It’s often said that the best form of defence is attack, and one cybersecurity company prides itself on its ability to get under the skin of the hackers.
Rather than wait idly for ransomware crews to strike, Recorded Future recruited a former cybercriminal to its ranks – to get into the minds of threat actors on the dark web.
Going by the name of “Dmitry”, the rehabilitated hacker is just one of many assets available to the global threat intelligence platform, headquartered in the US.
Jason Steer, UK chief information security officer for the company, explains the approach. “It’s effectively poacher-turned-gamekeeper, and that enables us to leverage insights into the tactics and techniques deployed by hacking gangs, profiling and even engaging with them,” says Steer.
He adds: “To operate and interact in some of these closed forums, you really have to have the look and feel of an operative, to be observed as being cut from the same cloth, effectively.
“They are the perfect operative in that sense, because they know all the slang, and they have inside knowledge of how ransomware operations work.”
In Dmitry’s case, he was arrested and indicted by the United States Secret Service (USSS) for his role in serious and organised cyber criminality, and later spent several months in custody.
During his time inside, he worked with USSS agents to explain the tactics of threat actors. Upon release, he was able to secure employment with Massachusetts-headquartered Recorded Future and has played a vital role in tracking down the threat actors on illicit dark web forums.
Turning the tables on the hackers is proving increasingly effective. The FBI in the US has successfully managed to take down some of the most high-profile gangs, such as Hive, in a much-heralded international seizure last year.
More recently Britain’s own National Crime Agency (NCA), played the lead role in a similar multi-agency takedown of the Lockbit gang last month.
Recorded Future also works heavily on the prevention side. Matt Ford, engineering team lead, says effective online resilience depends on having the right data at your fingertips.
“In threat intelligence, the collection of data is imperative, whether it’s knowledge or foresight of certain vulnerabilities or exploits, to deep insights into ransomware gangs that are targeting certain sectors,” he says.
“All of that data allows you to really focus on where you and your teams really need to devote their time and efforts. It’s mostly a science, but it’s also the art of threat intelligence in bringing this picture together.”
In a practical sense, it’s that information that helps clients develop their endpoint detection and response (EDR) and security information and event management (SIEM) tools to be deployed on the cyber frontline, protecting their valuable data assets.
“Using these insights really helps us to enrich what our clients are doing, enabling their security teams to shorten the attack and threat lifecycle, and to make sure that they can be as proactive as they can, deploying software patches whenever known vulnerabilities become apparent,” adds Ford.
“But it also enables them to be reactive as well, making sure any critical decisions by the SOC (security operations centre) teams and incident response teams can be taken as quickly as possible.”
An example of that working in real-time is how the company’s intel can be quickly integrated into a client’s EDR or extended detection and response (XDR) tools; once any “indicators of compromise”, whether they be IP addresses, hashes or mitre attack techniques are ingested into the platform, it can stop the ransomware or malware almost immediately from hitting its target.
Ford says: “We’re never going to say we’re 100 per cent effective, but we always make sure we’ve got those up-to-date elements in place to allow clients to be proactive in their security posture.”
Recorded Future is also gearing up for increasingly AI-driven cyber world, for online harms and mitigations.
Ford says: “AI is going to be huge, particularly with generative AI capabilities. Obviously, there’s the threat, but the ability to run generative queries across threat intelligence platforms like ours is going to enable clients to learn in seconds everything that is out there about a threat actor.
“And that’s not just a bullet point list, but a written executive summary, which is going to be a really powerful intelligence capability.
“And then comes the ability to cross-reference risk scores and perform multiple analyses. These are the kind of abilities that are really exciting and potentially transformative in the cyber industry.”
Partner Content in association with Recorded Future