Cyber Threat Intelligence and the Law of the Jungle

Nowadays, the internet can be viewed as the closest thing humans have to a predator and prey food chain where it’s truly a free-for-all. One novel method of threat modelling could be to examine what threats prey face in the animal kingdom. 

By evaluating what potential predators are out there, we can identify vulnerabilities and risks before they become a threat. The main aim of this blog is to explain clearly, with memorable analogies, to non-technical people how certain persistent threats exist in the wild.

All Artwork is from

The Law of the Jungle

The Venus Flytrap is a good example of how prey can be lured in, away from safety, into the clutches of the predators. This carnivorous plant uses a special nectar that entices insects to fall for the trap and end up in its jaws. This process in nature is comparable to that of phishing lures with decoy documents, malvertising, free Trojanised apps, pirated games, films or eBook, fake competitions and many many other techniques that are used by millions of cybercriminals every day. The internet is full of virtual venus flytraps waiting to steal your sensitive information, spy on you, and install malware to take over your device.

Flying insects can often be found embroiled in a sticky net belonging to a certain hungry arachnid. Virtual spider webs exist online in the form of very similar-looking websites sitting on the internet, hoping someone mistakenly enters their credentials into a fake login page or downloads a piece of software which comes packed with malware. Cybercriminals set up typosquatting sites (websites with a typo in the URL, very similar to a legitimate domain name) to masquerade as a target site. If someone mistypes this in the browser they may visit the wrong site, effectively flying into the spider’s web. Legitimate websites can also be compromised and have files replaced with malware or redirect visitors to malicious URLs. It always pays to have decent antivirus software, with Windows Defender enabled at the very least.
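As an added example (not part of the original post), this is the kind of check a blue team can run over hostnames seen in DNS or proxy logs to spot the typosquatting described above: any domain within a small edit distance of a protected brand domain, but not equal to it, gets flagged for review. The protected domains and sample log hostnames are constructed for illustration.

```python
"""Flag lookalike (typosquat) domains in observed hostnames.

Constructed example: PROTECTED and SAMPLE_HOSTS are made up for
illustration and do not come from the original post.
"""
from typing import Iterable, List, Tuple

# Brand domains we want to protect (constructed for this example).
PROTECTED = ["example-bank.com", "example.com"]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Reduce www.login.example.com -> example.com (last two labels).
    Adequate for .com-style names; production code should use a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def flag_lookalikes(hosts: Iterable[str], protected: List[str] = PROTECTED,
                    max_dist: int = 2) -> List[Tuple[str, str, int]]:
    """Return (host, protected_domain, distance) for hosts that are close to,
    but not identical to, a protected domain. Exact matches are legitimate."""
    hits = []
    for host in hosts:
        base = registrable(host)
        if base in protected:
            continue
        for good in protected:
            d = levenshtein(base, good)
            if d <= max_dist:
                hits.append((host, good, d))
    return hits


# Constructed hostnames as they might appear in a DNS or proxy log.
SAMPLE_HOSTS = [
    "www.example-bank.com",   # legitimate, must not be flagged
    "exampel-bank.com",       # transposed letters
    "example-bnak.com",       # transposed letters
    "examplebank.com",        # dropped hyphen
    "totally-different.org",  # unrelated
]
```

Run `flag_lookalikes(SAMPLE_HOSTS)` to get the three flagged names with their distances; tune `max_dist` down to 1 on short brand names to cut false positives.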

The Angler Fish is a perfect example of the dangers of phishing and business email compromise (BEC). The FBI’s IC3 2019 report recorded 23,775 complaints about BEC, which resulted in more than $1.7 billion in losses, all of which could have been prevented if the victims had spotted the phishing lure or if it had been picked up and remediated by detection systems and the security team. Spam emails are automated nowadays, with millions of them sent per day, and these are relatively simple to mitigate. The difficulty comes when the predators have done their research on the targets and craft bespoke spear-phishing emails, with typosquatting domains, real names, logos, and addresses. We can then clearly see how BEC is a widespread and costly problem.

The ‘Internet of Things’ (IoT) is a good idea, until it has been corrupted by cybercriminals for their own maleficent activities. Bee hives or ant colonies interact in a similar way to how many compromised IoT devices interact with a central command and control (C2) server (the Queen). Instructions are sent and received along a communications channel. Uncovering the C2 server of a botnet can be difficult, as these channels are usually encrypted, although it is the key to taking down large botnets. On its own, a bee or an ant is nothing more than a nuisance; however, together as a full swarm (like a DDoS attack) it can become an overwhelming force.

The Jungle Cordyceps is an unusual type of fungus that has become renowned for corrupting the minds of insects into doing its bidding. This is comparable to a potential insider threat. When defending an organisation we often prepare for external attackers; however, those with access to everything from the inside are likely to do the most damage, like the Capital One breach, for example. Insiders can be extorted into committing actions on behalf of an external attacker. It is not uncommon, especially in the finance sector, for a member of staff to be blackmailed this way. This risk is especially exacerbated after a large compromising data breach is released, such as the infamous Ashley Madison leak in 2015.

A certain species of crab molts once a year, all shedding their shells in unison. Doing this all at the same time, however, alerts any predators that the crab colony is vulnerable and many are in a compromised position, open to attack. Just as after a 0day vulnerability is publicly disclosed, many organisations find themselves in the same precarious position as these crab colonies. The predators then come out and it is free pickings for those still vulnerable.

Sophisticated malware often uses code signing certificates to bypass detection systems. It blends in and poses as legitimate software, just like a Chameleon. Advanced persistent threat groups are known even to steal certificates from the code-signing machines of large enterprises such as Asus. Common cybercriminals, meanwhile, constantly use private keys leaked on GitHub and other code repositories to sign their malware, camouflaging it amongst the forest of internet traffic.

Cannibalism plays as much of a part in the Chimpanzee world as it does in the world of cybercriminals and malware. Unbeknownst to average internet users, botnets and Trojans are constantly battling for control over IoT and server territory. Malware and botnets will cannibalise anything on a vulnerable device before locking out competitors and establishing control, just like Chimps constantly battling for areas of the jungle.

Like a pack of wolves, cybercriminals work in complex organised crime groups that can efficiently take down an organisation, usually for financial gain. These range from ransomware groups such as the infamous REvil, Maze, or DoppelPaymer ransomware operators to Point-of-Sale system attacks from APTs like Silence, FIN6, FIN7, or FIN8. These are highly trained and professional cybercriminals that know every trick in the book to successfully infiltrate heavily defended networks for large sums of money.

Other organised cybercrime gangs, however, such as EvilCorp or TA505, behave like merciless Hyenas. They scavenge and attack the weak, going after any target they can make a meal out of. The most vulnerable often fall for the delivery techniques employed by banking Trojans and infostealers, like Dridex, AgentTesla, Remcos RAT, Formbook, and other malware used by these groups. This malware can clear out life savings and hijack any other accounts, without mercy. Any private and confidential information is then sold to the vultures on darknet markets.

Great White Sharks can detect one drop of blood in 25 gallons (100 liters) of water and can sense even a little blood up to 3 miles (5 km) away, according to National Geographic. Cybercriminals can likewise use internet scanners and sensors to uncover your exposed cloud servers and databases containing thousands of user records. Opportunistic attackers from all over the world look for misconfigured or vulnerable instances which, with nothing more than the URL, can be accessed and have their data stolen. Organisations must remember that the sharks are always circling.

Another fun analogy which may demonstrate the spread of cybercrime across the internet is a sardine bait-ball feeding frenzy filmed on Blue Planet. Many different predators travel from all over to target these sardines (internet users), which have been confined to a tight formation. Each predator takes its turn to have a go at the sardines, splitting them up and working together, something that would not usually happen. However, when there is this much food to go around, the predators don’t waste time fighting amongst each other and just focus on the prey. Watch this video until the end!


Hope you enjoyed this fun article and can refer back to some of these in your next meeting with upper management 😁

I'm continuing on with my new series called 'This Week in Malware' to help Blue Teams and SOCs keep up with the latest and greatest cyber threats challenging organisations worldwide. The most recent This Week in Malware for the week of 11 May can be found here.
