KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Excellent. Well, first of all, thank you very much, everybody for coming along.
Well, my first time in Berlin and I love this city, well, myself, you heard me earlier. I'm rich. I'm the founder of CMA CFI is an external threat landscape management company, Derek. Okay. So thank you. And welcome. Also from my side, my name is Dick Feld. I'm the head of presales for the me and the us.
And yeah, I think we have some, some really interesting insights for you today prepared first of all, about the threat landscape, but also then the impact on the IM there's a closer relationship to that as you might at first. Think of it. Excellent. Thanks there. So let let's get it started. First of all, let's, let's try to tie this up a little bit.
You know, you've heard organizations talking about external threat landscape, what is really external threat landscape and why that is so important in your cyber posture management. I was talking earlier it's it goes back to all about being aware of what is going on around you. And it plays a very, very important role in your cyber posture management. Because if you are not aware as to what is going on around you, you know, your preparedness, your readiness is, is gonna be very, very different.
So what you're gonna hear from us today, talking a little bit about how the threat landscape is changing and specifically we will focus towards what we have witnessed, especially around Europe. What are some of those cyber criminals, which we are sort of witnessing who are very active in, in this part of the world, some of the cyber crime campaign, which we have witnessed in last four months, six months, you know, we we'll talk about some of those activist group as well.
Some of the active malwares, which are very pertinent to this part of the world, and then Dirk will take over and he will, he will talk about the marriage of how do we go about looking at, you know, external threat landscape, combining that with our IM strategy strategy? Well, little bit about SIFI. We are four and half years old cybersecurity company. We kind of got us started back in Singapore in Asia, and we have travels all the way to, to Europe and us.
Now, what we do is giving you ability to understand what is outside of your organization, how you are being looked upon by cybercriminals. What are some of the things which you are carrying, which is interesting for cyber criminals. We deliver that visibility to you. Now we are a Goldman Sachs funded company. We've gone about raising yeah, 12 million and we are still out in the market. We go about working with any established, I would say manufacturing companies to financial institution, to government agencies, to retail, you name it.
We have not actually left any industry, which we have not touched as SI firm. So it's a great journey and great to be here again quickly. Let's understand. And I think you heard the panelist earlier, you know, talking about their experience as to how they see the preparedness and the readiness. Quite frankly, if you look at it the way, well, cybersecurity budgets have been sort of a skyrocketing in last few years, it's quite overwhelming to see, you know, the demand for new budget always comes into, into play.
As soon as you start to talk about a environmental factor outside Russia, Ukraine, well, I need more budget, new malware. I need new budget, new attack techniques.
I need, I need new well more budgets. The reality is despite of hundreds of billions of dollars, which has been invested in cybersecurity tools, cybersecurity, I would say processes and people cybercrime and the impact of cyber crime. And what you're seeing there is the tangible and intangible impact of cyber crime went up to 6 trillion last year. And I'm very sure this year you're gonna see a bigger number than that. What that generally means is, you know, our, our current way of looking cybersecurity and our readiness might not be working.
I'm not gonna say that while it is not working, might not be working. That's why you're seeing such a big escalation out there. And the reality is if you start to analyze some of the statistics here, which we have collected, and we have analyzed this, you look at some of the numbers out there in last 12 months, we have seen what 560% escalation in state-sponsored groups taking interest towards their target. This was never there before we have never seen any, anything like this. Before you have a situation where, you know, target towards government agencies have gone up by 173 person.
You have a situation where fishing attacks and these are like targeted fishing attacks have gone up by 1100 person. And this is just one year, you know, targeted attack towards commercial organizations to a new breed of malwares, which was launched in last one year has gone up to almost 300%. This is clearly telling us that while cyber crime, as, as a business, if I can call it is, is a very, very booming business because there's no scarcity of, you know, targets. There's no scarcity of how you can go about orchestrating this against the target.
And you have a very proper infrastructure, arms and iation, which has been actually handed over to cyber criminals. The reality is we spoke about cyber warfare. Now this has been a very topical sort of topic from many, many years. You always hear, you know, a little bit of little bit of discussion about well is cyber warfare. Even if you're real, like, you know, we have been talking about this for many years, but we have not seen a clear sort of organized cyber warfare. I think this time around the notions have changed a little bit.
