<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
    <channel>
        <title>Recorded Future</title>
        <link>https://www.recordedfuture.com/feed</link>
        <description>Strengthen Your Defenses with Threat Intelligence</description>
        <lastBuildDate>Sat, 17 Feb 2024 00:00:00 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>Recorded Future, Inc.</generator>
        <language>en</language>
        <copyright>Copyright © 2024 Recorded Future, Inc.</copyright>
        <item>
            <title><![CDATA[Navigating 2024's Geopolitical Fault Lines]]></title>
            <link>https://www.recordedfuture.com/navigating-2024s-geopolitical-fault-lines</link>
            <guid>https://www.recordedfuture.com/navigating-2024s-geopolitical-fault-lines</guid>
            <pubDate>Sat, 17 Feb 2024 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore key 2024 geopolitical risks: Middle East volatility, Russia-Ukraine tensions, and China-Taiwan relations, with insights on global conflict flashpoints.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>New research from Recorded Future&#39;s Insikt Group assesses the likelihood of four major conflict escalation scenarios that have the potential to materialize across the globe, detailing diplomatic, informational, military, and economic (DIME) signposts and indicators of those scenarios transpiring, and analyzes other global conflict flashpoints. </p><p>It is unlikely that the Russia-Ukraine conflict will escalate into a NATO Article 5-linked conflict in 2024, as both Russia and NATO are actively taking measures to prevent direct military confrontation. Nonetheless, the potential for military incidents resulting from miscommunication or miscalculation remains, posing risks of NATO involvement, especially if Russia perceives NATO actions as threats to its national security interests in the Black Sea region.</p><p>In 2024, the Israel-Hamas conflict is unlikely to extend to a broader war on a second front involving Israel, Hezbollah, Palestinian militants, and Iranian proxies based in Lebanon and Syria. Hezbollah is unlikely to initiate an invasion of Israel to avoid risking US intervention and Lebanon&#39;s stability. Instead, ongoing exchanges of fire serve to deplete Israeli resources and infrastructure without prompting a full-scale Israeli incursion into Lebanon. Similarly, Iran is unlikely to direct Hezbollah to provoke Israel, preferring to exert asymmetric pressure on the US and Israel indirectly. Israel, meanwhile, is unlikely to escalate actions against Lebanon, given its focus on eradicating Hamas and US pressure to prevent further escalation.</p><p>The conflict in the Red Sea and Gulf of Aden between Iran-backed Houthis and the US-led military coalition is unlikely to expand into a wider Arabian Peninsula war. 
The Houthis are expected to achieve their objectives by targeting adversaries in the Red Sea and Gulf of Aden without directly engaging American, British, or Israeli interests across the Arabian Peninsula. Low-intensity conflict is anticipated to persist in the region as Houthi rebels escalate their maritime campaign against American and British assets, despite coalition airstrikes aiming to degrade Houthi capabilities.</p><p>Furthermore, armed conflict between China and Taiwan in 2024 is very unlikely due to various political, military, economic, and diplomatic factors. Chinese leaders are very likely to continue military and non-military coercive efforts to dissuade Taiwanese independence while also promoting mainland unification through economic and cultural measures. Despite the high risks associated with a Taiwan conflict for China and the Chinese Communist Party, the party-state is likely to consider using armed force against Taiwan on a more urgent timeline if acute challenges present themselves.</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/ta-2024-0217.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/Main_Feature_5_52edadca9e.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign]]></title>
            <link>https://www.recordedfuture.com/russia-aligned-tag-70-targets-european-government-and-military-mail</link>
            <guid>https://www.recordedfuture.com/russia-aligned-tag-70-targets-european-government-and-military-mail</guid>
            <pubDate>Fri, 16 Feb 2024 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group has observed TAG-70 leveraging cross-site scripting (XSS) vulnerabilities against Roundcube webmail servers in Europe, targeting government, military, and national infrastructure.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Recorded Future&#39;s Insikt Group has identified TAG-70, a threat actor likely operating on behalf of Belarus and Russia, conducting cyber-espionage targeting government, military, and national infrastructure entities in Europe and Central Asia since at least December 2020. In its latest campaign, which ran between October and December 2023, TAG-70 exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers in its targeting of over 80 organizations, primarily in Georgia, Poland, and Ukraine. This activity is reminiscent of other Russian-aligned threat groups such as BlueDelta (APT28) and Sandworm, which have targeted email solutions, including Roundcube, in previous campaigns.</p><p><img src="https://cms.recordedfuture.com/uploads/tag_70_chart_28741e8d2b.png" alt="tag-70-chart.png"><em>Geographic spread of victims of TAG-70&#39;s Roundcube exploit in October 2023 (Source: Recorded Future)</em></p><p>The compromised email servers represent a significant risk, particularly in the context of the ongoing conflict in Ukraine. They could expose sensitive information about Ukraine&#39;s war effort, its diplomatic relations, and its coalition partners. Moreover, the targeting of Iranian embassies in Russia and the Netherlands suggests a broader geopolitical interest in assessing Iran&#39;s diplomatic activities, especially regarding its support for Russia in Ukraine. Similarly, espionage against Georgian government entities reflects interests in monitoring Georgia&#39;s aspirations for European Union (EU) and NATO accession.</p><p>To mitigate the risk posed by TAG-70&#39;s campaign, organizations should ensure that their Roundcube installations are patched and up-to-date, while actively hunting for indicators of compromise (IoCs) in their environments. 
The sophistication of TAG-70&#39;s attack methods and its targeting of government and military entities underscore the need for robust cybersecurity measures and proactive threat intelligence efforts. The widespread nature of TAG-70&#39;s activities and its potential impact on national security highlight the urgency for vigilance and preparedness among affected organizations and government agencies.</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2024-0217.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/Main_Feature_8d5445d264.webp" length="0" type="image/webp"/>
        </item>
        <item>
            <title><![CDATA[The Next Evolution of Recorded Future AI: Powering the Future of Threat Intelligence]]></title>
            <link>https://www.recordedfuture.com/next-evolution-recorded-future-ai-powering-threat-intelligence</link>
            <guid>https://www.recordedfuture.com/next-evolution-recorded-future-ai-powering-threat-intelligence</guid>
            <pubDate>Tue, 13 Feb 2024 00:00:00 GMT</pubDate>
            <description><![CDATA[Discover how Recorded Future AI delivers crucial threat intelligence and insights, enabling security teams to stay ahead of sophisticated cyber threats efficiently.]]></description>
            <content:encoded><![CDATA[<p><strong>Available in the following solutions:</strong> <a href="https://www.recordedfuture.com/solutions/ransomware">Ransomware Mitigation</a>, <a href="https://www.recordedfuture.com/solutions/automation-security-workflows">Automated Security Workflows</a>, and <a href="https://www.recordedfuture.com/solutions/supply-chain">Mitigate Supply Chain Risk</a><br></p><p><strong>Available in the following modules:</strong> <a href="https://www.recordedfuture.com/products/threat-intelligence">Threat Intelligence</a> and <a href="https://www.recordedfuture.com/products/geopolitical-intelligence">Geopolitical Intelligence</a><br></p><p>In the ever-changing and converging threat landscape, organizations must remain vigilant to protect their critical assets and sensitive data from increasingly sophisticated attacks. At Recorded Future, we&#39;re constantly finding new innovations to help customers deal with their most pressing security challenges. Back in April 2023, we were the first company to introduce AI for Intelligence with Recorded Future AI Insights. Today, we are excited to announce the general availability of the next evolution with Enterprise AI for Intelligence, supercharged with a generative AI-based assistant.</p><p>This capability gives security teams on-demand access to critical threat intelligence and actionable insights via a simple natural language interface, combining the power of <a href="https://www.recordedfuture.com/platform/intelligence-cloud">Recorded Future&#39;s Intelligence Cloud</a>, the most comprehensive and transparent sourcing* in the industry. This includes research and reports from <a href="https://www.recordedfuture.com/research/insikt-group">Insikt Group</a>, Recorded Future&#39;s threat research division. 
Our AI continuously learns and adapts, providing security teams with the most up-to-date and relevant threat intelligence.</p><h2 id="see-recorded-future-ai-in-action">See Recorded Future AI in Action</h2><h3 id="scenario-1-based-on-an-indicator-of-compromise-ioc-related-to-bluebravo-a-cti-analyst-is-tasked-to-provide-information-related-to-the-full-scope-of-the-threat">Scenario 1: Based on an indicator of compromise (IoC) related to BlueBravo, a CTI analyst is tasked to provide information related to the full scope of the threat.</h3><p>The IP Intelligence Card highlights a known command and control (C2) server associated with <a href="https://www.recordedfuture.com/bluebravo-uses-ambassador-lure-deploy-graphicalneutrino-malware">BlueBravo</a>.</p><p><img src="https://cms.recordedfuture.com/uploads/AI_blog_2_031c4cf14a.png" alt="AI-blog-2.png"></p><p>Recorded Future AI provides powerful assistance in understanding a comprehensive list of tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) associated with BlueBravo. As MITRE is a common framework to analyze attacks, Recorded Future AI can tie the TTPs to specific MITRE T-codes. The Red Team can use information about how BlueBravo targets Windows Management Instrumentation (WMI) and PowerShell to inform their next threat hunt.</p><p><img src="https://cms.recordedfuture.com/uploads/AI_blog_3_b6aed9b6b3.png" alt="AI-blog-3.png"></p><h3 id="scenario-2-a-cti-team-needs-to-assess-the-latest-zero-day-vulnerabilities-prioritize-by-active-exploits-and-provide-an-executive-summary-to-the-ciso">Scenario 2: A CTI team needs to assess the latest zero-day vulnerabilities, prioritize by active exploits, and provide an executive summary to the CISO.</h3><p>Search for the latest vulnerabilities using simple English prompts and Recorded Future AI will provide a list with embedded links into each CVE showing details, remediation steps, and playbooks. 
</p><p><img src="https://cms.recordedfuture.com/uploads/AI_Blog_4_4943970ce6.png" alt="AI-Blog-4.png"></p><p>An analyst can quickly create a comprehensive executive summary of the <a href="https://www.recordedfuture.com/products/vulnerability-intelligence">vulnerability assessment</a> for their CISO - and generate a report that used to take hours in a matter of minutes. </p><p><img src="https://cms.recordedfuture.com/uploads/AI_blog_5_445e0a5760.png" alt="AI-blog-5.png"><img src="https://cms.recordedfuture.com/uploads/AI_blog_6_005b076457.png" alt="AI-blog-6.png"></p><h3 id="scenario-3-an-intelligence-team-needs-to-monitor-geopolitical-trends-and-their-impact-on-cyber-events">Scenario 3: An intelligence team needs to monitor geopolitical trends and their impact on cyber events.</h3><p>With elections, summits, and hearings, government entities need to stay up-to-date on cybersecurity threats and provide real-time reporting to their chain of command.</p><p>Let&#39;s look at how Recorded Future AI gathers information on China&#39;s disinformation campaigns.</p><p><img src="https://cms.recordedfuture.com/uploads/AI_blog_7_283fe8071e.png" alt="AI-blog-7.png"></p><p>Suggested follow-up questions from Recorded Future AI expand the scope of your inquiry and provide additional insights. Recorded Future provided this follow-on question about the Volt Typhoon cyber campaign. </p><p><img src="https://cms.recordedfuture.com/uploads/AI_blog_8_e775dd7237.png" alt="AI-blog-8.png"></p><h2 id="discover-whats-next-with-recorded-future-ai">Discover What&#39;s Next with Recorded Future AI</h2><p>For security teams that need to detect and respond to suspicious activity, time is of the essence. Recorded Future AI will continue to evolve so that analysts can automatically aggregate and analyze commonalities across attacks, brand exposure, and much more. 
To stay up-to-date on the latest in AI-driven threat intelligence, <a href="https://go.recordedfuture.com/cyber-daily?utm_campaign=search__us__cyber_daily&utm_term=cyber%20daily_p&utm_source=google&utm_medium=ppc&utm_content=574841911147&hsa_ver=3&hsa_acc=7443287029&hsa_mt=p&hsa_src=g&hsa_cam=15866256612&hsa_grp=133857593404&hsa_tgt=kwd-851343250790&hsa_kw=cyber%20daily&hsa_ad=574841911147&hsa_net=adwords&gad_source=1&gclid=CjwKCAiAlJKuBhAdEiwAnZb7lUTUlODq-2CIHrBdEIQIm0XSXpvsuQElS6sJWGnjGFLZvyz9oojDFRoCNfIQAvD_BwE">sign up</a> for our newsletter.</p><p><em>*Open web, dark web, technical, and our proprietary Insikt Group sources. We are the only threat intelligence provider that offers mid-point / network traffic analysis with your proprietary data.</em></p><p><em>***Recorded Future uses OpenAI&#39;s large-scale language generation model to summarize content and help our clients consume the vast intelligence available via Recorded Future more efficiently.</em></p>]]></content:encoded>
            <category>Blog</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/2024_0212_Recorded_Future_AI_Blog_Main_Feature_671d2c7d6d.webp" length="0" type="image/webp"/>
        </item>
        <item>
            <title><![CDATA[Black History Month - The Art of Intelligence: Portraits of Diversity, Learning, & Skill]]></title>
            <link>https://www.recordedfuture.com/black-history-month-2024</link>
            <guid>https://www.recordedfuture.com/black-history-month-2024</guid>
            <pubDate>Mon, 12 Feb 2024 00:00:00 GMT</pubDate>
            <description><![CDATA[Understanding the importance of diversity in cybersecurity this Black History Month 2024, with inspiring stories from Recorded Future's employees.]]></description>
            <content:encoded><![CDATA[<p>The 2024 theme for <a href="https://www.blackhistorymonth.gov">US Black History Month</a> is <em>African Americans and the Arts.</em> This theme explores the influence that African Americans have on arts, whether that&#39;s visual, music, cultural movements, and more.</p><p>What better way to join in on the celebration than by sharing the inspiring stories of our team members and how they have influenced their career field? We know that diversity, inclusion and awareness build a thriving workforce. When we share our rich collective of backgrounds, origins, and learning paths it enriches our organization and the industry as a whole. </p><p>This year, we interviewed Mohamed Fall, Senior Intelligence Consultant, and Monet Ford, Customer Success Manager at Recorded Future, and are thrilled to share their experiences.</p><p><img src="https://cms.recordedfuture.com/uploads/black_history_month_2024_monet_mohamed_1b22e48b52.jpg" alt="black-history-month-2024-monet-mohamed.jpg"><em>From left, Monet Ford and Mohamed Fall</em></p><p>As a black woman in cybersecurity, sharing my story is crucial for several reasons. Firstly, it sheds light on the challenges facing minority groups in the field. Secondly, my story can serve as an inspiration for other black women to pursue similar career paths. Ultimately, my narrative contributes to creating a more inclusive and diverse workforce, which benefits the tech industry as a whole. - <em>Monet</em></p><h2 id="the-journey-up-until-now">The Journey Up Until Now</h2><p><em>The speed at which technology changes is crazy and no one is a master at everything. This job, unlike other professions, requires communication and collaboration more than ever. Every day is full of challenges and learning opportunities. - Mohamed</em></p><p>Mohamed was first introduced to the Recorded Future platform working at another company. 
He explains that exposure to the solutions, both as a security and an educational tool, helped him gain a wealth of knowledge in the intelligence field. Soon after, he reached a significant milestone when attending the Recorded Future Certified Analyst Lab training and certification. </p><p><img src="https://cms.recordedfuture.com/uploads/unnamed_2_4ce2ea8136.png" alt="unnamed-2.png"><a href="https://university.recordedfuture.com">Learn more about Recorded Future University and our newest free certification.</a></p><p>It not only expanded my skill set but it also opened doors and new opportunities to further my Cyber Threat Intelligence knowledge and build an expertise. Joining Recorded Future was not just a career move. It was a personal decision I made to further enhance my learning. - <em>Mohamed</em></p><p>In 2023, Monet was impacted by one of the significant tech layoffs. Determined to find a new opportunity, she began her job search and came across Recorded Future. </p><p>&quot;From the initial recruiter call to my final interview, the experience felt refreshingly authentic, and I didn&#39;t feel like I was going through the motions of a traditional interview. That&#39;s when I realized that the company&#39;s culture resonated with me, and I knew I would enjoy working there.&quot; - <em>Monet</em></p><p><a href="https://www.recordedfuture.com/blog/hiring-process-recruiter-insights">Read about our hiring process and get tips from Senior Recruiting Manager, Chris Barnes.</a></p><h2 id="celebrating-community-and-impact">Celebrating Community and Impact</h2><p><em>It was the first company I encountered that had such a community, and I wanted to be part of it. - Monet</em></p><p>Monet shared that engaging with the employee resource group has been impactful in helping her connect with colleagues across the organization. 
Not only does the group create a space beyond day-to-day work, it also is an opportunity to meet other ERG members in person: In the tech industry, where many positions are remote, it can be challenging to truly connect with colleagues. Meeting some of the ERG members face-to-face was a fantastic experience that added a personal touch to our interactions and strengthened our bonds. </p><p>Mohamed noted one of his favorite events he attended and the impact it had: the BEST employee resource group invited a dominant voice and scholar - Dr. Byron Lowens - to speak about privacy issues in a variety of contexts, such as wearable health technologies, people&#39;s reactions to data breaches, and how privacy concerns lead to disparate outcomes for marginalized populations. </p><p>He continued to say that this initiative not only highlighted the need to address sensitive issues and educate our workforce, but also inspired further academic research and community awareness.</p><h2 id="challenges-and-growth">Challenges and Growth</h2><p><em>The dynamic and ever-evolving nature of the threat landscape keeps me on my toes. - Mohamed</em></p><p>Mohamed explained how his time at Recorded Future has exposed him to many topics that he once had no experience with and the supportive environment he found here. Stepping into such a large organization as a new employee with all knowledge and experience required to perform requires a supportive and collaborative environment. And that&#39;s what BEST and Recorded Future offered.</p><p>Monet added that her role not only has challenged her on a professional level but also on a personal level. Professionally, working in this environment has challenged me to stay abreast of the rapidly evolving cybersecurity landscape, honing my skills and expertise in threat intelligence. Additionally, I&#39;ve found that my work here has complemented my educational pursuits - I&#39;m currently going back to school for Cybersecurity. 
Being able to apply what I study directly to my role has not only deepened my understanding but also enhanced my learning experience. It&#39;s a rewarding cycle of knowledge acquisition and practical application that has accelerated my professional development.</p><h2 id="join-us-on-our-journey">Join Us on Our Journey</h2><p>Our Futurists have a powerful message to anyone who&#39;s considering joining the field, making their next career move, learning something new, or getting involved in ERG work. </p><p>Go for it. If I can do it, so can you. The opportunities for growth and learning are boundless, limited only by your willingness to step out of your comfort zone. - <em>Mohamed</em></p><p><img src="https://cms.recordedfuture.com/uploads/black_history_month_2024_mohamed_monet_1ab1ee20b0.jpg" alt="black-history-month-2024-mohamed-monet.jpg"><em>Mohamed at a Colorado Rapids Game and Monet&#39;s Family Christmas</em></p><p>If you&#39;re seeking a space where you can contribute to spreading diversity and fostering understanding of our mission, the ERG is the perfect place for you. And as for the company itself, it&#39;s a fantastic environment with great colleagues and an even better culture. You&#39;ll find yourself surrounded by supportive teammates and opportunities for growth. - <em>Monet</em></p><p>We look forward to sharing more stories from our team, showcasing the diverse paths that have led us here and the shared vision that propels us forward. Your story could be the next to inspire, challenge, and transform our industry. 
You can check out our 2023 stories: <a href="https://www.recordedfuture.com/blog/erg-stories-black-history-month-2023">Black History Month &#39;23</a>, <a href="https://www.recordedfuture.com/blog/veterans-day-celebrating-stories-service-success">Veterans Day &#39;23</a>, <a href="https://www.recordedfuture.com/blog/erg-stories-hispanic-heritage-month-2023">Hispanic Heritage Month &#39;23</a>, <a href="https://www.recordedfuture.com/blog/erg-stories-pride-month-2023">Pride Month &#39;23</a>, <a href="https://www.recordedfuture.com/blog/erg-stories-apida-heritage-month-2023">APIDA Month &#39;23</a>.</p>]]></content:encoded>
            <category>Blog</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/Main_Feature_0242b3b26a.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Patterns and Targets for Ransomware Exploitation of Vulnerabilities: 2017–2023]]></title>
            <link>https://www.recordedfuture.com/patterns-targets-ransomware-exploitation-vulnerabilities-2017-2023</link>
            <guid>https://www.recordedfuture.com/patterns-targets-ransomware-exploitation-vulnerabilities-2017-2023</guid>
            <pubDate>Thu, 08 Feb 2024 00:00:00 GMT</pubDate>
            <description><![CDATA[Discover key insights from Insikt Group's analysis on ransomware exploitation patterns and targets from 2017–2023.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Recent Insikt research analyzes ransomware and vulnerability trends spanning the past six years and offers insights into future expectations.</p><p>Ransomware groups exploit vulnerabilities in two distinct categories: those targeted by only a few groups and those widely exploited by several. Each category necessitates different defense strategies. Groups targeting specific vulnerabilities tend to follow particular patterns, enabling companies to prioritize defenses and audits. To defend against unique exploitation, understanding the likely targets and vulnerability types is crucial.</p><p><img src="https://cms.recordedfuture.com/uploads/patterns_and_targets_001_e802a1b0fb.png" alt="patterns-and-targets-001.png"><em>Diagram showing the number of ransomware groups that have been associated with vulnerability exploitation in the last five years. By one group, for example, we mean that only one group has been reported to have exploited a vulnerability (Source: Recorded Future)</em></p><p>Widely exploited vulnerabilities are found in commonly used enterprise software and are easily exploited through various means like penetration testing modules. Defending against such exploits involves promptly patching vulnerabilities, monitoring security research for proofs of concept, and observing criminal forums for references to tech stack components rather than specific vulnerabilities.</p><p>Some ransomware groups focus on exploiting three or more vulnerabilities, providing clear targeting patterns for defenders. For instance, CL0P has targeted file transfer software from Accellion, SolarWinds, and MOVEit. Most targeted vulnerabilities are in widely used enterprise software and can be exploited easily. 
Vulnerabilities requiring unique vectors are typically exploited by only a few groups.</p><p>Ransomware operators and affiliates seldom discuss specific vulnerabilities, but the broader cybercriminal ecosystem identifies and discusses publicly known vulnerabilities and potential targets for exploitation.</p><p>Looking ahead to 2024, advancements in generative AI may lower the technical barrier for cybercriminals, facilitating the exploitation of more zero-day vulnerabilities. Major vendors like Google and Apple, which were previously immune to such threats, may become targets of ransomware campaigns. Additionally, a potential rebound in cryptocurrency value might shift extortion groups&#39; focus from vulnerability research towards crypto wallet theft.</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2024-0208.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/patterns_targets_ransomware_exploitation_vulnerabilities_2017_2023_acf814b862.webp" length="0" type="image/webp"/>
        </item>
        <item>
            <title><![CDATA[Leaks and Revelations: A Web of IRGC Networks and Cyber Companies]]></title>
            <link>https://www.recordedfuture.com/leaks-and-revelations-irgc-networks-cyber-companies</link>
            <guid>https://www.recordedfuture.com/leaks-and-revelations-irgc-networks-cyber-companies</guid>
            <pubDate>Thu, 25 Jan 2024 00:00:00 GMT</pubDate>
            <description><![CDATA[Iranian intelligence and military, along with contractors, target democratic processes in Western countries, including the 2020 US election.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>The report discusses Iranian intelligence and military entities associated with the Islamic Revolutionary Guard Corps (IRGC) involved in cyber activities targeting Western countries through their network of contracting companies.  Four known intelligence and military organizations linked to the IRGC engage with cyber contractors. Iranian threat groups linked to the network of contracting parties have launched espionage and ransomware attacks and are leading efforts to destabilize target countries through information operations. The victims are linked to governments, media, non-governmental organizations, critical infrastructure, and the healthcare sector, just to name a few. Some contractors are also implicated in developing technologies that enable surveillance activity that contributes to human rights abuses. </p><p>The IRGC-related cyber companies export technologies for surveillance and offensive purposes. The report highlights some select cases of financial activities outside Iran, suggesting contractors likely rely on the IRGC Quds Force (QF) for lucrative arrangements in countries like Iraq, Syria, and Lebanon. </p><p><img src="https://cms.recordedfuture.com/uploads/Leaks_and_Revelations_001_52f7656887.png" alt="Leaks-and-Revelations-001.png"><em>Major ransomware-style attacks led by pro-Iranian government fronts like Moses Staff, N3tW0rm, and Agrius (Source: Recorded Future)</em></p><p>The report delves into an interconnected network associated with the IRGC&#39;s cyber program, revealed by a string of multi-year leaks and doxxing efforts led by anti-government hacktivists and dissident networks. Overlaps between sanctioned individuals and specific contracting parties are observed. 
</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2024-0125.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/Main_Feature_4_603eb33266.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[It’s Friday, I’m [Writing That Typical CISO Email]]]></title>
            <link>https://www.recordedfuture.com/blog/its-friday-im-writing-that-typial-ciso-email</link>
            <guid>https://www.recordedfuture.com/blog/its-friday-im-writing-that-typial-ciso-email</guid>
            <pubDate>Wed, 17 Jan 2024 00:00:00 GMT</pubDate>
            <description><![CDATA[This blog describes how the Digital Risk Protection solution fits into a typical request a CISO receives: answering how their company is impacted by the latest cyber attack.]]></description>
            <content:encoded><![CDATA[<p>Its a Friday afternoon. As the CISO for a large manufacturing company, you receive a message from a board member with the subject line How are we affected by [insert the latest] cyber attack?</p><p>Despite the end-of-the-week fatigue, you explain that the <a href="https://www.recordedfuture.com/blog/threat-intelligence">Cyber Threat Intelligence</a> (CTI) team has already incorporated the attack patterns into existing controls. A member of the infrastructure team updated the email security platform to quarantine the malware-infected file. Credentials recently stolen from RedLine Stealer have already been reset within your identity access management (IAM) platform.</p><p>This is a response to a familiar situation: quickly answering a question about the latest cyber news headline. To summarize the risks in that email, the security team needs to properly map, monitor, and mitigate cyber threats specific to your organization. </p><h2 id="map-your-company-assets">Map Your Company Assets</h2><p>Cybersecurity writing often uses the phrase, defending your castle walls. Instead, lets envision strategically-placed barbed wire fences. As a security team, you prioritize the broken sections instead of rebuilding the entire fence (or wall) at once.A good place to start mending your fence is understanding what information about your company is freely available. Amateur open-source sleuths can now discover connections previously available only to those with specialized access. (A crowdsourced example includes the discovery of a disgraced Russian generals location based on the photo analysis of trees and a stone patio.)</p><p>Are there old domains still accessible that should be decommissioned? 
Security teams can use tools to discover subdomains that are <a href="https://www.recordedfuture.com/blog/your-aws-presence-growing-attack-surface-faster">potential candidates for subdomain takeovers</a>.</p><p>Equally important is understanding what assets are critical to business functions. If you work for an e-commerce company, any domains that handle payments should be prioritized as any downtime could result in monetary losses. Executives with, and without, a social media presence should be monitored for fake accounts that could post inflammatory comments and potentially impact stock prices. </p><p>If locked out of your house, you do not resort to immediately climbing onto your roof looking for an open window. Instead, you (hopefully) try to find another ground-level entrance or the key you hid by the ceramic gnome. Threat actors will often follow a similar path of least resistance.</p><h2 id="monitor-what-you-discovered">Monitor What You Discovered</h2><p>Based on your mapping exercise, your next task is to monitor the prioritized domains, executives and easiest-to-exploit attack vectors. </p><p>Understanding your company&#39;s password policy provides helpful context. But more important is <a href="https://www.recordedfuture.com/products/identity-intelligence">monitoring for stolen credentials</a> that can be used to log in to company systems. Intelligence providers that collect from these malware logs and integrate into IAM platforms increase the speed of detecting and resetting passwords before improper use. (According to the 2023 Verizon Data Breach Investigations <a href="https://www.verizon.com/business/resources/reports/dbir/2023/summary-of-findings/">Report</a>, more than three-quarters of breaches involved external actors, with nearly half of those external breaches involving stolen credentials.) </p><p>Threat actors do not typically use stolen credentials immediately. 
Instead, Initial Access Brokers (IABs) package and sell these credentials to other actors who plan to use them. Monitoring for direct and indirect company references (when your company as a target is implied) will provide another opportunity to detect threat actor activity. </p><h2 id="using-ai-to-generate-a-threat-map">Using AI to Generate a Threat Map</h2><p>A <a href="https://www.recordedfuture.com/blog/use-a-threat-map-to-visualize-your-cyber-threats">Threat Map</a> that analyzes past attacks and understands current vulnerabilities provides security teams with a short list of actors to prioritize for monitoring. </p><p>There&#39;s no need for analysts to spend their time manually researching and creating their own threat maps, thanks to <a href="https://www.recordedfuture.com/blog/introducing-recorded-future-ai">Recorded Future AI</a>. Threat actors understand their &quot;why&quot; for choosing to exploit a vulnerability in a particular organization based on their opportunity for success. For example, if your company is still susceptible to the MOVEit file transfer vulnerability, a threat actor will take advantage. </p><h2 id="emotional-response">Emotional Response</h2><p>Threat actors have feelings, too. When Spain&#39;s Prime Minister met with Ukraine&#39;s President, a hacktivist group called NoName057(16) targeted the Spanish government&#39;s websites in a DDoS attack. Recognizing when a current event may prompt even a low-level attack can improve defenses. </p><h2 id="fix-what-is-broken">Fix What Is Broken</h2><p>Mitigation is where the action takes place. Which steps did the security team take to improve security controls? Detection rules, or a pattern-matching search against security logs, can quickly notify analysts of potential malicious activity. If the malware is typically spread via a ZIP file, a detection rule can trigger an alert when there is a match in your company&#39;s logs. 
Your intelligence provider should produce the detection rules associated with the malware and threat actors most likely to impact your company, ideally via your unique threat map.</p><p>Some mitigation plans are based on compliance audits or security guidelines, such as NIST. Companies need to not only monitor for stolen passwords, but also prevent users from creating new passwords that have been previously leaked. Analysts should monitor and request takedowns for fake login pages targeting an organization. Takedowns are never an easy process. Using a provider with a high success rate will save security teams from going back and forth with domain registrars. (A trusted partner will also steer you away from a takedown that will likely not be successful.)</p><h2 id="summing-it-up">Summing it Up</h2><p>Understanding a company&#39;s most important assets is a critical stepping stone to prioritizing what to monitor and mitigate.</p><p>We haven&#39;t forgotten about the fictitious CISO. If your team has properly mapped assets, installed appropriate monitoring services and enabled mitigating controls, that next Friday afternoon email should be easier to write. You may use generative AI to produce an outline of the attack patterns used and how your company could be impacted. However, don&#39;t forget to mention areas that need improvement. It is worthwhile to include how the social engineering aspect of the attack is more difficult to combat.</p><p>You may not receive an on-the-spot promotion for your email summary. But your team&#39;s well-crafted response will prove the importance of having the data, platforms and people to answer the board&#39;s next security question.</p>]]></content:encoded>
            <category>Blog</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/2024_0112_Digital_Risk_Protection_Blog_Main_Feature_e1c152e57e.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Flying Under the Radar: Abusing GitHub for Malicious Infrastructure]]></title>
            <link>https://www.recordedfuture.com/flying-under-the-radar-abusing-github-malicious-infrastructure</link>
            <guid>https://www.recordedfuture.com/flying-under-the-radar-abusing-github-malicious-infrastructure</guid>
            <pubDate>Thu, 11 Jan 2024 00:00:00 GMT</pubDate>
            <description><![CDATA[Discover how GitHub is increasingly exploited for cyberattacks in our latest report.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>New Insikt Group research discusses the frequent abuse of GitHub&#39;s services by cybercriminals and advanced persistent threats (APTs) for various malicious infrastructure schemes. These include payload delivery, dead drop resolving (DDR), full command-and-control (C2), and exfiltration. GitHub&#39;s popularity among threat actors lies in its ability to allow them to blend in with legitimate network traffic, making detection and attribution challenging for defenders.</p><p>The &quot;living-off-trusted-sites&quot; (LOTS) approach is highlighted as a growing trend among APTs, with less-sophisticated groups expected to follow suit. The text suggests a short-term strategy for defenders to flag or block specific GitHub services known for malicious use. In the long term, organizations are encouraged to invest resources in understanding how GitHub and other code repositories are abused, leading to the development of more sophisticated detection mechanisms.</p><p><img src="https://cms.recordedfuture.com/uploads/Breakdown_abused_Git_Hub_services_94474b4043.png" alt="Breakdown-abused-GitHub-services.png"><em>Breakdown of abused GitHub services among samples from March to November 2023 (Source: Recorded Future)</em></p><p>As attacks are anticipated to increase, the text emphasizes that legitimate internet services (LIS) will pose a new third-party risk vector for customers. Mitigation strategies are expected to require advanced detection methods, comprehensive visibility, and diverse detection angles. 
