Skip to content ↓ | Skip to navigation ↓

In this final article of our trilogy, we investigate how a cyber threat intelligence (CTI) analyst and associated programmes provide insight about physical and cyber threats to your organisation. The value of these insights is reflected in the wins, which come as a result of context building, holistic understanding, and enhanced awareness in order to outmanoeuvre malicious actor(s).

“The price of greatness is responsibility” – Winston Churchill

Let’s remember, that a core value of the CTI programme is to do no harm. Ethics play a massive role in the intelligence field. Any actions taken from gathered intelligence must be done with strict review and assurance that benefits outweigh the risk of action. Only in the most serious situation, with likely grave consequences, should active measures be considered for authorisation. In fact, active measures are the least desirable approach, as they will no doubt reveal the extent and capabilities of your programme.

For example, perhaps your intelligence programme receives a tip that a group of criminals are planning to break into one of your facilities. It’s appropriate to issue a reminder to onsite personal, in order to ensure the alarms are on, the building is secured, and possibly alert the local police force if the tip seems credible. However, it would not be appropriate to deploy untrained employees to ‘defend’ the building from this potential break-in.

There are a variety of proactive approaches that mitigate threats, i.e. appropriate lighting, fencing, visible warning signs and trained security patrols, but requesting untrained employees to take action could put their lives at risk. A recommendation of a reasonable and, most importantly, proportionate response is what the intelligence programme should always offer.

Virtual Kidnapping Scam

This frightening extortion scheme is where victims truly believe their loved ones are at risk of possible violence and even death. Due to this belief, the victim pays a ransom to free their loved one. In reality, the loved one is simply withheld from communication by some measure and often is unaware. If the victim did not make payment, eventually the relative would return or become available to communicate regardless.

Unlike traditional abductions, virtual kidnappers have not actually kidnapped anyone. Instead, through deceptions and threats, they coerce victims to pay a quick ransom before the scheme is discovered; before the loved one reappears.

This is another form of social engineering attack, however, not one we usually discuss. But it’s playing off the same set of emotions you might find in a Phishing email – fear, uncertainty, and that ever-present clock counting down until bad things happen.

Failures that lead to a successful virtual kidnapping can stem from gaps in the operational security (OpSec), such as actively sharing locational data, and this information together provides a public picture of a target’s life. Often, this can be passive monitoring of a target’s social media accounts. A malicious actor can review shared information to determine the affluence, associations, friends and social activities to time an attack, and increase the likely hood of a payment.  If you are interested in learning more about this, read the FBI’s article on Virtual Kidnapping.

A CIT programme lives in a worst-case scenario view, which includes relevant threat models, understanding of the attack surface, along with the constraints.

Implementation of a CTI programme within an educational institution, especially ones which are made up of wealthy student bodies, would need to anticipate this virtual kidnapping scam along with traditional abductions. They would need to drive proactive actions such as recommendations and/or restrictions of public information, practices, and limiting audience view.

Whilst Parents are naturally protective of their children, they can also be proud and wish to share achievements such as first days of school in the new uniform pictures, and these seemingly small mistakes can bring harmful consequences.

Applying the threat model:

  • Unfortunately, not all audience members viewing a photo of a uniformed child have the best intentions, it’s important to recognise what information a photograph can reveal.
  • When sharing on social media platforms, be aware there’s a chance a profile is viewable to more than the intended audience, often there is no way to know all who viewed an image.
  • Sites hosting images might not have a great track record, especially with what the general public knows about the value of their data.
  • Not all websites remove the metadata, i.e. hidden data on where/when a photo was taken.
  • Not all photo editors change the file when cropping, it is possible at times to restore to the original version.
  • Even when you limit your connections to known contacts, their profiles might not be as restricted, and/or can be used to access information you didn’t realise.
  • Limit locational information shared, such as through Instagram photos, until after you have left the location.
  • Do not ‘check in’ to loved one’s homes or share details of your usual routine.

Providing Proactive Recommendations

Limit your audience, make sure you know who you’re sharing a photo and/or information with, and remove anything that you do not wish the world to know. When posting photos of children, make the conscious decision whether or not faces should be included – this is a decision both you and your child should be a part of. Remove or blur labelled items, consider if a blank wall is a better option than the back garden.

Countering Business Email Compromise attacks (BEC)

Cyber Criminals compromise email systems – often by poorly secured office 365 or outlook web access accounts. Sometimes these criminals use social engineering tactics to gain information about corporate payment or payroll systems. They can deceive company employees into transferring money into a new bank account, using an updated invoice that was legitimate – also commonly referred to as invoice redirection scams. The FBI reports that $3.5 Billion was lost to cyber-crime in 2019, noted to be led by Business Email Compromise attacks.

CTI programmes would identify BEC attacks as a key risk to organisations, especially ones invoicing/paying many large accounts; and therefore analyse the processes and procedures for accounts payable/receivable.

Requests for a changing in banking information from legitimate invoices, or even completely fictitious invoices in the first place, are all different aspects of this sort of financial attack. For individuals, it could be as simple as discounted gift cards, where they cost £10 for £100 card credit. Organisations large and small fall for this attack, a few examples you might have heard of is when Google paid $23 million and Facebook $100 million to criminals who simply sent them invoices.