We are clearly seeing the world being sort of a split into two units and both units are going against each other very, very clearly, which means cyber warfare is on us. Quite frankly, if the world has gone about actually, you know, organizing themself into two units, you are gonna continue to see this. This is not gonna stop. This is something which is upon us. And we need to now sort of realize that this is not something which we can deflect as, as we used to do earlier.
Now talking about some of the important actually, you know, verticals, which we have witnessed as a company, quite frankly, you know, a lot of interest again, towards critical infrastructure by cybercriminals. And we are talking about, you know, European threat landscape, great interest towards, you know, critical infrastructure. How do we get into critical infrastructure? And most cynical part is, you know, earlier threats towards critical infrastructure was for operational damage.
Now we are seeing, you know, interest of cybercriminals towards critical infrastructure for reputational damage, which is, you know, when you try to comprehend that it is very, very different, you know, for reputational damage. So I bring down power supply of let's say Germany. And that adds to my reputation is a very cynical sort of thinking, but that is evolving here. We have seen that very clearly cybercriminal groups are very focused towards financial institution. Historically, they have been very focused towards financial institution.
What really happened couple of years back their focus sort of got diverted towards other industry. Financial institution was always a top target for them, but then they started to focus on other industries where they were able to find a easy target very quickly. We are seeing from European threat landscape perspective, cyber criminals are revolving themselves towards financial institution. And when I say financial institution, this is not just banks or insurance company. We're also talking about virtual currencies. We are also talking about virtual assets.
Now those are assets which can be monetize end of the day. These cyber criminal groups needs to actually fund the air campaign. It doesn't come cheap, very honestly, supply chain attacks. We have seen this enough, so I'm not gonna spend a lot of time on this, but we have seen a clear evolution here. There used to be a time where, you know, cyber criminal groups used to try to get into your supply chain process and try to understand how you actually go about doing certain things to now, you know, software supply chain, cyber attacks you have seen.
And this evaluation is, is actually coming upon on us. Even if from European threat landscape perspective, SMEs, young companies, massive target. We continue to see, and you're gonna hear from me next, like 10 minutes. Why is the case? Again? Cybercriminals knows that while this particular vertical is a weak point, which they can get in very, very easily and end of the day, if they can get into your SMEs, they can get into your third parties. They can get into your fourth parties. They will get into you.
As, as simple as that ransomware groups are. You're gonna love this back in those days. If you go back couple of years, you used to see a flavor of ransomwares where we, we, we call it in our world as two phase sort of approach. They will infiltrate into our environment. They will encrypt file and folder, and they will demand for answer to what we saw starting from 2020. Like I would say, late of 2019, a three phase approach being used by them.
Whereas, you know, they infiltrate into your enrollment exfiltrate, the filing folder, encrypt demand for answer. And if you don't pay, they go naming and shaming you to. Now what we are witnessing out there, there are two factors which is playing here, right? There is a fourth page, which is coming along. Most of these cybercriminal groups who run these sort of campaigns, want to have a persistence existence in your involvement.
So despite of you actually paying their Anthem or your you're deflecting it altogether, they have a mold in your environment, which they want to use, come back and exfiltrate mold from you. Now, number two, what is also happening? And this is very pertinent to Russia and Ukraine story, which we were talking about earlier.
You know, ransomware actually, you know, groups have gone about being very innovative. You know, there was always this financial need there to now a geopolitical sort of need, which is being orchestrated using ransomware. So let me give you example, the three page of ransomware attacks, which I spoke about, you know, infiltrate into the environment, exfiltrate file folder, you know, demand for ransom name and shame organization, right? But it was always towards financial motive to what is happening right now.
And we have very clearly reported this back to number of agencies, number of our clients, to intelligence agencies, where, you know, two groups are now looking at asking you come public and support Russia or support Ukraine. That's your answer by the way. So if I'm a size of, let's say BHP, I will be put on, on the ransom and I'll have to go public and I'll have to say, I support this innovation and that's coming. I promise you, we have seen enough there. So it's a new breed of, of ransom that you're not paying money, but you are being actually asked to support a geopolitical situation.
