Understanding the ins and outs of threat intelligence can be complicated for an organisation. If your business is anything but cyber, it’s understandable to be overwhelmed by terms like ransomware, cryptocurrency, and DDoS attacks, especially in relation to your systems and assets. That’s okay.
But, to solve a problem (and trust us, cyber risk is a major, growing problem), you need to understand the terms involved, how they relate to each other, and more importantly, how they relate to your organisation’s safety.
What Is Threat Intelligence?
Broadly, threat intelligence is the data, and subsequent analysis of that data, that allows for a response to some kind of cyber risk or attack. This data and activity can take many forms.
At Arctic Wolf, we utilise managed detection and response (MDR) and cloud detection and response solutions to monitor and analyse data for an organisation. This allows our team to respond to any potential risk or attack. This kind of collection, analysis, and response can occur either before or after a cyber incident has occurred.
Threat Intelligence Terms to Know
So, let’s begin with the basics of threat intelligence:
1. Data Breach
A data breach is any incident where highly valuable, sensitive, or mission-critical data from an organisation is compromised. This kind of breach can originate from ransomware, from an internal threat, or occur accidentally because of a careless user. A common kind of data breach would be the leak of a retail organisation’s customers’ credit card information. Another would be where PHI (personal health information) is stolen from a healthcare network.
2. Ransomware
Ransomware is a type of malicious software (also known as malware) that prevents an end user from accessing a system or data that the ransomware has infected. The most common form is crypto ransomware, which makes data or files unreadable through encryption and requires a decryption key to restore access. Bad actors, or even ransomware gangs, install ransomware onto a system and then hold that system for literal ransom. Ransomware has been increasing exponentially over the years, with an estimated 700 million attacks reported in 2021.
3. Ransomware-as-a-Service
Ransomware is so prolific that it is becoming its own industry. Ransomware-as-a-service refers to the arrangement where a bad actor purchases complete ransomware tools from a developer and then deploys them in a system.
4. Extortion
Ransomware is an example of extortion, which is the overarching term for cyberattacks that demand money. Specifically, it refers to any incident where a bad actor takes control of a system, or gains access to highly valuable data, and threatens to release that data (or keep controlling the systems) unless a payment is made.
5. Double (or Triple) Extortion
Double extortion gives hackers another avenue toward success if an organisation seems reluctant, or is slow, to pay the ransom in a ransomware attack. In this kind of attack, the hackers extract data before encrypting the systems they are holding for ransom. If the attacked organisation does not pay the ransom, the hackers threaten to release that data onto the dark web.
6. Exfiltration
Exfiltration, in threat intelligence terms, means the same as it does in other use cases: the removal of some “thing” (assets, data, customer information) from a system. Exfiltration normally happens during an attack, where hackers or bad actors will exfiltrate, or steal, data. While exfiltration is often the main objective of an attack, the stolen “thing” can also be held for ransom, with payment as the main goal.
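One way a defender notices the “removal of some thing from a system” described above is by watching outbound volume. The following is an added example, not Arctic Wolf’s code and not tied to any product: it reads constructed flow records (timestamp, source, destination, port, bytes), sums the bytes each internal host sent to addresses outside the organisation’s own ranges within each hour, and flags hosts whose volume is far above a constructed per-host baseline (or above an absolute floor when no baseline exists). The internal ranges, the baselines, the 10x ratio and the 100 MiB floor are all assumptions chosen for the demonstration.

```python
import ipaddress
from collections import defaultdict

MiB = 1024 * 1024

# Constructed flow records (not real traffic):
# "<timestamp> <src_ip> <dst_ip> <dst_port> <bytes>"
SAMPLE_FLOWS = """\
2024-05-01T02:10:03Z 10.0.4.17 203.0.113.9 443 734003200
2024-05-01T02:11:41Z 10.0.4.17 203.0.113.9 443 536870912
2024-05-01T02:12:05Z 10.0.4.17 10.0.0.5 445 8388608
2024-05-01T02:14:30Z 10.0.7.22 198.51.100.4 443 1048576
2024-05-01T02:15:12Z 10.0.7.22 198.51.100.4 443 2097152
2024-05-01T02:18:47Z 10.0.9.3 198.51.100.77 22 209715200
2024-05-01T02:20:00Z 203.0.113.50 10.0.4.17 443 999999999
"""

# Assumed: the organisation's own address ranges (used instead of
# ipaddress.is_private, which also treats documentation ranges as private).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed per-host baseline: typical bytes sent to the internet in one hour.
BASELINE_BYTES = {
    "10.0.4.17": 50 * MiB,
    "10.0.7.22": 20 * MiB,
}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield (timestamp, src, dst, port, bytes) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        yield ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes)


def outbound_external_bytes(text):
    """Sum bytes per (hour window, internal host) that left for a non-internal address.

    Inbound flows and internal-to-internal flows are ignored; only traffic
    leaving the organisation counts toward possible exfiltration."""
    totals = defaultdict(int)
    for ts, src, dst, _port, nbytes in parse_flows(text):
        if is_internal(src) and not is_internal(dst):
            window = ts[:13]  # "YYYY-MM-DDTHH": one-hour bucket
            totals[(window, str(src))] += nbytes
    return dict(totals)


def detect_exfiltration(text, baselines, ratio=10.0, floor=100 * MiB):
    """Flag hosts sending more than `ratio` times their hourly baseline,
    or more than `floor` bytes when no baseline is known for them."""
    findings = []
    for (window, host), sent in sorted(outbound_external_bytes(text).items()):
        base = baselines.get(host)
        if base is None:
            if sent > floor:
                findings.append({"window": window, "host": host, "bytes": sent,
                                 "ratio": None, "reason": "no baseline; above absolute floor"})
        elif sent > ratio * base:
            findings.append({"window": window, "host": host, "bytes": sent,
                             "ratio": round(sent / base, 2), "reason": "far above baseline"})
    return findings


if __name__ == "__main__":
    for f in detect_exfiltration(SAMPLE_FLOWS, BASELINE_BYTES):
        print(f)
```

In the sample, the host that pushed about 1.2 GB to one external address in a few minutes is flagged against its 50 MiB baseline, the host with no baseline is caught by the floor, and the inbound and internal-only flows are ignored. A real deployment would learn the baselines from history rather than hard-code them.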
7. Dark Web
The dark web is a portion of the internet, or a specific URL, that is intentionally hidden from normal browsers. Accessing it requires a specific browser, often Tor. Because the dark web is hidden, it is unregulated, and it is regularly used as the place where data from cyberattacks is leaked, where hackers negotiate with access brokers, and where ransomware tools are exchanged. Think of it like a digital black market that exists outside the regulation or control of any law enforcement entity.
8. Cryptocurrency
When a ransomware attack occurs, the hackers will often ask for the ransom in the form of cryptocurrency. This kind of currency is untraceable and can be converted into other currencies quickly. Think of cryptocurrency like tickets in an arcade that can be traded in for a prize. It’s impossible to know which machine the tickets came from, and the value of those tickets is flexible, depending on the prize (or currency) they are converted to.
9. Encryption Key
An encryption key is the metaphorical key that unlocks data in a server, system, or asset. It’s a string of characters used by an encryption algorithm to scramble (encrypt) or unscramble (decrypt) data, making it useless or useful to users. In a data breach, hackers may utilise a key to scramble data and then hold it for ransom.
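To make the scramble/unscramble role of the key concrete, here is an added example that is not Arctic Wolf’s code and not from any ransomware family. It builds a small authenticated encryption scheme from Python’s standard library only (HMAC-SHA256 as a counter-mode keystream, plus a separate HMAC tag so a wrong key or altered data is detected rather than silently producing garbage) so it runs offline; the sample records and both keys are constructed. The construction is for illustration; production systems use a vetted cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # fresh random value per message so equal inputs encrypt differently
TAG_LEN = 32    # HMAC-SHA256 output length


def _subkeys(key: bytes):
    # Derive separate encryption and authentication keys from the one secret.
    enc_key = hashlib.sha256(b"enc|" + key).digest()
    mac_key = hashlib.sha256(b"mac|" + key).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode: keystream block i = HMAC(enc_key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Recover the plaintext; raise ValueError if the key is wrong or the data was altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("wrong key or tampered data")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def can_read(key: bytes, blob: bytes) -> bool:
    """True if this key unlocks the data, False otherwise."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


def demo() -> dict:
    # Constructed sample: records an organisation depends on, and two keys.
    records = b"invoice-2024-0417,ACME Ltd,12400.00\ninvoice-2024-0418,Globex,8150.00\n"
    right_key = secrets.token_bytes(32)  # the key held by whoever encrypted the data
    other_key = secrets.token_bytes(32)  # any other key: useless against the ciphertext
    locked = encrypt(right_key, records)
    return {
        "ciphertext_differs": locked[NONCE_LEN:-TAG_LEN] != records,
        "readable_with_right_key": can_read(right_key, locked),
        "readable_with_other_key": can_read(other_key, locked),
        "restored": decrypt(right_key, locked) == records,
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway for a defender is the last two lines of `demo()`: without the exact key the data cannot be recovered, which is why tested offline backups, not key guessing, are the practical answer to crypto ransomware.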
10. Access Broker (a.k.a. Initial Access Broker)
Sometimes access into a system for a hacker comes from a phishing attack or from hacked credentials, but sometimes it comes from an Initial Access Broker (IAB). An IAB is a cybercriminal who has, and sells, access to an organisation’s systems. If you’re a hacker who wants to launch a ransomware attack on an organisation, you could go through an access broker who, for a price, will get you the access you need.
11. Tactics, Techniques, and Procedures (TTPs)
Tactics, techniques, and procedures (TTPs) refer to the general behaviour of a threat actor as they attempt (or succeed) to gain access to an organisation’s system. Those in the security industry use TTPs as the specific criteria for judging and evaluating that behaviour.
12. DDoS Attack
A distributed denial-of-service (DDoS) attack is a specific kind of cyberattack that attempts to disrupt traffic to a server, service, or network by overwhelming the target with traffic. This is achieved through botnets or malware. The botnet (or malware) is installed on multiple devices which, under remote control, send traffic to the target’s IP address until it is overwhelmed and legitimate traffic can no longer get through.
13. Trojan Horse Virus
A Trojan Horse virus, much like its namesake, is malware that comes in disguise. Because it is disguised as a legitimate program, or is downloaded from a legitimate-looking site, the malware is often installed unknowingly. Once installed, the malware takes control of the system, wreaking havoc.
14. Social Engineering (Phishing)
Like a fishing rod wobbling through the currents looking for a catch, a phishing attack relies on the human element for success. It is an attack where a bad actor lures a user into handing over access, credentials, or valuable data. It can come in many forms, including smishing, vishing, or spear phishing. Phishing is one of the oldest forms of cyberattack that exist, and it is still successful for many bad actors.
15. Tech Support Scam
A tech support scam is a specific scam where a bad actor claims to be someone from tech support. This kind of scam can come in the form of smishing, vishing or phishing, and has the goal of gaining credentials or data from the victim. This is a common phishing scam because internal users, or employees, are likely to trust someone claiming to be from tech support.
16. Botnet
A botnet is a group of devices all working together under the control of a bot program. During a DDoS attack, a botnet would be deployed, causing multiple devices to direct traffic at a specific IP address. Botnet attacks are common, and other examples would be bots posting fake reviews online or bots snapping up concert tickets in order to resell them.
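The DDoS and botnet entries above both describe many devices sending traffic at one target. As an added example that is not Arctic Wolf’s code, here is how a defender would spot that pattern in a web server’s access log: the script builds a constructed log (five ordinary clients, then sixty infected devices hammering one page for five seconds), counts requests and distinct clients per target per second, labels a spike as a distributed flood when many clients take part, and lists the individual clients that exceed a per-client rate so they can be rate-limited. The log format, the host names, the 100 requests/second alert threshold and the 20-client “distributed” cut-off are assumptions for the demonstration.

```python
from collections import defaultdict


def build_sample_log() -> str:
    """Constructed access log (not real traffic): "<timestamp> <client_ip> <host> <path>"."""
    lines = []
    # Normal traffic: five clients, one request each per second for 10 seconds.
    for sec in range(10):
        for c in range(5):
            lines.append(f"2024-05-01T12:00:{sec:02d}Z 192.0.2.{c + 1} www.example.com /index.html")
    # Flood: 60 infected devices, each sending 5 requests per second during seconds 4-8.
    for sec in range(4, 9):
        for bot in range(60):
            for _ in range(5):
                lines.append(f"2024-05-01T12:00:{sec:02d}Z 198.51.100.{bot + 1} www.example.com /login")
    return "\n".join(lines)


def per_second_stats(log_text: str):
    """Group requests by (target host, second); count requests and distinct clients."""
    stats = defaultdict(lambda: {"requests": 0, "clients": set(), "per_client": defaultdict(int)})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _path = line.split()
        key = (host, ts[:19])  # "YYYY-MM-DDTHH:MM:SS": one-second bucket
        bucket = stats[key]
        bucket["requests"] += 1
        bucket["clients"].add(client)
        bucket["per_client"][client] += 1
    return stats


def detect_flood(log_text: str, max_rps: int = 100, distributed_min_clients: int = 20):
    """Return one alert per (host, second) whose request rate exceeds max_rps.

    A spike spread across many clients looks like a botnet; a spike from one or
    a few clients is a single-source flood, which is handled differently."""
    alerts = []
    for (host, second), s in sorted(per_second_stats(log_text).items()):
        if s["requests"] <= max_rps:
            continue
        distributed = len(s["clients"]) >= distributed_min_clients
        alerts.append({
            "host": host,
            "second": second,
            "requests": s["requests"],
            "clients": len(s["clients"]),
            "kind": "distributed flood (botnet-like)" if distributed else "single-source flood",
        })
    return alerts


def noisy_clients(log_text: str, per_client_rps: int = 3):
    """Clients that exceeded per_client_rps in any single second: candidates for rate limiting."""
    noisy = set()
    for (_host, _second), s in per_second_stats(log_text).items():
        for client, count in s["per_client"].items():
            if count > per_client_rps:
                noisy.add(client)
    return sorted(noisy)


if __name__ == "__main__":
    log = build_sample_log()
    for alert in detect_flood(log):
        print(alert)
    print(len(noisy_clients(log)), "clients to rate-limit")
```

On the constructed log the five flood seconds each show 305 requests from 65 distinct clients and are labelled as a distributed flood, while the five ordinary clients never appear in the rate-limit list. Real DDoS volumes are orders of magnitude larger, but the shape of the detection (rate per target, breadth of sources, per-client rate) is the same.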
For more, check out 16 Social Engineering Attack Types. And find out how Arctic Wolf® Managed Security Awareness prepares your employees to recognise and neutralise social engineering attacks and human error—helping to end cyber risk at your organisation.