The responsibility for combating abuse may shift to LIS through structural changes and product innovations, leveraging their unique visibility into user and usage data.</p><p>The primary infrastructure schemes for GitHub abuse are detailed, with payload delivery being the most prevalent due to its ease of implementation. GitHub is also commonly used for DDR, full C2 (linked to APT activity), and exfiltration, although the latter is less common. GitHub services are abused for various other malicious purposes, including hosting phishing operations and serving as an infection vector through repository poisoning techniques.</p><p>The research acknowledges that there is no universal solution for GitHub abuse detection, emphasizing the need for a mix of detection strategies tailored to specific environments, organizational structures, and risk tolerances. Overall, defenders are urged to allocate more resources to combat GitHub abuse, and LIS is expected to play a more significant role in addressing the issue through policy changes and technical innovations.</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2024-0111.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/cta_2024_0111_blog_Main_Feature_48086e4d47.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Monitoring the Dark Web with Threat Intelligence]]></title>
            <link>https://www.recordedfuture.com/blog/dark-web-monitoring</link>
            <guid>https://www.recordedfuture.com/blog/dark-web-monitoring</guid>
            <pubDate>Wed, 10 Jan 2024 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore effective dark web monitoring to safeguard your data. Learn how to detect and respond to cyber threats from the dark web with our comprehensive guide.]]></description>
            <content:encoded><![CDATA[<p>Sites on the dark web are marketplaces for emerging cyber threats. These are rich sources of intelligence, often relevant to a broad spectrum of potential targets. <a href="https://www.recordedfuture.com/introducing-recorded-future-ai">Recorded Future&#39;s machine learning </a> and natural language processing instantly creates links from sites on the dark web to other threat sources, enabling you to more quickly identify, profile, and mitigate risks to your organization.</p><h2 id="the-vital-role-of-dark-web-monitoring">The Vital Role of Dark Web Monitoring</h2><p>Understanding the vital role of dark web monitoring is essential in today&#39;s interconnected world. Dark web monitoring services act as crucial security tools, translating the cryptic language of cyber threats into actionable insights. This process is vital for identifying compromised credentials, <a href="https://www.recordedfuture.com/insider-trading-threats-dark-web">insider threats</a>, and other sensitive data breaches that often occur in the shadows of the deep and dark web.</p><p>In the vast expanse of the World Wide Web, including the surface web and the hidden layers of the dark web, this kind of monitoring helps safeguard against potential threats like identity theft, intellectual property theft, and proprietary data leakage. By proactively engaging in dark web monitoring, businesses, and security teams can tap into a wealth of threat intelligence, giving them a strategic edge in threat hunting and cyber defense.</p><p><img src="https://cms.recordedfuture.com/uploads/2014_1210_Dark_web_monitoring_blog_image_01_e3a2dd96d6.jpg" alt="Dark Web Monitoring Definition and Meaning"></p><h2 id="exploring-the-intricacies-of-dark-web-sites">Exploring the Intricacies of Dark Web Sites</h2><p>Exploring the intricacies of dark websites reveals a complex underworld where cyber threats and criminal forums thrive. 
These sites often harbor malicious software and <a href="https://www.recordedfuture.com/products/identity-intelligence">compromised credentials</a>, posing significant risks to individuals and organizations alike.</p><p>Navigating this part of the dark web requires advanced dark web monitoring tools that can sift through the dense layers of information, extracting valuable insights about emerging cyber threats. This exploration is not just about identifying risks; it&#39;s about understanding the patterns of dark web activity, which can provide crucial clues for building preemptive measures against cyber attacks and data breaches.</p><h2 id="leveraging-dark-web-monitoring-services-for-enhanced-threat-intelligence">Leveraging Dark Web Monitoring Services for Enhanced Threat Intelligence</h2><p>To make the best use of dark web intelligence, you want to be alerted only when new and relevant information emerges and be able to quickly determine what requires further investigation or escalation.</p><p><a href="https://www.recordedfuture.com/solutions/digital-risk">Recorded Future&#39;s Digital Risk Protection</a> solution enables you to automate the identification of proprietary data or lost credentials on dark marketplaces as well as mentions of your company, brands, or infrastructure. You can also uncover new and emerging exploits and malcode tools relevant to your technology stack being developed and traded in dark web locations. </p><p>Leveraging dark web monitoring services for enhanced security is a strategic move for any organization looking to fortify its cybersecurity posture. These services extend beyond mere observation, providing a comprehensive approach to detect and counteract the ever-evolving cyber threats.</p><p>By continuously monitoring the dark web, these services can pick up early warnings of data breaches, identity theft, and compromised credentials. This proactive approach is instrumental in preventing data theft and protecting sensitive information. 
Additionally, these services contribute to a more robust security stack, enabling businesses to stay one step ahead of cybercriminals and safeguard their digital assets.</p><h3 id="the-power-of-dark-web-monitoring-tools-in-cybersecurity">The Power of Dark Web Monitoring Tools in Cybersecurity</h3><p>The power of dark web monitoring tools in cybersecurity cannot be overstated. These advanced tools are designed to delve deep into the dark web, unearthing information that traditional web crawlers cannot reach.</p><p>They provide comprehensive coverage of the entire digital landscape, including the surface web and the deeper, more secretive layers of the dark web. By utilizing a dark web monitoring tool, organizations can effectively track and analyze dark web activity, extracting actionable intelligence that aids in threat hunting. This intelligence is crucial for identifying potential threats, offering insights into the tactics and techniques used by cybercriminals. Moreover, these tools play a vital role in protecting intellectual property and sensitive corporate data from the clutches of threat actors.</p><h3 id="navigating-the-hidden-layers-of-the-dark-web">Navigating the Hidden Layers of the Dark Web</h3><p>Newly identified vulnerabilities or exploits represent significant opportunities for threat actors, and these attack methods are discussed, developed, and sold in dark web forums and underground marketplaces.</p><p>Recorded Future automates the <a href="https://www.recordedfuture.com/products/vulnerability-intelligence">identification of exploit chatter for unknown vulnerabilities</a>, helping you identify information uniquely relevant to your business and better prioritize remediation efforts based on evidence of increased adversary intent or their capabilities.</p><p>Having the time and resources to collect, analyze, and combine intelligence from the dark web manually is next to impossible, so Recorded Future continuously adds new, high-value dark web 
sources for you. We&#39;ve collected content from hundreds of relevant Tor sites, IRC channels, forums, and paste sites. In addition to adding new sources, our technology tracks criminal communities as they change their IP and domain infrastructure.</p><p><img src="https://cms.recordedfuture.com/uploads/2014_1210_Dark_web_monitoring_blog_image_02_3857ebc06c.jpg" alt="Importance of Dark Web Monitoring"></p><h3 id="how-personal-info-lands-on-the-dark-web">How Personal Info Lands on the Dark Web</h3><p>Ever wondered how personal details end up on the dark web? It usually starts with a data breach. Hackers find a way into a company&#39;s system and grab all sorts of private information. This isn&#39;t just about names and email addresses; it can include financial details and passwords. They don&#39;t use regular search engines to do this; they have special tools that dive deep into security systems to find and steal this info.</p><p>Once these hackers have what they want, they head to the dark web. It&#39;s a hidden part of the internet where they can sell or swap stolen data without getting caught. It&#39;s like a secret online market for all things illegal, including personal information. Here, everything from credit card numbers to private health records can be traded.</p><p>What happens when personal info gets to the dark web? It&#39;s not good. People might find themselves victims of identity theft, or companies might face unforeseen problems, like losing their customers&#39; trust. That&#39;s why it&#39;s critical to keep an eye on the dark web. 
Some technology solutions can check these hidden corners and let businesses know if their data shows up there. Quick action can help stop the bad consequences of these <a href="https://www.recordedfuture.com/blog/how-to-triage-leaked-credentials">personal data leaks</a>.<img src="https://cms.recordedfuture.com/uploads/2014_1210_Dark_web_monitoring_blog_image_03_29e25e2008.jpg" alt="How Personal Info Lands on the Dark Web"></p><h2 id="dark-web-monitoring-faq">Dark Web Monitoring FAQ</h2><p><strong>What is the meaning of dark web monitoring?</strong> Dark web monitoring means keeping a close watch on the dark web to detect if any stolen or sensitive information surfaces there. It&#39;s about using threat intelligence to identify risks, like leaked personal details or confidential business data. This monitoring helps in extracting actionable information from the raw intelligence gathered, enabling faster incident response to potential security incidents.</p><p><strong>Is dark web monitoring legitimate?</strong> Yes, dark web monitoring is a legitimate and critical tool for cybersecurity. It&#39;s a proactive measure that helps reduce false positives (incorrect alerts of danger) and ensures higher quality alerts. This type of monitoring is particularly important for identifying and mitigating malicious targeting and threats that are hidden in the dark web&#39;s secretive corners.</p><p><strong>Is the dark web the same as the deep web?</strong> No, they&#39;re different. The deep web refers to parts of the internet not indexed by standard search engines, and it&#39;s mostly harmless. The dark web, a smaller portion of the deep web, is deliberately hidden and often used for illicit activities. Dark web monitoring focuses here, as it&#39;s a common place for stolen data and illegal transactions.</p><p><strong>What are the business benefits of Dark Web Monitoring?</strong> Dark web monitoring offers significant business benefits. 
It <a href="https://www.recordedfuture.com/combatting-data-and-credential-exposure-with-intelligence">provides early warnings of data breaches</a>, enabling faster incident response and reducing the impact of cyber attacks. By identifying and analyzing threat intelligence from the dark web, businesses can extract actionable information, leading to more accurate and high-quality alerts. This proactive approach helps in defending against malicious targeting and securing sensitive company and customer data.</p><p><strong>Who needs dark web threat intelligence services?</strong>Dark web monitoring services are vital for organizations and individuals aiming to protect against data breaches, particularly in realms like <a href="https://www.recordedfuture.com/blog/financial-services-cybersecurity-attack-surface-threats">financial services cybersecurity.</a> Entities such as financial firms, healthcare providers, and retailers benefit immensely from these services, which offer crucial threat intelligence from both the deep web and the dark web. These services play a key role in identifying compromised information on the dark web, significantly enhancing overall web monitoring strategies. In essence, anyone concerned with the security of sensitive data should consider a dark web monitoring service as a crucial component of their robust digital defense.</p><h2 id="conclusion">Conclusion</h2><p>In wrapping up, dark web monitoring enables organizations to navigate the complex terrain of digital threats with more confidence. By delving into the depths of the deep web and areas beyond the reach of standard search engines, a robust dark web monitoring solution becomes indispensable. Such a service is not just about tracking stolen data or sensitive data; it&#39;s about gathering relevant intelligence that traditional cybersecurity measures might miss. 
This intelligence is crucial for understanding the full spectrum of dark web threats and for digital threat monitoring across the entire security stack.</p><p>Furthermore, a dark web monitoring service extends to both internal and external sources, providing a comprehensive view of potential data breaches and emerging threats. This comprehensive monitoring is pivotal in identifying targeted attacks and analyzing data collected from various high-risk attack vectors.</p><p>In facing the evolving cyber world, a resilient security posture is key. Recorded Future&#39;s dark web monitoring equips businesses with crucial insights for protecting vital data. <a href="https://go.recordedfuture.com/demo">Book your demo</a> today to fortify your digital defenses against dark web threats.</p>]]></content:encoded>
            <category>Blog</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/Main_Feature_fbedc42619.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[2023 Adversary Infrastructure Report]]></title>
            <link>https://www.recordedfuture.com/2023-adversary-infrastructure-report</link>
            <guid>https://www.recordedfuture.com/2023-adversary-infrastructure-report</guid>
            <pubDate>Tue, 09 Jan 2024 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future’s Insikt Group conducted a study of malicious command-and-control (C2) infrastructure identified using proactive scanning and collection methods throughout 2023.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>In its 2023 Adversary Infrastructure report, Insikt Group&#39;s outlook for the infrastructure landscape in 2024 suggests a continuation of the evolving nature of cyber threats, with an emphasis on government efforts to combat malicious activities. Anticipated increases in takedowns of malicious infrastructure reflect a growing awareness among governments of the devastating impacts of ransomware and other destructive attacks. There is a specific focus on cybercriminal operations affecting critical infrastructure, such as hospitals, prompting governments to explore legal frameworks for actions against attackers.</p><p>While takedowns prove effective, the persistence of criminal organizations, exemplified by ongoing operations like TA577 after the QakBot takedown, highlights the need for apprehending individuals responsible for illicit activities to truly disrupt such operations.</p><p>The shift of advanced persistent threats (APTs) towards adopting commodity tools, especially command-and-control (C2) frameworks, is expected to continue, as these tools effectively obscure attribution. Additionally, all threat actors are likely to exploit remote monitoring and management software, such as AnyDesk and ConnectWise, along with legitimate internet infrastructure like Telegram and GitHub, capitalizing on perceived legitimacy and inadequate network controls.</p><p><img src="https://cms.recordedfuture.com/uploads/Adversary_Infrastructure_01_3e4a226e76.png" alt="Adversary-Infrastructure-01.png"><em>C2 weaponization lifecycle (Source: Recorded Future)</em></p><p>Artificial intelligence (AI) is foreseen to impact cybercrime incrementally in 2024, particularly in areas like domain naming, network planning, and advanced obfuscation techniques for malware development. 
The use of AI by threat actors is expected to enhance organizational and technical efficiencies, reduce entry barriers for sophisticated attacks, and offer advantages to cybercriminals.</p><p>The report also identifies top offensive security tools, including Cobalt Strike, Viper, and Meterpreter, as well as prominent remote access tools (RATs) like AsyncRAT, QuasarRAT, PlugX, ShadowPad, and DarkComet. Sharing this information is encouraged to aid others in evaluating threat models, allowing for data verification by researchers and fostering a comprehensive understanding of the malicious infrastructure landscape.</p><p><img src="https://cms.recordedfuture.com/uploads/Adversary_Infrastructure_02_c36449b478.png" alt="Adversary-Infrastructure-02.png"><em>Top 20 RATs and backdoors, based on the number of unique C2 servers observed (Source: Recorded Future)</em></p><p>In response to emerging threats, the report recommends organizations establish baselines for legitimate internet services on their networks and optimize security controls. However, it acknowledges that advanced security measures, such as decrypting and monitoring TLS traffic, may be necessary, necessitating careful consideration of privacy implications, implementation costs, and potential impacts on network systems and productivity.</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2024-1209.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/Main_Feature_3_2dc2a1243b.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Navigating Election Risks: A Guide for Executives]]></title>
            <link>https://www.recordedfuture.com/blog/navigating-election-risks-a-guide-for-executives</link>
            <guid>https://www.recordedfuture.com/blog/navigating-election-risks-a-guide-for-executives</guid>
            <pubDate>Wed, 03 Jan 2024 00:00:00 GMT</pubDate>
            <description><![CDATA[Are you prepared to respond to election season risks posed to your business?]]></description>
            <content:encoded><![CDATA[<p>Elections bring out the best of us and the worst of us. It&#39;s a time of shifting opinions, heightened emotions, and political intrigue in any year, but especially so lately, as research indicates <a href="https://carnegieendowment.org/2022/05/05/reducing-pernicious-polarization-comparative-historical-analysis-of-depolarization-pub-87034">polarization is increasing</a> globally. You may be well-versed in navigating these dynamics interpersonally, with friends and family, but are you prepared to respond to election season risks posed to your business? More importantly, what can you really do in response? What should you do?</p><p>As with any business decision, cost matters. Sure, you may want to fight mis/disinformation online, but is it worth it? Let&#39;s start with some context. As you balance the tradeoffs of proactive versus reactive engagement with the information ecosystem, consider the potential adversarial investment. 2019 estimates cite the annual cost of mis/disinformation to the global economy at <a href="https://www.zdnet.com/article/online-fake-news-costing-us-78-billion-globally-each-year/">$78 billion</a> with stock losses of $39 billion. An <a href="https://www.europarl.europa.eu/RegData/etudes/STUD/2018/626087/IPOL_STU(2018)626087_EN.pdf">EU report</a> stated Russia-nexus disinformation sources paid for 170,000 political ads on Facebook between June 2015 and May 2017. A study by Cheq and the University of Baltimore estimated that at least $400 million is spent on advancing highly misleading or false political news globally, and in 2020, at least $200 million was spent in the US alone. This level of investment or more could be used to target the 2024 election cycle and subsequently, organizations caught in the crosshairs. </p><p>Adversaries certainly think these efforts are worthwhile, given the significant investment costs, but are there any metrics on disinformation efficacy? 
In terms of audience ability to discern information authenticity, a <a href="https://www.covidstates.org/reports/health-and-political-misperceptions-in-the-us">2023 national survey</a> of nearly 25,000 participants reported only 8% were able to correctly identify political falsehoods; in terms of belief adoption, 41% of participants actively believed in at least one political falsehood presented. And in terms of spread, a <a href="https://mitsloan.mit.edu/ideas-made-to-matter/study-false-news-spreads-faster-truth">2019 MIT study</a> suggests falsehoods are 70% more likely to be shared on social media and can reach their first audience six times faster. Mis/disinformation is demonstrably capable of reaching susceptible audiences and changing their perspectives. The World Economic Forum stated disinformation and erosion of social cohesion continue to be some of the biggest global risks in the <a href="https://www3.weforum.org/docs/WEF_Global_Risks_Report_2023.pdf">Global Risks Report 2023</a>. Further, <a href="https://www.usatoday.com/story/news/politics/2023/07/29/experts-say-election-disinformation-campaigns-will-be-worse-in-2024/70491586007/">experts predict</a> disinformation will increasingly target voters of color in the upcoming election and there are mounting concerns about <a href="https://www.pbs.org/newshour/politics/ai-generated-disinformation-poses-threat-of-misleading-voters-in-2024-election">AI-generated disinformation</a> influencing the election.</p><p>Although this suggests mis- and disinformation are mounting problems with potential real-world impact, it&#39;s a stretch to say this activity will impact all organizations&#39; risk; significant impact on businesses will be reserved for specific industries and potentially, specific organizations. 
Consider the role of pharmaceutical companies&#39; relevance to the US electorate in the years following the pandemic.</p><p><em>As of 2020, a Pew Research <a href="https://www.pewresearch.org/short-reads/2020/07/24/a-look-at-the-americans-who-believe-there-is-some-truth-to-the-conspiracy-theory-that-covid-19-was-planned/">survey</a> found that 71% of Americans had heard of the rumor that COVID-19 was intentionally planned, and up to 25% believed the statement was at least probably true. A 2021 <a href="https://www.kff.org/coronavirus-covid-19/press-release/covid-19-misinformation-is-ubiquitous-78-of-the-public-believes-or-is-unsure-about-at-least-one-false-statement-and-nearly-at-third-believe-at-least-four-of-eight-false-statements-tested/">KFF study</a> found that 78% of Americans were unsure about or believed at least 1 in 8 false statements presented to them about COVID-19, the pandemic, or vaccines. As of 2023, health misinformation continues to take its toll: <a href="https://www.cnn.com/2023/08/22/health/health-misinformation-poll/index.html">CNN reported</a> 20% of survey respondents believed it was definitely true that COVID-19 vaccines had killed more people than the virus itself. <a href="https://www.wsj.com/articles/russian-disinformation-campaign-aims-to-undermine-confidence-in-pfizer-other-covid-19-vaccines-u-s-officials-say-11615129200">Russian state-backed disinformation campaigns</a> were found to have targeted Pfizer and other vaccines; <a href="https://cepa.org/comprehensive-reports/post-mortem-russian-and-chinese-covid-19-information-operations/">China also targeted US vaccines</a> with disinformation about efficacy. Moreover, research <a href="https://www.nature.com/articles/s41598-022-10070-w">suggests</a> vaccine hesitancy was directly correlated with exposure to related misinformation.</em> </p><p>As demonstrated, mis- and disinformation can directly influence customer opinion and product uptake. 
Further, targeted disinformation campaigns may indirectly affect many businesses, influencing the reputation of industries your organization operates within. Organizations with a clear nexus to political topics would benefit most from a proactive election readiness effort, whereas others may be able to effectively leverage reactive plans for quick response surge efforts in the event of an emergency. If your organization is new to assessing the threat of disinformation and monitoring related risk, we recommend considering the following approach:</p><h3 id="1-enumerate-risk-and-allocate-resources"><u>1. Enumerate Risk and Allocate Resources</u></h3><ul><li>Assess your organization&rsquo;s relationship with the upcoming election cycle and related risk. This will enable you to appropriately allocate election readiness resources. Consider the following:<ul style="margin-top:0;margin-bottom:0;padding-inline-start:48px;"><li><em>What relationship does your organization, product, customer, partners, etc. have with politics? With either/both political parties? With topics related to the 2024 election?</em></li></ul></li><li>We've included a sample spectrum below to aid in assessing your organization&rsquo;s risk and deciding on a preparedness strategy. Topics related to the election should be continuously evaluated and updated, as the landscape changes over the course of the coming year. Examples included in this spectrum indicate historical trends that may impact the upcoming election; 2024 practitioner insights on trending topic tracking will be discussed in future blog posts.</li></ul><h2 id="allocating-election-readiness-resources-based-on-risk">Allocating Election Readiness Resources Based on Risk</h2><p><img src="https://cms.recordedfuture.com/uploads/Exev_1_dfb41e3669.png" alt="Exev 1.png"></p><h3 id="2-scoping-election-efforts-and-monitor-intel">2. 
<u>Scoping Election Efforts and Monitor Intel</u></h3><ul>    <li>Based on your organization&rsquo;s relationship with the upcoming election, decide what preparedness plans should be in place to manage risk. This will enable your organization to quickly take action in the event of political entanglement. Consider the following:        <ul>            <li><em>What external events are most likely to impact your organization? At what point would you be willing to take action? What actions might you and your security teams take in response to different events? How effective would different actions be in managing risk?</em></li>        </ul>    </li>    <li>We&rsquo;ve included a sample process below to aid in drafting your organization&rsquo;s response escalation plan, in the event election topics are likely to impact operations. Each organization carries its own election cycle risk, so this demonstration exemplifies a high level walk-through; election readiness efforts should replicate this escalation pathway with improved granularity specific to their organization.    </li></ul><h2 id="scoping-election-readiness-and-response-efforts-based-on-intelligence"><strong>Scoping Election Readiness and Response Efforts based on Intelligence</strong></h2><p><img src="https://cms.recordedfuture.com/uploads/unnamed_1_b504e52a80.png" alt="unnamed-1.png"></p><h3 id="3-monitor-outcomes-and-forecast">3. <u>Monitor Outcomes and Forecast</u></h3><ul>    <li>Based on your organization&rsquo;s response to the information ecosystem, carefully monitor community responses and business impact. Doing so will enable you to update your response playbook with effective responses for future engagements. Consider the following:        <ul>            <li><em>Does your organization have clear pathways to respond, if a risk has the possibility to cause significant harm? Do key players know their roles and responsibilities? Are there mechanisms for tracking corporate responses and efficacy? 
Are there related feedback processes to integrate lessons learned and improve playbooks?                </em></li>        </ul>    </li>    <li>We&rsquo;ve included a sample question below to aid in evaluating your organization&rsquo;s ability to respond to election related risks.    </li></ul><h2 id="forecast-emerging-risk-based-on-organizational-and-community-responses"><strong>Forecast Emerging Risk based on Organizational and Community Responses</strong></h2><p><img src="https://cms.recordedfuture.com/uploads/unnamed_079e858b71.png" alt="unnamed.png"></p><p>Preceding the 2024 Presidential election, business leaders should expect an increase in reputational risk resulting from information operations, disinformation campaigns, or political entanglement. Organizations operating with heightened risk, especially risk closely aligned with trending political topics, should prepare enhanced monitoring and response capabilities. Proactive risk monitoring should significantly precede elections, likely ramping up a year in advance. Monitoring trends and hot button issues may enable preemptive inoculation for inflammatory election season risks; whereas the efficacy of counter-messaging and fact checking is often debated, the promise of <a href="https://www.science.org/doi/10.1126/sciadv.abo6254">prebunking</a> - or debunking a rumor prior to its distribution - is reason for early engagement with the election cycle. A proactive stance may also present emerging opportunities for organizations to capitalize on, aligning their image with a dynamic social and political climate.</p>]]></content:encoded>
            <category>Blog</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/Main_Feature_8fbc57fd0b.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Annual Payment Fraud Intelligence Report: 2023]]></title>
            <link>https://www.recordedfuture.com/annual-payment-fraud-intelligence-report-2023</link>
            <guid>https://www.recordedfuture.com/annual-payment-fraud-intelligence-report-2023</guid>
            <pubDate>Thu, 21 Dec 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[2023's payment fraud trends predict a persistent underground market and evolving sophisticated cyber-fraud threats in 2024.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>In 2023, the payment fraud underground showed signs of recovery following Russian law enforcement&#39;s crackdown on domestic cybercriminals and the Russian invasion of Ukraine in 2022. The dark web carding shops saw a rebound in the volume of stolen payment cards, with 119 million cards posted for sale online. The median fraud charge was $79, resulting in $9.4 billion in preventable fraud losses for card issuers and $35 billion in potential chargeback fees for merchants and acquirers.</p><img src="https://cms.recordedfuture.com/uploads/annual_payment_fraud_intelligence_report_2023_year_review_47d772273d.jpg" alt="Annual payment fraud intelligence report 2023" style="margin: auto;" /><p>Fraudsters refined their techniques, using sophisticated social engineering tactics, phishing, scams, and advanced cyber-based tools like 3-D Secure bypass software. The report suggests that the trend toward hybrid cyber-fraud threats is likely to accelerate in 2024, requiring financial institutions and stakeholders to allocate resources for improved collaboration between cyber threat intelligence (CTI) and fraud teams.</p><p>Magecart actors continued to use Google Tag Manager, Telegram Messenger, and attack-carrier domains for e-skimmer infections in 2023. Restaurants, bars, and online ordering platforms were targeted, and phishing and scam pages gained prominence for card compromise. Most breaches and e-skimmer infections targeted US merchants, but a significant portion affected merchants in other countries with developed e-commerce sectors.</p><p>Threat actors engaged in card-testing activity, and workflows for 3DS bypass gained popularity in 2023. 
Cybercriminals utilized artificial intelligence workflows for fraud schemes, and social engineering tactics exploiting victims became more prevalent. Telegram sources became increasingly important for free full card data, but the threat remained lower compared to for-sale card data on dark web carding shops.</p><p>Looking ahead to 2024, fraudsters are expected to refine their tactics, continuing to compromise cards using both old and new methods. Stolen payment cards from North American and European financial institutions led in volume throughout 2023 and are likely to persist in 2024.   The report concludes that in 2024, fraudsters will likely combine sophisticated technical solutions, nuanced workflows, and social engineering tactics to bypass rules-based fraud detection.</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/cta%20-2023-1221.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/annual_payment_fraud_intelligence_report_2023_main_7cd8b57d2c.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Leading with Intelligence: Winning Against Credential Theft]]></title>
            <link>https://www.recordedfuture.com/leading-intelligence-winning-against-credential-theft</link>
            <guid>https://www.recordedfuture.com/leading-intelligence-winning-against-credential-theft</guid>
            <pubDate>Thu, 14 Dec 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Are security analytics the key to improving transparency and managing legal or compliance risks?]]></description>
            <content:encoded><![CDATA[<p><strong><em>Editor&#39;s note: The following blog post originally appeared on <a href="https://intelligence2risk.substack.com/">Levi Gundert&#39;s Substack page</a>.</em></strong></p><p><img src="https://cms.recordedfuture.com/uploads/leading_intelligence_winning_against_credential_theft_bird_5bf74dc1a2.png" alt="leading-intelligence-winning-against-credential-theft-bird.png"><em>Image provided by authors</em></p><p><strong>The following inspects the mechanics and economies of stolen credentials and current security approaches. We also dig into why intelligence matters greatly for enterprises committed to managing IAM cyber risk and potentially seizing competitive opportunities.</strong></p><p>The simplest method for obtaining unauthorized access to an information system is reusing stolen credentials. It&#39;s straightforward, doesn&#39;t require technical know-how, and generally, credentials are available for almost any network or service; thus, stolen credentials remain a hot commodity. Social engineering (e.g., <a href="https://www.forbes.com/advisor/business/phishing-statistics/">phishing</a>) and software <a href="https://blog.qualys.com/qualys-insights/2023/09/26/qualys-survey-of-top-10-exploited-vulnerabilities-in-2023">vulnerability exploitation</a> are also effective but require more effort and investment. Threat actors (this label sounds sophisticated, but the opposite is typically true) tend toward laziness, so purchasing or otherwise acquiring stolen credentials is often the first and most desirable option. </p><p>Since the dawn of modern computing, identity verification has been a <a href="https://www.sciencedirect.com/science/article/abs/pii/S1071581907000560">vexing challenge</a>, and smartphones have only compounded the problem. 
<a href="https://www.techtimes.com/articles/287578/20230213/apple-google-and-microsoft-are-pushing-passkeys-password-less-future.htm">Technology consortiums</a> continue to push for improved standards that obviate the need for passwords. Still, static credentials are stubbornly persistent, and multi-factor authentication (MFA) options only create a sliding scale of deterrence.</p><p><img src="https://cms.recordedfuture.com/uploads/leading_intelligence_winning_against_credential_theft_snake_illustration_9f1ac15f35.png" alt="Leading with Intelligence: Winning Against Credential Theft" style="margin: auto;" /><em>Image provided by authors</em><br></p><h3 id="identity-intelligence">Identity Intelligence</h3><p>Stolen credentials previously originated primarily from significant database breaches where passwords lived in plaintext or varying degrees of <a href="https://en.wikipedia.org/wiki/Salt_(cryptography)">hash</a> that were generally easy to recover. Today, credentials are stolen from web browsers via <a href="https://www.recordedfuture.com/initial-access-brokers-key-to-rise-in-ransomware-attacks">malicious infostealer code</a>. These malware families have names like RedLine and Vidar (marketing is essential when differentiating against competitors). Infostealers have been around for a decade or more. However, recently, bad actors realized infostealers effectively obtained credentials for business systems. </p><p>Of course, there is still plenty of money in ransomware and data extortion, so it&#39;s a match made in criminal heaven. These stolen credentials enable an entire ecosystem - sold in buyer-friendly markets - of derivative goods and services. Searching for and purchasing corporate credentials (SaaS, Remote Desktop, VPN, etc.) has never been easier. 
