How to combat a new generation of threats with a new kind of threat intelligence

Oct. 14, 2024
Threat actors are not just focused on an organization’s IT infrastructure but its entire digital footprint.

In today’s threat landscape, collaboration is the name of the game. It is widely known that threat actors have become increasingly sophisticated and aggressive in recent years. Yet, most of our security teams still rely on traditional threat intelligence, keeping them a step behind modern attackers.

Threat actors are no longer focusing solely on an organization’s IT infrastructure. Instead, they analyze the organization’s entire digital footprint to reveal unexpected attack surfaces. This next generation of threats is more targeted, patient, and dangerous. Attackers have a specific purpose in mind and are customizing their approaches to leverage individual organizational, geopolitical, or cultural events.

The latest reports from OpenText Cybersecurity show that nation-states and cybercriminals are collaborating with one another more frequently to further their motivations, especially geopolitical ones.

To respond to these evolving tactics and protect against next-generation threats, organizations must incorporate adversary signals into their threat intelligence; doing so contextualizes attacks and improves cyber resiliency.

The Bad Guys are Working Together

Threat actors are no longer working independently to take down their targets. Today’s cybercrime groups are sharing intelligence with one another, sometimes even collaborating with nation-states to carry out attacks that drive the agendas of both groups.

For example, Russia has collaborated with malware-as-a-service gangs, including Killnet and Lokibot, to carry out targeted cyberattacks against countries supporting Ukraine. These gangs often launch spikes in ransomware-as-a-service or DDoS-as-a-service attacks shortly after a country announces endorsement or support of Ukraine. China, another country with notable cyber capabilities, has entered similar relationships with the Storm-0558 and Red Relay cybercrime rings, often to support its geopolitical agenda against countries in the South China Sea region.

This trend is especially problematic considering the lack of collaboration between security leaders. With threat actors and nation-states combining efforts to carry out their respective agendas, it is increasingly important that organizations that come under attack be forthcoming and transparent about any incident or breach. By disclosing this information to the U.S. Cybersecurity & Infrastructure Security Agency (CISA), organizations can increase visibility within the security community and help to further initiatives that protect against attacks like these.

Additionally, it’s not uncommon for enterprises and governments to experience these joint attacks from their known adversaries, but nation-states are taking the technique even further. To help facilitate cyberattacks, nation-state actors are pulling in third-party nations to stage their attacks and indirectly reach intended targets. Developing nations and those with weaker cyber defense infrastructure, such as the Democratic Republic of the Congo, Argentina, Iran, and Nigeria, have all been compromised in this way.

These trends have produced more targeted attacks, often exploiting unexpected entry points to disrupt the specific verticals a business needs in order to operate. We also see adversaries exhibiting more patience, giving themselves time to plan their attacks and to understand their victims in depth.

The growing danger of next-generation threats is evidenced by the global average cost of a data breach rising to $4.88 million in 2024 (IBM).

This shift emphasizes the importance of both reactive defense strategies and proactive measures, urging organizations to stay one step ahead.

Adversarial Signals Threat Intelligence Promotes Proactivity

Traditional threat intelligence provides insights into threat actors' behavior, such as their typical activities, their tools, and the geographical areas in which they operate.

The more nation-states work with cybercriminal groups, the more security analysts and leaders must watch for calculated behavior, specifically the adversary signals that reveal an attacker’s malicious behavior and intentions. Adversary signals are indicators that provide specific, real-time information about the behavior and tactics of individual threat actors. They are critical because they offer actionable insights into an attacker’s methods and objectives, allowing security teams to anticipate, defend against and mitigate threats more effectively. Organizations need to detect adversary signals earlier.

Adversarial signals threat intelligence utilizes far-space signals to identify attacks targeting an organization, including the origin and actor responsible. This advanced signaling arms organizations with more context so they can approach threats more proactively. For example, adversary signals can reveal geopolitical cyberattacks, a growing threat many companies don’t expect to be targeted. Adversary signals provide threat actor attribution, enabling security teams to anticipate the tactics that are most likely to be used and thus defend accordingly.

Strategies for Integrating Adversarial Signals Threat Intelligence

The data shows adversarial signals threat intelligence is now a must-have, not a nice-to-have. This telemetry can be added to SOC operations to modernize threat intelligence processes and cybersecurity strategies. Here are a few steps to use as a guide:

  1. Use adversarial signal analytics to understand which threat actors are most interested in your assets. Mapping which threat actors are most interested in an organization's assets and infrastructure helps pinpoint the actors behind specific attacks, track their tactics, techniques and procedures (TTPs), and understand their motivations.
  2. Prioritize your defenses based on the TTPs used by the threat actors discovered in step one. Once the adversarial signals and the threat actors behind them have been identified, organizations need to prioritize cybersecurity defenses based on the TTPs used in their industry. This means focusing on the potential vulnerabilities and entry points most likely to be exploited by the specific adversaries they are likely to face, making organizations more resilient to targeted attacks. This proactive approach shifts the focus from reactionary incident response to anticipating and blocking likely attack vectors.
  3. Collaborate with government agencies and share data when attacked; governments need this insight to triage and pursue threat actors. When an organization is attacked, it needs to promptly share data and adversarial signals with relevant agencies, especially CISA, because collaborative attacks require a collaborative response. Early alerts to U.S. agencies let the government prioritize its response efforts and support broader national and global initiatives to take down cybercriminals and nation-state actors.
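The three steps above are a procedure, so here is a small worked example of what a SOC might actually run over adversary-signal records: rank the actors showing interest in the organization's assets (step 1), turn that into a confidence-weighted list of TTPs with the defensive control each maps to (step 2), and build the minimal attribution-plus-TTP summary worth handing to an agency (step 3). This is added example code, not from the article or from OpenText's cyDNA product. The signal records, actor names, asset names, the use of MITRE ATT&CK technique IDs, and the technique-to-control mapping are all constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Signal:
    """One adversary signal: the observed actor, the technique it used, the
    targeted asset and how much the source trusts the attribution (0.0 to 1.0)."""
    actor: str
    technique: str    # MITRE ATT&CK technique ID (assumed naming; the article does not use ATT&CK)
    asset: str        # hypothetical internal asset name
    confidence: float


# Constructed sample signals, not real telemetry; actor names are placeholders.
SAMPLE_SIGNALS = [
    Signal("ActorA", "T1566", "mail-gateway", 0.9),
    Signal("ActorA", "T1190", "vpn-portal", 0.8),
    Signal("ActorA", "T1486", "file-server", 0.7),
    Signal("ActorB", "T1498", "public-web", 0.6),
    Signal("ActorB", "T1498", "public-web", 0.5),
    Signal("ActorC", "T1190", "vpn-portal", 0.4),
    Signal("ActorA", "T1566", "mail-gateway", 0.9),
]

# Technique name plus the defensive control a team might map it to (assumed mapping).
TECHNIQUES = {
    "T1566": ("Phishing", "mail filtering and user reporting"),
    "T1190": ("Exploit Public-Facing Application", "patching and WAF on internet-facing apps"),
    "T1486": ("Data Encrypted for Impact", "offline backups and EDR containment"),
    "T1498": ("Network Denial of Service", "upstream DDoS mitigation"),
}


def actor_interest(signals):
    """Step 1: rank actors by confidence-weighted signal volume against our assets.
    Returns (actor, score, sorted list of targeted assets), highest score first."""
    score = defaultdict(float)
    assets = defaultdict(set)
    for s in signals:
        score[s.actor] += s.confidence
        assets[s.actor].add(s.asset)
    rows = [(a, round(score[a], 2), sorted(assets[a])) for a in score]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def prioritized_ttps(signals, actors=None):
    """Step 2: rank TTPs by confidence-weighted frequency, optionally limited to
    the actors chosen in step 1. Returns (technique_id, weight, name, control)."""
    weight = defaultdict(float)
    for s in signals:
        if actors is None or s.actor in actors:
            weight[s.technique] += s.confidence
    rows = []
    for tid, w in weight.items():
        name, control = TECHNIQUES.get(tid, (tid, "unmapped technique"))
        rows.append((tid, round(w, 2), name, control))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def sharing_summary(signals, top_n=3):
    """Step 3: the attribution and top TTPs to share with an agency such as CISA.
    Internal asset names are deliberately omitted: attribution and TTPs are what a
    recipient needs to correlate the activity with other victims."""
    actors = [a for a, _, _ in actor_interest(signals)]
    ttps = [tid for tid, _, _, _ in prioritized_ttps(signals)[:top_n]]
    return {"actors": actors, "techniques": ttps, "signal_count": len(signals)}


if __name__ == "__main__":
    for actor, score, assets in actor_interest(SAMPLE_SIGNALS):
        print(f"{actor}: score {score}, assets {assets}")
    top_actor = actor_interest(SAMPLE_SIGNALS)[0][0]
    for tid, w, name, control in prioritized_ttps(SAMPLE_SIGNALS, actors={top_actor}):
        print(f"{tid} {name}: weight {w} -> prioritize {control}")
    print(sharing_summary(SAMPLE_SIGNALS))
```

The weighting is intentionally simple (a sum of source confidence); a real deployment would also decay old signals and weight assets by business criticality, but the shape of the pipeline, actor ranking feeding TTP prioritization feeding a shareable summary, is the point of the three steps.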

Adversarial signals add proactivity to threat hunting, which traditional threat intelligence lacks. Organizations can elevate their defenses against increasingly coordinated and sophisticated attacks by integrating these signals into their cybersecurity frameworks. Armed with adversarial signals, threat hunters can finally be one step ahead.

About the Author

Grayson Milbourne | Security Intelligence Director, OpenText Cybersecurity

Grayson Milbourne is the Security Intelligence Director at OpenText Cybersecurity, an OpenText division offering OpenText™ ArcSight™ cyDNA, a signal-based analytics platform that reveals adversarial behavior in real-time. Grayson’s nearly two decades of security intelligence expertise include malware analysis, data science, and security education. In his current role, Grayson is focused on efficacy development to ensure the company’s security management products (which include the Webroot portfolio) can defend against the most cutting-edge threats.