WEBINAR | A Deep-Dive into 2023 Cyber Threats
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Beyond MDR
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Operational Technology
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Threat Hunting
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Threat Intelligence
Find cyber threats that have evaded your defenses.
Model Index
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
Phishing Analyzer
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
Integration Partners
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Blog
Company Blog
Case Studies
Brands of the world trust ReliaQuest to achieve their security goals.
Data Sheets
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
eBooks
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Podcasts
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
Solution Briefs
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
White Papers
The latest white papers focused on security operations strategy, technology & insight.
Videos
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
ReliaQuest ResourceCenter
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Threat Research
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
Shadow Talk
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
April 25, 2024
About ReliaQuest
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Leadership
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Careers
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
Contact Us
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
More results...
When Tolkien first sat down to write Lord of the Rings, he probably never imagined it would go on for over 1,000 pages. The same can also be said for network defenders tackling ransomware attacks. Years ago, I distinctly remember saying that ransomware would never catch on…how wrong I was. As we near the halfway point of 2021, ransomware continues to play an increasingly dominating role in the cyber threat landscape. Here at Digital Shadows (now ReliaQuest), we have produced over 800 intelligence updates on ransomware in 2021 so far. If things carry on at that rate, we’ll be at nearly 2,000 for the year. That’s at least 2,000 victims of a ransomware attack in a single year. And the actual figure will be much higher as many victims will have paid the ransom to avoid publication of their data.
One of the most significant ransomware events of 2021 was the attack on US fuel giant Colonial Pipeline, two weeks ago, by the operators of the “DarkSide” ransomware. Other notable attacks include a “Babuk” ransomware attack on the Metropolitan Police Department of Washington DC, the “Conti” ransomware attack on Ireland’s Health Service Executive, and an attack on insurance giant AXA by “Avaddon” ransomware after they stated they would be removing reimbursements for ransomware payments. I’m a great believer in the famous adage “prevention is better than cure.” So, with that in mind, I thought I’d take the opportunity to discuss how the intelligence cycle can help prepare organizations for a ransomware attack.
The intelligence cycle is a vital part of any threat intelligence capability. It is used by military and law enforcement analysts around the globe. It is the name given to the process that many analysts will follow to convert information into assessed intelligence. The intelligence cycle has its fans: It provides a straightforward method for new analysts to follow. Those more experienced analysts can also use it as a basis to build upon. It is a helpful framework that provides consistency amongst intelligence peers.
While the intelligence cycle is a good model, putting it into practice can be tricky. Decision-makers rarely give detailed intelligence requirements to an analyst. In addition to this, they will often make decisions before knowing the outcome of the tasked analysis. In a perfect world the collection and analysis phases of the cycle run in two defined parts, but in reality it is more common for them to be run in parallel. An analyst may also need to repeat the collection and analysis phases several times before moving on to the dissemination phase.
Regardless, the intelligence cycle is a good starting point that network defenders can move through to understand the risks to their business from a ransomware attack. Moving through the cycle can help assess the likelihood their organization will be targeted in a ransomware attack, identify the likely ransomware type behind the attack, and create defensive and preventative recommendations.
The first stage of the intelligence cycle is direction. You might see online that differing versions of the intelligence cycle have “planning” and “direction” separated into two sections of the cycle. For me, the term direction covers all aspects needed at this point in the cycle; receiving direction and planning how to meet that direction must be done before collection can commence.
The direction phase is when you need to define and agree on intelligence requirements. These are the questions you will be seeking to answer throughout the cycle. Intelligence requirements for a network defender wanting to know more about the threat to their business from ransomware attacks could include:
Once agreed upon, intelligence requirements should then be transferred to an intelligence collection place (ICP) which provides structure to the collection of information. It allows an analyst to identify the information or knowledge they already hold to meet the intelligence requirements. Consequently, it will also help analysts identify when they don’t already have the answer—their intelligence gaps—and plan how to fill those gaps. It’s helpful here to consider the sources of information you will likely use during the collection phase of the intelligence cycle. And if you don’t have a way to access the information you need, now’s the time to plan how you will get it. Suppose part of your ICP relies on collecting information from a third party; it is a good idea to engage with those parties early to avoid unnecessary delays. ICPs should be updated regularly to track progress and identify barriers to delivery at an early stage.
