I'm excited to set this up tomorrow:
https://www.darkreading.com/threat-intelligence/cisa-mitre-look-to-takeattack-framework-out-of-the-weeds
@patrickcmiller Started reading the blog post because I couldn't figure out what this would do for me. Ah-ha! It's for people that don't know or understand #mitreattack
#Gootloader is a highly active banking Trojan-turned-loader #malware that has recently appeared on multiple vendors’ priority threat lists, attacking organizations in a wide range of verticals & countries. If your leadership or other stakeholders asked for a list of this threat's most common TTPs, would you be able to provide it quickly?
Now you can, with the Gootloader #TTP matrix available in Tidal’s free Community Edition: https://app.tidalcyber.com/share/796cacb6-3bb1-474b-9747-abcce2c47de2
Gootloader, also referred to by its related payload, #Gootkit, first emerged in 2014 but has been especially active since 2020. Despite this, technical reporting around its TTPs has been relatively light until even more recently. In the past two years alone, verticals including finance, #healthcare, defense, pharmaceutical, energy, & automotive have faced Gootloader campaigns, with victims across North America, Western Europe, & South Korea, and the malware is regularly used to deliver high-impact payloads, including Cobalt Strike, #IcedID (a common #ransomware precursor), & more. Industry-based #threat profiling can be a powerful tool, but even if your industry (or your corner of it) hasn’t yet directly observed Gootloader activity, we believe broad-based threats like this should be on most teams’ radars.
Our matrix summarizes Gootloader TTPs detailed across several great recent technical reports. Reports from SentinelLabs, Cybereason, & The DFIR Report were helpfully pre-mapped to #mitreattack, and we mapped a couple other detailed analyses. Procedural details are even available for nearly all the included technique mappings – be sure to click the Technique Set’s label in the ribbon at the top of the screen to pivot into the Details page with this information & relevant source links throughout.
Red Canary & The DFIR Report helpfully provided tool-agnostic suggested #detection logic for key behaviors observed during recent Gootloader campaigns here https://redcanary.com/blog/gootloader/ and here https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/. Take a wider view by layering entire segments of your defensive stack over the #CTI back in the Community Edition, by toggling on any of the mappings available in @tidalcyber's Product Registry https://app.tidalcyber.com/vendors.
#SharedWithTidal #threatinformeddefense #CobaltStrike #initialaccess #blueteam
We're starting a new blog series! Every month, look for our Making Waves blog post to review the #mitreattack techniques our adversary intelligence team observed in public threat research and reporting in the last month, and learn how you can reinforce your defenses.
In our first post of the series, we're looking back at January with information around Masquerading, Install Digital Certificate, and others. Check it out!
#cybersecurity #ttp #threatintel
https://www.tidalcyber.com/blog/making-waves-ttp-intelligence-highlights-in-january
#hack100days : day 28d : Doing some Attack Chain threat modeling. After getting a #flipperZero and playing with BadUSB, I've gotten my hands on a #Hak5 Rubber Ducky. Looking at #mitreattack I notice the only BadUSB references are in footnotes! I think it fits as either Hardware Additions or as a Phishing technique. What say you #redteam and #blueteam, since it's not explicitly called out as a technique, do I infer this as "not likely"? #infosec
#Rhadamanthys #stealer seems to be having a moment right now. Quick rundown on what we know about infection trends & its post-exploit TTPs
Discovered last summer, it's one of several popular & emerging #infostealer #malware with new/improved evasion and/or theft capabilities observed in recent months. Like many popular families, Rhadamanthys initial infections occur via multiple vectors, including #phishing & #spam email attachments and - increasingly - legitimate web search ads: https://www.malware-traffic-analysis.net/2023/01/03/index.html, https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/
In our broad analysis of the infostealer threat landscape, we identified #mitreattack TTPs associated with 16 families across dozens of public reports. We've already added more reported techniques to Rhadamanthys' set since the report dropped this week https://www.tidalcyber.com/blog/big-game-stealing-part-1-the-infostealer-landscape-rising-infostealer-threats-to-businesses-w
Still somewhat limited public reporting on this threat to date, although we've identified 22 (sub-)techniques associated with Rhadamanthys so far. Visualize them and pivot to associated defensive & offensive testing capabilities here: https://app.tidalcyber.com/share/techniqueset/48405ee2-b243-4bda-a6c2-75eb80869056
In addition to the reports above, two other resources here: https://www.accenture.com/us-en/blogs/security/information-stealer-malware-on-dark-web, https://threatmon.io/rhadamanthys-stealer-analysis-threatmon/. Thanks to the teams that published great reporting & analysis around Rhadamanthys so far, including ThreatMon Accenture @malware_traffic & Cyble
Recent TA developments surfaced from the Uber & Cisco breaches, along with tools including EvilProxy campaigns, led to MFA improvements. #Microsoft introduced passwordless MFA along with further configuration options for additional context, including sign-in location and application.
➜ A guide to enable and configure MFA number matching & additional context.
➜ Mapped MITRE ATT&CK tactics, techniques and mitigations.
#Microsoft365 #MicrosoftAzure #MicrosoftSecurity #MITREATTACK #CyberSec #CyberSecurity #CTI #ThreatIntel #MicrosoftCloud #CloudSecurity
Mitre Assistant
The Mitre-Assistant surfaced as a collaboration tool amongst many people and skillsets that needed to work with The Mitre Corporation's ATT&CK Matrix.
Having recently learned about threat-informed defense strategy and gotten to know the @tidalcyber platform, I was able to quickly draw the coverage of TTPs used by Threat Actors targeting the Healthcare industry against the OSS analytics available as a feed, just to know which techniques weren't covered in the analytics. I would say we can capture the OSS Matrix as a baseline to deduce what's missing in your defense.
Here's the MITRE ATT&CK coverage for publicly available analytics from #Elastic "detection-rules" and #Splunk "security_content" vs Known Threat Actors targeting the Healthcare industry.
https://app.tidalcyber.com/share/f09fa1b1-51a6-4a6f-98ff-de2b86cee0cd
#threatintel #infosec #threathunting #mitreattack #healthcare #cybersecurity
Even Santa can be categorized using #mitreattack.
"Knows if you've been bad or good" - Gather victim host information
Coming down the chimney - External remote services
Leaving presents - Create or modify system processes
Makes everyone love him - Firmware corruption
That said, let's embrace the holiday magic everyone!
⚠️ Cuba Ransomware resources drop ⚠️
A new ransomware advisory comes in hot to one of your intelligence channels – what are your next steps? In our latest video, we walk through our approach to a situation like this, which analysts face almost every day amid growing volumes of CTI shared in the community today https://www.youtube.com/watch?v=K1a6Mac1-y4
Link to the latest @CISA @FBI #StopRansomware alert on Cuba Ransomware, published Dec 1 (and updated just yesterday) https://www.cisa.gov/uscert/ncas/alerts/aa22-335a
Past advisories on five other #ransomware highly active in targeting U.S. critical infrastructure – and many other – organizations just this year: https://www.cisa.gov/stopransomware/stopransomware
According to the alert, “Since spring 2022, Cuba ransomware actors have modified their TTPs and tools to interact with compromised networks and extort payments from victims.” We’re likely to see more of this “TTP evolution” theme in 2023. As adversaries continue to evolve their TTPs rapidly and often, we had the chance to write more about this trend on our blog recently: https://www.tidalcyber.com/blog/adversary-ttp-evolution-and-the-value-of-ttp-intelligence
(And here’s another piece covering TTP evolution relative to another top malware, QakBot https://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps)
In the walkthrough, we highlight metrics around threats made on ransomware “extortion blogs” as just one public data point around Cuba’s growing threat in recent months. The figures come from this incredible public dataset https://github.com/joshhighet/ransomwatch
The rest of the walkthrough centers on our free Community Edition tool. Jump into it here: https://app.tidalcyber.com/. No registration is required to access a ton of features (including everything shared below) but you know the drill: you’ll ultimately find the most value with a quick email sign-up 📋
#Cuba Ransomware details from #mitreattack https://app.tidalcyber.com/software/095064c6-144e-4935-b878-f82151bc08e4-Cuba
Technique set for Cuba TTPs published in February https://app.tidalcyber.com/share/6fbf994c-d6c9-42fd-8ee9-8954865d6d6f (source: https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware)
Cuba technique set based on CISA’s/FBI’s new alert: https://app.tidalcyber.com/share/11c631bc-be34-463d-9d24-852a6f414b2a
Script to quickly convert techniques & procedures from recent #CTI into a technique “layer” json file: https://github.com/mitre-attack/attack-navigator/blob/master/layers/attack_layers/attack_layers_simple.py
LSASS Memory technique details page, with pivots to aligned defensive capabilities, detection analytics, & tests: https://app.tidalcyber.com/technique/ab0da102-5a14-42b1-969e-5d3daefdf0c5-LSASS%20Memory
Cuba Ransomware report referencing LSASS Memory & Disable or Modify Tools techniques: https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/
Disable or Modify Tools technique details page: https://app.tidalcyber.com/technique/9f290216-b2ab-47b5-b9ae-a94ae6d357c6-Disable%20or%20Modify%20Tools
Final Cuba Ransomware technique time series comparison/overlay: https://app.tidalcyber.com/share/7631b2a7-2c0d-49ee-ac12-ca9c92ad4a72
Dashboard we’re maintaining covering all TTPs from the #StopRansomware alert series, currently spotlighting six high-priority ransomware and updated each time CISA publishes a new alert: https://app.tidalcyber.com/share/9c1f08a2-b823-4e11-a8a5-01335fb0215e
Join the Tidal Community Slack channel to engage with & learn from others throughout the #threatinformeddefense space https://join.slack.com/t/tidalcommunity/shared_invite/zt-1ljrtdtkm-VGi8fa5VYhLma4o1Vu33nA
Catch this and other walkthroughs on the @tidal Cyber YouTube channel https://www.youtube.com/@tidalcyber6071
#cyberthreatintelligence #cybersecurity #OSINT #SharedWithTidal
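As an added example serving both the healthcare coverage-gap post above and the technique "layer" JSON script mentioned in the Cuba post (this is my own illustration, not code from Tidal, MITRE or any poster): it takes a constructed set of technique IDs reported for an actor, diffs it against the IDs your analytics claim to cover, and writes an ATT&CK Navigator layer that colours the gaps. The layer field names are those of the public Navigator layer format as I know it (assumed layer version 4.4); the sample IDs are real ATT&CK IDs picked for illustration.

```python
"""Coverage-gap Navigator layer builder (added example, not Tidal's or MITRE's code)."""
import json

# Constructed sample data: technique IDs named in the posts above plus two more.
# A real workflow would pull these from CTI reports and from the ATT&CK tags
# carried in Elastic "detection-rules" / Splunk "security_content" rule metadata.
ACTOR_TTPS = {
    "T1003.001",  # OS Credential Dumping: LSASS Memory
    "T1562.001",  # Impair Defenses: Disable or Modify Tools
    "T1548.002",  # Abuse Elevation Control Mechanism: Bypass User Account Control
    "T1133",      # External Remote Services
}
ANALYTICS_COVERAGE = {"T1003.001", "T1548.002", "T1059.001"}  # constructed rule set


def coverage_gap(actor_ttps, covered):
    """Return (uncovered, covered) technique IDs relevant to the actor, sorted."""
    gap = sorted(set(actor_ttps) - set(covered))
    hit = sorted(set(actor_ttps) & set(covered))
    return gap, hit


def build_layer(name, actor_ttps, covered):
    """Build a Navigator layer dict: gaps scored 0 (red), covered scored 1 (green).

    Field names follow the Navigator layer format as assumed in the lead-in.
    """
    gap, hit = coverage_gap(actor_ttps, covered)
    techniques = [
        {"techniqueID": t, "score": 0, "color": "#ff6666",
         "comment": "reported for actor, no analytic"} for t in gap
    ] + [
        {"techniqueID": t, "score": 1, "color": "#66ff66",
         "comment": "reported for actor, analytic exists"} for t in hit
    ]
    return {
        "name": name,
        "versions": {"attack": "12", "navigator": "4.8.0", "layer": "4.4"},
        "domain": "enterprise-attack",
        "description": f"{len(gap)} of {len(actor_ttps)} reported techniques lack analytics",
        "techniques": techniques,
    }


def layer_json(name, actor_ttps, covered):
    """Serialise the layer for upload into Navigator or a Tidal technique set."""
    return json.dumps(build_layer(name, actor_ttps, covered), indent=2)


if __name__ == "__main__":
    print(layer_json("Healthcare actors vs OSS analytics", ACTOR_TTPS, ANALYTICS_COVERAGE))
```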
We are searching for multiple R&D sponsors to support R&D efforts leading to the publication of a meta-study of MITRE ATT&CK tactics and techniques. Reach out to our #research team for more information on how you can become a #sponsor!
https://www.cyentia.com/sponsors-attack-study
#infosec #cybersecurity #risk #riskmanagement #cyberriskquantification #publication #data #researchanddevelopment #CISO #riskmanager #riskmanagement #mitreattack #study
A great and comprehensive essay on kill chain models
#cybersecurity #security #infosec #CyberKillChain #MITRE
#MITREAttack #Diamond #defence
https://thecyberwire.com/stories/0b286a6d86a14d7aaa4eeb121c96ef31/kill-chain-models
@fugueish Yes, but I think your CSIRP and related processes would need to reference MITRE ATT&CK and require it before it would be widely used.
It can get you started on mapping out any possible threat, risk, or attack you can think of and help you come up with mitigations. But if everybody isn't using it, you'll have references and language that only some teams understand.
In real life, it is nice when our security tools link to MITRE ATT&CK because we can quickly understand what a particular alert is about. But we don't put that on a report that goes to anybody else, because, as of right now, they would have no idea what T1548.002 means.
#mitre #mitreattack #mitreattck #csirp #csirt #infosec
Team up with us against the dark side! We are searching for R&D sponsors to support the production & publication of a MITRE ATT&CK meta-study 👇
✵ Benefits of being a sponsor:
✓ Recognition in the published report (prominent placement of logo, short description, etc.)
✓ Recognition in promotional activities related to the report (verbally mentioned in presentations, social tagging, etc.)
✓ Dedicated space (1 page) in the published study to add your perspective and recommendations on the findings
✓ Media assets that include high-resolution versions of all data visualizations to use in your own promotional activities
✓ Ability to create a branded version of the study to distribute independently via your own channels (cannot alter main content)
✓ Sponsors of the optional Cybersecurity Research Library enhancements will receive additional recognition specific to those projects (to be discussed/determined as part of scoping).
✵ What’s the goal of the study?
More and more cybersecurity industry reports include statistics around commonly detected ATT&CK techniques. That’s great in terms of having more data available for defenders and decision-makers, but a challenge arises to draw collective conclusions from them regarding the most common techniques. Cloud, network, and endpoint vendors/products have different vantage points, varying levels of visibility across tactics, and thus tend to report vastly different techniques. Incident responders have a different perspective than intelligence analysts. Reports from law enforcement agencies will differ from those of law firms. And the list goes on.
This study will compare and contrast all those sources to find common threads among them that will aid organizations seeking to build a more threat-informed defense.
Reach out to our research team for more information on how you can become a sponsor: https://www.cyentia.com/sponsors-attack-study
#cybersecurity #risk #riskmanagement #cyberriskquantification #researchanddevelopment #sponsor #CISO #riskmanager #mitreattack
Ismael Valenzuela, @Joseliyo_Jstnk and I have been working on an analysis of the cyber threats in Spain, Chile, Mexico, Argentina, Brazil, Colombia and Ecuador, with their motivations and their TTPs.
We have just published it at https://github.com/blackberry/threat-research-and-intelligence/tree/main/Talks/2022-11-25%20-%20XVI%20Jornadas%20STIC%20CCN-CERT
#ttps #mitredefend #mitreattack #jupyternotebook #threatsighting
Another badge down in my #MITREATTACK. Getting there, bit by bit.
#professionaldevelopment #cybersec #cybermonday #mitreattack
Next write-up is Task 3 from the TryHackMe MITRE Room. This task is a deep dive on the MITRE ATT&CK Framework. I loved this task so much as it felt like I was actually doing the research for an actual SOC!!! Check out the write-up and follow along!!!
https://medium.com/@haircutfish/tryhackme-mitre-room-task-3-att-ck-framework-f675c83f4fa1