Cyber Security Researchers get asked questions that result in some interesting conversations. Often, these discussions make note of relationships between digital activity and the physical world. Depending on the situation, the correlations between the two help our clients gain a better understanding of the kinds of external threats they face—as well as the actors behind them.
A couple of examples I use when helping folks tap into the psyche of threat actors are language settings and alignments with actors' schedules. These are old concepts in the cyber security community, but I felt compelled to take a fresh look at the latter. I took a moment to extrapolate what appears to be an illustration of actors' "holiday schedule"—so to speak—from our crawl data.
If you pay attention to this sort of thing in the news, on social media, etc., you'll invariably see spikes and dips in the frequency of coverage of Angler Exploit Kit activity—as well as changes in the style of the attacks. While going back through this quarter's data, I was reminded that we experienced a period where our crawlers encountered hardly any Angler Exploit Kit landing pages at all. The chart below illustrates the significant drop in unique hits around New Year's:
It seems overly simple, but I remind individuals all the time that cybercrime and exploitation are often not personal; they're just business. As such, it's possible that, just like those of us with more legitimate occupations, these actors take time off around the holidays and start January feeling fresh and with renewed resolve. The chart suggests that something like this was going on last January; note the sudden decline in detections around New Year's and the sudden spike on January 11.
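To show how a lull like the one in the chart can be pulled out of daily crawl counts, here is an added example (my own code, not RiskIQ's crawler or its data) that takes a constructed series of daily unique landing-page hits, uses the first week as the "normal" level, and reports where activity collapses and the first day it returns to baseline. The counts, dates and thresholds are hypothetical.

```python
from datetime import date, timedelta
from statistics import median

# Constructed daily counts of unique exploit-kit landing-page hits seen by a
# crawler (hypothetical numbers, not real crawl data). Index 0 is START.
START = date(2015, 12, 14)
DAILY_HITS = [
    118, 124, 131, 120, 127, 122, 119,   # 14-20 Dec: normal activity
    115, 109, 112, 98, 87, 70, 55,       # 21-27 Dec: tapering off
    21, 9, 6, 4, 5, 3, 4,                # 28 Dec - 3 Jan: near silence
    6, 5, 7, 8, 5, 9, 6,                 # 4-10 Jan: still quiet
    142, 151, 139, 147, 150, 144, 138,   # 11 Jan onward: back to work
]

def find_holiday_lull(counts, start, baseline_days=7, lull_ratio=0.25, recovery_ratio=1.0):
    """Locate a lull in a daily count series.

    The median of the first `baseline_days` is taken as the normal level.
    A lull begins on the first later day below lull_ratio * baseline and is
    considered over on the first day at or above recovery_ratio * baseline.
    Returns a dict; fields are None when no lull / recovery was found.
    """
    baseline = median(counts[:baseline_days])
    lull_start = lull_end = recovery = None
    for i in range(baseline_days, len(counts)):
        day = start + timedelta(days=i)
        c = counts[i]
        if lull_start is None:
            if c < lull_ratio * baseline:
                lull_start = lull_end = day          # lull begins
        elif c < lull_ratio * baseline:
            lull_end = day                           # lull continues
        elif c >= recovery_ratio * baseline:
            recovery = day                           # activity is back
            break
        # days between the two thresholds are neither: keep scanning
    lull_days = (lull_end - lull_start).days + 1 if lull_start else 0
    return {"baseline": baseline, "lull_start": lull_start,
            "lull_end": lull_end, "recovery": recovery, "lull_days": lull_days}

if __name__ == "__main__":
    r = find_holiday_lull(DAILY_HITS, START)
    print(f"baseline {r['baseline']} hits/day; lull {r['lull_start']} to "
          f"{r['lull_end']} ({r['lull_days']} days); recovery on {r['recovery']}")
```

On the constructed series this reports a lull from 28 December through 10 January with activity returning on 11 January; on real crawl data the ratios would need tuning to the feed's normal day-to-day variance.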
While this example does not give much insight into where these actors are, it does serve as a reminder that we have more in common with the people behind crimeware services than we like to think, and thus (with a little data), their activity becomes a bit more predictable.
After all, threat actors like to take time off and have a maintenance window in which to recover before the new year, just like the rest of us.