And it it's, it's a next level of cynicism, which we are seeing out there. Again, collaboration of cybercriminal groups, massive topic. You might have seen heaps of actually, you know, articles out there. But clearly now what we have started to witness in at least last 14 months, state-sponsored groups are sharing their assets. They're sharing their infrastructure, they're sharing their arms and ululation, which was never the case before. And I say this with a lot of experience, I come from the same background.
So, you know, this was never the case. State groups never used to collaborate. Their assets were never sort of accessible to other estate groups.
Now it's, it's, it's, it's like open out, you have infrastructure access, you have tools, access, you have, you know, arms and emulation access and you can buy these sort of things and like $2, three euros out there. So clearly the collaboration is also driving lot of actually, you know, sort of attention towards what is going on in Europe. Very quickly. I spoke about this earlier, you know, the type of, sort of trends, which we are seeing from cyber crime perspective.
It's, it's actually at a very, very different level. Now, you know, kinetic cyber attacks. I don't know how many of you are aware of this. This is a type of cyber attacks by which you take people lives. Let me repeat. This is a type of cyber attack, which you orchestrate against organizations where you will have loss of life. Now this was, this was, every agencies have been looking at this, but I'll tell you what has happened. In last six, eight months, we are seeing a very active campaigns around this.
We are seeing a very active sort of cynicism out there where cyber criminal groups, state-sponsored groups wants to achieve kinetic cyber attack. And I'm sorry to give you bad news, but that's the reality. And you're gonna start to see that cyber being used for a kinetic aspiration. We have seen some of those footprint in case of the, the, the conflict which we are seeing right now, they were not successful, which is good news. But I promise you if this has started now, this is gonna evolve. And every state, every cybercriminal groups will look at actually exploring this more.
You know, again, collaboration of a state is sponsored groups. I spoke about, you have tools, you have infrastructure chair, you have arms and emulation, which is being shared by cybercriminals, which never happened earlier. You had cybercriminal groups who were selling your data. You had cybercriminal groups who were actually, you know, selling tools, but this was not the case that while I am, I'm just giving example, I'm China. I have my infrastructure out there and I'm sharing that with North Korea. I'm sharing that with Russia that never used to happen.
Now, we are seeing very, very clearly the same asset, the same malware, the same tools, the same infrastructure is being used by different groups of, you know, cyber criminals. Ransomwares we spoke about it defect the one which I want to touch upon. We've all heard about fishing. Let me say something very bold here. In two years time, you're gonna see fishing being the most important attack vector for cyber criminals going away and defect is gonna take over that. What that means, you know what DFA is, is an actual personal video of an individual.
It's like somebody talking to you, you get a phone call and or you, you are in a meeting teams. Somebody's video pops up and says, okay, just go ahead and do this. We have seen in last four months, 187% actually increase on dark web conversation around defect. This has been used many, many times, but you know, not for cyber crime. This is first time, which where we are seeing this is being looked upon by cyber criminals, as a tool, which they want to use for cyber crime. And I promise you, it is gonna be very, very invasive fishing.
You can, you can imagine, like we have evolved ourself. We have tools. We have capability. Yes. Still we get tripped over quite a many times, but at least we have evolved ourself defect. If my video goes out saying that, well, we are just wasting our time. You can imagine the type of impact that's gonna have on my own company.
So it's, it's a different level of things which is going on in cyber crime community right now. And what that means from, you know, European threat landscape. Let's just start with, you know, there are a few factors which we have presented here, and this is based on our research. This is based on our observation out there. We monitor hundreds of cyber criminal groups.
We, we monitor thousands of cyber crime campaign. That's what we do for living. And based on all that analysis is what we have assembled here in three slides, which you are gonna see here. These are important points, but we have also gone about explaining some of the trends, which we are seeing there. And in fact, the target. So let's just start with the first one. Cyber criminal groups are very actively looking at manufacturing, your automobile and retail companies and the vectors or the trends which we are seeing there is, you know, they want to use a specialized malwares.
