External Threats: It's Just Business

Labs

External Threats: It’s Just Business

April 05, 2016

By Mike Wyatt

Cyber Security Researchers get asked questions that result in some interesting conversations. Often, these discussions make note of relationships between digital activity and the physical world. Depending on the situation, the correlations between the two help our clients gain a better understanding of the kinds of external threats they face—as well as the actors behind them.

A couple of examples I use when helping folks tap into the psyche of threat actors are language settings and alignments with actors' schedules. These are old concepts in the cyber security community, but I felt compelled to take a fresh look at the latter. I took a moment to extrapolate what appears to be an illustration of actors' "holiday schedule"—so to speak—from our crawl data.

If you pay attention to this sort of thing in the news, on social media, etc., you'll invariably see spikes and dips in the frequency of coverage of Angler Exploit Kit activity—as well as changes in the style of the attacks. While going back through this quarter’s data, I was reminded that we experienced a period where our crawlers encountered hardly any Angler Exploit Kit landing pages at all. The chart below illustrates the significant drop in unique hits around New Years:

It seems overly simple, but I remind individuals all the time that cybercrime and exploitation are often not personal; they're just business. As such, it's possible that just like those of us with more legitimate occupations, these actors take time off around the holidays and start January feeling fresh and with renewed resolve. The chart suggests that something like this was going on last January; note the sudden decline in detections around New Years and the sudden spike on January 11.

While this example does not give much insight into where these actors are, it does serve as a reminder that we have more in common with the people behind crimeware services than we like to think, and thus (with a little data), their activity becomes a bit more predictable.

After all, threat actors like to take time off and have a maintenance window in which to recover before the new year, just like the rest of us.

Featured Posts

External Threat Management | Labs

Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers

RiskIQ's Team Atlas has uncovered still more infrastructure actively serving WellMess/WellMail. The timing here is notable. Only one month ago, the American and Russian he...

Joining Microsoft is the Next Stage of the RiskIQ Journey

Today Microsoft announced its intent to acquire RiskIQ, representing the next stage of our journey that's been more than a decade in the making. We couldn't be more ...

Media Land: Bulletproof Hosting Provider is a Playground for Threat Actors

Bulletproof hosting (BPH) is a collection of service offerings catering to internet-based criminal activity. These businesses often operate in a grey area, attempting to appea...

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor

Forrester Wave: External Threat Intelligence Services, Q1 2021

RiskIQ Illuminate® Internet Intelligence Platform Datasheet

Five Security Intelligence Must-Haves For Next-Gen Attack Surface Management

Threat Investigations and Response RiskIQ Solution Brief

Illuminate One-Hour On-Demand Event