According to cybersecurity experts, there are currently about 2,000 organizations in Lithuania that are required to analyze and assess cybersecurity threats. This is relevant for all companies whose operations involve various types of data—personal, payment, confidential, and more. Unfortunately, not all companies are willing to invest in monitoring cyber threats.
Cyber Threat Intelligence (CTI) refers to the information and insights that are collected, analyzed, and shared to understand current and future cyber threats and how to defend against them. According to Modestas Sadauskas, Head of cybersecurity consulting at NRD Cyber Security, CTI is essential for organizations operating critical infrastructure (water, electricity, telecommunications, banks, and major healthcare institutions). “The Cyber Security Law requires companies critical to national security and the economy to assess and analyze threats—in other words, to conduct cyber threat intelligence. Special requirements also apply to companies in the aviation sector, while the financial sector must additionally comply with the Bank of Lithuania’s strict regulatory framework—the DORA Regulation,” explains M. Sadauskas.

From Assessment Reports to SOC Services
A company’s ability to analyze cyber threats may vary depending on its size, needs, and resources. According to M. Sadauskas, small companies with 5–10 employees are advised to use the pre-prepared threat assessment reports from ENISA (the European Union Agency for Cybersecurity) or the National Cyber Security Center, monitor publicly available information on cyber fraud methods, and stay informed about cyberattacks specific to their sector.
“Small organizations can configure their IT systems to receive alerts about unusually high data transfers from email and business applications. Of course, protection is much stronger if companies use internal or external SOC (Security Operations Center) services to assess threats and respond proactively to cyberattacks by monitoring both computer activity and network traffic. This is typically available to larger organizations that are able to identify risks and plan in advance how to mitigate them,” says M. Sadauskas.
Monitoring, intelligence, and key sources
According to Šarūnas Grigaliūnas, an information security expert and head of the KTU Cybersecurity Competence Center, a cyberattack is a violation or disruption of the confidentiality, integrity, and availability of information systems, with the aim of seizing information or data, damaging systems, taking control of them, or negatively impacting an organization’s operations. Various malicious groups often announce their attacks against organizations in a specific sector or country before they take place. According to Š. Grigaliūnas, the best defensive measure is threat intelligence—though its value is often difficult to quantify financially, because, if done well, it is hard to calculate exactly how many and what kinds of attacks were successfully prevented, and such information is not publicly disclosed.
“I would distinguish between monitoring and intelligence. Monitoring is when we observe the situation here and now, see that an attack is taking place, and respond to it, whereas intelligence prevents an incident before the attack even occurs. As an example, I would mention the disconnection from the BRELL ring. Almost a year prior to that, the CTI began operating in the country’s energy sector, monitoring sources of potential threats. All intelligence resources were directed toward the energy sector. No information about the incidents was made public, so it is likely that the impact of the threats was contained,” says Š. Grigaliūnas. The information security expert recommends that organizations monitor sources such as the social networks “Telegram” and “X,” where various information about cyberattacks and activities is published, as well as the TOR (Dark Web) network—specifically the Breach, Dread, and Pitch portals.
How is the academic community protected?
Š. Grigaliūnas points out that the academic community, which is connected through the Lithuanian Science and Studies Computer Network (LITNET), places particular emphasis on cybersecurity.
“With a single channel like LITNET, it’s easier to monitor and proactively prevent threats. Each academic institution has its own CERT (Computer Emergency Response Team), which collects threat intelligence from the National Cyber Security Center and other CERTs, can determine the region where an incident occurred based on an IP address, and can notify other institutions. Furthermore, LITNET is part of an even larger international academic network—the global research and education network infrastructure GÉANT. This makes it possible to manage traffic and specifically target, for example, DDoS attacks,” explains Š. Grigaliūnas.
Recently, sophisticated social engineering cyberattacks have become increasingly prevalent in the academic community. Researchers receive requests to publish articles about their research in scientific journals, but it later turns out that the landing page for the publication system was created by scammers seeking to profit.
“It takes a lot of meticulous work to submit a scientific publication, and scammers take advantage of researchers’ trust in the information they receive—they enter their login credentials and passwords, submit the publications, and the institutions’ finance departments end up paying for them. These scams began during the COVID-19 pandemic and have persisted to this day,” explains the information security expert.
The article was published in Lithuanian on the 15min.lt news portal: https://www.15min.lt/verslas/naujiena/mokslas-it/kibernetiniu-gresmiu-stebesena-kokioms-imonems-aktualu-ir-kokius-saltinius-stebeti-1290-2578102