
Using Threat Intelligence to Get Smarter About Ransomware

Given the crippling effects ransomware has had and indications that these types of attacks aren’t slowing down, it makes sense to look to threat intelligence to help.


Ransomware is rampant. On any given day you can visit your “go to” cybersecurity news source and read about another successful attack or a new malware variant. In fact, research by Proofpoint (PDF) finds that 76% of organizations experienced an attempted ransomware attack in 2022 and 64% were compromised. As a result, ransomware has become top of mind for security and IT teams as they manage their threat intelligence strategies.

But how do you go from strategy to execution, from thinking “we need to use threat intelligence to help us thwart ransomware attacks” to making that happen?

As enterprises realize that compromises are inevitable, security operations centers (SOCs) are transforming into detection and response organizations. The end game now is to mitigate risk, and the sooner and better we understand threat actors – their motivations, targets and methods – the more effective we can be at reducing exposure. However, when only 35% of respondents to Mandiant’s Global Perspectives on Threat Intelligence report (PDF) say they have a comprehensive level of understanding about different threat groups and their tools, techniques and procedures (TTPs), we have a problem.

When it comes to dealing with ransomware, the key is to detect activity before the payload has run, because after that it may be too late. This is why threat intelligence has become so important: it lets a company understand what is happening externally in order to better anticipate and protect internally. Companies need to analyze the right data to anticipate these types of attacks and, if an attack is in progress, act on that intelligence to stop threat actors before they execute the payload. Let’s take a closer look.

Anticipating a ransomware attack: Here, you’re enhancing your view of the threat landscape to identify critical trends in ransomware by bringing various sources of external threat data into a central repository so you can pinpoint the data that’s relevant within the context of your environment. There’s generic threat data that includes the signature updates we get from the defenses we use every day – our firewalls, intrusion detection and prevention tools, anti-virus, web and email gateways, and endpoint detection and response solutions – as well as Open Source Intelligence (OSINT) sources.

But to really understand threat actors that may be targeting your organization with ransomware, you also need to look at sources for more personalized data. A good place to start is with geographic and industry-specific data provided by national/governmental Computer Emergency Response Teams (CERTs) and Information Sharing and Analysis Centers (ISACs) organized by industry. Additionally, commercially available threat feeds and tools and frameworks like MITRE ATT&CK provide more details on adversaries, their targets and their TTPs. And with the rise of supply chain attacks, it’s also important to include threat data based on third parties in your ecosystem that adversaries may be actively targeting and can potentially use as pathways into your organization.

With all that data aggregated in a central repository you can then prioritize it automatically using parameters you set based on your risk profile, security infrastructure and operational environment. Now you’re able to utilize threat intelligence from a proactive standpoint to anticipate attacks and mitigate risk with steps such as prioritizing a specific patch, introducing a compensating control, updating certain configurations and conducting security awareness training. As new data and learnings are added to the repository, you can reprioritize patching and update settings and policies.


Getting ahead of the payload: If a ransomware campaign is already in progress, you may still have an opportunity to get ahead of it before data is exfiltrated and systems are locked up. However, you need to be able to act quickly, correlating external intelligence with internal threat and event data from your security infrastructure to understand whether an attack is in progress, where within the kill chain the threat actor is currently operating, and what is likely to come next.

Say you start to see indicators like unusual activity from a user account or an IP address from a country you don’t usually do business with. To get a more complete picture of what is going on, you can look at external threat intelligence to confirm or disprove malicious activity. You may see that the IP address that triggered suspicion is associated with a specific ransomware campaign. Digging deeper into additional threat intelligence sources you can learn more about that adversary, the campaign and the tactics used. As you observe what is happening across your environment, correlating internal and external data to get a complete picture of what is going on, you can quickly determine if the activity is part of a ransomware campaign and how that campaign will unfold. With a platform that is integrated with multiple systems across your security infrastructure you can respond before the payload is executed and it’s too late.
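As an added example, not from this column or from any vendor’s product, the Python below sketches both steps described above: aggregating feed records into a central repository scored against an analyst-set risk profile (the “prioritize automatically” step), then enriching internal events with that repository to separate a ransomware-linked login from merely unusual geography. The feed schema, scores, sector tags, campaign names and IP addresses (drawn from reserved documentation ranges) are all constructed assumptions.

```python
# Added example: constructed feeds, scores and IPs (reserved documentation ranges), not real indicators.
# Constructed records from three hypothetical feeds: an ISAC, a commercial feed and OSINT.
INTEL_FEED = [
    {"indicator": "203.0.113.45", "source": "isac", "campaign": "ransomware-campaign-A", "sectors": ["finance"], "confidence": 90},
    {"indicator": "198.51.100.7", "source": "osint", "campaign": "commodity-scanner", "sectors": [], "confidence": 40},
    {"indicator": "evil.example", "source": "commercial", "campaign": "ransomware-campaign-A", "sectors": ["finance", "health"], "confidence": 75},
]

# Analyst-set parameters: our sector, trust per source, countries we usually do
# business with, and how much an unusual country adds to an alert's priority.
PROFILE = {
    "sector": "finance",
    "source_weight": {"isac": 1.0, "commercial": 0.9, "osint": 0.6},
    "usual_countries": {"US"},
    "geo_bonus": 20.0,
}

def prioritize(feed, profile):
    """Build the central repository: score = confidence x source trust, x1.5 if tagged for our sector."""
    repo = {}
    for rec in feed:
        score = rec["confidence"] * profile["source_weight"].get(rec["source"], 0.5)
        if profile["sector"] in rec["sectors"]:
            score *= 1.5
        # When several feeds report the same indicator, keep the highest-scoring record.
        if rec["indicator"] not in repo or score > repo[rec["indicator"]]["score"]:
            repo[rec["indicator"]] = {**rec, "score": score}
    return repo

# Constructed internal events, e.g. authentication records pulled from a SIEM.
EVENTS = [
    {"user": "jdoe", "src_ip": "203.0.113.45", "country": "XX"},
    {"user": "asmith", "src_ip": "192.0.2.10", "country": "US"},
    {"user": "svc_backup", "src_ip": "198.51.100.7", "country": "YY"},
    {"user": "rlee", "src_ip": "192.0.2.77", "country": "ZZ"},
]

def correlate(events, repo, profile):
    """Enrich events with repository intel; alert on known indicators or unusual geography, highest priority first."""
    alerts = []
    for ev in events:
        hit = repo.get(ev["src_ip"])
        unusual_geo = ev["country"] not in profile["usual_countries"]
        if hit is None and not unusual_geo:
            continue  # neither external intel nor the internal baseline flags this event
        score = (hit["score"] if hit else 0.0) + (profile["geo_bonus"] if unusual_geo else 0.0)
        alerts.append({"user": ev["user"], "src_ip": ev["src_ip"], "score": score,
                       "campaign": hit["campaign"] if hit else None})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)
```

Running `correlate(EVENTS, prioritize(INTEL_FEED, PROFILE), PROFILE)` ranks the login tied to the ransomware campaign first, the commodity scanner second, and the unusual-country login with no intel match last, which is the triage order an analyst would want before the payload runs.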

Given the crippling effects ransomware has had over the last few years and indications that these types of attacks aren’t slowing down, it makes sense to look to threat intelligence to help. Valuable external and internal data is readily available. And when combined with capabilities to accelerate analysis and action, organizations are able to move from intention to action fast.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.
