Kevin Neely :donor: · @ktneely
261 followers · 557 posts · Server infosec.exchange

@patrickcmiller Started reading the blog post because I couldn't figure out what this would do for me. Ah-ha! It's for people that don't know or understand

#mitreattack

Last updated 2 years ago

TropChaud · @IntelScott
213 followers · 39 posts · Server infosec.exchange

Gootloader is a highly active banking Trojan-turned-loader that has recently appeared on multiple vendors’ priority threat lists, attacking organizations in a wide range of verticals & countries. If your leadership or other stakeholders asked for a list of this threat's most common TTPs, would you be able to provide it quickly?

Now you can, with the Gootloader matrix available in Tidal’s free Community Edition: app.tidalcyber.com/share/796ca

Gootloader, also referred to by its related payload, Gootkit, first emerged in 2014 but has been especially active since 2020. Despite this, technical reporting around its TTPs has been relatively light until even more recently. In the past two years alone, verticals including finance, healthcare, defense, pharmaceutical, energy, & automotive have faced Gootloader campaigns, with victims across North America, Western Europe, & South Korea, and the malware is regularly used to deliver high-impact payloads, including Cobalt Strike, IcedID (a common ransomware precursor), & more. Industry-based profiling can be a powerful tool, but even if your industry (or your corner of it) hasn’t yet directly observed Gootloader activity, we believe broad-based threats like this should be on most teams’ radars.

Our matrix summarizes Gootloader TTPs detailed across several great recent technical reports. Reports from SentinelLabs, Cybereason, & The DFIR Report were helpfully pre-mapped to ATT&CK, and we mapped a couple of other detailed analyses. Procedural details are even available for nearly all the included technique mappings – be sure to click the Technique Set’s label in the ribbon at the top of the screen to pivot into the Details page with this information & relevant source links throughout.

Red Canary & The DFIR Report helpfully provided tool-agnostic suggested logic for key behaviors observed during recent Gootloader campaigns here redcanary.com/blog/gootloader/ and here thedfirreport.com/2022/05/09/s. Take a wider view by layering entire segments of your defensive stack over the back in the Community Edition, by toggling on any of the mappings available in @tidalcyber's Product Registry app.tidalcyber.com/vendors

#detection #cti #sharedwithtidal #threatinformeddefense #cobaltstrike #initialaccess #blueteam #Gootloader #malware #ttp #Gootkit #healthcare #icedid #ransomware #threat #mitreattack

Last updated 2 years ago

Tidal Cyber · @tidalcyber
15 followers · 19 posts · Server infosec.exchange

We're starting a new blog series! Every month, look for our Making Waves blog post to review the techniques our adversary intelligence team observed in public threat research and reporting in the last month, and learn how you can reinforce your defenses.

In our first post of the series, we're looking back at January with information around Masquerading, Install Digital Certificate, and others. Check it out!

tidalcyber.com/blog/making-wav

#mitreattack #cybersecurity #ttp #threatintel

Last updated 2 years ago

ath0 · @scottlink
229 followers · 346 posts · Server infosec.exchange

: day 28 : Doing some Attack Chain threat modeling. After getting a Flipper Zero and playing with BadUSB, I've gotten my hands on a Rubber Ducky. Looking at ATT&CK I notice the only BadUSB references are in footnotes! I think it fits as either Hardware Additions or as a Phishing technique. What say you and , since it's not explicitly called out as a technique, do I infer this as "not likely"?

#hack100days #FlipperZero #hak5 #mitreattack #redteam #blueteam #infosec

Last updated 2 years ago

TropChaud · @IntelScott
192 followers · 36 posts · Server infosec.exchange

Rhadamanthys seems to be having a moment right now. Quick rundown on what we know about infection trends & its post-exploit TTPs.

Discovered last summer, it's one of several popular & emerging infostealers with new/improved evasion and/or theft capabilities observed in recent months. Like many popular families, Rhadamanthys' initial infections occur via multiple vectors, including & email attachments and - increasingly - legitimate web search ads: malware-traffic-analysis.net/2, blog.cyble.com/2023/01/12/rhad

In our broad analysis of the infostealer threat landscape, we identified TTPs associated with 16 families across dozens of public reports. We've already added more reported techniques to Rhadamanthys' set since the report dropped this week tidalcyber.com/blog/big-game-s

There is still somewhat limited public reporting on this threat to date, although we've identified 22 (sub-)techniques associated with Rhadamanthys so far. Visualize them and pivot to associated defensive & offensive testing capabilities here: app.tidalcyber.com/share/techn

In addition to the reports above, two other resources here: accenture.com/us-en/blogs/secu, threatmon.io/rhadamanthys-stea. Thanks to the teams that published great reporting & analysis around Rhadamanthys so far, including ThreatMon, Accenture, @malware_traffic & Cyble.

