Dell SecureWorks Counter Threat Unit™ (CTU) researchers have previously discussed ways for enterprises to use threat intelligence to detect and respond to compromises more effectively. IT professionals should ask themselves: "If these tactics, techniques, and procedures (TTPs) were used in an intrusion against my company, would we detect them?" Working through that question is the best way for an organization to decide how to prioritize its Computer Network Defense (CND) resources.
CTU researchers use data obtained from targeted threat response engagements to identify patterns and trends in adversary operations. In one example that bears directly on the prioritization question, intrusions attributed to Threat Group-0416 (TG-0416) were plotted over time and by industry vertical (see Figure 1). The findings show TG-0416 playing a game of "vertical hopscotch."
Figure 1. TG-0416 compromises by vertical. (Source: Dell SecureWorks)
Starting in 2011, TG-0416 focused on breaching technology, manufacturing, and government verticals. In 2012, the threat actors transitioned to compromising the healthcare vertical and have continued uninterrupted through 2015. In addition, TG-0416 victimized utility and membership verticals in early 2013. CTU researchers assess with high confidence that TG-0416 will continue to compromise enterprises across numerous verticals.
While the data in Figure 1 represents only the TG-0416 activity observed by CTU researchers, it demonstrates that a threat group victimizing one vertical today may move into new verticals tomorrow. Organizations should never dismiss a group because it appears to target only other industries. CTU researchers recommend carefully mapping each threat group's TTPs to existing security controls and planning mitigations for the gaps as resources allow.
TG-0416 is another threat group known for "living off the land," relying on tools already present on the victim's systems rather than on custom malware. In particular, the threat actors move laterally by creating scheduled tasks that execute binaries on target systems. Because this activity blends in with legitimate administration, the CTU research team advises organizations to hunt for anomalous and illegitimate activity involving remote access solutions where two-factor authentication (2FA) is not implemented, rather than waiting for a malware signature to fire.
The Dell SecureWorks Counter Threat Unit™ (CTU) research team tracks threat groups by assigning them four-digit randomized numbers (0416 in this case), and compiles information from external sources and from first-hand incident response observations.