Threat intelligence and its role in Cyberwarfare
By Dónal Munnelly
Anyone in a business with high IT dependency will know the importance of cyber security in 2021. But the scale and pace of the arms race between attackers and protectors is still not widely understood outside the industry. On BT’s Cyber Security Platform alone, 600,000 events are processed every second and each month we block over 100 million connections to malware sites.
The scale of our role as a global protector reflects the scale of the threat. Where once malicious code was delivered by individuals or small groups, it’s now an open market, one increasingly run by cybercrime groups and even nation states, who collaborate with shared infrastructure that facilitates ever-changing attacks while obfuscating their origin.
The way in which their malware threats penetrate a perimeter, spread, persist and cause multiple types of disruption has become a major battleground. BT and other security practitioners have to be every bit as agile as the bad actors; we have to fight back on their terms and infiltrate their infrastructure just as they try to infiltrate ours.
How this works in practice is exemplified in the way we fought Emotet, one of the biggest malware attacks in recent years.
Attack as a form of defence
What started out as a banking Trojan used to steal financial data changed into a more widespread infection in 2019, with the payload delivered via phishing emails. One of the tricks used by the cybercriminals was to drop malicious Emotet files into email chains where multiple people communicate. Because users trust the emails and the content is familiar, they are more susceptible to generic requests that contain malware.
Emotet is polymorphic, which means it constantly changes its control flow and evades signature-based detection once it has infected an environment. Because criminal groups share exploits and use earlier infections to detect data that is used in subsequent attacks, it poses a major challenge for endpoint detection and response (EDR) solutions.
In August last year, our cyber team detected a new Emotet campaign and alerted our customers to the imminent threat. Our analysts were scrutinising Emotet samples in September; by October, when a major botnet attack got under way as we predicted, we were ready with a defence.
We mitigated the risk by using the malware’s C2 (command and control) interface to reverse-engineer the upcoming host list. This provided valuable intelligence that allowed our Security Operation Centre and security partners to contain the addresses and stop the attacks. Basically, we pretended to be a victim and got C2 lists that gave us access to Emotet updates, which we sandboxed and analysed in real time, enabling us to apply mitigation tools.
By December we had that campaign under control and the cybercriminals knew we were on to them. By January they had changed their code and a new Emotet threat was on the rise. This is the landscape we all now operate in: a cat-and-mouse battle where a global security provider like BT has to be agile enough to stay on top of constantly evolving threats.
The need for collaboration and global threat intelligence is paramount, which is why we now share some of the information we monitor via the BT Cyber Index. It gives a high-level view of the threats that we protect our customers against on a daily basis, including DDoS alerts, phishing sites we’ve taken down, malware sites blocked and scam activity that we’ve acted upon.
Given the sheer scale and breadth of our global networks, the data we provide offers valuable insights into the wider security ecosystem and a snapshot of the growing threat landscape. The good news for our customers is that it’s inherent in all our security offerings and puts them on the front foot in a war where advanced intelligence is one of the best weapons you can have.