Timothy Reboulet | April 8th, 2022

The United States Secret Service has a motto that every agent strives to affirm and demonstrate daily: “Worthy of Trust and Confidence”. Whether protecting the President or investigating global financial crimes, we recognize that the lives and well-being of those we serve are dependent on our preparation, focus, dedication, and actions. These same mindsets can, in so many ways, be grafted onto the nature of cybersecurity and how the SpearTip team aims to be perceived by our partners.

To be deemed ‘worthy of trust and confidence’ in the realm of cybersecurity, it’s vital to first establish an understanding of the landscape and then operate in a manner demonstrative of that understanding.

The current threat landscape is as treacherous as it has ever been given the outburst of war in Ukraine, advancement of ransomware capabilities, increase of state-sponsored threat actors, and lack of adequate preparedness among individuals, governments, and businesses.

When there is global conflict in the modern era, it is no longer possible to distinguish between it occurring at home or abroad. Amidst the daily violence and death on the physical battlefield is a borderless—and in some ways invisible until it personally impacts you—clash raging in the cloud. The only meaningful protection against this cyber warfare is a robust cybersecurity posture with 24/7 endpoint monitoring as the backbone.

On the global scale, state-sponsored threat actors are emerging as the weapon of choice within national arsenals. These ‘hacktivists’, while always around, have made themselves known with the Ukrainian conflict: there are pro-Russian groups (Conti, Gamaredon, XakNet) and anti-Russian groups (Anonymous, Belarusian Cyber Partisans) carrying out attacks, both as precursors to territorial invasion and in efforts to buttress their favored benefactor. State-sponsored or state-targeted attacks are primarily concerned with intimidating their adversary and devastating large and critical infrastructure operations.

These nation-state level threats and attacks are not reserved solely for times of severe conflict. Because state-sponsored threat actors typically carry out their operations as anonymously as possible, their movements are often under a self-professed guise of tilting the balances of ‘diplomacy’ in their favor. This is often done by disrupting industries vital to maintaining a functional society: manufacturing, travel infrastructure, healthcare and financial institutions, and supply chain movements. If a state-sponsored threat operation can interfere on these fronts, the leverage gained and fear stoked go a long way in re-balancing the global landscape.

So, how do we—from the nation-state level to the personal—deal with this threat landscape littered with state-sponsored threat operators and ransomware groups actively working to compromise sensitive data and interfere with our systems and infrastructure?

By going on the offensive.

During my time assigned to the European Union Agency for Law Enforcement Cooperation (Europol) and the European Cybercrime Centre (EC3), we initiated campaigns targeting threat actors on the Dark Web in attempts to disrupt their criminal organizations. By developing intelligence on the threat operations and then proactively acting on the intelligence, the weaknesses of these criminals—no matter their purpose or allegiance—can be exploited and efforts thwarted.

Any information gained from a threat group can be used beneficially. For example, decryption keys to ransomware can be shared with the public as a defense against ransomware. The Dutch National High Tech Crimes Unit (DNHTCU) publishes discovered keys to known ransomware variants on its website: www.nomoreransom.org.

While we may never be able to completely shut down threat actors, because there will always be a new group to fill the vacuum, an offensive approach teamed with intelligence sharing and 24/7 endpoint monitoring provides the best and most comprehensive counter to state-sponsored and independent threat operations. Most threat groups utilize similar software and tactics—evidenced by the rise in ransomware-as-a-service offerings and affiliate programs—so the aforementioned approach, when properly implemented, offers optimal protection from malicious actors. Traditional threat actors need to adapt their malicious software so it can defeat the latest mitigation tools: just as the defense measures change, so too do offensive tactics.

The distinctions between traditional warfare and cyberwarfare, and between state-sponsored and independent threat groups, are more blurred than ever. My experiences working for the US Federal Government and Europol made me realize that communication between all allied agencies, foreign and domestic, is essential to minimizing the impact of threat actors. It’s also important to rely on our European partners because typically the latest trends and tactics are seen in Europe before they make their way to the US.

With our Security Operations Center actively tracking global threats and protecting our partners against devastating cyberattacks, SpearTip aims to demonstrate that we are “Worthy of Trust and Confidence” in defending sensitive, business-critical information, critical infrastructure, and supply chains from malicious threat operators at home and around the globe.