Welcome to the session. Just one thing before we start, in the following, I'm expressing my own opinion and I'm not speaking on behalf of my company. And with that being said, let's dive into threat intelligence.
Yeah, just recently, the company of a close family member of mine fell victim to a business email compromise attack. And besides the financial damage, they suffered from clients' trust damage and churn. So the criminals remained in the shadows. And I think it's more important than ever to be aware of the latest threats, the attackers, their techniques, and to handle the threats effectively. And so we will have, in the next few minutes, a deep dive into three prime threats, which have been singled out by ENISA in their latest Threat Landscape Report.
And I will show some statistics and news on them. So you can use them for your TI approaches to further optimize them. They should re-trigger some actions.
First one, and the king in several ratings I checked this year: ransomware. You just heard from Christopher, but I'm going to provide you some more news and interesting facts. So one third of the ransomware attacks started with an unpatched vulnerability. And nearly all of the attackers targeted the backups. And regarding the costs, we have an initial ransom demand of $2 million. And by the way, the record this year was around $75 million, which was paid to the ransomware group Dark Angels. And on average, we see a recovery cost of $2.73 million, which is still, yeah, excluding the ransom.
And what is really annoying is that many companies still pay, despite the strong recommendation of authorities not to pay, to not further fuel this business. And number two, it's going to be social engineering, with most of the cake going to scams and phishing still in the game. Then we also have counterfeit and extortion as the most famous attacks in this area.
And back to business email compromise, as I already mentioned. Investigations have shown that more than 30% of phishing mails were imitating Microsoft. So you might know why. And there was a strong increase in cyber attacks that used stolen or compromised credentials. And we can say now that hackers rather log in with valid credentials instead of hacking into a corporate network.
And yeah, with the progress in the large language models, we will see more and more believable deepfakes, which now account for 40% of all biometric fraud. And yeah, that's going to be, yeah, an impressive development in the next years again. And then also interlinked with this is information manipulation as the next threat category. And this year, I was caught by an article with the headline "Distributed Denial of Truth: The Mechanics of Influence Operations and the Weaponization of Social Media". And actually, there were some interesting findings in this article.
One of them I extracted is that in July 2024, a joint task force discovered an AI-powered software developed by Russian state-sponsored actors to manage disinformation bot farms. So once deployed, thousands of fake accounts start posting on various topics. And ultimately, this leads to a snowball effect because this manipulated narrative gains traction and spreads widely. And then in this ongoing battle against coordinated inauthentic behavior, abbreviated CIB in the meantime, Google's Threat Analysis Group has taken down over 65,000 instances of Spamouflage.
That's a spammy influence network, which is linked to the Republic of China. And of course, there are currently other really terrifying threats, for example, supply chain attacks, which are also interlinked to those mentioned. When we go in the context of the shadows and the vehicle of masks, there's a really provocative quote I like.
It says, "hackers have organized, the good guys have not." And it aptly describes the development because the dark business is professionalizing. We see marketplaces which have quality ratings and feedback. So here, for an Android remote control software you can illegally buy, the buyers have the chance to really leave some feedback and to interact. Or even some dispute resolution support has been detected.
And yeah, as-a-service offerings remained popular in the underground, some of them with interesting updates. For example, phishing as a service now also offers MFA bypass techniques and brandings for password managers. Then we have seen the rise of drainer as a service. So with this, you could deploy crypto drainers, and with them, you can transfer money from the victim's wallet and put it over to the wallet of the attacker who controls this.
Here, I also brought a screenshot, which actually shows a setup guide for NFT dealers in Telegram. Yeah, then we have jailbreaking as a service on the rise. We have DarkGPT, EscapeGPT, FraudGPT. And to give you some impression, this is a screenshot where FraudGPT is described. And you can see some of the features like malicious code, create phishing pages, hacking tools, scam letters, find vulnerabilities. If you like, you can also buy it, with 3,000 confirmed sales or reviews. And just to give you an impression, I hope you don't use it, but the subscription fee starts at $200 per month.
So really not that expensive. And here an impression how it really works. Here the actor says, hey, write me a short but professional SMS text I can send to victims who bank with Bank of America, convincing them to click on my malicious short link. And here you can see how the bot actually reacts with some useful answers.
Moreover, we have here a code-based example. Write me a working code for Bank of America scam page. And the bot did so.
Yeah, who are the actors? So we all know the typical cliche of the dark room where the hacker sits alone. But of course, that's not the case anymore. So we can identify four distinct kinds of attack groups. And one is the state nexus actor. In general, they are well-funded and resourced, often directed by the military of their country. And these actors often spend a lot of time investigating their targets to find vulnerabilities, respectively entry points. And they currently use a lot of techniques, which means living off the land, to minimize their footprint.
