Examine our research from the last year in the ReliaQuest 2024 Annual Cyber-Threat Report
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Beyond MDR
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Operational Technology
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Threat Hunting
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Threat Intelligence
Find cyber threats that have evaded your defenses.
Model Index
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
Phishing Analyzer
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
Integration Partners
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Blog
Company Blog
Case Studies
Brands of the world trust ReliaQuest to achieve their security goals.
Data Sheets
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
eBooks
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Podcasts
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
Solution Briefs
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
White Papers
The latest white papers focused on security operations strategy, technology & insight.
Videos
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
ReliaQuest ResourceCenter
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Threat Research
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
Shadow Talk
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
March 26, 2024
About ReliaQuest
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Leadership
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Careers
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
Contact Us
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
More results...
In the current era of self-isolation, remote work, and constant tweets offering epidemiological hot takes, now is the perfect time to get off social media and tuck into a good box set.
Don’t just take my word for it. Disney, Apple, and Netflix have all reduced their streaming quality to deal with the increased demand for streaming. Yet, despite the abundance of series and movies at our fingertips, it can often be surprisingly difficult to choose the right one.
Of course, the correct choice is always The Wire, a delightful subversion of the traditional cop show genre and the undisputed G.O.A.T. of television. Whether it be its interweaving plot lines, richly complex characters, or a screenplay rooted in reality, it’s a box set that really does have it all. It is no surprise that the five series epic has been dubbed the “visual equivalent of a Dickens novel” and described as one of the most significant pieces of art in the last few decades by none other than former President Barack Obama.
Unfortunately, the world of cyber threats continues to evolve during the COVID-19 pandemic. Therefore, there is no shortage of threat actors (or pesky managers) preventing employees from binge-watching TV shows, no matter their critical acclaim.
The good news, however, is that The Wire holds plenty of lessons for infosec. The business case for watching it should, therefore, be easy enough to justify.
Interested?
If The Wire should have taught us anything, it was that neat categories rarely exist. The show excels in demonstrating how the line between the good guys and the bad guys is a blurry one indeed.
Take Jimmy McNulty, a cop who will stop at nothing in his attempt to lock up criminals and protect the streets of Baltimore. McNulty undoubtedly possesses various admirable traits, many of which could apply to an Infosec professional. His doggedness, passion for the cause, and relentless work ethic would all be welcome attributes in a budding cyber threat intelligence (CTI) analyst.
Yet, McNulty is also perfectly willing to lie, cheat, and even drive drunk. Rather than regarding the law as sacrosanct, McNulty is all too willing to bend it to suit his interests. As a policeman who should be setting an example to society, his conduct leaves much to be desired.
It’s not just the good guys who are multifaceted as The Wire also highlights the diverse nature of criminals. For example, the drug kingpin Avon Barksdale was all too happy to donate to a local community boxing club in need while his partner-in-crime Stringer Bell worked relentlessly in an attempt to legitimize their criminal operation. Or say Omar Little – while well acquainted with blowing off peoples’ heads with a 12 gauge shotgun, Mr. Little nevertheless has integrity in buckets, a disdain for swear words, and a clear moral code.
The Baltimore criminal collective also maintained broader community principles. For instance, the various drug dealing crime families upheld a Sunday truce that prohibited the use of violence against rival gang members on the day of the Sabbath.
This blurred line between the good guys and the bad guys also applies to infosec.
While the significant majority of the cybersecurity community have put out excellent content on the threats related to COVID-19, a minority have not covered themselves in glory in how they have reacted, and even capitalized, on the crisis. Crucially, now is not the time to push F.U.D. (fear, uncertainty, and doubt) at a time when organizations require practical advice and a clear sense of what they should be on the lookout for.
