Over the past two weeks, we’ve examined the findings from SIEM vendor AlienVault’s Open Threat Exchange (OTX) platform report. AlienVault commissioned and designed these reports to put the anonymised security event information collected from their customers to use: they’re meant to help other security vendors and solution providers improve their comprehensiveness and adaptability. Part one of the report focused on exploits, and part two focused on malware.
Today, AlienVault released Part Three of its findings, this time exploring the most reported threat actors and patterns, so that solution seekers can learn about the nefarious people attempting to infiltrate their enterprise’s databases.
Here are the 3 key findings from Part Three:
1. Determining the Threat Actors That Pose the Most Risk is Not Simple
The threat actor that poses the most risk to your enterprise differs wildly from the threat actor targeting enterprises in a separate industry, or even an enterprise of a different size. If you are a medium-sized business that deals with food promotion, you will have a very different set of threat actors to worry about than a global energy conglomerate. To use a nerdy analogy, the Joker represents a villain that is most suited to fighting and is most interested in fighting Batman, whereas he wouldn’t be nearly as capable, nor as invested, against Aquaman.
So even as Sofacy, the Lazarus Group, Anunak, Turla Group, and OilRig are considered the five most active hacking groups as detected by the OTX, those actors may not consider your enterprise or even your industry as a target. That does not mean that your enterprise or small-to-medium business is not at risk of a cyberattack; it just means that you are (possibly) most vulnerable to a hacker that may not make national headlines.
2. Determining How Capable a Threat Actor Is Can Also Be Tricky
“How capable is the threat actor working against your enterprise?”
It is actually a far trickier question than it appears. If a hacker never uses automated spear-phishing tactics against your enterprise, does that mean they lack the knowledge and resources to run an automated attack? Or are they actually specially tailoring each fraudulent message for each of your employees for a greater success rate?
Moreover, it can be difficult to tell how some hacking groups even operate; AlienVault acknowledges that certain criminal organizations have seemingly gone dark after some recent unwanted public attention. The vendor is convinced these groups are still active, just acting quietly outside the notice of solutions providers, perhaps operating under different handles and with different tactics.
3. The Most Active Threat Actors Have (Alleged) State Backing
The most referenced threat actor, Sofacy—also infamously known as Fancy Bear—is best known for its attacks on the U.S. and French elections in the past few years, and has alleged ties (which most cybersecurity experts are convinced of) to Russian military intelligence agencies.
The next highest ranked actor, Lazarus, has been connected to the North Korean government, somewhat confirmed by their continual attacks against South Korea. The 10th highest is operating out of China, which represents a significant decrease following political pressure to stop such activities against the West and increases in evasion tactics by those groups.
It speaks to a fundamentally different world than the one we imagine of a hacker in a dark basement. Now threat actors have the resources and the motivation to go further and attack more persistently and precisely than ever before—and the evidence shows that they will.
You can read part three of the report in full here.