Direction, arguably, is the most crucial stage of the intelligence cycle. This stage is where you get to know how to meet your manager or client’s needs— if direction is not defined and agreed upon properly, the work you put in throughout the rest of the cycle could all be for nothing. It’s also important to agree to a delivery timeline with your client and understand what your intelligence will be used to inform. This will all help to tailor how you approach and complete the task.
The next phase of the intelligence cycle is, naturally, collection. Time to put your ICP into practice! Collection should include a wide variety of information sources. Sources can generally be divided into two; open and closed. Open source information is data or information available to the general public. In contrast, closed sources are not freely available to the public.
The most common type of open source information is that found on the internet. The surface, deep and dark web will all come under the banner of open source information, as will the information gathered by a Freedom of Information request. So while it is a plentiful collection source, it can lead to information overload. Sticking to the original intelligence requirements is vital to ensure the collection of information is refined and targeted.
Digital Shadows (now ReliaQuest)’ Threat Intelligence library is an excellent source of information on ransomware types and their operators. We regularly publish new ransomware threat profiles and ensure our existing profiles are updated promptly to include the most up-to-date information. These profiles contain information on the sectors and geographical areas most targeted by the different ransomware types. To do this, we actively track the activity on approximately 25 ransomware data leak websites (used by ransomware operators to leak the details and data of their victims who do not pay a ransom demand).
All Digital Shadows (now ReliaQuest) intelligence is aligned to MITRE ATT&CK, including the tactics and techniques of prominent ransomware types. Some of the most common MITRE ATT&CK techniques used by ransomware groups are:
We also have an excellent research paper on initial access brokers (IABs), which you can read here. IABs are a popular resource for ransomware operators when seeking to gain access to a network. These individuals sell access to victim’s networks on cybercriminal forums. From there, ransomware operators can buy and exploit that access. However, following the attack on Colonial Pipeline, forum administrators have banned any content concerning ransomware to avoid unwanted law enforcement attention. Whether that will impact the way ransomware operators gain initial access to networks remains to be seen.
To end this section, remember to ask yourself these important questions;
If the answer to these questions is yes, store that information securely for when you are ready to move onwards through the intelligence cycle.
While some argue that direction is the most critical phase of the intelligence cycle, others make a strong argument for analysis to take pole position in the importance stakes. This is the stage when analysts get to flex their analytical muscles and use their skills to transform information into intelligence.
To do this, analysts might use their intuitive judgment, but this can cause problems. Using our judgment may make any outcome less reliable as we are all susceptible to bias. Intuition shouldn’t be avoided entirely, though. Coupled with using a structured analytical technique, an analyst’s experience and intuition can be a real asset. It’s why those of us who have been around longer provide some pretty good insights every now and then.
Structured analytical techniques are good for overcoming our biases and providing consistency and transparency within analysis. For analysts needing a quick outcome, a method like SWOT can be an easy win. If you have a lot of event data, then geospatial and temporal analysis can be helpful tools. These techniques map geographic and time data, respectively, providing analysts with a visual representation of data making patterns easier to spot. For example, geospatial analysis is how the 1854 cholera outbreak in Soho, London, was narrowed down to one contaminated water pump. That water pump is still there to this day—thankfully, it doesn’t dish out water anymore.
For those with more time, you might consider using analysis of competing hypotheses (ACH) or the Cone of Plausibility (CoP).
ACH provides analysts with a platform to consider alternative hypotheses to a problem, rating the evidence for each hypothesis as they go, as either consistent or inconsistent. As analysts move through their chosen hypotheses, they can adjust their belief in a hypothesis based on the credibility of that evidence. At the end of this consideration, analysts choose the most likely hypothesis based on it being the outcome with the least inconsistency. ACH encourages critical thinking and basing decisions on the available evidence. However, the criteria for hypotheses can be inconsistent across analysts and can leave room for subjectivity.
The CoP technique provides analysts with a tool to make future predictions, which we are asked to do quite a lot. The technique involves considering different possible outcomes and comparing those outcomes.