Of course this is not new, but this time their target is not system. This time, their target is identity. It's different. They're not looking at actually breaking into your system, just like that. They're looking at your identity because they know that they can capitalize on your identity. So trends are a little bit different here. Look at intellectual property, very important, actually, you know, element here from Europe point of view, we have got heaps of industry. We have got heaps of companies who owns a lot of intellectual property.
Cybercriminal groups are clearly looking at, at least in, in those three industries where you see automobile chemical and food and privileges beverages. The reality is if you start to look at the trends, they have a clear view that, well, you know what? They're not interested in your internal systems. They're not interested in your, your people. Their interest is how do we go about exfiltrating intellectual property from those industries? And those are actually trends they're looking at using is ware. And by the way, when I'm saying, they're looking at doing things, it is happening.
As we speak, you have spyware, you have malware, you have plug plugins, which are being used by cybercriminal groups to run a reconnaissance against you to understand, are you carrying any CR jewels? And if you are carrying a crown jewels, then that's, that's their target. So of course, as you know, as I mentioned, IPN trade secret, and again, using identity theft, which is very, very relatable to where we are. It's super important. Adversaries are looking at attacking cosmetics industry.
My God, this is a next level of thing, online business. I understand. And they want to capitalize on like your trade secret. And they're looking at your chemical composition. So in cosmetics industry, as you know, chemical composition of a product is super important. That's your trade secret. They're looking at potentially actually exfiltrating that that's their motive here very quickly managed service providers will continue to be a target. I don't think so.
Cybercriminal growths have gone about, you know, deflecting themselves away from it because they know for a fact, if they have to attack a particular target, the amount of energy, money, resources they have to invest will be equal. If they go about actually going behind a managed security service or managed service providers, because then they can get access to hundreds of companies, data, information, assets. So they will continue to be a big focus for cyber criminals, large engineering companies, again for intellectual property, which was very difficult for us to understand.
But when we started to actually comprehend this a little bit, we clearly saw, especially from European threat landscape perspective, there are a lot of engineering companies in this part of the world who has been holding on their processes on their intellectual property, which has been their CR jewels by looks of it. Cybercriminal groups have figured that out and they are actually looking at breaking into it. They're looking at exfiltrating that information out. Is it gonna go out for trade? I don't think so, but it might land up into a competitive hand.
You can imagine the impact of that supply chain. I'm not gonna bow you with this, but again, in manufacturing, tourism, utility companies, we are again seeing lot of focus in cyber criminal groups towards these industry. And specifically, you know, in this case, their focus is towards the processes, which goes into these companies again, very, very quickly, you know, financial institution. We spoke about this and, and quite frankly, there, their focus seems to be, you know, your whitelisted applications.
So the applications which you generally use, like outlook or zoom or X, Y, Z, they're looking at actually impersonating them impersonated applications. You will start to see, we are seeing that a lot in us and, and in Asia. But I think in Europe, this is gonna be a new phenomena, consumer goods and pharma companies, again for their trade secret. This has been there for a while. We have seen little bit of little bit of attention of cybercriminal grips towards this, but this is not new.
And the last one is again, your, your, you know, scammers looking at throwing your, your, you know, misinformation and trying to get a advantage on, on that. Now what that means from cybercriminal groups perspective. Now you're gonna see some flags here and apologies. If you belong to one of these nations, we are, we are not against any nations. Quite frankly, our job is to give you visibility. We love all the nations. You look at apt 41. We call it as mission 2025, a cybercriminal groups supported by, well, let me, let me say it. Chinese is speaking.
Cybercriminal groups, very focused towards intellectual property. We have seen them at least in last four, five years, many cases where they've gone about actually, you know, taking out intellectual property, their focus is, is very much your intellectual property, nothing else. And this has been reported by number of other cybersecurity companies as well. LA's group is a north Korean group.
You, you have heard about them. Multiple cryptocurrency agencies has been hacked by them. They work for financial motives is as simple as that. Anything which, which can give them money, they will go for it. They're available out there. I promise you for $12. This is a state sponsored groups are available level for $12 to launch your attack against a target. You can buy them. This never used to be there. You had activist, you had activist.
