Threat intelligence failure – three words that have been increasingly prevalent in recent years, whether it is Russians paying bounties to the Taliban for the killing of American forces [1]; COVID-19 warnings prior to February 2020 [2]; or an unfortunate million-dollar pay-out after a ransomware attack. Whilst the third in that list may not appear to fit, I count this, too, as a threat intelligence failure for reasons that will be explored in this article.
We in the IT industry spend significant sums on threat intelligence. This is not a bad thing: properly implemented threat intelligence programs can provide tremendous organisational benefit. To further explore that topic, the following series of articles that I co-wrote with Zoe Rose is available on the Cyjax blog (here, here, and here) to provide a broader understanding of how threat intelligence can help.
As mentioned, the spend, across sectors, on threat intelligence is already significant and is expected to experience double-digit growth for the foreseeable future. [3] However, while it appears that organisations are embracing the idea of threat intelligence in principle, they are struggling with its practical application. I have previously written on that topic here: https://www.hackread.com/cyber-security-report-falls-in-forest-is-anyone-listening/
The takeaway from the article linked above, is that if we know what is being commonly exploited, then why are we still plagued by vulnerabilities from six, seven, or eight years ago? This is not new intelligence, so why hasn’t it been actioned? This is a good question, to which the answer may be surprisingly simple: executives, government leaders and those in positions to command action are simply not listening to the threat intelligence. Why not?
Professional security researchers, threat intelligence analysts, and journalists covering information security, all share similar feelings of exasperation that are encapsulated in the lead paragraph of a recent Forbes article:
The University of California, San Francisco (UCSF) has confirmed it paid a ransom totaling $1.14 million (£925,000) to the criminals behind a cyber-attack on its School of Medicine.I have been warning anyone who will listen about the dangers posed by the Netwalker ransomware threat since March 5, 2020. – Davey Winder, 2020
I was asked to provide a comment for this article and regularly contribute to Forbes in this way. While this is an honour, however, quotes in articles are generally significantly edited and necessarily constrained by the specific angle being explored. I had a lot more to say about the UCSF situation, which can now be shared:
Working in threat intelligence we have seen numerous warnings both public and private of actors – cybercriminal and Advanced Persistent Threat (APT) targeting anything to do with research related to Covid-19. Given that this attack seemed to target UCSF’s School of Medicine probably and most likely with a phishing attack, it would appear the warnings were not heeded.
Furthermore, I think it is really devastating when you receive all this great intelligence on the threat and a cybersecurity basic like robust backup is not implemented or checked (the assumption being that the encrypted data was not backed up securely and the ransom needed to be paid).
Conceivably maybe this ransomed research held the key to curing or vaccinating against Covid-19 that could be worth billions of dollars so paying the million-dollar ransom, in that case, is a “no brainer” It’s just sad and pathetic that despite the warnings and intelligence robust and secure backup was not a “no brainer.”
I make a lot of assumptions in the statements above, not least because we don’t know if UCSF has a threat intelligence program which could have foreseen and forewarned of this issue. Nor do we know if either UCSF’s IT resources, its IT management, or the university’s executives actually read any of the dozens of mainstream and information security press articles analysing the attacks expected to hit the healthcare vertical or ransomware attacks more generally. Many of the most useful articles on this subject were written four or five years ago. In 2016 or 2017, therefore, a statement along the lines of “we had no idea; we are the victim of a sophisticated attack” may have been a reasonable excuse; in 2020, however, after years of coverage and numerous warnings? Perhaps not.
In information security, we like to say, “Security is everyone’s responsibility”. I would like to take this one step further and suggest that Intelligence is everyone’s responsibility, as well. For a minimal investment – in the face of the potential costs – a formal threat intelligence program can substantially increase the likelihood that your organisation avoids a UCSF-like situation. Paying attention to what’s going on in your industry vertical, supply chain and partner organisations will also serve this purpose. If you don’t feel that you have time to pay attention to these things, however, then it’s time to find a partner that will do it for you.
[1] https://apnews.com/425e43fa0ffdd6e126c5171653ec47d1
[2] https://www.cbc.ca/news/politics/coronavirus-pandemic-covid-canadian-military-intelligence-wuhan-1.5528381
[3] “The global threat intelligence market size was estimated at USD 4.8 billion in 2019 and is expected to reach USD 5.6 billion in 2020. … The global threat intelligence market is expected to grow at a compound annual growth rate of 17.4% from 2017 to 2025 to reach USD 12.6 billion by 2025” https://www.grandviewresearch.com/press-release/global-threat-intelligence-market
[4] https://www.forbes.com/sites/daveywinder/2020/06/29/the-university-of-california-pays-1-million-ransom-following-cyber-attack/#70b5061818a