The “Probable Future” would occur if current patterns and trends continued without intervention or unexpected influence. But the CoP does take unexpected developments into consideration – enter the “WildCard” option. These options are the outer limit of what could occur. Wildcards allow analysts to think freely and develop worst-case or even outlandish scenarios. “Preferable Future” is where analysts can consider the best case or the opportunities that exist. The cone helps analysts consider all possible options and assess, using judgment and evidence, which is most likely to occur.
I’ve used the word “likely”a lot in this section, but what does “likely” mean in an analytical context? Analysts frequently use the language of uncertainty in their analysis, which comes from a tool called the uncertainty yardstick.
Like most of the topics I’ve discussed throughout this blog, the yardstick has its positives and negatives. Similar to structured analytical techniques, the uncertainty yardstick provides analysts with a common language to use when assessing how probable an outcome is. It removes the subjectivity I referred to earlier when discussing ACH and provides a common understanding of a threat. However, the chance of an outcome being a “realistic possibility” is between 25 and 50 percent. That’s quite a big difference, really. We discuss the language of uncertainty in more detail in one of our previous blogs: Uncertainties in the language of uncertainty.
In the context of defending against a ransomware attack, how can these techniques help? After identifying which groups frequently target your operating sector, using analytical techniques could allow you to assess the likelihood of one of those groups specifically targeting your organization. Next, you could determine the likely outcome of that attack and whether data exfiltration would occur. You could also consider the risk of further attack based on the MITRE ATT&CK techniques used by that group. Some like to remain in a network for extended periods and use their access to conduct additional attacks.
At the end of your analysis, it’s a good idea to provide some recommendations to your customer. What do you think they should do with your information, based on all the options you have considered. Perhaps this will include updating the ransomware response playbook to ensure creation of multiple data back-ups and storing them separately. Or updating network defenses to protect against the new techniques ransomware operators are using. Whatever the recommendation, always back it up with analysis. That way, you will deliver a stronger position, and dealing with questions or criticism will be simple – it’s all there in the analysis.
Once the analysis is complete, the next phase of the intelligence cycle is dissemination, or in other words, delivering your findings to the customer. At this point, it’s time to consider the best format to deliver those findings and recommendations. Depending on the original task and who your customer is, would a verbal or written briefing be best? Should it be short and snappy, or long and detailed?
It is critical to ensure that all of your hard work is disseminated to your customers in the best way to suit their needs. Reports should be written using straightforward, easy-to-understand language, avoiding any jargon that might confuse the message. Intelligence reports should also be delivered on time while ensuring that information is provided to customers securely; speed should not supersede security. This is particularly important if dealing with a sensitive, ongoing matter. Following good practice during the dissemination stage of the intelligence cycle will contribute to the overall success of the intelligence product and boost your reputation as a capable analyst.
Finally, review completes the intelligence cycle. This part of the process is when an analyst can evaluate their work and gain feedback from the customer of the report. However, review can often be overlooked when working in a busy environment. Analysts may feel that they simply don’t have the time to review all work they deliver, but review breeds improvement.
Reviews can be held with the customer to ensure that the product met their expectations and requirements. If it didn’t, it’s critical to find out why so that you can improve for next time. Even if it did push all the right buttons, having feedback conversations is still a helpful exercise; there is always room for improvement, and sharing thoughts with someone who has different knowledge and experience could elicit ideas that otherwise may never have crossed your mind.
Reviews can also be held internally, covering similar ground to an external review. However, in an internal review, we might look at the analysis conducted and question how accurate it was, whether the proper techniques were used, and how the process can be improved. The importance of feeding this information back into the intelligence cycle cannot be understated. Collecting feedback is redundant if you don’t act on it. Processes can be streamlined, analysis techniques can be refined, and customer interaction can improve.
In summary, while the intelligence cycle is not perfect, it is a useful tool to guide analysts, old and new, through the production of assessed intelligence reporting. If you want to learn more about intelligence then Securing the State by Sir David Omand (ex-GCHQ head) is an excellent introduction. Likewise, if you want to know more about structure analytical techniques then Richards Heuer’s 1999 paper, Psychology of Intelligence Analysis is a must read.
Conversely if ransomware is your thing and you are interested in learning more, we recommend a 7-day free trial of Threat Intelligence with SearchLight. SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) clients receive real-time, actionable intelligence updates regarding ransomware activity, including analysis from our team of global analysts and intelligence on new posts to ransomware data leak sites across open and closed sources.