Another example, that includes misuse of their position as well as fraud, was an insider threat who registered a company and invoiced his employer for hardware that didn’t exist; earning a total of £4.6 million over four years.

Providing the Proactive Recommendations

  • Verify all requests to update or change banking, payroll or any financial information.
  • Make this verification over known, previously confirmed secure communication channels – such as making a telephone call.
  • Confirm the identity of the requesting individual using an out of band means, i.e. the telephone call on a known number.
  • Never respond to any urgent requests via email or chat without verifying and confirming the identity of the requestor. If they call you, request to call them back on a known number – remember even caller ID can be faked.
  • If there are any suspicions, ask someone else to verify the transaction.
  • Set up executives with code words or authorisation codes, prior to an incident, and request it for further verification.
  • Implement separation of duties, so no one person can sign off invoices.
  • Have a job/role rotation schedule that limits a person’s capability to abuse their position. This rotation can include mandatory holiday leave.

Spotting an Attack Before it Occurs

There are a number of sources of information on the internet which can be leveraged into an early warning of an impending attack. Being on the lookout for those signs is the primary job of a CTI programme. In order to conduct a typical cyber-attack, the malicious actor(s) must complete several steps – some of which can be noticeable, such as active information gathering, or even passive gathering if monitoring specific sources.

A typical cyber-attack, delivered by a phishing campaign to an organisation, requires infrastructure. In order to send the email, launch an exploit, deploy and control a Trojan and order it to download a ransomware payload, for example – these all require infrastructure either owned or software-as-a-service.

Prior to interacting within the organisation’s environment, what can organisations look for? Consider the attack that is commonly seen in a phishing email: similar-looking domains. Known as typosquatting, and URL hijacking, these forms of attack simply rely on typographical errors, small differences that go unnoticed and confuse users into thinking an email was from a legitimate sender or that a URL links to a legitimate site. RoseSec[.]com is legitimate whereas RoséSec[.]com is not – you can notice the accent over the e in this article, but could you see it on your phone with it’s smaller typeface?

All of these attacks with fake domains, certificate registrations and hosted infrastructure are indicators of a malicious actor potentially getting ready to attack. Even if you remain unaware of this first layer, the early stages of cyber-attack can also be detected. Malicious actor(s) have to gain system access which involves interacting with your environment, making changes to systems and possibly even disrupting services.

By identifying these signs, a good CTI programme can make recommendations like:

  • Provide additional but tailored awareness training to employees with specific roles that may be impacted.
  • Run an awareness campaign, such as advising users to never enter their credentials into a link launched from an email, simply navigate to known sites manually.
  • Make use of password managers, not saving credentials in-browser, and allowing that password manager to support identifying it a URL is known or unknown for an account.
  • Alert the network team/email filter to block inbound and outbound communications from specific locations such as an IP address or domain name.
  • Report the domain as malicious to the registrar, and investigate any host resolving to that domain and ask for that infrastructure to be taken down.
  • Monitoring data breach sources, just like the previously mentioned intelligence feeds, these sources are providing insight into sources that could be used to compromise the organisation. i.e. credential stuffing and/or reuse. Signing up for alerting on resources such as allows organisations to become aware if one of their user accounts has been compromised in a data breach, and therefore may require additional monitoring, password changes, and/or further restrictions depending on the account’s access.

These are just a few of the many examples we have seen where a CTI programme and good analysis can prevent a major security issue from personal, physical, and professional environments. These CTI programmes have helped thwart serious cyber-attacks on the organisation and provided wins that can be used to enhance existing security controls. Often, following a win these CTI programmes share internally, not just to build awareness, but also to highlight the value of seemingly small indicators and encouraging discussions. These wins are also used to monitor for any identification of trends.

Knowing that malicious actor(s) are using OSINT, and intelligence within their targets to enhance their chance of success, organisations should be making use of these techniques as well, in order to identify and reduce their chances. Whilst we aren’t saying CTI programmes will remove all risk, we are saying these insights will work to strengthen an existing security programme and ultimately make the organisation more resilient.

About the Co-Author:

Ian Thornton-Trump cloud securityIan Thornton-Trump, CD is an ITIL certified IT professional with 25 years of experience in IT security and information technology. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013. After a year with the RCMP as a Criminal Intelligence Analyst, Ian worked as a cybersecurity analyst/consultant for multi-national insurance, banking and regional health care. His most memorable role was being a project manager, specializing in cybersecurity for the Canadian Museum of Human Rights. Today, as Chief Information Security Officer for Cyjax Ltd., Ian has deep experience with the threats facing small, medium and enterprise businesses. His research and experience have made him a sought-after cybersecurity consultant specializing in cyber threat intelligence programs for small, medium and enterprise organizations. In his spare time, he teaches cybersecurity and IT business courses for CompTIA as part of their global faculty and is the lead architect for Cyber Titan, Canada’s efforts to encourage the next generation of cyber professionals.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.