A ransomware attack may be a once-in-a-lifetime event for some organizations; for others it is an ongoing battle of wits, technology, and speed that demands constant diligence and preparation.
While more and more companies invest in proper cybersecurity measures, both by building professional security infrastructure and by relying on commercial privacy and data protection management tools, few actively hunt for threats that may already have penetrated their defenses.
To discuss such issues, Cybernews sat down with Sung-ting Tsai, the Chief Executive Officer of TeamT5, a cybersecurity intelligence firm. We talked about the dos and don'ts in the event of a ransomware attack and which cybersecurity measures are the most important to take.
Tell us about your story. How did TeamT5 originate?
Previously, I worked at a big cybersecurity company and led a research team. I found that clients often got hacked even though we made great solutions. I think the key is that we didn't have insights into attackers' TTPs (tactics, techniques, and procedures), so our defense couldn't protect clients from those attackers.
Therefore, I became interested in cyber threat intelligence (CTI) research and decided to build TeamT5 to do CTI research. Back then, our team had already discovered that the latest and most advanced cyberattacks happened in Taiwan first. This gives us an advantage in publishing in-depth analysis and research.
Our niche is that we have focused on cyberattacks and cyber espionage for a long time. As not many people focus on this area, our research results are even more valuable and help many people and organizations around the world, especially in the US, Japan, and Korea.
Then, we made our cyber threat intelligence reports into a solution – ThreatVision, a portal to see through the chaos. In 2017, we developed ThreatSonar, an engine to hunt down intruders. It helps clients defend against cyberattacks. When others can't catch malicious cyberattacks – we can.
Since we were established, we have considered cyber threat intelligence research our most important task. We have published more than 30 research papers at international cybersecurity seminars and conferences, including Black Hat Asia, the SANS Institute CTI Summit, Virus Bulletin (VB), and CodeBlue. Our findings are recognized by many clients, including one of the top five international banks, top telecom and business groups in Japan, and governmental critical infrastructure in Taiwan.
Can you tell us a little bit about what you do? What challenges do you help navigate?
Our mission is to become the best partner to defend against advanced persistent threats (APTs).
Clients are facing two challenges:
- While attackers know a lot about our clients, our clients know little about what they're facing.
- Clients don't have sufficient technology to defend against attackers.
To help clients beat ransomware and cyber espionage, we provide three types of solutions:
- Threat Intelligence – lets clients know their enemies well and plan defense strategies.
- Defense Technology – equips clients with good tools to hunt down the enemies.
- Professional Service – we work with clients to help them deal with various cyber threats.
You often emphasize the importance of proactive threat hunting. Can you briefly describe this practice?
Traditionally, the idea of cybersecurity protection has been multi-layered defense. However, the current problem is that enterprises don't know whether attackers are already on the intranet.
So, we suggest that "proactive threat hunting" is a better idea for cyber protection nowadays. It means enterprises use our tool, ThreatSonar Anti-Ransomware, to do active and aggressive scans of logs from the SIEM (security information and event management system). Enterprises can even apply new screening rules to previous logs to discover past malicious activity.
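The retroactive scan described in the answer above, as an added example that is not part of the interview and is not TeamT5's ThreatSonar or any other product's rule format: a small archive of constructed process-creation events (invented hosts, users, paths and timestamps) is scanned with an initial rule set, a rule for shadow-copy deletion is written later, and the same archive is re-scanned so that an event recorded before the rule existed is found. The rule names, regexes and the "two distinct rules on one host within 30 minutes" escalation are assumptions made for this illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of endpoint process-creation events, in the JSON-lines
# shape a SIEM export might use. Everything in it is invented for this example.
ARCHIVE = r"""
{"ts": "2024-03-01T09:12:03Z", "host": "ws-17", "user": "alice", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "WINWORD.EXE /n report.docx"}
{"ts": "2024-03-01T09:12:40Z", "host": "ws-17", "user": "alice", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"ts": "2024-03-01T09:13:02Z", "host": "ws-17", "user": "alice", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"}
{"ts": "2024-03-02T11:04:55Z", "host": "srv-02", "user": "svc_backup", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin list shadows"}
{"ts": "2024-03-02T14:20:10Z", "host": "ws-09", "user": "bob", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "cmdline": "update.exe --silent"}
"""


def rule(name, field, pattern):
    """A hunting rule: a name, the event field it inspects, and a regex (assumed format)."""
    return {"name": name, "field": field, "re": re.compile(pattern, re.IGNORECASE)}


# Rules the team already had when the events were collected.
INITIAL_RULES = [
    rule("encoded_powershell", "cmdline", r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s"),
    rule("exec_from_user_temp", "image", r"\\AppData\\Local\\Temp\\[^\\]+\.exe$"),
]

# Rule written later, after intelligence flags shadow-copy deletion as a
# ransomware precursor. A routine "vssadmin list shadows" must not trip it.
NEW_RULE = rule("shadow_copy_deletion", "cmdline", r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")


def parse_archive(text):
    """Parse JSON lines into event dicts, adding a datetime for correlation."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def hunt(events, rules):
    """Run every rule over every stored event; return the hits, oldest first."""
    hits = []
    for ev in events:
        for r in rules:
            if r["re"].search(ev[r["field"]]):
                hits.append({"rule": r["name"], "host": ev["host"],
                             "user": ev["user"], "time": ev["time"]})
    hits.sort(key=lambda h: h["time"])
    return hits


def escalate(hits, window=timedelta(minutes=30)):
    """Hosts on which two or more distinct rules fired within `window` of each other."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    flagged = {}
    for host, host_hits in by_host.items():
        for i, first in enumerate(host_hits):
            names = {first["rule"]}
            for later in host_hits[i + 1:]:
                if later["time"] - first["time"] <= window:
                    names.add(later["rule"])
            if len(names) >= 2:
                flagged[host] = sorted(names)
                break
    return flagged


def retrohunt():
    """Scan the archive with the old rules, then again with the new rule added."""
    events = parse_archive(ARCHIVE)
    before = hunt(events, INITIAL_RULES)
    after = hunt(events, INITIAL_RULES + [NEW_RULE])
    return {
        "before": [(h["rule"], h["host"]) for h in before],
        "after": [(h["rule"], h["host"]) for h in after],
        "escalated_before": escalate(before),
        "escalated_after": escalate(after),
    }


if __name__ == "__main__":
    result = retrohunt()
    for key, value in result.items():
        print(f"{key}: {value}")
```

With only the initial rules, ws-17 produces a single hit and is not escalated; once the shadow-copy rule is applied to the same historical archive, the 09:13 `vssadmin delete shadows` event on ws-17 is found and, combined with the encoded PowerShell 22 seconds earlier, the host is escalated. The `svc_backup` host that merely listed shadows stays clean.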
How do you think the recent global events influenced the ways in which threat actors operate?
Looking at cyber attackers' behavior, you can see that cyberattacks are effective and their impact is bigger than ever. These impacts can be categorized into two types – one is leaking important information, while the other is data sabotage and ransom.
We observe that more operations with more power are being conducted by many countries. Countries are also focusing on information operations (InfoOps). They invest more resources in public opinion operations, social media operations, and media operations. Their goal is to achieve impact for certain purposes.
Recently, Ukraine has conducted such operations really well. This indicates that if there are wars or disputes between countries in the future, such InfoOps will be a common scene.
In the age of frequent cyberattacks, do you think small businesses and big enterprises require the same security measures?
In fact, it's unlikely that small businesses apply the same cybersecurity measures as big enterprises. Our suggestion is for small businesses to use the same cybersecurity framework and ideas as big enterprises do. Small businesses should prioritize each task and start with the most important parts.
We found that the biggest challenge is that small businesses are not willing to invest in cybersecurity measures. However, it's important to do so in order to make business operations run smoothly.
Since ransomware is one of your main fields of focus, could you give us a few tips on what should and shouldn't be done in the event of such an attack?
I advise companies to approach defense in four steps:
- Threat awareness – catch up on the latest cyber intelligence to understand the potential threats.
- Before the attack – deploy tools and measures to be prepared, e.g., back up your data and deploy anti-ransomware solutions.
- During the attack – have tools to see the attacks that are happening (that is, make attacks visible); if attacks are happening, enterprises should have response measures.
- After the attack – companies should have a standard operating procedure (SOP) for how to recover files and services. If companies prepare well, they may return to normal operations within a day; otherwise, they may still be shut down for a week, or even have to pay a ransom. Companies should also prepare for a negotiation. Some professional teams can help with that and lower the ransom amount.
Other things one should and shouldn't do:
- Should – back up your files and keep up with security patches
- Shouldn't – threaten attackers
In your opinion, what are the worst cybersecurity habits that make companies attractive targets for ransomware hackers?
Do not provoke actors! They are more capable than you think. Companies shouldn't claim to be 100% secure or unhackable, as tall trees catch much wind. For ransomware prevention, the most important thing is to make backups and keep them offline.
What new threats do you think the public should be ready to take on in the next few years? What security tools should be implemented by every internet user?
Firstly, there will be more ransomware attacks. The reason is that attackers are protected and hidden behind various technologies, such as the dark web (running on Tor), cryptocurrencies, and secure instant messengers. And victims are willing to pay to get their files back. This makes ransomware a profitable business.
The second threat is that countries will invest more in cyberattacks, including developing cyber weapons, increasing the power of cyberattacks, and recruiting more talent.
We suggest that enterprises and government units invest more in cybersecurity in order to defend against the threats mentioned above. We think the key is cyber threat intelligence rather than tools. When enterprises and government units know more about attackers, they can defend better. As the old saying goes: know the enemy and know yourself, and in a hundred battles you will never be in peril.
Share with us, what’s next for TeamT5?
We hope to increase our influence through cyber threat intelligence research. We believe that sharing our experience, research, and technology with more people can help them deal with APT threats.