Why Biasing Advanced Persistent Threats over Cybercrime is a Security Risk


The cyber threat intelligence industry is strongly rooted in a military-government mindset in large part because so many people doing the work in private industry came from the national security space. These people bring with them the mission and objectives learned in the public sector. This can result in biasing espionage and spying over the many threats that have real-world impacts on a much greater number of people. 

State actors have more long-term, strategic objectives to support various goals, and often there is no visible or immediate harm to the target or organisation. Cybercriminals want to hurt people and businesses to make money. 

By focusing on disrupting cybercrime, there is the ability to have an immediate positive human impact and make threat actors’ lives much harder. Historically, in focusing mainly on APT, law enforcement, government and defenders have missed opportunities to disrupt cybercrime, contributing to the strength of the modern ecosystem. But that is changing.

In 2024, international public and private sector collaboration resulted in two monumental takedowns of cybercriminal threat activity that are still having considerable impacts on ecrime operations: Operation Endgame and the LockBit ransomware disruption. Operation Endgame in particular had far-reaching impacts. Europol called it the ‘largest ever operation against botnets, which play a major role in the deployment of ransomware’, and it disrupted the infrastructure of IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee and Trickbot. These malware families played a major role in the initial access broker ecosystem and were used by some of the most sophisticated cybercrime adversaries. 

Since the weeks following Operation Endgame, cybercriminal activities from some of the most prominent threat actors operating in email using the targeted loaders have decreased. And while some threat actors whose malware operations were disrupted are slowly returning, overall, the targeting of the loader ecosystem that enables ransomware activity appears to have been a success. It is likely we will see the emergence of new favoured payloads and updated attack chains from these impacted threat actors, because every disruption forces hackers to retool and reconsider their behaviours. But beyond tooling, the impacts across the ecosystem disrupt partnerships, trust and collaboration between groups, which is never good for business. 

Now is the time to focus on cybercrime. There is an inherent ‘cool factor’ in APT that influences decision-makers – and security practitioners – to care about them differently. How we communicate threats impacts how organisations, law enforcement, and defenders prioritise and deal with them. In reframing APT and the importance of cybercrime, we can change the mindset from ‘who did this?’ to ‘what is the risk and impact?’. In doing so, we can build defences against behaviours regardless of the perpetrators, and make our digital world much safer and more resilient. 

© Selena Larson, 2024, published by RUSI with permission of the author

The views expressed in this Commentary are the author’s, and do not represent those of RUSI or any other institution.
