ISMS-DOC-A05-7-3 Threat Intelligence Report


Threat Intelligence Report

ISO/IEC 27001 Toolkit: Version 11A ©CertiKit


Threat Intelligence Report [Insert classification]

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text, and certain generic terms, see the Completion Instructions document.

Purpose of this document

The Threat Intelligence Report provides information about threats at the strategic, tactical and operational levels.

Areas of the standard addressed

The following areas of the ISO/IEC 27002:2022 standard are addressed by this document:

• A.5 Organizational controls
  o A.5.6 Contact with special interest groups
  o A.5.7 Threat intelligence

General guidance

The contents of each report will vary according to the level it applies to; for example, a strategic report will generally be significantly less specific than an operational one. However, the headings given in this report template will provide a good starting point for the areas that should be addressed.

Review frequency

We would recommend that this document is reviewed annually and on major changes to the organization.

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):

Version 1

Page 2 of 13

[Insert date]


1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly. Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents on an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.



Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.



Threat Intelligence Report

Version 1

DOCUMENT CLASSIFICATION: [Insert classification]
DOCUMENT REF: ISMS-DOC-A05-7-3
VERSION: 1
DATED: [Insert date]
DOCUMENT AUTHOR: [Insert name]
DOCUMENT OWNER: [Insert name/role]


Revision history

VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES

Distribution

NAME | TITLE

Approval

NAME | POSITION | SIGNATURE | DATE


Contents

1 Introduction ... 8
2 Executive Summary ... 9
3 Threat intelligence assessment ... 10
  3.1 Threat Actors ... 10
  3.2 Motivations ... 10
  3.3 Targets ... 10
  3.4 Tactics, Techniques, and Procedures (TTPs) ... 10
  3.5 Implications for our organization ... 11
  3.6 Recommended actions ... 11
4 Appendix A: Threat intelligence sources ... 13

Tables

Table 1: Threat intelligence levels ... 8
Table 2: Recommended actions ... 12
Table 3: Threat intelligence sources ... 13



1 Introduction

The purpose of this report is to present the findings of an analysis of threat intelligence with relevance to [Organization Name]. Reports are produced at three levels, with the following characteristics:

LEVEL | DESCRIPTION
Strategic | Focused on the collection and analysis of high-level information regarding groups of attackers, their motivation, typical targets, types of attack and current levels of activity.
Tactical | Concerned with specific attackers or types of attackers and the tactics, techniques, and procedures (TTPs) that they are currently using to gain access to systems or otherwise pose a threat to our organization.
Operational | Relating to specific and potentially ongoing attacks, including indicators of compromise (IOCs) which may allow us to identify cases where we have suffered a breach.

Table 1: Threat intelligence levels

This document is classified as a strategic/tactical/operational [Delete as appropriate] level report and is produced on an ad hoc/annual/monthly/weekly [Define report frequency] basis.

The assessment contained within this report is based on an analysis of information collected from the sources stated in Appendix A. These sources have been reviewed to assess their reliability, accuracy and completeness. This information has then been analysed within [Organization Name] to identify specific intelligence that is actionable within our organization to reduce risk.

We welcome feedback on the frequency, layout, contents and any other aspects of this report, which will be used to improve future reports. Feedback should be sent to [Give feedback contact details].


2 Executive Summary

[Describe the main topics and conclusions of the report, with a clear focus on anything the reader needs to do as a result of it. This section should be short and written in language that is appropriate to the audience (for example, non-technical).]

The activity of several cybercriminal gangs has increased recently, and the number of ransomware attacks (where files are encrypted and money is demanded for the key to decrypt them) targeting organizations similar to ours is growing sharply. The attacks are carried out using phishing techniques, where a fake email containing malware is sent to someone within the target company. Files are then encrypted, often with backups also being affected, which hampers recovery.

This report recommends that user awareness training is increased within the organization, particularly for management, and that a program of phishing testing is introduced. Cyber insurance should also be investigated as an option, as ransom demands can exceed one million Euros.


3 Threat intelligence assessment

3.1 Threat Actors

[State who the threat comes from in as much detail as is known, for example a specific nation state, criminal gang or hacking collective.]

A number of cybercriminal gangs, mainly based in Russia, are currently active in launching ransomware attacks using very similar methods. These are believed to be:

• Weevil
• BadGang
• HackU

There have been a number of high-profile cases where significant ransoms have been paid. The level of activity of these groups has increased greatly over the last few months, and international efforts to close them down have not yielded results so far.

3.2 Motivations

[Describe the main motivations behind the threat, for example political, financial or commercial, and what the threat actor is trying to achieve through their actions.]

The main motivation for these attacks is financial, with significant amounts being paid out in cryptocurrency. A secondary motivation is political, as only western organizations are known to be targeted.

3.3 Targets

[Define the people, organizations or groups that are being targeted by the threat actor depending on their motivation, for example retail companies, Apache web server users or CEOs.]

Generally the target of these attacks is thought to be mid-size public companies in Europe and the USA using Microsoft Windows as their server and desktop operating system. Companies where the availability of systems is critical to real-time processing, such as in manufacturing or health, are particularly targeted.

3.4 Tactics, Techniques, and Procedures (TTPs)

[Set out the ways in which the threat actor will attempt to attack its targets, including the timing of the attacks, the vulnerabilities exploited, the tools used and the intended impact.]

Phishing emails are sent to the management team, often crafted with specific details taken from social media profiles. Recipients are asked to open a Microsoft Excel file (or similar) which contains malware. The malware installs remote access software onto the user’s device, which is then used to access the network from Russia (often using a VPN to disguise the source) and download further malware. Anti-virus programs are bypassed using obfuscation techniques or disabled completely. The ransomware program is then replicated across the network, often over a period of weeks. Attempts are also made to disrupt or infect backups that are taken during this time.

When ready, the attack is launched and all network-attached folders are encrypted. A ransom is demanded in return for the decryption key and an assurance that data will not be sold or published on the Internet. The ransom must be paid in cryptocurrency. In general, organizations that have paid the ransom have been able to recover their systems using the provided key, but there have been some cases of further ransoms being demanded to prevent sensitive data being leaked or sold.
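The TTP narrative above becomes actionable once it is turned into checks that can run over the organization's own logs. The following Python script is an added illustration of that step and is not part of the CertiKit template: it scores constructed mail-gateway lines against the delivery indicators in this section (external sender, management recipient, spreadsheet or macro-enabled attachment, failed sender authentication) and raises alerts from constructed endpoint lines for the two later-stage indicators described here (anti-virus disabled, repeated backup failures). The log line formats, the field and event names, the scoring weights and the management address list are all assumptions made for this example and would need to be replaced with the real gateway and backup tooling's formats.

```python
"""Triage of constructed log lines against the ransomware indicators described in
section 3.4 of this report. Added illustration, not part of the CertiKit template.
Log formats, field names, event names, weights and addresses are assumptions."""
import re
from collections import Counter

# Assumption: addresses that count as the "management team" in this illustration.
MANAGEMENT = {"ceo@example.org", "cfo@example.org", "coo@example.org"}
INTERNAL_DOMAIN = "example.org"

# "Microsoft Excel file (or similar)"; macro-capable formats are scored again
# because they can carry executable content.
SPREADSHEET_EXT = re.compile(r"\.(xls[mb]?|xlsx|xlam|csv)$", re.IGNORECASE)
MACRO_EXT = re.compile(r"\.(xlsm|xlsb|xlam|docm)$", re.IGNORECASE)

# Assumed gateway line: "<ts> mailgw from=<addr> to=<addr> attach=<file> spf=<result>"
MAIL_LINE = re.compile(
    r"^(?P<ts>\S+) mailgw from=(?P<sender>\S+) to=(?P<rcpt>\S+) "
    r"attach=(?P<attach>\S*) spf=(?P<spf>\S+)$"
)
# Assumed endpoint/backup line: "<ts> host=<name> event=<name> [key=value ...]"
ENDPOINT_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)")


def score_mail(line):
    """Score one gateway line. Returns (recipient, score, reasons), or None when the
    line does not match the assumed format (so unrelated lines are skipped)."""
    m = MAIL_LINE.match(line)
    if m is None:
        return None
    f = m.groupdict()
    score, reasons = 0, []
    if not f["sender"].lower().endswith("@" + INTERNAL_DOMAIN):
        score += 1
        reasons.append("external sender")
    if f["rcpt"].lower() in MANAGEMENT:
        score += 2
        reasons.append("management recipient")
    if SPREADSHEET_EXT.search(f["attach"]):
        score += 2
        reasons.append("spreadsheet attachment")
    if MACRO_EXT.search(f["attach"]):
        score += 2
        reasons.append("macro-enabled attachment")
    if f["spf"] != "pass":
        score += 1
        reasons.append("sender authentication not passed")
    return f["rcpt"], score, reasons


def triage_mail(lines, threshold=5):
    """Return every scored line at or above the threshold, in log order."""
    flagged = []
    for line in lines:
        result = score_mail(line)
        if result is not None and result[1] >= threshold:
            flagged.append(result)
    return flagged


def endpoint_alerts(lines, failure_limit=3):
    """Flag hosts where real-time anti-virus was disabled, and hosts whose backup
    jobs have failed failure_limit times (the AV bypass and backup disruption
    stages described in section 3.4). One alert per host per condition."""
    alerts = []
    failures = Counter()
    for line in lines:
        m = ENDPOINT_LINE.match(line)
        if m is None:
            continue
        host, event = m["host"], m["event"]
        if event == "av_realtime_disabled":
            alerts.append((host, "anti-virus real-time protection disabled"))
        elif event == "backup_job_failed":
            failures[host] += 1
            if failures[host] == failure_limit:
                alerts.append((host, "repeated backup job failures"))
    return alerts


# Constructed sample input; not real traffic. The fourth mail line is malformed on
# purpose to show that unparsable lines are skipped rather than aborting the run.
SAMPLE_MAIL = [
    "2024-01-15T08:01:02Z mailgw from=news@vendor.example to=staff@example.org attach= spf=pass",
    "2024-01-15T08:05:44Z mailgw from=ceo.assistant@example-corp.biz to=cfo@example.org attach=Q4_figures.xlsm spf=fail",
    "2024-01-15T08:07:10Z mailgw from=hr@example.org to=coo@example.org attach=rota.xlsx spf=pass",
    "2024-01-15T08:09:00Z mailgw queue flushed",
]
SAMPLE_ENDPOINT = [
    "2024-01-15T09:00:00Z host=ws-cfo-01 event=av_realtime_disabled actor=SYSTEM",
    "2024-01-15T22:00:00Z host=bkp-01 event=backup_job_failed job=nightly",
    "2024-01-16T22:00:00Z host=bkp-01 event=backup_job_failed job=nightly",
    "2024-01-17T22:00:00Z host=bkp-01 event=backup_job_failed job=nightly",
    "2024-01-17T22:05:00Z host=bkp-02 event=backup_job_ok job=nightly",
]

if __name__ == "__main__":
    for rcpt, score, reasons in triage_mail(SAMPLE_MAIL):
        print(f"{rcpt}: score {score}: {', '.join(reasons)}")
    for host, what in endpoint_alerts(SAMPLE_ENDPOINT):
        print(f"{host}: {what}")
```

On the constructed input only the macro-enabled spreadsheet sent from an external look-alike domain to the CFO crosses the threshold; the internal HR spreadsheet to the COO scores 4 and is not flagged, which is the intended behaviour for a first-pass filter. The backup check deliberately waits for three failures so that a single transient job error does not raise an alert.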

3.5 Implications for our organization

[Describe how the information given in the previous sections relates to our organization, for example whether we are in the target group, use the technology that is exploited, or are particularly vulnerable to the methods used.]

Our organization fits the target profile of the attackers as we are a mid-size company based in Europe. Several phishing emails matching the profile used by the attackers have already been identified by the ICT team and prevented from reaching users. Although some awareness training has been provided to users, senior management has not been as involved as lower-level users, and some members of the team are vulnerable to this type of phishing attack. The amounts paid to criminal gangs as a result of this campaign have typically been between one and two million Euros, which would represent a significant cost to our organization.

3.6 Recommended actions

[Set out the actions that are recommended to mitigate the threat as much as possible, including what must be done, by whom and how urgently.]

The following actions are recommended in relation to this threat intelligence:

REF | RECOMMENDATION | WHO | URGENCY
1. | Increase the frequency and audience for user awareness training, to include senior management, particularly around phishing. | ICT Team | High
2. | Initiate a program of phishing testing, linked to the provision of the awareness training. | ICT Team | Medium
3. | Investigate the viability of purchasing cyber insurance for the organization. | Procurement | High

Table 2: Recommended actions


4 Appendix A: Threat intelligence sources

The following sources of threat intelligence were used in the creation of this report:

SOURCE | ITEM DESCRIPTION | LINK
ENISA (European Union Agency for Cybersecurity) | Report - ENISA Threat Landscape 202x | [insert link]
CISA (US Cybersecurity and Infrastructure Security Agency) | Alert (AA26-291B): Ransomware activity | [insert link]
Mandiant | Blog article: FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets | [insert link]

Table 3: Threat intelligence sources