Likewise, it is also important to remember that cybercriminals are people too—many of whom will also be scared for their loved ones. While some cybercriminals will undoubtedly see COVID-19 as an opportunity, others would find the idea of capitalizing on the pandemic morally reprehensible. Indeed, it has been encouraging to see prominent ransomware groups stating that they do not intend to target healthcare organizations during this time and will even provide a free decryption tool to any healthcare organizations that they inadvertently affect. Digital Shadows (now ReliaQuest) has also observed cybercriminals expressing solidarity with countries severely affected by COVID-19 and discouraging others from profiting off the pandemic.
The charitable side of cybercriminals also exists outside of pandemics. In one extraordinary example of forum justice observed on the Russian-language Antichat, a user explained that they needed money to pay for their father’s cancer medication. Antichat administrators eventually arranged a “whip around” among forum members that raised $700 for the medical treatment.
On the tough streets of Baltimore, reputation is everything. It cements your standing on the criminal ladder and establishes your trustworthiness within the broader community.
Brother Mouzone encapsulates the importance of reputation — a New York enforcer who is also a voracious reader of high-brow magazines. Despite being in the grubby business of killing people and protecting drug empires for a living, Brother Mouzone takes his self-presentation seriously and is always in a suit and bow tie.
Both his reputation and that of his clients are sacrosanct for the New Yorker. It was the word and status of the Barksdale operation that meant Brother Mouzone was willing to work with them in the first place. Likewise, when framed for a murder he did not commit, Brother Mouzone immediately refuses a pay-off to keep him sweet. This is because breaking your word is a crime that goes beyond business.
Reputation is equally crucial for cybercriminals. Establishing a good reputation is arguably even more critical for criminals online.
As argued by University of Oxford academic Dr. Jonathan Lusthaus, if a criminal does not truly know who they are dealing with, it makes it difficult to assess their trustworthiness or to retaliate should dealings go sour and agreements need to be enforced. This creates a large trust deficit, beyond even that common among conventional criminals, and could destabilize cybercriminal transactions.
Online personas and nicknames, therefore, provide a crucial function in helping cybercriminals build their reputation. They provide at least some level of assurance around the product that they are selling (whether that be stolen data, credit card numbers, or malware).
Within the cybercriminal underground, reputation helps to explain the enduring popularity of forums. Forums provide a crucial platform for facilitating communication and cooperation amongst cybercriminals. Forums such as Exploit have been around for a long time and remain popular despite there now being more ostensibly secure alternative forms of communication, which are harder for law enforcement to disrupt. Their history drives the popularity of many criminal forums.
For instance, reputation is a central principle for many of the prominent Russian-language cybercriminal forums operating today, many of which have a long pedigree. The status of these established cybercriminal forums—and the prestige associated with being a forum member—is attractive to many threat actors. Linking to a profile on a hallowed forum is an almost failsafe way for cybercriminals to prove their credibility and legitimacy.
Within these forums, reputation also goes a long way for individuals. When one of the administrators of the prestigious DamageLab forum, Sergey Yarets (also known by the username Ar3s), was arrested in December 2017, the remaining members of the forum team closed the site down to protect the forum’s members. Many months later, the former administrator of Exploit forum purchased a partial back-up of DamageLab and reopened and rebranded the forum by leveraging the reputation they acquired during their time at Exploit.
Under the new name of XSS, the rebranded forum has flourished, despite users being acutely aware of the dangers of operating on a platform associated with an individual known to law enforcement agencies. Yarets, now released from prison, holds a legacy role on XSS and has recently even been appointed as a moderator of Exploit. The prestige and longevity of DamageLab outweighed the potential negative implications of restoring a defunct forum. At the same time, Ar3s’s experiences with the law are often called upon by other forum members, and his opinions are highly valued.
The Wire also brings a dash of gritty realism to investigative operations. Rather than a Dr. House epiphany, catching criminals involves a lot of time, unglamorous and repetitive police work, and going down rabbit holes that often don’t pay off.
