How Cybersecurity Threat Intelligence Teams Spot Attacks Before They Start
Last year, cybersecurity threat intelligence helped stop a MegaCortex ransomware attack before it was executed, saving the client organization from damages that could have reached $239 million or more. Several threat intelligence insights warned that the attackers were likely preparing for a ransomware attack. The threat intelligence team advised incident responders and the client to remain vigilant: the threat actors could turn destructive if they suspected they had been found, and might deploy ransomware within hours.
Preparing for the worst paid off. The attacker uploaded MegaCortex ransomware and related deployment tools to one of the compromised systems, and incident response quickly advised the client that the attack was in progress. IBM and the organization executed the planned containment and eradication items. Because IBM’s intelligence team had already mapped the attacker’s command and control infrastructure, it could give the client the IP addresses of that infrastructure (the attacker’s locations on the internet) to block, prioritized by the activity observed in the client’s environment.
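The mechanism described above, matching observed connections against the intelligence team’s list of command and control addresses, is worth seeing in code. The following is an added example, not IBM’s tooling or anything from the incident: the indicator list, the key=value firewall log format and the log lines are all constructed for this demonstration, and every external address is an RFC 5737 documentation address rather than real attacker infrastructure. It checks both outbound connections (a beacon from an internal host to C2) and inbound ones (C2 reaching back in), returns the internal hosts involved for containment, and produces the block list from the indicators actually seen.

```python
"""Match firewall logs against a C2 indicator list (added example, hypothetical data)."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed indicator list, as an intelligence team might hand it over:
# two single hosts plus a netblock attributed to the actor. RFC 5737 addresses only.
C2_INDICATORS = [
    "203.0.113.45",
    "203.0.113.46",
    "198.51.100.0/28",
]

# Constructed firewall log lines in a simplified key=value format (hypothetical).
# 10.0.0.0/8 is the internal network; 192.0.2.10 is a benign external destination.
SAMPLE_LOGS = """\
ts=2020-03-02T08:14:07Z src=10.20.30.40 dst=203.0.113.45 dport=443 action=allow
ts=2020-03-02T08:14:09Z src=10.20.30.40 dst=192.0.2.10 dport=443 action=allow
ts=2020-03-02T08:15:11Z src=10.20.30.51 dst=198.51.100.7 dport=8443 action=allow
ts=2020-03-02T08:15:30Z src=203.0.113.45 dst=10.20.30.40 dport=3389 action=deny
ts=2020-03-02T08:16:02Z src=10.20.30.77 dst=198.51.100.200 dport=443 action=allow
ts=2020-03-02T08:17:45Z src=10.20.30.40 dst=203.0.113.46 dport=80 action=allow
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one key=value log line; return None when src or dst is missing."""
    fields = dict(_KV.findall(line))
    if "src" not in fields or "dst" not in fields:
        return None
    return fields


def compile_indicators(indicators: List[str]) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Turn host and CIDR strings into (network, original string) pairs.

    A bare host becomes a /32, so single addresses and ranges are matched the same way.
    """
    return [(ipaddress.ip_network(i, strict=False), i) for i in indicators]


def matching_indicator(addr: ipaddress.IPv4Address, compiled) -> Optional[str]:
    """Return the indicator string covering addr, or None."""
    for net, original in compiled:
        if addr in net:
            return original
    return None


def find_c2_hits(log_text: str, indicators: List[str], internal_cidr: str = "10.0.0.0/8") -> List[Dict[str, str]]:
    """Return every log event whose remote side matches an indicator, tagged by direction."""
    compiled = compile_indicators(indicators)
    internal = ipaddress.ip_network(internal_cidr)
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        try:
            src = ipaddress.ip_address(ev["src"])
            dst = ipaddress.ip_address(ev["dst"])
        except ValueError:
            continue  # hostnames or malformed fields: skip rather than crash the sweep
        if src in internal:
            ind = matching_indicator(dst, compiled)
            if ind:
                hits.append({"ts": ev.get("ts", ""), "host": str(src), "remote": str(dst),
                             "indicator": ind, "direction": "outbound", "action": ev.get("action", "")})
        elif dst in internal:
            ind = matching_indicator(src, compiled)
            if ind:
                hits.append({"ts": ev.get("ts", ""), "host": str(dst), "remote": str(src),
                             "indicator": ind, "direction": "inbound", "action": ev.get("action", "")})
    return hits


def affected_hosts(hits: List[Dict[str, str]]) -> List[str]:
    """Internal hosts that talked to C2: the containment list."""
    return sorted({h["host"] for h in hits})


def block_list(hits: List[Dict[str, str]]) -> List[str]:
    """Indicators actually observed in this environment: the prioritized block list."""
    return sorted({h["indicator"] for h in hits})


if __name__ == "__main__":
    found = find_c2_hits(SAMPLE_LOGS, C2_INDICATORS)
    for h in found:
        print(f"{h['ts']} {h['direction']:8} host={h['host']} remote={h['remote']} "
              f"indicator={h['indicator']} action={h['action']}")
    print("contain:", affected_hosts(found))
    print("block:  ", block_list(found))
```

Two details matter in practice. Outbound hits marked action=allow are live beacons that the perimeter let through, so they rank above anything already denied. And 198.51.100.200 is not flagged even though it sits in the same /24 as an indicator, because the intelligence covered only the /28; widening a block to a whole provider range is a judgement call for the responders, not something the matcher should do silently.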
This attempted attack showed how important cybersecurity threat intelligence can be for incident response. Knowing the attacker’s intentions, capabilities, likely next moves, command and control infrastructure, malware capabilities and indicators of compromise (IOCs) played a pivotal role in keeping the incident response team and the client ahead of the attacker.
In addition, greater intelligence in an incident response practice allows for ongoing research and awareness. In this case, the cybersecurity threat intelligence team has been able to warn additional organizations about MegaCortex attack techniques, such as malicious outbound communications, Cobalt Strike and lateral movement.