People ask me all the time, ‘What keeps you up at night?’ And I say, ‘Spicy Mexican food, weapons of mass destruction, and cyber attacks.’— Dutch Ruppersberger, American lawyer and politician
Wherever you might live—a house, an apartment, whatever—you almost certainly have locks on your doors. Why? Because you know that without them a burglar could just walk into your home and steal whatever they wanted. What you’ve done is deploy a basic security strategy (locks) against a well-understood threat actor (a burglar).
Now, let’s say you read in your local news that thieves in your community have been entering homes via unlocked windows. What do you do? You start checking that your windows are locked and maybe you put locks on them. By learning about an exploit that could be used to attack your property and then setting up a countermeasure before you get attacked, you have reduced your risk. Most importantly, you have acted upon security intelligence (the reported threat), expanded your understanding of your threat surface (i.e., the list of ways in which you might be vulnerable to an attack), and reduced it.
After that, and even more strategically, you start paying a lot more attention to your home security. You make sure to check the news every day, read the crime statistics and bulletins produced by your local police department, and maybe join your local neighborhood watch. You are now actively consuming and responding to security intelligence in the real world.
The traditional approach to cyber security was much like the first scenario we just discussed: putting locks on your doors. You thought about how the bad guys might try to enter your network, so you put in a firewall and ensured that people using your network resources remotely could only get in via a VPN. You added anti-malware to your end-user systems, and you started training your people to identify and avoid phishing scams. You were, as in the home security example, acting on security intelligence to create and enhance your defenses against each type of cyber threat.
Then along came attacks more focused on specific targets. A recent example of this kind of cyber threat was the Log4j vulnerability identified in 2021. Instead of being a general threat like phishing, this was a specific vector of risk. If you were running the widely used Apache Log4j Java logging library at a version prior to 2.17.0 as part of your infrastructure (“were,” hoping your organization is not one of the thousands that still haven’t fixed the problem), your risk was certain and you had to fix the vulnerability immediately.
We can break down threat intelligence into four types:
The goal of operational security intelligence is to understand specific threats in the context of how the organization is currently functioning. For example, if you don’t know how to identify DDoS attacks you won’t know when you’re being targeted, and you won’t have the correct tactical response—a DDoS mitigation strategy—in place to counter it.
A tactical cyber threat is one you face in the immediate future. Tactical security intelligence gives your security team insight as to whether your existing threat countermeasures can detect and minimize your risk. At the core of tactical security intelligence is identifying indicators of compromise (IOCs), signals that make it possible to detect, for example, DDoS attacks or unusual traffic patterns.
Strategic security intelligence is not just for the security team; it is also the key to effective executive decision-making. Understanding current cyber risk and where threats are coming from, along with the longer-term cyber threat issues, provides executive management with the foundation for budgeting, financial and operational risk assessment, technical staffing, and organizational strategy.
Technical security intelligence analyzes how a cyber threat was executed. After a DDoS mitigation, for example, one would look for the source of the attack, the tools used, the cadence and style of the threat actor behind the attack, the similarity of the current assault to previous attacks, and so on. This allows future detection and mitigation to be improved, minimizing costs and downtime.
There are many ways to slice and dice the sources of cyber threat intelligence including:
HUMINT is security intelligence gathered from humans using direct or indirect contact and includes espionage and surveillance.
SIGINT is threat intelligence derived from the interception of messaging between people (HUMINT) or machines (electronic intelligence or ELINT).
OSINT (open-source intelligence) includes publicly available sources such as news, social media (SOCINT), and public reports of all kinds, including financial reports (FININT) and shared cyber security intelligence.
Financial incentives are a major clue to the motivation and resources that might be applied to executing a particular type of attack. North Korea famously uses cyber-attacks to bolster its financial resources, so knowing where the money is and what the potential attack vectors are is crucial to both the attackers (North Korea) and the potential victims (banks and other traditional financial institutions, crypto exchanges, etc.).
Knowing a threat actor’s market and potential targets is key to understanding not just their motivation but also the kinds of cyber threats they might use.
When these sources of threat intelligence are skillfully combined by security analysts, they provide a broad picture of the nature, scope, motivations, and risks of current and future cyber threats.
The most common cyber threat today comes from DDoS attacks. By using various techniques, a threat actor can direct bogus traffic from various sources to an online target thereby swamping the target with enough requests to slow down the response of a web server or web application. At worst, DDoS attacks can completely shut down online services, as well as provide cover for other types of cyber threats mounted in parallel.
The current geopolitical and sociopolitical landscapes afford threat actors, not just opportunity, but also reasons to launch exploits and campaigns of all kinds, particularly DDoS attacks. Over the last six months threat actors have been targeting countries, government organizations, healthcare, banks, social groups, and high-profile individuals driven by issues including politics (the Russian war against Ukraine is an obvious example), religion, and even sports.
The greatest source of DDoS attacks is botnets: huge armies of suborned machines such as PCs, routers, and IP cameras that have been exploited to act simultaneously on behalf of a threat actor. These botnets can generate vast quantities and volumes of requests. Over the last few years, threat actors have scaled up their botnets, and attacks are now frequently seen to last anywhere from minutes to days. They come from hundreds of thousands or millions of endpoints and are measured in tens of millions of requests per second or terabits per second. This is making DDoS mitigation extremely difficult and complicated.
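The tactical IOC described earlier (an unusual traffic pattern) and the botnet signature just described (very high request rates fanned in from a huge number of distinct endpoints) can be turned into a simple detection check. The following is an added example, not code from A10 or from the original post; the log format, the sample traffic, and the thresholds are all constructed for illustration and would need tuning against a real baseline.

```python
"""Added example: flag request floods in constructed access-log lines and
separate distributed (botnet-style) floods from single-source ones."""
from collections import defaultdict
from datetime import datetime, timedelta

def parse_line(line):
    """Line format (constructed for this example): '<ISO-8601 ts> <src_ip> <target>'."""
    ts, src, target = line.split()
    return datetime.fromisoformat(ts), src, target

def detect_floods(lines, window_s=10, rate_threshold=100, fanin_threshold=50):
    """Slide a trailing window of window_s seconds over each target's requests and
    raise one alert per target the first time the rate reaches rate_threshold req/s.
    A window fed by at least fanin_threshold distinct sources is labelled
    'distributed' (the botnet pattern); otherwise 'single-source'."""
    per_target = defaultdict(list)
    for line in lines:
        ts, src, target = parse_line(line)
        per_target[target].append((ts, src))
    window, alerts = timedelta(seconds=window_s), []
    for target, events in per_target.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Drop events that have fallen out of the trailing window.
            while events[end][0] - events[start][0] >= window:
                start += 1
            count = end - start + 1
            if count / window_s >= rate_threshold:
                sources = {src for _, src in events[start:end + 1]}
                kind = "distributed" if len(sources) >= fanin_threshold else "single-source"
                alerts.append((target, events[start][0], kind, count, len(sources)))
                break
    return alerts

def build_sample_log():
    """Constructed traffic: a quiet baseline, a 600-source flood, and a 1-source flood."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = [f"{(base + timedelta(seconds=5 * i)).isoformat()} 203.0.113.{i % 3 + 1} api"
             for i in range(12)]                                   # 12 requests over 60 s
    lines += [f"{(base + timedelta(seconds=i / 120)).isoformat()} "
              f"10.{(i % 600) // 256}.{(i % 600) % 256}.7 www"
              for i in range(1200)]                                # 1200 requests in 10 s, 600 sources
    lines += [f"{(base + timedelta(seconds=i / 120)).isoformat()} 192.0.2.9 login"
              for i in range(1100)]                                # 1100 requests in ~9 s, 1 source
    return lines

if __name__ == "__main__":
    for target, when, kind, count, n_src in detect_floods(build_sample_log()):
        print(f"{when.isoformat()} {target}: {kind} flood, {count} requests from {n_src} sources")
```

The distinct-source count is the piece that separates a botnet flood from a single misbehaving client, which matters because the two call for different mitigations (upstream scrubbing versus a per-source rate limit).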
To survive and thrive online in the 21st century, you need to understand the kinds of cyber threats you’re facing, and none are more generally dangerous to your digital resources than DDoS attacks. A10’s Three Reasons You Need DDoS Weapons Intelligence explains what you’re up against and what’s needed for DDoS protection.
A10’s market-leading expertise in DDoS mitigation comes from the company’s own research and understanding of threat actors, their motivations, and their tools. A10’s DDoS Threat Intelligence and DDoS Attack Report provide insights into the who, how, and why. The new DDoS Weapons Intelligence Map provides an unparalleled insight into the current DDoS threat environment.
For communications service providers and data center and colocation providers looking for DDoS detection and DDoS mitigation, A10’s DDoS Scrubbing Service solution, which provides enterprise-scale DDoS protection, is based on the A10 Thunder Threat Protection System (TPS), the Thunder TPS Detector, and the A10 aGalaxy® Centralized Management System.
Learn about latest developments in the world of DDoS that can help you improve your security posture and protect your resources against devastating DDoS attacks.