</p><p><img src="https://cms.recordedfuture.com/uploads/leading_intelligence_winning_against_credential_theft_report_8bfbc21e1a.png" alt="Russian Market" style="margin: auto;" /><em>Screenshot: Russian Market, courtesy of Recorded Future</em></p><p>It&#39;s tempting to believe that infostealers are a fringe problem, a victim domain of the irresponsible, but the magnitude of stolen data suggests otherwise. Recorded Future detected <strong>one billion</strong> compromised credentials in the first half of 2023 alone, many of which led to significant business risk impacts. Approximately <strong>50 credentials</strong> are stolen on average per compromised device, translating to roughly <strong>20 million compromised devices</strong> in six months. </p><p><img src="https://cms.recordedfuture.com/uploads/leading_intelligence_winning_against_credential_theft_chart_ba0fe782d3.png" alt="Infostealer initiated compromised credentials in 2023, courtesy of Recorded Future" style="margin: auto;" /><em>Chart: Infostealer initiated compromised credentials in 2023, courtesy of Recorded Future</em></p><p>Of course, many of these credentials ripped from web browser authentication events lead to account takeover (ATO) of consumer services (think free movie binging, fraudulent payments, or social media contact spamming). However, enormous amounts of purloined business system credentials (e.g., VPN access, email passwords, etc.) often create derivative access to higher-value targets, like corporate infrastructure. </p><p><img src="https://cms.recordedfuture.com/uploads/leading_intelligence_winning_against_credential_theft_stolen_credentials_chart_06d7ea02ba.png" alt="Chart: volumes of stolen credentials segmented by business system categories, courtesy of Recorded Future" style="margin: auto;" /><em>Chart: volumes of stolen credentials segmented by business system categories, courtesy of Recorded Future</em></p><p>How does an infostealer end up on a perfectly healthy computer? 
Millennials that came of age during the height of peer-to-peer (P2P) file sharing - Napster, LimeWire, Gnutella, etc. (<a href="https://en.wikipedia.org/wiki/Kazaa">Kazaa</a>, anyone?) remember that downloading music was treacherous, as files were often viruses in disguise. The situation hasn&#39;t changed much other than that P2P file sharing is less popular as kids now download directly from web servers, often in search of games and game add-ons. For example, when an employee takes their laptop home (or stays home post-Covid) and their child surreptitiously downloads the latest free Minecraft add-on, the installation file may include an infostealer. The infostealer works quickly, exporting pages of credentials to a central server for cataloging and sale.</p><p><a href="https://www.oxfordlearnersdictionaries.com/us/definition/english/malvertising#:~:text=%5Buncountable%5D,advertisement%3B%20online%20advertisements%20containing%20malware">Malvertising</a> and spam also account for partial infostealer installation success. Malvertising campaigns are not limited to popular games and cheats. Malvertising also targets victims with scareware (“Install this Chrome update or bad things will happen to you”), running campaigns linked to trending office and productivity software, and related updates.</p><p><img src="https://cms.recordedfuture.com/uploads/leading_intelligence_winning_against_credential_theft_malvertising_campaign_trends_42638bffa9.png" alt="Chart: Malware filenames and malvertising campaign trends, courtesy of Recorded Future" style="margin: auto;" /><em>Chart: Malware filenames and malvertising campaign trends, courtesy of Recorded Future</em></p><p>Tragically, anti-virus software typically does little to slow these infostealers down, as the chart below demonstrates. 
</p><p><img src="https://cms.recordedfuture.com/uploads/antivirus_software_indexed_charts_524c7088f9.png" alt="Chart: anti-virus software installed on infostealer-infected systems" style="margin: auto;" /><em>Chart: anti-virus software installed on infostealer-infected systems</em></p><h3 id="security-challenges">Security Challenges</h3><p><a href="https://csrc.nist.gov/glossary/term/mfa">Multi-factor authentication (MFA)</a> has emerged as a partial identity and access management (IAM) solution in B2B and B2C, but the implementations often require meticulous oversight. Infostealers grab web session cookies and other meta-data to facilitate session cloning. SMS-delivered validation codes are susceptible to SIM swapping, and humans remain a weak point in mobile app authorization due to a desire to be helpful or eliminate nagging prompts (<a href="https://arcticwolf.com/resources/blog/growing-risk-of-mfa-fatigue-attacks/#:~:text=MFA%20fatigue%2C%20also%20referred%20to%20as%20prompt%20bombing%2C%20push%20bombing%2C%20notification%20fatigue%2C%20or%20MFA%20fatigue%20attack%2C%20refers%20to%20the%20overload%20of%20prompts%20or%20notifications%20a%20victim%20receives%20via%20MFA%20applications%20during%20the%20attack.">prompt fatigue</a>). </p><p>On the far end of the security spectrum, <a href="https://www.nytimes.com/wirecutter/reviews/best-security-keys/">hardware tokens</a> are the most effective at preventing MFA bypasses, but they represent cultural challenges in most industries outside of technology. The overhead cost of replacing hardware tokens for remote employees when lost or forgotten is a non-starter for many businesses. The advent of <a href="https://fidoalliance.org/tech-times-apple-google-and-microsoft-are-pushing-passkeys-password-less-future/">passkey</a> technology offers a promising alternative, but broad adoption will likely require a forcing function. 
</p><p>In addition to MFA, <a href="https://www.recordedfuture.com/products/identity-intelligence">identity intelligence</a> automated into IAM solutions (e.g., <a href="https://azuremarketplace.microsoft.com/en-us/marketplace/apps/recordedfuture1605638642586.recorded_future_identity_solution?tab=Overview">Microsoft Azure AD</a>, <a href="https://www.okta.com/integrations/recorded-future/">Okta Workflows</a>, etc.) is required for quick detection and remediation when infostealers experience success targeting employee systems.   </p><h3 id="the-risks">The Risks</h3><p>How should businesses think about managing IAM and the risk impacts from IAM failures? </p><p>In B2C, <a href="https://blog.sift.com/report-digital-trust-safety-index-account-takeover-fraud-and-the-growing-burden-on-business/">sponsored research suggests</a> consumers are security conscious, particularly around ATO. Yet, where consumers have options, as in U.S. financial services, there is little incentive to care about ATO because consumers rarely bear the final cost of fraud (beyond time, which amounts to mild frustration). That paradigm is unlikely to change anytime soon. </p><p>In B2B, there is scant evidence (one recent <a href="https://connect.sustainalytics.com/hubfs/INV/Thought%20Leadership/Sustainalytics_The%20Impact%20of%20Cyberattacks%20on%20Stock%20Prices_Sep%202022.pdf">study</a> suggests a different conclusion) that a data breach has a long-term impact on reputation primarily because enterprise security is complex. All businesses experience varying degrees of security event impact. Even publicly traded companies don&#39;t experience <a href="https://hbr.org/2015/03/why-data-breaches-dont-hurt-stock-prices">sustained share price devaluation</a> after large-scale data breaches. </p><p>A ChatGPT summary of revenue loss caused by the recent <a href="https://therecord.media/progress-new-file-transfer-vulnerability">MOVEit vulnerabilities</a> reveals even brand impairment has a short life. 
</p><blockquote><p>The MOVEit file transfer vulnerabilities do not appear to have created significant revenue loss for Progress Software, the company behind MOVEit. According to estimates, MOVEit Transfer and MOVEit Cloud accounted for less than 4% of the company&#39;s annual revenue. Furthermore, Progress Software reported that the business impact from the MOVEit attack was minimal, despite the exploitation of a zero-day vulnerability that affected more than 2,100 organizations and exposed the data of at least 62 million people. The company reported $951,000 in expenses related to the cyber incident and vulnerability response.</p></blockquote><p>However, IAM failures may cause significant legal or compliance failure risk impacts due to the increasingly aggressive evolutions of privacy-based regulatory regimes and lawsuits/class actions. </p><p>Additionally, the <a href="https://www.thomsonreuters.com/en-us/posts/government/sec-cybersecurity-rules/">SEC&#39;s new reporting requirements</a> are ushering in a new age of coerced transparency. Following meaningful cyber incidents, even partial movement away from the confines of legal privilege to public reporting could usher in a new era of transparency value where robust security analytics provide evidence of risk management efforts.</p><p><img src="https://cms.recordedfuture.com/uploads/sec_reporting_requirements_dd463c4d3c.png" alt="Chart: recent results for SEC form 8-k filings that contain item 7.01 or item 8.01, courtesy of Recorded Future" style="margin: auto;" /><em>Chart: recent results for SEC form 8-k filings that contain item 7.01 or item 8.01, courtesy of Recorded Future</em></p><p>Businesses may also see an opportunity to gain a competitive advantage in crowded markets by publicly providing near real-time security analytics, which could improve security resourcing while bolstering the reputations of companies committed to transparency. 
</p><p>The emphasis on transparency will be particularly relevant for critical industry vendors and suppliers. One recent example is the <a href="https://www.ntia.gov/page/software-bill-materials">SBOM (Software Bill of Materials)</a> movement designed to create more transparency in software supply chains. Frequently publishing IAM security analytics would also demonstrate transparency within a long-term commitment to security and privacy, which will only help mitigate future legal or compliance risk impacts.</p><p><img src="https://cms.recordedfuture.com/uploads/leading_intelligence_winning_against_credential_theft_owl_locks_key_illustration_e592fd67a4.png" alt="leading-intelligence-winning-against-credential-theft-owl-locks-key-illustration.png"><em>Image provided by authors</em></p>]]></content:encoded>
            <category>Blog</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/leading_intelligence_winning_against_credential_theft_main_1643936eaa.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Aggressive Malign Influence Threatens to Shape US 2024 Elections]]></title>
            <link>https://www.recordedfuture.com/aggressive-malign-influence-threatens-us-2024-elections</link>
            <guid>https://www.recordedfuture.com/aggressive-malign-influence-threatens-us-2024-elections</guid>
            <pubDate>Thu, 14 Dec 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Russia, China, Iran, domestic violent extremists (DVEs), and hacktivist groups will very likely conduct influence operations at varying levels of magnitude and sophistication to shape or disrupt the United States (US) 2024 elections in pursuit of strategic geopolitical goals.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>New Insikt Group research outlines malign influence threats to the United States&#39;s 2024 elections from various actors, including Russia, China, Iran, domestic violent extremists (DVEs), and hacktivist groups. These entities are expected to engage in influence operations to shape or disrupt the elections for strategic geopolitical purposes. The dynamic global backdrop, including Russia&#39;s war with Ukraine, Israel&#39;s conflict with Iran-supported Hamas, China&#39;s assertiveness on Taiwan, and social media content moderation controversies, creates a conducive environment for aggressive targeting of the 2024 US elections.</p><p>The identified overarching influence trends include increasing polarization and undermining confidence in US democratic institutions, reducing domestic support for aiding US allies, and undermining political candidates with unfavorable policies while promoting those with favorable policies. Influence operations are anticipated to employ historical and innovative tactics, including cyber-enabled operations and the integration of generative artificial intelligence. 
</p><p>Additionally, the report warns of the likelihood of DVEs physically attacking and threatening election personnel or infrastructure and an increase in false information surrounding US-deployed voting technologies and voting systems manufacturers from domestic sources as the 2024 elections approach.</p><p><img src="https://cms.recordedfuture.com/uploads/malign_influence_threatens_2024_us_elections_joe_biden_729bcfc106.png" alt="Aggressive Malign Influence Threatens to Shape US 2024 Elections" style="margin: auto;" /><em>Screenshot of RT&#39;s parody video “The 11th Package of Anti-Russian Sanctions Challenge” featuring a deepfake of US president Joe Biden (Source: <a href="https://www.rt.com/rt-promo-2022-en/#sanctions">RT</a>)</em></p><p>The spread of false and manipulated information by state and non-state actors has the potential to influence voter behavior and impact election outcomes. Insikt Group&#39;s findings emphasize that even unsuccessful influence activities can damage public trust in democratic institutions. Advanced actors may leverage official announcements and events opportunistically in pursuit of their objectives.</p><p>To counter these threats, a whole-of-government approach integrated with private industry is recommended. This involves publicly identifying, announcing, and refuting false information related to the elections. Prebunking, or proactively addressing misinformation, is suggested as a method to enable the public to discern credible information. Awareness among government officials, public figures, and business executives, along with pre-planned playbooks and responses, is deemed crucial to mitigating risks associated with influence activities.</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/ta-2023-1214.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/aggressive_malign_influence_threatens_us_2024_elections_main_6d69e9bd91.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Obfuscation and AI Content in the Russian Influence Network “Doppelgänger” Signals Evolving Tactics]]></title>
            <link>https://www.recordedfuture.com/russian-influence-network-doppelgangers-ai-content-tactics</link>
            <guid>https://www.recordedfuture.com/russian-influence-network-doppelgangers-ai-content-tactics</guid>
            <pubDate>Tue, 05 Dec 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group® tracks ongoing malign influence activity by Russia-linked Doppelgänger network, targeting Ukrainian, US, and German audiences via fake news sites and social media.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>New Insikt Group research examines an ongoing operation by the Russia-linked influence network called Doppelgänger. The operation targets audiences in Ukraine, the United States (US), and Germany through inauthentic news sites and social media accounts. Doppelgänger&#39;s tactics reveal a high level of sophistication, incorporating advanced obfuscation techniques and likely utilizing generative artificial intelligence (AI) to create deceptive news articles.</p><p><img src="https://cms.recordedfuture.com/uploads/russian_influence_network_doppelgangers_ai_content_tactics_posts_8e79c52e7b.png" alt="North Korean State-Sponsored Activity Targeting Cryptocurrency" style="margin: auto;" /> <em>Doppelgänger articles dated Nov. 10, 2023, impersonating UNIAN. (Left) Translated: “They Again Want to Make Donkeys out of Us”; (Right) Translated: “The money ran out.” The inauthentic UNIAN domain is highlighted in orange. (Source: Inauthentic UNIAN (<a href="https://web.archive.org/web/20231112183112/https://www.unian.pm/politics/iz-nas-snova-hotjat-sdelat-oslov.php">archived</a>, <a href="https://web.archive.org/web/20231112183235/https://www.unian.pm/politics/dengi-konchilis.php">2</a>))</em></p><p>The first campaign identified by Insikt Group targeted Ukrainian audiences, employing hundreds of social media accounts engaged in Coordinated Inauthentic Behavior (CIB). These accounts shared links to inauthentic articles impersonating reputable Ukrainian news organizations, spreading narratives undermining Ukraine&#39;s military strength and political stability.</p><p>In subsequent campaigns targeting US and German audiences, Doppelgänger created six original but inauthentic news outlets producing malign content. 
The US-focused campaign aimed to exploit societal and political divisions ahead of the 2024 US election, fueling anti-LGBTQ+ sentiment, criticizing US military competence, and amplifying political divisions around US support for Ukraine. The German-focused campaign highlighted Germany&#39;s economic and social issues, intending to weaken confidence in German leadership and reinforce nationalist sentiment.</p><p>Doppelgänger&#39;s adaptability exemplifies the enduring nature of Russian information warfare, with a strategic focus on gradually shifting public opinion and behavior. The use of generative AI for content creation signifies an evolution in tactics, reflecting the broader trend of leveraging AI in information warfare campaigns. As the popularity of generative AI grows, malign influence actors like Doppelgänger are very likely to increasingly employ AI for scalable influence content.</p><p>The findings emphasize the importance of continued collaboration and public reporting across sectors to raise awareness and enhance online literacy in countering malign influence. Media organizations, in particular, are encouraged to proactively monitor for brand abuse during such operations and issue takedowns where appropriate. Despite the exposure of Doppelgänger&#39;s activities, its ongoing evolution and use of AI suggest potential long-term societal impacts, including the erosion of public trust and increased polarization.</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/ta-2023-1205.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/russian_influence_network_doppelgangers_ai_content_tactics_3227c8806c.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Crypto Country: North Korea’s Targeting of Cryptocurrency]]></title>
            <link>https://www.recordedfuture.com/crypto-country-north-koreas-targeting-cryptocurrency</link>
            <guid>https://www.recordedfuture.com/crypto-country-north-koreas-targeting-cryptocurrency</guid>
            <pubDate>Thu, 30 Nov 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[In a new report, Recorded Future’s Insikt Group examines North Korea’s success in its cybercriminal operations targeting the cryptocurrency industry.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>In a new report, Recorded Future&#39;s Insikt Group examines North Korea&#39;s success in its cybercriminal operations targeting the cryptocurrency industry. Since 2017, North Korea has significantly increased its focus on the cryptocurrency industry, stealing an estimated $3 billion worth of cryptocurrency. Initially successful in stealing from financial institutions through the hijacking of the SWIFT network, North Korea shifted its attention to cryptocurrency during the 2017 bubble, starting with the South Korean market and later expanding globally. In 2022 alone, North Korean threat actors were accused of stealing $1.7 billion in cryptocurrency, equivalent to 5% of the country&#39;s economy or 45% of its military budget. The stolen funds, often laundered using methods similar to traditional cybercriminal groups, contribute to the regime&#39;s revenue, allowing it to operate despite international sanctions.</p><p><img src="https://cms.recordedfuture.com/uploads/crypto_country_north_koreas_targeting_cryptocurrency_data_4ce524c61a.png" alt="North Korean State-Sponsored Activity Targeting Cryptocurrency" style="margin: auto;" /> <em>North Korean state-sponsored activity targeting the cryptocurrency industry (Source: Recorded Future Intelligence Cloud)</em></p><p>North Korean threat actors, supported by the state, engage in operations that mirror those of other cybercriminal groups but operate on a larger scale, with 44% of stolen cryptocurrency in 2022 attributed to them. Targets include not only cryptocurrency exchanges but also individual users, venture capital firms, and alternative technologies. Those operating in the cryptocurrency industry, as well as traditional finance entities, are advised to be vigilant. 
Stolen cryptocurrency is often converted into fiat currency, and North Korean threat actors use various methods, including stolen identities and altered photos, to evade anti-money laundering measures.</p><p>The regime views cryptocurrency theft as a major revenue source, particularly for funding military and weapons programs. While the exact amount used for ballistic missile launches is unclear, both the volume of stolen cryptocurrency and missile launches have risen. Without stronger regulations, cybersecurity measures, and investments in cybersecurity for cryptocurrency firms, North Korea is likely to persist in targeting the industry for additional revenue. Despite restrictions on movement and isolation of the general population, the regime&#39;s elite and highly trained computer science professionals with privileged access to technology play a crucial role in conducting cyberattacks against the cryptocurrency industry.</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-1130.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/crypto_country_north_koreas_targeting_cryptocurrency_main_5c879bd79d.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[As Black Friday Approaches, 3 Key Trends Offer Insights for Mitigating Online Shopping Scams]]></title>
            <link>https://www.recordedfuture.com/black-friday-trends-insights-mitigating-online-shopping-scams</link>
            <guid>https://www.recordedfuture.com/black-friday-trends-insights-mitigating-online-shopping-scams</guid>
            <pubDate>Wed, 22 Nov 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group's analysis of high-impact scam website campaigns before Black Friday reveals key scammer themes and protective measures for consumers and businesses.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>As Black Friday and the holiday shopping season approach, the threat of online scams is on the rise, with a 22% increase in consumer scam losses <a href="https://home.barclays/news/2023/10/barclays-warns-22-per-cent-surge-black-friday-scams/">reported</a> during the 2022 Black Friday and Cyber Monday sales. Recorded Future&#39;s Insikt Group has analyzed recent high-impact scam website campaigns, revealing three key themes in how scammers operate and offering insights into how consumers and businesses can protect themselves.</p><p>Online shopping scams pose significant financial fraud risks, with reported US losses ranging from <a href="https://www.ftc.gov/business-guidance/blog/2023/02/ftc-crunches-2022-numbers-see-where-scammers-continue-crunch-consumers">$8.8 billion</a> to <a href="https://www.fbi.gov/contact-us/field-offices/springfield/news/internet-crime-complaint-center-releases-2022-statistics">$10.3 billion</a> in 2022. These scams not only impact consumers but also pose risks to financial institutions, payment processors, and digital retailers, eroding consumer trust and potentially leading to brand impairment. 
A 2023 <a href="https://baymard.com/lists/cart-abandonment-rate">study</a> found that 19% of shoppers abandoned their carts due to concerns about the security of payment card data on websites.</p><img src="https://cms.recordedfuture.com/uploads/black_friday_trends_insights_mitigating_online_shopping_scams_key_scam_themes_01f0491da7.jpg" alt="3 Key Scam Themes" style="margin: auto;" /><p><em><center>Insikt Group&#39;s analysis of scam website campaigns revealed three key themes in how scammers establish and operate scam websites, why they use these tactics, and what these themes mean for victims and businesses (Source: Recorded Future)</center></em></p><p>Scam website campaigns rely on social engineering and scale for success, making identification, analysis, and customer awareness crucial for prevention. Businesses are advised to solicit scam website leads from customers as a foundational strategy. Mitigation efforts may increase operating costs, so tailored approaches are recommended. Increasing customer awareness is seen as beneficial for all businesses, with marginal increases in operating costs for communication management. On the other hand, significant investments in scam campaign identification and analysis are most likely to benefit financial institutions, major digital retailers, and businesses in the e-commerce and payments industries.</p><p>Looking ahead, the use of generative artificial intelligence (AI) is expected to amplify the threat of scam websites, lowering entry barriers for scammers who can swiftly generate content and ad lures. As shoppers seek holiday deals on Black Friday, scammers are poised to exploit the opportunity through scam e-commerce websites and phishing pages. While scammers employ cookie-cutter methods and open-source tools to scale their operations, businesses may use these patterns for potential detection. 
Despite the use of open-source tools, scammers also employ sophisticated methods for disseminating scams, cashing out victims&#39; payment cards and crypto wallets, and stealing victim data. Understanding and exploiting consumer psychology remains a key aspect of scammers&#39; tactics to maximize the impact of their scams.</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-1122.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/black_friday_trends_insights_mitigating_online_shopping_scams_main_04b6039263.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[The Art of Defending Your Attack Surface]]></title>
            <link>https://www.recordedfuture.com/blog/art-defending-your-attack-surface</link>
            <guid>https://www.recordedfuture.com/blog/art-defending-your-attack-surface</guid>
            <pubDate>Wed, 15 Nov 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Gain insights from Matt Bittick on defending your digital attack surface in our webinar recap—see how Recorded Future can help with prioritization and risk reduction.]]></description>
            <content:encoded><![CDATA[<p>Digital transformation initiatives across all verticals and organizations have caused an increase in the complexity and volume of internet-facing assets. This change brings up the question of how can security teams build processes around assets that they can&#39;t see, or don&#39;t even know exist?</p><p>We sat down with Matt Bittick, the head of the Attack Surface Risk Management program at Cummins, to discuss strategies and methodologies for <a href="https://www.recordedfuture.com/solutions/attack-surface">protecting your expanding digital attack surface</a>, and how utilizing Recorded Future can help with prioritization and risk reduction. </p><p><strong>(Recorded Future) Before using Recorded Future, how were you attempting to secure your attack surface?</strong></p><p>(Matt) Painstakingly. Using open source tooling is kind of the easiest way. We try to get from the business what they know in our inventory management systems. Spoiler alert, it&#39;s not much, and then we work from there. A lot of Nmap, Kali Linux, built-in tools as well. Reconning, and just trying to build out what that inventory could even be and find everything. It was very labor intensive. </p><p><strong>For many organizations, it takes over 80 hours to perform their attack surface discovery. Is that something you were finding as well?</strong></p><p>Yeah, that&#39;s exactly right, we found on average we&#39;re spending about 80 hours. The old adage in the intelligence community is when intelligence is neither timely or actionable, it&#39;s just news and it&#39;s old news at that. So spending that long to find something in a space that&#39;s dynamic, like your attack surface, that&#39;s not ideal.<br></p><hr><h5 id="enjoying-what-youre-reading-so-far-watch-the-full-fireside-chat-video"><em>Enjoying what you&#39;re reading so far? 
<a href="https://go.recordedfuture.com/protecting-the-digital-attack-surface">Watch the full fireside chat video</a>!</em></h5><hr><p><br><strong>After implementing Recorded Future <a href="https://www.recordedfuture.com/products/attack-surface-intelligence">Attack Surface Intelligence</a>, how has that helped improve your visibility and efficiency?</strong></p><p>Immensely. We talked about the efficiency piece and about all the labor that would go in just for inventory and mapping. It&#39;s significant, right? So cutting that out, and now it&#39;s all ready for me in the morning. I can come in, I know what the attack surface is, cause it&#39;s already been done. I don&#39;t have to spend all day plugging away in a command line interface just to find some assets. </p><p>One big difference that we found compared to when I started when we were doing this manually, and now I&#39;m pretty confident in my ability to conduct reconnaissance on an organization, but we still found that there was a delta of about 20% of the attack surface that I wasn&#39;t finding on any given day. </p><p>There&#39;s multiple reasons for it, but I&#39;m also confident that any person whose career is malicious exploitation of somebody&#39;s organization for cybercrime, they&#39;re probably better at it than me. So we want to have the best image that can be produced, and I find that incredibly valuable from the product.</p><p><strong>What do you need to have a successful Attack Surface Risk Management program?</strong></p><p>You know it&#39;s a really great question, and I think visibility, <a href="https://www.recordedfuture.com/level-up-digital-asset-management">asset inventory</a>, and the mapping is the start of your journey. We believe that you need workflows, you need processes, and you need ways of handling that. So to be successful, you need to not only know what your problems are, but also how to deal with them. 
</p><p>We have two main problem statements when we&#39;re looking at this attack surface problem: </p><ul><li>What is our attack surface?</li><li>And then how do we secure it?</li></ul><p>There&#39;s also a couple of different actions you take, whether it&#39;s remediation or reduction. We love reduction. If it can&#39;t be on the Internet. Great. Let&#39;s get it off there.</p><p><strong>How would you describe the importance of protecting your digital attack surface, and the role that Recorded Future plays in that protection?</strong></p><p>I think there&#39;s kind of a three-pronged approach when you&#39;re showing the importance of an attack surface program to your CISO. First, I always try to <a href="https://www.recordedfuture.com/reduce-attack-surface-complexity">paint a picture for the CISO</a>. The organization is their castle, right? And they&#39;re sitting there defending it. I think the best way to even pitch the idea of attack surface to a CISO is to show what it is and come prepared with the measurement of this is how much of your castle is just open. Is there a big old hole in the wall? If 50% of the castle&#39;s penetrable or just has an open door, there&#39;s not much point to the castle.</p><p>The second piece is then showing how you&#39;re going to take action on that, and the processes you&#39;re building and the way it&#39;s going to be done. I think that&#39;s where Recorded Future comes in, both in showing the original attack surface, but also in the value it brings. For me, what I think is really key is the fact that Recorded Future Attack Surface Intelligence is more than integrated, it&#39;s a part of our <a href="https://www.recordedfuture.com/threat-intelligence">cyber threat intelligence</a> platform so we can take that risk assessment to the next level. </p><p>When you&#39;re looking at two different vulnerabilities that are possibly both critical per the CVSS score, which one&#39;s more important? 
Well, probably the one that the APT who&#39;s interested in your type of organization or industry and it&#39;s a part of their <a href="https://www.recordedfuture.com/tactical-threat-intelligence">TTPs</a>, or it&#39;s being actively used in your <a href="https://www.recordedfuture.com/new-capabilities-threat-landscape-prioritize-threats">threat landscape</a>. We really want to go after that first. When you can show how in a resource constrained environment where you need to rack and stack your priorities, I think that&#39;s key. I&#39;m sure there&#39;s nobody in the audience who feels like they have enough resources. </p><p>The third piece is to show the value that it brings to your organization. As you bring these processes online, map that attack surface, then measure it, understand how big it is and measure the problems that exist within it. And then you can present the value in the reduction of your overall attack surface. That&#39;s why we refer to my role as a risk reduction role, because we&#39;re showing how maybe our attack surface is expanding, but our risk profile is constricting. And that&#39;s really where you start to show the value of an attack surface tool and an attack surface program.</p><p>I&#39;ll also say this, I don&#39;t think you have to do all 3 of those things in one presentation. That evolves over time, it certainly did for us. When I first came we had the problem of &quot;Hey, we have an attack surface. We don&#39;t know what it is. We don&#39;t know what to do about it.&quot; So it took a whole lot of build up to reach those points. And I think that as long as you&#39;re keeping those touch points with your CISO and helping them understand what the risk is and what could happen if we don&#39;t do anything about it. 
</p><p><strong>Why do exposed admin panels present a big risk along your attack surface?</strong> </p><p>With <a href="https://www.recordedfuture.com/dangers-of-exposed-login-panels">exposed admin panels</a>, it&#39;s kind of an interesting conversation, but it&#39;s a direct interface into that software platform. You may see varying types of Apache, Drupal, sometimes even admin panels for firewalls. The reason that&#39;s a problem is, there&#39;s always the potential for out of the box configurations not being changed. So if you have default credentials, what was the point for deploying a firewall? That&#39;s always a key risk, but assuming you have a little more mature processes and somebody didn&#39;t mess up, things happen. Sometimes even the most expert person can make a mistake, maybe they didn&#39;t have enough coffee that day. </p><p>Additionally, there&#39;s brute forcing potential. Why open something up that really doesn&#39;t have a need to be external to begin with. We have VPNs, we have remote administration. You can come into your internal environment from your own home nowadays and navigate your admin panel that way, instead of just having these logins available for brute forcing. That&#39;s a huge issue that you could just mitigate by saying &quot;Hey, let&#39;s just take this off. Let&#39;s just move this inside.&quot; </p><p><strong>When we look at successfully protecting the attack surface, what does that look like? Is there an end state?</strong></p><p>That&#39;s almost the first question I got asked by my CISO when we started looking at this problem. And the answer is that the attack surface is way too dynamic for it to ever be an end-state objective. I personally believe that there&#39;s goals for management to get to an acceptable level. In the risk space, you&#39;ll never have zero risk. There&#39;s always going to be residual risk. And even if you do hit zero, it&#39;s not going to stay there. </p><p>Unfortunately, well fortunately for the world, the cloud exists. Cloud is a fantastic business tool. 
But Cloud is on and off, you know. It&#39;s incredibly dynamic and things shift so often and the ability for the company to be so elastic in <a href="https://www.recordedfuture.com/the-cloud-has-complicated-attack-surface-management">expanding its attack surface</a> at such a rapid rate is critical. So to reach an end state, that goalpost is never going to be sitting still. You&#39;re always going to be chasing the next thing and driving that wave of risk down, but we do believe that you can have it within a certain margin that&#39;s acceptable for both the cybersecurity organization and the business to operate with.</p>]]></content:encoded>
            <category>Blog</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/art_defending_your_attack_surface_main_bc8c9bc6a2.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Improving Automation and Accessibility Drive $100 Billion in Projected Ad Fraud Losses]]></title>
            <link>https://www.recordedfuture.com/improving-automation-accessibility-drive-ad-fraud-losses</link>
            <guid>https://www.recordedfuture.com/improving-automation-accessibility-drive-ad-fraud-losses</guid>
            <pubDate>Tue, 14 Nov 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Ad fraud, amplified by automation and accessible bot software, inflates ad metrics for personal gain, lowering entry barriers and escalating its threat.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Ad fraud, driven by automation, is a pervasive issue in online advertising, involving the inflation of performance metrics through automated bot software and tools. The increasing accessibility of automation solutions has lowered barriers to entry for fraudsters, making ad fraud a more significant threat. Ad fraud results in significant financial losses, estimated to reach $100 billion by the end of 2023, directly impacting advertisers and publishers. Consequences include skewed metrics, inaccurate targeting, and deceptive lead submissions. The credibility of the programmatic advertising industry is at stake, posing a risk of brand impairment for ad tech companies and intermediaries.</p><p><img src="https://cms.recordedfuture.com/uploads/methbot_3ve_workflow_2c649a5f2f.png" alt="methbot-3ve-workflow.png"><em>Despite differences in execution, Methbot and 3ve were both sophisticated ad fraud operations that relied on the establishment and maintenance of formidable bot infrastructure capable of imitating human activity (Source: <a href="https://cdn2.hubspot.net/hubfs/3400937/Resources/WO_Methbot_Operation_WP.pdf">HUMAN</a>; <a href="https://services.google.com/fh/files/blogs/3ve_google_whiteops_whitepaper_final_nov_2018.pdf">Google, HUMAN</a>)</em></p><p>To mitigate ad fraud, stakeholders are urged to implement automated solutions that detect and prevent invalid traffic (IVT). Ensuring advertisers access information for identifying ad spend inefficiencies and employing threat intelligence is crucial. 
