Cyberattacks in the gaming sector have increased 260% in just the first quarter of this year. Although such attacks may sound frivolous compared with those that have taken down infrastructure and paralyzed hospitals, this uptick in cyberattacks should be a wake-up call for all sectors and for any company that handles personal data or money. These attacks are increasingly carried out by state-backed Chinese and North Korean hackers as well as sophisticated malicious civilian actors. This is a strong warning signal that no company, organization or sector is immune to state-backed attacks, no matter how minor or strategically uninteresting it may consider itself.
In the eyes of North Korea, under severe sanctions, or China, increasingly under economic strain, these gaming companies are de facto financial companies. This is because they handle large amounts of money or personal data that can be sold for money on the Dark Web, making them valuable and practical targets for anyone looking to gain access to money.
The overarching lesson in this trend is that all companies — even those with no obvious national or political role — are at risk of state-backed attacks. Other organizations, known as hub companies — those that on their own don’t offer much value to hackers but provide services to parties that have deep pockets or valuable data, thus becoming a gateway — are also increasingly at risk. It is often easier to infiltrate these hub companies to reach more interesting or significant targets than to go after the targets themselves, which are usually better protected and more savvy about security.
A shift to intelligence-backed security
To survive, CISOs need to make a shift to intelligence-driven operations. For this, we recommend an approach that has worked well for the Israeli military, where we served as officers. In the wake of several battle mistakes and failures in the 2006 Lebanon War against Hezbollah, the military adopted an approach where each and every operation is backed by specific intelligence, which is also shared with the parties directly involved.
This strategy, when applied to the cyber arena, can result in better security as well as better use of resources. Solid and specific intelligence should back up and drive each action, including software purchases, system upgrades or incident response operations. After all, attackers are investing heavily in intelligence to help ensure their actions are successful. The defensive side needs to do the same, using data and information to figure out who may attack and how they might do that.
Assessing specific threats and enemies
To carry this out, all organizations that see themselves as secure, resilient and responsible must make use of a professional cyber threat intelligence (CTI) team that takes into consideration the geopolitical landscape and state-level attackers. Companies need to know on an ongoing basis who their enemies are — through practices like actively monitoring whether potential attackers are discussing the company, its clients, service providers, type of technology or sector on the dark web. They need to watch the dark web for leakage of information about their organizations, or of log-in and other credentials. Then they can better decide what to protect first and whom to protect it against.
It is also important to understand how those parties work. Using others’ experiences in incident response is key: A CTI team needs to build a database of certain threat actors and their methods and tools, search for trends, and assess which assets they are likely to attack. When used in a proactive way, this data can help potential targets search for evidence of certain attackers’ presence and stop attacks in progress or before they occur. Importantly, attackers’ tactics, techniques and procedures (TTPs) and unique indicators of compromise (IOCs) that the intelligence team discovers can be put into an organization’s security operations center to enhance daily defense activities.
For example, a company we recently worked with was able to prevent an attack using Chinese-linked PlugX malware. This was because they were able to put one of that attacker’s IOCs — which we uncovered in a separate incident and had in our database — into their security operations center, setting up an alert if it were to be detected. This then led to finding that exact IOC on their networks and mitigating the damage before it spread.
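As an added illustration (not code from the article or from CYE), the snippet below shows how an IOC database built from earlier incidents can be matched against SOC logs to raise actor-attributed alerts, as the passage above describes. The indicators, actor names, incident IDs and log lines are all constructed placeholders, not real PlugX data.

```python
import re

# Constructed IOC database: each entry records the indicator, the actor it is
# attributed to and the incident it was learned from. Values are placeholders.
IOC_DB = [
    {"type": "domain", "value": "update-cdn.example",
     "actor": "ACTOR-A (placeholder)", "source": "incident-2023-01"},
    {"type": "sha256", "value": "a" * 64,
     "actor": "ACTOR-A (placeholder)", "source": "incident-2023-01"},
    {"type": "ip", "value": "203.0.113.45",
     "actor": "ACTOR-B (placeholder)", "source": "incident-2023-02"},
]

# Constructed key=value log lines from a proxy and an EDR agent.
SAMPLE_LOGS = [
    "ts=2023-05-01T10:00:01Z src=proxy host=ws-17 dst_domain=Update-CDN.example dst_ip=198.51.100.9",
    "ts=2023-05-01T10:00:03Z src=edr host=ws-17 event=process_create sha256=" + "a" * 64,
    "ts=2023-05-01T10:00:07Z src=proxy host=ws-22 dst_domain=intranet.corp.example dst_ip=10.0.0.5",
    "ts=2023-05-01T10:01:00Z src=proxy host=ws-09 dst_domain=mail.example dst_ip=203.0.113.45",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
# Which log fields carry which kind of indicator.
FIELD_TO_TYPE = {"dst_domain": "domain", "sha256": "sha256", "dst_ip": "ip"}


def build_index(iocs):
    # Lower-case the indicator so case variations in logs still match.
    return {(i["type"], i["value"].lower()): i for i in iocs}


def parse_line(line):
    return dict(KV_RE.findall(line))


def match_iocs(log_lines, iocs):
    """Return one alert per IOC hit, carrying the actor attribution."""
    index = build_index(iocs)
    alerts = []
    for line in log_lines:
        fields = parse_line(line)
        for field, ioc_type in FIELD_TO_TYPE.items():
            value = fields.get(field)
            hit = index.get((ioc_type, value.lower())) if value else None
            if hit:
                alerts.append({"ts": fields.get("ts"), "host": fields.get("host"),
                               "ioc_type": ioc_type, "ioc": hit["value"],
                               "actor": hit["actor"], "source": hit["source"]})
    return alerts


def hosts_by_actor(alerts):
    """Group affected hosts by attributed actor, to prioritise response."""
    grouped = {}
    for a in alerts:
        grouped.setdefault(a["actor"], set()).add(a["host"])
    return {actor: sorted(hosts) for actor, hosts in grouped.items()}
```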
If companies have the knowledge that they are being targeted or are at risk of being targeted by certain attackers, they can also appropriately increase training among personnel, especially if the attackers’ common tactics include phishing attempts. They can increase protection around the type of asset the attacker prefers. This not only improves security, but prevents waste because it means companies will no longer strive to protect everything or invest in mitigating threats that are not relevant.
Flow of intelligence is key for operations and strategy
The second part of an intelligence-backed approach is to make sure the right information and data get to the right people, not just for tactical reasons but also for strategic reasons. Different departments or organizations involved in cybersecurity need to have a plan for sharing intelligence. For example, incident response teams often find new IOCs or other markings of known groups (civilian actors and state-backed) in their daily work, and this information needs to be gathered and shared with those doing security assessments.
This information gathered in real time is much more valuable for defense than that made publicly available in bulletins following attacks. This is because as soon as a new finding about an attack group’s methods goes public, the group almost always changes its tactics, making such information useless. In contrast, real-time intelligence, not yet made public, is critical for defense.
Sharing information is especially important in understanding how and which threat actors are relevant to organizations’ vulnerabilities. CISOs and those carrying out security assessments know their own organizations and the possible vulnerabilities in them. But with the abundance of technologies and threats, knowing yourself is only half of the story; you also need to know your enemy. This is where CISOs need to rely on a team or department dedicated to threat intelligence—and make sure to communicate regularly with them.
The CTI “wingman”
A CTI team is no doubt an important part of cybersecurity strategy and is a “wingman” for any CISO to help analyze and understand the threat landscape and the actual potential threats to the organization, including the types of attacks and types of attackers. The CTI’s strategic function helps the CISO prioritize where to put the resources granted each year, including into the most relevant technological solutions, personnel, training, policies and strategies that will counter the specific threat landscape.
Strategic information should not be shared only with those carrying out cybersecurity operations, but also with others, including board members, executives and other decision-makers. Equipped with more threat intelligence details on cybersecurity, board members and other executives will gain a fuller understanding of how essential and effective cybersecurity spending can be in terms of protecting the business.
State-backed cyberattacks are no longer a threat limited to organizations of national, strategic or political importance. This means that ordinary organizations need to get more serious about threat intelligence. This will allow them to protect not just themselves but also the country and society: After all, by targeting anyone and everyone with money or data, enemy states can financially defeat economic sanctions and continue to work toward the political and strategic goals we are trying to prevent.
Elad Leon and Lionel Sigal, CYE