenses as well as personal information needed to open lines of credit such as Social Security numbers, dates of birth and other identifiers. Like traditional crime, cybercrime is largely driven by money, and fraud and stolen identities have traditionally been the go-to methods for turning a quick profit. However, it is not just the occasional thug perpetrating these acts. It is often professional cybercrime rings run by gangs in other countries that have been perfecting their techniques for years.

How this can help your organization: Many point-of-sale data breaches aren’t discovered until the stolen payment card information shows up for sale or fraudulent charges begin occurring on enough cards to pinpoint a source of the compromise. By finding the stolen information sooner rather than later, retailers and financial institutions can shorten the shelf life of stolen cards and reduce potential losses.
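The way issuers "pinpoint a source of the compromise" from a handful of fraudulent cards is common point of purchase (CPP) analysis: pull the recent transaction history of every card reported for fraud, or spotted in a dark web dump, and look for the merchant that is over-represented on those cards compared with the card base as a whole. The following is an added example, not part of the original post; the transaction log, card identifiers and merchant names are constructed, and it deliberately includes a large merchant that nearly every card visits so the base-rate correction is visible.

```python
from collections import Counter, defaultdict

# Constructed issuer transaction log: (card_id, merchant, date). Real data would be millions of rows.
TRANSACTIONS = [
    ("c1", "BigBox Mart", "2016-03-02"), ("c1", "Harbor Hotel Grill", "2016-03-05"), ("c1", "Gas-N-Go", "2016-03-07"),
    ("c2", "Harbor Hotel Grill", "2016-03-04"), ("c2", "BigBox Mart", "2016-03-09"),
    ("c3", "Harbor Hotel Grill", "2016-03-06"), ("c3", "Corner Cafe", "2016-03-08"),
    ("c4", "BigBox Mart", "2016-03-01"), ("c4", "Gas-N-Go", "2016-03-03"),
    ("c5", "BigBox Mart", "2016-03-02"), ("c5", "Corner Cafe", "2016-03-10"),
    ("c6", "Harbor Hotel Grill", "2016-03-11"), ("c6", "BigBox Mart", "2016-03-12"),
    ("c7", "BigBox Mart", "2016-03-03"),
    ("c8", "Gas-N-Go", "2016-03-04"), ("c8", "BigBox Mart", "2016-03-06"),
]

# Cards later reported for fraud, or found in a dump offered for sale.
FRAUD_CARDS = {"c1", "c2", "c3", "c6"}


def merchants_by_card(txns):
    """Set of merchants each card was used at during the window (a card counts once per merchant)."""
    by_card = defaultdict(set)
    for card, merchant, _date in txns:
        by_card[card].add(merchant)
    return by_card


def common_point_of_purchase(txns, fraud_cards, min_fraud_cards=3):
    """Rank merchants by lift: share of fraud cards seen there divided by share of all cards seen there.

    Returns a list of (merchant, fraud_card_count, lift), highest lift first. A lift near 1.0 means
    the merchant is simply popular; a lift well above 1.0 is the compromise candidate.
    """
    by_card = merchants_by_card(txns)
    fraud_hits = Counter()
    all_hits = Counter()
    for card, merchants in by_card.items():
        for merchant in merchants:
            all_hits[merchant] += 1
            if card in fraud_cards:
                fraud_hits[merchant] += 1

    n_fraud = sum(1 for card in by_card if card in fraud_cards)
    n_all = len(by_card)
    ranked = []
    for merchant, f in fraud_hits.items():
        if f < min_fraud_cards:              # too few cards to draw a conclusion from
            continue
        fraud_rate = f / n_fraud             # share of fraud cards that shopped here
        base_rate = all_hits[merchant] / n_all   # share of all cards that shopped here
        ranked.append((merchant, f, round(fraud_rate / base_rate, 2)))
    ranked.sort(key=lambda r: (-r[2], -r[1]))
    return ranked


if __name__ == "__main__":
    for merchant, count, lift in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS):
        print(f"{merchant:20s} fraud cards={count}  lift={lift}")
```

On the constructed data every fraud card ate at the hotel grill (lift 2.0) while the big-box store, although present on three of the four fraud cards, is no more common among them than among customers generally (lift below 1.0). The threshold and the time window are the two parameters an analyst tunes; without a base rate, the largest merchant in the portfolio would top every list.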

3. Intellectual Property

Media piracy is a popular practice on the dark web. Stolen ebooks, music, movies and other forms of entertainment are sold at a fraction of the cost — with none of the profits going to the creators. In addition to piracy, even more damaging forms of intellectual property are bought and sold on the dark web. This may include source code, stolen customer lists, trade secrets and other sensitive data stolen from organizations. A report by the Commission on the Theft of Intellectual Property stated that stolen intellectual property costs the United States as much as $300 billion each year, and the Center for Responsible Enterprise and Trade estimates trade secret theft costs between one and three percent of the GDP of advanced economies. Not all of that is sold on the dark web — much of it is nation-state espionage — however, of all the items for sale on the dark web, intellectual property tends to be the most impactful and have the most long-term consequences for organizations.

How this can help your organization: Finding intellectual property such as source code for sale on the internet is a significant cause for concern. Unlike payment card information, which can be stolen from a variety of locations, intellectual property for sale is a likely indicator of either an intruder gaining access to your own systems or an insider selling valuable information. Media piracy, which is the most common form of intellectual property for sale, can lead to a significant loss of income, particularly if that item finds its way onto popular torrent sites where users freely share stolen material.

4. Supply Chain Threats

Effective threat intelligence should include all the cyber risks facing an organization, including risk faced by third-party partners and vendors. Vendors may have their own credentials or intellectual property for sale on the dark web, or there may be relevant vulnerabilities that are being actively exploited by malicious actors. Those potential issues may move down the supply chain and impact other organizations along the way. For example, in April 2016 SurfWatch Labs threat intelligence analysts uncovered a breach of web hosting provider Invision Power Services, whose customers include professional sports leagues as well as major media and entertainment companies. A malicious actor indicated plans to infect those brands’ users with malware. Although these incidents are often not the direct fault of those companies, the fallout from customers, investors and regulators does tend to fall directly at the feet of those organizations.

How this can help your organization: Vendors and the supply chain are among the most common causes of data breaches, yet they’re often a blind spot when it comes to an organization’s cybersecurity practices. Having insight into potential issues not just within your organization but with your partners can help to give a more complete picture of your organization’s risk and help alert you to any potential issues before they make their way down the supply chain and into your business.

5. Hacking Tools and Services

In addition to stolen items, malicious actors can purchase many different types of hacking tools and services. One popular market actually began by specializing in selling zero-days and other rare exploits. For example, one user was previously selling a new way to hack Apple iCloud accounts for $17,000. Other items for sale include exploit kits, keylogging malware, phishing pages, remote access Trojans, hacking guides and more. The cybercrime tools purchased may even come with subscription services, easy-to-use interfaces, technical support and other features often associated with legitimate software. In addition, cybercrime services are for sale including distributed denial-of-service attacks, doxing and help hacking accounts. The cybercrime-as-a-service model has segmented the market so that actors can specialize in their own field, whether that is running a botnet, creating exploit kits or stealing credentials. All types of cybercrime tools and services are available — for a price.

How this can help your organization: Knowing what tools are readily available and popular can help organizations defend against common attack methods. In addition, new exploits that are put up for sale or modifications to existing tools can provide insight into how cybercriminals are evolving their attacks in order to evade detection. This context, combined with other dark web threats, can help provide the necessary threat intelligence to help effectively guide your organization’s cyber risk management strategy.


Top Dark Web Markets: With Dream Market You Can Be a Criminal Too!

Two weeks ago we talked about the disappearance of Nucleus Market and how many of its former users have moved to AlphaBay, the unquestioned leader in terms of current dark web activity.

This week we turn our attention to Dream Market, the second most popular dark web market of 2016, according to SurfWatch Labs’ threat intelligence data.

A Quick Look at Dream Market

The places where cybercriminals go to sell their illicit goods and services are constantly changing. This is due to a combination of exit scams that rip off buyers, law enforcement disrupting operations, and a healthy paranoia that may lead those running certain markets to close up shop before getting caught. Dream Market has been around since November 2013 — a significant achievement in the ever-evolving cybercriminal scene. At two-and-a-half years of age, it is the oldest existing dark web marketplace, and that longevity has helped it to establish a certain level of trust among its users.

Although most dark web markets sell a wide variety of items, certain sites tend to attract specific types of listings over others. For example, when we wrote about AlphaBay, we focused on the problem of stolen credentials, the market’s most popular practice tag, according to SurfWatch Labs’ data.

When looking at Dream Market, credentials trade is much less popular. Instead, the most popular type of listing involves crimeware.

The heat map (not reproduced here) is colored by the most popular cybercrime practice tags found on each market, with red signifying a higher percentage of listings. Interestingly, the three most popular markets this year all have a different focus: carded account trade for the now-defunct Nucleus Market, credentials trade for AlphaBay, and crimeware trade for Dream Market.

Although Dream Market’s popularity is growing, some users have reported occasional issues accessing the market since Nucleus went offline. This may be due to the influx of former Nucleus users or — as has occurred in the past — DDoS attacks from competitors trying to disrupt the user base.

Crimeware Trade and “Sophisticated” Cybercriminals

There’s a perception that cybercriminals are growing increasingly sophisticated. This is driven home by the fact that nearly every company’s PR team rolls out the “we were victims of a sophisticated cyber-attack” line after each incident. It’s true; the cybercrime-as-a-service model has allowed for advanced techniques to be more readily available to the average hacker. However, the root causes of data breaches and other cyber incidents tend to remain relatively unsophisticated.

When looking at the many listings on Dream Market related to crimeware trade, it’s clear that not everyone is a criminal mastermind performing million-dollar wire fraud or business email compromise scams. In fact, many crimeware items for sale on Dream Market and elsewhere aren’t malware like remote access Trojans or keyloggers at all, but rather basic guides on how to perform simple, low-level thefts.

For example, there’s the below vendor who’s selling a guide on how to scam a major retailer for in-store credit. This “dead serious” scam has even been used to make money to take dates out for drinks and to get a tank of gas. Your satisfaction is guaranteed!

Are you hungry? You won’t be anymore if you follow this other vendor’s advice on scamming a popular pizza chain. Get unlimited free pizza.

Or are you an aspiring fraudster looking for someone to take you under their wing? For just the low price of $2.99, you can learn how to take advantage of this company’s obvious security flaws, handy smartphone application, and no-questions-asked refund policy. The vendor even claims it’s legal!

Or maybe you’ve hit hard times and need a few bucks. No worries! This vendor has a guide that’s “perfect for those in financial instability situations.” Just purchase some of the many bank account credentials that are advertised with enticing balances, and pair those with this handy step-by-step tutorial to cash them out — no knowledge necessary.

Or maybe you hear about all these tools used to discover vulnerabilities and hack businesses, but you don’t know how to use them. There are plenty of guides for those without technical knowledge.

Of course, real malware, tools and hacking services are for sale, along with stolen credentials, pirated media, counterfeit documents and more.

Although it’s fun to look at some of the over-the-top salesmanship and scams for sale on Dream Market and others, it is important to note that those low-dollar fraudulent charges, while not enough to make news headlines, do have a significant impact on the companies they’re targeting and the individuals they’re ripping off.

Also, the fact that potential criminals can have their hands held throughout the whole process of cybercrime — from phishing to malware to cashing out funds — is a growing concern. As we wrote in SurfWatch Labs’ 2015 Year in Review, “This separation of the technical aspect of cybercrime has widened the pool of potential hackers and lessened the knowledge gap that previously separated groups of malicious actors.”

There is no need to build an exploit kit or point-of-sale malware from scratch. Simply purchase the latest tools complete with customer service and technical support. Need a phishing page or information on a company’s employees? Buy one of the many guides on social engineering. No time for that? Simply hire one of the many services to do the technical legwork for you.

The good news? All of the information and tools available to those wannabe hackers can be leveraged by organizations as well. This dark web threat intelligence can help us better understand the relevant cyber threats facing organizations, their supply chain and their customers.

Next week we’ll look at another dark web market to see what intelligence we can learn.

Podcast: Massive Myspace Hack, Cryptoworm Warnings and Breach Lawsuits Continue

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 72: Massive Myspace Hack, Cryptoworm Warnings and Breach Lawsuits Continue:

This week saw more news about password breaches as 427 million Myspace passwords and 65 million Tumblr passwords were put up for sale on the dark web. Scrum.org announced a potential data breach stemming from a vulnerability in third-party email server software. TeamViewer faced a DDoS attack and what the company claims are false accusations that it suffered a data breach. Australia’s NSW TrainLink halted its online reservation system due to a compromise. Pakistan’s Zameen real estate site was hacked and had its entire database allegedly posted online. Trending advisories include warnings of a potential cryptoworm known as ZCrypt, the dormant FrameworkPOS campaign resurfacing, and Kovter malware targeting Fortune 500 companies by escalating from low-level adware to more advanced threats. The FBI also warned of data breach victims being extorted, and a vulnerability was discovered in the popular WordPress Jetpack plugin. Legal stories include developments in the Anthem, CareFirst and Kroger breach lawsuits as well as warnings from the UK’s ICO and the largest ever arrest of Russian hackers. Finally, one apartment complex found a controversial new way to get Facebook likes.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

Intentional or Not, Insider Threats Remain a Huge Risk to Businesses

Insiders are one of the most dangerous threats all organizations face, as the players involved in these attacks usually have easy access to an organization’s resources. Take the recent $81 million heist from the Central Bank of Bangladesh: the FBI suspects that this attack was an inside job, with several people who work for the bank playing a key role in the theft. If this attack was perpetrated by insiders — such as employees at the bank or with SWIFT — it would be one of the biggest insider attacks ever conducted and would further validate the dangers of an insider threat to an organization.

However, not all insider threats have malicious intent.

One of the easiest and most harmful ways an organization is compromised through insider activity is simple human error. In April the Federal Deposit Insurance Corporation (FDIC) was the victim of a potential data breach after a former employee left the agency with a file containing personal information on 44,000 customers.

This wasn’t the first time FDIC employees have mishandled customer information. In May the FDIC’s chief information and privacy officer Lawrence Gross was called to testify before the House Science, Space and Technology Committee to discuss seven instances of employees accidentally downloading customer details as they were leaving the company.

SurfWatch Labs’ Insider Threat Data

Insider Activity 2016
The FDIC has the most CyberFacts tied to insider activity in 2016.

The motivation for insider data breaches varies, but company data tends to be the most affected, according to SurfWatch Labs’ data.

Insider Activity Tags
Data is the most sought-after target of insider threats, with employees naturally being the most common insider threat actor.

Legal Ramifications of Insider Theft

On May 27, 2016, the U.K.’s Information Commissioner’s Office (ICO) issued a warning to employees about taking client records to a new company. In the warning, the ICO referenced an incident involving a former waste disposal employee who took client information with him to a new job that was a rival company.

The information contained data on clients such as contact details and purchase history. Mark Lloyd, the former employee of Acorn Waste Management, emailed the contacts list from his previous business account to his personal account. Lloyd’s actions violated the U.K.’s Data Protection Act, leading to a guilty plea from Lloyd and costing him over £700 in fines and costs.

Steve Eckersley, the head of enforcement at ICO, provided the following warning to employees about mishandling client records:

“Employees need to be aware that documents containing personal data they have produced or worked on belong to their employer and are not theirs to take with them when they leave. Don’t risk a day in court by being ignorant of the law.”

Lloyd’s actions were clearly intended to bring clients to a rival business, but they had bigger implications than simply stealing business from his previous employer. By sending these contacts to his personal email account, Lloyd compromised the information of those customers.
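The Acorn Waste Management case has a recognisable signature in outbound mail logs: a member of staff who has handed in notice sends an export-style attachment from the business account to a personal webmail address, often one that carries their own name. The following is an added example of scoring a mail log for that pattern, not part of the original post or the ICO's own guidance; the CSV log, the company domain `waste-co.example`, the leaver list and the scoring weights are all constructed by the author and would be replaced by an Exchange message trace or Postfix logs and an HR feed in practice.

```python
import csv
import io
from datetime import date

PERSONAL_WEBMAIL = {"gmail.com", "yahoo.co.uk", "hotmail.com", "outlook.com", "icloud.com"}
EXPORT_TYPES = {".csv", ".xlsx", ".xls", ".vcf", ".pst"}   # formats a contact or CRM export usually takes

# Constructed outbound mail log in CSV form (real input: message trace or MTA logs).
MAIL_LOG = """\
timestamp,sender,recipient,subject,attachment,size_bytes
2016-05-20T17:02:11,leaver@waste-co.example,leaver1984@gmail.com,contacts,clients_2016.xlsx,184320
2016-05-20T17:05:43,leaver@waste-co.example,leaver1984@gmail.com,more,contacts_export.csv,51200
2016-05-20T09:15:00,j.smith@waste-co.example,billing@customer.example,Invoice 4421,inv4421.pdf,40960
2016-05-21T12:30:09,a.jones@waste-co.example,a.jones.home@hotmail.com,lunch?,,0
2016-05-21T14:00:00,j.smith@waste-co.example,j.smith@gmail.com,holiday pics,IMG_2201.jpg,2048000
"""

# HR-provided leaver list: sender -> last working day. The weeks before departure are the risk window.
LEAVERS = {"leaver@waste-co.example": date(2016, 6, 3)}
LEAVER_WINDOW_DAYS = 30


def _local_part(address: str) -> str:
    return address.split("@", 1)[0].replace(".", "")


def score_message(row):
    """Return (score, reasons) for one log row; a score of 3 or more is worth an analyst's attention."""
    sender = row["sender"].lower()
    recipient = row["recipient"].lower()
    score, reasons = 0, []

    if recipient.rsplit("@", 1)[-1] in PERSONAL_WEBMAIL:
        score += 1
        reasons.append("personal webmail recipient")
        # Crude self-addressing heuristic: the first five characters of one local part appear in the other.
        s_local, r_local = _local_part(sender), _local_part(recipient)
        if s_local[:5] and (s_local[:5] in r_local or r_local[:5] in s_local):
            score += 1
            reasons.append("self-addressed")

    attachment = row["attachment"]
    if attachment and "." in attachment and attachment[attachment.rfind("."):].lower() in EXPORT_TYPES:
        score += 2
        reasons.append("data-export attachment")

    leave_date = LEAVERS.get(sender)
    if leave_date is not None:
        msg_date = date.fromisoformat(row["timestamp"][:10])
        if 0 <= (leave_date - msg_date).days <= LEAVER_WINDOW_DAYS:
            score += 2
            reasons.append("sender is a leaver")

    return score, reasons


def triage(log_text, threshold=3):
    """Return (timestamp, sender, score, reasons) for every row at or above the threshold."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        score, reasons = score_message(row)
        if score >= threshold:
            alerts.append((row["timestamp"], row["sender"], score, reasons))
    return alerts


if __name__ == "__main__":
    for ts, sender, score, reasons in triage(MAIL_LOG):
        print(f"{ts}  {sender:28s} score={score}  {', '.join(reasons)}")
```

Holiday photos sent home and a lunch invitation to a spouse score below the threshold on the constructed log, while the two spreadsheet exports from the departing employee score well above it. A rule like this flags a pattern for a human to review; it does not by itself establish intent, which is why the leaver list and the attachment type carry more weight than the webmail domain alone.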

Organizations face many problems protecting data, and a malicious insider could be the biggest of those threats, because employees know proprietary information and often have legitimate access to sensitive data such as customer lists. Most employees are loyal, and though the most egregious data breaches involving malicious insiders have a tremendous impact on the victimized organization, it is the everyday errors committed by these loyal employees that leave a company the most vulnerable.