Looking ahead, the impact of ad fraud is expected to grow alongside the online advertising market, with artificial intelligence (AI) playing an increasingly significant role.</p><p>Automation and ad fraud, directly linked with programmatic advertising, directly impact advertisers and publishers, causing distorted metrics and misleading analytics. Leveraging AI to detect and prevent invalid traffic and ad fraud is crucial. The tools and techniques employed by fraudsters, accessible and likely to become more sophisticated with AI development, require stakeholders to adopt proactive strategies in recognition of the evolving nature of ad fraud and cybercriminal tools.</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-1113.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/improving_automation_accessibility_drive_100_billion_projected_ad_fraud_losses_main_4ff57f8776.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Veterans Day: Celebrating Stories of Service and Success]]></title>
            <link>https://www.recordedfuture.com/blog/veterans-day-celebrating-stories-service-success</link>
            <guid>https://www.recordedfuture.com/blog/veterans-day-celebrating-stories-service-success</guid>
            <pubDate>Thu, 09 Nov 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Celebrate Veterans Day with Recorded Future, spotlighting the stories of service and success of our veteran members, showcasing their unique experiences and contributions.]]></description>
            <content:encoded><![CDATA[<p>Every individual&#39;s story adds to the rich tapestry of experiences and backgrounds that our company is made of. From our vibrant recognitions during <a href="https://www.recordedfuture.com/erg-stories-apida-heritage-month-2023">Asian Pacific Islander Desi American (APIDA)</a>, <a href="https://www.recordedfuture.com/erg-stories-hispanic-heritage-month-2023">Hispanic Heritage</a>, <a href="https://www.recordedfuture.com/erg-stories-pride-month-2023">Pride</a>, <a href="https://www.recordedfuture.com/erg-stories-women-history-month-2023">Women</a> and <a href="https://www.recordedfuture.com/erg-stories-black-history-month-2023">Black History</a> months, we now spotlight our Veterans group.</p><p>Veterans Day, observed in the U.S. every November 11, is a moment to honor and thank all military veterans who have served in the United States Armed Forces and around the world internally. This year, we were thrilled to present the <a href="https://www.recordedfuture.com/veterans-day">2nd Annual U.S. National Veterans Day Celebration</a> on Nov. 10, in collaboration with the <a href="https://www.toshf.org/">Old Soldiers Home Foundation</a>. This event, hosted at the Armed Forces Retirement Home in Northwest Washington, D.C., is an incredible gathering of military veterans residing at the home including locally based veterans, actively serving military members, and supporters from various industries.</p><p>Join us as we share some of their stories. 
Through these stories, we aim to illustrate why our company is more than just a great place to work; it&#39;s a place where veterans can thrive, grow, and make an impact.</p><h3 id="covering-the-basics">Covering the Basics</h3><p>In honor of Veterans Day, we interviewed three of our Veterans ERG members: John Percic, Natalie Albright, and Will Cunha.</p><p><img src="https://cms.recordedfuture.com/uploads/veterans_day_john_percic_natalie_albright_will_cunha_538c3395cd.png" alt="veterans-day-john-percic-natalie-albright-will-cunha.png"><em>(From left, Intelligence Consultants John Percic and Natalie Albright, and Will Cunha, Senior Manager, Enterprise Security)</em></p><blockquote><p>&quot;Half of my job is mastering the platform and applying it to client use cases, but perhaps the more important half is developing and maintaining relationships with clients and building partnerships with them.&quot; - John Percic</p></blockquote><p>John has been at Recorded Future for over a year. As an Intelligence Services consultant, he ensures clients are getting the most out of our solutions. Prior to Recorded Future, he worked in a number of different capacities for the Department of Defense. He was an Arabic Linguist and Human Intelligence Collection, worked with the NSA, DIA, and with USCYBERCOMMAND, where he gained his knowledge of cyber security and threat intelligence.</p><p><img src="https://cms.recordedfuture.com/uploads/john_percic_wadi_rum_jordan_studied_arabic_ce869b3b9c.png" alt="john-percic-wadi-rum-jordan-studied-arabic.png"><em>John in Wadi Rum, Jordan, where he studied Arabic</em></p><blockquote><p>&quot;I ensure I am providing the best possible service to our clients and identify gaps that Recorded Future may be able to help fill.&quot; - Natalie Albright</p></blockquote><p>Natalie started at Recorded Future in January 2022. As a consultant on the public sector team, she works closely with government clients to help them reach their security goals. 
Prior to this role, she served on active duty in the U.S. Navy from 2012-2019 as an intelligence analyst specializing in imagery analysis. In her off time, she made a point of trying local delicacies from guinea pig, to alpaca, and beef heart. She&#39;s a mom to two daughters, and recently graduated with her master&#39;s degree in business management - all that on the side of her day-to-day responsibilities.</p><blockquote><p>&quot;My primary responsibilities are the security of all non-product systems and services such as endpoints and business productivity systems.&quot; - Will Cunha</p></blockquote><p>Since he joined the company in May 2022, Will has been spearheading Recorded Future&#39;s Enterprise Security. He found out about Recorded Future through a mutual friend, who thought his government and military background would be a great addition to Recorded Future&#39;s team. </p><h3 id="what-its-like-working-at-recorded-future">What It&#39;s Like Working at Recorded Future</h3><blockquote><p>&quot;I&#39;ve met some of the smartest people in my life at Recorded Future.&quot; - John Percic</p></blockquote><p>The culture at Recorded Future is welcoming and hard working. I&#39;m proud to work at Recorded Future because I see the hard work that we put into the product and it&#39;s clear that customers&#39; security is everyone&#39;s No. 1 priority. The military or government service were all I knew prior to joining Recorded Future, but they made the transition easy. I have other veterans I can reach out to, and early on I recognized a lot of similarities between my past jobs and the culture here.</p><blockquote><p>&quot;The culture at Recorded Future is one of innovation, fast pace, high performance, and inclusivity.&quot; - Natalie Albright</p></blockquote><p>Futurists are approachable and non-judgemental. Everyone operates at such a high level that I was apprehensive about interrupting their flow by asking questions, but I couldn&#39;t have been more wrong. 
You can&#39;t possibly know everything about everything at all times, and the network within the organization is often our greatest asset. Every coworker I have reached out to for insight or assistance along my journey in this company has been so humble and helpful.</p><blockquote><p>&quot;People are patient, respectful, and wicked good at what they do.&quot; - Will Cunha</p></blockquote><p>The culture of Recorded Future is one of openness, teamwork, and excellence. I have never found a better group of people to work with that truly embody the notion of <em>teamwork</em>. Everyone I work with holds themselves to a high standard, is respectful, and always works to <em>do the right thing</em>. People are always willing to help solve a complicated problem, strive to get the best answer or solution, and are genuinely interested in each other&#39;s lives outside of work.</p><h3 id="celebrating-veterans-day">Celebrating Veterans Day</h3><p><a href="https://www.recordedfuture.com/veterans-day">On Nov. 10</a>, Futurists will join forces with the Old Soldiers Home Foundation to support their programs. The foundation works on projects focused on wellness, vitality, and camaraderie, ensuring veterans continue to lead a fulfilling life.</p><p><strong>Natalie:</strong> Lauren, our employee resource group (ERG) chair, organizes a ton of events both in person and virtually - much of which I do with my family. From doing the 22 Pushup Challenge as a family to attending the National Veterans Day Celebration, there is so much you can do to help.</p><p><strong>Will:</strong> The military did so much for me and I want to ensure I am not taking that for granted. We owe our veterans a lot, particularly those who have suffered mental/physical issues from their service. 
Besides the Veterans Day events, I help coordinate our Wreaths Across America participation and want to increase our reach nationwide.</p><p><img src="https://cms.recordedfuture.com/uploads/will_cunha_san_diego_california_abcf70d179.png" alt="will-cunha-san-diego-california.png"><em>Will in San Diego, Calif. in 2016</em></p><h3 id="why-get-involved-in-the-vets-group--ergs">Why Get Involved in the Vets Group / ERGs</h3><blockquote><p>&quot;I wanted to be there to help if anyone needed it.&quot; - John Percic</p></blockquote><p>It was helpful for me to find people with a common background in the military and wanted to explore opportunities to volunteer for the veterans community.</p><blockquote><p>&quot;I immediately felt part of the group.&quot; - Natalie Albright</p></blockquote><p>As soon as I joined Recorded Future, Lauren Mitchell welcomed me with a Veterans ERG mug and challenge coin. Being part of the ERG has given me an opportunity to meet other Futurists in other aspects of the company, connect over mutual friends, past deployments, and even discuss veteran mental health.</p><blockquote><p>&quot;There is nothing more rewarding than seeing a veteran light up and get excited about sharing their sea stories.&quot; - Will Cunha</p></blockquote><p>Recorded Future practices what it preaches. A lot of organizations &#39;support the military,&#39; but that is about as far as they go - through words. Recorded Future backs that up with action. From sending deployed veterans care packages, with a personalized letter from our CEO, or supporting veteran causes, we don&#39;t just say things. We do things. And we do big things.</p><blockquote><p>&quot;Recorded Future made the transition from government/military life simple.&quot; - John Percic</p></blockquote><p>It was something I was concerned about as my entire career was spent in government service. 
However, I quickly met several people who were in the same situation, and Recorded Future employees were extremely accommodating, willing to help, and they had a ton of experience to draw from. Having a veterans&#39; organization makes it easy to find these people, and our regular meetings are a great place to share experiences and find solutions to any issues that arise.</p><h3 id="growing-at-recorded-future--final-words">Growing at Recorded Future &amp; Final Words</h3><p><strong>John:</strong> Working at Recorded Future has been a great challenge, and I learn something new every day. It can sometimes get overwhelming, but there is always someone who is willing to help. Every day I reach out to someone on the product team, in marketing, sales, or intelligence services to draw from their expertise and everyone is always happy to share.</p><p><strong>Natalie:</strong> My standards are even higher than they were the day I walked in the doors of Recorded Future. There is no showing up at the top of your game and knowing you can stay there. You must constantly improve to remain knowledgeable and relevant - and to do that, you cannot be afraid to ask questions - no matter how hard or easy they may seem. Operating in this environment has given me the courage to research, learn, and when that doesn&#39;t answer the question, just ask.</p><p><strong>Will:</strong> I have a much better appreciation for the impact of actionable intelligence. Leveraging information to improve the ability of people to make the best decision possible. On top of that, I get to work with a multitude of different cultures and nationalities, which I didn&#39;t get to experience before.</p><p>As we commemorate Veterans Day and the contributions of our veteran colleagues at Recorded Future, we&#39;re reminded of the diverse perspectives and unique skills they bring. 
If you&#39;re inspired by these stories and are looking for a place where your experience is valued, we invite you to <a href="https://www.recordedfuture.com/careers">explore job opportunities</a> with us. Join our team and take part in securing the world with intelligence.</p><p><img src="https://cms.recordedfuture.com/uploads/natalie_albright_office_naval_intelligence_washington_dc_cbf4b87b38.jpg" alt="natalie-albright-office-naval-intelligence-washington-dc.jpg"><em>Natalie at the Office of Naval Intelligence in Washington, D.C. in 2018</em></p>]]></content:encoded>
            <category>Blog</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/veterans_day_celebrating_stories_service_success_main_24b0d3dea5.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Charting China’s Climb as a Leading Global Cyber Power]]></title>
            <link>https://www.recordedfuture.com/charting-chinas-climb-leading-global-cyber-power</link>
            <guid>https://www.recordedfuture.com/charting-chinas-climb-leading-global-cyber-power</guid>
            <pubDate>Tue, 07 Nov 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Chinese state-sponsored cyber operations have transformed, emerging as a more mature, stealthy, and coordinated threat than in previous years.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Over the past five years, Chinese state-sponsored cyber operations have evolved into a more mature and coordinated threat, focusing on exploiting both known and zero-day vulnerabilities in public-facing security and network appliances. They have also placed a strong emphasis on operational security and anonymity, making it harder to detect their activities. These changes have been influenced by both internal factors like military restructuring and changes in domestic regulations, as well as external factors including reporting by Western governments and the cybersecurity community. This evolution has made it more challenging for organizations, governments, and the cybersecurity community to defend against these threats.</p><p><img src="https://cms.recordedfuture.com/uploads/charting_chinas_climb_leading_chart_025c003413.png" alt="charting-chinas-climb-leading-chart.png"><em>Evolution of Chinese cyber-espionage activity (Source: Recorded Future)</em></p><p>Chinese cyber-enabled economic espionage has shifted from broad intellectual property theft to a more targeted approach supporting specific strategic, economic, and geopolitical goals, such as those related to the Belt and Road Initiative and critical technologies. This poses risks for governments and corporations, impacting negotiations and competitiveness. 
Due to the focus on exploiting novel vulnerabilities in public-facing devices, a vulnerability-centric defense approach is inadequate, emphasizing the need for better defense-in-depth measures to detect post-exploitation activities.</p><p>As China continues to develop its cyber capabilities, there has been a growing focus on exploiting zero-day vulnerabilities in public-facing appliances, which has proven an effective tactic for gaining access to various global targets. With organizations moving to cloud services, it is likely they will see a similar emphasis. China&#39;s efforts to project power in the South China Sea and Taiwan, along with the U.S. strengthening alliances in the region, will likely lead to increased intelligence gathering and strategic reconnaissance activities. Targeting critical infrastructure is not necessarily a sign of imminent conflict but is done in preparation for potential future actions.</p><p>Given China&#39;s significant commitment of resources to offensive cyber operations and the evident enhancement of their capabilities, they are poised to become a dominant global force in cyber espionage and information warfare.</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-1107.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/charting_chinas_climb_leading_global_cyber_power_main_84aed7afc4.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Hamas Application Infrastructure Reveals Possible Overlap With TAG-63 and Iranian Threat Activity]]></title>
            <link>https://www.recordedfuture.com/hamas-application-infrastructure-reveals-possible-overlap-tag-63-iranian-threat-activity</link>
            <guid>https://www.recordedfuture.com/hamas-application-infrastructure-reveals-possible-overlap-tag-63-iranian-threat-activity</guid>
            <pubDate>Thu, 19 Oct 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group identified an application disseminated on a Telegram Channel used by members or supporters of the Hamas terrorist organization]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Recorded Future&#39;s research group, Insikt Group, has identified an application disseminated on a Telegram Channel used by members/supporters of the Hamas terrorist organization.</p><p>The application is configured to communicate with Hamas&#39;s Izz ad-Din al-Qassam Brigades website. Infrastructure analysis associated with the website led to the identification of a cluster of domains that mimic the domain registration tradecraft of TAG-63 (AridViper, APT-C-23, Desert Falcon), a cyber group that we believe operates at the behest of the Hamas terrorist organization. We also observed that these domains were interconnected via a Google Analytics code. Furthermore, a domain associated with the cluster hosted a website that spoofs the World Organization Against Torture (OMCT). Again, based on domain registration patterns, we observed a likely Iran nexus tied to that domain. It is likely that the newly identified domains were operated by threat actors that share an organizational or ideological affiliation with the Qassam Brigades. At the time of writing, Iran&#39;s Islamic Revolutionary Guard Corps (IRGC), and specifically the Quds Force, is the only known entity from Iran that provides cyber technical assistance to Hamas and other Palestinian threat groups.</p><p><img src="https://cms.recordedfuture.com/uploads/hamas_application_infrastructure_reveals_possible_overlap_tag_63_iranian_threat_activity_body_f726836ef7.png" alt="hamas-application-infrastructure-reveals-possible-overlap-tag-63-iranian-threat-activity-body.png"><em>The application has direct links to the website of the Hamas organization (Source: Telegram)</em></p><p>The website has worked intermittently since the start of Hamas&#39;s ground incursion into Israeli territory. 
From October 11, 2023, onward, we observed the domain point to multiple different IP addresses, which is likely related to attempts to ensure operability, evade website takedowns or, potentially, denial-of-service (DoS) attacks. The infrastructure overlaps that were identified between the Hamas application and the cluster of domains we suspect are linked to TAG-63 tradecraft are notable because they depict not only a possible slip in operational security but also ownership of the infrastructure shared between groups. One hypothesis to explain this observation is that TAG-63 shares infrastructure resources with the rest of the Hamas organization.</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-1019.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/hamas_application_infrastructure_reveals_possible_overlap_tag_63_iranian_threat_activity_main_9bb02a0874.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Russia Creates No-Win Situation for Western Companies]]></title>
            <link>https://www.recordedfuture.com/russia-creates-no-win-situation-western-companies</link>
            <guid>https://www.recordedfuture.com/russia-creates-no-win-situation-western-companies</guid>
            <pubDate>Thu, 19 Oct 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Western companies in Russia risk asset seizure due to escalating tensions and economic measures amidst the conflict with Ukraine]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Western companies operating in Russia are facing an increased risk of asset seizure or nationalization due to escalating geopolitical tensions between Moscow and the West, particularly related to Russia&#39;s war against Ukraine. Russia has been working on legislation to target Western corporations designated as &quot;unfriendly&quot; or &quot;naughty&quot; without publicly articulating specific criteria for this designation, in response to Western sanctions freezing Russian assets in Western financial institutions. Moscow aims to establish economic soft power parity with the West and inflict financial damage on Western corporate entities, as it lacks the capacity to freeze or seize Western government funds. Russia is aware of the corporate dilemma, where Western companies must decide whether to stay in Russia and risk potential targeting or leave and face asset loss but gain Western praise.</p><p>Litigation is an option for Western corporations, but it&#39;s costly and uncertain. Companies suffering financial losses from leaving Russia could negotiate with Western governments to obtain compensation using frozen Russian funds or seized assets. In the long term, Russia&#39;s actions could deter Western businesses from investing in the Russian market, potentially leading to economic balkanization. Countries at risk of Western sanctions may restrict Western corporate access to their economies to defend against economic destabilization.</p><p>Geopolitical escalation between Russia and the West heightens the risk of Moscow targeting Western corporations in Russia, and the Kremlin&#39;s legislative actions reflect Moscow&#39;s anticipation of Western corporations departing the Russian market and the need for legal measures to prevent economic damage. 
Russia&#39;s legislative actions also indicate the need for enhanced legislative tools to target Western companies in response to Western sanctions. Western corporations that support Ukraine or condemn Russia may be framed as &quot;unfriendly&quot; or &quot;naughty&quot; by Russia, justifying the seizure of their assets. This leaves Western companies in a conundrum, as Moscow exploits their position, believing they will prioritize access to Russian economic markets and corporate profits over alignment with the Western collective geopolitical stance towards Russia. Western corporations remaining in Russia have limited options to protect themselves or seek compensation for seized assets, necessitating support from Western governments to address potential fiscal losses. Ongoing economic escalation between Russia and the West threatens to fragment the global economic market, forcing corporations to choose between Western and Russian markets based on their perceived support for Ukraine or Russia.</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/ta-2023-1019.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/russia_creates_no_win_situation_western_companies_main_221d4a722c.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[New Capabilities to Create a Unified View of Your Threat Landscape, Prioritize Relevant Threats, and Accelerate Response to Threats ]]></title>
            <link>https://www.recordedfuture.com/blog/new-capabilities-threat-landscape-prioritize-threats</link>
            <guid>https://www.recordedfuture.com/blog/new-capabilities-threat-landscape-prioritize-threats</guid>
            <pubDate>Wed, 11 Oct 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Introducing new capabilities in Recorded Future AI: now create a unified view of your threat landscape, prioritize relevant threats, and accelerate response efficiently.]]></description>
            <content:encoded><![CDATA[<p>Your unique threat landscape is constantly changing, based on countless data points: things like the industry you are in, what technologies you use, your supply chain, and threat actors themselves. With so many data points to keep track of and research, it can be a time-consuming process to scale, especially as your attack surface expands. </p><p>That&#39;s where we come in - Recorded Future has long pioneered making threat research and prioritization easier for organizations with our <a href="https://www.recordedfuture.com/platform">Intelligence Cloud</a>, which collects and structures adversary and victim data from text, imagery, and technical sources, then uses natural language processing and machine learning to analyze and map associations across billions of entities in real-time. </p><p>This week, at our annual industry conference, PREDICT, we announced exciting new capabilities related to <a href="https://www.recordedfuture.com/press-release/recorded-future-delivers-precision-accuracy-expert-intelligence-analyst-speed-ai">AI</a> and <a href="https://www.recordedfuture.com/press-release/recorded-future-automates-security-control-validation-collective-insights">Collective Insights</a>. These capabilities extend our mission of creating a unified view of your threat landscape, prioritizing relevant threats, and accelerating response to threats.</p><p>At RSA 2023, we unveiled <a href="https://www.recordedfuture.com/new-capabilities-to-enhance-visibility-increase-automation-reduce-threat-exposure">Collective Insights</a>, a new capability that combines your internal telemetry with threat insights from Recorded Future and <a href="https://www.recordedfuture.com/use-a-threat-map-to-visualize-your-cyber-threats">Threat Maps</a>, representing your unique threat landscape. 
</p><h3 id="a-holistic-view-of-your-threat-landscape">A Holistic View of Your Threat Landscape</h3><p>Today, we&#39;re excited to announce the combination of these two incredible capabilities. Now, the Threat Map will take into consideration detections seen in your environment, making it a tool for the holistic prioritization of threats. This enables you to set priorities, identify areas of focus, and tailor additional security activities - like red-teaming and other proactive initiatives.</p><p>Taking it a step further, we have made Collective Insights more holistic, enabling clients to bring more insights from all of their security tools, including EDR, email, and identity - in addition to SIEM and SOAR. </p><h3 id="automate-threat-investigation--prioritization">Automate Threat Investigation &amp; Prioritization</h3><p>Once you have a view of your holistic and unique threat landscape, it&#39;s essential to streamline investigation and prioritization of those threats. The Threat Map already goes a long way to showing you what threats matter and today we launched additional features to enhance threat investigation and prioritization workflows. </p><p>During RSA 2023, we unveiled <a href="https://www.recordedfuture.com/introducing-recorded-future-ai">AI Insights</a>, revolutionizing the way analysts conduct research on entities, summarizing everything Recorded Future knows about an entity into natural language to quickly understand impact, without needing to spend precious time summarizing yourself. Today, we&#39;ve launched the next generation of Recorded Future AI, a tool to engage with our Intelligence Cloud through a simple conversational interface. Think of us as an invaluable extension of your team, assisting you in obtaining the essential answers to swiftly prioritize your investigation and response efforts! 
</p><p>Additionally, we&#39;ve expanded availability of AI Insights to our Threat Map - meaning you receive a summary of your specific threat landscape to understand the impact on you, without having to spend precious time crafting it yourself.   </p><h4 id="ai-insights-client-testimonial">AI Insights Client Testimonial</h4><p>A Forbes Global 2000 travel company found Recorded Future AI valuable for accelerating the vulnerability triage process, as the AI summary provides the team with an understanding of the initial risk and usually also highlights important factors like the initial source of the exploit right off the bat. With the AI summary, the team can quickly assess whether the CVE merits additional investigation and which vulnerabilities they should spend their time prioritizing. </p><h3 id="accelerate-response-to-threats">Accelerate Response to Threats</h3><p>Prioritizing the threats that matter most to your organization and then investigating them further, either as part of the prioritization or response process, is important. However, closing the loop by driving action with intelligence and accelerating response to those threats is essential. Over the past quarter, Recorded Future has been developing capabilities with our <a href="https://www.recordedfuture.com/integrations">integration partners</a> to run threat hunts automatically based on changes in your Threat Map, inside your SIEM or SOAR tools to find evidence related to the malware that has been identified as a potential threat. This helps ensure that you are only focusing on the threats that are critical today. 
</p><p><img src="https://cms.recordedfuture.com/uploads/new_capabilities_threat_landscape_prioritize_threats_426609bc52.png" alt="https://cms.recordedfuture.com/new-capabilities-threat-landscape-prioritize-threats.png"><em>Playbook that automates threat hunting based on changes to entities in an organization&#39;s unique Threat Map.</em></p><p><em><strong>Interested in learning more about our product improvements in action?</strong></em></p>]]></content:encoded>
            <category>Blog</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/new_capabilities_threat_landscape_prioritize_threats_main_97d6e2f321.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Keeping SEC-ure: Using Threat Intelligence to Stay Ahead of the New SEC Regulations]]></title>
            <link>https://www.recordedfuture.com/blog/keeping-secure-threat-intelligence-stay-ahead-new-sec-regulations</link>
            <guid>https://www.recordedfuture.com/blog/keeping-secure-threat-intelligence-stay-ahead-new-sec-regulations</guid>
            <pubDate>Tue, 03 Oct 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore how Recorded Future's threat intelligence aids compliance with new SEC Cybersecurity Regulations, ensuring proactive cyber risk management & transparent communication with the market.]]></description>
            <content:encoded><![CDATA[<h3 id="introduction">Introduction</h3><p>Recently there have been <a href="https://www.forbes.com/sites/chuckbrooks/2023/03/05/cybersecurity-trends--statistics-for-2023-more-treachery-and-risk-ahead-as-attack-surface-and-hacker-capabilities-grow/?sh=1aa49aa919db">millions</a> of attacks demonstrating that public companies of all sizes and operating in all industries are susceptible to cybersecurity incidents. These incidents can cause business interruptions, impose direct costs via remediation or ransomware payments, lost revenues due to exfiltration of intellectual property and interruptions, litigation and regulatory risk, and damage to reputation. </p><p>In response, on Sept. 5, the SEC&#39;s latest Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure rule went into effect, which fundamentally altered the way US public companies communicate with the market about cybersecurity incidents and governance. </p><p>The <a href="https://www.sec.gov/files/rules/proposed/2022/33-11038.pdf">SEC</a> sought to enhance and standardize disclosures to better inform investors about cybersecurity-related matters. Given the ever-increasing importance of availability, integrity and confidentiality of information and infrastructure as digital transformation has accelerated, it is unsurprising that the SEC has stepped in to ensure that public markets have sufficient transparency related to these issues. </p><p>Fortunately, public companies do not need to face these challenges alone. Commercial threat intelligence providers, and Recorded Future especially, can help regulated entities tackle these new regulatory obligations while mitigating their cybersecurity risk. </p><h3 id="third-party-risk">Third-Party Risk</h3><p>One of the key <a href="https://info.cybergrx.com/ponemon-report">statistics</a> highlighted by the SEC in the proposal of this new rule is that 63% of breaches are linked to a third party. 
The SEC also clarified that updates to Item 106(b) of Regulation S-K will require disclosure concerning a registrant&#39;s selection and oversight of third-party entities.</p><p>Recorded Future&#39;s <a href="https://www.recordedfuture.com/platform/third-party-intelligence">Third-Party Intelligence Module</a> is geared to specifically address this concern. Recorded Future Third-Party Intelligence empowers security teams and business leaders to make fast, informed decisions about the companies in their organization&#39;s supply chain and reduce the overall risk of data breaches and reputational damage. Third-Party Intelligence provides deep visibility into suspicious activity related to vendor ecosystems, and provides organizations an opportunity to conduct meaningful oversight of third-party entities. </p><p>One of the biggest differentiators of commercial threat intelligence providers is that cybersecurity governance shifts from relying on a vendor&#39;s answers to a security questionnaire that may be inaccurate and/or stale to externally sourced intelligence. This can give investors confidence that organizations are using independently collected data to have visibility into their supply chains. </p><p>Recorded Future&#39;s Third Party Intelligence Module gives real-time alerts on security incidents, breaches, and a wide variety of risky security practices allowing registrants to stay a step ahead. Plus, Recorded Future provides access to exclusive sources including high-tier dark web forums, ransomware extortion sites, and a massive leaked credential and data library to better protect organizations from emerging risk. Third Party Intelligence also provides quantitative Risk Scores for third parties better enabling cybersecurity risk assessment as required under Item 106(b). </p><h3 id="cybersecurity-incident-reporting">Cybersecurity Incident Reporting</h3><p>Under the updated rule, the SEC has amended Form 8-K to require current disclosure of material cybersecurity incidents. 
Given that organizations will be mandated to disclose these incidents, it is imperative that registrants have as much context and intelligence about incidents as possible. </p><p>Recorded Future&#39;s Intelligence Cloud is perfectly positioned to provide that insight. This extends from information about <a href="https://www.recordedfuture.com/support/threat-actor-cards">threat actors</a> via the <a href="https://www.recordedfuture.com/platform/threat-intelligence">Threat Intelligence</a> Module, to granular exposure insights. Examples include compromised credentials via <a href="https://www.recordedfuture.com/platform/identity-intelligence">Identity Intelligence</a> Modules and compromised card data via the <a href="https://www.recordedfuture.com/platform/payment-fraud-intelligence">Fraud Intelligence</a> Module to provide visibility into the exact extent of a specific breach. </p><p>One can imagine the materially different way the market may react to a disclosure with an unknown threat actor, unknown scope, and unknown intent, versus being able to provide guidance of the probable intent of the threat actor, past history of the threat actor, and the precise scale of impact. For example, the public exposure related to an incident connected with <a href="https://www.recordedfuture.com/chinese-state-sponsored-cyber-espionage-expansion-power-influence-southeast-asia">Chinese state-sponsored</a> advanced persistent threat will be dramatically different compared to an attack associated with <a href="https://www.recordedfuture.com/ransomware-as-a-service">ransomware-as-a-service</a> actors which are more often associated with reputational risks.  </p><p>Accessible intelligence will better enable organizations to address Item 1.05 in Form 8-K to assess whether any data was stolen, altered, accessed, or used for any other unauthorized purpose. 
Only comprehensive threat intelligence will allow companies to confidently determine motivations of threat actors, their typical TTPs, and insights into the criminal underground where data is monetized.</p><p>Further, given that the SEC will require disclosure by organizations within four business days, it is imperative to have a threat intelligence provider, like Recorded Future, that operates in <a href="https://www.recordedfuture.com/platform/intelligence-graph">real time</a>. It is also important to note that the ticking clock only starts upon determination of materiality - yet another analysis where threat intelligence can help in better understanding the scope and impact of the incident. The SEC itself <a href="https://www.sec.gov/files/rules/proposed/2022/33-11038.pdf">states</a> that the analysis should &quot;[take] into consideration all relevant facts and circumstances surrounding the cybersecurity incident&quot; and threat intelligence can provide such context. </p><h3 id="policies-and-procedures-to-identify-and-manage-cybersecurity-risk">Policies and Procedures to Identify and Manage Cybersecurity Risk</h3><p>One of the elements of the SEC rule is that Item 106 will be added to Regulation S-K which will require registrants to describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats. </p><p>Last year, Recorded Future launched <a href="https://www.recordedfuture.com/use-a-threat-map-to-visualize-your-cyber-threats">Threat Maps</a> which automates the analysis of threat actors targeting a client&#39;s enterprise, and organizes the intent and opportunity of those groups to harm an organization. An organization&#39;s customized Threat Map shows the most dangerous threats that have an opportunity to harm an organization, and changes over time allows security teams to better prioritize countermeasures. 
