
ThreatConnect: Mission Control for U.S. Government Cyber Operations

Across the United States Federal Government there are multiple initiatives underway aimed at improving the Nation’s cybersecurity posture. You may be focused on requirements outlined under the Modernizing Government Technology (MGT) Act, FITARA, the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, or any number of others. Across the board you will find common threads: developing a better understanding of evolving cyber risks, enhancing the effectiveness of your teams, improving the efficiency of the many vendor technologies you run, managing your risks, and sharing critical intelligence about those risks across your Agency and Government-wide.

Sounds simple, right?

Unfortunately, there is a lack of specificity as to how these goals are to be accomplished. Reading these mandates, you might ask yourself:

  • What technology solutions should be implemented to meet these requirements?
  • What processes need to be in place?
  • Am I taking full advantage of my existing technologies?

Enter ThreatConnect – a silver bullet for answering these questions and checking mandated priorities off your list, and inside this fiscal year at that!

ThreatConnect is a behavior-based, analytic Security Orchestration, Automation and Response (SOAR) platform enriched by external and internal intelligence that serves as mission control for cybersecurity operations. ThreatConnect was built on the expertise and experience of threat analysts and hunt teams for the purpose of meeting the growing need for a Threat Intelligence Platform (TIP) and SOAR solution for the United States Federal Government.

Efficiency Through Automation and Orchestration

The only way for cybersecurity teams to simultaneously address the daily pressures of alert triage, incident response, SOC operations, case management, and forensic analysis is to maximize the efficiency of existing staff with repeatable, documented automation and workflows. That’s why ThreatConnect evolved from its origins as a TIP to include industry leading SOAR capabilities.

Cloning the workflows of your most experienced analysts and operators and automating their processes might seem an impossible ask. But, the ThreatConnect Platform allows you to easily take those manual tasks and turn them into repeatable process templates to ensure consistency across operations, minimizing the risk of missing critical steps or evidence. Reducing the time to uncover relevant threats is also critical. ThreatConnect improves efficiencies and gives operators an easy to use experience, not a “black box” approach. So, silos between SOC, IR, and threat intel teams are effectively eliminated. Now, the entire cyber group can seamlessly collaborate to solve mission problems.

Effective Risk Management

Effective risk management can only be achieved by having all of the information you need readily available to make effective decisions. ThreatConnect ingests intelligence from a wide variety of classified, unclassified, and open-source (OSINT) sources, which is then normalized and operationalized, resulting in unparalleled situational awareness.

The effect is game changing. Decisions can now be made on real, actionable data (artifacts) in real time, ensuring that humans and machines are driven by the highest-fidelity intelligence.

ThreatConnect makes it possible for these artifacts to be refined into intelligence to inform decisions for future operations. Threat intelligence may be the catalyst for taking an action or starting a process and informing how the process and decision making are done throughout. As threat intelligence drives your orchestrated actions, the result of those actions can be used to create or enhance existing threat intelligence. An OODA loop is created using threat intelligence to drive orchestration, and orchestration to enhance threat intelligence thus reducing the risk to your organization.

Advance the Mission!

Think of ThreatConnect as the central nervous system for your cybersecurity ecosystem. It is a place for the entire security team to work faster, smarter, and together. It drives efficiencies in your security operations by delivering enriched, fortified, context-filled intelligence signaling a single source of truth.

The Platform natively delivers tremendous benefits for cyber operators while supporting leadership and the requirements to minimize risk and reduce the technologies in your security stack. TIP and SOAR are now a single solution, no longer two separate technology buys with separate support teams and integrations.

With ThreatConnect, your intelligence feeds operations and operations informs intelligence for future actions, continually improving the time to detect and respond to threats. ThreatConnect provides an approach that allows you to filter down to what matters most — actionable intelligence and the ability to better protect high risk Agency assets.

Learn more about ThreatConnect today – request a demo and we’ll show you how you can get your Agency on the pathway to meeting mandates and improving cyber operations inside this fiscal year!

The post ThreatConnect: Mission Control for U.S. Government Cyber Operations appeared first on ThreatConnect | Intelligence-Driven Security Operations.


How to Improve Collaboration with Security Teams and Technology using ThreatConnect

ThreatConnect is an intelligence-led SOAR Platform. We bring a critically important solution to market for our clients as we combine our world-class Threat Intelligence Platform with SOAR under one banner. This ensures that intelligence feeds operations and operations informs intelligence for future actions, continually improving the time to detect and respond to threats.

In our other recent posts, we talked about building a single source of truth with ThreatConnect, and how to improve accuracy and efficiency of your security operations through our unique approach to SOAR. But did you know that with ThreatConnect, you can improve collaboration across your teams and technology?

With ThreatConnect you can:

  • Break down the silos of disparate tools and teams to fully leverage security investments
  • Reduce staff workload through extensive automation of repeatable processes and tasks, and
  • Share intelligence with technology, teams, executives, and industry peers

Using the ThreatConnect Platform, you can continuously share information across your team and technology, giving everyone the information they need to do their jobs better. By working out of a central location, everyone is kept informed and up to date on what needs to be done. ThreatConnect supports integrations in multiple ways, which lets your team work collaboratively with the technology they’re currently using while allowing that technology to change over time.

Fully Leverage Security Investments

Leveraging multiple SDKs and an App Framework for community development, the ThreatConnect Platform incorporates hundreds of intelligence sources as well as hundreds of enrichment, processing, and integration apps that can be used to improve intelligence and drive operations across any process in your security team’s technology stack. Our focus is not simply to take feeds of data from the internet and fire hose them into our customers’ networks, but rather to refine data a customer has from any relevant source into an intelligence service for various security teams. Each of these services enables the business to integrate data, analyze it to add context and determine relevance, provide insights and recommendations, and most powerfully – to orchestrate and automate to take immediate action when appropriate.

A true SOAR platform should allow you to grow the technology to suit the needs of your people and processes. ThreatConnect’s SDKs and App Framework have enabled our customers to grow far beyond our hundreds of supported out-of-the-box applications to ensure that ThreatConnect works the way they want. Of course, these user-built apps (and Playbooks, see below) shouldn’t serve only the individual who built them. If someone solves a difficult security problem, we believe that the entire infosec community should benefit. To that end, we’ve provided mechanisms for sharing in a variety of ways for teams through in-platform features like Comments and Posts, through third-party integrations with tools such as Slack, or through our GitHub repository. These resources allow ThreatConnect users and engineers to contribute and collaborate on apps and Playbooks built using our Platform.

Enable Repeatable Processes and Tasks

Orchestration and automation can help by delegating certain tasks to machines and removing unnecessary human roadblocks. Using Playbooks, teams can automate almost any cybersecurity task using an easy drag-and-drop interface. Once enabled, Playbooks run in real time and provide you with detailed information about each execution. When paired with real-time team collaboration functionality, your team will be able to reduce the response time, including containment and remediation, to seconds — not days or weeks. Using an intel-led SOAR Platform like ThreatConnect can help incident response teams coordinate multiple streams of activity handled by different people, all with different roles and expertise, to support a comprehensive response to a security incident.

Sharing with Technology and Teams 

Documenting your processes, while still allowing for the necessary flexibility required with investigations, allows response efforts to begin more quickly and creates consistency across your team. With ThreatConnect, you can design Workflow templates or leverage ThreatConnect-built templates, then import those templates into your organization’s instance for further customization and usage.

With Workflow, your team has a central location to interact with all information related to the case at hand. ThreatConnect’s in-platform case management solution allows you to not only manage active cases, but also enrich them with both internal and external threat intelligence. Then, add new intelligence from those cases back into the Platform. And, within a Case, add Notes for additional context to what’s happening during an investigation and communicate that with other team members.

With ThreatConnect, your entire security team can work out of a single Platform to ensure efforts are being streamlined across case management, security orchestration, and threat intelligence initiatives.

Think of ThreatConnect as the central nervous system for your cybersecurity ecosystem. It is a place for the entire security team to work faster, smarter, and together.

To learn more, let us give you a demo.

ThreatConnect’s Developer Partner Program: We Meme Business

Integrations have always been at the heart of ThreatConnect’s product and company strategy. Never has that been more true than when we made the decision to move into the SOAR (security orchestration, automation, and response) market: integrations have become even more vital. A broad and open ecosystem of apps and integrations is crucial for the success of any SOAR platform. So when it came time for us to launch our Developer Partner Program, giving partners the ability to build their own apps and integrations, we don’t just mean business, we meme it.

But before we dive in, allow me to take you on a quick trip down memory lane.

A Trip Down Memory Lane

When ThreatConnect originally launched as a TIP (Threat Intelligence Platform) nine years ago, the goal was always to leverage the power of third-party technologies through integrations. Integrations were at the heart of our product strategy and allowed us to exponentially extend the functionality of the Platform. Through integrations, we were able to combine our own data model and intelligence with third-party technologies that gave analysts real-time insights that helped them more efficiently prioritize and investigate threats, and gave security leadership the tools, insights, and resources they needed to make better business decisions. But when it came to building and developing those integrations, the bulk of the technical load was taken on by internal ThreatConnect teams.

At first, this was great! It allowed us to maintain control over the quality of integrations and ensured that we were closely aligning them with the use cases that our users and customers were requesting. In a handful of short years, it’s really amazing to look at the number of integrations we were able to build, support, and take to market. We’ve worked with some of the top security vendors in the industry and solved some of the most complex and unique business challenges for our customers and prospects.

As the Platform has grown and evolved, it’s become even more integration friendly. A few years ago, we introduced orchestration functionality via ThreatConnect Playbooks. Playbooks allow ThreatConnect users to connect multiple technologies together and easily automate workflows without having to write any code. Even more recently, we’ve added Workflow and Case Management; further allowing SOC and security teams the ability to investigate, track, and collaborate on information related to threats and incidents.

And as the functionality of the Platform increased, so did the requests from vendors wanting to build their own apps. So after years of planning (that’s not hyperbole… we’ve literally been planning this for years), I’m happy to announce that ThreatConnect has officially launched our Developer Partner Program and it is now available to any technology vendor with the interest, resources, and technical ability to build their own app or integration for the ThreatConnect Platform.

So how does it work? 

Building an app for ThreatConnect might not be as complicated as you think. To get started, simply fill out the Become a Partner form on our website. A member of the technology partnership team will reach out to you to kick off the business qualifying process.

Business Qualifying

When we chat with a vendor for the first time, we really want to get to know your business. We’ll ask questions about your company, your product, your target market, etc. Through this process, we’re gauging the value of a potential technical partnership. ThreatConnect works with some of the largest, best security vendors in the market. We’ve been successful building these partnerships because we really take the time to understand our partners and how we can best align our goals and expectations to help to drive mutually beneficial business outcomes.

Technical Qualifying

There’s more than one way to integrate with ThreatConnect. In fact, there are many. And let’s be real: not all integrations are created equal. At ThreatConnect, we’re not simply trying to push out the maximum number of apps and integrations in an attempt to boost numbers. Quality and value matter.

During the technical qualifying phase, we take a consultative approach. We’ll share with you our best practices, common integration use cases based on your technology type, and provide you with the information you need to ensure that you’re building a valuable integration that joint users can benefit from. We want to help put together an integration that makes sense and highlights the value of both technologies.

Design and Development

Once we get to the design and development phase, we provide you with all the tools and resources you need to build your app. Developer Partners get access to the ThreatConnect Sandbox for development and testing, as well as access to our Tech Partner Slack Workspace so we can communicate with you and your team in real time. In addition, you can access our robust developer documentation through our Developer Community Site. This site provides you with training, documentation, best practices, common integration use cases, and more: everything you need to build your app or integration with ThreatConnect.

Launch Phase

For me, this is the most exciting part. We’ve spent all this time planning and developing this app, and now we get to set it free in the wild and promote it to our joint users. As part of the launch, we’ll host your app on the ThreatConnect GitHub (this part is optional) along with any accompanying documentation. In addition, we’ll add your integration to our robust list of integrations on the Integrations Page of our website, and we’ll promote our partnership through our Technology Partnerships page. We’ll also work with you on other joint marketing and promotion, whether that be press releases, social media announcements, or other joint marketing collateral.

How long does the process take? 

The process of building an app for ThreatConnect might not take as long as you’d think. With the partner primarily responsible for the development of the app, we move at your speed. If you’re looking to satisfy an urgent customer or prospect request, we can move things along quickly. If priorities have shifted and your need isn’t so urgent, we can work with that too. Our team is responsive and flexible, and we’ll work with your timeline.

So, what now? 

ThreatConnect’s SOAR capabilities are now available and we’re ready to work with you. Whether you’re a long time ThreatConnect Technology Partner looking to build out some new SOAR use cases, a new vendor looking to bring a new product to market, or somewhere in between, we want to hear from you! To get started, simply fill out the Become a Partner form and we’ll be in touch. We’re excited for all the opportunities the Developer Partner Program brings and the flexibility it gives us to work with new vendors, new technologies, and bring new apps to market.

ThreatConnect Research Roundup: Spoofing SharePoint

May 13 2020 Edition

Howdy, and welcome to the ThreatConnect Research Roundup: Threat Intel Update (blog edition)! Here we will be sharing a collection of recent findings by our Research Team, as well as items from open source publications that have resulted in observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account. If you don’t have one, please click here to request your free TC Open account.

Roundup Highlight: Rickrolling Researchers! Really?

Our highlight in this Roundup is a collection of suspicious network infrastructure registration activity using the brand name SharePoint (Microsoft team collaboration software) and spoofing legitimate domains belonging to organizations in a variety of industries, including automotive, energy, engineering, industrial control systems, manufacturing, and mining. The associated indicators (IP addresses, registered domains, and their “login” subdomains) are shared with the Campaign in the ThreatConnect Common Community described below.

Other commonalities include name servers, domain resolutions to dedicated servers, and Let’s Encrypt SSL certificate usage, as described in the Campaign shared to the ThreatConnect Common Community and the associated Incidents (also listed at the top of the next section of this blog post). One particularly peculiar feature of this activity is the configuration of subdomains like login.invoice-my-sharepoint[.]com, several of which were redirecting to a video of Rick Astley’s “Never Gonna Give You Up” on YouTube at the time of analysis.

At this time, we don’t know the extent to which these domains have been used maliciously or who they are associated with, but we will continue to monitor for related suspicious or malicious activity.
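As an added example (not ThreatConnect code), the following Python hunts a constructed set of hostname/IP/certificate-issuer records for the `<brand>-my-sharepoint.<tld>` naming described above, keeps genuine `<tenant>-my.sharepoint.com` OneDrive hosts out of the results, and annotates each hit with the commonalities the roundup points to: a “login” subdomain, several lookalike domains resolving to one server, and a Let’s Encrypt certificate. The sample records, the watched-brand list, and the function names are all assumptions for the demonstration.

```python
"""Hunt for SharePoint-themed lookalike hostnames of the form <brand>-my-sharepoint.<tld>.

Added example, not ThreatConnect code. Input records are constructed; in practice they
would be joined from passive DNS and certificate transparency (hostname, resolved IP, issuer).
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Set, Tuple

# Lookalike: optional subdomain labels, then <brand>-my-sharepoint.<tld>.
# Single-label TLD only; multi-label public suffixes (co.uk) are a known simplification.
LOOKALIKE = re.compile(
    r"^(?:(?P<sub>[a-z0-9.-]+)\.)?(?P<brand>[a-z0-9-]+)-my-sharepoint\.(?P<tld>[a-z]{2,})$"
)
# Genuine OneDrive for Business hosts are <tenant>-my.sharepoint.com: a dot, not a hyphen,
# separates "my" from "sharepoint". These must never be flagged.
GENUINE = re.compile(r"^(?:[a-z0-9.-]+\.)?[a-z0-9-]+-my\.sharepoint\.com$")


def refang(host: str) -> str:
    """Turn a possibly defanged name ("acme[.]com") into a plain lowercase FQDN."""
    return host.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


def parse_lookalike(host: str) -> Optional[Tuple[str, Optional[str], str]]:
    """Return (spoofed brand, subdomain or None, registered lookalike domain), or None."""
    h = refang(host)
    if GENUINE.match(h):
        return None
    m = LOOKALIKE.match(h)
    if not m:
        return None
    apex = f"{m.group('brand')}-my-sharepoint.{m.group('tld')}"
    return m.group("brand"), m.group("sub"), apex


@dataclass
class Finding:
    host: str
    brand: str
    apex: str
    ip: str
    reasons: List[str] = field(default_factory=list)


def hunt(records: Sequence[Tuple[str, str, str]],
         watched_brands: Sequence[str] = ()) -> List[Finding]:
    """Classify (hostname, resolved IP, certificate issuer) records; one Finding per lookalike."""
    parsed: Dict[str, tuple] = {}
    for host, ip, issuer in records:
        hit = parse_lookalike(host)
        if hit:
            parsed[refang(host)] = (hit, ip, issuer)

    # Several distinct lookalike domains on one IP point at a server dedicated to the campaign.
    apexes_by_ip: Dict[str, Set[str]] = defaultdict(set)
    for (_, _, apex), ip, _ in parsed.values():
        apexes_by_ip[ip].add(apex)

    findings = []
    for host, ((brand, sub, apex), ip, issuer) in parsed.items():
        f = Finding(host, brand, apex, ip, ["brand-lookalike:my-sharepoint"])
        if sub and "login" in sub.split("."):
            f.reasons.append("login-subdomain")          # the login.<domain> hosts seen above
        if len(apexes_by_ip[ip]) > 1:
            f.reasons.append(f"shared-ip:{len(apexes_by_ip[ip])}")
        if "let's encrypt" in issuer.lower():
            f.reasons.append("free-ca-cert")
        if any(w in brand for w in watched_brands):
            f.reasons.append("watched-brand")            # spoofs an organisation we protect
        findings.append(f)
    return findings


# Constructed sample (documentation IP ranges): two lookalike domains plus a login host on
# one server, a lone lookalike on another, a genuine OneDrive host, and an unrelated name.
SAMPLE_RECORDS = [
    ("acme-my-sharepoint[.]com", "198.51.100.7", "Let's Encrypt"),
    ("login.acme-my-sharepoint[.]com", "198.51.100.7", "Let's Encrypt"),
    ("globex-my-sharepoint[.]com", "198.51.100.7", "Let's Encrypt"),
    ("contoso-my.sharepoint.com", "203.0.113.10", "Microsoft"),
    ("mail.example.org", "203.0.113.20", "DigiCert"),
    ("initech-my-sharepoint[.]net", "192.0.2.55", "Let's Encrypt"),
]


def demo() -> List[Finding]:
    return hunt(SAMPLE_RECORDS, watched_brands=("acme",))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.host:32} brand={f.brand:8} ip={f.ip:14} {' '.join(f.reasons)}")
```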

ThreatConnect Research Team Intelligence:

These are items recently created or updated in the ThreatConnect Common Community by our Research Team. They include threat actor profiles, malware families, campaigns, signatures, and incidents based on our research and threat hunting activities. This week, we highlight ongoing activity spoofing organizations in the ICS, energy, and mining sectors, as well as domain activity spoofing Windows, Cloudflare, and AWS.

At this time we don’t have any indication of the extent to which, if any, this infrastructure has been used maliciously.

In addition to the use of “my-sharepoint” strings, similar to the infrastructure identified in previous incidents, a login.petrofac-my-sharepoint[.]com subdomain was identified for one of the domains in a Let’s Encrypt SSL certificate, per Censys. Like the previous infrastructure, per urlscan.io, this login subdomain redirects to Rick Astley’s “Never Gonna Give You Up” on YouTube. At this time, we don’t have any information on the extent to which this infrastructure has been used maliciously.

Update 5/12/2020

ThreatConnect Research identified three additional “my-sharepoint” themed domains registered on May 11 2020 and hosted at the aforementioned 217.8.117[.]152. The additional domains include the following:

“Login” subdomains were also identified for these domains and several of those previously identified. Additionally, another domain — garry-you-are-the.best — and its subdomains are also hosted at 217.8.117[.]152. At this time, we do not know whether this domain is associated with the same actor behind the “my-sharepoint” themed infrastructure.

Update 5/6/20

Two related domains — mfaaws[.]com and mfa-aws[.]com — were registered through OrangeWebsite on May 4 2020. The mfa-aws[.]com domain is hosted at the aforementioned IP 95.179.158[.]42, while mfaaws[.]com is hosted on non-dedicated infrastructure. Per Censys, the following subdomains were identified in a Let’s Encrypt SSL certificate and are also hosted at the same IP:

Per urlscan.io, as of May 6 2020, both the mfa-aws[.]com domain and subdomains redirect to Amazon Web Services’ (AWS) legitimate site.

Technical Blogs and Reports Incidents with Active and Observed Indicators:

The ThreatConnect Technical Blogs and Reports Source is a curated collection of open source blogs and reports that are automatically aggregated and parsed for Indicators on a daily basis. Incidents listed here are associated with one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).

To receive ThreatConnect notifications about updates to these Groups or their associated Indicators or Tags, remember to check the “Follow Item” box on that item’s Details page.

ThreatConnect and Jira: Automating Processes Made Easier

We’ve expanded our Jira integrations and now support more use cases with new ThreatConnect Apps. The existing ThreatConnect Playbook App for Jira Core has been improved and a brand new Playbook App that works with Jira Service Desk has been released. Users are now provided with more opportunities to coordinate activities between ThreatConnect and Jira products. These Playbook Apps are the key building blocks for automating processes between the two Platforms.

Now you’re able to manage any Jira Issue or Service Desk Request, built-in or custom, as part of a ThreatConnect Playbook. Repeatable and mundane tasks like copying and pasting information from ThreatConnect to Jira or opening a Jira issue can now be completely automated.

The following actions are now available via ThreatConnect Playbook Apps:

  • Get, Create and Update Jira Issues and Service Desk Requests
  • Add Attachments and Comments to Jira Issues and Service Desk Requests

Jira Core Playbook App

Jira Service Desk Playbook App

If you’re a ThreatConnect customer, please reach out to your dedicated Customer Success Team for more information on utilizing the Jira Playbook Apps. If you’re not yet a customer and interested in ThreatConnect, contact sales@threatconnect.com

10 Things Security Analysts Can Do for Free in TC Open - UPDATED

Find Relevant Intelligence and Stay “In the Know”

TC Open™ is the free edition of ThreatConnect. It gives you access to intelligence from many open sources (OSINT), all aggregated in one place under a unified framework.

One of the most valuable sources is our “Technical Blogs and Reports” source, which scans hundreds of popular threat intelligence and security blogs and makes them easily searchable and actionable in TC Open.

A sampling of some of the sources available in TC Open

We’re constantly adding new content and features for our free users, so look for the 💥 symbol in this article for brand new updates!

[Learn more about the differences between our free and paid edition.]

See 10 things security analysts can do in TC Open:

  1. Search OSINT for intel on indicators, CVEs, and adversaries
  2. Check out the latest intel from your favorite security blogs
  3. Find Indicators related to a specific malware family or CVE
  4. Subscribe to your favorite intel topics
  5. Scan a text file to uncover relevant intel
  6. Download a PDF report and share it
  7. Export indicators for use in another tool or for further analysis
  8. Grab some Snort and YARA rules you can use immediately
  9. Create some daily or weekly habits using dashboards
  10. Explore and contribute to our Common Community
  11. 💥 BONUS: Stay on top of COVID-Related Activity

Search OSINT for intel on indicators, CVEs, and adversaries

Click the magnifying glass in the upper right of any page in ThreatConnect. Enter an indicator* of compromise, the name of an adversary, a malware family, a CVE, and more. Get results!

From here, click “Technical Blogs and Reports” to get some context on this indicator.

It’s a scam!

Even if our free sources don’t return results, we’ll provide you links to dozens of popular enrichment sources so that your search doesn’t have to end.

Click an Investigation Link to uncover more about an Indicator, or select “Open All” to view them all at once.

*Supported Indicators include IP Address, Host/Domain, URL, File Hash (MD5, SHA1, SHA256), Email Address, CIDR, ASN, User Agent, Mutex, and Registry Key.

Check out the latest intel from your favorite security blogs

Our Technical Blogs and Reports source (a/k/a “Tech Blogs”) collects data from hundreds of popular security blogs and turns it into machine-readable threat intelligence (MRTI) in ThreatConnect. To see what’s new, select “Browse” from the main navigation menu, select “Technical Blogs and Reports” from the My ThreatConnect dropdown, then sort by date added.

💥 The Tech Blogs source now includes MITRE ATT&CK Tactics and Techniques!

Browse is a tabular view of all the intelligence you can access in ThreatConnect. Using the options on this page, you can filter on Indicators, Adversaries, Incidents, and more. The OSINT Dashboard (available from the “Dashboard” dropdown in the main menu) also shows the latest intel reports from Tech Blogs.

A sampling of some of the blogs we collect. You can request new ones by emailing research@threatconnect.com

💥 We just added a sister source to Technical Blogs and Reports: Spamtastic, which collects information specifically from spam-related blogs.

Find Indicators related to a specific malware family or CVE

Tags in ThreatConnect let us effectively categorize intel. Popular tags include specific CVEs, malware families, industry, and much more. You can filter the Browse screen by Tag by clicking the “Filters” button, entering a Tag (or Tags!) and clicking “Apply.”

All Incidents tagged “coinhive.”

You can also select the “Tags” option on the Browse screen to view a list of all Tags available to you, drill down on the Tag, and see all related intelligence.

Coinhive is a busy malware.

Subscribe to your favorite intel topics

If there’s a Tag you’re interested in, we’d recommend Following it so you can get notified whenever something new comes in. It’s like subscribing to a topic across dozens of blogs instead of just following one blog. Just click the “Follow” option in the upper right when viewing the details of a particular Tag or other piece of intelligence.

Try it! Check out the [coinhive] Tag and click “Follow Item”.

You can click on the Notification bell in the main navigation to adjust your notification preferences, e.g. instant email vs digest email.

Scan a text file to uncover relevant intel

Search lets you look for more than just one indicator or adversary or incident at a time: you can upload an entire file and have ThreatConnect scan it for indicators. For example, if you have a log file that’s full of IP addresses (among other things), just save it as a text file; ThreatConnect will recognize the IPs and correlate them to known intelligence.

Correlations between a log file and intelligence in ThreatConnect
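As an added example (not ThreatConnect’s own scanner), the Python below does on a constructed log what the passage describes: it extracts file hashes, IP addresses, e-mail addresses and hostnames (defanged or not), drops RFC 1918, loopback and link-local addresses that are never worth correlating, and matches what remains against a constructed intel set, so that a login subdomain still correlates with intel held on its parent domain. The intel entries, log lines and function names are assumptions for the demonstration.

```python
"""Scan free-form text (a log file, a report) for indicators and correlate them with known intel.

Added example, not ThreatConnect code. The intel set and log lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Checked in this order; each match is blanked out so a later, looser pattern (host) cannot
# re-extract part of an earlier one (the domain inside an e-mail address, for instance).
PATTERNS = [
    ("sha256", re.compile(r"\b[a-fA-F0-9]{64}\b")),
    ("sha1", re.compile(r"\b[a-fA-F0-9]{40}\b")),
    ("md5", re.compile(r"\b[a-fA-F0-9]{32}\b")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}(?:\.|\[\.\])){3}\d{1,3}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}\b", re.I)),
    ("host", re.compile(r"\b(?:[a-z0-9-]+(?:\.|\[\.\]))+[a-z]{2,}\b", re.I)),
]

# Addresses that are never worth correlating with external intel. RFC 5737 documentation
# ranges are deliberately not listed so that the constructed sample below still correlates.
_LOCAL_NETS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def refang(value: str) -> str:
    """Undo common defanging ("example[.]com", "hxxp") and lowercase the value."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").lower()


def is_routable(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # e.g. 999.1.1.1 matched the regex but is not an address
        return False
    return not any(addr in net for net in _LOCAL_NETS)


def extract(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line number, kind, refanged value) for every indicator found in text."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        work = line
        for kind, pat in PATTERNS:
            spans = [(m.start(), m.end()) for m in pat.finditer(work)]
            for start, end in spans:
                value = refang(work[start:end])
                # Blank with the same length so the remaining spans stay valid.
                work = work[:start] + " " * (end - start) + work[end:]
                if kind == "ipv4" and not is_routable(value):
                    continue
                yield lineno, kind, value


def candidates(kind: str, value: str) -> Iterator[str]:
    """The value itself, then (for hosts) each parent domain down to the registered domain,
    so login.acme-my-sharepoint.com still correlates with intel on acme-my-sharepoint.com."""
    yield value
    if kind == "host":
        labels = value.split(".")
        for i in range(1, len(labels) - 1):
            yield ".".join(labels[i:])


@dataclass
class Hit:
    line: int
    kind: str
    value: str
    matched: str      # the intel key that matched: the value itself or a parent domain
    context: str


def correlate(text: str, intel: Dict[str, str]) -> List[Hit]:
    hits = []
    for lineno, kind, value in extract(text):
        for cand in candidates(kind, value):
            if cand in intel:
                hits.append(Hit(lineno, kind, value, cand, intel[cand]))
                break
    return hits


SHA256_SAMPLE = "0123456789abcdef" * 4     # constructed, not a real file hash

# Constructed intel, in the shape a "my-sharepoint" Incident from the roundup would contribute.
SAMPLE_INTEL = {
    "acme-my-sharepoint.com": "Incident: SharePoint-themed lookalike domain (constructed)",
    "198.51.100.7": "Incident: server hosting several lookalike domains (constructed)",
    SHA256_SAMPLE: "Malware sample hash (constructed)",
}

# Constructed log lines mixing defanged and plain indicators, a private IP and e-mail addresses.
SAMPLE_LOG = (
    "2020-05-12T09:13:02Z proxy CONNECT login.acme-my-sharepoint[.]com:443 from 10.20.30.40\n"
    "2020-05-12T09:13:05Z dns query acme-my-sharepoint.com -> 198.51.100.7\n"
    f"2020-05-12T09:14:11Z av detection sha256={SHA256_SAMPLE} md5={'deadbeef' * 4}\n"
    "2020-05-12T09:15:00Z mail from attacker@example.net to staff@corp.example\n"
)


def demo() -> List[Hit]:
    return correlate(SAMPLE_LOG, SAMPLE_INTEL)


if __name__ == "__main__":
    for h in demo():
        print(f"line {h.line}: {h.kind} {h.value} -> {h.matched}: {h.context}")
```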

Download a PDF report and share it

Indicators of Compromise are the atomic units of threat intelligence, and in ThreatConnect the “molecules” – the higher level objects like Adversary, Incident, Campaign, etc. – are called “Groups.” You can find Groups by selecting the Groups option on the Browse screen. Once you’ve opened up a Group, you can download it as a PDF report. This can be shared with colleagues or retained for future use.

Export indicators for use in another tool or for further analysis

Any data you find on the Browse screen can be exported to a CSV. For example, you can take all of the Indicators related to a particular CVE and export them for blocking and analysis. Or you can take all Indicators (up to 5,000 at a time) tied to an Adversary and graph them in a dataviz tool like Tableau to show activity over time.

An adversary activity report we created in Tableau from data exported for free from ThreatConnect.

Grab some Snort and YARA rules you can use immediately

Most of the intelligence in the Tech Blogs source will have Snort or YARA rules/signatures associated with it. Grab one of these signatures to easily deploy intel to your EDR, network monitoring, or threat hunting tools.


This Incident can be acted on pretty quickly.

Create some daily or weekly habits using dashboards

TC Open users get access to four free dashboards, accessible from the Dashboard dropdown on the main nav. Each dashboard presents some interesting opportunities for creating some daily habits that can make you a better security professional. See this blog for more on the importance of habits in security. Here are just a few suggested habits you can get into using these dashboards:

  • My Dashboard – Once a week, take a look at some of the items in “My Recent History.” How have they changed? Has any new intel been uncovered?
  • Operations Dashboard – Once a week, review the “Popular Tags” section. What’s changed? Why are different things trending week to week?
  • OSINT Dashboard – Once a day, see what’s new in Tech Blogs!

Explore and contribute to our Common Community

TC Open is not limited to just consuming intelligence – you can create your own! We believe that, like life, threat intelligence is best when shared. We’ve written a lot on sharing in our Common Community, but in a nutshell: you can add Indicators and Groups, tell a story around an Incident or an Adversary, and most importantly get additional context from other TC Open users. And of course, you can Browse what others are doing and collaborate with them!

💥Formerly available only in our premium products, Common Community now offers professionally curated intelligence from our own Research Team.

💥BONUS: Stay on top of COVID-Related Activity

Plenty of bad guys are trying to take advantage of our collective global tragedy. Our analytics team has been hard at work on a new intelligence feed covering newly-registered domains related to COVID-19. You can access the feed from the Browse screen by selecting it from the My Intel Sources dropdown. You can read more about what makes this source unique in this blog post.

Our Research Team also offers a free COVID-19-Related Activity dashboard.

And there you have it! There’s plenty more you can do for free, but to unlock ThreatConnect’s full potential, be sure to check out what we offer in our paid product.

The post 10 Things Security Analysts Can Do for Free in TC Open - UPDATED appeared first on ThreatConnect | Intelligence-Driven Security Operations.

ThreatConnect Research Roundup: Possible APT33 Infrastructure


May 21 2020 Edition

Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account. If you don’t have one, please click here to request your free TC Open account.

Roundup Highlight: Possible APT33 Infrastructure

Our highlight in this Roundup is Incident 20200518A: Suspicious Realhosters Name Server Domain taskreminder[.]net, which identifies network infrastructure possibly related to APT33. The domain taskreminder[.]net was registered on May 14 2020 using wayne.williams1986@protonmail[.]com and uses a ns1.realhosters.com name server. As of May 18 2020, this domain is hosted on a probable dedicated server at OVH IP 137.74.157[.]84.

While not definitive in terms of attribution, it’s worth noting that some APT33 related infrastructure like times-sync[.]com has previously used the same name server and OVH IP space for hosting. For example, the 137.74.157[.]84 IP was identified in a December 2019 Trend Micro report on APT33 obfuscated botnets. Previously identified infrastructure was documented in 20200106A: Suspicious Realhosters Name Server Domains.

We don’t have any information on the extent to which, if any, this domain has been used maliciously. However, given the minimal use of the ns1.realhosters.com name server and APT33’s potential reuse of it, any domains using it merit scrutiny as possible APT33 domains.

Update 5/21/20: The taskreminder[.]net domain is now hosted on a probable dedicated server at OVH IP 91.134.187[.]25. To receive ThreatConnect notifications about updates to Host DNS changes, remember to check the “Follow Item” box on that item’s Details page. 
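The pivot this highlight rests on (a seed domain sharing a name server, registrant e-mail, or hosting IP with known infrastructure) can be expressed as an inverted-index lookup. The following is an added example written for this page, not ThreatConnect Research's tooling. `RECORDS` is a constructed set of registration/hosting records: the `taskreminder.net` and `times-sync.com` rows reuse attributes stated in the text, the `.invalid` domains and `example.invalid` e-mails are placeholders, and the `max_fanout` cutoff is an assumption standing in for an analyst's judgement about how common an attribute is.

```python
from collections import defaultdict

# Constructed records (not a dump of any data set). Attributes mirror the ones
# the roundup pivots on: name server, registrant e-mail, hosting IP.
RECORDS = [
    {"domain": "times-sync.com", "ns": "ns1.realhosters.com",
     "email": "r1@example.invalid", "ip": "137.74.157.84"},
    {"domain": "taskreminder.net", "ns": "ns1.realhosters.com",
     "email": "wayne.williams1986@protonmail.com", "ip": "137.74.157.84"},
    {"domain": "news-daily.invalid", "ns": "ns1.realhosters.com",
     "email": "r2@example.invalid", "ip": "203.0.113.7"},
    {"domain": "shop-local.invalid", "ns": "ns1.bigdns.invalid",
     "email": "r3@example.invalid", "ip": "137.74.157.84"},
    {"domain": "blog-random.invalid", "ns": "ns1.bigdns.invalid",
     "email": "r4@example.invalid", "ip": "198.51.100.9"},
]

PIVOT_KEYS = ("ns", "email", "ip")


def build_index(records):
    """attribute -> value -> set(domains), so each pivot is a dictionary lookup."""
    index = {k: defaultdict(set) for k in PIVOT_KEYS}
    for r in records:
        for k in PIVOT_KEYS:
            index[k][r[k]].add(r["domain"])
    return index


def pivot(seed, records, max_fanout=50):
    """Domains sharing at least one attribute with seed, most overlap first.

    An attribute shared by more than max_fanout domains (a popular name server,
    a shared-hosting IP) is skipped: it links everything and therefore nothing.
    """
    index = build_index(records)
    seed_rec = next(r for r in records if r["domain"] == seed)
    overlaps = defaultdict(set)
    for k in PIVOT_KEYS:
        siblings = index[k][seed_rec[k]]
        if len(siblings) > max_fanout:
            continue
        for d in siblings - {seed}:
            overlaps[d].add(k)
    return sorted(overlaps.items(), key=lambda kv: -len(kv[1]))


def assess(seed, records, **kw):
    """Attach a confidence label: two or more shared attributes is 'probable',
    a single one only 'possible' (never 'confirmed' from registration data alone)."""
    return [(d, sorted(a), "probable" if len(a) >= 2 else "possible")
            for d, a in pivot(seed, records, **kw)]


if __name__ == "__main__":
    for domain, shared, label in assess("taskreminder.net", RECORDS):
        print(f"{domain:22} shares {shared} -> {label}")
```

The `max_fanout` guard is the check the roundup makes informally when it notes the "minimal use" of ns1.realhosters.com: a pivot on an attribute used by thousands of unrelated domains tells you nothing, which is why setting `max_fanout=2` on this data returns no candidates at all.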


ThreatConnect Research Team Intelligence:

These are items recently created or updated in the ThreatConnect Common Community by our Research Team. They include threat actor profiles, malware families, campaigns, signatures, and incidents based on our research and threat hunting activities. This week, we highlight new infrastructure registered using previously observed APT33 techniques, suspicious domains spoofing Poste Italiane, and an update to previously reported domains using “msupdate” strings.

Update 5/13/20: The aforementioned domains are now hosted on a probable dedicated server at OVH IP 158.69.30[.]194. Additionally, the domains are also now using their own name servers.

Technical Blogs and Reports Incidents with Active and Observed Indicators:

The ThreatConnect Technical Blogs and Reports Source is a curated collection of open source blogs and reports that are automatically aggregated and parsed for Indicators on a daily basis. Incidents listed here are associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).



Strengthen Business and Security Alignment with ThreatConnect


ThreatConnect is changing the way security works and that means better alignment with, and transparency to, the business. ThreatConnect’s intelligence-driven, security operations solutions include both Threat Intelligence (TIP) and Security Orchestration, Automation and Response (SOAR) platforms. These solutions are designed to put intelligence at the core of every security decision, improve the way your security teams work together and also help align your security focus to the issues that matter most. With ThreatConnect you align your team to a common, shared vision that maps back to business priorities. This ensures that security is defending against the right threats and helps demonstrate the value of security to the rest of the business. This is accomplished through dashboards that drive and streamline action for maximum effect and efficiency and through defined, demonstrable ROI, and metrics that matter.

Dashboards and Reporting

Using ThreatConnect’s Dashboards, you can easily visualize data that helps you gain a better understanding of the threats your organization faces, helps you orchestrate and automate actions to counter those threats, and shows the overall impact of your security efforts. You can automatically monitor your security operations and intelligence in a way that is actionable and meaningful for you and your team. With customizable reports you can access the information you need in a digestible format. View, edit, or create custom dashboards to track the metrics that will inform critical decision-making for your security operations and your business.

With ThreatConnect you can:

  • Choose from pre-built dashboards to view the data that is most critical and useful for your team, to monitor the most urgent security operations needs, or to get more direct insight from your intelligence sources
  • Monitor recent history, open tasks, active incidents, observations, false positives, and more with pre-built and configurable cards
  • Easily drill down from charts and data tables to dig deeper into more specific information
  • Clearly articulate impact and actionable insights by presenting your data in the most effective formats including sparklines, bar charts, tree maps, and datatables

Demonstrate Cost Control with Customizable Metrics

Security is seen as a huge cost center in most organizations. Demonstrating consistency in tracking your team’s spend shows that you’re always considering costs when making decisions. The savings from automation are surfaced through ThreatConnect’s ROI Calculator, built into every Playbook. Customizable values tell you, based on how many times any given Playbook has been run, how much your organization has saved to date by implementing an automated workflow.

ThreatConnect is the only solution that combines intelligence, orchestration and automation, analytics, and templated workflows relevant for each member of the security team. It contains all the functionality you need to drive informed decision-making based on the power of your organization’s threat intelligence. We provide not only the ability to orchestrate your security functions, but also the confidence that you are basing your tasks and decisions on vetted, relevant threat intelligence. With ThreatConnect, organizations are able to better align their teams, streamline processes and technology, and measure the impact of their efforts against core business goals.




ThreatConnect Research Roundup: Suspected Naikon DGA Domains


May 28 2020 Edition

Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account. If you don’t have one, please click here to request your free TC Open account.

Roundup Highlight: Suspected Naikon DGA Domains

Naikon related intelligence in ThreatConnect Common Community

Our highlight in this week’s Roundup is Incident 20200519B: Suspected Naikon DGAs. After reviewing research published by Check Point and Kaspersky, our team identified additional suspected Naikon DGA domains consistent with registration and hosting data of previously identified Naikon domains:

Additional domains identified based on registration and hosting consistencies:

We don’t have any information on the extent to which, if any, these domains have been used maliciously. However, given the commonalities identified, these domains merit scrutiny as possible Naikon DGA domains.


To receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.

ThreatConnect Research Team Intelligence:

These are items recently created or updated in the ThreatConnect Common Community by our Research Team. They include threat actor profiles, malware families, campaigns, signatures, and incidents based on our research and threat hunting activities.

  • 20200526B: Possible APT34 Domain lebworld[.]us ThreatConnect Research identified the possible APT34 / Helix Kitten / OilRig domain lebworld[.]us, which has registration and hosting consistencies with previously identified APT34 infrastructure. This domain was registered through MonoVM on May 18 2020 using jame@protonmail[.]com, and is hosted on a probable dedicated server at 23.19.227[.]117. We don’t have any information on the extent to which, if any, this infrastructure has been used maliciously. It’s important to note that the identified registration and hosting consistencies are not enough to definitively attribute this infrastructure to APT34.
  • 20200526A: Server Support Domains Registered Through ITitch ThreatConnect Research identified two domains — login-server[.]support and domain-server[.]support — that were registered through ITitch within about a minute of each other on May 22 2020 and most likely were registered by the same actor. Start of authority (SOA) records show the login-server[.]support domain was registered using trabant@cock[.]li. This domain is currently hosted on a probable dedicated server at 102.152[.]107 and, per urlscan.io, redirects to CNBC’s legitimate website.

SOA records show domain-server[.]support was registered using jirajira@cock[.]li. This domain is hosted on a probable dedicated server at 185.10.68[.]163, has switched to using its own name server, and hosts a mail-in-a-box server.

At this time we don’t have any information indicating the extent to which these domains have been used maliciously.

Technical Blogs and Reports Incidents with Active and Observed Indicators:

The ThreatConnect Technical Blogs and Reports Source is a curated collection of open source blogs and reports that are automatically aggregated and parsed for Indicators on a daily basis. Incidents listed here are associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).



Empowering Better Security Operations with Intelligence


The Möbius strip has several curious properties. A line drawn along the edge travels in a full circle to a point opposite the starting point. If continued, the line returns to the starting point, and is double the length of the original strip: this single continuous curve traverses the entire boundary¹. This process naturally creates a continuous feedback loop, much like threat intelligence and security operations should.

Using ThreatConnect’s security operations solutions, which combine Threat Intelligence Platform (TIP) and Security Orchestration, Automation and Response (SOAR) capabilities, enables you to make intelligence-driven operations a reality. ThreatConnect places intelligence at the core of the decision making process in security. As threat intelligence drives operational decision making, the result of those actions can be used to create or enhance existing threat intelligence, which creates that feedback loop.

In ThreatConnect:

  • Intelligence exists to inform decisions for security operations, tactics, and strategy; and
  • Operations captures data on adversaries, attacks, and attempts that can be refined into intelligence.

Intelligence and operations as functions on the security team should be cyclical and symbiotic. Intelligence informs decisions for operations, resulting in actions being taken based on those decisions. Those actions (such as cleanups, further investigations, or other mitigations) will beget data and information in the form of artifacts such as lists of targeted or affected assets, identified malware, network-based IOCs, newly observed attack patterns, etc. These artifacts can be refined into intelligence that can thus inform decisions for future operations.

While some organizations do not have a formally defined intelligence function, the concept of using what you know about the threat-space to inform your operations should exist in all organizations. Regardless of whether an explicitly named threat intelligence analyst is on staff, the relationship between intelligence and operations is fundamental to driving better security outcomes.

Threat intelligence acts as a catalyst for taking an action or starting a process and informing how the process and decision making are done throughout. As threat intelligence drives your orchestrated actions, the result of those actions can be used to create or enhance existing threat intelligence. Thus, a feedback loop is created — threat intelligence drives orchestration, orchestration enhances threat intelligence.

When your threat intelligence is stored in a data model you’re familiar with and assigned appropriate threat scores to understand severity and relevance, you can set your processes to automatically adjust if the threat landscape changes.

Orchestration is facilitating human and automated processes by integrating multiple security tools and systems. It should be the connective tissue that facilitates efficiency and scale across people, processes, and technology. Orchestration informed by threat intelligence is more effective, resilient, and adaptive. It uses available relevant information on threats and information about your own environment to adjust and improve your processes dynamically.

Using threat intelligence and orchestration together, situational awareness and historical knowledge determine what and how processes should be handled. So you build this cyclical relationship. Threat intelligence allows the process to automatically adjust itself and helps you drive further decision making. You ultimately want to be able to observe what is happening in your environment and across the greater security landscape. With threat intelligence, you can. Taken one step further, threat intelligence allows you to cross reference what you observe with historical knowledge and situational awareness. This information provides insight that enables you to decide which action to take. And then, you can automate that action. Using threat intelligence to determine automation empowers you to be proactive in mitigating threats to your organization.

ThreatConnect’s SOAR Platform combines intelligence, orchestration and automation, analytics, and response into one place. It is the perfect technology to create your own single source of truth, enabling team members to assign each other tasks, work from the same data, and easily collaborate about the threats they are seeing. ThreatConnect can also become your system of record, because it stores every piece of threat data, all of the additional context added to it, and all of your processes in one place. Plus, the Platform enables automation by incorporating advanced orchestration capabilities (Playbooks), which allows you to connect to any other tool in your environment.

ThreatConnect changes the way security works by placing intelligence at the core of the decision making process. Our solutions unify security teams in response to intelligence and streamline and automate the work needed to act upon it.


¹https://en.wikipedia.org/wiki/M%C3%B6bius_strip


Do Androids Dream of Electric CALFs?



Just a few short months ago we announced the introduction of CAL Feeds as part of our CAL 2.4 updates. That release included four new CAL Feeds (CALFs), one of which provides a steady stream of suspicious Newly Registered Domains (NRDs) to ThreatConnect. As we noted in that release announcement, NRDs aren’t inherently malicious: new domains get registered every day. But some subset of those registered daily are at least suspicious or interesting. We’ve identified NRDs that we think are leveraging suspicious infrastructure, and those are what populate the ‘CAL Suspicious Newly Registered Domains Feed’.

CAL 2.5 takes this concept one step further. It introduces an additional CAL Feed that uses defined criteria to identify NRDs that we believe have been created using a domain generation algorithm (DGA). DGAs are very specific techniques that some groups and/or malware families (APT41 and CHOPSTICK for example) use to generate a large possibility space of domains that they can easily switch between. Attackers use DGAs so that they can evade detection and mitigation techniques by security professionals, turning something like command and control into a game of whack-a-mole.

This new CAL Feed, called ‘CAL Suspected DGA NRDs’, consists of a list of recently registered algorithmically-generated domains (AGDs), as determined by our machine learning model. How does this work? Well, every day as CAL aggregates hundreds of thousands of domains, they’re run through our neural network with the goal of identifying domains that are “suspiciously junky”.

Neural networks are a fascinating subject, and warrant a lot of discussion of their own. We will be releasing a white paper outlining the various machine learning techniques we applied to create our statistical model in detail. In layman’s terms, we’ve been able to use our massive dataset to train our model. The neural network identifies “features” of a domain, such as how long it is or how often certain character combinations appear. The beauty of machine learning, and neural networks specifically, is that it can discover (and weigh!) features through training to come up with a 0-100% confidence range that something is suspiciously junky. We take the top slice of that confidence range to populate our CAL Feed, because we think those are so suspicious that they may have been generated via a DGA.
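To make the “features” idea concrete, here is an added example (written for this page; it is not CAL's model, whose weights are learned rather than set by hand) that computes the kind of per-domain features mentioned above and combines them into a 0–1 “junkiness” score. The weights in `dga_score` and the `SAMPLE_NRDS` list are assumptions constructed for illustration; `registrable_label` is deliberately naive about multi-part public suffixes.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed list of "newly registered" domains for the demo; the two junky
# ones were typed at random for the example.
SAMPLE_NRDS = [
    "google.com",
    "taskreminder.net",
    "xk7qzv2mtrp9w.net",
    "mybakeryshop.co",
    "qwzxjvkpltrm.com",
]


def registrable_label(domain):
    """Label left of the suffix. Naive: takes the label before the last dot, so
    multi-part suffixes such as co.uk would need a public-suffix list in practice."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def features(domain):
    """Lexical features a classifier might weigh: length, character entropy,
    vowel and digit ratios, and the longest run of consonants."""
    label = registrable_label(domain)
    letters = [c for c in label if c.isalpha()]
    run = best = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": (sum(c in VOWELS for c in letters) / len(letters)) if letters else 0.0,
        "digit_ratio": sum(c.isdigit() for c in label) / max(len(label), 1),
        "max_consonant_run": best,
    }


def dga_score(domain):
    """Hand-set weights, illustrative only: a trained model would learn these."""
    f = features(domain)
    score = 0.0
    score += 0.25 * min(f["entropy"] / 4.0, 1.0)            # high entropy -> junkier
    score += 0.25 * (1.0 - min(f["vowel_ratio"] / 0.4, 1.0))  # few vowels -> junkier
    score += 0.20 * min(f["digit_ratio"] / 0.3, 1.0)          # digits mixed into the label
    score += 0.15 * min(f["max_consonant_run"] / 5.0, 1.0)    # unpronounceable runs
    score += 0.15 * min(max(f["length"] - 8, 0) / 12.0, 1.0)  # long labels
    return round(score, 3)


def suspected_dga(domains, threshold=0.6):
    """Keep the top slice of the score range, as the feed does with its model."""
    return [d for d in domains if dga_score(d) >= threshold]


if __name__ == "__main__":
    for d in SAMPLE_NRDS:
        print(f"{d:22} {dga_score(d):.3f}")
    print("suspected DGA:", suspected_dga(SAMPLE_NRDS))
```

Run it and note how a legitimate-looking but consonant-heavy name such as mybakeryshop.co scores well above google.com without crossing the threshold: that is exactly the grey zone a trained model with many more features and a tuned cutoff is meant to resolve, and why the feed only takes the top slice of the confidence range.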

This new CAL Feed joins the others in providing ripe hunting grounds for analysts.

Ready to get started? Just like our supported open source feeds, CALFs are available to system administrators through our TC Exchange Feeds Catalog. And just like the other feeds, they’ll get a report card and can be enabled with the click of a button. Upon enabling a CAL Feed, its Source will be automatically created and configured. It will start populating automatically, with a predefined window of historical data being created and aged out appropriately.

Let us know if you have any questions about CAL Feeds via Twitter @ThreatConnect!



Take a Deep Dive into ThreatConnect’s Workflow Capabilities


Interested in learning more about ThreatConnect’s Workflow capability for case management? With Workflow, you can continuously improve security processes with a single Platform for process documentation, team collaboration, and artifact enrichment.

Sure, tell me more…
In our most recent product release, we added the Workflow capability to our Platform, which enables analysts and their teams to define and operationalize consistent, standardized processes for managing threat intelligence and performing security operations. This function is essential in any security orchestration, automation and response (SOAR) platform. Analysts and administrators can use Workflow to investigate, track, and collaborate on information related to threats and incidents, all from within one central location in ThreatConnect. A primary use case for Workflow is case management, in which data tied to specific events and incidents are collected, distributed, and analyzed for effective and efficient completion of critical tasks.

If you didn’t see the blog article that started it all, please read: How to Build a Basic Workflow in ThreatConnect. From a simple notification email to threat-bending phishing triage, this is your first step.

Ok, what now?
We have five (5) Knowledge Base articles that provide step-by-step instruction and description on how to best use ThreatConnect’s Workflow.

  • Workflow Overview provides a high-level overview of Workflow, covering terminology and process flow.
  • Workflow Templates – are codified procedures for the steps to be taken within a Case. ThreatConnect provides a set of out-of-the-box Workflow Templates via TC Exchange™, or users and administrators with the requisite permissions can create Workflow Templates from scratch. This article demonstrates how to view and build Workflow Templates, covering topics such as how to add and configure Tasks and Phases and how to define Artifacts to be collected.
  • Workflow Tasks – the Tasks tab of the Workflow screen serves as a dashboard where users can monitor and track Tasks across all Workflow Cases in their Organization. This article provides instruction on the features of the Tasks tab, covering viewing, assigning, removing, sorting, and filtering Tasks.
  • Workflow Playbooks – discusses how to create a Workflow Playbook. Workflow Playbooks are configured in a manner similar to that for Playbook Components, and they operate similarly to Playbooks in general.
  • Workflow Cases – discusses how to view, build, configure, and administrate Workflow Cases. A Workflow Case is a single instance of an investigation, inquiry, or other procedure. Within a Case, manual and automated Tasks are assigned and run, Artifacts are collected, freeform notes are taken, and a timeline of all events is maintained.

All five articles can be found here.

If you are a current ThreatConnect customer and have questions or need help, please reach out to your customer success representative. If not, these articles are really good resources for anyone evaluating the ThreatConnect Platform. Get a demo today! 



ThreatConnect and Cylance: Better Endpoint Remediation


ThreatConnect has partnered with Blackberry Cylance, a leader in the Endpoint Detection and Response space, and built two Playbook Apps for our joint customers to leverage. With the addition of these new Playbook Apps, immediate actions can be taken to investigate, stop, and remediate potential threats at the endpoint based on external threat intelligence.

CylancePROTECT Playbook App

CylancePROTECT® is an AI-based endpoint security solution that prevents breaches and provides added controls for safeguarding against sophisticated threats. The CylancePROTECT Playbook App will allow you to immediately deploy new high-risk indicators from ThreatConnect to Cylance’s Global Block List anytime that a new threat is received. By automating this process, you ensure that high fidelity intelligence is being sent between the two solutions and that you and your team have all the information needed to make informed decisions. Additionally, your Security Operations and Incident Response teams will be able to automate investigative actions such as getting device information and take containment actions such as updating a device.

The following actions are now available:

  • Get Threat
  • Get Threats
  • Get Threat Devices
  • Get Threat Download URL
  • Get Global List
  • Add to Global List
  • Delete from Global List
  • Get Device
  • Get Devices
  • Get Device Threats
  • Update Device

A look at the CylancePROTECT Playbook App from within the ThreatConnect Platform

CylanceOPTICS Playbook App

CylanceOPTICS® pushes all detection and response decisions down to the endpoint, eliminating response latency that can mean the difference between a minor security event and a widespread, uncontrolled security incident. The CylanceOPTICS Playbook App allows you to download recent detections from CylanceOPTICS and run them against validated Threat Intelligence from ThreatConnect. If we find a match between the two, you can update the detection info with further context. Additionally, your Security Operations and Incident Response teams will be able to automate investigative actions such as retrieving a file from a device and take containment actions such as locking down a device.

The following actions are available:

  • Get Detections
  • Update Detection
  • Get Detection
  • Get Recent Detections
  • Get Detections CSV
  • Lockdown Device
  • Request File Retrieval from Device
  • Check File Retrieval Status from Device
  • Get Retrieved File Results

A look at the CylanceOPTICS Playbook App from within the ThreatConnect Platform


Together, ThreatConnect and Blackberry Cylance provide a complete solution for security teams that enables them to detect threats and perform remediation quickly and precisely by utilizing tools that communicate with each other.

If you’re a ThreatConnect customer, please reach out to your dedicated Customer Success Team for more information on utilizing the Cylance Playbook Apps. If you’re not yet a customer and are interested in ThreatConnect, contact sales@threatconnect.com.



ThreatConnect Research Roundup: Probable Sandworm Infrastructure


June 12 2020 Edition

Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account. If you don’t have one, please click here to request your free TC Open account.

In this edition, we cover:

Roundup Highlight: Probable Sandworm Infrastructure


Sandworm Related Intelligence in ThreatConnect


Our highlight in this Roundup is Incident 20200529A: Network of Probable Sandworm Infrastructure. Sandworm, also known as Sandworm Team, Quedagh, and VOODOO BEAR, is a Russian threat actor group that has historically targeted energy, industrial, government, and media organizations in Ukraine.

ThreatConnect Research, in conjunction with industry colleagues, identified a network of probable Sandworm infrastructure dating back to at least 2018. NSA released a report on Sandworm activity on May 29 2020 that identified the domain hostapp[.]be (IPs: 95.216.13[.]196, 103.94.157[.]5). This domain was registered on December 24 2018 through Njalla. In reviewing historical registrations, we were only able to identify seven other domains that were registered on that date through Njalla. While we were unable to directly associate any of these domains to hostapp[.]be due to its lack of a creation timestamp, three of the other domains — fbapp[.]top, fbapp[.]info, fbapp[.]link — appeared notable and possibly related.

We reviewed the hosting history, subdomains, and co-locations for these additional domains and to date have identified a network of 30 domains, 17 IPs, and hundreds of subdomains that we assess are probably related to largely historic Sandworm activity. Further indicative of the probable association to Sandworm, some of the identified domains, such as hostapp[.]art and hostapp[.]link, share strings with the domain identified in NSA’s report.

In reviewing subdomains for the identified domains, many subdomain strings were reused across the domains. Many Twitter-, Google-, and Facebook-related subdomains were identified. The following notable subdomain strings were also identified and are possibly indicative of operational targets, themes, or affected countries:

passport.abv.bg.*
passport.above.bg.*
mail.bg.*
accounts.ukr.net.*
mail.adm.khv.ru.*

It’s important to note that while the identified infrastructure is largely historic, at least two domains — userarea[.]click (46.4.10[.]58) and userarea[.]eu (185.226.67[.]190) — and/or their subdomains were actively resolving in May 2020. At this time, we do not have any additional insight into how or against whom this infrastructure has been operationalized.

Update 5/31/20

ThreatConnect Research identified another set of domains and IPs that are a part of this network of probable Sandworm infrastructure. The following domains were registered through Njalla at essentially the same time as userarea[.]click and userarea[.]eu and are currently hosted on dedicated servers:

userarea[.]top (194.117.236[.]33)
userarea[.]in (5.255.90[.]243)

Three other domains were registered through Njalla about two and a half hours later:

myaccount[.]click (185.76.68[.]70)
myaccount[.]one (92.62.139[.]114)
webcache[.]one (195.211.197[.]25)

Notably, four of these IP addresses were identified by GreyNoise as exploiting the Exim vulnerability CVE-2019-10149.

Update 6/3/20

Two other domains — userzone[.]one and userzone[.]eu — are associated with this network of infrastructure. These domains were registered through Njalla on November 13 2019, the same day as those in the previous update. These domains and/or their subdomains have been hosted on a dedicated server at 141.101.196[.]50.
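The pivots used in this write-up and its updates (subdomain strings reused across apex domains, IPs hosting more than one apex, domains still resolving in a recent window, and registrations clustered in time at one registrar) can be scripted. The following is an added example, not ThreatConnect's tooling; the passive-DNS and registration records it uses are constructed with documentation IPs, .example apexes and made-up registrar names, and the apex split assumes two-label apexes rather than consulting the Public Suffix List.

```python
"""Infrastructure pivots over passive-DNS and registration records.

Added example; it is not ThreatConnect's tooling. All records below are
CONSTRUCTED (documentation IPs, .example apexes, made-up registrars and
timestamps) to mirror the shape of the write-up: reused subdomain labels,
shared hosting, still-resolving domains and tightly clustered registrations.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed passive-DNS rows: (fqdn, resolved IP, last-seen date)
PDNS = [
    ("passport.abv.bg.fbapp.example", "192.0.2.10", "2019-03-02"),
    ("mail.bg.fbapp.example", "192.0.2.10", "2019-03-05"),
    ("accounts.ukr.net.fbapp-alt.example", "192.0.2.20", "2019-04-11"),
    ("passport.abv.bg.hostapp.example", "192.0.2.20", "2019-06-20"),
    ("mail.adm.khv.ru.hostapp-alt.example", "192.0.2.10", "2019-07-01"),
    ("accounts.ukr.net.userarea.example", "198.51.100.5", "2020-05-14"),
    ("twitter.userarea-alt.example", "198.51.100.6", "2020-05-20"),
]

# Constructed registration rows: (apex, registrar, registered UTC)
WHOIS = [
    ("fbapp.example", "registrar-a", "2018-12-24T10:02:00"),
    ("fbapp-alt.example", "registrar-a", "2018-12-24T10:03:00"),
    ("hostapp.example", "registrar-a", "2019-01-15T08:00:00"),
    ("userarea.example", "registrar-a", "2019-11-13T09:10:00"),
    ("userarea-alt.example", "registrar-a", "2019-11-13T09:12:00"),
    ("myaccount.example", "registrar-a", "2019-11-13T11:40:00"),
    ("unrelated.example", "registrar-b", "2019-11-13T09:11:00"),
]


def split_fqdn(fqdn):
    """Return (subdomain prefix, apex). Treats the last two labels as the
    apex; real data needs the Public Suffix List (e.g. for .co.uk)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shared_subdomain_prefixes(records, min_apexes=2):
    """Subdomain prefixes reused under at least `min_apexes` apex domains."""
    apexes_by_prefix = defaultdict(set)
    for fqdn, _ip, _last_seen in records:
        prefix, apex = split_fqdn(fqdn)
        if prefix:
            apexes_by_prefix[prefix].add(apex)
    return {p: sorted(a) for p, a in apexes_by_prefix.items()
            if len(a) >= min_apexes}


def colocated_apexes(records, min_apexes=2):
    """IPs that hosted at least `min_apexes` apex domains (co-location pivot)."""
    apexes_by_ip = defaultdict(set)
    for fqdn, ip, _last_seen in records:
        apexes_by_ip[ip].add(split_fqdn(fqdn)[1])
    return {ip: sorted(a) for ip, a in apexes_by_ip.items()
            if len(a) >= min_apexes}


def recently_resolving(records, as_of_iso, days=30):
    """Apex domains with a resolution in the `days` before `as_of_iso`."""
    cutoff = datetime.fromisoformat(as_of_iso) - timedelta(days=days)
    live = {split_fqdn(fqdn)[1] for fqdn, _ip, last_seen in records
            if datetime.fromisoformat(last_seen) >= cutoff}
    return sorted(live)


def registration_clusters(whois, window_minutes=30):
    """Apexes registered at the same registrar within `window_minutes` of
    the previous registration in the cluster."""
    clusters = []
    for apex, registrar, ts in sorted(whois, key=lambda r: (r[1], r[2])):
        when = datetime.fromisoformat(ts)
        last = clusters[-1] if clusters else None
        if (last and last["registrar"] == registrar
                and when - last["last"] <= timedelta(minutes=window_minutes)):
            last["apexes"].append(apex)
            last["last"] = when
        else:
            clusters.append({"registrar": registrar, "last": when, "apexes": [apex]})
    return [c["apexes"] for c in clusters if len(c["apexes"]) >= 2]
```

Each function is one pivot; a candidate domain that shows up in more than one of them (shared prefix, shared IP, clustered registration) is a stronger lead than one that shows up in a single pivot, and `recently_resolving` separates historic infrastructure from anything that still warrants blocking or monitoring.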

ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.

Technical Blogs and Reports Incidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).

To receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.

The post ThreatConnect Research Roundup: Probable Sandworm Infrastructure appeared first on ThreatConnect | Intelligence-Driven Security Operations.

Orchestration With and Without Intelligence: What’s the Difference?


Orchestration informed by security intelligence from within your environment, and threat intelligence from a variety of external sources, is more effective, resilient, and adaptive. An intelligence-led approach will inform your strategy for orchestration in two key ways:

  1. Intelligence on an adversary’s capabilities, attack patterns, and intent will inform how you build and configure orchestration capabilities to defend your network better.
  2. Orchestration (Playbooks) can be built to adapt to changing adversary capabilities, attack patterns, and infrastructure as internal security intelligence and external threat intelligence become available. In some cases, this intelligence allows the process to adjust itself automatically and helps you drive further decision-making.

When intelligence and orchestration are used together, situational awareness and historical data determine when and how a task should be done. Intelligence allows the process to adapt to a changing environment, and using it allows you to plan strategically for a better program. When this idea of informed, adaptive orchestration is applied practically to security operations and incident response, the result is Security Orchestration, Automation, and Response (SOAR).

Threat Intelligence Deconstructed 
First, let’s talk about what threat intelligence (TI) really is. TI is often misunderstood as merely Indicators of Compromise (IOCs) delivered via data feeds. These feeds are typically context-sparse and have their place in supporting defensive operations, but they are far from a complete picture of what TI can be. Most IOC feeds are better characterized as information, not intelligence. Intelligence is not raw data and it is not merely information – it is knowledge of threats you can use to inform decisions and possibly predict future circumstances or events.

Intelligence fuels decision-making for taking action against a threat. Every contact with an adversary is an opportunity to collect information and store it as knowledge of their attack patterns, so that you can block them more effectively in the future. Knowledge of your adversaries also lets you ask better questions and find the gaps in what you know.

With threat intelligence, you go beyond knowledge to being able to predict where an adversary is likely to attack next. As a result, you can make decisions to defend against or mitigate an attack. So, as you begin to automate your processes, it is essential that you use threat intelligence to drive your decisions. Orchestration can continue to block where an adversary has been before, but using your threat intel to drive orchestration enables you to determine where the attacker will most likely go next — allowing you to become proactive.

Orchestration
Security orchestration is the coordination of multiple security tasks and decision points into an often complex process. It typically involves conditional logic for branched processes, connecting and integrating multiple security systems, applications, and teams into streamlined workflows. It also correlates disparate data to help coordinate the right response. As a holistic solution, security orchestration involves people, process, technology, and information.

Automation and orchestration have their limits when it comes to enabling speed and effectiveness at the same time. While automation can speed up a repetitive process and orchestration can automate decision making, often they can only do what you may call mundane tasks – those that require no intelligence.

Using orchestration to build an effective defense is still dependent on your knowledge of an attacker’s methodology, and your ability to detect or mitigate it. Adversaries are adaptive. If one route to their objective is blocked, they will try others. If narrowly implemented, your orchestrated processes can be circumvented by a clever or persistent adversary.

Orchestration + Intelligence
Orchestration informed by security and threat intelligence is more effective, resilient, and adaptive. It uses available relevant information on threats and information about your own environment to adjust and improve your processes dynamically.

Threat intelligence-driven orchestration goes a step further — it takes things like environment, situational awareness, and circumstances into account. Using threat intelligence and orchestration together, situational awareness and historical data determine when and how a task should be done. Threat intelligence allows the process to be adaptive to the changing environment. As threat intelligence drives your orchestrated actions, the result of those actions can be used to create or enhance existing threat intelligence. Thus, a feedback loop is created — threat intelligence drives orchestration, orchestration enhances threat intelligence.

You may be thinking that you already have both orchestration and threat intelligence covered in your current infrastructure, since threat intelligence feeds can be integrated with security operations tools. It is not that simple, though.

By using one platform that includes threat intelligence and orchestration together, you create a system of insight, enabling:

  • Alert, block, and quarantine based on relevant threat intel. Even for lower level tasks like alerting and blocking, having relevant threat intel is important. You can automate detection and prevention tasks. Having multi-sourced, validated threat intel can help ensure that you are alerting and blocking on the right things.
  • Understand context and improve over time. When you automate tasks based on threat intelligence thresholds such as indicator scores, and memorialize all of that information, you can strategically look at your processes to determine how to improve.
  • Increase your accuracy, confidence, and precision. Situational awareness and historical context is key to decision making. Working directly from threat intelligence allows you to work quicker and prevent attacks before they happen. The more you can automate up front, the more proactive you can be. By eliminating false positives and using validated intelligence you are increasing the accuracy of the actions taken. This accuracy leads to confidence and improves speed and precision.
  • Adjust processes automatically as information and context changes. Intelligence-driven orchestration is data first, while security orchestration is action first. When your threat intelligence is stored in a data model (with threat scores), you can set your processes to automatically adjust if the threat landscape changes.
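The bullets above describe two mechanics: actions chosen from intelligence thresholds rather than hard-coded per alert, and a feedback loop in which the outcome of an action updates the intelligence that drives the next run. The following is an added example, not ThreatConnect Playbook code. The 0-100 score and confidence scale, the thresholds, the in-memory indicator store and the alert records are hypothetical or constructed; they stand in for the platform's data model and the SIEM or EDR events a Playbook would receive.

```python
"""A minimal intelligence-driven orchestration step with a feedback loop.

Added example, not ThreatConnect Playbook code. The 0-100 score and
confidence scale, the thresholds, the in-memory intel store and the
alert records are all hypothetical/constructed; a real deployment would
read them from the threat-intelligence platform and the SIEM/EDR.
"""
from dataclasses import dataclass


@dataclass
class Indicator:
    value: str
    score: int           # hypothetical 0-100 aggregate threat score
    confidence: int      # hypothetical 0-100 source confidence
    active: bool = True  # retired indicators never trigger actions
    observations: int = 0
    false_positives: int = 0


# Hypothetical policy thresholds: the action is derived from intel, not
# hard-coded per alert, so it shifts as the intel changes.
BLOCK_SCORE, BLOCK_CONFIDENCE = 80, 70
ALERT_SCORE = 50


def decide(indicator):
    """Map an indicator's current intel to an orchestration action."""
    if indicator is None or not indicator.active:
        return "log"        # unknown or retired: record only
    if indicator.score >= BLOCK_SCORE and indicator.confidence >= BLOCK_CONFIDENCE:
        return "block"
    if indicator.score >= ALERT_SCORE:
        return "alert"
    return "log"


class IntelStore:
    """In-memory stand-in for the platform's indicator data model."""

    def __init__(self, indicators):
        self.by_value = {i.value: i for i in indicators}

    def lookup(self, value):
        return self.by_value.get(value)

    def record_observation(self, value, hit=True):
        """Feedback loop: a confirmed hit raises score and confidence; an
        analyst false-positive verdict lowers the score and, after two
        verdicts, retires the indicator so later playbook runs stop acting."""
        ind = self.by_value.get(value)
        if ind is None:
            return None
        if hit:
            ind.observations += 1
            ind.score = min(100, ind.score + 10)
            ind.confidence = min(100, ind.confidence + 5)
        else:
            ind.false_positives += 1
            ind.score = max(0, ind.score - 30)
            if ind.false_positives >= 2:
                ind.active = False
        return ind


def run_playbook(store, alert):
    """One orchestrated step: enrich the alert, decide, feed the result back."""
    ind = store.lookup(alert["indicator"])
    action = decide(ind)
    if action in ("block", "alert"):
        store.record_observation(alert["indicator"], hit=True)
    return {"alert_id": alert["id"], "action": action,
            "score": ind.score if ind else None}


if __name__ == "__main__":
    # Constructed alerts: the same indicator is handled differently once
    # the first observation has fed back into its score.
    store = IntelStore([Indicator("bad.example", 75, 80),
                        Indicator("noisy.example", 85, 90)])
    for alert_id, value in enumerate(["bad.example", "bad.example",
                                      "unknown.example", "noisy.example"], 1):
        print(run_playbook(store, {"id": alert_id, "indicator": value}))
```

The point of the design is that nothing in `run_playbook` names an indicator or an action: the first alert on `bad.example` only alerts, the observation it records pushes the score over the block threshold, and the second identical alert is blocked. Two analyst false-positive verdicts retire an indicator, after which the same playbook logs instead of blocking, which is the "adjust processes automatically as context changes" bullet in practice.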

If you want to start aggregating and normalizing your threat data, you can do that in ThreatConnect. If you need to conduct deep threat analysis, you can do that in the Platform too. You can orchestrate tasks based on your stored threat intelligence. The ThreatConnect Platform is built to help you through the entire lifecycle of a threat — from aggregation, to analysis and prioritization, all the way through taking necessary action to defend your network. The ThreatConnect Platform was specifically designed to help organizations understand adversaries, automate workflows, and mitigate threats faster using threat intelligence. Get a demo today.

The post Orchestration With and Without Intelligence: What’s the Difference? appeared first on ThreatConnect | Intelligence-Driven Security Operations.


ThreatConnect Research Roundup: Kimsuky AutoUpdate Malware


June 19 2020 Edition

Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account. If you don’t have one, please click here to request your free TC Open account.

In this edition, we cover:

Roundup Highlight: Kimsuky AutoUpdate Malware

20200616A: Suspected Kimsuky “AutoUpdate” Malware


Our highlight in this Roundup is Incident 20200616A: Suspected Kimsuky “AutoUpdate” Malware. ThreatConnect Research identified a malware sample suspected to be associated with Kimsuky (a DPRK-based group) due to behaviors similar to a sample reported on the ESTsecurity ALYac Blog.

The blog above describes recent activity related to a campaign first seen in December of 2019 dubbed Operation Blue Estimate. One of the files observed in this attack, C315DE8AC15B51163A3BC075063A58AA, was identified as a downloader in ESTsecurity’s analysis.

Based on the string deobfuscation routine and URL parameters observed in the file above, an additional file FF0DDDC847825F13001B08661B2C7D0D was identified by our team, along with the hard-coded C2 domain dept-dp.lab.hol[.]es.

ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.

Technical Blogs and Reports Incidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).


To receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.

The post ThreatConnect Research Roundup: Kimsuky AutoUpdate Malware appeared first on ThreatConnect | Intelligence-Driven Security Operations.

ThreatConnect Research Roundup: More Kimsuky “AutoUpdate” Malware


Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account. If you don’t have one, please click here to request your free TC Open account.

In this edition, we cover:

  • Kimsuky “AutoUpdate” Malware
  • Mustang Panda PlugX
  • Spoofed Google Support Domain
  • GreedyWonk
  • Emotet
  • WastedLocker
  • IndigoDrop

Roundup Highlight: More Kimsuky “AutoUpdate” Malware

20200618A: Suspected Kimsuky “AutoUpdate” Malware

Our highlight in this Roundup is Incident 20200618A: Suspected Kimsuky “AutoUpdate” Malware. ThreatConnect Research identified an additional malware sample likely associated with Kimsuky (a DPRK-based group) due to behaviors similar to a sample reported on the ESTsecurity ALYac Blog, which was also referenced in last week’s Research Roundup Blog.

Like last week’s file, this sample (1E14DED758C5DD7B41FE20297935EEEF) is also similar to the downloader (C315DE8AC15B51163A3BC075063A58AA) identified in the above blog based on behaviors including a string deobfuscation routine and specific URL parameters.

Of note, it was uploaded to VirusTotal with the filename bmail-security-check.scr which shares strings with the embedded obfuscated command and control server at security-confirm.bmail-org[.]com. This server was live as of Jun 18, 2020 16:54 UTC. For more details, see the Incident in the ThreatConnect Common Community.

MITRE ATT&CK® Techniques Observed:

IOCs Identified:


ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.

Technical Blogs and Reports Incidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).


To receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.

The post ThreatConnect Research Roundup: More Kimsuky “AutoUpdate” Malware appeared first on ThreatConnect | Intelligence-Driven Security Operations.

Playbook Fridays: Converting your IOCs to CSVs


Welcome to ThreatConnect’s Playbook Fridays! We will continually publish posts featuring Playbooks (and sometimes Dashboards!) that can be built in the Platform.

ThreatConnect developed the Playbooks capability to help analysts automate time consuming and repetitive tasks so they can focus on what is most important. And in many cases, to ensure the analysis process can occur consistently and in real time, without human intervention. Below is our latest post:

One of the most common questions we receive in Customer Success is: how can we create an automated feed of indicators of compromise (IOCs)? Because of the Platform’s extensible nature, there are many ways to do this. Today’s focus is on two of them. Whether you want to integrate ThreatConnect with your network devices or simply need a recurring CSV report of specific indicators, this video walks you through two of the main ways to convert your threat intel into useful data.
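As an added example (not the Playbook from the video), here is one way to produce the second case, a recurring CSV of specific indicators, in plain Python: refang a pasted indicator list, classify each token, de-duplicate, and write the CSV. The input is constructed (documentation IPs, .example domains, and the MD5 of an empty string); the column names and the defang conventions handled are assumptions.

```python
"""Turn a free-text indicator list into a CSV feed.

Added example, not the Playbook demonstrated in the video. The input text
is CONSTRUCTED (documentation IPs, .example domains, the MD5 of an empty
string); the column names and the defang conventions handled are assumptions.
"""
import csv
import io
import ipaddress
import re
from urllib.parse import urlsplit

SAMPLE = """\
# constructed sample, as pasted from a report: one or more IOCs per line
login-onmicrosoft[.]example (192.0.2.134)
hxxps://security-confirm[.]bmail-org[.]example/update
D41D8CD98F00B204E9800998ECF8427E
2001:db8::1
not-an-indicator
"""

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
FIELDS = ["type", "value", "defanged"]


def refang(text):
    """Undo common defanging so the indicators parse and sort correctly."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    text = re.sub(r"\[:\]", ":", text)
    return re.sub(r"hxxp", "http", text, flags=re.I)


def defang(kind, value):
    """Re-defang for the report column so the CSV is safe to paste around."""
    if kind not in ("ip", "domain", "url"):
        return value
    value = value.replace(".", "[.]")
    return re.sub(r"^http", "hxxp", value, flags=re.I) if kind == "url" else value


def classify(token):
    """Return [(type, normalised value), ...] for one whitespace-split token."""
    t = token.strip("()[]<>{},;\"'")
    if not t:
        return []
    if re.fullmatch(r"[0-9a-f]+", t, re.I) and len(t) in HASH_TYPES:
        return [(HASH_TYPES[len(t)], t.lower())]
    try:
        return [("ip", str(ipaddress.ip_address(t)))]
    except ValueError:
        pass
    if re.match(r"^https?://", t, re.I):
        host = urlsplit(t).hostname
        # A URL also yields its host as a separate, independently usable IOC
        return [("url", t)] + ([("domain", host)] if host and DOMAIN_RE.match(host) else [])
    if DOMAIN_RE.match(t):
        return [("domain", t.lower())]
    return []


def extract_indicators(text):
    """Parse, normalise and de-duplicate indicators, preserving first-seen order."""
    rows, seen = [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for token in refang(line).split():
            for kind, value in classify(token):
                if (kind, value) not in seen:
                    seen.add((kind, value))
                    rows.append({"type": kind, "value": value,
                                 "defanged": defang(kind, value)})
    return rows


def to_csv(rows):
    """Serialise rows to CSV text (write to a file or hand to a feed consumer)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(extract_indicators(SAMPLE)), end="")
```

Two details matter when a device will consume the feed: normalisation (hashes lower-cased, hostnames lower-cased, IPv6 canonicalised by `ipaddress`) so the same indicator from two sources collapses to one row, and the order of the type checks, since a bare hex string must be tested as a hash before anything else and the domain pattern must run last because it would otherwise accept parts of URLs.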

Download the Playbook demonstrated in this video, here.

For more training resources, visit our Learning Portal at training.threatconnect.com.

The post Playbook Fridays: Converting your IOCs to CSVs appeared first on ThreatConnect | Intelligence-Driven Security Operations.

ThreatConnect and Tanium: Improved Incident Response with Intel Packages


ThreatConnect and Tanium’s partnership just got stronger. Recently, we released 3 Apps for Tanium Threat Response as well as developed a brand new Playbook App for Tanium Platform. With these Playbook Apps, you can take immediate action to investigate, stop, and remediate potential threats at the endpoint based on external threat intelligence.

Let’s dive in!

Tanium Threat Response

With this integration, you can send indicators and signatures to Tanium Threat Response as intel packages. This lets you hunt for malware across endpoints using malware file hashes or by deploying YARA rules to Tanium Threat Response. Other IOC types, such as Domains, URLs, and IP Addresses, along with a customizable set of context, can also be sent to Tanium Threat Response for monitoring. This deployment of intelligence can run in the background, transparent to the end user, or as part of a fully or semi-automated workflow via ThreatConnect’s Playbooks capability. All of this leads to a better-informed start to the Incident Response process.

  • Tanium Threat Response – Indicators (Runtime App)
    • Enables you to send address, host, and file indicators from ThreatConnect to your Tanium Threat Response instance as intel packages based on specified criteria. This functionality allows users to operationalize intelligence from ThreatConnect in the form of searching and monitoring for malicious indicators in your endpoint environment.
  • Tanium Threat Response – Signatures (Runtime App)
    • Enables you to send signatures from ThreatConnect to your Tanium Threat Response instance as intel packages based on specified criteria. This functionality allows you to operationalize intelligence from ThreatConnect in the form of signature-based searching and monitoring for malicious activity in your endpoint environment.
  • Tanium Threat Response Playbook App
    • The following actions are available:
      • Deploy Indicator Intel Package
      • Deploy Signature Intel Package
      • Delete Intel Package

Tanium Threat Response Playbooks App

Tanium Platform

With the Tanium Platform integration, you can ask relevant questions of Tanium about Indicators and Groups within ThreatConnect to build better-informed intelligence reports during the analysis phase, leading to greater efficiency and a more informed start to the Incident Response process. Because the Playbook App is flexible, you can also perform vulnerability identification tasks, such as finding endpoints in your enterprise running vulnerable versions of third-party applications. Coupling this with the intelligence available in ThreatConnect, whether native intelligence products from the ThreatConnect Research Team or rich third-party feed integrations, lets teams operationalize vulnerability intelligence in real time.

  • Tanium Platform Playbook App
    • The following actions are available:
      • Create Question
      • Get Question Results By ID
      • Get Saved Question Results By ID

Tanium Platform Playbook App


Together, ThreatConnect and Tanium provide a complete solution for your security teams that enables them to respond to threats and ask relevant questions of their systems. If you’re a ThreatConnect customer, please reach out to your dedicated Customer Success Team for more information on utilizing the Tanium Apps. If you’re not yet a customer and are interested in ThreatConnect and this integration, contact us at sales@threatconnect.com.


The post ThreatConnect and Tanium: Improved Incident Response with Intel Packages appeared first on ThreatConnect | Intelligence-Driven Security Operations.

ThreatConnect Research Roundup: Microsoft-Spoofing Domains


Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account. If you don’t have one, please click here to request your free TC Open account.

In this edition, we cover:

  • Microsoft-Spoofing Domains
  • Probable Konni Domains
  • .ics Calendar Phishing
  • Lucifer Cryptojacking/DDoS
  • DarkCrewBot
  • Emotet
  • WastedLocker

Roundup Highlight: Microsoft-Spoofing Domains

20200624A: Microsoft Spoofing Domains Registered Through Google and Hosted on a DigitalOcean IP


Our highlight in this Roundup is Incident 20200624A: Microsoft Spoofing Domains Registered Through Google and Hosted on a DigitalOcean IP. On June 24 2020, ThreatConnect Research identified three Microsoft-spoofing domains that were registered through Google on June 16 and 17 2020 and are or were each hosted on a probable dedicated server at a DigitalOcean IP address.

The identified domains and their hosting IPs include the following:

login-onmicrosoft[.]online (206.189.72[.]134)

login-onmicrosoftonline[.]com (159.203.57[.]75)

login-onmicrosoft[.]com (prev. 142.93.145[.]248)

Per urlscan.io, as of June 24 2020, login-onmicrosoft[.]online redirects to a Microsoft Online login URL. The login-onmicrosoftonline[.]com domain redirects to a legitimate Microsoft domain.

These domains are possibly related to a series of similar registrations through Google that are captured in associated Incidents in ThreatConnect.


ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.


Technical Blogs and Reports Incidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).


To receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.


The post ThreatConnect Research Roundup: Microsoft-Spoofing Domains appeared first on ThreatConnect | Intelligence-Driven Security Operations.
