When it comes to making key decisions, an informed view of what may happen, what others are doing and how it may affect your organisation is incredibly useful. This is no different when deciding how to prioritise spend on cyber security, or how best to respond to a cyber security incident.
The goal of cyber threat intelligence (CTI) is to help organisations understand the specific threats they face, how those threats operate, and how best to defend against them. It answers the questions: who are the attackers, why would they target you and what can you do?
CTI is a fundamentally cross-disciplinary field, drawing on elements of conventional intelligence techniques, open-source investigations, technical specialisms such as forensic analysis, and international relations and geopolitical studies.
Just as it draws on many different disciplines, CTI can be applied to a wide range of situations. Good quality intelligence can be a substantial enabler for defenders, helping them to improve defences at a tactical level and mitigate the most immediate threats.
It is also vital for providing context to incident responders investigating security incidents, helping them both to better understand an attacker’s intentions and capabilities and to anticipate their next moves. At the operational and strategic levels, CTI can provide senior decision makers with the insight they need to allocate resources and determine organisational priorities.
Our threat intelligence services benefit from a multi-disciplinary team. We also use tools and techniques developed from cyber threat intelligence to aid our fraud investigations, our asset tracing and our other intelligence services.
Our team use these techniques to identify data sources and infrastructure to challenge our opposition in cases and to disrupt wrongdoers. These skills give our incident responders and our legal teams a decisive edge, which can be pivotal in making recoveries and minimising losses.
MDR Cyber’s CREST-accredited CTI services draw on the expertise of our diverse team of investigators, intelligence practitioners, incident responders, and security specialists to help businesses understand their threat landscape and how to defend against the most pressing threats. We provide detailed, well-sourced, and actionable intelligence to help our clients defend against attacks, respond to incidents, and take proactive measures to prevent incidents from happening at all.
The MDR Cyber team recently assisted a client with responding to an incident involving a router which had been unlawfully accessed. Malicious changes were made to the device config to allow for persistent covert access by unknown individuals, potentially representing a significant security issue.
The MDR Cyber response team engaged with the client’s IT team to validate the actions they had taken to contain the threat and to advise on how to proceed. We then reviewed the device configuration file and conducted an online investigation to determine whether the incident could be linked to a wider activity set.
We rapidly developed a high confidence attribution linking the device to an ongoing and very widespread activity set, concluding that the device had very likely been automatically compromised and conscripted into a botnet by a known malware variant. This provided the client with reassurance that they had not been specifically targeted as well as detailed insight as to how the compromise had likely occurred. This timely, detailed intelligence significantly facilitated the client’s resolution of this incident.
MDR Cyber was also able to provide the client with specific mitigation guidance on securing network devices, as well as broader advice on secure network device deployments. We also suggested some specific network architecture changes which could significantly reduce the risks around its network device deployments.
Thanks to our unique position within a law firm, we are also able to use CTI in close co-operation with our legal colleagues to assist our clients in identifying attacker infrastructure and identities and taking legal action against them. With the help of our lawyers and our global network of partner firms, and as part of our CREST-accredited enhanced incident response services, we can use legal tools to unlock information using disclosure orders against service providers, or take injunctive measures to freeze assets.
We collect, analyse and alert our customers to changing attacker methodologies, but critically, offer considered assessments of impact and practical mitigation advice, tailored to their needs and with an understanding that all businesses are different.