Finished intelligence, at its core, requires both data and context. While I’ve written previously about how different data sources — specifically the Deep & Dark Web versus the open web — can dictate the value and relevance of the resulting intelligence, establishing the proper context is just as crucial.
The problem is, context can be complex — especially amid our current geopolitical landscape and its ever-increasing overlap with many of the cyber and physical threats targeting organizations across all sectors. Most threat intel teams haven’t been conditioned to maintain a comprehensive understanding of how geopolitical factors can influence, for example, emergent strains of malware, insider threats, or supply chain security vulnerabilities, so they may overlook such factors when establishing the context within which the data pertaining to these threats has been collected. And without timely, accurate, and complete context, finished intelligence is hardly intelligence at all.
Ultimately, organizations seeking to produce and apply finished intelligence to address emerging threats, vulnerabilities, and potential impacts accurately need to maintain an ongoing and strategic view of the geopolitical landscape. The following observations reinforce this point by illustrating the substantial extent to which shifting geopolitical conditions have influenced different threat actors’ targets, motivations, and capabilities since the start of 2017.
Despite increased global law enforcement attention and the widespread implementation of comprehensive security measures across all sectors, financially motivated cybercriminals continue to develop new ways to circumvent protections. Over the last six months, organizations around the world have incurred billions of dollars in damages from cybercriminal schemes targeting EMV chip payment technology, SWIFT infrastructure, financial institutions’ user access controls, electronic medical record (EMR) systems, and anti-fraud measures aimed at preventing identity theft, among others.
Most threat intel teams recognize the critical need to remain informed of the latest cybercriminal threats emerging from the Deep & Dark Web. Geopolitical shifts from the last six months, however, have yielded several unexpected developments that some teams may not be prepared to address. The increasing sophistication of cybercriminal communities outside of Eastern Europe — such as the Brazilian underground — is one noteworthy example. Without fluency in Portuguese and a keen understanding of Brazilian cybercriminals’ emerging targets, capabilities, or motivations, organizations may be unable to address and mitigate the respective threats effectively.
Nation State Actors
State-sponsored actors have received no shortage of attention during the last six months — some of which correlates with mounting tensions between the U.S. and countries such as Russia and China. Russia’s alleged involvement in attacks against the U.S. Democratic National Committee and several high-profile elections in Western Europe, highly targeted phishing campaigns linked to the Chinese regime, and both China’s and Russia’s major regulatory shifts to limit anonymity in cyberspace all align with several major themes exacerbating global concerns over state-sponsored cyber activity.
It’s crucial to recognize that while state-sponsored actors have long been considered highly capable and dangerous, their malicious activities are also known for being extremely targeted and relatively infrequent. These same tendencies mean that most threat intel teams — especially those in the private sector — face state-sponsored cyber activity very rarely, if ever. But as attribution continues to grow more complex and blur the lines between state-sponsored and other types of malicious cyber activity, threat intel teams without the proper geopolitical expertise — much less linguistic and cultural acumen — may not be prepared to address and mitigate these threats effectively.
It should come as no surprise that political, economic, and/or social unrest always carries the potential to catalyze hacktivist activity. But unlike historical trends that reflect higher concentrations of such activity in the West, the first half of 2017 was rife with decidedly non-Western displays of hacktivism. Despite the decline of the notorious Western hacktivist group Anonymous, hacktivism gained prominence in other countries, particularly Turkey.
Indeed, since late 2016, the Turkish hacktivist group Aslan Neferler Tim (ANT) has carried out a string of seemingly indiscriminate distributed denial of service (DDoS) attacks against numerous high-profile Middle Eastern, European, and American targets, including government ministries, international airports, telecommunications providers, and banks — often without prior justification. In addition to ANT’s rapid emergence as a highly capable and active hacktivist collective, the group’s linguistic and cultural intricacies create substantial difficulties for threat intel teams seeking proactive visibility into the group’s disruptive cyber campaigns.
Much like gathering data from the most difficult-to-access corners of the Deep & Dark Web, addressing today’s threat landscape accurately can present challenges for even the most advanced threat intel teams.
Realistically, the most effective way to establish any data’s context amid the undeniable complexity of our geopolitical landscape is to seek out subject matter experts with the proper linguistic, cultural, and geopolitical expertise. Rather than expend endless resources conducting such operations in-house, most organizations are better off working with reputable vendors with extensive knowledge of both geopolitics and the Deep & Dark Web. After all, finished intelligence — when accurate, timely, and contextual — can help not just threat intel teams but all business functions across the enterprise gain an increased understanding of the impact, relevance, and corresponding risks posed by the full spectrum of malicious actors.