#NSBCS.011 - Strategic & Operational Intelligence - What's right for your business?

Source: NSB Cyber


Strategic & Operational Intelligence - What's right for your business?

Amongst the noise that surrounds the Cyber Threat Intelligence (CTI) space, Strategic and Operational Intelligence are two key considerations for businesses that are looking to navigate their Cyber threat landscape. Whilst both can play compatible, side-by-side roles within an approach, which one do you truly need to stay ahead of threats? The answer lies in understanding the differences between them, and the pros and cons of each:

Strategic Intelligence - Aimed at analysts, decision makers and executives, strategic intelligence provides a high-level view of the threat horizon. It's about understanding the 'why' and the 'who' – the Motivations, Capabilities, and Infrastructure of potential attackers, along with identifying the Industries and Targets most at risk. It is the context that enables anticipation of Cyber attacks and informed strategic planning.

Operational Intelligence - In contrast to the high-level focus of strategic intelligence, operational intelligence is more immediate and action-oriented. It is concerned with the 'how' of potential threats, focusing on relevant Indicators of Compromise (IOCs), Tactics, Techniques and Procedures (TTPs) and other indicators that directly help operational teams defend their organisation, such as the Indicators of Attack (IOAs) used by CrowdStrike (https://www.crowdstrike.com/cybersecurity-101/indicators-of-compromise/ioa-vs-ioc/).
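To make the "immediate and action-oriented" nature of operational intelligence concrete, here is an added example (not code from the NSB Cyber newsletter): a small matcher that takes an IOC feed, where each indicator carries the TTP it is associated with, and runs it over log lines. The feed values, TTP labels and log lines are all constructed for illustration (RFC 5737 documentation addresses, .example domains and a hash of a throwaway string), so nothing refers to real infrastructure. The roll-up by technique at the end shows how operational hits feed the higher-level picture that strategic intelligence works from.

```python
import hashlib
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str    # "ip", "domain" or "sha256"
    value: str
    ttp: str     # constructed technique label the feed attaches to the indicator


# Constructed sample hash: the hash of a throwaway string, not of any real file.
SAMPLE_HASH = hashlib.sha256(b"constructed sample file").hexdigest()

# Constructed operational feed (documentation IPs and .example domains only).
FEED = [
    Indicator("ip", "203.0.113.45", "C2 beaconing"),
    Indicator("domain", "update-mirror.example", "Hijacked software update"),
    Indicator("sha256", SAMPLE_HASH, "Malicious dropper execution"),
]

# Constructed log lines in a simple key=value style; the last one is benign.
LOGS = [
    "2024-01-29T10:01:02Z proxy src=10.0.0.8 dst=203.0.113.45 dport=443 action=allow",
    "2024-01-29T10:01:05Z dns query=update-mirror.example client=10.0.0.8",
    f"2024-01-29T10:02:10Z edr host=ws-12 file=setup.exe sha256={SAMPLE_HASH} event=exec",
    "2024-01-29T10:03:00Z proxy src=10.0.0.9 dst=198.51.100.7 dport=80 action=allow",
]

# One token extractor per indicator kind. Word boundaries stop a domain IOC from
# matching as a substring of an unrelated, longer hostname.
EXTRACTORS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
}


@dataclass(frozen=True)
class Match:
    line_no: int
    indicator: Indicator


def build_index(feed):
    """Map (kind, normalised value) -> Indicator so each lookup is a dict hit."""
    return {(ind.kind, ind.value.lower()): ind for ind in feed}


def match_logs(logs, feed):
    """Return one Match per (line, indicator) pair found in the logs."""
    index = build_index(feed)
    hits = []
    for line_no, line in enumerate(logs, start=1):
        seen = set()  # report an indicator once per line even if it repeats
        for kind, rx in EXTRACTORS.items():
            for token in rx.findall(line):
                ind = index.get((kind, token.lower()))
                if ind is not None and ind not in seen:
                    seen.add(ind)
                    hits.append(Match(line_no, ind))
    return hits


def summarise_by_ttp(hits):
    """Roll the operational hits up by technique: the view handed upward."""
    return dict(Counter(hit.indicator.ttp for hit in hits))


if __name__ == "__main__":
    found = match_logs(LOGS, FEED)
    for hit in found:
        ind = hit.indicator
        print(f"line {hit.line_no}: {ind.kind}={ind.value} -> {ind.ttp}")
    print(summarise_by_ttp(found))
```

Matching on extracted tokens rather than raw substring search is the design choice worth noting: it keeps a short domain or IP indicator from lighting up on every line that happens to contain it as part of something longer, which is the usual source of noisy IOC alerts.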

So what intelligence is right for your business? And why? Here are a few considerations:

1. Business Size and Complexity: The scale and complexity of your business greatly influences the type of intelligence that is most beneficial. Smaller businesses with limited resources might find operational intelligence more practical and immediately useful. In contrast, larger enterprises with more complex structures and a broader digital presence may require a blend of both strategic and operational intelligence to cover all bases.

2. Industry-Specific Risks: Different industries are susceptible to varying cyber threats of greater or lesser consequence. A business should tailor its intelligence approach based on the specific risks and common attack vectors for its industry.

3. Resource Availability: The decision between strategic and operational intelligence often depends on the resources available, including budget, personnel, and technology. Businesses need to assess their capacity to gather, process, and act on intelligence.

4. Dynamic Nature of Cyber Threats: Cyber threats are constantly evolving, and businesses need to adapt their intelligence strategy accordingly. It's important to understand that neither type of intelligence is static; they should evolve as new threats emerge.

5. Strategic Goals and Risk Management: Companies should align their intelligence strategy with their overall strategic goals and risk management plans. Strategic intelligence can inform higher-level policy and decision-making, while operational intelligence is key for managing and mitigating immediate risks.

Whatever the decision, including Cyber Threat Intelligence in your approach is better than leaving it out. Making a call on which one, or on the most suitable mix of both, is organisation specific and a worthwhile decision process to go through either way.

NSB Cyber is dedicated to helping organisations navigate the complexities of establishing and maintaining cyber threat intelligence programs. We can assist by guiding informed, risk-based decisions that align with specific cybersecurity goals of an organisation. For information on NSB Cyber’s Cyber Threat Intelligence capabilities or to book a meeting with our team, click here.


What we read this week

  • Blackwood hackers hijack WPS Office update to install malware - Hackers affiliated with the Chinese government, known as Blackwood, are hijacking update requests for popular software like WPS Office, Tencent QQ, and Sogou Pinyin to inject malware called NSPX30 onto victim systems. This sophisticated malware steals a wide range of data, including files, screenshots, keystrokes, hardware and network information, and credentials. NSPX30 employs a multistage approach with various components like a dropper, DLL installer, loader, orchestrator, and backdoor, each equipped with its own plugins, making it challenging to detect and eradicate.

  • PoC Exploits Heighten Risks Around Critical New Jenkins Vuln - CVE-2024-23897 affects the built-in Jenkins command line interface and can lead to remote code execution and system compromise. Proof-of-concept code to exploit this vulnerability is already publicly available, making it easier for attackers to carry out attacks. The vulnerability affects unpatched Jenkins systems running versions earlier than 2.442, putting a significant number of installations at risk. Updating to version 2.442 as soon as possible is crucial to mitigate the risk of attacks and protect your systems.

  • TeamViewer abused to breach networks in new ransomware attacks - Hackers are using TeamViewer to gain initial access to organisation endpoints and attempt to deploy encryptors. The cybercriminals are gaining unauthorised access to TeamViewer via credential stuffing rather than zero-day vulnerabilities. The deployed ransomware shares similarities with the infamous LockBit strain, raising concerns about copycat groups or even a new LockBit iteration. TeamViewer emphasises that most compromised systems were running outdated versions with potentially weak security settings. Updating to the latest version and implementing strong passwords is crucial to fortify your defences.

  • Apple Issues Patch for Critical Zero-Day in iPhones, Macs - Update Now - Apple fixed a critical vulnerability in the WebKit browser engine tracked as CVE-2024-23222. This bug could allow attackers to remotely execute malicious code on vulnerable devices, potentially enabling data theft, system compromise, or other harmful activities. Apple acknowledged limited reports that the vulnerability was being actively exploited, but no specifics on attacks or threat actors. Apple released security updates for iOS (16.3.1), iPadOS (16.3.1), macOS Ventura (13.2.1), tvOS (16.3.2), and Safari (16.3.1) to address the flaw.

  • US, UK, Australia sanction REvil hacker behind Medibank data breach - Governments from the US, UK, and Australia have imposed financial sanctions on Aleksandr Gennadievich Ermakov, a Russian national allegedly involved in the 2022 ransomware attack against Medibank. The attack compromised the data of approximately 9.7 million Medibank customers, including dates of birth, and Medicare numbers. Ermakov, known online as "blade_runner" and "GustaveDore," is believed to be a member of the now-defunct REvil ransomware group.

References
https://www.bleepingcomputer.com/news/security/blackwood-hackers-hijack-wps-office-update-to-install-malware/
https://www.darkreading.com/vulnerabilities-threats/poc-exploits-heighten-risks-around-critical-new-jenkins-vuln
https://www.bleepingcomputer.com/news/security/teamviewer-abused-to-breach-networks-in-new-ransomware-attacks/
https://thehackernews.com/2024/01/apple-issues-patch-for-critical-zero.html
https://www.bleepingcomputer.com/news/security/us-uk-australia-sanction-revil-hacker-behind-medibank-data-breach/