An Inside Look at How Insikt Group Produces Leading Threat Research
December 18, 2018 • Maggie McDaniel
Insikt is Swedish for “insight.” At Recorded Future, Insikt Group is responsible for delivering analyst-generated assessments, insights, and recommended remediation actions to customers and the public to support informed decision making and risk reduction. Insikt Group is also responsible for identifying data gaps, discovering new sources of content, and driving Recorded Future product improvements.
Insikt Group includes analyst-on-demand services and the threat research team. The former team supports customers who have requests for specific threat information or regular “subscribed” threat landscapes, while the threat research team conducts proactive research focused on adversary tactics, techniques, and procedures in the context of geopolitical and cyber events, with a particular focus on China, North Korea, Russia, and Iran.
Let’s take a closer look inside Insikt Group’s threat research.
Mapping the Course
Topics that Insikt Group proactively pursues for threat research are informed by analysts’ expertise and experience, customer requirements, and knowledge gaps within the industry where we might serve as thought leaders.
Additionally, we typically have three pipelines for production:
- Strategic topics that we plan to explore based on our knowledge of, and changes to, the threat landscape
- Opportunistic issues, possibly previously unknown, that we have uncovered in the course of pursuing our strategic research
- Reactive analysis largely driven by current events where we want to lend our expertise
Insikt Group research is available to all Recorded Future customers within the product in the form of Insikt Notes (found on the homepage); the research is also linked to Intelligence Cards and offered as downloadable PDFs. When we publish our findings publicly on our blog, we often include details about how to replicate them.
Customers can expect Insikt Group to produce notes within the platform on a daily basis, as well as a weekly post on top threat leads. On average, we will post one to two profiles per week, and more in-depth research every six to eight weeks.
The Big Four
Insikt Group research is predominantly focused on China, North Korea, Russia, and Iran, which we view, strategically, as the top threats to cybersecurity in general.
Our research has focused mainly on attack campaigns sponsored by China and North Korea, as well as the Russian cybercriminal underground. This research has resulted in foundational, baseline analysis on North Korean elite internet usage, including evidence showing that North Korean actors exploit cryptocurrency to support the Kim regime. We also unveiled the extent of the Chinese Ministry of State Security’s influence not only within the state security apparatus, but also through advanced persistent threats like APT3.
Our criminal underground analysis has cast a wide net, dredging up larger trends in prominent cryptocurrency use, evidence of the actual costs of cybercriminal operations, and the discovery of sensitive and proprietary documents for sale.
As our resources have expanded, so has our threat coverage — we now look at the Chinese-, Farsi-, and Arabic-speaking underground communities alongside Russian and Iranian state-sponsored actors.
On the Horizon
As Insikt Group enters its third year, we are looking to expand our account coverage to include deeper analysis of Iran and Iran-sponsored campaigns, exploration of the Brazilian cybercriminal underground, and expansion of our technical analysis to include prescriptive workflows for enterprise defense. Customers can expect to see YARA rules and live feeds of IOCs available in Recorded Future on a weekly basis in 2019.