#rhadamanthys #stealer #infostealer #malware #phishing #spam #mitreattack #threatinformeddefense #credentials #cookies #mfa #2fa

Last updated 2 years ago

Michalis Michalos · @cyb3rmik3
5 followers · 2 posts · Server infosec.exchange

Recent TA developments surfaced from the Uber & Cisco breaches, along with tools including EvilProxy campaigns, led to MFA improvements. Microsoft introduced passwordless MFA along with further configuration options for additional context, including sign-in location and application.

➜ A guide to enable and configure MFA number matching & additional context.
➜ Mapped MITRE ATT&CK tactics, techniques and mitigations.

cyb3rmik3.github.io/microsoft3

#microsoft #microsoft365 #microsoftazure #microsoftsecurity #mitreattack #cybersec #cybersecurity #cti #threatintel #microsoftcloud #cloudsecurity

Last updated 2 years ago

Abdullah Baghuth · @0xCyberY
5 followers · 5 posts · Server infosec.exchange

Mitre Assistant

The Mitre-Assistant surfaced as a collaboration tool amongst many people and skillsets that needed to work with The Mitre Corporation's ATT&CK Matrix.

docs-ma.vercel.app/docs/projec

#mitreattack #cybersecurity

Last updated 2 years ago

grep_security · @grep_security
104 followers · 97 posts · Server infosec.exchange

Having recently learned about threat-informed defense strategy and gotten to know the @tidalcyber platform, I was able to quickly draw the coverage of TTPs used by threat actors targeting the healthcare industry against the OSS analytics available as a feed, just to know which techniques weren't covered by the analytics. I would say we can capture the OSS matrix as a baseline to deduce what's missing in your defense.

Here's the MITRE ATT&CK coverage for publicly available analytics from "detection-rules" and "security_content" vs. known threat actors targeting the healthcare industry.

app.tidalcyber.com/share/f09fa

#elastic #splunk #threatintel #infosec #threathunting #mitreattack #healthcare #cybersecurity

Last updated 2 years ago

Eric Sheesley · @esheesle
33 followers · 90 posts · Server infosec.exchange

Even Santa can be categorized using MITRE ATT&CK.
"Knows if you've been bad or good" - Gather victim host information
Coming down the chimney - External remote services
Leaving presents - Create or modify system processes
Makes everyone love him - Firmware corruption

That said, let's embrace the holiday magic everyone!

#mitreattack

Last updated 2 years ago

TropChaud · @IntelScott
162 followers · 24 posts · Server infosec.exchange

⚠️ Cuba Ransomware resources drop ⚠️

A new ransomware advisory comes in hot to one of your intelligence channels – what are your next steps? In our latest video, we walk through our approach to a situation like this, which analysts face almost every day amid growing volumes of CTI shared in the community today youtube.com/watch?v=K1a6Mac1-y

Link to the latest @CISA @FBI alert on Cuba Ransomware, published Dec 1 (and updated just yesterday) cisa.gov/uscert/ncas/alerts/aa

Past advisories on five other highly active ransomware in targeting U.S. critical infrastructure – and many other – organizations just this year: cisa.gov/stopransomware/stopra

According to the alert, “Since spring 2022, Cuba ransomware actors have modified their TTPs and tools to interact with compromised networks and extort payments from victims.” We’re likely to see more of this “TTP evolution” theme in 2023. As adversaries continue to evolve their TTPs rapidly and often, we had the chance to write more about this trend on our blog recently: tidalcyber.com/blog/adversary-

(And here’s another piece covering TTP evolution relative to another top malware, QakBot tidalcyber.com/blog/identifyin)

In the walkthrough, we highlight metrics around threats made on ransomware “extortion blogs” as just one public data point around Cuba’s growing threat in recent months. The figures come from this incredible public dataset github.com/joshhighet/ransomwa

The rest of the walkthrough centers on our free Community Edition tool. Jump into it here: app.tidalcyber.com/. No registration is required to access a ton of features (including everything shared below) but you know the drill: you’ll ultimately find the most value with a quick email sign-up 📋

Ransomware details from app.tidalcyber.com/software/09

Technique set for Cuba TTPs published in February app.tidalcyber.com/share/6fbf9 (source: mandiant.com/resources/blog/un)

Cuba technique set based on CISA’s/FBI’s new alert: app.tidalcyber.com/share/11c63

Script to quickly convert techniques & procedures from recent into a technique “layer” json file: github.com/mitre-attack/attack

LSASS Memory technique details page, with pivots to aligned defensive capabilities, detection analytics, & tests: app.tidalcyber.com/technique/a

Cuba Ransomware report referencing LSASS Memory & Disable or Modify Tools techniques: unit42.paloaltonetworks.com/cu