Use of Threat Maps allows organizations to carefully calibrate response and granularly identify specific threats - it is the difference between merely gesturing at Nation-State Threats writ large, and actually being able to point to specific threats such as <a href="https://www.recordedfuture.com/north-koreas-cyber-strategy">Lazarus Group</a>. This level of granularity allows organizations to have actionable insights to both be more authoritative with the market, and more efficiently deploy risk mitigation strategies. </p><p>Threat Maps join Recorded Future&#39;s expansive offerings, such as <a href="https://www.recordedfuture.com/platform/secops-intelligence">SecOps Intelligence</a>, which collects data from a comprehensive range of sources, contextualizes it, and feeds meaningful insights directly into existing security tools and workflows to improve alert triage, threat detection, and threat blocking - providing a more comprehensive process in line with SEC requirements.  </p><h3 id="conclusion">Conclusion</h3><p>The SEC has ushered in a new era of cybersecurity transparency for public companies. Public companies should begin preparing immediately for the enforcement of these updates. Preparations should be focused on the collaboration between internal stakeholders and access to the relevant information from both external and internal sources to be able to comply with the new requirements. </p><p>To tackle these challenges, it is now imperative that registrants have the most comprehensive and timely intelligence available - Recorded Future is the most comprehensive and independent threat intelligence cloud platform. It enables organizations to identify and mitigate threats across cyber, supply-chain, physical, and fraud domains, and can be a powerful tool in complying with the new regulations. 
</p><p><em><strong>Hear me talk to Christopher Hart (Partner at Foley Hoag LLP) and Lavonne Burke (VP Legal - Global Security &amp; Resilience and Digital (IT) at Dell Technologies) about these regulations and how organizations can stay ahead at <a href="https://recordedfuture.cventevents.com/event/0203d0b1-5001-4775-a538-25514e9d4a71/websitePage:a6645acb-f7e6-4b9a-99c3-079ca5f1890a">PREDICT 2023 in Washington D.C.</a> on Oct. 11 at 10:05 a.m. ET.</strong></em></p>]]></content:encoded>
            <category>Blog</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/secure_sec_regulations_main_80f8aca4b3.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Recorded Future Announces Keynote Lineup for PREDICT 2023]]></title>
            <link>https://www.recordedfuture.com/blog/recorded-future-announces-keynote-lineup-predict-2023</link>
            <guid>https://www.recordedfuture.com/blog/recorded-future-announces-keynote-lineup-predict-2023</guid>
            <pubDate>Fri, 29 Sep 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future, the world’s largest intelligence company, today announced the keynote speaker lineup for its annual intelligence summit, PREDICT 2023, being held October 10-12 in Washington D.C. at the historic Watergate Hotel.]]></description>
            <content:encoded><![CDATA[<p><strong>Washington, D.C. - September 29, 2023</strong> - Recorded Future, the world's largest intelligence company, today announced the keynote speaker lineup for its annual intelligence summit, <a href="https://www.recordedfuture.com/predict/">PREDICT 2023</a>, being held October 10-12 in Washington D.C. at the historic Watergate Hotel. Focused on <em>Securing Tomorrow: The Future of Intelligence</em>, PREDICT 2023 brings together thought leaders and innovators from both public and private sectors to discuss the present threat landscape and future trajectory of intelligence.</p><p>The keynote speaker lineup for <strong>PREDICT 2023</strong> includes: </p><ul><li><p><strong>Charlie Brooker</strong>, Visionary creator of the Emmy Award-winning Netflix series, <em>Black Mirror</em>, and one of the TIME100 Most Influential People in AI</p></li><li><p><strong>Chris Inglis</strong>, Inaugural U.S. National Cyber Director (2021-2023) and Member of the U.S. Department of Homeland Security Cybersecurity Advisory Council</p></li><li><p><strong>Colonel Christian Lewis</strong>, Director of Intelligence for Joint Force Headquarters - Department of Defense Information Network (JFHQ-DODIN)</p></li><li><p><strong>Koos Lodewijkx</strong>, Chief Information Security Officer, IBM</p></li><li><p><strong>Lauren Zabierek</strong>, Senior Advisor in the Cybersecurity Division at the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA)</p></li><li><p><strong>Maynard Holliday</strong>, Performing the Duties of Assistant Secretary of Defense for Critical Technologies, Office of the Under Secretary of Defense (DOD) for Research and Engineering</p></li></ul><p><strong>Recorded Future executive speakers include:</strong></p><ul><li><strong>Christopher Ahlberg, PhD</strong> - CEO and Co-Founder of Recorded Future</li><li><strong>Staffan Truvé</strong> - CTO and Co-Founder of Recorded Future</li><li><strong>Stu Solomon</strong> - President of Recorded Future</li><li><strong>Craig Adams</strong> - Chief Product Officer at Recorded Future</li><li><strong>Tom Wentworth</strong> - Chief Marketing Officer at Recorded Future</li><li><strong>Kalpana Singh</strong> - VP, Product Marketing</li><li><strong>Jamie Zajac</strong> - VP, Product Management</li><li><strong>Adam Janofsky</strong> - Editorial Director, Recorded Future News</li><li><strong>Dina Temple-Raston</strong> - Senior Correspondent, Recorded Future News, and Executive Producer of <em>Click Here</em> podcast</li></ul><p>PREDICT 2023 will also feature insights from organizations including Amazon, TIAA, Toyota Motor NA, Southern California Edison, and Cummins.</p><p>"Building on Recorded Future's mission to secure the world with intelligence, we are excited to unite intelligence visionaries and pioneers at this year's annual summit to foster collaboration within our community. In today's digital era, with technology evolving rapidly, vigilance against security threats is paramount. It is our belief that together, we can better disrupt our common adversaries. PREDICT 2023's insightful discussions will shine a spotlight on the complexities of the current threat landscape and will demonstrate how emerging technologies such as AI and machine learning can help prepare for the threats of tomorrow." - Dr. 
Christopher Ahlberg, CEO and Co-Founder, Recorded Future</p><p>PREDICT 2023 is open to intelligence analysts, network defenders, cybersecurity leaders, and others interested in learning about intelligence-led security. The annual summit will also host regional events in <a href="https://go.recordedfuture.com/predict22-pre-reg">Tokyo</a> (October 24-25), <a href="https://go.recordedfuture.com/predict22-pre-reg">Singapore</a> (November 7-8), and <a href="https://recordedfuture.cventevents.com/event/3a8ba746-74ca-4069-a0ff-30fa0891ee47/websitePage:135f6af8-28cf-4e8d-90fa-08542625bc94">London</a> (November 14). </p><p>For more information visit: <a href="https://www.recordedfuture.com/predict">https://www.recordedfuture.com/predict</a>. </p><p>For real-time updates on #PREDICT2023 sessions, follow @RecordedFuture on X (formerly Twitter).</p><p>For all the latest breaking news and reports from #PREDICT2023, follow @TheRecord_Media on X (formerly Twitter). </p><p><strong>About Recorded Future</strong><br>Recorded Future is the world's largest threat intelligence company. Recorded Future's Intelligence Cloud provides end-to-end intelligence across adversaries, infrastructure, and targets. Indexing the internet across the open web, dark web, and technical sources, Recorded Future provides real-time visibility into an expanding attack surface and threat landscape, empowering clients to act with speed and confidence to reduce risk and securely drive business forward. Headquartered in Boston with offices and employees around the world, Recorded Future works with over 1,700 businesses and government organizations across more than 75 countries to provide real-time, unbiased, and actionable intelligence. Learn more at <a href="https://www.recordedfuture.com/">recordedfuture.com</a>.</p><p><strong>Media Contact</strong><br>Olivia Francis<br>Global Communications<br>Recorded Future<br><a href="mailto:media@recordedfuture.com">media@recordedfuture.com</a></p>]]></content:encoded>
            <category>Blog</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/predict_speakers_press_release_main_99a58e4d1a.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Near-Space in China’s Military Strategy: Strategic Reconnaissance, Precision Strike, and Battlefield Advantage]]></title>
            <link>https://www.recordedfuture.com/near-space-china-military-strategy-strategic-reconnaissance-precision-strike-battlefield-advantage</link>
            <guid>https://www.recordedfuture.com/near-space-china-military-strategy-strategic-reconnaissance-precision-strike-battlefield-advantage</guid>
            <pubDate>Tue, 26 Sep 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group reports on Chinese People's Liberation Army’s (PLA) renewed interest in near-space vehicles for military use, highlighted by a 2023 high-altitude balloon over US missile silos.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Insikt Group examines the Chinese People&#39;s Liberation Army&#39;s (PLA) resurgent focus on utilizing near-space flight vehicles (NSFVs) for various military applications, as evidenced by the appearance of a high-altitude surveillance balloon over US Minuteman III missile silos in 2023. This marks a culmination of PLA and Chinese defense analyst research interest dating back to 2005, with a focus on deploying NSFVs like balloons, aerostats, and hypersonic platforms for military intelligence, surveillance, reconnaissance (ISR), and more.</p><p><img src="https://cms.recordedfuture.com/uploads/near_space_china_military_strategy_strategic_reconnaissance_precision_strike_battlefield_advantage_51dfff776c.png" alt="near-space-china-military-strategy-strategic-reconnaissance-precision-strike-battlefield-advantage.png"><em>Chinese high-altitude surveillance balloon over the central US (Source: Secretary of the Air Force Public Affairs)</em></p><p>The PLA is believed to operate a fleet of these NSFVs, aiding China&#39;s strategic reconnaissance and early warning capabilities. These platforms offer redundancy in case of satellite disruption and play a vital role in gathering intelligence during peacetime. They monitor foreign military activities and collect data on global military trends and capabilities, posing a legitimate intelligence collection threat.</p><p>The two categories of NSFVs are low-dynamic (LD) and high-dynamic (HD) platforms. LD platforms include balloons and aerostats, while HD platforms involve hypersonic vehicles. 
These NSFVs can be equipped to collect various forms of intelligence, such as imagery, signals, communications, and electronic data.</p><p>Although the PLA&#39;s more traditional platforms, including satellites, offer robust intelligence collection capabilities, NSFVs are seen as filling gaps in those capabilities. The PLA likely sees NSFVs as offering operational flexibility, supporting precision strikes, electronic warfare, communications, and logistics, ultimately bolstering their offensive operations and resilience.</p><p>As the PLA advances in near-space technology, the international community should closely monitor these developments and prioritize the development of countermeasures to mitigate potential advantages the PLA could gain during conflicts. The use of NSFVs for military purposes is poised to remain a significant component of China&#39;s military strategy.</p><p>To read the entire analysis with endnotes, as well as receive more information about the author, Devin Thorne, <a href="https://go.recordedfuture.com/hubfs/reports/ta-2023-0926.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/near_space_china_military_strategy_main_7bb084507a.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Multi-year Chinese APT Campaign Targets South Korean Academic, Government, and Political Entities]]></title>
            <link>https://www.recordedfuture.com/multi-year-chinese-apt-campaign-targets-south-korean-academic-government-political-entities</link>
            <guid>https://www.recordedfuture.com/multi-year-chinese-apt-campaign-targets-south-korean-academic-government-political-entities</guid>
            <pubDate>Tue, 19 Sep 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group shares analysis of TAG-74, a Chinese-led cyber-espionage campaign targeting South Korean academia, politics, and government.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Recorded Future&#39;s Insikt Group has conducted an analysis of a prolonged cyber-espionage campaign known as TAG-74, which is attributed to Chinese state-sponsored actors. TAG-74 primarily focuses on infiltrating South Korean academic, political, and government organizations. This group has been linked to Chinese military intelligence and poses a significant threat to academic, aerospace and defense, government, military, and political entities in South Korea, Japan, and Russia. TAG-74&#39;s targeting of South Korean academic institutions aligns with China&#39;s broader espionage efforts aimed at intellectual property theft and expanding its influence within higher education worldwide.</p><p>The motivation behind Chinese state-sponsored actors collecting intelligence in South Korea is likely driven by regional proximity and South Korea&#39;s strategic role in China&#39;s competition with the United States and its regional allies in the Indo-Pacific. Recent tensions have emerged as China expressed concerns about South Korea&#39;s closer relations with the US and its perceived involvement in Taiwan and alignment with the US and Japan&#39;s containment of China. 
TAG-74&#39;s intelligence collection efforts, which include spoofed domains and decoy documents related to inter-Korean cooperation, are expected to intensify as China seeks information to shape its diplomatic and business engagements with South Korean entities.</p><p><img src="https://cms.recordedfuture.com/uploads/multi_year_chinese_apt_campaign_targets_south_korean_academic_government_political_entities_body_ecee001094.png" alt="multi-year-chinese-apt-campaign-targets-south-korean-academic-government-political-entities-body.png"><em>Typical infection chain observed in TAG-74 campaign targeting South Korea (Source: Recorded Future)</em></p><p>TAG-74 is a well-established Chinese state-sponsored threat activity group specializing in intelligence collection against South Korean, Japanese, and Russian organizations. Their tactics, techniques, and procedures (TTPs) include the use of .chm files that trigger a DLL search order hijacking execution chain to load a customized version of the VBScript backdoor ReVBShell. Additionally, a custom backdoor known as Bisonal is used to enhance capabilities once initial access through ReVBShell is established. This customized ReVBShell variant is likely shared between TAG-74 and another closely related threat activity group, Tick Group, indicating collaboration between these groups.</p><p>The persistence of TAG-74 in targeting South Korean organizations and its likely operational alignment with the Northern Theater Command suggests that the group will continue its active and long-term intelligence-gathering efforts in South Korea, Japan, and Russia. Notably, the use of .chm files by Chinese state-sponsored actors is not particularly common outside of South Korea. However, the use of this attack vector in activity targeting South Korea has been seen both in TAG-74 campaigns and, more widely, in activity attributed to North Korean state-sponsored threat activity groups such as Kimsuky and APT37. 
Organizations should monitor for the presence and use of .chm files, particularly if they are not commonly used within their environment, as this tactic has gained prevalence among threat actors in recent years.</p><p>To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0919.pdf">click here</a>.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/main_multi_year_chinese_apt_campaign_targets_south_korean_academic_government_political_entities_372f283781.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Hispanic Heritage Month: ERG Employee Stories, Authenticity, and Learning]]></title>
            <link>https://www.recordedfuture.com/blog/erg-stories-hispanic-heritage-month-2023</link>
            <guid>https://www.recordedfuture.com/blog/erg-stories-hispanic-heritage-month-2023</guid>
            <pubDate>Mon, 18 Sep 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Join us in honoring Hispanic Heritage Month. Our Latin Network shares the importance of authenticity and openness in building an inclusive and diverse workplace.]]></description>
            <content:encoded><![CDATA[<p>The Latin Network is one of 6 ERGs at Recorded Future and is also our newest. The Latin Network is on a mission to develop a network of employees interested in Hispanic/Latin culture, community and professional development of its Hispanic/Latin members. They promote employee-led diversity and inclusion initiatives to help create a supportive environment for the Latino/Hispanic community and contribute to Recorded Future's organizational success.</p><p>The ERG provides Hispanic/Latin members a formidable voice, transparency, and openness in their endeavors to highlight cultural differences, encourage learning, professional development and success. </p><p>They are committed to building a united community that thrives on shared experiences and mutual respect. </p><p>Throughout this interview, we emphasize the importance of ERGs in fostering an authentic connection both in and beyond the workspace. A diverse and inclusive workforce not only reflects the broader society but also empowers employees to grow personally and professionally. By celebrating their heritage, sharing knowledge, and learning from each other, employees are paving the way for a stronger, more connected company culture.</p><h3 id="covering-the-basics">Covering the Basics</h3><p>In honor of Hispanic Heritage Month we interviewed two Futurists from our Latin-Network: Armando Origel, ERG leader and Iris Salazar, supporting member. </p><p><img src="https://cms.recordedfuture.com/uploads/hispanic_heritage_month_armando_iris_b16a724ab7.png" alt="hispanic-heritage-month-armando-iris.png"><em>From left, Armando Origel and Iris Salazar</em></p><p><em>I work with customers throughout the Americas and Europe: Canada, US, Central and South America, and even Spain. 
Some of my Spanish speaking clients are from Mexico, Uruguay, Chile and Spain, which is awesome for flexing my Spanish skills, specifically the cybersecurity and intelligence vocabulary.</em></p><p>Armando, known as Mando, has been at Recorded Future for a year and works as a Customer Success Manager within our Intelligence Services. Day-to-day he works with customers, account managers, sales engineers and renewal reps to ensure customers' priorities and goals are met and that Recorded Future is offering great value. In his role, he optimizes customer experience and helps clients get valuable and actionable intelligence.</p><p><em>I am lucky to be working with amazing and talented teammates who are passionate about Recorded Future and customer education.</em></p><p>Iris is at the forefront of client enablement at Recorded Future. With her team, she strategizes and delivers the best in class content to our clients. Whether through Recorded Future University, live instructor-led training, or via external partnerships with universities and other collaboration partners, her team is dedicated to providing high quality educational resources. </p><h3 id="what-its-like-working-at-recorded-future-for-you">What It's Like Working at Recorded Future For You</h3><p><em>From the start, I set up this network of team members and friends within Recorded Future that I can rely on.</em></p><p>Armando: I started in August of 2022 and just three weeks later, I was already traveling to Spain. It was my first time in Europe and it was really special connecting with the people I would be working with. Everybody here is not only intelligent in what they do, they also show great emotional intelligence.</p><p><em>It's fast paced, engaging, and enjoyable.</em></p><p>Iris: I see our values and empathy shine through when there are tough conversations about work, or when someone is going through personal struggles. 
I also see it in our everyday work when a Futurist has an idea during a conversation and it actually turns into something really great!</p><p><em>I can see a great level of professionalism, and a willingness to help out.</em></p><p>Armando: My team is spread out all over the world, I have team members in Dublin, Italy, Singapore, the US and more. Sometimes it&#39;s hard to feel like you belong to the team, but we go the extra mile to make it work and adapt accordingly to better connect. My manager has been key in achieving that: she creates a diverse and inclusive environment within our team, she's an ERG lead for Women@RF and an amazing ally and participant for all other ERGs.</p><p><em>We are encouraged to innovate and bring people together, internally and externally, this is paramount.</em></p><p>Iris: I'm proud of the many ERGs we have, I knew of only 1 when I started; I was privileged to co-lead it for a year. Further, ERGs come up a lot when having conversations with future partnerships because those future partners see us beyond our product and how we can help improve the life of their audiences!</p><p><em>It's great to be able to have that kind of transparency between who I am as a person and what I do here</em></p><p>Armando: The people here are friendly and super supportive. I&#39;ve been able to open up about personal things with my manager and with my team. Getting involved in the Latin Network ERG gave me another purpose and reason as to why I am at Recorded Future, beyond helping my clients protect their organizations. I'm proud to be helping Recorded Future become a more diverse and inclusive workplace. It's been truly empowering to feel like I&#39;m helping build a culture where everyone looks out for one another. 
As a company we're trying to be very conscious of reflecting our society within the company and I think we&#39;re on a good path to build an even greater culture here at Recorded Future.</p><p><em>In my CSM role, I&#39;m also very proud to be able to connect with my LATAM clients and help them succeed. Through my work I've implemented more consistent communication both because I speak the language but also because I can connect culturally. I'm proud to be able to serve my community in both of these aspects.</em></p><h3 id="celebrating-hispanic-heritage-month">Celebrating Hispanic Heritage Month</h3><p>For Hispanic Heritage Month, employees will participate in themed activities such as an inclusion workshop, games, happy hours across our offices and other educational opportunities about the Latin and cybersecurity world.</p><p>Armando: As an initiative to engage our members and promote inclusivity in the community and beyond, the Latin Network is partnering up with NOTA Inclusion to bring an Inclusive Thinking Workshop. The purpose of this workshop is to discover what matters to us and to create an inclusive community through sharing of our experiences. We share our experiences to learn to love what makes us different, but also to identify what connects us. My goal is to foster a deep level of trust so that employees can feel like the Latin Network is not just an ERG but a place where they can share things, be open, comfortable, feel loved and appreciated.</p><h3 id="why-get-involved-in-latin-network--ergs">Why Get Involved in Latin-Network / ERGs</h3><p><em>If you want to be a part of something beyond your work, ERG involvement is a great way to leave your mark and bring authenticity into the group. That&#39;s what it is for me.</em></p><p>Armando: The people we work with and our clients come from so many backgrounds. A company needs to reflect society, to reflect our clients. 
We need to have these initiatives in place in order to work towards a more diverse workforce.</p><p>Read more about our other ERGs in these blogs: <a href="https://www.recordedfuture.com/erg-stories-pride-month-2023?utm_campaign=&utm_content=20230614&utm_medium=organic-social&utm_source=linkedin">Pride Month</a>, <a href="https://www.recordedfuture.com/erg-stories-apida-heritage-month-2023">APIDA Heritage Month</a>, <a href="https://www.recordedfuture.com/erg-stories-women-history-month-2023">Women's History Month</a>, and <a href="https://www.recordedfuture.com/erg-stories-black-history-month-2023">Black History Month</a>.</p><p><em>It's about sharing knowledge of our heritage and learning from others. Many times you'll find a lot unites us.</em></p><p>Iris: I think being part of a company-wide initiative is exciting because of the opportunities to work with people you may not have otherwise! You learn more about what our business does. I think you also see challenges that come with being a leader, which hopefully give context in what your direct leadership may face, which gives you greater understanding. It&#39;s also an opportunity to connect with people personally - which is just a life skill.</p><h3 id="growing-at-recorded-future">Growing at Recorded Future</h3><p><em>I've learned a lot from my colleagues on how they&#39;re able to inject their own authenticity to their day to day job. It&#39;s helped me grow into my own.</em></p><p>Armando: Working with my LATAM customers has been challenging as it was new for me. It's rewarding to find ways to get them more engaged in the platform, to ask more questions, and get them to connect with us. My role has also challenged me to be a better team member. I work with many different internal stakeholders so I have to find a way to communicate effectively with each team member based on their working style. </p><p>My experience as an ERG leader has been really wholesome. It has helped me grow personally. 
I've learned about the why and purpose, I've worked with people that come from similar backgrounds and also learned about other cultures, and other ERGs.</p><p><em>Leaning into opportunities without a clear sense of how it would go has been anxiety inducing, thrilling, and completely worth it.</em></p><p>Iris: Recorded Future is a unique place to work for me. I have worked in the airline, pharmaceutical, and finance industry prior to Recorded Future. Working here has offered me opportunities that I wasn't sure I would get, such as leading an amazing team that is making a positive impact for our clients and business, co-leading the Women's ERG, and leading projects across our company. Though we're a big company now there are lots of opportunities to improve and ideate on what we have today. Recorded Future is open to all of it.</p><h3 id="final-words">Final Words</h3><p><em>We live in a world that's very divided. Whenever you&#39;re involved in ERG work, you&#39;re trying to unite.</em></p><p>Armando: It can be intimidating sometimes when you see people in your company don&#39;t reflect your background. You wonder if you're going to be able to be authentic within the company. And because we spend so much time working, belonging is important. Recorded Future is an open-minded, diverse place, and very in sync with society. You're constantly reminded to look beyond your work, to get involved in broader initiatives, and to inject purpose into your day to day. It&#39;s a place where you can feel like you can have an impact.</p><p>Armando and Iris' stories highlight the power and importance of inclusion in a rapidly changing world. We're proud to see our Futurists embody our core values of inclusion, ethics, and high standards (Read more: <a href="https://www.recordedfuture.com/company-values-our-guiding-principles">Setting The Scene: Company Core Values, Our Guiding Principles</a>). 
They demonstrate the role of ERGs, D&amp;I initiatives, and all employees in building a culture of empathy, respect, and innovation and testify to the meaningful impact of their work. </p><p>As we continue to grow as a company, these stories, insights, and values help guide us. If this resonates with you, there might be a path for you here at Recorded Future. Learn more about our <a href="https://www.recordedfuture.com/careers">careers</a>.</p><p><img src="https://cms.recordedfuture.com/uploads/hispanic_heritage_month_armando_family_7aae605875.jpg" alt="hispanic-heritage-month-armando-family.jpg"><em>Armando playing Dominoes with family</em></p><p><img src="https://cms.recordedfuture.com/uploads/hispanic_heritage_month_iris_family_aa0ffa9fc0.jpg" alt="hispanic-heritage-month-iris-family.jpg"><em>Iris with her sisters-in-law</em></p>]]></content:encoded>
            <category>Blog</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/hispanic_heritage_month_main_6c3f71b45c.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Why Digital Risk Protection Is Critical to Your Reputation]]></title>
            <link>https://www.recordedfuture.com/blog/digital-risk-protection-overview</link>
            <guid>https://www.recordedfuture.com/blog/digital-risk-protection-overview</guid>
            <pubDate>Fri, 08 Sep 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[By collecting intelligence across open, closed, and technical sources, our Digital Risk Protection Solution delivers context to defend your brand.]]></description>
            <content:encoded><![CDATA[<p>Your brand is your organization's backbone when it comes to building your customers' trust and maintaining their loyalty. Typosquat websites, data and credential leaks, and command-and-control attacks are just a few examples of how <a href="https://go.recordedfuture.com/recordings/2020082003?__hstc=46213176.e125118b4da995ed1319d41bdc7b1d23.1661370156408.1662100956450.1662141493571.8&amp;__hssc=46213176.6.1662141493571&amp;__hsfp=64544716" target="_blank" rel="noopener noreferrer" onclick="_gaq.push(['sfga._link', 'https://go.recordedfuture.com/recordings/2020082003']); return false;">threat actors may attack your brand</a>. And the repercussions are devastating - ranging from lost credibility with customers, to widespread distrust, to massive financial losses.</p><p><a href="https://www.recordedfuture.com/solutions/brand-protection/?__hstc=46213176.e125118b4da995ed1319d41bdc7b1d23.1661370156408.1662100956450.1662141493571.8&amp;__hssc=46213176.6.1662141493571&amp;__hsfp=64544716" onclick="_gaq.push(['sfga._link', 'https://www.recordedfuture.com/solutions/brand-protection/']); return false;">Protecting your brand</a> is critical. However, more often than not, organizations are blindsided by cyberattacks targeting their brand. That's because most security professionals have limited visibility outside of their own organization's network - and zero visibility into the nefarious corners of the web where cybercriminals are known to plan and launch attacks.</p><p>Too frequently, analysts spend valuable time poring over disconnected keyword-based data points to find cyberattacks that have already begun chipping away at their brand's integrity. 
An effective <a href="https://www.recordedfuture.com/solutions/brand-protection/?__hstc=46213176.e125118b4da995ed1319d41bdc7b1d23.1661370156408.1662100956450.1662141493571.8&amp;__hssc=46213176.6.1662141493571&amp;__hsfp=64544716" onclick="_gaq.push(['sfga._link', 'https://www.recordedfuture.com/solutions/brand-protection/']); return false;">brand protection solution</a> shouldn't merely hack together old data points - it needs to deliver <a href="https://www.recordedfuture.com/platform/?__hstc=46213176.e125118b4da995ed1319d41bdc7b1d23.1661370156408.1662100956450.1662141493571.8&amp;__hssc=46213176.6.1662141493571&amp;__hsfp=64544716" onclick="_gaq.push(['sfga._link', 'https://www.recordedfuture.com/platform/']); return false;">relevant and contextual intelligence</a> to prevent attacks from happening in the first place.</p><h3>Brand Monitoring Alone Isn't Enough</h3><p>Many organizations start <a href="https://go.recordedfuture.com/security-intelligence-program?__hstc=46213176.e125118b4da995ed1319d41bdc7b1d23.1661370156408.1662100956450.1662141493571.8&amp;__hssc=46213176.6.1662141493571&amp;__hsfp=64544716" target="_blank" rel="noopener noreferrer" onclick="_gaq.push(['sfga._link', 'https://go.recordedfuture.com/security-intelligence-program']); return false;">building their strategy</a> around a brand monitoring solution only to eventually learn that it doesn't sufficiently protect their brand. Brand monitoring solutions are great for surfacing mentions of your brand on open web sources. However, simply monitoring for brand mentions isn't enough to detect and prevent cyberattacks. 
For that you need <a href="https://www.recordedfuture.com/solutions/brand-protection/?__hstc=46213176.e125118b4da995ed1319d41bdc7b1d23.1661370156408.1662100956450.1662141493571.8&amp;__hssc=46213176.6.1662141493571&amp;__hsfp=64544716" onclick="_gaq.push(['sfga._link', 'https://www.recordedfuture.com/solutions/brand-protection/']); return false;">dynamic brand intelligence</a>.</p><h3>Digital Risk Protection From Recorded Future</h3><p><a href="https://www.recordedfuture.com/solutions/digital-risk" onclick="_gaq.push(['sfga._link', 'https://www.recordedfuture.com/solutions/brand-protection/']); return false;">Digital Risk Protection is a precision solution</a> that takes brand monitoring to the next level by surfacing the most relevant and actionable brand mentions. It's not enough to know every mention of your brand on major social media platforms. To truly protect your brand, you need to strategically surface the company, product, and brand mentions that indicate your brand is potentially under attack. This includes intelligence around leaked credentials, copycat domains, phishing, and more.</p><p>Dynamic brand intelligence at scale empowers security teams to proactively <a href="https://www.recordedfuture.com/solutions/brand-protection/?__hstc=46213176.e125118b4da995ed1319d41bdc7b1d23.1661370156408.1662100956450.1662141493571.8&amp;__hssc=46213176.6.1662141493571&amp;__hsfp=64544716" onclick="_gaq.push(['sfga._link', 'https://www.recordedfuture.com/solutions/digital-risk']); return false;">detect and take action against brand attacks in real time</a> - before they damage the business.</p><h3>The Brand Intelligence Module</h3><p><a href="https://www.recordedfuture.com/solutions/digital-risk" onclick="_gaq.push(['sfga._link', 'https://www.recordedfuture.com/solutions/brand-protection/']); return false;">Recorded Future's Brand Intelligence Module</a> provides unmatched visibility into threats that were previously difficult or impossible for organizations to identify. 
By collecting data and intelligence from an <a href="https://www.recordedfuture.com/platform/security-intelligence-graph?__hstc=46213176.e125118b4da995ed1319d41bdc7b1d23.1661370156408.1662100956450.1662141493571.8&amp;__hssc=46213176.6.1662141493571&amp;__hsfp=64544716" onclick="_gaq.push(['sfga._link', 'https://www.recordedfuture.com/platform/security-intelligence-graph']); return false;">unrivaled quantity and variety of open, closed, and technical sources</a>, the brand intelligence module delivers the context you need to proactively defend your brand against cyberattacks. We even assist you in taking down attacks with built-in takedown services that go the last mile to simplify and expedite the removal of malicious content from the internet.</p><p>Recorded Future combines analytics with human expertise to produce <a href="https://www.recordedfuture.com/platform/?__hstc=46213176.e125118b4da995ed1319d41bdc7b1d23.1661370156408.1662100956450.1662141493571.8&amp;__hssc=46213176.6.1662141493571&amp;__hsfp=64544716" onclick="_gaq.push(['sfga._link', 'https://www.recordedfuture.com/platform/']); return false;">elite security intelligence that disrupts adversaries at scale</a>. More than simply monitoring keywords, dynamic brand intelligence enables you to instantly identify relationships between emerging threats, your brands, and your infrastructure to deliver easy-to-consume brand intelligence. Proactively detect brand attacks as they surface, and take them down before they damage your business. 
