February 20, 2024
In the past few weeks, the Lapsus$ threat group captured the security community’s attention with a series of brazen and controversial cyber attacks against some of the world’s largest organizations, including Microsoft, Okta, and Samsung. These attacks resulted in sensitive data being leaked on their Telegram channel, thus granting the group a significant notoriety boost in the cybercriminal community.
In our recent blog titled “Meet Lapsus$: An Unusual Group In The Cyber Extortion Business”, our analysts described how this group emerged in December 2021 and how they conducted their criminal operations. Lapsus$ initially appeared to be financially-motivated and solely focused on Latin American organizations; however, they swiftly changed their tactics in the early weeks of January and began targeting global corporations on an unprecedented scale.
After studying this group’s activity for the past few months, we began to question our assumptions about what motivates Lapsus$. Is it possible that money isn’t Lapsus$’s main driver? Are we observing a false flag operation orchestrated by a foreign power? What factors might be driving this group to behave in such an unpredictable way?
To answer these questions, I organized a Structured Analytic Technique (SAT) exercise for our own Photon Intelligence Team, allowing a deep dive into this group’s activity and a critical, organized review of our assumptions. Keep reading to learn about the key findings from this exercise!
A classic SAT definition states that these techniques are “mechanisms by which internal thought processes are externalized in a systematic and transparent manner so that they can be shared, built on, and easily critiqued by others.” In essence, these exercises help professionals limit their cognitive biases, review the available evidence, and address the problems that come with unexamined assumptions.
Right now, there are dozens of SATs to choose from when deciding how best to tackle a given analytical problem. SATs are divided into six categories based on their main objective: organization, exploration, diagnosis, reframing, foresight, and decision support. Identifying the technique that fits your team’s needs is crucial to ensure that the exercise returns the information you’re seeking and offsets the cognitive biases you’re worried about.
Given that our intelligence requirement was to reassess our initial assumptions and review the available evidence, I started looking for an SAT that would help our analysts diagnose and reframe our perspective on Lapsus$’s motivations. After evaluating our needs, capabilities, and time constraints, I picked an SAT called “Team A/Team B” to accomplish our goals.
Team A/Team B is a contrarian technique that pits two (or more) views or competing hypotheses about a specific phenomenon against each other. This approach helps the opposing teams recognize the merit in the other group’s perspective while giving equal attention to both sides. For this reason, the exercise can even end up narrowing the gap between the two opposing views, resulting in a more comprehensive and nuanced perspective on the subject under study.
But how does this work in practice? The first thing I did was create the two teams while being mindful of balancing their areas of expertise, their soft skills, and other internal factors. Next, one captain from each team was selected to represent their team’s point of view and give a presentation on the day of the exercise. Finally, I created a small jury whose main task was to question the robustness of the presentations and suggest further research directions during the exercise.
On the day of the exercise, the two teams came armed with their glorious slides and an army of memes to discuss their findings and hypotheses. This is another key point I’d like to make: SATs are a powerful analytical tool, but they’re also an outstanding team-building exercise that doesn’t need to weigh too heavily on your analysts’ shoulders. Try to make it fun and interactive; the result will be even better!
One of the key points identified by Team A—which supported the idea that Lapsus$ is a financially motivated threat group—is that a significant part of its observed activity is consistent with that of other cybercriminal groups. Gaining access to victims’ networks and then threatening to release sensitive data is a common tactic shared with notorious ransomware groups such as Conti, LockBit, and other cyber extortionists. Additionally, in a post on their Telegram channel, Lapsus$ actually stated that they are driven only by profit and have no political inclinations whatsoever. However, cybercriminals’ words should always be taken with a pinch of salt, and this statement has been contradicted by additional posts made by the group.
Some questions remain open, though. Why haven’t we seen any evidence of ransomware being deployed on their victims? And most importantly, why is there no evidence of any ransom payment being made by their victims? Observing how Lapsus$ communicates with its followers via their Telegram channel, the group appears to be quite confident and often brags about its successes. Why have they never announced any ransom received? These questions remain unanswered and fuel the hypothesis that there may be more to this group than just money.
After reviewing the evidence presented by Team A, the second team delivered a brilliant presentation trying to convince the rest of the attendees that Lapsus$ is primarily motivated by political or ideological reasons.
The main point put forward by Team B is that we haven’t observed any evidence of a payment directed at Lapsus$—this is a highly unusual observation when compared to other financially-motivated cybercriminals. On top of that, some of the tactics used by Lapsus$ indicate that spreading chaos and causing disruption may be this group’s primary motivations. These actions may well be in line with politically or ideologically-motivated threat groups aiming to damage the reputation of their victims. Some examples include the release of stolen data before any negotiation is put in place with their victims, as well as their use of a Telegram channel to interact with their followers and expand their communication reach.
However, Team B also had to deal with their own lack of evidence. Maybe we don’t have concrete evidence on Lapsus$ being financially-motivated, but we also can’t guarantee that they’re doing these attacks for political or ideological reasons. Sometimes the lack of evidence is just as important as the evidence itself. For this reason, the discussion stemming from the two presentations paved the way for a third possibility that may explain Lapsus$’s actions: the “lulz”.
After reviewing all the intelligence available on Lapsus$ and critically questioning our own assumptions about their motivations, the two teams narrowed the gap between them and started discussing a third possibility. Lapsus$ didn’t really seem to fit in any of the traditional boxes we use to categorize threat actors. So what if these cybercriminals are mainly driven by an irreverent desire to make fun of their victims and build their reputation in the criminal world?
After all, we know for a fact that prestige and notoriety are key factors for cybercriminals. Several of the tactics observed in this group seem to align with this possibility. The derisive use of their Telegram channel to ridicule their victims—in addition to picking the next victim by interacting with their followers—suggests a preference for overt actions that generate additional “noise” and publicity for the group. Lapsus$ has also been observed Zoom-bombing the calls of incident responders working for their victims, in a further attempt to poke fun at and make mischief for their targets.
If this hypothesis is confirmed by Lapsus$’s future activity, it may even expand the threat posed by this group. Because Lapsus$ is opportunistic and somewhat irrational in its victim targeting, its next move is potentially harder to forecast, as the group seems to escape any traditional categorization.
Attribution is undoubtedly one of the most complex endeavors that any cyber threat intelligence team can undertake. Limited visibility into the internal workings of a group requires security teams to be creative and rigorous at the same time in order to connect the dots. However, understanding the motivations and capabilities of threat groups can go a long way toward supporting defensive strategies.
Structured Analytic Techniques like Team A/Team B represent an excellent occasion for intelligence and security teams to get together and reason around complex issues in a structured and rigorous manner.
The blog you just read is a summary of the discussion we had in the office. If you want to know more about this exercise, make sure to check this ShadowTalk episode where we go through the discussion and findings of this SAT.
That’s not enough? If you’re now interested in monitoring how the Photon Intelligence Team is tracking Lapsus$ and other threat groups, take a seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here, or sign up for a demo.