17 Threat Intelligence Terms Everyone Should Know


Understanding the ins and outs of threat intelligence can be complicated for an organization. If your business is anything but cyber, it’s understandable to be overwhelmed by terms like ransomware, cryptocurrency, and DDoS attacks, especially in relation to your systems and assets. That’s okay.

But, to solve a problem (and trust us, cyber risk is a major, growing problem), you need to understand the terms involved, how they relate to each other, and more importantly, how they relate to your organization’s safety.  

What Is Threat Intelligence? 

Broadly, threat intelligence is the data, and subsequent analysis of that data, that allows for a response to some kind of cyber risk or intrusion. This data and activity can take many forms.

At Arctic Wolf, we utilize managed detection and response (MDR) and cloud detection and response solutions to monitor and analyze data for an organization. This allows our team to respond to any potential risk or intrusion. This kind of collection, analysis, and response can occur either before or after a cyber incident has occurred.

Threat Intelligence Terms to Know 

So, let’s begin with the basics of threat intelligence: 

1. Access Broker (a.k.a. Initial Access Broker)

Sometimes access into a system for a threat actor comes from a phishing attack or from hacked credentials, but sometimes it comes from an Initial Access Broker (IAB). An IAB is a cybercriminal who has, and sells, access to an organization’s systems. If you’re a threat actor who wants to launch a ransomware attack on an organization, you could go through an access broker who, for a price, will get you the access you need.  

2. Botnet 

A botnet is a group of devices all working together under the control of a bot program. During a DDoS attack, a botnet would be deployed, causing multiple devices to direct traffic at a specific IP address. Botnet attacks are common; other examples include bots posting fake reviews online or bots snapping up concert tickets in order to resell them.

3. Business Email Compromise

Business Email Compromise (BEC) attacks refer to spear phishing schemes that target a user’s email with the hope of financial gain. These attacks often target users high up within a company or with financial access and spending power. Relying on social engineering, these attacks aim to trick a user into wiring money or giving up financial information. The targets for these attacks are often highly researched, and the fake email will be harder to spot than other, broader phishing attempts.

4. Cryptocurrency  

When a ransomware attack occurs, the threat actors will often ask for ransom in the form of cryptocurrency. This kind of currency is untraceable and can be converted into other currencies quickly. Think of cryptocurrency like tickets in an arcade that can be traded in for a prize. It’s impossible to know which machine the tickets came from, and the value of those tickets is flexible, depending on the prize (or currency) they are converted to. 

5. Dark Web 

The dark web is a portion of the internet, or a specific URL, that is intentionally hidden from normal browsers. It requires a specific browser, often Tor, to access the URL. Think of it like a digital black market that exists outside the regulation or control of any law enforcement entities. 

6. Data Breach   

A data breach is any incident where any data (including highly valuable, sensitive or mission critical data) from an organization is compromised. This kind of breach can originate from ransomware, from an internal threat, or accidentally occur because of a careless user. A common kind of data breach would be the leak of a retail organization’s customers’ credit card information. Another would be where PHI (personal health information) is stolen from a healthcare network. 

7. DDoS Attack 

A Distributed Denial of Service (DDoS) attack is a specific kind of cyberattack that attempts to disrupt traffic to a server, service, or network by overwhelming the target with traffic. This is achieved through botnets or malware. The botnet (or malware) is installed on multiple devices, and through remote control, sends traffic to the target’s IP address, overwhelming it and shutting down legitimate traffic.
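From the defender's side, the distinguishing feature of a DDoS attack is in the name: the traffic is both excessive and spread across many sources. The Python script below is an added example (not code from the original post or from Arctic Wolf) of a simple detection rule run over constructed web-server log lines. It buckets requests by second, then flags any second whose request count exceeds a rate threshold, labelling it "distributed" when the requests come from many distinct addresses and "single-source" when one busy client is responsible. The log format, the addresses (RFC 5737 documentation ranges) and the thresholds are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# Constructed sample log: "<timestamp> <client-ip> <method> <path> <status>".
# Ten seconds of normal traffic from five clients, then three seconds in which
# 120 distinct addresses hit the host, then one second in which a single
# client sends 80 requests (busy, but not distributed).
def build_sample_log() -> List[str]:
    base = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines: List[str] = []
    normal_clients = [f"198.51.100.{i}" for i in range(1, 6)]
    for s in range(10):
        ts = (base + timedelta(seconds=s)).strftime(fmt)
        for ip in normal_clients:
            lines.append(f"{ts} {ip} GET /index.html 200")
    for s in range(10, 13):
        ts = (base + timedelta(seconds=s)).strftime(fmt)
        for i in range(120):
            lines.append(f"{ts} 203.0.113.{i + 1} GET / 503")
    ts = (base + timedelta(seconds=13)).strftime(fmt)
    for _ in range(80):
        lines.append(f"{ts} 203.0.113.200 GET /search 200")
    return lines


def parse_line(line: str) -> Tuple[str, str]:
    # Only the whole-second timestamp and the client address matter for this rule.
    ts, ip, _method, _path, _status = line.split()
    return ts, ip


def detect_floods(lines: List[str], rate_threshold: int = 50,
                  min_sources: int = 20) -> List[Tuple[str, str, int, int]]:
    """Return (second, kind, total_requests, distinct_sources) for every second
    whose request count reaches rate_threshold. kind is "distributed" when at
    least min_sources different addresses contributed, else "single-source"."""
    counts: Dict[str, int] = defaultdict(int)
    sources: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        ts, ip = parse_line(line)
        counts[ts] += 1
        sources[ts].add(ip)
    alerts = []
    for ts in sorted(counts):
        total, distinct = counts[ts], len(sources[ts])
        if total >= rate_threshold:
            kind = "distributed" if distinct >= min_sources else "single-source"
            alerts.append((ts, kind, total, distinct))
    return alerts


if __name__ == "__main__":
    for ts, kind, total, distinct in detect_floods(build_sample_log()):
        print(f"{ts}  {kind:14s} requests={total:4d} sources={distinct}")
```

The normal seconds (five requests each) never trip the rule; the three flood seconds are reported as distributed, and the final burst from one address is reported separately, which is the case a defender would usually handle by rate-limiting that one client rather than treating it as a DDoS.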

8. Encryption Key 

An encryption key is the metaphorical key that unlocks data in a server, system, or asset. It’s a string of code (or algorithm) that can scramble or unscramble data, making it useless or useful to users. In a data breach, threat actors may utilize a key to scramble data and then hold it for ransom.

9. Extortion   

Ransomware is an example of extortion, which is the overarching term for cyberattacks that demand money. Specifically, it refers to any incident where a bad actor takes control of a system, or gains access to highly valuable data, and threatens to release that data (or keep controlling the systems) unless a payment is made.   

10. Double (or Triple) Extortion 

Double extortion gives threat actors another avenue toward success if an organization seems reluctant to, or is slow to, pay the ransom in a ransomware attack. In this kind of attack, the threat actors will extract data before encrypting the systems they are holding for ransom. If the attacked organization does not pay the ransom, the threat actors will threaten to release that data onto the dark web.

With triple extortion, threat actors not only encrypt the data, not only steal the data and threaten to release it if the ransom isn’t paid, but also contact individuals who may be impacted by the data’s release and tell them to pay up or risk having their information exposed. 

11. Exfiltration  

Exfiltration, in threat intelligence terms, means the same as it does in other use cases: the removal of some “thing” (assets, data, customer information) from a system. Exfiltration normally happens during an attack, where threat actors will exfiltrate, or steal, data. While exfiltration is often the main objective of an attack, the stolen “thing” can also be held for ransom, with payment as the main goal.

12. Ransomware 

Ransomware is a type of malicious software (also known as malware) that prevents an end user from accessing a system or data that the ransomware has infected. The most common form is crypto ransomware, which makes data or files unreadable through encryption, and requires a decryption key to restore access. Bad actors install ransomware onto a system and then hold that system for literal ransom. Ransomware has been increasing exponentially over the years, with 700 million estimated attacks reported in 2021.   

13. Ransomware-As-a-Service 

Ransomware is so prolific it has become its own industry. Ransomware-as-a-service refers to the system where a bad actor purchases complete ransomware tools from a developer and then deploys them in a system. The profits are then split between the person who deploys the ransomware and the developer.

14. Social Engineering (Phishing) 

Like a fishing rod wobbling through the currents looking for a catch, a phishing attack relies on the human element for success. It is an attack where a bad actor lures a user into handing over access, credentials, or valuable data. It can come in many forms, including smishing, vishing, or spear phishing. Phishing is one of the oldest forms of cyber attack that exists, and it is still successful for many bad actors.

15. Tech Support Scam  

A tech support scam is a specific scam where a bad actor claims to be someone from tech support. This kind of scam can come in the form of smishing, vishing or phishing, and has the goal of gaining credentials or data from the victim. This is a common phishing scam because internal users, or employees, are likely to trust someone claiming to be from tech support. 

16. Trojan Horse Virus   

A Trojan Horse virus, much like its namesake, is malware that comes in disguise. Disguised to look like a legitimate program, or even downloaded from a legitimate-looking site, the malware is often downloaded unknowingly. Once downloaded, the malware takes control of the system, wreaking havoc.

17. TTPs   

Tactics, techniques, and procedures (TTPs) refer to the general behavior of a threat actor throughout an intrusion. They are the specific criteria those in the security industry use to evaluate and compare that behavior.

For more, check out 16 Social Engineering Attack Types. And find out how Arctic Wolf® Managed Security Awareness prepares your employees to recognize and neutralize social engineering attacks and human error—helping to end cyber risk at your organization.


Sule Tatar

Sule Tatar is a Senior Product Marketing Manager at Arctic Wolf, where she does research on security trends and brings groundbreaking cybersecurity products and services to market. She has extensive experience in the B2B cybersecurity space and holds a bachelor's degree in computer engineering and an MBA.