<a href="https://go.recordedfuture.com/recordings/2020082003?__hstc=46213176.e125118b4da995ed1319d41bdc7b1d23.1661370156408.1662100956450.1662141493571.8&amp;__hssc=46213176.6.1662141493571&amp;__hsfp=64544716" target="_blank" rel="noopener noreferrer" onclick="_gaq.push(['sfga._link', 'https://go.recordedfuture.com/recordings/2020082003']); return false;">Recorded Future makes it easy to protect your brand</a> by empowering you to detect and take action against:</p><ul><li style="list-style-type: none;"><ul><li><strong>Domain Abuse</strong>: Get up-to-the-minute intelligence about copycat websites and typosquat domains as soon as they are registered and when they are weaponized. <a href="https://www.recordedfuture.com/intelligence-cards/?__hstc=46213176.e125118b4da995ed1319d41bdc7b1d23.1661370156408.1662100956450.1662141493571.8&amp;__hssc=46213176.6.1662141493571&amp;__hsfp=64544716" onclick="_gaq.push(['sfga._link', 'https://www.recordedfuture.com/intelligence-cards/']); return false;">Dynamic risk scores paired with unprecedented context</a> enable you to pivot and dig deeper into associated IPs and domains. Then, take immediate action by reporting and initiating a takedown request directly within <a href="https://www.recordedfuture.com/platform/?__hstc=46213176.e125118b4da995ed1319d41bdc7b1d23.1661370156408.1662100956450.1662141493571.8&amp;__hssc=46213176.6.1662141493571&amp;__hsfp=64544716" onclick="_gaq.push(['sfga._link', 'https://www.recordedfuture.com/platform/']); return false;">Recorded Future&#39;s platform</a>.</li></ul></li></ul><p>&nbsp;</p><ul><li style="list-style-type: none;"><ul><li><strong>Data and Credential Leaks</strong>: Manually searching for leaked company data and credentials on paste sites and the dark web is next to impossible, not to mention dangerous. 
Recorded Future instantly processes information across these sites, including <a href="https://www.recordedfuture.com/solutions/dark-web-monitoring/?__hstc=46213176.e125118b4da995ed1319d41bdc7b1d23.1661370156408.1662100956450.1662141493571.8&amp;__hssc=46213176.6.1662141493571&amp;__hsfp=64544716" onclick="_gaq.push(['sfga._link', 'https://www.recordedfuture.com/solutions/dark-web-monitoring/']); return false;">criminal forums that sell sensitive data</a>, and instantly alerts you when there is a data or credential leak involving your brand. We even cache these posts for you to review and escalate.</li></ul></li></ul><p>&nbsp;</p><ul><li style="list-style-type: none;"><ul><li><strong>Infrastructure Risk</strong>: Continuous monitoring for threats against your infrastructure is the only way to proactively prevent attacks that could have otherwise launched undetected. Recorded Future delivers <a href="https://www.recordedfuture.com/solutions/threat-alerting/?__hstc=46213176.e125118b4da995ed1319d41bdc7b1d23.1661370156408.1662100956450.1662141493571.8&amp;__hssc=46213176.6.1662141493571&amp;__hsfp=64544716" onclick="_gaq.push(['sfga._link', 'https://www.recordedfuture.com/solutions/threat-alerting/']); return false;">configurable alerts around your domains and IP addresses</a> that empower you to swiftly secure your network when there are malicious mentions of your organization&#39;s assets.</li></ul></li></ul><p>&nbsp;</p><ul><li style="list-style-type: none;"><ul><li><strong>Brand Attacks</strong>: As mentioned earlier, organizations often start their brand protection efforts with brand monitoring solutions. But closed criminal-access forums, social media channels, and foreign language sites are the real breeding ground for threat actors&#39; ploys. Most brand monitoring solutions don&#39;t reach these corners of the web. 
<a href="https://www.recordedfuture.com/solutions/brand-protection/?__hstc=46213176.e125118b4da995ed1319d41bdc7b1d23.1661370156408.1662100956450.1662141493571.8&amp;__hssc=46213176.6.1662141493571&amp;__hsfp=64544716" onclick="_gaq.push(['sfga._link', 'https://www.recordedfuture.com/solutions/brand-protection/']); return false;">Recorded Future does</a>, instantly detecting, alerting you, and empowering you to take action, regardless of where your brand is mentioned in reference to a cyberattack.</li></ul></li></ul><p>&nbsp;</p><ul><li><strong>Industry Threats</strong>: If cybercriminals are targeting your industry or your peers, it is likely that they&#39;ll be knocking on your door next. Recorded Future surfaces known and emerging <a href="https://www.recordedfuture.com/solutions/brand-protection/?__hstc=46213176.e125118b4da995ed1319d41bdc7b1d23.1661370156408.1662100956450.1662141493571.8&amp;__hssc=46213176.6.1662141493571&amp;__hsfp=64544716" onclick="_gaq.push(['sfga._link', 'https://www.recordedfuture.com/solutions/brand-protection/']); return false;">threats to your industry and organizations like yours</a>, empowering you to proactively defend against the very risks that threaten your brand and infrastructure.</li></ul><h3>See Brand Intelligence In Action Right Now</h3><p>Brand intelligence arms organizations with unmatched visibility to proactively protect their brand. By surfacing relevant and actionable intelligence, it enables you to defend your organization from the most common brand attacks. 
See <a href="https://www.recordedfuture.com/solutions/brand-protection/?__hstc=46213176.e125118b4da995ed1319d41bdc7b1d23.1661370156408.1662100956450.1662141493571.8&amp;__hssc=46213176.6.1662141493571&amp;__hsfp=64544716" onclick="_gaq.push(['sfga._link', 'https://www.recordedfuture.com/solutions/brand-protection/']); return false;">Recorded Future&#39;s Brand Intelligence Module</a> in action right now: <a href="https://go.recordedfuture.com/recordings/2020082003?__hstc=46213176.e125118b4da995ed1319d41bdc7b1d23.1661370156408.1662100956450.1662141493571.8&amp;__hssc=46213176.6.1662141493571&amp;__hsfp=64544716" target="_blank" rel="noopener noreferrer" onclick="_gaq.push(['sfga._link', 'https://go.recordedfuture.com/recordings/2020082003']); return false;">watch the short, on-demand webinar, &quot;Disrupt Adversaries With Brand Intelligence&quot;</a>.</p>]]></content:encoded>
            <category>Blog</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/brand_intelligence_module_overview_518b80385e.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Navigating the Cybersecurity Landscape with 'The Risk Business']]></title>
            <link>https://www.recordedfuture.com/blog/navigating-cybersecurity-landscape-with-the-risk-business</link>
            <guid>https://www.recordedfuture.com/blog/navigating-cybersecurity-landscape-with-the-risk-business</guid>
            <pubDate>Tue, 05 Sep 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore "The Risk Business" by Levi Gundert - a groundbreaking book proposing a shift from threat-based to risk-based security.]]></description>
            <content:encoded><![CDATA[<p>In the ever-evolving world of enterprise security, finding the right approach can often feel like navigating through a maze. Traditional methods have leaned heavily on threat-based or compliance-based approaches, but these often leave organizations grappling with a delicate balance between technical tools and practical outcomes.</p><p>Enter &quot;The Risk Business: What Leaders Need to Know About Intelligence and Risk-Based Security,&quot; a groundbreaking book by Levi Gundert, Chief Security Officer at Recorded Future. Drawing from his extensive experience, Gundert proposes a shift in focus - from threats to risk. Aimed at security professionals looking to up-level executive buy-in on cybersecurity within their organizations, this second edition emphasizes the importance of communicating intelligence to decision-makers in a language they understand - the language of risk.</p><p>The book introduces innovative concepts like the Intelligence to Risk (I2R) Pyramid and the taxonomy of the five leading types of risk impact. It emphasizes the importance of second-order thinking for effective intelligence assessments and provides leaders with a decision advantage in a complex, rapidly shifting cyber threat landscape.</p><p>Join us in exploring this game-changing approach to enterprise security. Discover how to frame operational outcomes in a clear, concrete way that tells a story of profit, loss, and risk reduction. &quot;The Risk Business&quot; is more than just a book; it&#39;s a roadmap to a more secure future for your organization.</p><ul><li><p>Download a free digital copy <a href="https://go.recordedfuture.com/the-risk-business-second-edition">here</a>.</p></li><li><p><a href="https://www.amazon.com/Risk-Business-Leaders-Intelligence-Security-ebook/dp/B0CDNH2JPC/ref=tmm_kin_swatch_0?_encoding=UTF8&qid=&sr=">Buy the audiobook, Kindle e-book, or printed copy</a> on Amazon.</p></li></ul>]]></content:encoded>
            <category>Blog</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/navigating_cybersecurity_landscape_with_the_risk_business_main_d366673b39.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Empire Dragon Accelerates Covert Information Operations, Converges with Russian Narratives]]></title>
            <link>https://www.recordedfuture.com/empire-dragon-accelerates-covert-information-operations-converges-russian-narratives</link>
            <guid>https://www.recordedfuture.com/empire-dragon-accelerates-covert-information-operations-converges-russian-narratives</guid>
            <pubDate>Wed, 30 Aug 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group has identified and analyzed a network named "Empire Dragon," which is believed to be a coordinated and inauthentic operation likely aligned with the Chinese government and based in China.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Insikt Group has identified and analyzed a network named &quot;Empire Dragon,&quot; which is believed to be a coordinated and inauthentic operation likely aligned with the Chinese government and based in China. This network has been active since early 2021 and appears to engage in information operations (IOs) aimed at manipulating global audiences through various languages, topics, and platforms. Over time, Empire Dragon has evolved its tactics and focus. Initially targeting Chinese interests such as the &quot;Five Poisons,&quot; it shifted its attention to the United States and its allies after August 2022, particularly in response to geopolitical events and emerging conspiracy theories.</p><p><img src="https://cms.recordedfuture.com/uploads/empire_dragon_accelerates_covert_information_operations_converges_russian_narratives_body_4bf6261ce0.png" alt="empire-dragon-accelerates-covert-information-operations-converges-russian-narratives-body.png"><em>Timeline of Empire Dragon operations, with an estimated number of posts (Source: Recorded Future)</em></p><p>Notably, there is a growing convergence between Empire Dragon&#39;s narratives and those propagated by Russian disinformation campaigns. This convergence involves amplifying narratives originating from the Russian disinformation ecosystem, indicating a wider shift in the threat landscape for covert information operations in China. Empire Dragon&#39;s use of tactics like employing &quot;useful idiots,&quot; fringe political groups, and account impersonation further reflects this convergence.</p><p>Despite its efforts, Empire Dragon has struggled to generate organic engagement with its narratives, attributed to factors such as poor content quality, machine-translated text, and sporadic content amplification. 
However, improvements in multilingual large language models and image generation models are anticipated to enhance the network&#39;s ability to overcome these challenges in the future.</p><p>Looking ahead, Insikt Group predicts that Empire Dragon will continue to capitalize on current events and conspiracy theories, refining its tactics and procedures in preparation for significant events in 2024, including the Taiwanese and US presidential elections. The network is likely to attempt to influence these elections by supporting specific candidates, attacking political leaders, fostering division among voters, and discrediting critics of the Chinese government.</p><p>Overall, the narrative convergence observed in Empire Dragon&#39;s operations suggests a broader trend of convergence between Chinese and Russian influence activities, even though their geopolitical objectives differ. Content quality is likely to be improved with the advent of multilingual large language models (LLMs) and advanced image-generation models, meaning that we will almost certainly witness an improvement in Western audiences&#39; engagement with Chinese state-aligned IO despite linguistic and cultural barriers. </p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0830.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/empire_dragon_accelerates_covert_information_operations_converges_russian_narratives_main_074de9db94.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Converging Narratives on Hawaii Wildfires Advance Different Influencers’ Objectives]]></title>
            <link>https://www.recordedfuture.com/converging-narratives-hawaii-wildfires-advance-different-influencers-objectives</link>
            <guid>https://www.recordedfuture.com/converging-narratives-hawaii-wildfires-advance-different-influencers-objectives</guid>
            <pubDate>Wed, 30 Aug 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group examines foreign and U.S. domestic influence actors opportunistically leveraging the Hawaii wildfires in their influence narratives.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Foreign and domestic influence actors are capitalizing on the Hawaii wildfires to advance their own objectives. Russian and Chinese actors are leveraging shared narratives, asserting that the US prioritizes military spending over citizens&#39; welfare, almost certainly aiming to curtail US defense expenditure in relation to Ukraine and Taiwan, potentially affecting the 2024 US elections. Influence actors are also engaging in disinformation campaigns suggesting that the US government caused the wildfires using weather or energy weapons, with a possible feedback loop between Chinese state-sponsored and domestic violent extremist (DVE) influence operations.</p><p>Russian state-funded media is amplifying genuine US domestic concerns about the wildfire response, emphasizing parallels between US aid to Ukraine and assistance during the Hawaii wildfires, almost certainly to undermine support for Ukraine and erode confidence in the Biden administration. A Chinese government-aligned covert network is spreading disinformation attributing the wildfires to a &quot;weather weapon,&quot; while Chinese state media is accusing the US government of valuing military spending over citizens&#39; safety. These narratives aim to provoke anger and domestic pressure to reduce defense expenditure.</p><p><img src="https://cms.recordedfuture.com/uploads/converging_narratives_hawaii_wildfires_advance_different_influencers_objectives_joe_biden_a71a6eb219.png" alt="converging-narratives-hawaii-wildfires-advance-different-influencers-objectives-joe-biden.png"><em>RT article and social media post graphic boosting an opinion from former Rep. 
Ron Paul, arguing that Ukraine matters to Biden more than Hawaii (Source: RT)</em></p><p>US DVEs are promoting disinformation that the US government deliberately ignited the wildfires using a directed energy weapon, with some DVEs weaving in anti-Semitic conspiracy theories regarding plans to acquire and sell land. These narratives very likely intend to undermine government emergency responses, propagate anti-government sentiment, and advance anti-Semitic ideologies.</p><p><img src="https://cms.recordedfuture.com/uploads/converging_narratives_hawaii_wildfires_advance_different_influencers_objectives_maui_2ca03a58f4.png" alt="converging-narratives-hawaii-wildfires-advance-different-influencers-objectives-maui.png"><em>Post with purported evidence of a directed energy weapon attack on Maui from a source linked to the DVE conspiracy movement QAnon (Source: Telegram)</em></p><p>The proliferation of disinformation highlights influence actors&#39; opportunism and speed in shaping the information landscape. Counter-influence strategies, awareness campaigns, and psychological impact consideration are advised to mitigate the influence of these narratives. The convergence of influence narratives, intended to influence defense spending, aid policies, and election outcomes, is very likely to escalate in the lead-up to the 2024 US presidential elections.</p><p>Beyond political manipulation, exploiting natural disasters risks eroding trust in disaster relief efforts and agencies like FEMA. Effective strategic communications, preemptive identification of emerging narratives, and reliance on credible scientific and fact-checking institutions are crucial during such events.</p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/ta-2023-0830.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/converging_narratives_hawaii_wildfires_advance_different_influencers_objectives_main_b99a9a36a7.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Malign Narratives Oppose “the Voice” Ahead of Australia’s Referendum]]></title>
            <link>https://www.recordedfuture.com/malign-narratives-oppose-the-voice-ahead-of-australias-referendum</link>
            <guid>https://www.recordedfuture.com/malign-narratives-oppose-the-voice-ahead-of-australias-referendum</guid>
            <pubDate>Mon, 28 Aug 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future's Insikt Group examines false information surrounding the possible creation of a new advisory body in Australia’s parliament, “the Voice.”]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>In this report, Insikt Group examines false information surrounding the possible creation of a new advisory body in Australia&#39;s parliament, the Aboriginal and Torres Strait Islander Voice (also known as &quot;the Voice&quot;). This false information overwhelmingly opposes the Voice, and the actors spreading it are very likely seeking to manipulate or influence voters to vote against the proposed change to Australia&#39;s Constitution in a referendum scheduled for sometime between October and December 2023.</p><p>Online manipulative content is primarily produced by conspiracy theorists, political activists, and extremist groups such as the National Socialist Network and Patriotic Alternative. Additionally, the Communist Party of China (CCP) is reported to be involved in an ongoing disinformation campaign seeking to amplify divisive narratives about the Voice. Notably, state-sponsored information operations from Russia and Iran were not observed targeting the Voice.</p><p>Five key malign influence narratives have emerged against the Voice. These narratives claim that the Voice will lead to racial segregation, is part of a Jewish plot, aims to establish communism, invites a globalist invasion, and introduces an &quot;aboriginal tax&quot;. 
These narratives are promoted through various channels, including alternative news sites, social media platforms, and video-sharing platforms.</p><p><img src="https://cms.recordedfuture.com/uploads/malign_narratives_oppose_the_voice_ahead_of_australias_referendum_body_9db633eec7.png" alt="malign-narratives-oppose-the-voice-ahead-of-australias-referendum-body.png"><em>(Left) Screenshot of the Telegram channel Aboriginal Voice Exposed; (Right) A post on the Telegram channel Aboriginal Voice Exposed, published on June 21, 2023, which received over 9,000 views</em></p><p>The potential impact of these false narratives is concerning, particularly when amplified by political figures and media personalities, potentially influencing voters ahead of the referendum. As the referendum approaches, official announcements and events associated with the Voice will likely provide more content for malign influencers to exploit. If the referendum passes, the resulting advisory body will likely remain a target of online manipulative content.</p><p>To counter these efforts, a comprehensive approach involving both the government and private industry is recommended. Publicly identifying and refuting false information, raising awareness among business executives and public figures, and proactive monitoring of information sources can help reduce the effectiveness of malign influence narratives. This report underscores the importance of maintaining information integrity and countering false information to protect democratic processes.</p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/ta-2023-0828.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/malign_narratives_oppose_the_voice_ahead_of_australias_referendum_main_ed73cd1fc1.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Recruiter Tips: Insights on the Hiring Process at Recorded Future]]></title>
            <link>https://www.recordedfuture.com/blog/hiring-process-recruiter-insights</link>
            <guid>https://www.recordedfuture.com/blog/hiring-process-recruiter-insights</guid>
            <pubDate>Thu, 17 Aug 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Discover insights from a Recruiter at Recorded Future, the world's largest threat intelligence company, about their hiring process and improving the candidate experience.]]></description>
            <content:encoded><![CDATA[<p>Recorded Future is the world&#39;s largest threat intelligence company. It is the most comprehensive and independent threat intelligence cloud platform. It enables organizations to identify and mitigate threats across cyber, supply-chain, physical, and fraud domains. It is trusted by 1,700+ customers to get real-time, unbiased and actionable intelligence.</p><p>As a company, we strongly believe our employees are the backbone of our success. Perfecting our hiring process and candidate journey is crucial both for us and the talents we interact with on a daily basis. Recorded Future is committed to being a workplace that attracts top talents and an environment where builders thrive.</p><p>This blog shares great insights and best practices to engage top talent and provide a world-class candidate experience. We wanted to hear from an expert, so we interviewed Chris Barnes, Recruiting Manager at Recorded Future. </p><h3 id="the-basics">The Basics</h3><p><em>Can you introduce yourself and what you do at Recorded Future?</em></p><p><strong>Chris:</strong> I&#39;m Chris, I manage talent acquisition for all technical and post-sales departments in North America and I&#39;ve been with Recorded Future for almost two years.</p><p><img src="https://cms.recordedfuture.com/uploads/chris_barnes_recruiting_manager_tips_d84da055ce.jpg" alt="chris-barnes-recruiting-manager-tips.jpg"></p><p><em>What does Recorded Future do?</em></p><p><strong>Chris:</strong> Recorded Future is able to help organizations protect their security posture in a wide variety of ways. Whether it&#39;s protecting their security posture from a security operations standpoint, protecting their security posture from a brand management standpoint, or a third-party vendor management standpoint for instance. We provide clients with actionable intelligence in all of these areas and more. 
It helps clients take more of a proactive stance in their security posture, especially given the fact that in the last 10 years in the cyber security space, a lot of tools are being used more from a reactive approach.</p><p>Recorded Future is the most comprehensive and independent threat intelligence cloud platform. It enables organizations to identify and mitigate threats across cyber, supply-chain, physical, and fraud domains. It is trusted by 1,700+ customers to get real-time, unbiased and actionable intelligence. <a href="https://www.recordedfuture.com/platform">Learn more about our platform</a>.</p><p><em>Can you tell us a bit about your experience at Recorded Future so far?</em></p><p><strong>Chris:</strong> It&#39;s been very positive. It&#39;s a very collaborative environment here and I am really able to drive talent initiatives and recruit for a purposeful mission. What we do: securing the world with intelligence is really unique and being able to recruit for that mission is really exciting.</p><h3 id="the-interview-process">The Interview Process</h3><p><em>What is the process like?</em></p><p><strong>Chris:</strong> The process at Recorded Future typically consists of five stages. </p><ol><li><p><strong>Resume Review:</strong> that would be reviewing a candidate&#39;s resume. </p></li><li><p><strong>Preliminary Screen:</strong> if their profile seems to fit the role&#39;s needs and requirements - a phone call with a recruiter is scheduled to determine if the candidate&#39;s experience aligns well with the goals for the position.</p></li><li><p><strong>Interviews:</strong> if the preliminary screen is a success, the candidate typically moves to either a panel interview or one-on-one interviews with employees they would collaborate with, should they be hired. </p></li><li><p><strong>For technical positions</strong> this usually includes additional assessments such as a code walkthrough, product demonstration, or scenario-based exercise. 
For some of the client-facing positions we have, candidates might be evaluated in role play scenarios as well.</p></li><li><p><strong>References:</strong> upon success in the previous steps we will gather references from the candidate.</p></li></ol><p>Decision: the hiring team will then determine if they will extend an offer to the candidate.</p><p><em>How does the process differ from one job to another or to a non-technical team?</em></p><p><strong>Chris:</strong> The interview process for our technical teams usually focuses on a specific technical skill set that will enable success against the business objectives for the position. This can be evaluated in the form of a technical case study, code walk-through, or technical presentation. In our working environment, collaboration is a key factor for successful initiatives and the technical evaluation also allows for a candidate to demonstrate how they would approach working with other team members.</p><h3 id="what-we-look-for-in-candidates">What We Look For In Candidates</h3><p><em>What type of positions do you look to hire for?</em></p><p><strong>Chris:</strong> Recorded Future hires across the globe into multiple functions from engineering, to customer service, consulting, and sales.</p><p><em>What skill sets do you look for?</em></p><p><strong>Chris:</strong> While the exact skills required may differ among roles, we consistently seek extraordinary people who align with our values, work hard and are willing to go the extra mile to achieve goals.</p><p>For technical or semi-technical roles, the experience and skills we look for in candidates align to the technical components of our product and how we provide threat intelligence to our clients. For instance, Python is an essential language for some of our roles. That skill-set can apply to a wide-ranging amount of positions, such as Customer Success Managers, Data Engineering, Professional Services, Threat Research, and many other technical teams we have. 
</p><p>All of our positions require strong written and verbal communication skills. When providing information to internal or external stakeholders, it is imperative to be able to clearly define and articulate information needed to grow our business.</p><h3 id="resume-building--interviewing-tips">Resume Building &amp; Interviewing Tips</h3><p><em>Do you have any advice for crafting a strong resume for the industry?</em></p><p><strong>Chris:</strong> Something that is not thought of as much as it should be, is the ability to clearly define your experience and accomplishments in your resume format, so your skill-sets and experience align to the position clearly and thoughtfully. A common best practice is describing not only what you know, but how you applied your skills, and how it resulted in success for the business through a measurable indicator. Your resume should broadcast how your skills align to the criteria needed to achieve success in the position. If this is not defined clearly and thoroughly, it could be hard to determine if your experience aligns to the position.</p><p><em>Is it important to match a resume to the job description?</em></p><p><strong>Chris:</strong> It is common for a candidate to have multiple resumes that can speak to their experience in different ways. In each version, I would still recommend demonstrating how you have used your experience.</p><p><em>How should someone prepare for an interview?</em></p><p><strong>Chris:</strong> To start, be on-time and ready for the interview, aware of who you are interviewing with, have an understanding of the history of the company, what the business focus of the company is, and based on the information that has been shared with them thus far, an understanding of the position. 
Come prepared with questions and ready to share why you&#39;re interested in the opportunity.</p><p>The job description and the business focus of a company should definitely be part of the research and preparation, prior to an interview. However, looking deep into a company throughout the interview process and taking advantage of the time you have with the interviewers to learn about how you can grow, how you can collaborate with others, and how the position you are interviewing for can contribute to the mission of the company are the foundation to understanding the position in totality. This is something each candidate should consider at each step of the interview process. Ultimately, this is how you will be utilizing your time when striving for success!</p><p><em>Any interviewing tips?</em></p><p><strong>Chris:</strong> When interviewing for a position at any stage in the interview process, it is important to show you have invested time in researching our company. You could have experience and skills that match all requirements of the position, but if a candidate shows a lack of preparation or awareness for the interview, it will be seen as they may take a similar approach to their work, once hired.</p><p>Regardless of the position we are hiring for, a good tool for candidates is to apply the STAR method (describing examples by clearly defining the situation, task, action, and result) when describing their experience. 
The STAR method not only clearly defines the steps someone took to achieve success, but it also allows the hiring team to fully determine whether or not a candidate has experience needed to successfully complete the business objectives aligned to the position.</p><p><em>Are there any particular questions you often ask candidates during interviews?</em></p><p><strong>Chris:</strong> I ask each candidate what they know about Recorded Future to start the interview to gauge the amount of interest and research they put into their preparation for the interview. I also ask why they are interested in Recorded Future, and what is driving their interest for a new opportunity in their career.</p><h3 id="why-you-should-join-recorded-future">Why You Should Join Recorded Future</h3><p><em>How would you describe the company culture at our organization?</em></p><p><strong>Chris:</strong> We have three Core Values that all of our Futurists live by: We have high standards, act ethically, and we practice inclusion. We are a highly collaborative environment: supporting team members across the organization acts as the ultimate driver of our success. This core aspect of our DNA truly drives our ability to grow. The mission of the company really aligns well with our culture and regardless of what department you work in and the responsibilities of your position, you are contributing to something that is making the world safer. </p><p>Read more about our core values: <a href="https://www.recordedfuture.com/company-values-our-guiding-principles">Setting The Scene - Company Core Values, Our Guiding Principles</a></p><p><em>What opportunities for growth and development does our company offer?</em></p><p><strong>Chris:</strong> As part of development and career progression for Futurists, all levels of management encourage and support development and career progression for their team members. 
There are current examples of this that range from Interns who were offered a full-time position upon completion of their Internship, to Futurists who have moved to adjacent teams within the company based on personal interest, and those who have chosen to pursue career advancement into SME or management positions. </p><h3 id="final-words">Final Words</h3><p>There are many reasons why Recorded Future is a great opportunity for job seekers. 1. We are a leader in the industry: no one is doing what we&#39;re doing at the scale that we are. We&#39;re the world&#39;s largest intelligence company. 2. Probably most importantly, we&#39;re a people-first company. Whether that&#39;s in the way we collaborate together, the way we promote diversity and inclusion, or the way we put a strong focus on learning and development and building tailored careers for our employees so they can thrive and build their own paths.</p><p>Learn more about our DE&amp;I initiatives from our most recent blog: <a href="https://www.recordedfuture.com/erg-stories-apida-heritage-month-2023">APIDA Heritage Month: ERG Employee Stories, Community, and Support</a></p><h4 id="now-what">Now what?</h4><p>If any of that resonates with you or you&#39;re interested in learning more about careers at Recorded Future, we invite you to <a href="https://www.recordedfuture.com/careers">visit our careers page</a>. </p><p>Are you actively looking for a new opportunity? <a href="https://www.recordedfuture.com/jobs">We&#39;re hiring</a> across teams and across locations. </p><p>For more information or questions, feel free to email <a href="mailto:careers@recordedfuture.com">careers@recordedfuture.com</a>.</p>]]></content:encoded>
            <category>Blog</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/hiring_process_recruiter_insights_main_49f753bdfc.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[H1 2023: Ransomware's Pivot to Linux and Vulnerable Drivers]]></title>
            <link>https://www.recordedfuture.com/h1-2023-ransomwares-pivot-to-linux-and-vulnerable-drivers</link>
            <guid>https://www.recordedfuture.com/h1-2023-ransomwares-pivot-to-linux-and-vulnerable-drivers</guid>
            <pubDate>Thu, 17 Aug 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[This report examines trends in malware use, distribution, and development, as well as high-risk vulnerabilities disclosed by major hardware and software vendors between January 1 and June 30, 2023. ]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>In the first half of 2023, ransomware attacks surged, with attackers increasingly relying on exploiting vulnerabilities for rapid compromise. Prominent campaigns targeted organizations using vulnerability exploits, such as the VMware ESXi hypervisor breach. This trend was fueled by ransomware groups targeting Linux servers, which allow for faster attacks but present a less user-rich environment than Windows or MacOS, making vulnerability exploitation a priority for initial access.</p><p>Prominent malware variants in H1 2023 included LockBit, ALPHV, Royal, ESXiArgs, and Pegasus. Additionally, attackers exploited vulnerable drivers to bypass endpoint detection and response solutions, emphasizing the need to inventory and patch organization-used drivers.</p><p>An event of significant financial impact was the exploitation of a zero-day vulnerability affecting Barracuda&#39;s email security gateway (ESG), leading to the replacement of ESG appliances and substantial financial losses. Redundancy in IT and security architecture is crucial. The rest of 2023 will likely witness continued ransomware attacks through exploited vulnerabilities and targeting vulnerable drivers. Defenders should optimize resources and budgets for redundancy to distribute risk.</p><p>Ransomware actors will exploit third-party software vulnerabilities, as demonstrated by the CL0P group&#39;s breaches. Defenders should review security policies for third-party software, especially products targeted in H1 2023. Steps include inventorying MFT systems, maintaining robust patch management, and coordinating with vendors for effective vulnerability responses.</p><p>Vulnerable drivers are a growing attack vector requiring vigilant tracking, identification of malicious drivers, and regular audits to minimize exploitation. 
Organizations relying on single security solutions should prioritize redundancy for cyber risk distribution.</p><p>Overall, the landscape emphasizes the need for proactive measures to counter ransomware and vulnerability exploits, involving thorough inventorying, patch management, redundancy, and collaborative response strategies.</p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/cta-2023-0817.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/h1_2023_ransomwares_pivot_to_linux_and_vulnerable_drivers_main_e280d62aa6.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Threat Actors Leverage Internet Services to Enhance Data Theft and Weaken Security Defenses]]></title>
            <link>https://www.recordedfuture.com/threat-actors-leverage-internet-services-to-enhance-data-theft-and-weaken-security-defenses</link>
            <guid>https://www.recordedfuture.com/threat-actors-leverage-internet-services-to-enhance-data-theft-and-weaken-security-defenses</guid>
            <pubDate>Wed, 16 Aug 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore how threat actors leverage trusted platforms to mask activities. Understand the rise in "living off trusted sites" tactics and the need for evolving defense strategies.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>New Insikt research highlights an emerging trend where threat actors are increasingly exploiting trusted platforms like Google Drive, OneDrive, Notion, and GitHub to conceal malicious activities within normal internet traffic. This tactic enhances their efficiency in data theft and operations while weakening conventional defenses. Advanced persistent threat (APT) groups are at the forefront of this strategy, with less sophisticated groups following suit. This underscores the need for adaptable defense strategies that evolve alongside threat actor innovations.</p><p>The report addresses a crucial gap in understanding by offering a systematic overview of legitimate internet services (LIS) abuse across malware categories. It predicts a further increase in LIS abuse due to advantages enjoyed by threat actors and the challenges faced by defenders. The lack of comprehensive reporting makes it difficult to quantify the trend definitively, but the prevalence of LIS abuse by well-established malware families, the adoption of these methods by newer strains, and the rapid innovation by APT groups all suggest an increasing trend in LIS abuse for adversary infrastructure.</p><p><img src="https://cms.recordedfuture.com/uploads/threat_actors_leverage_internet_services_to_enhance_data_theft_and_weaken_security_defenses_body_3e829231f0.png" alt="threat-actors-leverage-internet-services-to-enhance-data-theft-and-weaken-security-defenses-body.png"><em>Overview of a full C2 infrastructure setup using LIS</em></p><p>As threat actors continue to evolve their tactics, traditional defenses like indicator of compromise (IOC) blocking and basic detections will become less effective. A multi-faceted approach, encompassing network-, file-, and log-based detection methods, is proposed. 
