Threat Activity Clusters: Defenders' Way to Fight Ransomware
Sophos' John Shier on Including Threat Activity Clusters in Cybersecurity Strategy
As threats continue to advance, organizations should consider using threat activity clusters for faster detection of ransomware, advised John Shier, field CTO at Sophos.
Threat activity clusters offer advantages over traditional attribution in cybersecurity strategies by identifying patterns of malicious behavior, Shier said. These patterns can be used to develop early warning systems and to prepare incident response.
Sophos X-Ops recently analyzed four distinct ransomware incidents involving three different groups. The team found several similarities in the groups' behavior, which it attributes to ransomware gangs increasingly using affiliates to target organizations.
"As humans, we have an emotional attachment to finding out who did the crime," Shier said. "What we're trying to get across is that with threat activity clusters, it's more about behaviors. So if you're trying to protect your organization, do you want to protect against LockBit specifically or do you want to protect against ransomware? For most people, it would be the latter: They want to protect more broadly against ransomware."
In this video interview with Information Security Media Group at Black Hat USA 2023, Shier also discussed:
- Why most ransomware attacks happen outside business hours;
- How small firms can protect themselves 24/7 without hiring more analysts;
- Sophos' observations related to Royal ransomware.
Shier, a 16-year veteran of Sophos, constantly studies emerging cyberattacks and the technology that combats these threats, including encryption and synchronized security. He previously served as channel sales engineer and senior field sales engineer in North America at Sophos.