Threat Analyst Insights: Behind the Scenes of On-Demand Research
As a member of the analyst services team at Recorded Future, I wear multiple hats, but first and foremost, I view myself as an extension of our customers' threat intelligence or security operations center (SOC) teams. Our team is a diverse group; some were formerly linguists or technical analysts, while others served in the military or worked in the intelligence community.
Since I started at Recorded Future, each day has been different, as our daily operations depend heavily on customer requests for reporting or research. The primary purpose of the analyst services team is to help customers research events that their team may not have the time or ability to dig into, but sometimes we simply provide a second opinion on research that they have curated themselves. Typically, after being given a general idea of what a customer wants researched, we use a combination of technical and non-technical assessments to determine what direction would best benefit the customer based on their requirements.
Reports We Have Delivered
Our unofficial team motto is that we will research “anything and everything,” which in my opinion makes our workday more exciting because our day-to-day tasks constantly change and we have to be ready for anything. We’ve delivered reports ranging from the more typical malware and phishing analyses, down to more focused topics such as third-party security evaluations or city profiles. The delivery period ranges from a 24- to 48-hour time frame for shorter assessments to a 30-day delivery period for longer pieces, such as industry-specific or vertical risk analyses.
The most common type of report requests we receive — aside from the scheduled weekly, monthly, and quarterly reports — are for analysis of malware or phishing emails that customers have seen in their environment. Our analysis typically combines information from our product itself with open source items that we may come across during the course of our research.
Trends We Have Noticed
In the past six to 10 months, we have noticed an uptick in scam campaigns targeting businesses in the travel and hospitality industries. These campaigns typically disguise themselves as third-party booking or payment systems and direct customers to a separate site for them to enter their booking or payment information. From what we have discovered, these campaigns appear to be largely operating out of India and have been targeting customers of large travel groups. Our open source research and threat actor engagement did not provide enough information on whether these different groups are linked; however, we can assess with high confidence that any customer information that may have been given to these groups is at a high risk of compromise.
Another trend that we have noticed is the rise in user account credentials for sale on dark web or underground forums from a number of companies across a variety of verticals. The majority of these credentials for sale have come from major data dumps such as breaches of websites like LinkedIn, or more recently, Ticketfly. While there are differing degrees of validity regarding these account credentials (e.g., some include passwords, while others contain just a name and email address), we believe that there is a high likelihood that the affected users will face an increased risk of targeted phishing scams from attackers trying to gain further information, such as banking information.
The analyst services team researches and writes assessments for pretty much anything that our customers may have concerns about. I, for one, have appreciated the variety in report writing and in knowing that not every day will contain the same tasks or research. It also allows me to gain insight into topics that I may not be as familiar with, such as malware reversal or actor engagement, and see how the other subject matter experts on the team approach it. It also gives me a better idea of what I envision my future career path to be, as I begin to specialize in certain areas of research and analysis.