With the rise in cybercrime, it's more important than ever for businesses to take on a future-ready posture. Although the scope and nature of cyber-attacks vary, one constant remains: they never stop. With the increasing digitalization of data and businesses, cyber-attacks have increased and begun to target organizations of all sizes in an opportunistic manner.
In fact, it’s not just about the biggest but the most vulnerable. According to a recent study, cyber attackers prefer to target smaller organizations because they have fewer resources to strengthen their cyber security. Given this reality, it’s more important now than ever for organizations to have a clear view of the threat landscape – they need a real-time cyber threat map.
Developing the solutions of tomorrow, today
A threat map, also known as a cyber-attack map, is a real-time map of security attacks that are taking place globally. Cyber-attack maps are useful tools for determining how to stay ahead of attacks. A cyber-attack map visualizes threats across the globe and Industry segments to gain visibility of threats at a point in time.
HCLTech has partnered with Cybersixgill to develop such a real-time threat map, allowing organizations to stay one step ahead and have information on cybercrime globally at their fingertips. A real-time threat map brings increased agility to enterprise security teams by providing a fully autonomous threat intelligence solution to improve their ability to respond to threats and validate their cyber resilience. With a few clicks, security teams can view exploited vulnerabilities, ransomware, malware, data leaks, and other threats in a more proactive manner.
So how does such a map work?
Threat maps function as a mousetrap and a global threat intelligence network is kept up to date. These tools impersonate thousands of applications and devices that hackers frequently target. When a hacker attacks such a network, they are led to believe they have breached a system. Instead, the hacker’s data is recorded and displayed on the cyber-attack map as data. With such a map, organizations gain a clear view of the dangers lurking across all networks.
Shining a light on the deep and dark web
The dark web is a veiled and unregulated part of the internet notorious for providing cybercriminals with anonymity and privacy. As a result, it’s become a major hub of illegal activity where digital criminals exchange illicit information, dangerous tools, and exchange stolen data. Given its major threat potential, it has also become a rich source of threat intelligence that can be used to monitor, predict, identify, and defend against cyber threats.
Implementing a Dark Web Monitoring program allows businesses to incorporate dark web intelligence into their cyber risk management process, allowing them to improve their security posture by gaining access to relevant, timely, and actionable information. The main types of data and services offered on the dark web by digital criminals include:
Exposed credentials: On dark web marketplaces, proprietary credentials are exposed and offered for sale. These are sourced from various criminal activities such as data breaches and credential stuffing attacks. These exposed credentials are a major enterprise vulnerability as they can be used to bypass firewalls and IAM defences to gain access to authorized account. They can also be used as a part of a spear-phishing attack to trick users into thinking they’ve been exposed due to a hidden malware exploit on their device for blackmailing purposes.
Targeted attacks: Cybercriminals also sell services for targeted attacks, such as offering a distributed denial of service (DDoS) attack which makes it easier for a non-technical person to choose any target at will, as well as set up the timing, intensity, and duration of the attack. Similarly, buyers can also find services on the dark web market for a customized attack, such as hacking personal social media accounts of partners or colleagues.
Vulnerability information: Cybercriminals also leverage the dark web as a communications platform where they can securely exchange proprietary information. This includes sharing details on system vulnerabilities that haven’t been openly reported and security gaps in IT infrastructure that haven’t been patched. Other valuable information on the dark web also includes technical explanations of system vulnerabilities, methodologies for certain exploits, and how vulnerabilities can be leveraged across cyberattack campaigns.
Insider threats: The dark web also plays host to information regarding insider threats of various organizations. It is a marketplace where malicious insiders can sell proprietary information such as an organization’s intellectual property, security credentials, and other private data. From a security management perspective, all people – from current employees to third-party agents can be considered a potential insider threat.
Hacked accounts: Another key product that’s offered on the dark web is information on already hacked accounts. This information is available for sale, as it can provide access to valuable controls across financial accounts, personal emails, e-commerce platforms, social media, and anywhere else online where access control can be exploited for gain. High-value deals are mainly when cybercriminals sell hacked accounts from major corporations to allow other malicious agents to breach security and launch even greater attacks more easily.
Solving the challenges of dark web monitoring
The Cybersixgill-powered HCLTech threat map will help enterprises stay one step ahead by going beyond traditional threat intelligence and detecting malware as soon as it is offered for sale on the dark web. So, before any danger can arise, security teams can block the threat across their networks and trigger a response as per their SIEM, SOAR, EPP, or VM platforms.
Based on real-time alerts, the data is collected over the last 30 days. The number of organizations and countries being monitored is fixed at 90 in total, with 30 in each region. Each industry and country have a different number of organizations. With a far-reaching, automated, and real-time collection system, the map provides up-to-date information to mitigate underground threats with greater transparency and visibility
The threat map also displays key malicious “indicators of compromise” (IOCs) that act as forensic evidence to identify potential breaches. These include compromised domains, URLs, and IP addresses. With in-depth deep and dark web IOC coverage, the map can provide advanced warnings to help security teams intercept, mitigate, and prevent new cyberthreats.
Based on the actors' intent, the map is also able to add an important layer of context due to its comprehensive collection on dark web intelligence. This ensures real-time visibility and understanding of vulnerabilities that can help profile the interests and decision-making of cyber criminals and allow security teams to make more proactive decisions.
Conclusion
Phase 1 of our current real-time threat map can be accessed here: HCLTech Threat map | HCLTech, with HCLTech and Cybersixgill working together to launch the next phase in the coming couple of months. During this period, we will address minor improvements that were missed in the initial phase as we bring new improvements in Phase 2, such as country-specific data, industry-specific data in each country, and expanded coverage, among other things, will be introduced.
Leveraging this threat map will enable enterprise security teams of organizations benefit by helping them combat upcoming threats faster than ever before. The security posture can further be enhanced by refining their monitoring, automation and orchestration solutions such as SOAR/SIEM playbooks.
