
1 Introduction

The purpose of this report is to present the findings of an analysis of threat intelligence with relevance to [Organization Name]. Reports are produced at three levels, with the following characteristics:

| LEVEL | DESCRIPTION |
|---|---|
| Strategic | Focused on the collection and analysis of high-level information regarding groups of attackers, their motivation, typical targets, types of attack and current levels of activity. |
| Tactical | Concerned with specific attackers or types of attackers and the tactics, techniques, and procedures (TTPs) that they are currently using to gain access to systems or otherwise pose a threat to our organization. |
| Operational | Relating to specific and potentially ongoing attacks, including indicators of compromise (IOCs) which may allow us to identify cases where we have suffered a breach. |

Table 1: Threat intelligence levels

This document is classified as a strategic/tactical/operational [Delete as appropriate] level report and is produced on an ad hoc/annual/monthly/weekly [Define report frequency] basis.

The assessment contained within this report is based on an analysis of information collected from the sources listed in Appendix A. These sources have been reviewed to assess their reliability, accuracy and completeness. The information has then been analysed within [Organization Name] to identify specific intelligence that is actionable within our organization to reduce risk.

We welcome feedback on the frequency, layout, contents and any other aspects of this report, which will be used to improve future reports. Feedback should be sent to [Give feedback contact details].

2 Executive Summary

[Describe the main topics and conclusions of the report, with a clear focus on anything the reader needs to do as a result of it. This section should be short and written in language that is appropriate to the audience (for example, non-technical).]

The activity of several cybercriminal gangs has increased recently, with the number of ransomware attacks (where files are encrypted and money is demanded for the key to decrypt them) targeting organizations similar to ours growing sharply.

The attacks are achieved using phishing techniques, where a fake email containing malware is sent to someone within the target company. Files are then encrypted, often with backups also being affected, hampering recovery.

This report recommends that user awareness training is increased within the organization, particularly for management, and that a program of phishing testing is introduced. Cyber insurance should also be investigated as an option, as ransom demands can exceed one million Euros.

3 Threat intelligence assessment

3.1 Threat Actors

[State who the threat comes from in as much detail as is known, for example a specific nation state, criminal gang or hacking collective.]

A number of cybercriminal gangs, mainly based in Russia, are currently active in launching ransomware attacks using very similar methods. These are believed to be:

• Weevil
• BadGang
• HackU

There have been a number of high-profile cases where significant ransoms have been paid. The level of activity of these groups has increased greatly over the last few months, and international efforts to close them down have not yielded results so far.

3.2 Motivations

[Describe the main motivations behind the threat, for example political, financial or commercial and what the threat actor is trying to achieve through their actions.]

The main motivation for these attacks is financial, with significant amounts being paid out in cryptocurrency. A secondary motivation is political, as only western organizations are known to be targeted.

3.3 Targets

[Define the people, organizations or groups that are being targeted by the threat actor depending on their motivation, for example retail companies, Apache web server users or CEOs.]

Generally, the targets of these attacks are thought to be mid-size public companies in Europe and the USA using Microsoft Windows as their server and desktop operating system. Companies where the availability of systems is critical to real-time processing, such as in manufacturing or health, are particularly targeted.

3.4 Tactics, Techniques, and Procedures (TTPs)

[Set out the ways in which the threat actor will attempt to attack its targets, including the timing of the attacks, the vulnerabilities exploited, the tools used and the intended impact.]

Phishing emails are sent to the management team, often crafted with specific details taken from social media profiles. Recipients are asked to open a Microsoft Excel file (or similar) which contains malware. The malware installs remote access software onto the user’s device which is then used to access the network from Russia (often using a VPN to disguise the source) and download further malware. Anti-virus programs are bypassed using obfuscation techniques or disabled completely. The ransomware program is then replicated across the network, often over a period of weeks. Attempts are also made to disrupt or infect backups that are taken during this time. When ready, the attack is launched, and all network-attached folders are encrypted. A ransom is demanded in return for the decryption key and an assurance that data will not be sold or published on the Internet. The ransom must be paid in cryptocurrency. In general, organizations that have paid the ransom have been able to recover their systems using the provided key, but there have been some cases of further ransoms being demanded to prevent sensitive data being leaked or sold.
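As an added example (not part of this report template), the following Python script scores constructed mail-gateway log records against the pattern described above: an external or unauthenticated sender delivering an Office attachment to a management mailbox. The internal domain, the management mailboxes, the JSON log format, the `auth_pass` field and the attachment weights are all assumptions made for illustration, not values from the report.

```python
"""
Added example (not part of the report): a triage filter that scores
mail-gateway log records against the phishing pattern from section 3.4,
i.e. an external sender delivering an Office attachment to the management team.
The log format, domain and mailbox names below are constructed for the example.
"""
import json
import os
from dataclasses import dataclass, field

# Assumed values: replace with the organization's real domain and executive mailboxes.
INTERNAL_DOMAIN = "example.org"
MANAGEMENT_RECIPIENTS = {"ceo@example.org", "cfo@example.org", "coo@example.org"}

# Attachment types weighted by how readily they carry executable content.
MACRO_ENABLED = {".xlsm", ".docm", ".pptm", ".xlam"}   # macro-enabled Office formats
LEGACY_OFFICE = {".xls", ".doc", ".ppt"}                # binary formats, macros allowed
PLAIN_OFFICE = {".xlsx", ".docx", ".pptx"}              # no macros, but still usable as a lure

ALERT_THRESHOLD = 4   # assumed cut-off; tune against real gateway volume


@dataclass
class Alert:
    message_id: str
    score: int
    reasons: list = field(default_factory=list)


def sender_is_external(sender: str) -> bool:
    """True when the envelope sender is not in the internal domain."""
    return not sender.lower().endswith("@" + INTERNAL_DOMAIN)


def attachment_score(name: str) -> int:
    """Score an attachment by its extension (0 when it is not an Office file)."""
    ext = os.path.splitext(name)[1].lower()
    if ext in MACRO_ENABLED:
        return 3
    if ext in LEGACY_OFFICE:
        return 2
    if ext in PLAIN_OFFICE:
        return 1
    return 0


def score_message(rec: dict) -> Alert:
    """Combine the indicators described in section 3.4 into a single score."""
    reasons = []
    score = 0
    if sender_is_external(rec["from"]):
        score += 1
        reasons.append("external sender")
    if not rec.get("auth_pass", True):   # assumed SPF/DKIM/DMARC result from the gateway
        score += 2
        reasons.append("sender authentication failed")
    targeted = [r for r in rec.get("to", []) if r.lower() in MANAGEMENT_RECIPIENTS]
    if targeted:
        score += 2
        reasons.append("management recipient: " + ", ".join(targeted))
    for att in rec.get("attachments", []):
        s = attachment_score(att)
        if s:
            score += s
            reasons.append(f"office attachment {att} (+{s})")
    return Alert(rec["id"], score, reasons)


def triage(log_lines, threshold: int = ALERT_THRESHOLD):
    """Parse JSON log lines and return the messages scoring at or above the threshold."""
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        alert = score_message(json.loads(line))
        if alert.score >= threshold:
            alerts.append(alert)
    return alerts


# Constructed sample gateway log (one JSON object per line); not real traffic.
SAMPLE_LOG = [
    '{"id": "m1", "from": "accounts@invoice-portal.example", "to": ["cfo@example.org"], "auth_pass": true, "attachments": ["Q3_invoice.xlsm"]}',
    '{"id": "m2", "from": "alice@example.org", "to": ["bob@example.org"], "auth_pass": true, "attachments": ["budget.xlsx"]}',
    '{"id": "m3", "from": "news@vendor.example", "to": ["helpdesk@example.org"], "auth_pass": true, "attachments": ["brochure.pdf"]}',
    '{"id": "m4", "from": "ceo@example-org.example", "to": ["ceo@example.org"], "auth_pass": false, "attachments": []}',
]

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a.message_id, a.score, "; ".join(a.reasons))
```

On the sample log, m1 (external sender, macro-enabled workbook, CFO recipient) and m4 (look-alike domain failing authentication, CEO recipient) are flagged; the internal spreadsheet and the vendor PDF are not. The scoring is deliberately additive so that a single indicator never triggers on its own, which keeps the rule usable as a triage aid for the kind of review the ICT team is already performing rather than as a blocking control.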

3.5 Implications for our organization

[Describe how the information given in the previous sections relates to our organization, for example whether we are in the target group, use the technology that is exploited, or are particularly vulnerable to the methods used.]

Our organization fits the target profile of the attackers as we are a mid-size company based in Europe. Several phishing emails matching the profile used by the attackers have already been identified by the ICT team and prevented from reaching users.

Although some awareness training has been provided to users, senior management has not been as involved as lower-level users, and some members of the team are vulnerable to this type of phishing attack.

The amounts paid to criminal gangs as a result of this campaign have typically been between one and two million Euros, which would represent a significant cost to our organization.

3.6 Recommended actions

[Set out the actions that are recommended to mitigate the threat as much as possible, including what must be done, by whom and how urgently.]

The following actions are recommended in relation to this threat intelligence:

| REF | RECOMMENDATION | WHO | URGENCY |
|---|---|---|---|
| 1 | Increase the frequency and audience for user awareness training, to include senior management, particularly around phishing. | ICT Team | High |
