Did you know that GMV has its own intelligence agency?

As a member of GMV’s digital surveillance and threat intelligence service, I have written this article with the aim of giving you a brief explanation of the work we do and the capabilities of our team, and to help you understand how we can assist our clients and the benefits we provide to them. 

Perhaps you are wondering who we are? We are a multifaceted and multidisciplinary group of technical and non‑technical cybersecurity specialists. Our team consists primarily of telecommunications engineers, computer scientists, and cybersecurity experts, but we also have other types of members, such as a criminologist, a document manager, a philologist, and an attorney. But regardless of our individual specializations, we all have the same goal: to determine which kinds of threats could be affecting our clients, and then analyze those threats. This makes it possible to give our clients a warning before they are attacked by cybercriminals. 

To do this successfully, our team has two subgroups: Digital Surveillance and Threat Intelligence.

Digital Surveillance: these team members are observers of cybercrime. They try to take on the mentality of a cyberattacker, so they can monitor activities that include the following, among others:

• Places where these criminals tend to be found (dark web and deep web forums, messaging services like Telegram and Discord, etc.) 

• Campaigns being carried out by cybercriminals that could harm the interests of our clients

• Potential forms of economic, reputational, and business-related damage 

• Data breaches that could give criminal groups a means of initial access 

These members represent our team’s response force, because they are also able to alert our clients about the existence of potential threats. To better understand this, it might be best to give you a real example:

We perform continuous monitoring of the criminal landscape, with the help of specialized threat intelligence platforms and tools (either acquired from leading companies, or developed in‑house to allow better adaptation to the dynamic cybersecurity environment). During this work, we frequently detect potential exposures or breaches related to third parties, which may represent a security risk for our clients. When we make these discoveries, our team quickly analyzes and confirms the information gathered, to determine whether any passwords have been compromised, or whether there are other any other vulnerabilities that malicious actors might be able to exploit. This proactive approach gives us the ability to anticipate potential high-impact attacks, such as those based on ransomware, unauthorized access, cyber espionage, or cyber sabotage. In turn, this allows us to protect our clients’ assets and information integrity.

Our clients are notified as quickly as possible, so that they can apply their own detection or prevention processes, or respond to any business impacts that may have already occurred. This allows them to prevent economic losses, reputational damage, legal consequences, etc. 

What makes this possible is not only having specialized and proprietary tools available, but also a highly qualified team that is able to make use of several types of sources, such as open-source intelligence (OSINT) and human intelligence (HUMINT), among others. 

Threat Intelligence: this subgroup of our team consists of our cyber threat researchers. These specialists analyze the events that have been detected by the Digital Surveillance subgroup, in order to interpret, assess, and contextualize them and provide actionable information (intelligence) to our client (the decision-maker). 

These team members have a solid understanding of how criminal groups act and the methods they use (i.e., tactics, techniques, and procedures, or TTP). They also know how cybercriminals tend to move through their victim’s system, what they are trying to find with each of their actions, where they have come from, the infrastructure they use, the types of malware they typically rely upon, etc. These specialists also have knowledge of the kinds of trends, threats, and geopolitical events that will play a role in shaping the existing risks that clients may be facing, and the evolving criminal landscape. For example, changes in the existing global trade paradigm could lead to state-sponsored cyber espionage campaigns that have the aim of obtaining information about competitors, and knowing this allows us to be prepared. 

Understanding changes like these is essential, because cyberattackers are constantly adapting their modus operandi and capabilities to the arrival of new technologies, and to the existing overall context (cloud computing, AI, new detection capabilities such as EDR and XDR, etc.). This means that our team must also adapt our cyberintelligence reports to these trends, so that our clients can focus their decision-making on maximum accuracy. 

The Threat Intelligence subgroup also identifies active attack campaigns that are affecting industries and regions that are relevant for our clients. For example, when they detect vulnerabilities being exploited in commonly used technologies, such as software or VPN systems, they analyze the types of techniques and exploits being used, along with the potential actors involved and their attack methods (TTPs). If our clients are using those same technologies, their exposure is assessed and indicators of attack (IOAs) are quickly generated. This facilitates early detection and response and threat anticipation, which are ways of reducing the risk of impacts such as data theft and financial losses. 

The next objective is to produce documents that contain operational and strategic information, which can help our clients’ own cybersecurity departments make more effective decisions (about how to prioritize their vulnerabilities, design offensive security exercises, monitor the technologies being exploited, develop specific detection rules, etc.).

Our team also has additional capabilities, such as the ability to collaborate with other forensic and threat-hunting teams to better understand and detect an existing threat, then resolve it more quickly (which can reduce its impact). We are also able to provide information about the modus operandi of real criminals to members of pentesting teams and red teams, so that they can better adapt their penetration tests to the existing criminal realities, while also helping blue teams become better prepared. We are also able to support the work of security operations centers (SOCs), by providing intelligence about alerts or collaborating in the process of adding information to their detection tools.

I hope that you will now have a better understanding of how our team is able to make our clients more secure, thanks to our ability to anticipate threats. All of this work has allowed us to assist companies and entities in a wide range of industries and areas: banking, telecommunications, government agencies, etc. At GMV we are committed to security, and our mission is to keep improving every day. 

Autor: Daniel Juanes Fernández