Defenders should also proactively identify potentially vulnerable internet services and conduct attack simulations to stay ahead.</p><p>The report&#39;s analysis of over 400 malware families reveals that 25% of them abuse LIS in some capacity, with 68.5% of those families abusing more than one LIS. Infostealers are the most likely to exploit LIS (37%), driven by their data exfiltration objectives and ease of infrastructure setup. Different malware categories adopt distinct infrastructure schemes. Cloud storage platforms like Google Drive are the most commonly abused, followed by messaging apps like Telegram and Discord.</p><p>In the short term, defenders are advised to identify and block LIS that are not used within their environment but are known to be used maliciously. For long-term security, organizations should invest resources in understanding both legitimate and malicious uses of specific services. This understanding will facilitate the development of more effective and nuanced detection methods. Technologies like TLS network interception are gaining relevance for improved visibility, though they also introduce privacy and compliance concerns.</p><p>Despite the challenges, defenders can implement measures such as blocking or flagging malicious LIS usage, proactive threat hunting, and focusing on a diverse range of detection methods. Developing a comprehensive understanding of legitimate and malicious service usage is crucial for effective detection mechanisms and overall protection. The next report in the series will delve into the abuse of a specific LIS category used as malicious infrastructure.</p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0816.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/threat_actors_leverage_internet_services_to_enhance_data_theft_and_weaken_security_defenses_main_8087a8e0d1.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale]]></title>
            <link>https://www.recordedfuture.com/redhotel-a-prolific-chinese-state-sponsored-group-operating-at-a-global-scale</link>
            <guid>https://www.recordedfuture.com/redhotel-a-prolific-chinese-state-sponsored-group-operating-at-a-global-scale</guid>
            <pubDate>Tue, 08 Aug 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[RedHotel (formerly tracked as TAG-22) is one of the most prominent, active, Chinese state-sponsored threat activity groups tracked by Recorded Future’s Insikt Group.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>New Insikt Group research examines RedHotel, a Chinese state-sponsored threat activity group that stands out due to its persistence, operational intensity, and global reach. RedHotel&#39;s operations span 17 countries in Asia, Europe, and North America from 2021 to 2023. Its targets encompass academia, aerospace, government, media, telecommunications, and research sectors. Particularly focused on Southeast Asia&#39;s governments and private companies in specified sectors, RedHotel&#39;s infrastructure for malware command-and-control, reconnaissance, and exploitation points to administration in Chengdu, China. Its methods align with other contractor groups linked to China&#39;s Ministry of State Security (MSS), indicating a nexus of cyber talent and operations in Chengdu.</p><p><img src="https://cms.recordedfuture.com/uploads/2023_redhotel_body_b22a0b5597.png" alt="2023-redhotel-body.png"><em>Schematic of RedHotel&#39;s multi-tiered C2 infrastructure network</em></p><p>RedHotel has a dual mission of intelligence gathering and economic espionage. It targets both government entities for traditional intelligence and organizations involved in COVID-19 research and technology R&amp;D. Notably, it compromised a US state legislature in 2022, highlighting its expanded reach. RedHotel employs a multi-tiered infrastructure with a distinct focus on reconnaissance and long-term network access via command-and-control servers. </p><p>Since at least 2019, RedHotel has exemplified a relentless scope and scale of wider PRC state-sponsored cyber-espionage activity by maintaining a high operational tempo and targeting public and private sector organizations globally. 
The group often utilizes a mix of offensive security tools, shared capabilities, and bespoke tooling.</p><p>Recorded Future&#39;s Insikt Group observes various Chinese state-sponsored cyber threats, with RedHotel standing out for its broad scope and intensity of activity. RedHotel&#39;s campaigns include innovations such as exploiting a stolen code signing certificate and commandeering Vietnamese government infrastructure. Despite public exposure, RedHotel&#39;s bold approach suggests it will persist in its activities.</p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/2023_redhotel_main_726f0a4196.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[BlueCharlie, Previously Tracked as TAG-53, Continues to Deploy New Infrastructure in 2023]]></title>
            <link>https://www.recordedfuture.com/bluecharlie-previously-tracked-as-tag-53-continues-to-deploy-new-infrastructure-in-2023</link>
            <guid>https://www.recordedfuture.com/bluecharlie-previously-tracked-as-tag-53-continues-to-deploy-new-infrastructure-in-2023</guid>
            <pubDate>Wed, 02 Aug 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group tracks BlueCharlie, a Russia-nexus threat group that's evolving operations, with 94 new domains since March 2023.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Insikt Group has been tracking the threat activity group BlueCharlie, associated with the Russia-nexus group Callisto/Calisto, COLDRIVER, and Star Blizzard/SEABORGIUM. BlueCharlie, a Russia-linked threat group active since 2017, focuses on information gathering for espionage and hack-and-leak operations. BlueCharlie has evolved its tactics, techniques, and procedures (TTPs) and built new infrastructure, indicating sophistication in adapting to public disclosures and improving operations security. While specific victims are unknown, past targets include government, defense, education, political sectors, NGOs, journalists, and think tanks. </p><p><img src="https://cms.recordedfuture.com/uploads/bluecharlie_previously_tracked_as_tag_53_continues_to_deploy_new_infrastructure_in_2023_body_039d3dc0ed.png" alt="bluecharlie-previously-tracked-as-tag-53-continues-to-deploy-new-infrastructure-in-2023-body.png"><em>Breakdown of terms used in BlueCharlie activity since November 2022</em></p><p>Recently, Insikt Group observed BlueCharlie build new infrastructure for likely use in phishing campaigns and/or credential harvesting, which consists of 94 new domains. Several of the TTPs seen in the recent operation depart from past activity, suggesting that BlueCharlie is evolving its operations, potentially in response to public disclosures of its operations in industry reporting. Since Insikt Group&#39;s initial tracking of the group in September 2022, we have observed BlueCharlie engage in several TTP shifts. These shifts demonstrate that these threat actors are aware of industry reporting and show a certain level of sophistication in their efforts to obfuscate or modify their activity, aiming to stymie security researchers. 
</p><p>To counter BlueCharlie&#39;s threat, network defenders should enhance phishing defenses, implement FIDO2-compliant multi-factor authentication, use threat intelligence, and educate third-party vendors. BlueCharlie&#39;s continued use of phishing and its historical adaptation to public reporting suggest it will remain active and evolve further in its operations.</p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0802.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/bluecharlie_previously_tracked_as_tag_53_continues_to_deploy_new_infrastructure_in_2023_main_f39237d025.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware]]></title>
            <link>https://www.recordedfuture.com/bluebravo-adapts-to-target-diplomatic-entities-with-graphicalproton-malware</link>
            <guid>https://www.recordedfuture.com/bluebravo-adapts-to-target-diplomatic-entities-with-graphicalproton-malware</guid>
            <pubDate>Thu, 27 Jul 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[This report is a summary of threat activity linked to the Russian advanced persistent threat (APT) group BlueBravo (APT29, Midnight Blizzard) uncovered since January 2023.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Recorded Future&#39;s Insikt Group has been monitoring the activities of Russian state actors who are intensifying their efforts to hide command-and-control network traffic using legitimate internet services (LIS) and expanding the range of services misused for this purpose. BlueBravo is a threat group tracked by Insikt Group, whose actions align with those of the Russian advanced persistent threat (APT) groups APT29 and Midnight Blizzard, both attributed to Russia&#39;s Foreign Intelligence Service (SVR).</p><p><img src="https://cms.recordedfuture.com/uploads/bluebravo_adapts_to_target_diplomatic_entities_with_graphicalproton_malware_body_7fd84c011b.png" alt="bluebravo-adapts-to-target-diplomatic-entities-with-graphicalproton-malware-body.png"><em>Overview of BlueBravo attack flow (Source: Recorded Future)</em></p><p>In January 2023, Insikt Group reported on BlueBravo&#39;s use of a themed lure to deliver malware called GraphicalNeutrino. They identified several consistent tactics employed by the group, including compromised infrastructure, known malware families, third-party services for command-and-control (C2), and reused lure themes. Another malware variant used by BlueBravo, named GraphicalProton, was discovered. Unlike GraphicalNeutrino, which used Notion for C2, GraphicalProton uses Microsoft&#39;s OneDrive or Dropbox for communication.</p><p>The group&#39;s misuse of LIS is an ongoing strategy, as they have used various online services such as Trello, Firebase, and Dropbox to evade detection. 
BlueBravo appears to prioritize cyber-espionage efforts against European government sector entities, possibly due to the Russian government&#39;s interest in strategic data during and after the war in Ukraine.</p><p>Based on observed trends, Insikt Group predicts that BlueBravo will continue to adapt and create new malware variants while leveraging third-party services for C2 obfuscation. Defenders are urged to invest additional time and resources to track the evolving group, particularly organizations targeted by Russian state actors in relation to the Russia-Ukraine conflict.</p><p>BlueBravo is expected to continue developing infrastructure and compromising vulnerable websites to deploy new strains of malware, targeting diplomatic and foreign policy institutions in Eastern Europe, as these organizations provide valuable insight for the Russian intelligence consumers during the ongoing war in Ukraine.</p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/bluebravo_adapts_to_target_diplomatic_entities_with_graphicalproton_malware_main_header_aa4e8487a2.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Reducing Operational Risk with Threat Intelligence]]></title>
            <link>https://www.recordedfuture.com/blog/reducing-operational-risk-with-threat-intelligence</link>
            <guid>https://www.recordedfuture.com/blog/reducing-operational-risk-with-threat-intelligence</guid>
            <pubDate>Wed, 19 Jul 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore the role of threat intelligence in safeguarding businesses from operational risk in this blog post. ]]></description>
            <content:encoded><![CDATA[<p>Recent headlines are littered with stories of companies being breached, private data being exposed, and operations coming to a standstill as the growing complexity of IT environments, heavy reliance on supply chain vendors, and motivated threat actors have increased operational risk for organizations of all sizes. </p><p>To summarize, operational risk refers to the potential for losses due to technical failures, human errors or omissions, internal processes or system failures, or uncontrollable external events. These risks can lead to business disruption, system downtime, infrastructure damage, fraud and more.</p><p>According to Splunk&#39;s <a href="https://www.splunk.com/en_us/form/state-of-security.html">State of Security 2023</a> report, 49% of respondents have experienced a ransomware attack and 46% faced brand impersonation in just the past two years. This suggests it&#39;s not a question of if, but when adversaries might target vulnerabilities across your cyber, supply chain, or physical attack surface. </p><p>It should also be noted that cybercrime is increasingly lucrative for attackers; it&#39;s projected to cost the world $10.5 trillion annually by 2025 (<a href="https://cybersecurityventures.com/cybersecurity-spending-2021-2025/">Cybersecurity Ventures</a>). To enhance their profits, attackers are becoming more automated, incorporating artificial intelligence and machine learning into their arsenal. Additionally, as-a-service offerings for phishing, ransomware, and malware are lowering the technical barriers to entry, enabling less skilled cybercriminals to put business operations at risk.</p><p>To keep up, organizations must be prepared to make the right security decisions and build resilience at the speed and scale of today&#39;s threat environment. Given the current landscape, security risk is synonymous with business risk. 
</p><p>However, reducing operational risk is not a quick fix; there are many challenges to overcome: </p><ul><li>Detection tools only monitor traffic that hits your network, leaving them blind to various exposures and misconfigurations that attackers can exploit. </li><li>There&#39;s no control over third parties in your supply chain ecosystem to enforce, detect, respond, or manage risks.</li><li>While some of your security tools may offer a partial view of defense strategies against ransomware, they often fail to provide a comprehensive picture.</li><li>Automation is growing in importance, but confusion frequently arises regarding how, what, and when to automate. Without properly answering these questions, automation strategies may fail due to unrealistic expectations.</li></ul><p>To navigate these challenges, a strategic advantage is necessary, and threat intelligence offers just that.</p><h3 id="how-does-threat-intelligence-reduce-operational-risk">How does threat intelligence reduce operational risk?</h3><p>Threat Intelligence provides insights and indicators to protect against internal failures and external threats that may lead to business disruption (for an in-depth look at Threat Intelligence, check out our blog on <a href="https://www.recordedfuture.com/threat-intelligence">What is Threat Intelligence?</a>). At its core, security is a big data problem; threat intelligence serves as the connecting layer that distinguishes signal from noise, transforming data into actionable information. 
</p><h3 id="threat-intelligence-reduces-operational-risk-across-four-key-areas">Threat intelligence reduces operational risk across four key areas:</h3><p><img src="https://cms.recordedfuture.com/uploads/reducing_operation_risk_with_threat_intelligence_inline_graphic_8725ec4d47.jpg" alt="reducing-operation-risk-with-threat-intelligence-inline-graphic.jpg"></p><h3 id="protecting-your-expanding-digital-attack-surface"><em>Protecting your expanding digital attack surface</em></h3><p>To support business growth, many organizations are undertaking extensive digital transformation projects that may take years to complete. Adding emerging technology to legacy IT systems increases the complexity that cybersecurity teams must manage. Additionally, as a business grows, so does its reputation, making it more likely for adversaries to impersonate the brand or executives to sow confusion among employees, partners, and customers. </p><p>Threat Intelligence enhances visibility into potential attack vectors, providing an outside-in perspective of vulnerabilities, misconfigurations, and out-of-policy assets left defenseless along the digital attack surface. Further, threat intelligence can provide an inside-out view of digital risks, such as fake websites or domains, logo abuse, fake mobile applications, executive impersonation and additional risks putting your business in jeopardy. </p><h3 id="mitigating-third-party-risks-in-your-supply-chain"><em>Mitigating third party risks in your supply chain</em></h3><p>Not only are businesses enhancing their digital channels, but they&#39;re also increasingly relying on a larger supply chain network. Operating in a hyperconnected ecosystem means businesses must rely on multiple third parties including suppliers, physical locations, partners, software providers, software packages, contractors, gig workers and more. 
Lacking insight into supply chain risk presents a number of challenges, including a lack of real-time visibility into third party vulnerabilities and security posture, as well as limited protection from detection tools to highlight third-party risks.</p><p>Similar to how threat intelligence enhances visibility into weak points across the digital attack surface, it can also help provide insight into third-party vulnerabilities, the <a href="https://www.recordedfuture.com/threat-intelligence-101/cyber-threats/emerging-threats">emerging threats</a> they may be exposed to, and attacks they are experiencing to ensure appropriate mitigation controls are in place. </p><h3 id="defending-against-ransomware"><em>Defending against ransomware</em></h3><p>Ransomware continues to infiltrate systems of organizations across the globe, causing business disruption, financial loss, and reputational damage. Supported by a multi-million-dollar industry, ransomware groups persistently innovate to bypass security controls and outsmart defenders. Due to the intricate web of threat actors involved, no single tool or detection method can effectively mitigate an attack. </p><p>However, threat intelligence on ransomware threat actors, their tactics, and targets enables organizations to proactively defend against ransomware attacks. Additionally, visibility into compromised credentials for employees and partners can help safeguard these accounts from being exploited for initial access. </p><h3 id="automating-security-workflows"><em>Automating Security Workflows</em></h3><p>Security teams continue to struggle with manual processes and keeping pace with a changing threat landscape, leaving them attempting to do more with less. This leads to slow responses to threats, lack of confidence in automation tools and workflows, wasted time on false positives, employee burnout and more. 
</p><p>Threat Intelligence helps security teams minimize manual investigation and research of security threats with real-time threat intelligence, integrated into the tools and workflows security teams use on a daily basis. In addition, automating manual processes reduces the risk of human errors and provides breathing room for analysts to focus on more high-impact activities. </p><h3 id="how-can-recorded-future-help">How can Recorded Future help?</h3><p>Recorded Future is the most comprehensive and independent threat intelligence cloud platform. We enable organizations to identify and mitigate threats across cyber, supply-chain, physical and fraud domains; and are trusted to get real-time, unbiased and actionable intelligence.</p><p>Learn more about how Recorded Future can reduce operational risk and securely drive business growth in our eBook: <a href="https://go.recordedfuture.com/operational-risk-ebook">The Security Team&#39;s Guide to Reducing Operational Risk</a>.</p><p>Interested in seeing how Recorded Future can help your organization protect against operational risk? <a href="https://go.recordedfuture.com/demo">Request a Demo</a>, and our experts will walk you through how Recorded Future can plug into your existing security tools and workflows to elevate your security defenses.</p>]]></content:encoded>
            <category>Blog</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/reducing_operational_risk_with_threat_intelligence_main_44d874d499.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Putin’s Potential Successors Part 2: Aleksey Dyumin]]></title>
            <link>https://www.recordedfuture.com/putins-potential-successors-part-2-aleksey-dyumin</link>
            <guid>https://www.recordedfuture.com/putins-potential-successors-part-2-aleksey-dyumin</guid>
            <pubDate>Thu, 13 Jul 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore Aleksey Dyumin, potential successor to Putin as Russian president, including his political strengths, weaknesses, and implications for Russia's future.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Vladimir Putin is in his fourth term as Russia&#39;s president, having held the role for (a noncontinuous) 18 years. Russia&#39;s next presidential election cycle is in 2024, and while Putin has amended the constitution to permit his rule until he is 84, speculations continue to circulate regarding his declining health at 70 years old. Moreover, as domestic and international pressure continues to mount on Putin over a year into Russia&#39;s war against Ukraine, Putin&#39;s longevity as the Federation&#39;s president is a key topic of interest for the international community. </p><p>New Insikt Group Research examines Aleksey Dyumin, the governor of Tula and former chief security guard of Russian president Vladimir Putin, and his potential to serve as the next Russian president. The report evaluates factors that establish Dyumin as a potential successor for Putin&#39;s role, including his success as a member of the siloviki and his effective managerial skills as governor of Tula. In addition, we assess factors that weaken Dyumin&#39;s bid for the presidency, specifically his strained relationship with defense minister Sergei Shoigu and the broader Russian military apparatus. To strengthen his bid, Dyumin very likely would need to improve his relations with the Russian military to ensure that his appointment as the Tsesarevich would not cause a conflict within the siloviki faction.</p><p><img src="https://cms.recordedfuture.com/uploads/putins_potential_successors_001_8790d847e1.png" alt="putins-potential-successors-001.png"><em>(Dyumin (left) serving as Putin&#39;s bodyguard in 2000)</em></p><p>Dyumin would very likely be a leading candidate should Putin decide to choose a successor. 
His personal loyalty to Putin, good relations with members of the Russian elite, successful completion of strategically important tasks in Ukraine, and effective leadership in Tula have established the former aide-de-camp as a strong contender for the presidency.</p><p>Dyumin&#39;s policies and actions as a member of the siloviki faction and the governor of Tula suggest that a Dyumin presidency would very likely preserve Putin&#39;s political system. Domestically and internationally, Dyumin would likely continue Putin&#39;s policies, given his career in the Russian Federal Protective Service (FSO), the Russian Defense Ministry, and his role in annexing Crimea. However, any candidate chosen by Putin would also likely seek to improve relations with the West.</p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/ta-2023-0713.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/putins_potential_successors_part_2_aleksey_dyumin_0ff1d77a89.webp" length="0" type="image/webp"/>
        </item>
        <item>
            <title><![CDATA[China's Targeting of International Companies in Geopolitical Competition]]></title>
            <link>https://www.recordedfuture.com/chinas-targeting-international-companies-geopolitical-competition</link>
            <guid>https://www.recordedfuture.com/chinas-targeting-international-companies-geopolitical-competition</guid>
            <pubDate>Tue, 11 Jul 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Understand and mitigate the rising geopolitical risks for international businesses operating in China.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>New Insikt research examines China&#39;s coercion of international organizations as part of geopolitical competition. International businesses and corporate decision-makers cannot ignore geopolitics, as companies, their supply chains, and customers are increasingly targeted in cyber and non-cyber efforts to secure the national objectives of governments around the world. Companies must monitor the nexus between their business activities and countries&#39; perceptions of national security - particularly as great power competition intensifies - and plan to mitigate geopolitically driven risk. </p><p>Given Beijing&#39;s engagement in an escalating rivalry with the United States (US), assertive role in many potential flashpoints in Asia, and prioritization of national security over economics, China is currently among the leading sources of such risk. Geopolitical competition involving China since 2017 has cost (or had the potential to cost) international businesses hundreds of millions of USD in revenue. In some cases, China&#39;s treatment of businesses during geopolitical disputes and subsequent financial losses has further prompted companies to scale back operations in or exit the country.</p><p>Notable risks to businesses operating in China or exposed to the Chinese market include changing laws, new export controls, and potential supply-chain disruptions if regional conflict erupts. In responding to perceived threats to China&#39;s national security, human rights record, technological advancement, and territorial and sovereignty claims, Beijing has taken - and is very likely to continue taking - 8 types of actions that create special risks for international businesses: Cyberattack, Boycott, Embargo, Exit Ban, Law Enforcement Action, Product Ban, Regulatory Action, and Sanctions. 
Although planning for these risks is made difficult by Beijing&#39;s ill-defined laws and regulations, broad government powers, and lack of an independent judiciary, businesses should establish constant Monitoring teams, pursue supply-chain and market Diversification strategies, and increase Resilience through broad crisis management planning. </p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/ta-2023-0711.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/2023_0710_Blog_China_s_Targeting_of_International_Companies_in_Geopolitical_Competition_Main_Feature_7e6549facc.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Recorded Future Threat Intelligence Delivers Measurable Outcomes for Security Teams]]></title>
            <link>https://www.recordedfuture.com/blog/recorded-future-threat-intelligence-delivers-measurable-outcomes-security-teams</link>
            <guid>https://www.recordedfuture.com/blog/recorded-future-threat-intelligence-delivers-measurable-outcomes-security-teams</guid>
            <pubDate>Mon, 10 Jul 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future clients report time savings, capacity increases, increased visibility, and a more complete picture of their threat landscape.]]></description>
            <content:encoded><![CDATA[<p>Today more than ever, you need to know that the vendors you work with deliver measurable value to your organization. There&#39;s no room in this economically and geopolitically challenging time to waste money, time, or effort on any cybersecurity solutions that do not help you measurably elevate your security defenses. </p><p>It&#39;s clear that Recorded Future clients see quantifiable results. So we asked them to report the value delivered by Recorded Future across a few critical themes: time savings, increased capacity, increased efficiency, and increased visibility.</p><p>Clients of various sizes and industries across the globe were surveyed and overall reported saving time, increasing their team&#39;s capacity and efficiency, and getting a more complete picture of their digital footprint and threat landscape with Recorded Future.</p><h3 id="significant-time-savings-with-recorded-future">Significant Time Savings with Recorded Future</h3><p>Time is perhaps the most valuable resource in the cybersecurity world. Users report that they save more than an entire business day of work each week on investigation and threat hunting efforts with Recorded Future, at an average of 9.2 hours per week saved. At that rate, our clients are able to save nearly one full business week per month (36.8 hours) on investigation and threat hunting efforts when using <a href="https://www.recordedfuture.com/platform">The Recorded Future Intelligence Cloud</a>. What&#39;s more, users report that they save an average of 6.5 hours per week on threat mitigation efforts with Recorded Future. </p><p>Our clients are also reaping the time-saving benefits of having actionable intelligence at their fingertips. Clients report that their teams save an average of 13.1 hours weekly by using Recorded Future&#39;s actionable intelligence compared to using open or free sources of intelligence. 
It&#39;s clear that DIY intelligence solutions that rely on open or free sources of intelligence are costing organizations time that could be better used taking action. </p><p><img src="https://cms.recordedfuture.com/uploads/measurable_outcomes_security_teams_001_8c1e086d95.jpg" alt="measurable-outcomes-security-teams-001.jpg"></p><p>Actionable intelligence enables clients to quickly decide how to move forward in defending their organization or shift their security posture proactively. A Data Security Analyst from Butler Snow LLP, a US law firm, says in a <a href="https://go.recordedfuture.com/hubfs/case-studies/butler-snow.pdf">Recorded Future case study</a> that &quot;actionable intelligence helps us drive and validate our group&#39;s decision on how to prioritize patching critical systems.&quot; </p><h3 id="threat-intelligences-increases-teams-capacity">Threat Intelligence Increases Team&#39;s Capacity</h3><p>Doing more with less is the name of the game in the resource-strapped security industry. The security space has faced a security professional shortage for years, and the shortage is growing. As per the <a href="https://www.isc2.org/Research/Workforce-Study">2022 (ISC)2 Cybersecurity Workforce</a> study, there is a $3.4 million gap in the cybersecurity workforce. Persistent staffing challenges make it difficult for teams to accomplish all the work before them on a daily basis, so it&#39;s critical that threat intelligence providers multiply your team&#39;s capacity rather than adding to your workload. </p><p>Our clients report an average increase in their team&#39;s capacity of 32.9% by using Recorded Future. They also report that their teams can now shift 21.7% of work that could previously only be done by senior analysts to junior analysts. Empowering your teams to be more productive and capable than they would otherwise be, and allowing teams to shift work to less skilled workers is a cost saver that helps you combat the industry&#39;s growing talent shortage. 
It gives you an advantage over other organizations, because while others are overwhelmed with threats, unsure of what to prioritize, you are getting more done with fewer resources.</p><p><img src="https://cms.recordedfuture.com/uploads/measurable_outcomes_security_teams_002_1128d48a9e.jpg" alt="measurable-outcomes-security-teams-002.jpg"></p><h3 id="teams-efficiency-increased-across-multiple-dimensions">Team&#39;s Efficiency Increased Across Multiple Dimensions</h3><p>Efficiency is the foundation of a scalable, cost-effective, and resource-optimized security program. With efficiency at your intelligence-led security program&#39;s core, your team is enabled to detect, investigate, and mitigate threats quickly, often with less effort required.  </p><p>Users report that they are now 48.1% faster at identifying new threats than prior to using Recorded Future. Faster identification can enable clients to take steps towards mitigation sooner than before, and adopt a proactive approach to security, allowing them to stand up defenses where threat trends are appearing. </p><p>For some of our clients, Recorded Future is not their only intelligence provider, but it is their fastest. We asked clients with multiple intelligence providers if they observed a difference in alerting speed between Recorded Future and other vendors, and more than half (55.4%) reported observing that Recorded Future alerts faster than their other providers. In fact, 29.7% of clients reported that Recorded Future alerts them at least days before other providers. </p><p><img src="https://cms.recordedfuture.com/uploads/measurable_outcomes_security_teams_003_69fac2e1de.jpg" alt="measurable-outcomes-security-teams-003.jpg"></p><h3 id="increased-visibility-provides-a-complete-picture">Increased Visibility Provides a Complete Picture</h3><p>You can&#39;t protect what you don&#39;t know about. 
Revealing a complete picture of your threat landscape and digital footprint allows you to make informed decisions about where to spend your effort and brings to light threats you may not have been aware of. In a <a href="https://go.recordedfuture.com/hubfs/case-studies/allied-bank.pdf">case study</a>, Group Head/CISO of Allied Bank Limited mentioned that the need for increased visibility was one of the main reasons the company chose Recorded Future. He said &quot;the biggest challenge we faced - the reason we opted for Recorded Future - was we did not have enough visibility into Allied Bank&#39;s digital asset inventory. We wanted to be able to see what digital inventory information was out there, and to be alerted if any anomalies were detected.&quot;</p><p>Users report marked improvements in their understanding of their organization&#39;s threat landscape and digital footprint, with 90.4% of clients saying that they have a better understanding of their threat landscape and 85.9% of clients saying they have a better understanding of their digital footprint now using Recorded Future. What&#39;s more, clients report that they&#39;ve been able to gain 61.9% more visibility into potential threats with Recorded Future. </p><p><img src="https://cms.recordedfuture.com/uploads/measurable_outcomes_security_teams_004_1d668d64c7.jpg" alt="measurable-outcomes-security-teams-004.jpg"></p><h3 id="conclusion">Conclusion</h3><p>In the face of budget tightening and an increasingly complex threat environment, clients need threat intelligence to help them quantifiably improve their security teams&#39; outcomes. Recorded Future&#39;s clients report observing significant time savings, improvements in team capacity, increased efficiency, and improved visibility when using the Recorded Future Intelligence Cloud.  
</p><p><a href="https://go.recordedfuture.com/hubfs/infographics/reduce-risk-securely-drive-business.pdf"><img src="https://cms.recordedfuture.com/uploads/Infographic_ad_9467aceab6.jpg" alt="Infographic ad.jpg"></a></p>]]></content:encoded>
            <category>Blog</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/2023_0707_Blog_Main_Feature_b060fb349c.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[The Implications of CISA BOD 23-02 on Internet-Exposed Management Interfaces for Federal Organizations]]></title>
            <link>https://www.recordedfuture.com/blog/security-implications-management-interfaces-remote-login-consoles</link>
            <guid>https://www.recordedfuture.com/blog/security-implications-management-interfaces-remote-login-consoles</guid>
            <pubDate>Thu, 06 Jul 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore our latest post on CISA's BOD 23-02 directive, analyzing risks of internet-exposed interfaces for federal institutions & recommended solutions.]]></description>
            <content:encoded><![CDATA[<h2 id="the-implications-of-cisa-bod-23-02-on--internet-exposed-management-interfaces-for-federal-organizations">The Implications of CISA BOD 23-02 on Internet-Exposed Management Interfaces for Federal Organizations</h2><p>In a recent effort to alert federal civilian institutions and similar governing bodies about the risks of exposing network management interfaces to the internet, the Cybersecurity and Infrastructure Security Agency (CISA) issued a <em>Binding Operational Directive</em> (BOD). This directive offers specific guidelines and recommendations aimed at minimizing the attack surface.</p><p>Issued as <a href="https://www.cisa.gov/news-events/directives/binding-operational-directive-23-02">BOD 23-02</a>, this latest best practices document highlights a 14-day timeline from identifying any exposed asset(s) to proper remediation. This post will explore its scope and required actions, helping you take appropriate measures if necessary.</p><h3 id="understanding-the-risks">Understanding the risks</h3><p>First, it&#39;s crucial to understand the risks associated with any exposed network and device management interfaces to the public internet to maintain a robust cyber defense. When these interfaces are accessible from the internet (see below), they become potential entry points for malicious actors to exploit, compromising <a href="https://www.recordedfuture.com/attack-surface-intelligence-critical-infrastructure">critical infrastructure</a>, sensitive data, and organizational resources.</p><p><img src="https://cms.recordedfuture.com/uploads/security_implications_management_001_ed5c85a288.png" alt="security-implications-management-001.png"><em>Practice banned by CISA&#39;s BOD 23-02. Source: cisa.gov</em></p><p>For instance, CISA&#39;s new directive addresses current and past incidents where threat actors exploited previously unknown vulnerabilities in popular networking products. 
These exploits led to ransomware and cyber espionage attacks against targeted organizations. Affected devices include firewalls or routers, often with remote management capability over protocols such as HTTP or RDP.</p><h3 id="best-practices-for-mitigation">Best practices for mitigation</h3><p>According to BOD 23-02&#39;s main document and accompanying implementation <a href="https://www.cisa.gov/news-events/directives/binding-operational-directive-23-02-implementation-guidance">guide</a>, after two weeks of receiving notification from CISA or upon discovering a networked management interface falling under the purview of the directive, agencies must take at least one of the following actions and protections:</p><ol><li>Isolate the interface from the internet, restricting access solely to the internal enterprise network (CISA suggests implementing an isolated management network or a VLAN).</li><li>Deploy access control mechanisms aligned with a Zero Trust Architecture where technically feasible, thereby regulating interface access through a separate policy enforcement point (preferred course of action).</li></ol><p>In particular, <a href="https://go.recordedfuture.com/hubfs/solution-briefs/zero-trust.pdf">Zero Trust&#39;s role</a> &quot;in enforcing accurate, least privilege per-request access decisions in information systems and services&quot; cannot be overstated. 
