Flashback to the system breach you stumbled across several hours ago. Your team discovered a ransom note on a compromised company laptop, set to expire four days from now with the slogan “Pay for Peace” above the message addressed to your company. Without the ransom paid, the note explains, the threat actors will make your proprietary documentation public.
In our breach scenario, your incident commander asks the cyber forensic retainer to find out who breached your company, what other organizations are on the victim list, and what TTPs (tactics, techniques, and procedures) they used to get into your network.
If you called Ascent, our threat intelligence cell under our Modern SOC would consider a couple factors:
1: Integrating OSINT
Open-source intelligence (OSINT) is the practice of collecting and analyzing publicly available information to generate actionable intelligence. When OSINT is paired with events like alerts and detections, it provides vital context behind other events as reported by security researchers. Additionally, an effective OSINT program can and will provide a consistent stream of relevant information, improving your organizations’ situational awareness.
It is critical to a business’ safety to assess which threat is most likely to target your business before a breach happens and plan how you might defend against the common TTPs threat actors leverage. If you’ve already been breached, OSINT is still an exceptionally valuable tool.
2: Investigating Indicators of Compromise (IOC)
While the mobilized security team is focused on triaging the data breach, they will discover IOCs (malware, ransomware, IP addresses from the threat actor, CVEs exploited, etc.) along the way. If the mobilized security team were to disseminate these specific details discovered during the investigation to the intelligence team, intel could concurrently identify which threat actors are exhibiting that behavior using those malicious tools. This is helpful as it provides the security team with an understanding of the modus operandi, toolkits of the threat actor(s), and discerns any recent behavior the threat actor(s) exhibited.
For example, the Cl0p ransomware gang has recently exploited the myriad vulnerabilities surrounding MoveIT software. If MoveIT was the source of the data breach, there is a high likelihood that the threat actors responsible for the breach were from the Cl0p ransomware gang. At this point, the intelligence cell could curate and provide the mobilized security team with recently reported Cl0p ransomware gang behaviors, MITRE ATT&CK techniques, monitor their victim page for your organization, and provide artifacts other security researchers have compiled and published. This will help the mobilized security team scope where else, and with what tools, Cl0p ransomware gang actors may have deployed within the network – further isolating the threat actor from establishing persistence somewhere else in the network. At Ascent Solutions, our intelligence team consistently provides our Cy:lent software with the latest reports specific to a variety of criminal or state-sponsored threat actors.
3: Decoding the Ransom Note
If ransomware was involved with the event, chances are the threat actor left a ransom note with contact information, crypto wallet address, etc. If the mobilized security team provides the ransom note to the intelligence team, the intelligence team can analyze the threat actor(s) involved and research what behaviors, MITRE ATT&CK techniques, and other IOCs other security researchers have compiled and published. Using OSINT analysis, the security team can image search the ransom note, identifying which other organizations the threat actor breached, what tactics they commonly use, and any other information the group disclosed about itself. You can also research the crypto wallet address and see if it’s linked to any threat actors through multiple different publicly available resources.
Stay ahead of a data breach
Monitoring ransomware victim pages for victims that are within your industry is a proactive action towards prevention. If the same threat actors keep targeting a specific industry, the security team should consider having the intelligence cell compile the threat actor(s) behaviors to evaluate against your network. At Ascent Solutions, our custom Cy:lent software suite does just that.
Modern SecOps and incident response
At Ascent Solutions, our team embraces Modern Security Operations in all aspects of protecting our customers and our own environment—including an incident response. Watch for the next blog in this series covering the value of cyber threat intelligence to an incident response plan. At Ascent Solutions, our proprietary Cy:lent software is the hub we utilize to curate timely and relevant information that is ready to be operationalized within our Modern SOC.
If you have been breached or you do not have a tight incident response plan, let our experts assist you. Reach out to info@meetascent.com for more information.
