Top 5 Actionable Cyber Threat Intelligence Insights
Get Advice and Knowledge From Secureworks' Threat Intelligence (TI) Experts
By: Stacy Leidwinger, VP of Portfolio Marketing
Secureworks® recently held its virtual 2021 Global Threat Intelligence Summit. The event featured a dozen sessions led by our Counter Threat Unit™ (CTU™) on a wide range of relevant topics for cybersecurity professionals. You can still watch all the sessions, which are available on-demand here. Here’s a taste of the top actionable cyber threat intelligence insights offered by our world-class TI experts.
Top Insight #1: Impeding Cobalt Strike
From CTU Cyber Intelligence Cell Director Mike McLellan’s “Defending at Scale: Identifying and Protecting Against Cobalt Strike” session 9
Cobalt Strike is a popular, commercially available pen testing tool. Unfortunately, the same attributes that make it great for pen testing also make it very useful for attackers seeking an initial foothold in your environment. After all, it’s ready-made, easy-to-access software that’s covert by design. And because it’s so widely used, it can be difficult to attribute its use to any specific bad actor. That’s why it’s present in almost 20% of the incident response engagements Secureworks has worked in 2021.
That said, Cobalt Strike and the techniques by which attackers use it are both very well-understood. Secureworks CTU researchers have developed a wealth of host and network countermeasures designed to detect how Cobalt Strike behaves in a network. In addition, by combining infrastructure fingerprinting and other techniques with automation and orchestration provided by the Secureworks CTU’s threat intelligence management system, CTU researchers are able to proactively identify Cobalt Strike attack infrastructure and publish those threat indicators to customers before they can be used in attacks.
What’s more, Secureworks CTU researchers have been able to take this same approach for a range of other malware threats, from other popular post-exploitation toolkits like Covenant, to commodity cybercrime malware like QakBot and SquirrelWaffle, to custom APT malware like PlugX and ShadowPad.
As this session showed, the two keys to success in protecting yourself against threat actors using prevalent malware threats like Cobalt Strike are 1) ensuring that you have access to the full range of behavioral and reputational attack indicators and 2) being able to quickly put that cyber threat intelligence to work, preferably through automation.
Top Insight #2: Applying TI to Your Environment
From CTU Threat Research Director Chris Yule’s “Threat Unintelligence: The Myths and Pitfalls of Threat Intelligence” session 10
The tired old saying may be that “Knowledge is power,” but when it comes to cybersecurity, that’s simply not true. Threat intelligence alone is not power. It’s the effective application of threat intelligence that gives you power against cyber threats.
This session tackled that challenge head-on with several worthwhile tips. One is not to use TI only to detect indicators of compromise, as many organizations do. Once you’ve detected a threat, make sure you understand what that threat really is by combining cyber threat intelligence with the business context of your environment; that will make your teams much more effective than just blocking individual indicators.
Another tip: Beware an overly simplistic view of the “false positive.” Many teams will call it a “false positive” if, say, they detect a threat indicator that was successfully blocked by a firewall. But that’s not really a false positive. It’s a true positive that fortunately was benign.
It’s not always necessary to digest the entirety of a published threat intelligence report all at once. Some TI is about the early indicators and signs to watch out for. It is essential to be proactive about applying that TI. Other TI is about how a given attack may progress. It’s good to have a cursory understanding of that TI. But what’s really important is to simply know that such TI exists—and that it’s available to you if and when you have to be reactive to an actual incident.
Top Insight #3: Ransomware Tests SecOps Vigilance
From Senior Security Researcher Marcelle Lee’s “Ransomware…Where Next?” session 2
Ransomware keeps getting more and more troublesome. One reason is the increasing resources and sophistication of ransomware gangs. Related to that, the ransomware ecosystem is becoming more specialized—which also makes it more scalable. Ransomware developers now monetize their malicious creations by selling them to “affiliates” under some kind of Ransomware-as-a-Service (RaaS) arrangement. Those affiliates, in turn, can save themselves the time and effort of scanning for targets by simply buying ready-made footholds from “initial access brokers” (IABs) who specialize in finding and compromising vulnerable targets of opportunity.
You can no longer consider yourself safe from ransomware just because you have current backups that you can revert to if an attacker encrypts your high-value data. That’s because ransomware operators have begun exfiltrating data, rather than just encrypting it in place. Now they have even stronger leverage in negotiations with their victims.
The good news is you can still protect yourself against ransomware by focusing on prevention and, where that fails, on early detection and response. Proper implementation of security fundamentals around vulnerability prioritization, multi-factor authentication, and endpoint detection can deter these opportunistic threat actors. Even where prevention fails, as inevitably it sometimes will, there is a window within which these attacks can be detected and contained – if you have sufficiently robust cyber threat intelligence, the right detection tools, and a real commitment to threat-hunting vigilance.
Top Insight #4: The China-COVID-SOHO Connection
From Security Researcher Marc Burnard’s “Levelling Up: The Evolving Threat from China” session 3
We all know that China is among the top state actors engaged in cyber espionage and other activity. We also know that, thanks to its considerable resources, the technical sophistication of China’s attacks is rapidly advancing.
That general knowledge alone, however, does little to help organizations defend themselves against Chinese state-sponsored threats — which are responsible for China’s assaults upon other countries’ digital infrastructure.
Fortunately, Secureworks security researchers are closely studying these threats to help both public- and private-sector organizations better defend themselves. In this session, Marc Burnard analyzed how reorganization of the People’s Liberation Army (PLA) – one of the two main players when it comes to Chinese cyber espionage – has influenced the targeting that CTU researchers have observed from PLA-associated threat groups. This matters, because by knowing where the different threat groups are focused, organizations can better prioritize for those that are most likely to target them.
At a more tactical level, Marc identified some other evolutions in Chinese cyber espionage activity. One was the shift to using compromised SOHO routers for ‘command and control’ of network intrusions so that the attack traffic appears to originate from the same country where the victim is located, making it look less suspicious. Another was the use of increasingly complex techniques to load malware, as demonstrated by BRONZE ATLAS, a Chinese state-sponsored group likely affiliated with the Ministry of State Security, the other major player when it comes to Chinese cyber espionage.
While multi-factor authentication (MFA) should theoretically help organizations prevent many kinds of attacks, that’s not always the case. Secureworks has detected instances where Chinese threat actors have been able to identify accounts that have not yet been enrolled for MFA, compromise those accounts, and then enroll their own devices – effectively bypassing the security control. MFA is incredibly important, but it needs to be implemented properly.
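One way to hunt for the enrollment pattern described above and to list the accounts still exposed to it, as an added example that is not Secureworks code. The event type names, the 30-day grace period, the one-hour "new source" window and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed identity-provider events: (timestamp, user, event type, source IP).
# The event type names are assumptions, not any vendor's log schema.
EVENTS = [
    ("2021-03-01T09:00:00", "alice", "account_created", "10.0.0.5"),
    ("2021-03-01T09:20:00", "alice", "mfa_enrolled", "10.0.0.5"),
    ("2021-01-05T08:00:00", "carol", "account_created", "10.0.0.8"),
    ("2021-05-01T10:00:00", "carol", "mfa_enrolled", "10.0.0.8"),
    ("2021-01-10T08:00:00", "svc-scan", "account_created", "10.0.0.9"),
    ("2021-06-02T02:14:00", "svc-scan", "login_password_only", "203.0.113.40"),
    ("2021-06-02T02:16:00", "svc-scan", "mfa_enrolled", "203.0.113.40"),
    ("2021-02-01T08:00:00", "bob", "account_created", "10.0.0.7"),
]

GRACE = timedelta(days=30)       # assumed enrollment deadline after account creation
NEW_SOURCE = timedelta(hours=1)  # a source first seen this recently counts as new


def audit_mfa(events, now):
    """Return (suspicious first enrollments, accounts still unenrolled past GRACE)."""
    created, first_seen, enrolled, suspicious = {}, {}, set(), []
    # ISO-8601 timestamps in one format sort chronologically as strings.
    for raw_ts, user, kind, ip in sorted(events):
        ts = datetime.fromisoformat(raw_ts)
        first_seen.setdefault((user, ip), ts)
        if kind == "account_created":
            created[user] = ts
        elif kind == "mfa_enrolled" and user not in enrolled:
            enrolled.add(user)
            # Late first enrollment is normal on its own (carol); it becomes
            # worth reviewing when it comes from a source the account has
            # only just started using (svc-scan).
            late = user in created and ts - created[user] > GRACE
            new_source = ts - first_seen[(user, ip)] < NEW_SOURCE
            if late and new_source:
                suspicious.append((user, ip, raw_ts))
    exposed = sorted(u for u, c in created.items()
                     if u not in enrolled and now - c > GRACE)
    return suspicious, exposed


if __name__ == "__main__":
    flagged, exposed = audit_mfa(EVENTS, datetime(2021, 6, 3))
    print("review these enrollments:", flagged)
    print("enroll or disable:", exposed)
```

The second list is the preventive half: accounts that have passed the grace period without enrolling are the ones to enroll or disable before someone else enrolls a device for them.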
Top Insight #5: Learning About Diamonds from North Korea
From CTU Senior Security Researcher Rafe Pilling’s “Op Rainbow Safari: A North Korean Supply Chain Attack” session 7
This session actually offered three great takeaways in one. The first came from a campaign likely waged by North Korea’s Reconnaissance General Bureau (RGB) against an organization involved in COVID-19 research. North Korean threat groups are engaged in science and technology intellectual property theft and will target international companies involved in research they are interested in. Commonly this includes energy production, nuclear technology, and defense technology, but during a specific crisis like COVID-19, tasking will pivot to relevant topics like medical research.
Rafe provided significant detail of the campaign, highlighting a variety of specific malware variants that were used during the attack, comprising both custom malware and off-the-shelf commercial or publicly available tools.
The second takeaway comes from the fact that the compromise was perpetrated through the organization’s supply chain. This exploit underscores how important it is to understand the trust relationships your organization has with third parties—particularly those who have direct network connections into your environment—and mitigate the associated risk through controls such as network segmentation, MFA, and effective security monitoring of the IT environment. The attack was conducted by state-sponsored threat actors, but the tradecraft would have been detectable with the right controls in place.
Last but not least, this session started with the presentation of the “diamond model” for threat attribution. First coined in 2013, this model has been utilized for years by top TI researchers. It models attacks using four points of a “diamond”—attacker, victim, infrastructure, and capability – and by plotting data points from identified activity against this model, it is possible to cluster observed activity into what Secureworks CTU researchers describe as “threat groups.” If your job involves tracking cyber threats and you’re not already familiar with this model, you should be!
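The clustering step described above can be sketched as follows; this is an added example, not the CTU's method or tooling. It links observed events that share an infrastructure or capability value and, as an assumption drawn from the Cobalt Strike discussion earlier on this page, refuses to link on widely shared tools. All observation values are constructed placeholders.

```python
from collections import defaultdict

# Constructed observations (placeholders, not real indicators). The attacker
# point of the diamond is unknown at this stage; the clusters stand in for it.
OBSERVATIONS = [
    {"id": "E1", "victim": "research-lab", "infrastructure": "198.51.100.7", "capability": "custom-loader-A"},
    {"id": "E2", "victim": "supplier", "infrastructure": "198.51.100.7", "capability": "Cobalt Strike"},
    {"id": "E3", "victim": "energy-co", "infrastructure": "203.0.113.9", "capability": "custom-loader-A"},
    {"id": "E4", "victim": "retailer", "infrastructure": "192.0.2.44", "capability": "Cobalt Strike"},
    {"id": "E5", "victim": "retailer", "infrastructure": "192.0.2.45", "capability": "custom-rat-B"},
]
# Widely used tools say little about who is behind an event, so they never link.
COMMODITY = {"Cobalt Strike"}
# A shared victim is not evidence of a shared attacker, so it is not a link key.
LINK_ON = ("infrastructure", "capability")


def cluster(observations, commodity=COMMODITY):
    """Group event ids into candidate threat groups with union-find."""
    parent = {o["id"]: o["id"] for o in observations}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    owner = {}  # (feature, value) -> first event observed with that value
    for o in observations:
        for feature in LINK_ON:
            value = o[feature]
            if value in commodity:
                continue
            key = (feature, value)
            if key in owner:
                parent[find(o["id"])] = find(owner[key])
            else:
                owner[key] = o["id"]

    groups = defaultdict(list)
    for o in observations:
        groups[find(o["id"])].append(o["id"])
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    print(cluster(OBSERVATIONS))
```

Passing an empty commodity set merges E4 into the first cluster purely because both events used Cobalt Strike, which is the over-attribution the exclusion list prevents.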
In addition to these insights, Secureworks has published more detailed information in our 2021 State of the Threat Report. Also, if you want to learn how Secureworks delivers this threat intelligence, at scale, to organizations at the point in time they need it, check out how we create high quality, actionable threat intelligence.