External Threats: It's Just Business

Labs

External Threats: It’s Just Business

April 05, 2016

By Mike Wyatt

Cyber Security Researchers get asked questions that result in some interesting conversations. Often, these discussions make note of relationships between digital activity and the physical world. Depending on the situation, the correlations between the two help our clients gain a better understanding of the kinds of external threats they face—as well as the actors behind them.

A couple of examples I use when helping folks tap into the psyche of threat actors are language settings and alignments with actors' schedules. These are old concepts in the cyber security community, but I felt compelled to take a fresh look at the latter. I took a moment to extrapolate what appears to be an illustration of actors' "holiday schedule"—so to speak—from our crawl data.

If you pay attention to this sort of thing in the news, on social media, etc., you'll invariably see spikes and dips in the frequency of coverage of Angler Exploit Kit activity—as well as changes in the style of the attacks. While going back through this quarter’s data, I was reminded that we experienced a period where our crawlers encountered hardly any Angler Exploit Kit landing pages at all. The chart below illustrates the significant drop in unique hits around New Years:

It seems overly simple, but I remind individuals all the time that cybercrime and exploitation are often not personal; they're just business. As such, it's possible that just like those of us with more legitimate occupations, these actors take time off around the holidays and start January feeling fresh and with renewed resolve. The chart suggests that something like this was going on last January; note the sudden decline in detections around New Years and the sudden spike on January 11.

While this example does not give much insight into where these actors are, it does serve as a reminder that we have more in common with the people behind crimeware services than we like to think, and thus (with a little data), their activity becomes a bit more predictable.

After all, threat actors like to take time off and have a maintenance window in which to recover before the new year, just like the rest of us.

Featured Posts

External Threat Management

The RiskIQ Intelligence Connector for Microsoft Azure Sentinel Is the Context-Rich Force Multiplier Security Teams Need

Digital initiatives have changed the enterprise attack surface and how organizations appear online, both to users and malicious actors. Meanwhile, the threat landscape has evo...

#TwitterHack: How RiskIQ Data Exposed Hundreds of Domains Belonging to the Attackers

The discussions in the coming days and weeks surrounding yesterday's large-scale compromise of verified Twitter accounts, including those of Joe Biden, Barack Obama, and Bill G...

Partner Deep-Dive: RiskIQ Security Intelligence Services for Splunk

The average organization's digital presence has exploded in size. Even before COVID-19 spread their staff and operations outside the firewall, businesses were rapidly migrating...

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor

RiskIQ Illuminate® Internet Intelligence Platform Datasheet

RiskIQ Illuminate® Internet Intelligence Platform Datasheet

COVID-19 Solution Brief

Hacker Valley Podcast

Forrester Wave: External Threat Intelligence Services, Q1 2021