CISA considers this model to be an absolute requirement for network management interfaces to remain accessible from the internet on networks where agencies employ capabilities to mediate all access to the interface in alignment with OMB M-22-09, NIST 800-207, the TIC 3.0 Capability Catalog, and CISA&#39;s Zero Trust Maturity Model.</p><h3 id="collaborative-efforts-and-industry-solutions">Collaborative Efforts and Industry Solutions</h3><p>Before establishing any controls or enforcement policies, CISA expects a thorough analysis and understanding of the attack surface - this involves correctly identifying all networked management interfaces (a foundational first step to risk mitigation). In other words, proactive monitoring of these assets is crucial for effectively detecting and responding to potential threats.</p><p>Recorded Future <strong><a href="https://www.recordedfuture.com/platform/attack-surface-intelligence">Attack Surface Intelligence</a></strong> helps organizations gain visibility into their networked management interfaces. For example, we recently examined the risks and potential consequences of having <a href="https://www.recordedfuture.com/dangers-of-exposed-login-panels">login panels exposed to the Internet</a> and how Attack Surface Intelligence addresses these challenges, specifically when it comes to finding remote management interfaces exposed over the public internet via popular protocols such as HTTP and HTTPS. This includes, but is not limited to, out-of-band server management interfaces (such as iLO and iDRAC), mobile security platforms, SSL VPN interfaces, or popular firewalls. 
</p><p><img src="https://cms.recordedfuture.com/uploads/security_implications_management_002_b6dbf8a578.png" alt="security-implications-management-002.png"><em>Exposed login panels detected by Recorded Future Attack Surface Intelligence</em></p><p>Similarly, the principles and best practices outlined in BOD 23-02 align with the importance of protecting publicly-exposed network management interfaces (which login panels can be part of) and utilizing Attack Surface Intelligence to identify and manage such risks.</p><h3 id="final-words">Final words</h3><p>In summary, safeguarding network management interfaces from exposure to the public internet is paramount in mitigating critical cybersecurity risks. Initiatives like CISA&#39;s BOD 23-02 underscore the need for comprehensive risk mitigation strategies, emphasizing these interfaces&#39; identification, protection, and monitoring.</p><p>By implementing the best practices detailed in the directive, assisted by Attack Surface Intelligence, organizations can fortify their security posture, swiftly detect and respond to potential threats, and safeguard critical assets from unauthorized access and exploitation. Maintaining a comprehensive understanding of the attack surface and leveraging appropriate security measures are crucial to building resilience in the face of evolving cyber threats. </p><p>Learn more about how Attack Surface Intelligence can keep your organization secure by <a href="https://go.recordedfuture.com/attack-surface-intelligence-demo-request">booking your demo</a> today.</p>]]></content:encoded>
            <category>Blog</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/security_implications_management_interfaces_remote_Main_2d8d240524.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Threat Intelligence to Elevate Your Security Defenses]]></title>
            <link>https://www.recordedfuture.com/blog/threat-intelligence-elevate-your-security-defenses</link>
            <guid>https://www.recordedfuture.com/blog/threat-intelligence-elevate-your-security-defenses</guid>
            <pubDate>Thu, 06 Jul 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Discover the importance of threat intelligence to elevate your security defenses ]]></description>
            <content:encoded><![CDATA[<h2 id="threat-intelligence-to-elevate-your-security-defenses">Threat Intelligence to Elevate Your Security Defenses</h2><p>The risk of cyber attacks is pervasive and no organization is immune. From data breaches to ransomware attacks, the cost of these security breaches can be devastating both financially and in terms of reputational damage. It&#39;s no longer a question of if your organization will be targeted but rather when (which is a sad state of affairs for an industry which has $160B of spend, but that is a topic for another blog). This concern is echoed by leaders across the globe. As per World Economic Forum, Global Cybersecurity Outlook 2023, &quot;The character of cyber threats has changed. Respondents now believe that cyber attackers are more likely to focus on business disruption and reputational damage. These are the top two concerns among respondents.&quot;</p><p>Therefore, having effective security defenses is essential for every business. One of the most effective ways to enhance your security defenses is by utilizing threat intelligence. In this blog post, we will explore what threat intelligence is, its benefits, and how it can be used to elevate your security defenses.</p><h3 id="lets-start-with-defining-threat-intelligence">Let&#39;s start with defining Threat Intelligence</h3><p>Threat intelligence is data collected and indexed from sources including dark web, open web, technical, customer telemetry etc., that has been organized, analyzed and delivered to understand the threat landscape including threat actors, the malicious infrastructure they are building, their tactics, behaviors and targets. Threat Intelligence gives the same external view of gaps and weaknesses that an attacker sees and may want to exploit. Threat intelligence enables organizations to make faster and effective data-driven security decisions and shift from being reactive to proactive in defending their critical assets from attackers. 
</p><h3 id="benefits-of-threat-intelligence">Benefits of Threat Intelligence</h3><p>Threat intelligence provides numerous benefits to organizations. One of the most significant benefits is that it helps you stay informed about evolving threats. By understanding the common attack patterns, you can proactively adapt your security posture to mitigate future attacks. It also provides situational awareness to security teams that can reduce response time and improve incident management. By leveraging threat intelligence, organizations can focus their resources on the most critical risks, thus enhancing the effectiveness of their security defenses.</p><p><img src="https://cms.recordedfuture.com/uploads/threat_intelligence_elevate_Main_db6f21ae25.jpg" alt="threat-intelligence-elevate-Main.jpg"><em>Threat Intelligence is the lighthouse in the sea of today&#39;s uncertain and evolving threat landscape.</em></p><h3 id="how-to-use-threat-intelligence-to-elevate-your-security-defenses">How to Use Threat Intelligence to Elevate Your Security Defenses</h3><p>Utilizing threat intelligence for your security defenses is a multi-phase process. It involves collecting relevant data, analyzing the information to detect patterns and trends, and then integrating the insights to create a proactive security framework. To begin with, an organization needs to first understand their attack surface, what they look like from the outside looking in, and what areas attackers might exploit. This is an important first step because according to <a href="https://www.csoonline.com/article/3648998/look-for-attack-surface-management-to-go-mainstream-in-2022.html">CSO Today</a>, only 9% of organizations believe they actively monitor 100% of their attack surface. 
The highest percentage (29%) say they actively monitor between 75% and 89% of the attack surface while many monitor even less.</p><p>Once the security team understands the attack surface, they also need to understand the external threat landscape, that is, the threats that can actually harm them. This is no easy feat as the global cyber threat landscape continues to expand; in 2022 there were 38% more cyberattacks compared to the prior year, according to <a href="https://www.securitymagazine.com/articles/98810-global-cyberattacks-increased-38-in-2022">Security Magazine</a>. However, threat intelligence can help shed light on the threat landscape by collecting signals, trends, and indicators on threat actors and attacks as they talk about and conduct them. To make the most out of the threat intelligence, the security team should identify the primary data sources that are most applicable to the organization and the threat landscape itself. Once the data is identified and collected, it can be shared across the security ecosystem including directly in SIEM and SOAR tools for analysis and faster response. This analysis allows security teams to identify trends and patterns and update existing security protocols and measures.</p><h3 id="threat-intelligence-and-continuous-improvement">Threat Intelligence and Continuous Improvement</h3><p>Ultimately, as cyber threats continue to evolve and become more sophisticated, threat intelligence is continually learning, adapting, and evolving to maintain its effectiveness. Staying ahead of the curve requires that organizations continuously refine and improve their threat intelligence and security defenses. Being able to detect threats earlier also saves significant resources and money: according to the <a href="https://www.ibm.com/downloads/cas/3R8N1DZJ">IBM Cost of a Data Breach 2022</a> report, organizations that detected and contained a breach in less than 100 days saved an average of $1.2 million compared to those taking longer. 
With continuous improvement, organizations can stay proactive in their threat mitigation approach and remain prepared to face the next attack. </p><h3 id="conclusion">Conclusion</h3><p>With threat intelligence, organizations can elevate their security defenses significantly. By leveraging a proactive plan that utilizes the insights and patterns revealed by the information gathered, businesses can make informed decisions about how to bolster their security posture, reduce risk, and respond quickly to incidents. The key is not to wait for an attack to happen but to stay ahead of potential threats by utilizing threat intelligence. After all, effective security is the responsibility of everyone in the organization, and we must all work together to ensure that our defenses are continuously improving to reduce the risk of cyber attacks.</p><h3 id="how-a-client-uses-threat-intelligence-to-elevate-their-defenses">How a Client Uses Threat Intelligence to Elevate Their Defenses</h3><p><img src="https://cms.recordedfuture.com/uploads/mercury_financial_recorded_future_5747e6cf1d.png" alt="mercury-financial-recorded-future.png"></p><p><em>We sat down with Recorded Future client Alex Arango, Head of Cyber Threat Management at Mercury Financial, to talk about how he&#39;s using Recorded Future to elevate his company&#39;s defenses with threat intelligence. With 4 years at Mercury Financial and 14 years&#39; experience in the industry, Arango is leading his team and his company in an intelligence-led approach to security. Arango&#39;s team helps the organization identify new methodologies, monitor threats, and secure themselves against threats. Arango&#39;s team is composed of security operations and security assurance functions.</em></p><p><strong>Q: When and why did you start using Recorded Future? 
What drove the need for Recorded Future at Mercury Financial?</strong></p><p><strong>A:</strong> It was really important for us to understand what was going on in the threat landscape, so we identified a need for a threat intelligence program. We wanted to know which threat actors we should care about, their techniques and procedures, and also what our third-party threat landscape looked like. </p><p>Recorded Future met all of those needs by giving us that tailored, full service package where we could get an understanding of all of our needs - understanding what our partners are doing and the threats to them, what the vulnerability landscape looks like, what events geopolitically may be impacting us, and more.</p><p>We started using Recorded Future in 2020, and ever since then, it&#39;s been very valuable.</p><p><strong>Q: How long did it take to start seeing results with Recorded Future&#39;s threat intelligence?</strong></p><p><strong>A:</strong> We saw results instantly. The first thing we were alerted to was brand impersonation. With the <a href="https://www.recordedfuture.com/platform/brand-intelligence">Brand Intelligence Module</a>, we are alerted when an actor is using our company&#39;s likeness, or even our executives&#39; likeness on social media, and prioritize response to that. We are also able to monitor for infrastructure impersonation, for example if a site or application was impersonating ours. It&#39;s very important to us to be able to understand the scope and driver for the threat actor, allowing us to provide attribution, and respond to these issues and take them down within a reasonable amount of time. </p><p>Recorded Future allowed us to understand trends in our industry and partners, and prioritize where we should spend our efforts. I&#39;ve seen teams get overwhelmed with intelligence and not have the analytical team to go through it all in a reasonable amount of time. 
Recorded Future helps us combat that issue, and gives us the ability to proactively move our security posture around and prioritize intelligence events or different intelligence collections.</p><p><strong>Q: What benefits have you seen using Recorded Future&#39;s threat intelligence?</strong></p><p><strong>A:</strong> We like that Recorded Future gives us a historical look at trends. This data helps us analyze or make recommendations, based on what Recorded Future has seen in the past. Recorded Future also gives us insight into what attackers are doing, what they are saying, and where they are targeting. This helps us build a picture of our risk levels and how we can better bolster our security posture in the future.</p><p>Recorded Future allows us to make informed decisions. For example, when we assess a vendor, we can go into Recorded Future&#39;s platform and quickly turn around an assessment of what that vendor&#39;s historical security posture has been and what it looks like now. In addition, we are able to have a real-time assessment of key third-parties and technologies we are using to assess if they could be susceptible to vulnerabilities. We are also able to collaborate with our partners to alert them of exposed vulnerabilities and understand their action plans to address it. We have built a robust process where we feel confident about the security posture of the critical third-parties our organization engages with.</p><p>Recorded Future provides holistic threat intelligence in a digestible way that meets the needs of our various stakeholders. I can easily take summaries from Recorded Future AI Insights and build well-written summaries for our executive stakeholders.</p><p><strong>Q: What impact has Recorded Future&#39;s threat intelligence had on your organization&#39;s security posture?</strong></p><p><strong>A:</strong> Recorded Future is the cornerstone of our threat intelligence program. 
It&#39;s allowed us to take a proactive approach to security and make informed decisions. If I had to get rid of Recorded Future and build out my own threat research capability myself, I&#39;d probably need 2-4x the personnel headcount on my team, and I don&#39;t even think I&#39;d get close to having a finished intelligence product that you provide. </p><p>With Recorded Future, we can paint an eloquent risk picture that gives leadership and organizational stakeholders a holistic view of our threat landscape and security posture and enables them to make confident decisions.</p><p>Because Recorded Future&#39;s data is finished, we can quickly use it. We work with many intelligence providers, but the biggest difference is that other data needs to be shaped or finished - it&#39;s not ready to be acted upon. But Recorded Future&#39;s data is finished and ready to be acted upon.</p><p><strong>Q: How does using threat intelligence from Recorded Future set you apart from other financial services companies in the industry?</strong></p><p><strong>A:</strong> With Recorded Future, we get a full picture of our threat landscape. We can track our industry-specific attacks like payment fraud, but we can also zoom out and look at geopolitical risks, state actors&#39; techniques, and ransomware trends. With Recorded Future, we can learn about new threat actors, their techniques, and targets.</p><p>Having a complete view of threats within our environment, across our industry, and externally across the globe is critical to being proactive. 
Recorded Future is your Minority Report, telling you when the next attack will happen and enabling you and your leadership to proactively mitigate it.</p><p><strong>Q: What would you say to others in the financial services industry who are considering threat intelligence from Recorded Future?</strong></p><p><strong>A:</strong> For other leaders in financial services who are looking at Recorded Future, I&#39;d say you&#39;re going to be partnering with an organization that has a large amount of intelligence experience. Intelligence impacts us all - it&#39;s not just useful for critical infrastructure industries. </p><p>We&#39;re going through a security professional shortage nowadays, and the question is, how do we become better? How do we become faster? Do you have the right partner in your corner? Recorded Future can help elevate your security defenses with an intelligence-led approach.</p><p>Ultimately as security leaders, we want to be able to sleep at night knowing our intelligence program is strong and ready to report up metrics, show us trends, and be ready for the worst, all the while maintaining customer trust. Recorded Future supports us in all of those efforts.</p>]]></content:encoded>
            <category>Blog</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/threat_intelligence_elevate_your_security_defenses_9226eda1b8.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[The Escalating Global Risk Environment for Submarine Cables]]></title>
            <link>https://www.recordedfuture.com/escalating-global-risk-environment-submarine-cables</link>
            <guid>https://www.recordedfuture.com/escalating-global-risk-environment-submarine-cables</guid>
            <pubDate>Tue, 27 Jun 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore the rising global risks to submarine cables from geopolitical tension, cyber threats, and expanding tech giant ownership.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Insikt Group research examines the complex and dynamic risk environment of submarine cables, the information superhighways that underpin the global economy and facilitate worldwide telecommunications. The rapid expansion of the submarine cable network in the 21st century, driven by data demands, cloud computing, and the needs of hyperscalers like Amazon, Google, Meta, and Microsoft, must contend with converging geopolitical, physical, and cyber threats. State actors pose the greatest threat in terms of sabotage and spying, followed by non-state actors like hacktivists and ransomware groups, who pose a less capable and lower likelihood threat to the networks and operating systems that submarine cables rely upon. Accidental damage from ships and fishing vessels is more frequent but less impactful.</p><p><img src="https://cms.recordedfuture.com/uploads/escalating_global_risk_001_e6df8bfbd7.png" alt="escalating-global-risk-001.png"><em>Map of submarine cables as of May 16, 2023 (Source: TeleGeography&#39;s <a href="https://www.submarinecablemap.com/">Submarine Cable Map</a>)</em></p><p>Major geopolitical developments, specifically Russia&#39;s conflict with Ukraine, China&#39;s preparations for potential forceful unification with Taiwan, and the deterioration of US-China relations, are likely to fuel physical attacks and intelligence collection efforts against submarine cables. Notably, Russia has shown intent to map the submarine cable system in the Atlantic Ocean and North Sea, very likely for potential sabotage. The impact of these attacks will vary widely, ranging from intermittent traffic disruptions to widespread outages that take days or weeks to resolve, depending on the redundancy and resiliency of the affected network. 
State actors seeking an espionage edge will almost certainly target the entire submarine cable ecosystem for intelligence collection: landing station infrastructure, the submarine cables themselves, third-party providers, and the hardware and software that knit it all together. </p><p>Other major developments in the production, ownership, and operation of submarine cables have introduced new geopolitical challenges and created potential vulnerabilities. The rise of Chinese state-owned enterprises as cable owners, operators, and producers has elevated concerns over digital surveillance, while the expanding ownership stakes of hyperscalers have brought forward questions about market monopolies and digital sovereignty. Finally, the pursuit of expanded bandwidth capacity within the submarine cable industry has led to the adoption of advanced network management systems, which could be exploited for cyberattacks.</p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/ta-2023-0627.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/escalating_global_risk_main_987e9e8dfe.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[North Korea’s Cyber Strategy]]></title>
            <link>https://www.recordedfuture.com/north-koreas-cyber-strategy</link>
            <guid>https://www.recordedfuture.com/north-koreas-cyber-strategy</guid>
            <pubDate>Fri, 23 Jun 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group analysis reveals that North Korea uses a cyber strategy centered around aggressive data collection and financial theft to primarily target Asia.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>New research by Recorded Future&#39;s Insikt Group examines North Korea&#39;s cyber strategy. Despite the ever-increasing number of cyberattacks publicly attributed to North Korea, the regime does not publish an official cyber-strategy doctrine. North Korea&#39;s cyber strategy is focused on aggressive information collection and financial theft operations to support its goals of maintaining the Kim family dynasty and unifying the Korean peninsula under its leadership. The regime conducts information collection to gain insights into the thinking of its adversaries and to access technology that can provide an advantage during times of conflict. Financial theft is used to fund the regime&#39;s activities, including its nuclear and missile programs. Despite its centralized leadership system, North Korea creatively targets a wide range of industries across different countries.</p><p>A quantitative analysis of 273 cyberattacks attributed to North Korean state-sponsored threat actors reveals that the regime primarily engages in cyber espionage and financial theft activities. While it has the capability to conduct disruptive or destructive cyberattacks, it rarely does so. South Korea and the United States are the most common targets, but North Korean threat actors have a global reach, targeting entities in at least 29 countries. 
Cryptocurrency heists are on the rise, but espionage remains the primary goal of North Korean cyberattacks.</p><p><img src="https://cms.recordedfuture.com/uploads/north_koreas_cyber_strategy_001_9afe035e8e.png" alt="north-koreas-cyber-strategy-001.png"><em>Breakdown of industry verticals of victims grouped by North Korean state-sponsored threat actors</em></p><p>North Korea&#39;s cyber strategy is part of its larger asymmetric strategy to achieve the perpetuation of the regime and the unification of the Korean peninsula. The regime has invested in STEM education and nurtures talented individuals in computer science. Students are sent to domestic and international institutions for further education and exposure to technology not easily accessible in North Korea due to sanctions. The regime also deploys IT workers for online services and freelance platforms, which may overlap with cyber operators.</p><p>The report presents a comprehensive analysis of cyberattacks attributed to North Korean state-sponsored threat actors. It examines the threat actor groups involved, their targets, purpose of the attacks, and geographical distribution. Kimsuky is the most common threat group, followed by Lazarus Group and APT37. The data set covers attacks from 2009 to 2023, with a significant increase in the number of reported cyberattacks from 2016 onwards. Kimsuky&#39;s activity has seen a dramatic increase in recent years.</p><p>Overall, North Korea&#39;s cyber strategy is focused on information collection, financial theft, and espionage. The regime has developed a considerable cyber capability and targets various industries globally. However, destructive cyberattacks are rare, and the regime continues to invest in training cyber operators to further its strategic goals.</p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-nk-2023-0622.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/2023_0620_North_Korea_s_Cyber_Strategy_Main_Feature_96145be877.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[BlueDelta Exploits Ukrainian Government Roundcube Mail Servers to Support Espionage Activities]]></title>
            <link>https://www.recordedfuture.com/bluedelta-exploits-ukrainian-government-roundcube-mail-servers</link>
            <guid>https://www.recordedfuture.com/bluedelta-exploits-ukrainian-government-roundcube-mail-servers</guid>
            <pubDate>Tue, 20 Jun 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[A new report details a campaign by the threat actor, BlueDelta, likely intended to enable intelligence-gathering to support Russia’s invasion of Ukraine.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Recorded Future&#39;s Insikt Group, in partnership with Ukraine&#39;s Computer Emergency Response Team (CERT-UA), has uncovered a campaign targeting high-profile entities in Ukraine that was cross-correlated with a spearphishing campaign uncovered by Recorded Future&#39;s Network Traffic Intelligence. The campaign leveraged news about Russia&#39;s war against Ukraine to encourage recipients to open emails, which immediately compromised vulnerable Roundcube servers (an open-source webmail software), using <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-35730">CVE-2020-35730</a>, without engaging with the attachment. We found that the campaign overlaps with historic BlueDelta activity exploiting the Microsoft Outlook zero-day vulnerability <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-23397">CVE-2023-23397</a> in 2022. </p><p>The BlueDelta activity, identified by Insikt Group, appears to have been operational since November 2021. The campaign overlaps with activity <a href="https://cert.gov.ua/article/4905829">attributed</a> by CERT-UA to APT28 (also known as Forest Blizzard and Fancy Bear), which multiple Western governments attribute to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). In this operation, BlueDelta primarily targeted Ukrainian organizations, including government institutions and military entities involved in aircraft infrastructure. </p><p>The BlueDelta campaign used spearphishing techniques, sending emails with attachments exploiting vulnerabilities (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) in Roundcube to run reconnaissance and exfiltration scripts, redirecting incoming emails and gathering session cookies, user information, and address books. 
The attachment contained JavaScript code that executed additional JavaScript payloads from BlueDelta-controlled infrastructure. The campaign displayed a high level of preparedness, quickly weaponizing news content into lures to exploit recipients. The spearphishing emails contained news themes related to Ukraine, with subject lines and content mirroring legitimate media sources. </p><p><img src="https://cms.recordedfuture.com/uploads/bluedelta_exploits_ukrainian_government_001_4551bbfd5e.png" alt="bluedelta-exploits-ukrainian-government-001.png"><em>BlueDelta Outlook and Roundcube spearphishing infection chain overlap</em></p><p>BlueDelta has demonstrated a long-standing interest in gathering intelligence on entities in Ukraine and across Europe, primarily among government and military/defense organizations. The most recent activity very likely represents a continued focus on these entities and specifically those within Ukraine. We assess that BlueDelta activity is likely intended to enable military intelligence-gathering to support Russia&#39;s invasion of Ukraine and believe that BlueDelta will almost certainly continue to prioritize targeting Ukrainian government and private sector organizations to support wider Russian military efforts.</p><p>Recorded Future&#39;s collaboration with CERT-UA further emphasizes the importance of partnerships between industry and governments to enable collective defense against strategic threats, in this case Russia&#39;s war against Ukraine.</p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0620.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/bluedelta_exploits_ukrainian_government_main_44a532e5b0.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Pride Month: ERG Employee Stories, Purpose, Action, and Community]]></title>
            <link>https://www.recordedfuture.com/blog/erg-stories-pride-month-2023</link>
            <guid>https://www.recordedfuture.com/blog/erg-stories-pride-month-2023</guid>
            <pubDate>Wed, 14 Jun 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Join us in celebrating Pride Month. Two of our ERG leaders will share about their experiences and the importance of creating an inclusive and supportive community for all.]]></description>
            <content:encoded><![CDATA[<p>Pride is celebrated in June to pay tribute to those who led the Stonewall Riots in June of 1969 in New York. The year after, the first pride parades were held across the US. Pride month is a way for the community and its allies to commemorate those who fought for equal human rights for the LGBTQ+ community and celebrate the various identities and experiences that exist within the community.</p><p>OUT@RF is Recorded Future&#39;s LGBTQ+ Employee Resource Group. OUT@RF strives to empower and promote visibility of LGBTQ+ employees at Recorded Future. The group cultivates networks and communities in the company and the technology and cyber industry. They connect members and build a foundation of LGBTQ+ members in the tech industry.</p><h2 id="covering-the-basics">Covering the Basics</h2><p>In honor of Pride Month, we interviewed two of OUT@RF&#39;s co-chairs: Ryan Boyero and Alexis Duffey.</p><p><img src="https://cms.recordedfuture.com/uploads/erg_stories_pride_month_ryan_61501932b3.jpg" alt="erg-stories-pride-month-ryan.jpg">Ryan (he/him)</p><p><img src="https://cms.recordedfuture.com/uploads/erg_stories_pride_month_alexis_f6c255a61f.png" alt="erg-stories-pride-month-alexis.png">Alexis (they/she)</p><p>Ryan has been an Intelligence Services Consultant at Recorded Future for almost a year. Born in Alexandria, VA and raised in Charleston, SC he is now based out of St Louis, MO where he moved five years ago for his military career. He describes his role as being the sound and reason and technical source of truth for our clients and partners. He works to ensure satisfaction, answers and solves technically-led questions, and develops and enriches relationships.</p><p>Through his military career, Ryan was first a Recorded Future user before he joined the company as an employee. As an Intelligence Specialist Active Duty Marine he was introduced to the art of Cybersecurity. 
</p><p>Ryan: During my tenure with the unit I was introduced to Recorded Future and was tasked with deriving our intelligence and obtaining information from the platform. It was then that I realized that there was a professional blend of intelligence and cybersecurity professionals that shared the same passion as my own.</p><p>Alexis is also an Intelligence Consultant within our Intelligence Services. They have been at Recorded Future for over a year and work from Michigan. Alexis identifies as <a href="https://www.merriam-webster.com/dictionary/genderqueer">genderqueer</a> and uses they/them and sometimes she/her pronouns. They started their cybersecurity career as an Intelligence Analyst at the Department of Defense before working as an Information Security Officer at a small tech company prior to joining Recorded Future. Most importantly, they are the proud parent to two adorable cats.</p><p>Alexis: My role is to ensure that clients have the knowledge, tools, and support they need to not only maximize the value they receive from our platform, but to mature their intelligence program in the process. Each client is different, which means every day usually brings something new.</p><h2 id="what-its-like-working-at-recorded-future-for-you">What It&#39;s Like Working at Recorded Future For You</h2><p><em>Talent is never undermined.</em></p><p>Ryan: Recorded Future is an incredible opportunity and team to join simply due to the wide-level of talent across the globe. The organization is growing and invests in personnel who seek to better themselves and grow within a thriving company. Whether the passion is speaking with partners and clients on a daily basis, working behind the scenes on our intelligence platform, developing the training criteria, or planning marketing and sales events, there is a special place here for everyone. 
</p><p><em>I chose cybersecurity because it made me feel like I was contributing to the greater good.</em></p><p>Alexis: Working at Recorded Future has taken that one step further: I still get to work directly with my clients to help support them in their immediate battles against cyber threats, while we as a company are supporting global causes like the War in Ukraine and highlighting malicious Nation-State campaigns. </p><p><em>The culture at Recorded Future is what drove me to apply for the organization in the first place.</em> </p><p>Ryan: As a proud out man it was important for me to secure a position with a company that not only respected professional boundaries for protection and acceptance of who I was and what I stood for, but also welcomed people like myself with open arms.</p><p><em>I have been blown away by how supportive my management has been around my work as an ERG co-chair</em></p><p>Alexis: It&#39;s not a case of simply being allowed to dedicate time for ERG responsibilities, they have fully encouraged it, ask about it during our 1:1s, and have even advocated to their management for additional resources where possible. It feels great to know that I&#39;ve got that upper-level support not just around my official Consultant role but extending into all aspects of my work at Recorded Future.</p><p><em>Recorded Future is much more than an accepting community, it&#39;s a home</em></p><p>Ryan: For the longest time I was afraid to be who I am because I was always taught by my leaders, peers, and loved ones that there was something wrong with me. But it&#39;s that defining experience that makes me and others shine so bright in our everyday lives and professional roles. 
Recorded Future understands that.</p><h2 id="celebrating-pride-month">Celebrating Pride Month</h2><p><em>Simply living proudly as an LGBTQIA+ person is a huge accomplishment.</em></p><p>Recorded Future&#39;s Out@RF leadership has organized a range of educational and celebratory activities for Pride Month. 
The month kicked off with a fireside chat and Q&amp;A session on the theme of equal dignity for all and the LGBTQIA+ journey towards recognition and respect. </p><p>Alexis: Whether it&#39;s bringing in speakers to educate our colleagues on LGBTQIA+ issues, bringing folks in our community together through buddy programs, or even just giving visibility, I want to continue to provide a safe space for our queer community members at the company. </p><p><em>We are pushing to spread the celebration of Pride globally</em></p><p>Various offices worldwide, including London, Gothenburg, Singapore, and DC, will host happy hours or celebrations. The largest celebration will take place in Boston, where OUT@RF Futurists, allies, and families will participate in the Boston Pride For The People parade on June 10th. Remote employees can engage in LGBTQ+ themed online games that provide meal donations for homeless youth. </p><p><em>Pride with Purpose</em></p><p>As a call to action, the ERG has also compiled a list of suggested activities to foster inclusivity and compassion, such as supporting queer owned businesses, adding pronouns to signatures, attending company events, volunteering for LGBTQIA+ focused non-profits, and more. </p><p>Ryan: We want to spread the importance of Pride with Purpose and ensure our message is received and understood. It&#39;s important to ensure diversity, inclusion, acceptance, love, and camaraderie are the main focal points of any company or organization. Representation matters and when we speak out against negativity and misalignment or discuss openly we pave the way for others to join the team and be themselves. 
</p><p><img src="https://cms.recordedfuture.com/uploads/erg_stories_pride_month_003_c8b08b7a41.jpg" alt="erg-stories-pride-month-003.jpg"></p><p><img src="https://cms.recordedfuture.com/uploads/erg_stories_pride_month_004_22f0d5a87a.png" alt="erg-stories-pride-month-004.png"></p><h2 id="why-get-involved-in-out--ergs">Why Get Involved in OUT / ERGs</h2><p><em>I&#39;m not just a me, I&#39;m part of a we</em></p><p>Ryan: I wanted to belong to something bigger and better than just myself. In the Marine Corps I led a team of roughly 30-40 people and there was no greater sense of accomplishment than striving to achieve excellence and acceptance together. That same mindset applies to Recorded Future and the ERG I so proudly represent.</p><p><em>I wanted to help our ERG grow to match our organization&#39;s growth.</em></p><p>Alexis: There&#39;s still a lot of confusion and stigma around non-binary gender identities in the world at large and it can get exhausting, so I was happy to find a safe space in the form of our Out@RF ERG when I first joined the company.</p><p><em>I also wanted to show folks that you can thrive and be different from societal normalcy.</em></p><p>Ryan: I&#39;m here to represent and speak for those who cannot. I want to remind each and every one of you that we&#39;re a community and family that relies and leans on one another to continue forward in this world. Our work matters and we will continue to pursue diversity in leadership within this industry as well as acceptance and belonging throughout our organization.</p><p>We&#39;re grateful to hear and witness the inspiring stories and insights of our OUT@RF ERG leads. By joining employee communities, individuals become part of a larger movement that promotes diversity, acceptance, and belonging and help pave the way for meaningful impact. If this resonates with you, we encourage you to explore the <a href="https://www.recordedfuture.com/careers">job opportunities</a> at Recorded Future. 
If you&#39;re curious to learn more about our ERGs you can read through our previous blog for <a href="https://www.recordedfuture.com/erg-stories-black-history-month-2023">Black History Month</a>, <a href="https://www.recordedfuture.com/erg-stories-women-history-month-2023">Women&#39;s History Month</a>, and <a href="https://www.recordedfuture.com/erg-stories-apida-heritage-month-2023">APIDA Heritage Month</a>. </p>]]></content:encoded>
            <category>Blog</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/format_webp/erg_stories_pride_month_Main_d68e15905b.jpg" length="0" type="image/jpg"/>
        </item>
    </channel>
</rss>