Cyber Threat Intelligence: what it is and how it helps against online banking fraud

SharkBot, TeaBot, Revive, SpyNote, Copybara. 

These might sound like random names to some, while others may recognise them immediately.

In either case, these are all examples of banking malware that Cleafy’s Threat Intelligence team has uncovered over the past few years. Their work has enabled some of the biggest banks in Europe to defend against these threats and protect their customers swiftly.

That’s right – our Threat Intelligence team is like an in-house team of Avengers, always ready to combat cybercrime and safeguard your money.

Given that Threat Intelligence has become the core of Cleafy’s activities in recent years, we have dedicated this article to explaining in depth what Threat Intelligence is and why it is crucial in the fight against online banking fraud.

For this article, we interviewed Federico Valentini, Head of Cyber Threat Intelligence & Response, and Cleafier since 2019.

If we look at general definitions, Cyber Threat intelligence refers to a collection of information organisations use to prepare, prevent, and identify past or potential cyber threats that might target them. Threat intelligence is derived from data collected from various sources and analysed to produce actionable insights. Thanks to these insights, organisations can make informed decisions about their cybersecurity measures and strategies.

There are different types of threat intelligence, each serving distinct purposes:

1. Strategic Threat Intelligence: High-level information that provides insights into the overall threat landscape, trends, and emerging threats. Senior executives and decision-makers use it to inform long-term security strategies and policies.

2. Tactical Threat Intelligence: Detailed information about specific threats, including Tactics, Techniques, and Procedures (TTPs), indicators of compromise (IOCs), and threat actor profiles. Security teams use it to enhance their defensive measures and respond to threats in a timely manner.

3. Operational Threat Intelligence: Information that supports real-time decision-making and incident response. It includes details about ongoing attacks, attack vectors, and potential targets.

4. Technical Threat Intelligence: In-depth technical details about cyber threats, such as malware signatures, IP addresses, domain names, and vulnerabilities. IT and security professionals use this type of intelligence to configure and update security tools and systems.

I prefer to consider Threat Intelligence as the practice of connecting the dots between customer incidents, attack patterns, and specific malware discoveries. The outputs provide a way for customers to proactively identify what will happen and be ready to deal with it so they can strengthen their security posture over time. 

The quality and quantity of data analysed distinguishes an excellent TI from an average one. This usually depends on the number of banks and users the team monitors. 

For example, when a specific incident comes from a customer, the team analyses whether models are shared with incidents seen previously in other customers and understands the best way to respond. 

It is important to underline that Threat Intelligence aims to build an “identikit” of cyber attacks rather than identifying a single “enemy,” such as malware. Malware alone is useless, but what matters is how it is used in an attack campaign and from which family groups. 

Building an identikit of the various actors allows you to understand who is moving and how they are moving, which techniques are used and when. This is important because, for attackers, it is very expensive to change the way of doing fraud once they have been caught. 

I would definitely say the rise of mobile malware threats. 

Traditionally, retail banking fraud was mainly performed on workstations. With the explosion of mobile devices, fraudsters knew they had to change how they worked and focus their activity on the only place where customers really were. As you know, today, almost nobody uses banking applications from PCs anymore. 

The few cybercriminal groups in the workstation world had to specialise in corporate fraud, as  PCs are still used there. So, only the "strongest" ones who had made significant investments remained—a sort of natural selection of cyber criminality, I would say. Now, getting into a corporate PC is much more complex, while mobile is easier to attack.

With mobile, things move very quickly, and fraudsters can cause a lot of damage in a very short time. You must be fast and able to identify, classify, and communicate threats across the entire network in real time. Since everything happens so quickly, if you mistakenly send out an incorrect signature (e.g., blacklist Facebook), the bank could block the banking app for all its customers, causing pointless friction.

‍False positives are one of the fundamental problems in malware analysis.

It is paramount to adopt a cyber-fraud approach, where these two areas work together instead of being managed in silos by two separate teams.

The fraud team focuses on the transaction part and lacks the "context" data needed to understand the background better, while the cyber team could lose detailed information about how fraud happens. This makes protection very limited and often leads to completely incorrect identification of fraud scenarios.

Today, advanced fraud management requires these two silos to work strictly together to have a holistic and prompt understanding of all possible threats. 

This is a key shift of mindset as, for years, fraud could be solved only once it happened, as specialists could understand from a “reverse engineering” kind of process how to stop it in the future. Today, the cyber-fraud approach that innovative companies such as Cleafy adopt to protect their customers is essential to avoid economic and reputational damage at scale. 

Having a Threat Intelligence team working with internal anti-fraud or cyber teams is extremely helpful for raising awareness and educating people about what to look for and how to look for it. 

The advantage of integrating TI experts within the bank security department is mainly linked to the expertise gained over time and the vertical skills that can support internal people. 

Having individuals who can effectively utilise and contextualise data within the banking sector is crucial. 

Our team is not only precise but also highly practical, ensuring that data application is both feasible and advantageous. It’s not just about handling raw data; it’s about conducting comprehensive contextual analyses that give the data meaning and relevance. 

By examining a wide spectrum of clients, we can provide tailored guidance, leading to more precise and informed decision-making. 

‍

Having prior experience with various aspects of cybersecurity, such as penetration testing and vulnerability assessment, is crucial for thriving in the domain. These foundational skills are necessary before navigating the more specialised and complex area of threat intelligence and response. 

Additionally, individuals often enter this field through CTF (Capture The Flag) competitions, which provide practical and engaging challenges like hacking satellites or breaking web applications. These competitions hone problem-solving skills and technical expertise in a competitive environment.

‍Curiosity is a key trait for success in cybersecurity. The field is dynamic and rapidly changing, constantly emerging new threats and technologies. Staying curious drives continuous learning and adaptation, ensuring one remains current with the latest trends, techniques, and developments. This proactive approach is essential for understanding and mitigating the evolving landscape of cybersecurity threats.

What makes Cleafy’s Threat Intelligence a game-changer in fraud prevention?

After many years of experience in the banking and financial online fraud detection industry, we own a deep knowledge of a wide range of threats and we can develop the optimal prevention and protection strategy tailored to your overall system architecture and business needs. That’s why we call it Tailored Threat Intelligence. 

The advantages of Threat Intelligence services tailored to your business are multiple, and they refer mainly to the ability to discover in advance the most complex threats that

could target your services and users specifically. We integrate what we observe externally, the trends in anti-fraud activities, and the actual damage being caused - linking the world of pure threat intelligence (research) with incident response (working side by side with anti-fraud teams, extracting information) - connecting the dots and building, disseminating solid knowledge.

Moreover, all the information gathered by the Threat Intelligence team is available on the platform, including malware variants and capabilities, bank account reputation (e.g. mules), and device and user reputation. So you will be constantly updated on what’s happening in your systems.

With all this information, you’ll be able to set your optimal security posture, configure your automated responses, and minimise your risk exposure, benefiting from the insights gathered across Cleafy's network of customers.

Thank you, Federico, for taking the time to share your thoughts and answer our questions. Keep following Cleafy to learn more about future events and where to meet our fraud experts!