It's rare for someone to be experienced as a CTI analyst in both cyber espionage and cybercrime threat types. I often see experienced cyber espionage analysts create groups and infer links for cybercrime where they don't exist [01/xx]
To truly analyze and understand cybercrime, one must understand that it's not at all like a cyber espionage group, which can be bums on seats in a govt office with mostly their own tooling, infrastructure, etc. [02/xx]
Cybercrime is basically an actor or small group of actors who chain different capabilities together to carry out their business. Capabilities could include bulletproof hosting, malware, crypting services, ransomware services, etc. The underpinning of this is the underground [03/xx]
Presenting cybercrime problems as groups (unless they are truly a group sitting together) doesn't really help an intel consumer understand that, at the end of the day, cybercriminals are a business with different pain points that can be stopped or disrupted [04/xx]
To illustrate the point, Trickbot itself is probably run by a group as a malware service (malware as a service). Combined with that, the actors behind this service are probably using it themselves, as are customers of the service [05/xx]
The actors behind Trickbot (anyone using Trickbot) work with other actors based on the accesses they obtain through Trickbot intrusions. A financial institution with a system compromised by Trickbot could find that access sold to DPRK actors https://intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/ [06/xx]
Alternatively, if you're a small to mid-sized org compromised by Trickbot, you might find that access to your org is sold to another cybercriminal to do follow-up intrusion activity. The end objective of that right now would likely be to deploy ransomware within your org [07/xx]
TL;DR: I strongly encourage experienced cyber espionage intel analysts to spend cycles understanding how cybercrime works end to end. This is totally different from cyber espionage. Become one of those rare CTI analysts who can understand both cybercrime and espionage [08/xx]
You can follow @markarenaau.