As cyber attacks become more frequent and more damaging, having the means to detect and analyse a network breach, and manage a response at an organisational level is critical. For many businesses, discrete cyber security tools, such as anti-virus software and firewalls, no longer do that job and, as an alternative, these organisations have implemented security operations centres (SOC) as a central part of their cyber security solutions.
What is a Security Operations Centre?
A security operations centre (SOC) is a dedicated security unit that combines the various aspects of a business’ threat management solution and serves as a centralised hub from which security incidents can be managed.
The scope of the SOC ranges from the identification of and response to threats, to the review of security incidents and their future prevention. The SOC may be an in-house team of experts or an outsourced service which monitors network security 24 hours a day. In a constantly changing threat environment, having a SOC is a way to ensure not just constant vigilance but a prompt and effective security response when an attack occurs.
What does a SOC do?
A SOC should centralise an organisation’s threat management process from end to end. The practical duties and responsibilities associated with the SOC include:
Maintaining an inventory of critical files and resources, and of the measures the organisation has put in place to protect them.
Developing a formal incident response plan for dealing with cyber attacks.
Testing security measures and incident response strategies regularly, and updating solutions where necessary.
Monitoring the business’ network continuously for threats or suspicious activity.
Threat hunting for possible or suspected network breaches.
Responding to security incidents by enacting the incident response plan.
Remediating security incidents, including reviewing damage, restoring network functionality, and recovering losses.
Pursuing an internal review process to prevent future attacks and, if necessary, engaging with authorities over regulatory issues.
Why is the SOC important?
The sheer scale of 21st century cyber threats makes the SOC an essential component in many businesses’ security solutions. The better the SOC functions as a centralised hub in a wider framework of systems, the better the business’ security outcomes.
For example, when a network intrusion is detected, an analyst within the SOC may be able to quickly identify the hacker perpetrating it by consulting relevant tactics, techniques, and procedures (TTP), while a fellow analyst works to identify a method of remediation based on data from previous attacks. In their oversight role, SOC analysts are best placed to take significant steps, such as restricting access to certain files or initiating a business recovery plan, as soon as they become necessary.
Given its importance, businesses should seek to optimise the capabilities of their SOC, equipping it with the right technology and software tools, the right operational strategies, and the right expertise.
SOC Best Practices
To optimise your business’ SOC, consider the following best practices:
Skills and training: The impact of the SOC, and its automated cyber security processes, will depend on your employees’ expertise and ability to perform under pressure. Ensure your security employees receive sufficient training and professional development, not only in the technical aspects of SOC tools but in a range of security competencies, including regulatory compliance.
Threat intelligence: Your SOC should run on high-quality threat intelligence. Implement tools and strategies to deliver threat intelligence quickly and efficiently, and integrate that insight into SOC workflows.
Testing: Your SOC will be critical to your planned response to security incidents. Test SOC systems and processes regularly to ensure ongoing effectiveness and to spot emerging blindspots or vulnerabilities.
Automation and integration: Work to automate as many of your SOC processes and workflows as possible to maximise the speed, accuracy, and efficiency benefits of the technology you have integrated. Automation is a foundation from which to integrate new innovations, including artificial intelligence (AI) tools.
Monitoring: The SOC should be focused on the prompt detection and mitigation of network threats. With that in mind, it’s essential that you implement effective screening and monitoring systems and strategies, and ensure that analysts understand how to remediate and escalate alerts.
SOC Tools
Your SOC should feature the following key tools and systems:
Security information and event management (SIEM): SIEM tools enable security teams to collect data from an array of sources and analyse it for threat detection and incident response purposes. SIEM tools help SOC analysts develop a holistic view of the threat environment.
Endpoint detection and response (EDR): EDR tools serve as a first line of defence against cyber attacks that target specific system endpoints, which may be devices such as phones or laptops, or secure points within networks such as servers. EDR tools run continuously and may perform automated processes to mitigate and respond to threats.
Threat intelligence: Threat intelligence tools help SOC analysts coordinate the collection of threat data, and develop insight which can be used to prevent and respond to cyber attacks. Threat intelligence tools may facilitate data collection and analysis, knowledge management, entity extraction and data visualisation, and should be integrated closely with all SOC workflows.
Data fusion: Data fusion tools facilitate the unification of multiple data sources as a way of generating greater insight. In cyber security, data fusion enables businesses to collate and correlate data feeds for the production of actionable threat intelligence.
Optimise with Artificial Intelligence
As the threat landscape grows crowded, SOCs must be capable of managing increasing volumes of data in order to stay ahead of potential attacks and keep their businesses safe. That increased burden makes it harder, and slower, for conventional collection and analysis tools to generate meaningful threat intelligence, and for security teams to act on that insight.
Artificial intelligence (AI) represents a critical advantage in the fight against cyber threats, providing advanced analytic capabilities that surpass human security teams, and transform the impact of the SOC within the security framework. With the benefit of generative AI (GenAI), for example, teams can analyse vast amounts of unstructured data in seconds, pulling the most relevant threat information and fusing that data with insight from an array of different feeds for meaningful, real-time insight. Meanwhile, machine learning algorithms help SOC analysts extract useful points from that data to predict security weaknesses through analysis of historic attack data.
Labyrinth for Threat Investigations
Ripjar’s Labyrinth for Threat Investigations (LTI) harnesses that analytic power with AI-enhanced threat intelligence and data fusion tools, including round-the-clock monitoring and advanced threat analysis capabilities.
LTI enables seamless integration of SIEM and EDR tools for immediate visualisation of incoming alerts, and applies detailed enrichments from threat intelligence feeds to facilitate deep-dive threat investigations. That insight provides meaningful cyber security advantages, enabling analysts to initiate immediate remediation activities – triggering updates of threat detection rules from within the LTI platform.
LTI’s in-built knowledge and reporting capabilities mean that SOCs can maintain a strong strategic perspective on their threat landscape, while ensuring that businesses always have the intelligence and tools they need to handle their next incident.
In the global fight against cyber crime, security teams that learn to use data effectively stand a greater chance of successfully addressing the threats that they face, and ultimately protecting their businesses from harm.
While information is power, not all forms of information are equally powerful and, to optimise the security value out of a particular type of data, it might be necessary to integrate it with another type, or multiple types of data – a technique known as data fusion.
What is Data Fusion?
Data fusion refers to the integration and unification of multiple data sources, via software automation, as a means of generating more useful collective data outputs. Those multiple sources might include data from databases, discrete files, APIs, websites, and watchlists, and involve information stored in both structured and unstructured formats.
In cyber security contexts, data fusion enables firms to capture threats in a way that reflects the shifting threat environment. Where traditional cyber security measures, such as firewalls and anti-virus software, operated independently of each other, in a data fusion environment, those systems form part of a larger entity which integrates sensitive monitoring and analysis tools, and which merges different security perspectives to derive greater meaning and value.
With that in mind, data fusion is not just about aggregating data sources and recording the information and insight that they produce. To get the most out of the process, security teams must be able to accurately assess and analyse data in conjunction with other data, and use that synthesis to generate actionable cyber security insight.
Data Fusion in Threat Investigations
Threat investigations present firms with a range of unique data challenges. In a suspected ransomware attack, for example, a network may generate an indicator of compromise (IoC) which, in isolation, would prompt a certain security response from the targeted firm. With the benefit of correlating data, however, perhaps concerning the type of ransomware or associated phishing strategy, a firm might be able to accurately identify the nature of the attack, and move quickly to address it by eliminating network vulnerabilities and securing targeted files.
While individual data points may offer limited security utility, as a fusion of complementary data points, they could help security teams progress their threat investigation with greater speed and accuracy and, ultimately, enhance its impact.
Key cyber security advantages of data fusion include:
Threat assessment: Data fusion enables firms to assess potential threats with greater accuracy, discounting costly false positive alerts and escalating legitimate threats for proper remediation. Data fusion also offers insight into the severity of threats, enabling firms to set priorities as part of their incident response plans.
Response efficiency: Following a security incident, time may be a critical factor in the successful mitigation of damage. By providing a holistic perspective, data fusion enables security teams to identify the causes of an attack, and deploy an effective response, faster.
Data correlation: Effective cyber security may require firms to manage vast amounts of data across multiple data streams. Within that environment, it may be difficult, if not impossible, for human analysts to perceive meaningful correlations. In a fused-data approach, however, software tools can identify connections and correlations automatically, in seconds, and highlight those data points for human analysts to escalate.
Security flexibility: Data fusion helps firms react to a rapidly changing global threat landscape. While the risk of a given threat type might diminish over time, another may become more prominent, or entirely new threats may emerge. By monitoring and fusing multiple data sources, firms can remain aware of, and sensitive to, those subtle changes, and quickly adjust their security posture to better deal with the environment.
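The ransomware scenario above (a lone network IoC that only becomes meaningful once it is correlated with endpoint behaviour, a phishing lure and threat intelligence on the malware family) can be shown as a small fusion engine. This is an added example, not code from the original article or from Ripjar's LTI platform; every feed, host name, IP address, the "ExampleLocker" family and the campaign identifier are constructed, and the scoring weights and severity thresholds are illustrative assumptions.

```python
"""Toy data-fusion engine: correlates constructed alerts from several feeds
into prioritised incidents. Added example; not Ripjar's or LTI's code."""
from dataclasses import dataclass, field

# --- Constructed sample feeds (not real indicators) ---------------------------
# Network/SIEM alerts: outbound connections that tripped a rule.
NETWORK_ALERTS = [
    {"host": "ws-017", "indicator": "203.0.113.45", "kind": "c2_beacon", "confidence": 0.6},
    {"host": "ws-042", "indicator": "198.51.100.9", "kind": "dns_anomaly", "confidence": 0.3},
]
# EDR alerts: process behaviour observed on the endpoint itself.
EDR_ALERTS = [
    {"host": "ws-017", "kind": "mass_file_rename", "confidence": 0.7},
    {"host": "ws-017", "kind": "shadow_copy_deletion", "confidence": 0.9},
]
# Mail gateway log: which user/host received a flagged phishing lure.
PHISHING_LOG = [
    {"user": "alice", "host": "ws-017", "campaign": "invoice-lure-2024-q1"},
]
# Threat intelligence: context attached to indicators and campaigns (assumed shape).
THREAT_INTEL = {
    "indicators": {"203.0.113.45": {"family": "ExampleLocker", "type": "ransomware_c2"}},
    "campaigns": {"invoice-lure-2024-q1": {"delivers": "ExampleLocker"}},
}


@dataclass
class Incident:
    host: str
    score: float = 0.0
    sources: set = field(default_factory=set)
    families: set = field(default_factory=set)
    evidence: list = field(default_factory=list)
    severity: str = "unknown"


def classify(inc: Incident) -> str:
    """Illustrative thresholds: a single weak source is treated as a probable
    false positive; corroboration across feeds drives the severity up."""
    if len(inc.sources) == 1 and inc.score < 0.5:
        return "likely_false_positive"
    if len(inc.sources) >= 2 and inc.score >= 2.0:
        return "critical"
    if inc.score >= 1.0:
        return "high"
    return "medium"


def fuse(network_alerts, edr_alerts, phishing_log, intel):
    """Merge per-host evidence from every feed, enrich it with intel, and
    return incidents ordered by fused score (highest first)."""
    incidents: dict[str, Incident] = {}

    def inc(host):
        return incidents.setdefault(host, Incident(host=host))

    # Network feed first, because intel enrichment here attributes a malware
    # family that the mail feed is later corroborated against.
    for a in network_alerts:
        i = inc(a["host"])
        i.sources.add("network")
        i.score += a["confidence"]
        i.evidence.append(f"network:{a['kind']}:{a['indicator']}")
        ctx = intel["indicators"].get(a["indicator"])
        if ctx:  # known-bad indicator with an attributed family
            i.families.add(ctx["family"])
            i.score += 0.5
            i.evidence.append(f"intel:{ctx['type']}:{ctx['family']}")
    for a in edr_alerts:
        i = inc(a["host"])
        i.sources.add("edr")
        i.score += a["confidence"]
        i.evidence.append(f"edr:{a['kind']}")
    for m in phishing_log:
        i = inc(m["host"])
        i.sources.add("mail")
        i.score += 0.3
        i.evidence.append(f"mail:{m['campaign']}:{m['user']}")
        camp = intel["campaigns"].get(m["campaign"])
        if camp and camp["delivers"] in i.families:  # lure matches the C2 family
            i.score += 0.5
            i.evidence.append(f"intel:campaign_delivers:{camp['delivers']}")
    for i in incidents.values():
        i.score = round(i.score, 2)
        i.severity = classify(i)
    return sorted(incidents.values(), key=lambda x: x.score, reverse=True)


if __name__ == "__main__":
    for i in fuse(NETWORK_ALERTS, EDR_ALERTS, PHISHING_LOG, THREAT_INTEL):
        print(i.host, i.severity, i.score, sorted(i.families), i.evidence)
```

Run stand-alone, the script prints ws-017 as a critical, multi-source ExampleLocker incident and ws-042 as a single, low-confidence DNS alert that would be held back rather than escalated.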
AI-Powered Data Fusion
While software automation gives firms the power to collect and analyse data with unprecedented speed and accuracy, artificial intelligence (AI) unlocks the power of data fusion by elevating its connective and correlative possibilities. AI tools offer deeper and more advanced analysis of structured and unstructured data sources, supporting firms’ threat investigations with more detailed live monitoring of data feeds, higher quality threat intelligence, and more targeted threat investigations.
Ripjar’s Labyrinth for Threat Investigations (LTI) is designed to tackle the efficiency challenges of swivel-chair analysis, harnessing the full potential of AI for powerful data fusion advantages. Supported by LTI, security teams can rapidly onboard new data sources, normalise disparate data feeds, and display data as vetted graphs. LTI’s graph features include capabilities to comprehensively map an organisation’s threat knowledge, add flexible data enrichment options, and customise data feeds to expand investigative possibilities.
LTI also enables you to prioritise data security: lock down data and add strong authentication with role and attribute-based access, integrate with existing security models, and comply with an array of privacy, security, and data protection policies. Backed by end-to-end platform security, LTI delivers peace of mind for your threat solution without compromising its analytic effectiveness.
In a treacherous global threat landscape, avoiding danger completely is at best unrealistic – sooner or later, your organisation is going to have to deal with some form of cyber attack, and implement an appropriate response. The more effective your response to a cyber attack, the more likely it is that you’ll be able to mitigate or minimise negative consequences, and ensure your business and employees are protected.
What is incident response?
Incident response refers to the policies and procedures that a business implements to help it minimise and manage the consequences of a security incident, such as a cyber attack, or even prevent the attack in the first place. In practice, that means not only reducing damage but addressing other critical factors, such as business recovery time, and the overall cost of the attack.
The incident response process goes beyond the investigation and containment of threats, and extends to analysing those threats, learning from them, educating employees, and developing new policies to enhance security outcomes in the future.
What are security incidents?
To understand incident response, it’s important to know what ‘security incident’ means in the context of cyber threats. A threat may manifest physically via employee conduct or behaviour, or digitally as a virus, malware or hack that penetrates a network. With those factors in mind, some of the most common types of security incident include:
Phishing
Phishing is a speculative strategy designed to convince an individual to reveal sensitive information to hackers. In perpetrating a phishing attack, hackers will usually craft an email or voice message that appears to be from a source trusted by the target, with the goal of having the target reveal sensitive information in their response.
Phishing attacks may be incredibly sophisticated in their execution, often employing creative means to convince the target of their authenticity. Since they rely on the manipulation of human nature, phishing attacks may be classified as a type of social engineering.
Ransomware
A form of malware, ransomware is a type of cyber attack that encrypts and then holds a user’s or an organisation’s files to ransom after it has penetrated a network. Since those files are often valuable or critical to operations, victims of ransomware are often highly motivated to pay the hacker, even if doing so would be a contravention of the law. Given its effectiveness, ransomware has become the most popular global cyber crime, with around 493.3 million attacks in 2022.
DDoS attacks
A distributed denial of service (DDoS) attack refers to large numbers of hacker-controlled computers or bots attacking a target network simultaneously in an effort to overwhelm security measures. DDoS attacks clog up networks with bogus traffic, preventing them from functioning normally and making them inaccessible to users.
Insider threats
An insider threat refers to either a user inside an organisation who attempts to compromise its network security maliciously, or a user who does so unintentionally as a result of negligence. Malicious insider threats may exploit network weak points and vulnerabilities, while negligent insider threats compromise security by not following protocol, for example, failing to protect log-in information, or using weak passwords. Insider threats do not necessarily need to compromise network security and may be as simple as the knowing or unknowing exfiltration of data – even copying to a USB drive which is subsequently taken off-site.
Privilege escalation
In privilege escalation attacks, hackers attempt to gain low-level or limited system access capabilities and then use that status as a foundation to escalate their access. Hackers typically gain higher-level access by moving laterally around a network until an opportunity presents itself, and often attempt to acquire or steal security credentials to facilitate their efforts.
Man-in-the-middle
If a hacker is able to intercept legitimate communication between two network users, they may be able to manipulate it to execute a man-in-the-middle attack. In this type of attack, legitimate users may be more willing to reveal sensitive information, or download malicious software, because they believe they are communicating with a fellow legitimate network user. Man-in-the-middle attacks do not necessarily need to be user-to-user: hackers may trick users by mimicking trusted wireless networks, such as those of coffee shops, penetrating secure networks when users log in with work devices.
Planning Incident Response
One of the foundations of incident response is the development of an incident response plan.
The plan should be organisation-specific and should be accessible and actionable for employees at every level of seniority. Accordingly, the plan should be developed by a team representative of the entire company, including not only security and IT experts but stakeholders from senior management, HR, compliance and risk management, or any department that may be affected by a security breach. It may also be helpful to engage third-party experts to shape the plan as it is being developed.
The incident response plan should be a living document, and be reviewed, tested, and updated regularly to ensure ongoing effectiveness. Key components of an incident response plan include:
A definition of “security incident” as it pertains to the organisation.
Step-by-step detail on how the organisation and its employees should execute their response to a security incident.
A list of employee roles and responsibilities during an incident response period.
The security software and hardware tools that the organisation has implemented to manage a network breach.
A business continuity plan to restore critical operations and systems.
A plan for communicating information about the security incident to internal stakeholders, employees and customers.
Guidelines for documenting the incident and collecting and preserving evidence for subsequent internal and legal investigations. It may also be useful to know which regulatory or law enforcement authorities should be notified.
Given the broad spectrum of threats that an organisation may face, it may be necessary to develop multiple incident response plans, adjusting the content of each to fit the unique challenges of the situation.
Executing an Incident Response Plan
The practical actions that a company should take before, during, and following a security incident typically align with the following sequence of steps:
Research and preparation: Pre-incident, firms should conduct research into their threat environment in order to understand what kinds of attacks they may have to deal with, and how their networks may be vulnerable. Firms should use this insight and other forms of threat intelligence to develop their incident response plan.
Monitoring: Firms should begin monitoring their network for suspicious activity, including indicators of compromise (IoC). It may be useful to conduct threat hunting activities to identify potential breaches and shape any necessary response.
Mitigation: If a network breach is detected, firms should be prepared to implement measures to contain and mitigate negative effects. In this situation, the response plan should guide security activities.
Remediation: Once a threat is contained, and further damage prevented, firms should work to secure their network and ensure that all traces of the threat are removed.
System recovery: Following successful removal of a threat, firms should seek to restore normal operational activity as soon as possible. Recovery activities may involve patching compromised security measures, reinstalling or resetting software, and bringing critical systems back online.
Review: It’s critical that firms understand and learn from the threats they face. To that end, security teams should seek to preserve, collect, and analyse data from an attack in order to determine its cause and address vulnerabilities. It may also be necessary to pass data to law enforcement authorities for forensic analysis.
Automating Incident Response
Effective incident response involves the coordination of multiple workflows and a depth of technical expertise. To reduce friction and pressure on employees, and to improve the chance of positive outcomes, firms should seek to automate as much of the process as possible through the integration of technology solutions.
Data management tools are particularly useful in cyber security contexts: the more security teams learn about the threats they face, the more efficient and impactful they can make their response when an attack occurs. Network traffic analysis (NTA), endpoint detection and response (EDR), and security information and event management (SIEM) tools all offer a level of automated vigilance that can be critical to incident response outcomes.
Integrating AI Advantages
Artificial intelligence (AI) has the power to transform incident response by providing security teams with unprecedented analytic power and versatility. In addition to automated speed and accuracy, AI innovations can automatically identify anomalies within vast data sets, infer connections between seemingly discrete data points, and even predict attack vectors based on historical information.
Ripjar’s Labyrinth for Threat Investigations (LTI) is used by some of the world’s largest MSSPs to maintain a sophisticated knowledge store of threats and historic incidents that can be applied to protect customers from incidents as they occur. Harnessing the latest AI innovation, Ripjar’s LTI solution delivers powerful new incident response possibilities, including cutting-edge threat intelligence, threat hunting, and data management features. Combining those industry-leading AI tools with machine learning and data fusion capabilities, LTI enables firms to visualise the threats they face quickly and effectively, and provides analysts with the flexibility and depth they need to deliver positive investigatory outcomes.
The effectiveness of a cyber security solution depends on a business’ ability to defend against both known and unknown threats. In practice, this means not only implementing defences against existing cyber threats but searching for emerging threats, and testing the network for vulnerabilities.
What is threat hunting?
Threat hunting refers to the process of proactively searching for threats to a network that may have gone undetected by existing security measures or are as-yet unknown. As a discipline, threat hunting emphasises the need for vigilance and evolution: the cyber threat landscape can change dramatically in a relatively short space of time, and so organisations need to build agility into their security solutions in order to grow and adapt to new challenges, such as new types of virus and malware, or new hacking techniques.
Why is threat hunting important?
Static, inflexible security solutions develop vulnerabilities surprisingly quickly, either as a result of hackers and criminals learning to better exploit or circumvent defensive measures, or the increasing sophistication of active threats such as malware, viruses and phishing strategies.
Having penetrated a network, intruding malware can wreak havoc, with hackers stealing and selling customer data, imposing ransoms for encrypted files, or even lurking undetected for weeks in order to maximise damage at an opportune time. The cyber security stakes are high: beyond reputational damage, a security failure may impose significant financial costs. In 2023, for example, the global average cost of a data breach was $4.88 million. Depending on the nature of the breach, firms may also contend with potential regulatory penalties.
Threat hunting aims to help avoid that kind of outcome, providing firms with the means to stand up to threats in their immediate environment and shape their security solution to unique challenges. Threat hunting practices also help businesses create and reinforce a positive security culture, in which employees at all levels of seniority are aware of the potential dangers, and of their own responsibilities.
How does threat hunting work?
Threat hunting programmes vary depending on a business’ needs, industry, and regulatory environment. However, certain core steps are common:
Threat supposition
The threat hunting process begins with the supposition that a business’ network has been compromised by a cyber attack. A previously unknown vulnerability may have come to light, or the network itself may have generated an indicator of compromise (IoC). Security employees may need to develop a hypothesis about the nature of the unknown attack in order to steer subsequent hunting activities.
Research and investigation
Following the hypothesis, security teams must work to establish the nature of the threat and its potential effects. The process should involve research into attack methodologies informed by threat intelligence, including tactics, techniques, and procedures (TTP) which may identify specific hackers or criminals. Security teams will also investigate the impact of the malicious activity to establish the scale of any damage to the company.
Incident response
The security team must work to resolve the threat against the network by mitigating its impact and eliminating the possibility of further damage. While time is usually a factor, the resolution phase should draw on the data and insight gained in previous steps, and will likely provide new threat intelligence that can strengthen existing defensive measures.
Types of Hunting Activity
While specifics vary by organisation, key types of threat hunting include:
Structured hunts
A company may base its hunt for threats on established TTPs associated with a specific attacker. In structured hunts, where those TTPs are detected, security teams usually strongly suspect or know who is behind the attack, and can draw on the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework in response to it.
Unstructured hunts
In an unstructured hunt, security teams initiate their hunting activities after finding indicators of compromise (IoC) on their network. While these are not necessarily as specific as TTPs, they may include unusual log-in activities, network traffic anomalies, or changes to system configurations. As part of the process, hunters may need to trace indicators back to a source in order to gather actionable intelligence about a threat.
Situational hunts
In a situational hunt, a company assesses its vulnerabilities, including high risk systems or even employees, and then conducts its subsequent hunting activities from those starting points. By identifying and prioritising those areas of concern in its IT ecosystem, a company can allocate security resources more efficiently and more effectively during the hunt.
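The unstructured hunt described above, starting from an IoC such as unusual log-in activity and tracing it back to a source, can be worked through over a small authentication log. This is an added example, not code from the original article or from Ripjar's LTI platform; the accounts, hosts, IP addresses and both log windows are constructed, and the baseline rule (an account's known source IPs, hosts and an hour-of-day span learned from a prior window) is an illustrative assumption.

```python
"""Toy unstructured hunt: learn a per-account baseline from a known-good window,
flag log-ins in the hunt window that deviate from it, then pivot on each new
source address to scope everything it touched. Added example; not LTI code."""
from collections import defaultdict

# Constructed authentication events: (day, hour, user, src_ip, host, outcome)
BASELINE = [  # prior window believed clean; used only to learn "normal"
    (1, 9, "alice", "10.0.5.21", "ws-017", "ok"),
    (1, 10, "alice", "10.0.5.21", "fs-01", "ok"),
    (2, 9, "alice", "10.0.5.21", "ws-017", "ok"),
    (1, 8, "bob", "10.0.5.30", "ws-042", "ok"),
    (2, 17, "bob", "10.0.5.30", "ws-042", "ok"),
]
HUNT_WINDOW = [  # the window under investigation
    (5, 9, "alice", "10.0.5.21", "ws-017", "ok"),     # normal
    (5, 2, "alice", "10.0.9.77", "ws-017", "fail"),   # new source, 02:00
    (5, 2, "alice", "10.0.9.77", "ws-017", "ok"),
    (5, 3, "alice", "10.0.9.77", "fs-01", "ok"),
    (5, 3, "alice", "10.0.9.77", "db-02", "ok"),      # host alice never used
    (5, 3, "bob", "10.0.9.77", "db-02", "fail"),      # same source trying bob
    (5, 17, "bob", "10.0.5.30", "ws-042", "ok"),      # normal
]


def build_baseline(events):
    """Per-account profile of successful log-ins: source IPs, hosts, hour span."""
    profile = defaultdict(lambda: {"ips": set(), "hosts": set(), "hours": set()})
    for _, hour, user, ip, host, outcome in events:
        if outcome == "ok":
            p = profile[user]
            p["ips"].add(ip)
            p["hosts"].add(host)
            p["hours"].add(hour)
    return profile


def flag_anomalies(events, profile):
    """Return (event, reasons) pairs for log-ins outside the account's baseline."""
    flagged = []
    for ev in events:
        _, hour, user, ip, host, outcome = ev
        p = profile.get(user)
        reasons = []
        if p is None:
            reasons.append("unknown_account")
        else:
            if ip not in p["ips"]:
                reasons.append("new_source_ip")
            if host not in p["hosts"]:
                reasons.append("new_host")
            lo, hi = min(p["hours"]) - 1, max(p["hours"]) + 1  # one hour of slack
            if not lo <= hour <= hi:
                reasons.append("off_hours")
        if outcome != "ok" and reasons:
            reasons.append("failed_attempt")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


def pivot_on_source(events, src_ip):
    """Trace an indicator back to its source: everything that address touched."""
    scope = {"accounts": set(), "hosts": set(), "failures": 0, "first_seen": None}
    for day, hour, user, ip, host, outcome in sorted(events):
        if ip != src_ip:
            continue
        scope["accounts"].add(user)
        scope["hosts"].add(host)
        scope["failures"] += outcome != "ok"
        scope["first_seen"] = scope["first_seen"] or (day, hour)
    return scope


def hunt(baseline, window):
    """Hypothesis: a stolen credential is being used from a new address."""
    profile = build_baseline(baseline)
    flagged = flag_anomalies(window, profile)
    leads = {}
    for (_, _, _, ip, _, _), reasons in flagged:
        if "new_source_ip" in reasons and ip not in leads:
            leads[ip] = pivot_on_source(window, ip)
    return flagged, leads


if __name__ == "__main__":
    flagged, leads = hunt(BASELINE, HUNT_WINDOW)
    for ev, reasons in flagged:
        print(ev, reasons)
    for ip, scope in leads.items():
        print(ip, scope)
```

The pivot output is what turns a single odd log-in into an investigation scope: one unfamiliar address, two accounts, three hosts and a first-seen time to anchor the timeline.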
Optimise Your Threat Hunting Capabilities with Labyrinth
The outcome of threat hunting often depends on the quality of the data that security teams have to work with. The better the threat intelligence, the faster, and more impactful the security response, and the greater the chance of avoiding serious negative consequences.
Ripjar’s Labyrinth for Threat Investigations (LTI) is built to empower your threat hunting activities with next-generation AI-enabled analytic capabilities. LTI provides multiple out-of-the-box threat intelligence workflows and coordinated threat data feeds to supercharge hunting strategies and help security teams zero in on, and respond to, network intrusions quickly and decisively.
21st century threat environments are evolving constantly. As hackers and cyber-criminals develop increasingly sophisticated attack methodologies, businesses are racing to deploy effective countermeasures for both cyber and physical threats. In this climate, protecting your business means not only implementing robust cyber security but understanding as much as possible about the threats you face by developing and optimising threat intelligence.
In this guide, we’ll explore the security advantages of effective threat intelligence, how software tools help firms enhance the impact of intelligence data, and how artificial intelligence (AI) is changing threat investigations.
What is Threat Intelligence?
Threat intelligence refers to the collection and analysis of data as a means to identify current and emerging threats to a business and implement appropriate defensive strategies. Those threats may include:
Cyber attacks perpetrated by hackers and cyber criminals
Viruses, ransomware, and malware
Deepfakes and AI-enabled fraud
Supply chain disruption
Nation-state espionage
Threat intelligence is more than the aggregation of data on potential attack vectors. It should be a process of ongoing analysis, coordination and learning, with the goal of developing comprehensive, ongoing awareness of a business’ threat environment. In practice, the process might involve:
Analysis of customer behaviour for patterns or abnormalities.
Tracking of emergent criminal activity, including exploitation of new technologies, viruses and malware.
Screening of adverse media and watchlists.
Fusion of data points for actionable security insight.
The complexity of the threat intelligence challenge reflects the diversity of the global risk landscape. Threats to a particular business may be missed as a result of security blindspots, or the sophistication of a new criminal methodology. The deeper and more detailed the threat intelligence picture, the more likely it is that a firm will be able to identify and respond to potential danger effectively.
Types of Threat Intelligence
Not all threat investigations deliver the same type of actionable insight. Consider the following types of threat intelligence:
Strategic threat intelligence: Providing a high-level perspective on an organisation’s threat environment, strategic intelligence is most useful for revealing institutional security vulnerabilities and shaping executive-level decision-making.
Tactical threat intelligence: More focused on specific actors and attack vectors, tactical threat intelligence offers useful detail for security specialists and insight into countering specific threats.
Technical threat intelligence: Insight into technical threat data and evidence for attacks, which experts may analyse in order to strengthen security measures. Threat intelligence data may include phishing email content, URLs, samples of malware and other attack indicators. Analysis of technical threat intelligence may be time sensitive.
Operational threat intelligence: Insight into attack strategies, including motive, timing, characteristics and impact. Operational threat intelligence may be derived from the analysis of previous attacks, or even by the direct polling of threat actors such as hackers and cyber criminals.
Tools and Services for Threat Investigations
The means by which firms gather threat intelligence impacts its quality and utility. With that in mind, specific tools and services may be particularly useful to threat investigation solutions.
Data collection and analysis: The quality of threat intelligence data will shape its security impact. Software tools can automate the process of identifying and collecting quality threat data, providing valuable speed, efficiency and accuracy, and reducing the potential for human error during manual, repetitive tasks such as data entry.
Entity extraction: Intelligence-gathering activities typically involve vast amounts of data, which make it challenging for security teams to identify specific threats within unstructured sources without triggering a high volume of false positives. Entity extraction tools can help security teams automatically identify those high risk entities, and even establish connections with other potentially dangerous entities that human employees might have missed.
Knowledge management: The security impact of threat intelligence depends on a firm’s ability to deploy it quickly and effectively in real-world security situations. Knowledge management software enables firms to organise, collate, record and retrieve data in seconds, and annotate key data points to support decision-making and ongoing investigations.
Data visualisation: Security software provides the means to represent threat intelligence data in the form of maps, histograms, timelines and other visual interpretations that teams can use to illustrate threats more clearly, and support investigative efforts.
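To make the entity-extraction step above concrete, here is an added example (not Ripjar code, and not a description of the LTI platform) that pulls technical indicators out of a free-text threat report. The report text, the indicators in it and the list of file extensions are all constructed for the example; the hashes are the well-known digests of empty input and the addresses come from documentation ranges.

```python
"""Pull indicators of compromise out of free-text threat reporting.

Added example (not Ripjar code). Refangs the obfuscations analysts use
when sharing indicators ("hxxp", "[.]", "[at]"), then extracts URLs,
domains, IPv4 addresses and MD5/SHA-1/SHA-256 hashes, dropping addresses
in non-routable ranges that can never be useful as network indicators.
"""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample report: the indicators below are illustrative only
# (documentation address ranges, example.* names, hashes of empty input).
SAMPLE_REPORT = """
Phishing campaign observed 2024-03-01. Lure hosted at hxxp://login-portal[.]example[.]net/auth
and hxxps://cdn.update-check[.]com/x.php. Dropper SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,
MD5 d41d8cd98f00b204e9800998ecf8427e. C2 at 203.0.113.45:8443 and
198.51.100.7; internal host 10.0.0.5 also beaconed. Registrant also
controls mail-relay[.]example[.]co[.]uk. Contact soc@example.org.
"""

_REFANG = [
    (re.compile(r"hxxp(s?)://", re.I), r"http\1://"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)", re.I), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[@\]|\[at\]|\(at\)", re.I), "@"),
]
_URL = re.compile(r"https?://[^\s'\"<>]+", re.I)
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
_HASHES = {
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "sha1": re.compile(r"\b[a-f0-9]{40}\b", re.I),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
}
# Bare "name.ext" tokens that the domain pattern would otherwise accept (assumed list).
_FILE_EXT = {"php", "exe", "dll", "html", "htm", "txt", "js", "doc", "docx", "pdf", "zip", "ps1"}
# Only ranges that can never be a public indicator are dropped; the RFC 5737
# documentation ranges used in the sample are deliberately kept.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]


def refang(text: str) -> str:
    """Undo the defanging conventions so the indicators parse normally."""
    for pattern, repl in _REFANG:
        text = pattern.sub(repl, text)
    return text


def _routable(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in _NON_ROUTABLE)


def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Return de-duplicated, sorted indicators grouped by type."""
    text = refang(text)
    urls = {u.rstrip(".,;:)]") for u in _URL.findall(text)}
    # Remove URLs and e-mail addresses before the domain pass so their
    # hostnames and path components are not re-matched as bare domains.
    stripped = _EMAIL.sub(" ", _URL.sub(" ", text))
    domains = {urlparse(u).hostname for u in urls if urlparse(u).hostname}
    for cand in _DOMAIN.findall(stripped):
        if cand.rsplit(".", 1)[-1].lower() not in _FILE_EXT:
            domains.add(cand.lower())
    ips = {ip for ip in _IPV4.findall(text) if _routable(ip)}
    out = {"url": sorted(urls), "domain": sorted(domains), "ipv4": sorted(ips)}
    for name, pattern in _HASHES.items():
        out[name] = sorted({h.lower() for h in pattern.findall(text)})
    return out


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        print(f"{kind:7s} {values}")
```

The order of operations matters: refang first, then take URLs and e-mail addresses out of the text before looking for bare domains, otherwise every URL path component such as `x.php` turns into a false-positive "domain". The internal `10.0.0.5` host is dropped on purpose; it is evidence for the incident, not an indicator anyone else can act on.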
Threat Investigations and Artificial Intelligence
Artificial intelligence has significant potential in threat investigation applications. Beyond automating data collection and monitoring tasks, AI-enabled techniques such as natural language processing (NLP) can extend analytic capability across structured and unstructured data, deriving intelligence at greater scale and in greater detail than manual review allows.
GenAI tools can be applied across the spectrum of high-value threat indicators, including the automatic analysis of indicators of compromise (IoCs) such as IP addresses, domains and malware hashes. Supported by GenAI, threat intelligence solutions can identify and extract relevant data in seconds, and present clear, concise summaries of that information to support human decision-making.
From integrating disparate intelligence streams into a centralised source of truth to generating ongoing data feeds that support real-time protection, AI promises to transform the security landscape. Key use cases include:
Threat hunting: AI algorithms can proactively monitor for emerging threats, including new viruses, malware, and phishing schemes, and feed that information back to security teams in real time. Similarly, AI tools may be able to detect emerging vulnerabilities within an existing security solution.
Incident response: The enhanced insight that AI-enabled systems provide can accelerate and focus firms’ responses to threats. AI tools can surface, for example, the tactics, techniques and procedures (TTPs) associated with specific threat actors, IoCs to search for across the network, and a prioritised list of response actions in the aftermath of an attack.
Third party risk: Threats often emerge from third parties, including links in an organisation’s supply chain. These types of threat, including anything from expired certifications to nation state espionage, can be extremely challenging to spot, but AI-enabled screening and monitoring algorithms can help firms to capture and connect the necessary data points.
Next Generation Threat Investigations
Defending your business in an evolving threat landscape can be daunting, but with the right tools, it doesn’t have to be difficult. Ripjar’s Labyrinth for Threat Investigations (LTI) platform is designed to unlock the power of threat intelligence by using a combination of advanced analytics and industry leading AI, machine learning, and data fusion capabilities to visualise threats quickly and simply. LTI offers analysts even more flexibility, providing the tools to develop the platform further, add extra data enrichments to investigations as necessary, and harness the power to mitigate emergent issues.
Backed by decades of security expertise, LTI offers a cutting-edge solution with intelligence grade security. Deploy multiple workflows out of the box, customise your data feeds to suit your business’ security requirements, and create detailed, fully traceable reports on investigation outcomes.
On Thursday 30 May, Ripjar hosted a webinar on Navigating Cyber Threats. The online event included a guest presentation and a discussion of the top cyber-security challenges in the current threat landscape. Ripjar’s Chief Product Officer, Gabriel Hopkins, chaired the panel which brought together:
Brian Wrozek – Principal Analyst, Forrester
Don Smith – Vice President Threat Research, Secureworks
Matt Chinnery – Pre-Sales Manager, Ripjar
Let’s explore some of the webinar’s highlights and key discussion points.
Presentation: Threat Intelligence Trends
Opening the webinar, guest speaker Brian Wrozek outlined the top cyber-threats faced by the global business community in 2024, and the role that threat intelligence plays in addressing them.
Brian began with a reminder that day-to-day cyber-threats such as ransomware and denial of service are pervasive, and never really go away. Beyond that ambient, ongoing threat, he pointed to a number of emerging concerns in 2024, grouping them into two broad trends:
The uncertainty created by false or unverifiable information, such as:
Narrative attacks
Deepfakes
AI responses
The increasing complexity of threat environments in which advanced technology installations create opportunities for misinformation to take hold. Complexity trends include issues relating to:
AI software supply chain
Nation state espionage
These emerging trends have been prompting firms to increase their security spending in recent years, with security leaders prioritising threat intelligence as a means to address emerging and future threats. Brian noted, however, that firms also allocate a significant portion of their cyber-incident response to the investigation phase, meaning that better threat intelligence capabilities could enhance both the efficiency and impact of their response.
With that in mind, many firms are focusing on threat hunting: proactively searching for signs that a system has already been compromised in ways existing controls did not detect, and developing strategies to deal with what is found. Effective threat hunting should have multiple objectives:
Primary objectives:
Finding previously undetected network intrusions
Verifying that there is no evidence of a successful attack
Enhancing a firm’s security controls
Secondary objectives:
Enhancing security team knowledge and skills
Demonstrating the complexity and maturity of the security solutions
Acquiring potential new security assets
Brian stressed that threat hunting should result in firms being able to take tangible action – and so the intelligence that it provides must be complete, accurate, relevant, and timely to the needs of the commissioning firm. He added that expectations around cyber-security are also rising, and contributing to the need for threat-fighters to leverage as much expertise as possible, including from third-party data and networks.
Exploring trends in cyber-security and threat intelligence
Responding to Brian’s presentation on threat intelligence trends, Don Smith zeroed in on one of the most specific threats on the landscape: ransomware attacks.
Don made the point that the danger of ransomware lies not only in its prevalence but in its impact, since the ROI on a ransomware network intrusion is “maximised” in the sense that it “drives an entire criminal ecosystem”. Referencing the success of the recent Operation Endgame, the largest coordinated operation by European law enforcement authorities against malware botnets, Don emphasised the importance of ongoing disruption to that criminal ecosystem. As part of that disruptive effort, Don added that firms should focus on cyber-security fundamentals, such as applying timely patches to internet-facing software, fully implementing multi-factor authentication (including for admins and the supply chain), and dealing with commodity malware.
Don pointed to the need for firms to “extract salient learning” from the threat intelligence they gain from incidents, and use it to determine where they should be investing in controls or double-checking compliance. That constant strengthening is critical since cyber-criminals typically take “a scattergun approach” to their attack methodologies, with firms “self-selecting as victims through the state of their control frameworks.”
Ripjar’s Matt Chinnery also focused on the pervasiveness of cyber-threats, warning that “everyone is a threat and everyone is a target” in the 21st century cyber-security landscape. Complicating the challenge further is the constant evolution of both threats and targets, which means that it often falls to security professionals to “fit in with what the bad guys are doing”. Matt raised the importance of threat data, pointing out that many clients struggle to “make sense” of the sheer volume of information feeding into their risk screening solutions, making it “difficult to ratify and justify and get to the root cause immediately.”
He added that, while having enough information to address potential cyber-threats is critical, the quality of that information is just as important to defending against attacks.
Gathering meaningful threat intelligence
“Automation is absolutely key” to the threat data challenge, said Don Smith. Discussing his experience with Ripjar’s Labyrinth Intelligence over the last 5 years, he pointed to the value of the platform’s flexibility, a quality that allows his team to analyse vast amounts of risk data in seconds, and tailor “tens of thousands of indicators” to the specific needs of clients.
That screening capacity includes performing quality assurance against client telemetry from the past 24 hours, along with other checks and balances, to ensure the client’s security operations centre (SOC) isn’t adversely impacted, and domains like Amazon.com aren’t inadvertently put into a protective block list. “There is absolutely no way that you can do threat intelligence these days without having automation to orchestrate the researcher playbook,” Don said.
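The quality-assurance step described above, checking researched indicators against an allow list and the last 24 hours of client telemetry before anything reaches a block list, is easy to get wrong, so here is an added example of such a gate (not Secureworks' or Ripjar's playbook code). The allow list, the DNS telemetry, the candidate list and the 50-resolution review threshold are all constructed for the example.

```python
"""Quality gate for candidate domain indicators before they reach a block list.

Added example, not Ripjar's or Secureworks' playbook code. Each candidate
must parse as a domain, must not sit under an allow-listed domain, and must
not be in heavy use across the estate according to 24h DNS telemetry;
otherwise it is rejected or held for human review rather than blocked.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

REVIEW_THRESHOLD = 50  # assumed: resolutions/24h above which a human must sign off

_DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

ALLOW_LIST = {"amazon.com", "microsoft.com", "google.com"}  # constructed

# Constructed DNS telemetry: (domain resolved, resolutions in the last 24h).
TELEMETRY_24H = [
    ("cdn.update-check.com", 2),
    ("update-check.com", 980),
    ("s3.amazonaws.com", 1400),
    ("malware-c2.example.org", 1),
]

CANDIDATES = [  # constructed output of a research run
    "cdn.update-check.com", "amazon.com", "docs.amazon.com",
    "malware-c2.example.org", "update-check.com", "AMAZON.COM.", "not a domain",
]


def normalise(raw: str) -> Optional[str]:
    """Lower-case, strip whitespace and the trailing dot; None if not a domain."""
    domain = raw.strip().lower().rstrip(".")
    return domain if _DOMAIN_RE.match(domain) else None


def parents(domain: str) -> Iterable[str]:
    """Yield the domain and each parent: a.b.c -> a.b.c, b.c, c."""
    labels = domain.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def resolutions(domain: str, telemetry: List[Tuple[str, int]]) -> int:
    """Resolutions of the domain or anything beneath it in the telemetry window."""
    return sum(n for seen, n in telemetry if seen == domain or seen.endswith("." + domain))


def triage(candidates: Iterable[str], allow_list: set, telemetry: List[Tuple[str, int]],
           threshold: int = REVIEW_THRESHOLD) -> Dict[str, List[Tuple[str, str]]]:
    """Sort candidates into block / review / reject, each with a reason."""
    verdicts: Dict[str, List[Tuple[str, str]]] = {"block": [], "review": [], "reject": []}
    seen = set()
    for raw in candidates:
        domain = normalise(raw)
        if domain is None:
            verdicts["reject"].append((raw, "not a valid domain name"))
            continue
        if domain in seen:  # same indicator submitted twice in different spellings
            continue
        seen.add(domain)
        # Blocking a subdomain of an allow-listed domain is as bad as blocking
        # the apex: the request would be refused either way.
        hit = next((p for p in parents(domain) if p in allow_list), None)
        if hit is not None:
            verdicts["reject"].append((domain, f"allow-listed under {hit}"))
            continue
        n = resolutions(domain, telemetry)
        if n >= threshold:
            verdicts["review"].append((domain, f"{n} resolutions in last 24h; blocking would hit live traffic"))
        else:
            verdicts["block"].append((domain, f"{n} resolutions in last 24h"))
    return verdicts


if __name__ == "__main__":
    for verdict, items in triage(CANDIDATES, ALLOW_LIST, TELEMETRY_24H).items():
        for domain, reason in items:
            print(f"{verdict:6s} {domain:26s} {reason}")
```

The telemetry check counts subdomains too, so an apex such as `update-check.com` is held for review even though the specific subdomain reported as malicious is barely used; that is the case where an automated push would have taken a legitimate service offline.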
Understanding a new generation of hackers
Exploring the threat of “different attack groups”, Gabriel Hopkins brought up the issue of a new type of bad actor: “nihilistic young hackers with very, very different motivations” to their predecessors. Don characterised this group as “the Minecraft generation of young, Western-located cyber-criminals who have a unique combination of skillsets”. He added that this new type of hacker has not only the technical expertise to carry out cyber-attacks but the “social engineering” skill and eloquence to exploit the human vulnerabilities of a target network.
Brian noted that the motivation of this new kind of hacker is fundamental to their threat, with groups perpetrating attacks for reasons beyond the financial, and targeting critical infrastructure as much as corporate assets. “In the past, there was almost an honour among the threat actors,” he said. “They didn’t target things like nuclear power plants or the healthcare industry. Now it seems all that’s changed. Anything’s a target.”
Don underlined that difficulty. “The motivations change,” he said. “One day they’re an affiliate of a ransomware gang. Another day, they’re stealing crypto wallets. Another day, they’re doxxing or swatting their friends. Very, very unpredictable.”
The novelty of this emergent hacking trend adds to the danger it poses, Brian argued. Since critical infrastructure operators have not previously had to contend with the level of cyber-threat they now face, they are years behind their corporate counterparts in terms of investment in, and maturity of, cyber-security. He suggested that while nation state actors were once held back by a sense of mutual financial threat, the new generation of hackers doesn’t face that same constraint.
The importance of threat intelligence to threat hunting
Brian illustrated the advantages of leveraging threat intelligence during a cyber-attack, describing an instance in which he was able to use a TTP approach (tactics, techniques and procedures) to identify a specific threat actor, inform the security response, and ultimately eliminate the threat. Don pointed out that threat hunting also plays a critical role in the effectiveness of cyber-security frameworks, emphasising the investigative value of hunting exercises, which not only prevent attacks but increase client confidence and create better business outcomes.
Picking up on that point, Brian noted that threat reports help justify budget decisions by demonstrating the requirements, and limitations, of a particular security system, and ultimately supporting the opinions of compliance officers.
The value and functionality of AI and machine learning
Brian suggested that AI tools are contributing to the effectiveness of threat intelligence. For example, generative AI queries phrased in simple English are replacing the archaic query language required in previous security frameworks, speeding up incident responses and threat hunting activities, and even simplifying the search process to the point that junior analysts can be better involved. Similarly, generative AI tools are capable of creating human-readable summaries and reports from unstructured threat intelligence data, making the screening process quicker and easier to validate.
Following on from Brian, Don recommended caution around the more open-ended applications of AI, including requests for generative AI tools to report on specific threat actors. He pointed out that, even when producing quality, informative threat intelligence “98% of the time”, generative AI is vulnerable to hallucinations and firms should be wary of that potential outcome. “They’re trained to sound like they know the answer,” Gabriel added, “even when they don’t.”
Gabriel closed the webinar by asking the panellists for key takeaways from the discussion:
Matt focused on the need for specifics, suggesting that in order to acquire actionable security data, firms need to know exactly “what it is you’re trying to get” from their threat intelligence. He also stressed the need for users to be mindful of generative AI since, as much as security teams can use AI tools for good, threat actors may also be able to use them maliciously. To that end, users should stay on top of their security responsibilities, enabling two-factor authentication, patching regularly, and preparing for the unexpected.
Don emphasised the importance of perspective when dealing with the changing threat landscape. “There is an awful lot of turbulence for very little flow,” he said, suggesting that while information security incidents may appear to vary over the short term, over a longer timescale we see consistency across TTP and “the learning remains fairly solid.”
Finally, Brian urged security leaders to strike the right balance between implementing foundational security controls and taking the time to understand new threats, solutions, and technologies. Finding that balance not only offers protection from existing and emerging cyber-threats, but helps firms keep pace with competitors in a rapidly changing risk landscape.
According to the National Cyber Strategy 2022, ransomware has become “the most significant cyber threat facing the UK”, posing a danger not only to the country’s economy and businesses, but to “essential services” and “critical national infrastructure”.
Crippling business operations and threatening the privacy and security of individuals, ransomware attacks are increasing in frequency, sophistication, and impact. In a recent article for Finance Derivative, Ripjar’s Toby Butler points out that, in 2021, the UK’s financial services sector saw a 55% increase in ransomware attacks, while in 2022, the National Cyber Security Centre (NCSC) warned that 17 ransomware attacks on the UK were so severe that they required “a nationally coordinated response”. Adding to the threat is the emergence of Wholesale Access Markets (WAM), which Toby characterises as “underground internet flea markets” that criminals use to purchase access to vulnerable networks for as little as $10 to $20.
The global ransomware threat has prompted governments and regulators to strengthen their cybersecurity infrastructure, and develop new tools to defeat cyber criminals. In 2023, the Financial Action Task Force (FATF) released its Countering Ransomware Financing report, detailing the methodologies behind ransomware along with proposals for how to more effectively disrupt attacks – including the integration of innovative technology solutions such as artificial intelligence (AI) analysis and machine learning systems.
Given the scale of the ransomware threat, it’s critical that organisations understand their risk landscapes. With that in mind, let’s take a closer look at the FATF’s report, and explore the ways that AI-enabled screening and intelligence solutions can help firms enhance their compliance capabilities and deal with key ransomware challenges.
Ransomware and Money Laundering
A typical ransomware attack involves the use of malicious software to encrypt data and block access from users, with the attackers demanding the payment of a ransom to remove the encryption. If the victims don’t pay, then they risk losing an exorbitant amount of money as a result of being unable to access critical data and network functionality.
When victims pay a ransom, criminals must find ways to launder that money, which means evading anti-money laundering (AML) and counter-financing of terrorism (CFT) controls. Ransomware attackers operate anonymously, and ransom payments are often made covertly and without disclosure to law enforcement, which makes it harder for authorities to identify those responsible through conventional AML/CFT controls. Adding to that challenge, attackers typically demand payment in virtual assets such as cryptocurrencies, which can be transferred almost instantaneously and, once passed through obfuscation services, can be very difficult to trace.
It’s important to remember that, when firms do pay ransoms, the transfer of funds itself often violates AML/CFT regulations and exposes firms to significant criminal liability, including violations of international sanctions restrictions.
Ransomware Financing Methodologies
In its 2023 report, the FATF set out some of the most common methods and trends associated with ransomware attacks. These include:
Malware: Ransomware attacks typically begin with malware being introduced to the victim’s network, most often by users unwittingly opening a phishing attachment or following a link in a phishing email or malicious advert, or by attackers brute-forcing credentials on exposed remote-access services. The sophistication of ransomware attacks is an evolving challenge: firms must remain alert to suspicious emails and ensure employees are trained to recognise likely attack vectors.
Anonymous payments: Criminals seek to maintain their anonymity throughout the ransom payment process, including by demanding ransoms in virtual assets. Once victims pay, attackers typically move the funds through a long sequence of addresses, passing the bulk of the value on at each hop and splitting off a small amount, a technique known as a “peel chain”. Alternatively, attackers may use mixing and tumbling services that obscure the connections between cryptocurrency wallets, or move funds between different blockchains (“chain hopping”) to frustrate attempts to trace payments.
Cross-border transfers: The FATF points out that ransomware is a global problem, affecting firms in jurisdictions around the world. However, ransomware attacks typically originate in countries with lower levels of AML and CFT regulation, and target firms in wealthier jurisdictions, particularly in Europe and North America. The transnational nature of the ransomware process, and the swift movement of virtual assets between wallets, makes tracking and catching perpetrators more challenging.
Fiat conversion: At some point, criminals must introduce their illegal virtual assets into the traditional cash-based financial system by converting them to fiat currency. At this juncture, criminals will typically seek to cash out their proceeds in jurisdictions with very low or non-existent AML/CFT regulation, and use amenable virtual asset service providers (VASPs) to receive and convert illegal funds.
Money mules: Ransomware attackers may engage money mules to cash out illegal funds on their behalf, coercing participation or offering payment incentives. Mules may create legitimate accounts with VASPs or use stolen identities, but their apparent disconnection from the ransomware process makes them harder for authorities to identify.
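The peel-chain pattern described above is the one laundering technique in this list that an investigator can recognise directly in transaction data, so here is an added example (not Ripjar code, not from the FATF report) that follows a chain of spends from a ransom address. The transaction model, the amounts, the labelled exchange address and the "small peel" threshold are all constructed assumptions; real chains have fees, multi-input transactions and address reuse that this simplified tracer ignores.

```python
"""Trace a peel chain through a simplified transaction graph.

Added example, not Ripjar code. At each hop the largest output is treated
as the continuation of the chain and the smaller outputs as the "peels";
tracing stops at an address with a known label (for instance an exchange
deposit address), at a dead end, or after max_hops.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Tx:
    txid: str
    inputs: List[Tuple[str, int]]    # (address, amount in base units)
    outputs: List[Tuple[str, int]]


@dataclass
class Hop:
    txid: str
    continuation: Tuple[str, int]     # largest output: where the bulk goes next
    peels: List[Tuple[str, int]]      # smaller outputs split off at this hop
    peel_fraction: float              # peeled value / total output value


@dataclass
class Trace:
    hops: List[Hop] = field(default_factory=list)
    terminal: Optional[Tuple[str, Optional[str]]] = None  # (address, label or None)


# Constructed ledger: a 50,000-unit ransom at A0 peeled four times into an
# exchange deposit address, plus one unrelated transaction.
SAMPLE_TXS = [
    Tx("tx1", [("A0", 50_000)], [("A1", 48_500), ("P1", 1_400)]),
    Tx("tx2", [("A1", 48_500)], [("P2", 1_400), ("A2", 47_000)]),
    Tx("tx3", [("A2", 47_000)], [("A3", 45_600), ("P3", 1_300)]),
    Tx("tx4", [("A3", 45_600)], [("P4", 1_500), ("EXCH1", 44_000)]),
    Tx("tx9", [("X", 5_000)], [("Y", 4_900)]),
]
LABELS = {"EXCH1": "exchange-hot-wallet"}  # constructed attribution data


def build_spend_index(txs: List[Tx]) -> Dict[str, Tx]:
    """Map each spent address to the transaction spending it (assumes
    single-use addresses, a simplification)."""
    index: Dict[str, Tx] = {}
    for tx in txs:
        for addr, _ in tx.inputs:
            index[addr] = tx
    return index


def trace_peel_chain(start: str, txs: List[Tx], labels: Dict[str, str],
                     max_hops: int = 25) -> Trace:
    """Follow the largest output hop by hop from `start`."""
    spends = build_spend_index(txs)
    trace = Trace()
    current = start
    for _ in range(max_hops):
        tx = spends.get(current)
        if tx is None or not tx.outputs:
            break  # dead end: funds sitting unspent or outside our data
        outputs = sorted(tx.outputs, key=lambda o: o[1], reverse=True)
        continuation, peels = outputs[0], outputs[1:]
        total = sum(a for _, a in outputs)
        trace.hops.append(Hop(tx.txid, continuation, peels,
                              sum(a for _, a in peels) / total))
        current = continuation[0]
        if current in labels:
            break  # reached a known service: the cash-out point
    trace.terminal = (current, labels.get(current))
    return trace


def peeled_total(trace: Trace) -> int:
    return sum(a for h in trace.hops for _, a in h.peels)


def looks_like_peel_chain(trace: Trace, min_hops: int = 3,
                          max_peel_fraction: float = 0.2) -> bool:
    """Heuristic (assumed thresholds): several hops, each peeling off only a
    small share of the value."""
    return (len(trace.hops) >= min_hops
            and all(h.peel_fraction <= max_peel_fraction for h in trace.hops))


if __name__ == "__main__":
    t = trace_peel_chain("A0", SAMPLE_TXS, LABELS)
    for h in t.hops:
        print(f"{h.txid}: -> {h.continuation[0]} ({h.continuation[1]}), peels {h.peels}")
    print("terminal:", t.terminal, "peeled:", peeled_total(t), "peel chain:", looks_like_peel_chain(t))
```

The trace itself is the investigative product: the peel addresses are where small amounts are cashed out or handed to mules, and the terminal address is where a subpoena or VASP request can be directed. The "largest output continues" heuristic breaks down once mixers or multi-input consolidation are involved, which is exactly why criminals use them.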
Solving Ransomware Challenges with AI
Addressing ransomware risks can be daunting, complicated and expensive, especially in a constantly-evolving threat environment where criminals work hard to monetise network vulnerabilities. However, AI represents a significant advantage in the battle against ransomware and cyber-crime, especially in the financial services industry, where the technology solutions offer powerful insights that can help firms prevent and deter future attacks.
Unstructured Data Analysis
AI is so effective in the fight against ransomware because it offers users advanced data review and analysis capabilities, including the means to harness vast amounts of unstructured data with speed, efficiency and accuracy, to generate actionable intelligence.
Cyber security experts can struggle to make sense of the vast pools of data available to them. That process can be hard enough with structured data, which is generally relatively simple to analyse, but it is significantly harder when it comes to unstructured data with data points stored in their native formats, including invoices, emails, news articles, and other types of complex online prose. AI and machine learning provide an answer to this problem. Using natural language processing algorithms, AI systems can analyse unstructured data inputs quickly, extract the relevant data points, and then generate financial intelligence.
Intelligence for Decision-Making
In the battle against ransomware, different elements of AI address different challenges. AI-enabled tools can fuse and analyse data drawn from hundreds of systems across a network, identifying anomalies in security logs, email and many other sources, and then combine that intelligence with internal and external threat reports. With the benefit of machine learning, such systems can also help protect against future ransomware attacks by using historic data to inform decision-making, anticipate attack strategies, or even highlight emerging network vulnerabilities.
AI can also help relevant organisations quickly respond to money laundering and terrorism financing threats by providing effective screening against the broadest range of risks, identifying potential culprits quickly using the latest unstructured data inputs from the news media.
The Importance of Data
Data is critical to preventing and addressing the ransomware threat. AI-enabled systems need to have access to vast amounts of accurate customer data in order to generate effective protections for as broad a range of ransomware threats as possible.
In practice, this means integrating data screening solutions, such as Ripjar’s Labyrinth for Threat Investigations product, that can meet your firm’s data collection and analysis requirements. Labyrinth is capable of searching millions of structured and unstructured data sources from across the world, in over 25 foreign languages, and generating actionable financial intelligence in seconds. Built with cutting-edge machine learning technology, Labyrinth gives you the power to extract the most relevant risk data from inputs in order to make faster, stronger compliance decisions, and stay one step ahead of potential attackers.
The announcement of enhanced defense collaboration between the UK, US, and Australia underlines crucial global alignment in multiple areas.
There are many interesting elements to the new AUKUS pact between the United Kingdom, Australia, and the USA – from the way it was announced to the tenor of many of the reactions. There are a number of less talked-about points behind the headlines that are also worth looking at.
1. It’s not all about submarines
The coverage has focused on nuclear and diesel submarines from France and Australia. Given the geopolitics, the amazing hardware is a critical and fascinating component, but this is also about other types of confrontation.
Critically, cyber is a crucial element, recognising the threat the three nations and their allies face from cyber warfare, as well as the opportunities inherent in data and capability sharing. The joint statement says, “This is an historic opportunity for the three nations, with like-minded allies and partners, to protect shared values and promote security and prosperity in the Indo-Pacific region.”
A critical driver for the pact is China’s substantial defence spending on submarines and aircraft of its own. You can be sure that China’s investment in cyber weapons is equally concerning.
Once the dust settles, we will see a commitment to collaboration coming from the highest level of allied governments with huge potential to disrupt adversarial cyber threats.
We know from our experiences with Ripjar’s Labyrinth platform how powerful technologies can make sense of large scale structured and unstructured data to understand threats. Data sharing and collaboration across jurisdictions will make AUKUS truly formidable, but will also provide some complex challenges. Extreme caution will be needed around data segmentation, classification and control.
2. Advanced technology is central
The AUKUS leaders are ambitious. The White House statement even talks about Quantum computing. While we will have to see if that part of their vision is fully realised, we can be sure that Artificial Intelligence and Machine Learning will be utilised like never before.
“In the last 5 years, the rule books have been torn up. As a result, immense compute power and complex machine learning algorithms are within reach of sophisticated individual hackers, never mind state-sponsored adversaries.”
It is essential to enlist the latest public and private sector technology to combat emerging threats. AUKUS provides a robust framework for Australian, UK and US agencies and their vendors to work together to build the formidable capabilities we need.
The commercial sector will have a significant role to play in the AUKUS developments. We have seen first-hand the importance of strong systems integration partners such as Accenture in delivering capability vision in a timely efficient manner.
3. AUKUS – more of the same?
Australia, the United Kingdom and the US already work together on aspects relating to cyber and intelligence. The Five Eyes alliance adds New Zealand and Canada to the other three nations and has been in existence since 1941. The English-speaking nations share intelligence to counter threats of different types.
The experiences of previous collaboration will be an important catalyst to future AUKUS collaboration. Aside from the English language, there are strong cultural and technological ties between teams in the different jurisdictions. It is no coincidence that Ripjar itself has experience in all three pact countries.
AUKUS truly is a historic pact, and we welcome every opportunity to support the work being done to bring security and stability to the region and the world.
Serious and organised crime is big business. The often quoted figures are mind-boggling:
$2 trillion of illicit finance is laundered annually;
Costs to the UK economy of at least £37 billion.
These figures hide the true cost of the threat. A chronic and corrosive force in our society that survives on the suffering of millions. Illegal narcotics damage lives, corruption diverts funds away from much needed projects, the trade in illegal wildlife damages our ecosystem and could foster the next worldwide pandemic.
The alarming rise in fraud and cybercrime continues at pace, and investigators – whether in law enforcement, AML investigations teams, Financial Intelligence Units (FIUs) and the other bodies that are set up to manage risk and spot the tell-tale signs of money laundering – are all struggling to make best use of precious resources.
The only way to succeed is to painstakingly join the dots between internal and external data: company records that might hide a shell company in the Caribbean, news articles from an ongoing embezzlement trial, and sensitive internal KYC/CDD records, transaction reports or data from other monitoring systems.
Manually sifting through this data, matching unstructured reports to structured client records takes extraordinary patience and time, often meaning the dark corners of criminality remain uninvestigated and have time to flourish unabated.
This is where Ripjar’s Labyrinth Investigations technology has transformed criminal intelligence and investigations work. This breakthrough data intelligence platform built from decades of experience in government, law enforcement and banking provides a framework for intelligence teams tackling criminality including human trafficking, smuggling, corruption, fraud and cybercrime.
It turns flat, difficult-to-interpret two-dimensional data into rich, connected and insightful visualisations, so that criminal networks can be seen holistically, across all data sources, in three dimensions.
There are three founding principles that our Investigations platform is built on:
Data Fusion – our powerful workflow engine allows data engineers and data scientists to rapidly iterate and integrate any data source that might help fight crime or manage risk. Existing data warehouses, clouds and external data sources, each with its own security and policy controls or limitations, can all be integrated into a single seamless 360-degree view of client or criminal risk.
As criminality evolves, so too does Labyrinth Investigations. New data sources, analytics or visualisations can be added quickly, with support for common components and services, allowing investigators to stay one step ahead.
AI and Machine Learning – In its quest to tackle on-going criminality, Ripjar has developed some of the world’s most advanced NLP (Natural Language Processing) and NER (Named Entity Recognition) for processing unstructured documents such as news articles, intelligence reports and other text.
Covering dozens of global languages, the technology allows investigators – often for the first time – to see and understand the hidden linkages between structured data, spreadsheets and other traditional data sources and the vast quantities of unstructured text that are available in the public domain.
At the heart of this approach is our breakthrough in entity resolution, which uses a database of millions of observed names to provide unprecedented accuracy in uniquely identifying people, organisations and locations from vast quantities of unstructured and structured data. This fused view of entities allows Labyrinth Investigations to build a continuous knowledge graph of client profiles and their links to others – a game changer for understanding risk.
Investigations and Knowledge Management – When using AI tools like Ripjar to assess client risk or to investigate serious and organised crime, it is essential to have powerful visualisation tools.
Labyrinth Investigations provides state of the art link analysis software giving investigators new ways of exploring their data, following leads and finding hidden patterns. Linking to a secure centralised database of knowledge, Labyrinth Investigations gives teams working across the world the ability to collaborate, breaking down institutional silos and creating a single and complete view of the investigation that can be accessed in the future.
Exposing these technologies to KYC/CDD, AML and international law enforcement teams, we’re continually enhancing our platform to service wider market needs for investigations and risk analysis. I’d be delighted to speak with any professionals working in this space and talk more about what Ripjar can offer.
Gabriel Hopkins, Chief Product Officer, Ripjar
“Anyone can deceive us … for a time” (Tom Clancy, Cardinal of the Kremlin)
The spy novels of the cold war perhaps provide some of the most evocative and enduring imagery of espionage. A world of dark alleys and trench coats, meetings at train stations, sleeper agents, deception and secret cameras and bugs. The world of Le Carré, Fleming and Clancy has been endlessly repeated – and of course parodied – deep into our collective consciousness.
Espionage and counter-intelligence in their modern forms continue to shape the world in which we live, as hostile actors vie for information superiority, gaining economic or political advantage, or using the same covert networks to exert malign influence in pursuit of a greater goal of soft power.
Well-resourced nation states can spend years positioning undercover human agents into a foreign country to collect intelligence, or develop complex technical cyber attacks to acquire gigabytes of valuable intellectual property on the latest advances in vaccine development, aerospace and material science, or policy making – without setting foot in a country at all.
Some are even known to routinely use these capabilities to acquire compromising or embarrassing material on their adversaries – so-called ‘kompromat’ – which they can leak on the web or to an unwitting press at the right time to exert their influence.
Not since the cold war have intelligence agencies been so necessary to protect the national advantage and monitor emerging threats from hostile intelligence gathering operations. Increasingly aggressive actors, including traditional nation states, emerging powers, terrorist groups, organised crime and lone actors, use these methods to scale up their understanding of the world, threatening economic wellbeing and global security and eroding our national advantage.
As the number of these groups has broadened and the array of technology at their disposal to carry out espionage and covert intelligence gathering has expanded, so too must the response from those who seek to defend against it.
This is not just a matter for shadowy government agencies. Spies from hostile entities take an interest in all manner of civilian and private networks. Almost no public or private sector entity is exempt from the possibility of infiltration by hostile foreign agents. Critical infrastructure can be targeted as part of an attack to undermine resources. Supply chains are at risk – particularly during an emergency pandemic response. High-growth technology companies producing new advances in artificial intelligence or robotics are an attractive target. So too is the personal data of any staff member with access to privileged or sensitive data systems.
Even your and your parents’ social media accounts may not be safe, as intelligence agencies are increasingly tasked with online propaganda and misinformation campaigns to interfere with foreign elections and democratic processes and to exacerbate political divisions.
The solution to this new wave of espionage is to equip government agencies, global companies and financial institutions with new tools that enable the identification of these threats, providing a holistic, joined-up view of the intelligence threat so that defensive measures can be implemented.
We have deployed Ripjar’s Labyrinth Investigations platform to intelligence analysts all around the world, to enhance the integration of counter intelligence, security and cyber data feeds so that investigators can see a more complete view of how systems or networks have been potentially compromised by hostile actors. This type of data fusion is essential to the future of counter-intelligence work where groups operate seamlessly between the real and virtual worlds.
Using technology pioneered in the banking sector, such as entity resolution – uniquely identifying individuals in large volumes of data – we can help spot the tell-tale signs of an undercover alias: suspicious entities who have entered the country under different names, or multiple bank accounts opened by the same person.
Additionally, by curating threat intelligence and knowledge over time from multiple cyber attacks, analysts within large Managed Security Service Providers (MSSPs) and Security Operations Centres (SOCs) can use our data fusion platform to reveal the patterns and clues that identify and attribute hostile adversaries who have penetrated secure networks, and ensure remedial steps can be taken.
Lastly, at the strategic level, we are working with intelligence, law enforcement and financial bodies to enforce international sanctions, which are playing an increasing role in the range of countermeasures against hostile espionage activity and helping to enforce international norms of behaviour. Throughout 2019 and 2020, sanctions placed against the Russian intelligence agency, the GRU, or ‘Sandworm’, and the North Korean Reconnaissance Bureau, or ‘Lazarus Group’, have meant that specific individuals are placed on rigorously enforced watchlists. Denied international travel, infrastructure and access to finance, those individuals face a powerful deterrent against future behaviour. This enforcement is also bolstered by state-of-the-art technology produced by Ripjar, with real-time alerts on any sanctioned entity issued by our artificial intelligence when an accurate match is found.
The secret to uncovering deception is both patience and meticulous attention to detail. With new capabilities and data fusion technology such as Ripjar, we are ensuring that analysts can scale to meet the challenges of operating in the digital age.
It’s not John, it’s James. In the US alone, it is estimated there are over 30,000 people who share the same name, James Smith. In Korea, almost 20% of the population – some 10 million people – share the same family name of Kim. The world is also home to over 150 million with the same given name – Mohamed. Cases of mistaken identity are common, particularly when searching over large volumes of data, but they needn’t be.
Almost all investigatory work, whether in law enforcement, counter terrorism or within the anti-money laundering (AML) and due diligence processes of a bank, requires accurate ways of searching for and discovering specific entities in large data sets. However, poor record keeping, missing or incomplete data and legacy matching logic hamper these efforts. False positive matches – selecting the wrong entity – and, worse, false negatives (where a critical search result is missed altogether) are abundant.
Names are not only non-unique; there is also no standard way of rendering them. Thus, James Smith can be Jim Smith, J Smith or J M Smith, as well as a huge array of possible typos, transpositions, aliases, or renderings in different dialects, alphabets and scripts. Matching against “exact hit” names works when data quality is very high, but it means there are no alerts at all if names have even the slightest variation, increasing the chances of criminals slipping through the net. Similarly, so-called “fuzzy matching”, which will alert if one or two characters are different, still cannot account for the sheer variety of cultural nuances in how names are rendered in different types of data.
The solution is to use data to drive a new type of matching logic – advanced Entity Resolution. Ripjar uses observations from millions of names, deriving matching logic from how the name is used in real-world situations.
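To make the contrast concrete, here is a small Python example written for this article (not Ripjar's software) that screens the James Smith variants above, and the sanctions-style watchlist alerts described earlier, through all three tiers: exact hit, character-level fuzzy matching, and a variant-aware matcher driven by observed aliases. The watchlist and alias table are constructed sample data, a stand-in for a corpus of millions of observed names.

```python
import unicodedata

# Constructed sample data: two watchlist entries and a few observed given-name
# renderings. Not real people and not a real sanctions list.
WATCHLIST = ["James Michael Smith", "Mohamed Al-Sayed"]
ALIASES = {"james": {"jim", "jimmy", "jamie"},
           "mohamed": {"mohammed", "muhammad", "mohammad"}}

def normalise(name):
    """Casefold, strip diacritics and turn punctuation into spaces."""
    plain = "".join(c for c in unicodedata.normalize("NFKD", name) if not unicodedata.combining(c))
    return " ".join("".join(c if c.isalnum() else " " for c in plain).casefold().split())

def levenshtein(a, b):
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def string_match(query, watchlist=WATCHLIST, max_edits=0):
    """Tiers 1 and 2: whole-string equality (max_edits=0) or whole-string edit distance."""
    q = normalise(query)
    return [w for w in watchlist if levenshtein(q, normalise(w)) <= max_edits]

def canonical(token):
    """Fold an observed variant back to its canonical given name."""
    return next((c for c, v in ALIASES.items() if token == c or token in v), token)

def tokens_equal(q_tok, w_tok, allow_initial):
    """Alias-equal, an initial of the record's token, or a single typo in long tokens."""
    if canonical(q_tok) == canonical(w_tok):
        return True
    if allow_initial and len(q_tok) == 1 and w_tok.startswith(q_tok):
        return True
    return min(len(q_tok), len(w_tok)) >= 5 and levenshtein(q_tok, w_tok) <= 1

def record_matches(q, t):
    """Surnames must agree and each query given name must account for a distinct
    given name on the record; the record may carry names the query omits."""
    if not (q and t and tokens_equal(q[-1], t[-1], allow_initial=False)):
        return False
    unmatched = t[:-1]
    for tok in q[:-1]:
        i = next((i for i, wt in enumerate(unmatched) if tokens_equal(tok, wt, True)), None)
        if i is None:
            return False
        unmatched.pop(i)
    return True

def variant_match(query, watchlist=WATCHLIST):
    """Tier 3: token-level, alias-aware matching."""
    q = normalise(query).split()
    return [w for w in watchlist if record_matches(q, normalise(w).split())]
```

With this data, "Jim Smith", "J M Smith" and "Muhammad Al-Sayed" are found only by tier 3, while a two-edit fuzzy budget still catches the one-character typo "Al Sayid" and tier 3 does not raise "Jane Smith" as a false positive.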
Entity Resolution is an essential capability in the fight against financial crime, fraud and terrorism. By improving the quality of the data that is used to make decisions such as enforcing international sanctions or alerting to possible corruption or fraud, it can dramatically improve the effectiveness and efficiency of human analysts and allow small teams to scale investigations to the demands of the modern information environment.
Combining recent work in entity resolution and NLP means that analysts can now see the complete picture across structured and unstructured data, and data-driven approaches to name matching covering transliterations, scripts and other real-world name variants can give 90% more accuracy than legacy “fuzzy matching” technology. Robust data privacy controls mean that interconnected graphs of knowledge, resolving entities from all available data sources, can now be built without compromising user privacy or data protection.
If you would like to know more about Ripjar’s approach and how we have helped global institutions roll out breakthrough innovations in entity resolution to support their counter-financial crime programmes, please download our whitepaper or get in touch with the team below.
2020 and 2021 have definitely been bumper years in risk management. Businesses, governments and financial institutions face serious risks on all fronts – whether hidden in their supply chain, their client relationships or in their operations. In the wake of the global pandemic, we are all living through the outcome of how we have, or have not, successfully managed those risks.
As the G7 leaders meet in sunny Cornwall, it is interesting to reflect on which risks will dominate the next few years. It is natural that the risk landscape alters over time, but I think it is fair to say that, underneath all other concerns, the nature and understanding of risks has changed noticeably over the last few years. Global leadership on these issues matters more than ever – to drive change, inspire others and enhance regulatory guidance – and we are seeing a resurgent America re-join the world stage and start to exert its influence.
At the heart of the new risk agenda for groups such as the G7 is understanding what new governance models need to be put in place to tackle climate change, the environment and wider societal issues such as exploitation and modern slavery. These risk factors are often clustered as ESG – Environmental, Social and Governance – risk and may pose questions to decision makers such as:
Can my organisation continue to support or finance coal-fuelled power stations, or companies involved with the deforestation in Brazil?
Are we comfortable with our clients’ exposure to a regime that turns a blind eye to modern slavery?
Is enough being done to counter bribery and corruption?
In answering these questions, corporations face a combination of regulatory, reputational and moral incentives – but if we are to create a more prosperous and safer society, more may need to be done.
Consumer preferences are rapidly shifting too – partly as a result of the pandemic – and there is growing demand for brands that are actively conscious of potential reputational issues; public reaction can be extremely cruel to organisations that are caught unaware of poor or illegal practices in their vendor networks or supply chains.
The challenge here is to find a way to reliably measure corporate exposure to these important risks. Our Ripjar technology has proved expert at understanding when clients are connected to financial crime, and this week I was delighted to announce at our user forum that we will be extending the same algorithms to review news and media data for signals relating to ESG risk, to help organisations get ahead of their potential exposure and make the right decisions about who to do business with.
The next 5 years will see a huge shift in sentiment against poor ESG practices. It will no longer be just a large group of activists at events like the G7; public opinion is likely to shift behind the move for governments, banks and corporations to do more, and to work more efficiently, to guard against ESG risks. Contact us today to find out how you can put effective controls in place.
Imagine if we had had to try lockdown working in 2010, or even 2005. As we’ve become adept at and accustomed to Google Meet, Webex meetings and Zoom, it’s easy to forget a time when an international video conference call required a dedicated ISDN line, a couple of weeks of preparation and budget approval.
Today we can bridge continents and timezones in a few seconds for little or no cost, and find ourselves complaining if there’s a minor glitch.
The wholesale move online that enables such frictionless and rich online communication is far from problem free. Picture a jungle, or maybe an inner city. Among the beautiful trees or pristine skyscrapers are predators galore.
These predators – a complex ecosystem of cybercriminals, advanced nation-state hackers and other malicious actors – are constantly innovating to circumvent network defences. Their goal? To steal intellectual property, intimidate or extort money or even to subvert and denigrate the systems which we all rely on.
Protecting global networks has therefore never been more complex. To produce timely and actionable threat intelligence, analysts must piece together the full picture of threat actors’ behaviour from dozens, if not hundreds, of data sources, from their own network telemetry and logs to open source threat feeds and other publicly available information.
Ripjar’s clients are using the power of our flexible orchestration platform – Labyrinth – to build threat intelligence over disparate data sources. The Labyrinth platform provides intelligence-grade technology to security professionals to make sense of the ocean of data, connect the dots of adversary behaviour and illuminate hidden threats.
The platform not only provides clarity on how cyber attacks take place but also provides processes to simplify the reporting of the tools, techniques and procedures (TTPs) of threats to wider information sharing groups.
Flexible and adaptable, Labyrinth has the power to scale to new threats as they emerge, allowing developers and integrators to build new analytics, data integrations and visualisations as and when they are needed to defend our critical cyber services and networks.