Threat Activity Clusters: Defenders' Way to Fight Ransomware

Sophos' John Shier on Including Threat Activity Clusters in Cybersecurity Strategy
John Shier, field CTO, Sophos

As threats continue to advance, organizations should consider using threat activity clusters for faster detection of ransomware, advised John Shier, field CTO at Sophos.

Threat activity clusters offer advantages over traditional attribution in cybersecurity strategies by identifying patterns of malicious behavior, Shier said. These patterns can be used to develop early warning systems and to prepare incident response.

Sophos X-Ops recently analyzed four distinct ransomware incidents involving three different groups. The team found several similarities in the groups' behavior, as ransomware gangs are increasingly using affiliates to target organizations.

"As humans, we have an emotional attachment to finding out who did the crime," Shier said. "What we're trying to get across is that with threat activity clusters, it's more about behaviors. So if you're trying to protect your organization, do you want to protect against LockBit specifically or do you want to protect against ransomware? For most people, it would be the latter: They want to protect more broadly against ransomware."

In this video interview with Information Security Media Group at Black Hat USA 2023, Shier also discussed:

  • Why most ransomware attacks happen outside business hours;
  • How small firms can protect themselves 24/7 without hiring more analysts;
  • Sophos' observations related to Royal ransomware.

Shier, a 16-year veteran of Sophos, constantly studies emerging cyberattacks and the technology that combats these threats, including encryption and synchronized security. He previously served as channel sales engineer and senior field sales engineer in North America at Sophos.

About the Author

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.