Much of this also applies to malicious cyber campaigns. When we think about the pantomime villains of infosec—advanced persistent threats—the industry tends to focus on how sophisticated these actors are, including the use of a flashy new zero-day exploit, or deployment of a rarely observed MITRE ATT&CK technique for example. However, the persistence of a threat actor is equally essential. Just like good police work, a stubborn and relentless threat actor is likely to find an opportunity eventually. Rather than just technical wizardry, cyber campaigns are often a game of unglamorous abrasion.
Investigations in The Wire also piece together various strings of often tenuous information. While none of these bits of information are a smoking gun on their own, it is their cumulation that eventually produces the satisfying “gotcha” moment that puts a criminal behind bars.
Just as Baltimore’s finest catch criminals through this process, criminals investigate us using the same methods online.
Many cyber campaigns begin with extensive reconnaissance operations. Threat actors will gather as much detail on a target individual or organization as possible to conduct convincing social engineering campaigns through relatable phishing emails or to scope out the type of systems and devices that targets are using.
Again, much of this actionable information is pieced together from seemingly innocuous aspects of an individual’s online footprint. For example, a selfie taken by an employee and uploaded to their public social media page could have telling pieces of information to a trained eye. With a work badge, a laptop screen, and personal information like a mobile phone number and picture of a cycling hobby could provide all the information a threat actor needs to get initial access.
There are frequent references to “the game” within The Wire—i.e., the unwritten rules, codes, and processes of Baltimore’s institutions. The game is underpinned by a Darwinian logic—a kill or be killed mentality inherent to the drug trade.
The game is remorseless. Despite the toils, arrests, and deaths, the game continues. Drug dealers will be imprisoned, cops will continue to bust safe houses, and political scheming will launch new law and order policies. The game offers a pessimistic view of institutions and their ability to change the reality on the streets fundamentally. At the heart of the game is a story of regeneration and the enduring nature of the drug trade.
In many ways, the game mirrors the cybercriminal ecosystem. Police and security services have been highly active in targeting criminal messaging services, marketplaces, and automated vending carts (AVCs). For example, the prominent Dark0de forum was rendered offline by an FBI-led operation in 2015 while an international law-enforcement coalition took down Infraud in 2018, a half-billion-dollar operation selling hacking and fraud services.
Yet, the cybercriminal game plays on.
Despite both arrests and takedowns, criminals quickly migrate to new sites. For example, many threat actors would have hardly noticed when Torum entered the cybercriminal scene in 2017. It wasn’t until the disappearance of the popular KickAss forum two years later that threat actors started looking for an alternative, and the forum rose to prominence. By October 2019, Torum’s membership numbers had shot up to 43,559―a 639-percent gain in just eight months―and the number of posts on the forum had skyrocketed from 6,096 to 61,395
An overarching theme of all five seasons of The Wire is the perils of performance metrics. Time and time again, public institutions are inhibited from doing good and important work due to a remorseless obsession with hitting absolute numbers.
For example, rather than doing in-depth investigations that would lead to arresting key drug kingpins, an obsession with boosting crime stats ahead of an election led to the police pursuing low-level (and mostly meaningless) arrests instead.
Much of this can also apply to cybersecurity and threat intelligence in particular.
There is no shortage of data in cybersecurity, and most organizations don’t need any more of it. There is ultimately little value in intelligence solutions that vomit data, publish irrelevant incidents, and regurgitate indicators of compromise without context.
Crucially, CTI must provide actionable insight that focuses on providing practical solutions and advice that can be readily consumed and integrated by intelligence consumers.
CTI can and should complement a variety of security and functions. For instance, tactical threat intelligence can complement an organization’s vulnerability management approach; operational intelligence can feed into a security operations center, while strategic intelligence can integrate into a company’s broader risk management processes.
With the parallels between The Wire and cybersecurity, practitioners should ensure that they devour all five seasons as soon as possible. More importantly, however, those that think Breaking Bad is the better series need to take a long hard look at themselves.
To stay up to date with our threat intelligence blogs and updates, subscribe to our list below.