Cyber Intelligence: Adding Up the Threat Landscape

Numbers don’t lie. These numbers from Symantec’s Internet Security Threat Report are scary, but they describe what’s at stake in the never-ending fight against hackers. Last year:

  • Attackers targeted five out of six large companies, a 40 percent increase over 2013
  • 24 zero-day vulnerabilities were discovered
  • 317 million pieces of new malware were created

That’s just the tip of the cyber threat iceberg. It all adds up to a big problem.

Making Data Count
So how does law enforcement get ahead of the attackers?

Data and analysis. One of the most important pieces of information for law enforcement in a cyber investigation is the malware, Allison Tsiumis, section chief with the Federal Bureau of Investigation’s Cyber Division, said at the Symantec Government Symposium. Malware can reveal a lot of information, so law enforcement must:

  • Maintain a current inventory of known malware
  • Track which malware threat groups use to carry out attacks
  • Reverse engineer malware once it’s identified and contained to see how it works and what it can do

Law enforcement must also understand the TTPs of cyber criminals – their tactics, techniques, and procedures – including:

  • Who the hackers target
  • When they launch attacks
  • How they carry out attacks
  • What method they use
  • What data they target

Connecting all these dots can help law enforcement identify hackers and even capture the bad guys. Understanding the questions law enforcement asks in its cyber investigations can help Federal agencies better understand how they should respond following a cyber attack.

Don’t Count Out the Good Guys
Stopping attacks and identifying the criminals isn’t easy, but methodical data collection and analysis has helped.

The FBI gathered enough data to pinpoint which unit of the Chinese People’s Liberation Army (PLA) was responsible for cyber attacks that led to charges being filed against five people in May 2014. The indictment named members of Unit 61398, which was publicly identified in 2013 as the Shanghai-based cyber unit of the PLA.

“That was really key, to be able to drill that far in with our investigation techniques to get that distinct of an identification of the threat actors. Not just the threat group, the Chinese government, but drill down to their actual location,” Tsiumis said.

The Justice Department’s indictment charged the PLA members with hacking into the networks of Westinghouse Electric, the United States Steel Corporation, and other companies. Jeff Brannigan, a special agent with the Department of Homeland Security’s Immigration and Customs Enforcement, said at the Symposium that the theft of intellectual property, like the thefts carried out by the PLA, “is a pervasive crime that is only going to grow in volume and severity.”

Jason Brown, Assistant to the Special Agent in Charge in the U.S. Secret Service’s Criminal Investigative Division, said that agency’s efforts have allowed it to determine that Russians in former Soviet states represent the leading perpetrators of cyber attacks against U.S. financial institutions.

“There are a lot of other nationalities and actors that are involved in computer crime,” Brown said at the Symposium. “The Secret Service views specifically those attacking our financial infrastructure seem to be mostly emanating from Eastern Europe or are Russian-speaking individuals.”

Listen to the full discussion on cyber intelligence, read the complete Internet Security Threat Report, or see a list of all session podcasts.

Feel like sharing something Noteworthy? Post a comment below or email me at

Bill Glanz is the content director for MeriTalk and its Exchange communities. In the past 14 years, he has worked as a business reporter, press secretary, and media relations director in Washington, D.C.