And yeah, which really makes it hard to detect them in your security environment. Lazarus and Turla, for example, have been very active this year. And security researchers expect they will increase their activities next year, especially in targeting military and their supply chains for maximum impact. And next to this, we have the hacker for hire. These are cyber experts, a group with very high knowledge. They are also hired by other hackers who have less knowledge. And they provide access to corporate environments, with this trend called initial access brokering.
And of course, against payment. I put some examples here. The first one is Slavik. You might know him by the name Evgeniy Bogachev, who was on the FBI's most wanted list because he was responsible for the software, in fact the malware, that provided the access to banking accounts. Number three are the private sector offensive actors, commercial entities who develop cyber weapons and are active in the surveillance industry. And they often work for governments. And one trendy thing is the zero-day exploits they sell. Yeah.
And one example I want to point out, you might remember the scandal of the spyware Pegasus, which was sold by the Israeli NSO Group. It was affecting iOS as well as Android devices. Via SMS, unnoticed, all data has been accessed, and the victims had basically no chance because they were targeted by SMS and they could not deny it. And most of the victims were journalists and politicians, but as well as family members and close colleagues of them.
And the last one in this logic would be the hacktivists, not as well resourced as the other ones, but fueled by strong emotions, which pushes their aggressiveness. And they have become a serious issue with international reach: 3,700 hacktivist incidents have been observed in the last year because of this geopolitical issue between Ukraine and Russia. And we have examples like NoName057(16) or the Cyber Army of Russia. And most of us would think, hey, my company would not be affected by a hacktivist.
We are not interesting, but actually a close friend of mine who works in a TMT company, I'm sure everybody knows them. They have suffered a lot this year because of a hacktivist who published secret information of them.
Yeah, and with that being said, let's ask the question, what are the main motives behind? And that's, of course, financial gain, but also espionage, destruction and ideology. And also to be mentioned that for a considerable number of the security attacks, it still remains unclear.
Yeah, with the rapid developments and the complexity, it really helps to get structured with a fundamental model. And that's why I brought this TI lifecycle with the six phases, planning, collection, processing, analyzing, dissemination and feedback.
And yeah, with an ear on the TI community, but also from my clients, I put some challenges for you on the side, and I added some methods or solutions to overcome them. Just pointing out a few due to our time constraints: data quality, yeah, garbage in, garbage out. You really need to make sure that the data sources are reliable. And for this, it helps to define quality criteria, and one tool, the Admiralty scale, could be used. It's also known under the abbreviation NATO system. And with this, you can assess the credibility and reliability of your information sources.
And the second thing I want to point out is the intelligence sharing barrier. Most of the practitioners in TI say, hey, it's really hard in this dissemination phase to collaborate and to be aware of the legal constraints, of the inconsistencies in our languages, in our reports. So for this, it helps to use MITRE. For example, the Engenuity CTI Blueprints, which are a huge tool set with standardized reporting, and also MITRE ATT&CK, which is a great matrix for tools and templates which shows techniques, but also measures, which can be really helpful for your security team.
And regarding the platforms which can be used, for example, MISP, Yeti or OpenCTI, which are open source and really great developments in the meantime. You can have a look in my sources, but I want to point out some things you should consider if you don't have a TIP so far and want to choose one. So one would be the features. So really check what would be really important for your organization. For example, real-time monitoring. Is this something you would need, or the depth of information context? Then the quantity and quality of data sources.
Check which data sources are processed in this platform to make sure that you make the right decisions for your business. Integration capabilities. You should be able to integrate your platform smoothly into your security infrastructure, but also connect your existing systems like SIEM or SOAR, for example, for the maximum impact.
And yeah, let your team just test them before you buy and check the level of customization and usability in order to make sure that they could really handle the insights. So then let's get ready for the future of TI. Here I selected some trends which you could use for your TIP and to further optimize your efforts in this.
Of course, the adoption of AI will have further impact. We will see AI-powered analytics and reporting, as well as gen AI assisted search and investigation capabilities. Apart from that, security experts also say that we will have an increasing incorporation of user and entity behavior analytics. The third one would be the expanded coverage of cyber-physical systems. So going out of the traditional cyber arena and also tracking IoT devices. Then number four would be industry-specific CTI sharing groups, but also for smaller and medium businesses, which enhances the whole intel you can access.
And finally, also TI as a service, which means that you can leverage the skills and the infrastructure of third-party providers to make really sophisticated intelligence affordable. And some studies predict the growth of the market. So in the next 10 years, we will see the CTI market grow above 44 billion dollars. And this really underlines the high importance of this data-driven threat intelligence for our business strategies.
And yeah, with that being said, if you have any questions, feel free to contact me on LinkedIn and stay secure. Stay curious. Thank you for your attention.
Thank you, Andrea.