THREAT INTELLIGENCE TOOLS

ACID Technologies is a well-established threat intelligence company that provides services to companies and organizations operating in a wide variety of sectors and industries, including banking and finance, healthcare, education, transportation, energy, state and local government, gaming and gambling, and others. ACID monitors the dark web and multiple other sources and platforms 24/7/365, to detect signs of a cyber attack being planned, as well as attacks that are in progress or have already taken place.

The monitoring is meticulously tailored, based on client-specific keywords and relevant languages, in order to yield optimally precise results and actionable intelligence. Once a threat is detected, the targeted organization is alerted in real time and provided with all known details, to enable it to respond effectively. Additional intelligence is conveyed as it becomes available, enabling it to fine-tune its response. By implementing targeted countermeasures, the organization can reduce the harmful consequences of the attack – be they disruption to operations, loss of business, payment of heavy regulatory fines, loss of clients, reputational damage, and/or other. When the threat detected is an attack that is still in its planning stage, it can potentially be thwarted altogether.

What is the importance of threat intelligence?

Threat intelligence provides valuable insights to an organization and enables it to proactively protect itself from cyber threats. It supports timely, well-advised decision making regarding an organization’s security status, and enables it to take steps to effectively safeguard itself from existing and anticipated threats. The more detailed and precise the information provided by threat intelligence tools, and the earlier it is received, the better the organization’s chances of keeping itself safe from cyber attacks and breaches that compromise its data. Such breaches are likely to result in harm that can be severe in many respects: disruption or shutdown of operations – in extreme cases, for weeks or longer; financial loss; reputational harm; loss of clients; and, where relevant, heavy fines for noncompliance with regulations.

What actions do threat intelligence tools execute?

Threat intelligence tools are designed to execute a number of actions carried out in sequence in order to yield optimal threat intelligence. As cyber criminals continuously seek and implement new methods of attack, organizations are required to constantly repeat the sequence of actions in order to gain additional insights into evolving threats and develop a response that will help the organization remain safe.

The main actions commonly executed by threat intelligence tools are the following:

  • Data collection – data is collected by monitoring numerous sources, be they publicly available information (open-source intelligence) found on the internet, on social media and forums, or in reports issued by cyber security companies – whether annual reports or case-specific ones, particularly when an attack with far-reaching consequences has taken place. Other possible sources of data include governmental bodies, research institutes and the like; some of these provide the data to subscribers only, or to individual buyers interested in a specific report.
  • Data analysis – once the data is collected, it is analyzed to detect commonalities and anomalies. Commonalities include, for example, similar methods of attack employed by various adversaries, taking into consideration the vulnerabilities they direct their attention to, especially if these are likely to be present in the systems of a sizable number of organizations. Detecting anomalies is also extremely important, as these might point to attacks that have taken place and have compromised the organization’s data. Anomalies can include, for example, irregular network traffic. To be useful for an organization, the data analysis must yield actionable intelligence that is relevant to it.
  • Provision of information – to be effective, the information must be provided in a timely manner, so that the recipient is able to study it and act upon it. If the intelligence reveals, for example, malware or various methods of attack, the organization will need to check whether its systems are vulnerable to these methods, and if so, develop and assimilate solutions that reduce the risk of its succumbing to a cyber attack based on them.
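The following is an added example, not ACID’s code, of what the analysis step above can look like in practice for one data type. It takes collected network flow records, applies the two checks the text names – commonalities (flows that touch indicators already reported by other sources) and anomalies (a host whose outbound volume is far above its own baseline) – and produces alert records that the provision step would hand to the IT team. The indicator list, host addresses and flow lines are all constructed sample data; the field layout of the flow log is an assumption.

```python
"""Added example (not ACID's code): a minimal analysis step over collected
network flow records. Commonalities are checked against a shared indicator
list; anomalies are flagged per host with a robust (median/MAD) baseline.
All indicators, hosts and flow records are constructed sample data."""
from collections import defaultdict
from statistics import median

# Constructed indicator list, standing in for what a shared feed or report supplies.
# Addresses are from documentation ranges (TEST-NET), i.e. placeholders.
KNOWN_BAD_IPS = {"203.0.113.45", "198.51.100.9"}

# Constructed flow log, assumed layout: "timestamp src dst bytes_out"
SAMPLE_FLOWS = """\
2024-05-01T08:00:00Z 10.0.0.5 93.184.216.34 1200
2024-05-01T08:01:00Z 10.0.0.5 93.184.216.34 1500
2024-05-01T08:02:00Z 10.0.0.5 93.184.216.34 1100
2024-05-01T08:03:00Z 10.0.0.5 93.184.216.34 1300
2024-05-01T08:04:00Z 10.0.0.5 93.184.216.34 1250
2024-05-01T08:05:00Z 10.0.0.5 203.0.113.45 900
2024-05-01T09:00:00Z 10.0.0.5 93.184.216.34 48000000
2024-05-01T08:00:00Z 10.0.0.7 93.184.216.34 2000
2024-05-01T08:10:00Z 10.0.0.7 93.184.216.34 2100
"""


def parse_flows(text):
    """Parse flow lines into dicts; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        try:
            nbytes = int(nbytes)
        except ValueError:
            continue
        flows.append({"ts": ts, "src": src, "dst": dst, "bytes": nbytes})
    return flows


def match_indicators(flows, bad_ips):
    """Commonality check: flows to destinations already reported as malicious."""
    return [
        {"kind": "indicator_match", "ts": f["ts"], "host": f["src"], "dst": f["dst"]}
        for f in flows if f["dst"] in bad_ips
    ]


def volume_anomalies(flows, threshold=10.0, min_samples=4):
    """Anomaly check: outbound bytes far above the same host's own baseline.
    Median and median absolute deviation are used so the outlier itself does
    not drag the baseline upward the way a mean would."""
    by_host = defaultdict(list)
    for f in flows:
        by_host[f["src"]].append(f)
    alerts = []
    for host, hflows in by_host.items():
        if len(hflows) < min_samples:
            continue  # too little history to call anything irregular
        sizes = [f["bytes"] for f in hflows]
        med = median(sizes)
        mad = median(abs(s - med) for s in sizes) or 1.0  # avoid divide-by-zero
        for f in hflows:
            score = (f["bytes"] - med) / mad
            if score > threshold:
                alerts.append({"kind": "volume_anomaly", "ts": f["ts"], "host": host,
                               "bytes": f["bytes"], "baseline": med,
                               "score": round(score, 1)})
    return alerts


def analyze(text, bad_ips=KNOWN_BAD_IPS):
    """Whole analysis step: alerts sorted by time, ready for the provision step."""
    flows = parse_flows(text)
    alerts = match_indicators(flows, bad_ips) + volume_anomalies(flows)
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(alert)
```

On the sample data this yields two alerts: the flow to a listed indicator at 08:05, and the 48 MB burst from 10.0.0.5 at 09:00, whose score against that host’s 1,250-byte baseline is in the hundreds of thousands; the host with only two records is left alone because there is no baseline to compare against.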

Which categories can threat intelligence be classified into?

The main categories, with each type of threat intelligence filling its own specific function, include:

  • Strategic threat intelligence – this category is particularly important to policy setters and decision makers, as it focuses on the long term. They gain a high-level understanding of threats and the risks they present, their potential impact, trends and developments. This supports them in setting policies that take into account not only the current, but also the anticipated threats and risks, and make well-informed decisions.
  • Tactical threat intelligence – is intended to provide information on threat actors’ tactics, methods of operation and procedures; for example, new techniques adversaries use in malware and phishing attacks. The information provided here, which delves into details, includes analyses of methodologies and patterns, as well as data on techniques preferred by specific cyber criminals and groups.
  • Operational threat intelligence – is intended to help cyber security teams deal with specific threats or attacks that are taking place or are forthcoming. As such, it is time-sensitive, and the sooner the information is conveyed, the greater the chances that it will contribute meaningfully to countering the threat or attack. The intelligence provided can include, for example, information about newly discovered cases of exploitation of vulnerabilities and active campaigns launched by cyber criminals.
  • Technical threat intelligence – information that refers to the technical details of cyber threats, as can be inferred from the title. These can include, for example, email addresses used in phishing attacks, IP addresses and malware signatures, updates for antiviruses, analyses of new variants of malware, and also infection vectors and malware behaviors. This information is valuable to cyber security teams in helping them prepare targeted responses to specific threats.

What are threat intelligence platforms, and how are they useful?

Threat intelligence platforms enable gaining an understanding of cyber threats, anticipating them, and initiating an appropriate response. They can be regarded as threat intelligence tools in the sense that they facilitate information sharing among cyber security professionals and relevant stakeholders who can then study the information and determine the best course of action going forward to protect IT systems and data.

Threat intelligence platforms streamline data collection, detect threats and monitor them, uncover valuable details about vulnerabilities and the risks arising from them, and keep abreast of new tactics employed by cyber criminals. They also organize the information and glean insights from it, to share with relevant parties.

By providing organizations’ IT security teams with information on various threats – newly detected ones, as well as updated information on known ones – threat intelligence platforms spare them much time and effort, and allow them to concentrate on the solution that needs to be developed to effectively counter these threats, keep their systems safe from harm, or mitigate the harm that the threats can potentially lead to if they materialize into cyber attacks.

What is ACID’s approach to threat intelligence, and how is its effectiveness demonstrated?

Recognizing the importance of real-time, precise, detailed and actionable threat intelligence that is specifically tailored for each organization, ACID’s solution is designed to provide exactly that. Its proprietary threat intelligence tools incorporate sophisticated AI algorithms and deploy clusters of bots to scan multiple sources and platforms and perform 24/7/365 monitoring. These sources and platforms include, importantly, the dark web, but extend well beyond it to greatly increase coverage: the deep web, paste tools, dump sites, leak sites, and social media – Facebook, Twitter, Instagram, VK, and Weibo; and chats – IRC web chat, Discord, Telegram, WhatsApp and WeChat.

In order to make the monitoring of these sources as effective as possible, ACID uses search words specific to each of its clients, in the languages relevant to each case. This is particularly important to global companies operating branches in different parts of the world, or, for example, e-commerce sites that offer their customers multiple language options. The keywords can be changed, or additional ones added, at any time, as the client launches new products or services into the market or expands its reach to new markets.
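As an added illustration of the two properties described above (client-specific terms in more than one language, and a keyword set that can be changed at any time), here is a small keyword monitor over collected posts. It is example code written for this page, not ACID’s tooling, and it assumes a simple post record of id, source and text. Matching case-folds and Unicode-normalizes both keywords and text, so mixed case, full-width letters and accented forms do not cause misses, and it treats terms in scripts without word spacing (Japanese and Chinese) differently from Latin or Cyrillic terms. The client name, keywords and posts are constructed sample data.

```python
"""Added example (not ACID's code): a per-client, multilingual keyword monitor
over collected posts, with keyword sets that can be replaced or extended.
Client names, keywords and posts below are constructed sample data."""
import re
import unicodedata


def normalize(text):
    """NFKC-normalize and case-fold so 'Ａｃｍｅ', 'ACME' and 'acme' compare equal."""
    return unicodedata.normalize("NFKC", text).casefold()


# Hiragana, katakana and CJK ideographs: scripts written without word spaces.
_CJK = re.compile(r"[\u3040-\u30ff\u3400-\u9fff]")


class KeywordMonitor:
    def __init__(self):
        self._keywords = {}  # client -> set of normalized keywords
        self._patterns = {}  # client -> compiled regex (or None when empty)

    def set_keywords(self, client, keywords):
        """Replace a client's keyword list, e.g. when products or markets change."""
        self._keywords[client] = {normalize(k) for k in keywords if k.strip()}
        self._rebuild(client)

    def add_keywords(self, client, keywords):
        """Extend a client's keyword list without touching existing terms."""
        self._keywords.setdefault(client, set()).update(
            normalize(k) for k in keywords if k.strip())
        self._rebuild(client)

    def _rebuild(self, client):
        # Longest terms first so a longer phrase wins over a shorter prefix.
        words = sorted(self._keywords[client], key=len, reverse=True)
        alts = []
        for w in words:
            esc = re.escape(w)
            # Word boundaries are meaningless for CJK terms; match them anywhere.
            alts.append(esc if _CJK.search(w) else rf"(?<!\w){esc}(?!\w)")
        self._patterns[client] = re.compile("|".join(alts)) if alts else None

    def scan(self, post):
        """Return (client, matched_term, source, post_id) for every hit in one post."""
        text = normalize(post["text"])
        hits = []
        for client, pat in self._patterns.items():
            if pat is None:
                continue
            for m in pat.finditer(text):
                hits.append((client, m.group(0), post["source"], post["id"]))
        return hits

    def scan_all(self, posts):
        return [h for p in posts for h in self.scan(p)]


# Constructed posts standing in for collected forum, paste, chat and social data.
SAMPLE_POSTS = [
    {"id": 1, "source": "forum", "text": "Selling full DB dump from Acme-Bank, 2M rows"},
    {"id": 2, "source": "paste", "text": "Продаю доступ: ACME BANK, админ VPN"},
    {"id": 3, "source": "chat", "text": "nothing to see here, just acmebanking news"},
    {"id": 4, "source": "social", "text": "新しい漏洩：アクメ銀行 の顧客データ"},
    {"id": 5, "source": "forum", "text": "Ａｃｍｅ Ｂａｎｋ creds 4 sale"},
]


def build_monitor():
    """Constructed client 'acme' with English and Japanese terms."""
    monitor = KeywordMonitor()
    monitor.set_keywords("acme", ["Acme Bank", "Acme-Bank", "アクメ銀行"])
    return monitor


if __name__ == "__main__":
    mon = build_monitor()
    for hit in mon.scan_all(SAMPLE_POSTS):
        print(hit)
```

With the constructed keywords, posts 1, 2, 4 and 5 produce hits (the Cyrillic-context, full-width and Japanese variants all match) while post 3 does not, because "acmebanking" is not the term "acme bank" at a word boundary; adding "acmebanking" as a further keyword later picks that post up as well, which is the update path the text describes.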

ACID focuses on detecting malicious activity as early as possible, collecting all available information, and sending alerts in real-time to the client’s IT team, to give it ample time to prepare and implement a solution countering the threat.

The information detected thanks to the ongoing monitoring activity can include hints of an attack being planned, an attack in progress, and/or an attack that has been executed. Monitoring continues uninterruptedly to reveal more information on the detected threat and provide it without delay to the targeted organization, so that it may enhance its response.

  • When the information indicates an attack still in its planning stage, an immediate alert often allows the targeted organization to foil it by closing a breach that it may not have been aware of, but that the adversary has found. It can also prepare a response designed either to counter the attack once launched, or to mitigate its harmful consequences – avoiding a disruption or shutdown of its operations, loss of data, loss of clients, heavy fines if sensitive data is compromised, and loss of a competitive edge or market position that has been achieved through much investment of resources and hard work.
  • Providing indications of an attack in progress can help the targeted organization’s IT team to identify the vulnerability that the adversary has exploited when breaching its systems, and implement remedial action to prevent the attack from escalating and causing more harm. It will also ensure that the door is not left open for additional attacks, by the same adversary or by others. Additionally, the organization will also be able to investigate what information has been stolen and calculate its steps accordingly.
  • Indications of an attack that has taken place can include data that is being offered for sale on the dark web, or, when no buyers have been found despite what are often repeated attempts, dumped for all to access for free. Knowing precisely what is being sold provides important information on the possible repercussions of the cyber attack and allows addressing the issues to mitigate the harm.

How have ACID’s threat intelligence tools and solution helped its clients?

Some examples of ACID’s threat intelligence solution in action are presented below, demonstrating the value gained by its clients:

Banking

  • An employee of a third party that supplies services to a bank stole sensitive information and tried to sell it. ACID detected these attempts and alerted the bank, provided all known details, and continued to monitor for more. Thanks to the information supplied by ACID, the perpetrator was apprehended, the stolen data was retrieved, and the bank’s reputation remained intact. ACID continued monitoring the web for several months to verify that the data had not been copied and was not still being offered for sale by possible accomplices.
  • A disgruntled bank employee stole a database of 1 million customer records and 2 million credit cards from his employer and demanded ransom. ACID conducted extensive searches on multiple platforms to check whether the stolen data was also being offered for sale to others, to prevent harm to the bank’s reputation while it was negotiating with the attacker, in order to provide the police sufficient time to apprehend him. With the additional information that ACID collected, the employee behind the attack was identified and brought to justice, and the stolen data retrieved.

Healthcare

  • ACID detected the attempted sale of personally identifiable information (PII) of hundreds of thousands of patients on the dark net. The information included patient treatment records, details of therapy sessions with psychologists and X-rays, among others. The targeted healthcare institutions were immediately alerted and provided with all available data on the attack. In one case, the perpetrator was unable to sell the stolen information and posted chunks of data on Pastebin. ACID detected the posted chunks and informed the relevant institution in real time. It also detected activity aimed at defrauding health insurers with fake certificates. Thanks to ACID’s threat detection services, the institutions were able to mitigate the consequences of the attack, close the security breach and prevent future attacks. The targeted institution also had time to prepare a PR response before the theft became public knowledge.

Energy

  • ACID detected that a cybercriminal had hacked into a thermal power plant’s management system and gained full control. It immediately informed the client, who, with the details provided by ACID, closed the security breach and regained control of its management and control systems. The client thus avoided financial losses, as well as damage to reputation. Potential harm to the environment was also avoided.
  • ACID detected a utilities & power company’s classified report on a system malfunction on the dark web. It sent a real-time alert to the company, which was unaware that the report had been leaked. The information provided by ACID allowed the company to investigate who had leaked the report and take action to mitigate the consequences of the leak.

Telecommunications

  • ACID detected an attempt to trade in confidential information stolen from a telecommunications company. The perpetrator stole the data from the company’s engineering network, and offered private correspondence of individual users, identified by their telephone number, for sale. ACID alerted the company in real time, providing all available details, and continued monitoring the incident to collect additional data and update the client. With the information provided by ACID, the company was able to take immediate action to mitigate the consequences of the attack.

Gambling

  • ACID detected that the SSL VPN server of a gambling company’s financial system had been hacked, and that its admin access credentials were traded on the dark net. It immediately alerted the company, providing all the details known at that time, and continued monitoring in order to collect additional information as it became available. Thanks to the information provided by ACID, the company was able to eliminate the threat and mitigate its consequences, thus avoiding financial harm and damage to its reputation.

Government

  • ACID detected an attempt to sell stolen personal information of hundreds of thousands of citizens on the dark web, including the ID photos of some of them. It immediately alerted the governmental body from which the information had been stolen, providing all the available details, enabling it to close the security breach.