Yeah, that was there. This is the next level of thing, which is going on. Now. You can buy actually state sponsored groups, which is well, very, very cynical LA's group.
Again, as I said, they work for financial motive. They are literally running the economy of North Korea. Take example.
Last year, they made four and half billion in cyber crime. There's no other industry in North Korea, which make made that kind of money just by cyber crime, four and a half billion dollars.
This year, the predictions are, they're gonna go up to seven or eight. So they're growing a hundred percent year on year, beautiful business model, tier 5, 0 5, well affiliation to, to well, Russian establishment.
Again, their focus has been more towards your critical infrastructure. Their focus has been more towards, you know, retail industry. Their focus has been more towards how do we actually, you know, capitalize our agenda against you, more geopolitical, which we have seen there.
So, as I said, as you start from, you know, PT 41 intellectual properties, their focus, the cybercriminal groups, we have seen them very, very active in this space. Now, at least in last 11 months, their activities have gone really, really up Aria's group. They understand that.
Well, there is, there's a money to be made from this market, TA 5, 0 5. Again, they're, they're working for geo agenda, but you know, this is gonna actually translate very, very quickly to financial motives as well. Some of the other groups, I'm not gonna bow over this, you guys are aware of, of lapses.
Well, we know this, and this is very relevant to this particular, you know, forum, which we are running. They went behind. Few of our colleagues, K ransom were very active.
Again, being supported by Russian establishment, very, very popular. They have gone about actually ganging up almost 17 different well ransomware groups into one. Now the game is very different lock bit. Another one, this is ransomware as a service. So you can hire these guys. And the price point is $54. And you want, you give them a target. They go and launch attack against them, a ransomware attack versus publicly available. I I'm very sure you guys can see this. Now let's talk a little bit about cyber crime campaigns, which we are seeing.
These are hacking campaigns, which are active right now, which is very relevant to, to this part of the world. Again, sort of attributing back to a cybercriminal group, think pocket, a very, very popular, you know, campaign again, focused towards intellectual property, lot of different type of actually, you know, assets. They have gone about exploiting systems. I'm not gonna worry with that, but that's the kind of color you see, all these IP addresses, which you're seeing here is, is actually, you know, their target, which we were able to capture from a community.
We went about actually, you know, releasing a global fishing campaign, which was launched by Arias group against multiple nations globally, where they wanted to capitalize on your data. This was during, you know, when, when the COVID was at the peak and, and surely their interest was how do we actually, you know, exfiltrate information out of you, which then we can potentially use to launch cyber attacks towards you. And the third one being a night blood, which is another very popular campaign out there, which is all around ransomware.
So I spoke about earlier, you know, ransomware groups are ganging up together. This is the campaign under which they have ganged up. This is the flag and again, different verticals, different tools, different infrastructure, which is being used by them. But clearly, you know, this campaign is very active in this part of the world. We have seen actually their, their attack footprint in this part of the world. We have seen organizations being tripped over by them as well.
And I can't name any organizations, but if you start to reflect back in last six months, number of ransomware attacks, most of those ransomware attacks, which we saw in, in Europe was launched by this particular campaign. Most of it, 89% of that very quickly, you know, these are set off malwares, which are active in this part of the world. Let me not Bo you with the details of it.
But again, what we are very clearly seeing, you know, when you start to attribute this back to a particular cybercriminal groups or a particular state nation, clearly you see on the first one sidewalk, you guys can Google it. That back door is super popular to exfiltrate your intellectual property. It has the ability to scan your environment. It has the ability to actually understand what is important in your environment. And it has the ability to actually exfiltrate footprints of that. They don't go about actually exfiltrating the whole intellectual property out.
All they need is a document, a process, or some sort of architectural framework. Well, Las group, very popular.
As I said, recent times, most of the cryptocurrency agencies globally, they have seen a rant from these guys, very focused towards that because they can very quickly actually capitalize. So most of the cases we have seen, you know, virtual currencies trading platforms being attacked by them, and they have a method how they go about actually exfiltrating this, you know, the, the whole virtual currency out.