Disable or Modify Tools technique details page: app.tidalcyber.com/technique/9

Final Cuba Ransomware technique time series comparison/overlay: app.tidalcyber.com/share/7631b

Dashboard we’re maintaining covering all TTPs from the alert series, currently spotlighting six high-priority ransomware and updated each time CISA publishes a new alert: app.tidalcyber.com/share/9c1f0

Join the Tidal Community Slack channel to engage with & learn from others throughout the space join.slack.com/t/tidalcommunit

Catch this and other walkthroughs on the @tidal Cyber YouTube channel youtube.com/@tidalcyber6071

#stopransomware #ransomware #cuba #mitreattack #cti #threatinformeddefense #cyberthreatintelligence #cybersecurity #osint #sharedwithtidal

Last updated 2 years ago

Cyentia Institute · @cyentiainst
40 followers · 30 posts · Server infosec.exchange

We are searching for multiple R&D sponsors to support R&D efforts leading to the publication of a meta-study of MITRE ATT&CK tactics and techniques. Reach out to our team for more information on how you can become a sponsor!
cyentia.com/sponsors-attack-st

#research #sponsor #infosec #cybersecurity #risk #riskmanagement #cyberriskquantification #publication #data #researchanddevelopment #ciso #riskmanager #mitreattack #study

Last updated 2 years ago

@fugueish Yes, but I think your CSIRP and related processes would need to reference MITRE ATT&CK and require it before it would be widely used.
It can get you started on mapping out any possible threat, risk, or attack you can think of and help you come up with mitigations. But if everybody isn't using it, you'll have references and language that only some teams understand.
In real life, it is nice when our security tools link to MITRE ATT&CK because we can quickly understand what a particular alert is about. But we don't put that on a report that goes to anybody else, because, as of right now, they would have no idea what T1548.002 means.

#mitre #mitreattack #mitreattck #csirp #csirt #infosec

Last updated 2 years ago

Cyentia Institute · @cyentiainst
31 followers · 10 posts · Server infosec.exchange

Team up with us against the dark side! We are searching for R&D sponsors to support the production & publication of a MITRE ATT&CK meta-study 👇

✵ Benefits of being a sponsor:

✓ Recognition in the published report (prominent placement of logo, short description, etc.)

✓ Recognition in promotional activities related to the report (verbally mentioned in presentations, social tagging, etc)

✓ Dedicated space (1 page) in the published study to add your perspective and recommendations on the findings

✓ Media assets that include high-resolution versions of all data visualizations to use in your own promotional activities

✓ Ability to create a branded version of the study to distribute independently via your own channels (cannot alter main content)

✓ Sponsors of the optional Cybersecurity Research Library enhancements will receive additional recognition specific to those projects (to be discussed/determined as part of scoping).

✵ What’s the goal of the study?

More and more cybersecurity industry reports include statistics around commonly detected ATT&CK techniques. That’s great in terms of having more data available for defenders and decision-makers, but a challenge arises to draw collective conclusions from them regarding the most common techniques. Cloud, network, and endpoint vendors/products have different vantage points, varying levels of visibility across tactics, and thus tend to report vastly different techniques. Incident responders have a different perspective than intelligence analysts. Reports from law enforcement agencies will differ from those of law firms. And the list goes on.

This study will compare and contrast all those sources to find common threads among them that will aid organizations seeking to build a more threat-informed defense.

Reach out to our research team for more information on how you can become a sponsor: cyentia.com/sponsors-attack-st

#cybersecurity #risk #riskmanagement #cyberriskquantification #researchanddevelopment #sponsor #ciso #riskmanager #mitreattack

Last updated 2 years ago

Ismael Valenzuela, @Joseliyo_Jstnk and I have been working on an analysis of cyber threats in Spain, Chile, Mexico, Argentina, Brazil, Colombia and Ecuador, covering their motivations and their TTPs.

We have just published it at github.com/blackberry/threat-r

#ttps #mitredefend #mitreattack #jupyternotebook #threatsighting

Last updated 2 years ago

azurechrom · @azurechrom
24 followers · 68 posts · Server noc.social

Another badge down in my . Getting there, bit by bit.

#professionaldevelopment #cybersec #cybermonday #mitreattack

Last updated 2 years ago

HaircutFish · @haircutfish
35 followers · 37 posts · Server infosec.exchange

Next write-up is Task 3 from the TryHackMe MITRE Room. This task is a deep dive on the MITRE ATT&CK Framework. I loved this task so much, as it felt like I was actually doing the research for an actual SOC!!! Check out the write-up and follow along!!!

medium.com/@haircutfish/tryhac

#tryhackme #mitreattack #soc

Last updated 2 years ago