As an intelligence analyst, it’s paramount that you stay on top of what’s happening in the world around you. To further inform our own research and develop our skills, we often read lots of different blogs and news sources every week throughout the month. 

We’re continuing this series to showcase some of the brilliance outside of Digital Shadows (now ReliaQuest) and our take on some of the stories out there.

Stefano: Taking a Peek at the Cyber Surveillance Industry

I will admit it. In the last couple of months, I’ve been reading a lot about zero-day vulnerabilities and offensive tools for upcoming Digital Shadows (now ReliaQuest)’ research on vulnerability intelligence. For that reason, right now, I’m incredibly interested in the legal and illegal industry that drives the development and selling of such tools to nation-state countries. That’s why when I saw that the American think tank the Atlantic Council published a new report on this topic, I scraped my old contribution to this blog and wrote these paragraphs. 

The report is based on a dataset built with data collected at both ISSWorld and international arms fairs over the last twenty years. The Atlantic Council researchers do a great job in shedding light on an issue that is often overlooked due to the nature of this industry. In fact, while press coverage tends to focus on few companies such as NSO, this paper provides a critical overlooked into a far more crowded environment,

One of the key findings of this report is that multiple firms operating from Europe and the Middle East have been identified selling cyber surveillance tools to both NATO and its geopolitical adversaries. Although legit from a private company perspective, this action risks causing severe national security concerns to every party involved in these transactions. Additionally, according to the paper, the current “pay-to-play” model adopted by this industry is doomed to create a worrying pattern of cyber weapons proliferation. 

Policymakers are currently struggling to recognize and respond to this thorny issue. Regulations and limitations on the import/export of such technologies have failed to limit this industry significantly. Western countries should therefore adopt a more assertive approach to rein in companies selling sensitive tools to their adversaries. During times when cyber diplomacy isn’t receiving phenomenal results, a tougher stance may well obtain better ones.

Read more here.

Rory: Bipartisan moves in the US to strengthen cyber incident response

In a bipartisan amendment, four members of the United States Senate have proposed an addition to the 2022 National Defense Authorization Act (NDAA) which, if passed, would force entities operating in critical infrastructure to report cyberattacks and payments made to ransomware gangs to the Cybersecurity and Infrastructure Security Agency (CISA). The amendment would also force civilian federal agencies to report to CISA. The amendment, however, does not cover suspected cyberattacks; only confirmed instances. If successful, the victims will have 72 hours to report attacks; but this also has a caveat. Businesses, state and local governments, and not-for-profit organisations will have to report ransomware payments to federal authorities within 24 hours.

Bipartisan support suggests a political consensus regarding the need for swifter responses to cyberattacks; however, it could be argued that the amendment does not go far enough. Notably, it does not prevent ransomware payments; cybercriminals attacking their targets will continue to conduct this kind of activity for as long as victims pay up. However, a greater focus on ransomware in the last 12 months indicates more US policy is likely in the pipeline. Although we can’t say whether ransom payments will be banned, we do know that the US Government is becoming increasingly concerned with the situation. The 10 million dollar bounty for information on DarkSide, for example, shows an intent to hunt down those responsible for attacks against US critical infrastructure. For the time being though, if the amendment is successful it is likely to make it easier for US decision makers to get abreast of ongoing ransomware operations. 

Read more about it here (and also catch our CISO’s opinion).

Sean: So You Wanna Share Intelligence, Huh?

Some of the biggest conundrums that occur in any intelligence organization is the need to share information, or the need to acquire needed information. Sometimes it’s TLP:RED information, and the caveat effectively shuts down any sharing outside or getting your hands on it. Or it’s proprietary information derived from specific rules or systems that are not approved for third party release. Or the information itself points to your own customer or internal systems that it introduces a security risk on its own. 

Not to fear, fellow security nerds, because there are some ways things can be shared. Joe Ariganello over at Anomali wrote about this a couple of months ago, which included some best practices and other things to think about if you’re going the sharing route. There are definitely valid concerns to sharing information outside of your own organization, but luckily there are some frameworks and technologies that are on your side.

If you decide to go the sharing route, according to Joe, it’s best to figure out what the processes are, what kinds of data are being shared, the data sources, and the overall objectives of the program, among other considerations. Indicators of compromise (IOC) are usually the easy wins, but it may also be beneficial to share specific, observed attack behaviors that might help another SOC out there. Information might be shared within an ISAC (information sharing and analysis center) or an ISAO (instead of a center, it’s an organization), or it could be a small informal working group among vendor organizations, customers, industry peers, or partners. It may even be a formal organization, such as the Cloud Security Alliance; or among law enforcement or government agencies.

Recognizing that adversaries are out there with nearly unlimited resources and without the same constraints the private or public sector puts on themselves at times, sharing information can only bring more allies to the fight. As Caesar said in the 2011 classic Rise of the Planet of the Apes, “Apes together strong.” There’s no need to go it alone when you have others out there fighting the same battle. 

Read more about it here.

The Digital Shadows (now ReliaQuest) Difference

This is the stuff us analysts love to do: Researching and learning more about the myriad threats out there, and contextualizing them with the world around us. We love cyber threat intelligence!

Find out more about the intelligence we provide in SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) with a 7-day test drive, or contact us to schedule a demo to learn more about your use cases and how intelligence might make a difference for you.