I understand on, on public forums, you might have seen number of intelligence agencies have gone about blocking their access to, you know, some of the asset, which they were able to exfiltrate, but they have a new ways they're coming out with new ways, how they can swipe a particular asset to another asset. And that is happening very much real time. We have seen that happening in case of GS sniffer and tiny met another malware, very, very popular as you can.
Well, you can, you can Google it. You're gonna see heaps of them very active in this part of the world. At least in last three and a half months, we have seen this particular malware being actually Ted towards European organization, starting from retail to critical infrastructure to financial institution, very quickly, a little bit of analysis of Tokyo 2020 game and why this is important because we've got two very important event coming towards us.
In 2024, we are gonna be hosting Olympics and we are gonna be hosting EUROCOM. So again, as, as, as part of our assessment, you know, we were very quickly able to identify cyber criminal grips, state sponsored grips, looking at actually, you know, capitalizing on, on Tokyo games and the type of actually trends, which we were able to see back in those days.
Now, of course, this game is over what we were able to see very clearly before the event cybercriminal groups were looking at actually exfiltrating information, running reconnaissance exercise, you know, creating fictious sites to fictious, you know, merchandise website, to everything else, to the post event, the focus of those cybercriminal groups completely change towards the sponsoring organization. We saw a lot of actually threats going towards the sponsoring organization. And as I was saying, why that is relevant because we are about to actually host to very important sporting event.
And this is super important for us to actually keep eye on very, very quickly. And I'll I'll hand over to Derek. Why do we see cyber criminal groups succeeding?
You know, you will always hear bad names. As I was saying earlier, clearly I think in our assessment, what we have seen, you know, organizations do not have a very clear visibility of their external threat landscape. See if you don't know what you are up against, how are you gonna defend against?
Let me, let me give another example. You have a house, you have a tsunami coming right now. You really don't know. You think that wall there's gonna be a strong wind. My doors and windows are good enough. It's gonna be able to defend ourself. The reality is if you have a tsunami coming, and if you have no visibility of that, your house, your doors and windows will, will not be able to stop that. It's super important for us to have visibility. What is going on outside of the organization? What am I up against?
You know, going back to old days, you need to prepare yourself, right? So clearly the problem is there is zero visibility out there. We do not understand our external assets. We do not have a clear visibility of our assets, which are out there, which we have thrown. We do not understand our distal footprint.
We have, we are throwing everything out there on distal platforms without re really realizing that cybercriminal grips can actually potentially use that to capitalize on it. Our cybersecurity controls are pretty much inward looking. Yeah. Perimeter security to network security, to data security, to endpoint security controls. Now those are all great. You need all those tools. Those are very, very important. But if you don't understand what is coming towards you, these tools are gonna be able to defend you. No problem at all, but it's always gonna be very reactive in nature.
Something has to hit you before you respond back. And if you can potentially apply the visibility which I spoke about earlier, at least you can, you can make the whole thing a little bit more proactive, more predictive in nature. Third party systems.
Of course, we, we have got zero visibility. We keep saying that, well, we have got tools. We have got infrastructure by which we very clearly understand how third party and fourth parties are, are stage. The reality is we do not have any way of actually monitoring what is going on there.
And well, cybersecurity solutions are complex. As you know, one solution doesn't talk to other solution. Now I might dispute in few cases, there are many solutions which talk to each other, which is great. And I think we need to continue to drive that agenda.
But, you know, we are still kind of operating in a very, very silo way. If somebody is delivering perimeter security control and I'm delivering IM solution, I don't wanna actually talk to each other. It's like sort of that, that thing going on there, and that needs to go away. And that is one of the prime problem because of which we continue to see. Cybercrime escalating one, you do not understand your enemy. Number two, you have your infrastructure, which is very partisan in nature, and you have zero visibility of that.
You're, you're going out full throttle on, on distal without really understanding that that can be capitalized by cybercriminal groups and it's happening in real time base. Well, I'm, I'm gonna skip this and I'm gonna hand over to, to Dick for, for him to give you a little bit of color around how we look at, you know, the, the convergence of I am and external threat landscape manager. Thank you. I'll come back. Thank you.
