Blog

An important role in data handling for Threat Intelligence plays knowledge for understanding of threats’ context and their interconnections to certain tactics or hacker groups. Therefore, the lack of necessary data leads to an incomplete understanding of different cybercriminals’ approaches for their attacks. Companies need context regarding indicators, interconnections between threats and attacks to easily identify more dangerous threats and prioritize the ways to eliminate them.

The Defensys TIP is integrated with the knowledge base MITRE ATT&CK®. Thanks to this, users can apply the information regarding hackers’ techniques and tactics to determine the possible ways of threats’ development and preventive protection of information infrastructure.

Threat Intelligence with MITRE ATT&CK®

MITRE ATT&CK® (Adversarial Tactics, Techniques & Common Knowledge) is the knowledge base, that describes and classifies attackers’ behavior based on the analysis of their actions during real attacks. This is a structured list of known behavior types, that are united according to tactics and techniques and grouped in several matrices.

The matrix ATT&CK for Enterprise was created to classify attacks on corporate infrastructure and includes techniques and tactics for Windows, Linux and/or MacOS operating systems. The matrix also describes behavior types of cyber criminals while attacks against corporate systems.

More

Cybersecurity News

• Lumma Stealer, the stealer malware, now features a new anti-sandbox technique that leverages the mathematical principle of trigonometry to evade detection and exfiltrate valuable information from infected hosts.
• The Tor Project has explained its recent decision to remove multiple network relays that represented a threat to the safety and security of all Tor network users.
• Google has officially announced plans to gradually eliminate third-party cookies, a key aspect of its Privacy Sandbox initiative.
• Threat actors are leveraging manipulated search results and bogus Google ads that trick users who are looking to download legitimate software such as WinSCP into installing malware instead.
• The Federal Communications Commission has revealed new rules to shield consumers from criminals who hijack their phone numbers in SIM swapping attacks and port-out fraud.
• The WordPress plugin WP Fastest Cache is vulnerable to an SQL injection vulnerability that could allow unauthenticated attackers to read the contents of the site’s database. Currently, more than 600,000 websites still run a vulnerable version of the plugin and are exposed to potential attacks.
• Intel has addressed the vulnerability in its current desktop, server, mobile and embedded processors, CPUs, including the microarchitectures Alder Lake, Raptor Lake, and Sapphire Rapids.

More

Challenge

Before the project launch, the Company already had its SIEM system and the implemented Defensys SOAR. During this project, our target was to update the system for cybersecurity compliance with the national state standards.

Implementation

The SOAR is used for handling both IT and OT incidents and is integrated with the company’s CMDB.

Following purchasing of the new license, a part of the existing processes had to be reconsidered. According to the new role model, all company’s network segments were divided into critical and non-critical. Depending on the segment status, the responsible department receives an incident notification and gets involved in its processing.

After discussing of the new incident handling policy, Defensys modified asset cards to meet company’s demands and created 60 response instructions. They’re being automatically pulled into the incident card according to the certain incident parameters. Besides, these cards contain necessary fields for the cybersecurity authority notification and allow data mapping, when an incident occurs on the critical network segment.

The rich customization features of the Defensys SOARmade possible the notification of the cybersecurity authority in a report form by pushing a button.

All incidents in the company are categorized based on the state-approved hierarchy.

More

Cybersecurity News

• Cybersecurity researchers have discovered a stealthy backdoor named Effluencethat’s deployed following the successful exploitation of a recently disclosed security flaw in Atlassian Confluence Data Center and Server.
• WhatsApp is rolling out a new privacy feature that helps Android and iOS users hide their location during calls by relaying the connection through WhatsApp servers.
• Attackers are exploiting a recently patched and critical severity Atlassian Confluence authentication bypass flaw to encrypt victims’ files using Cerber ransomware.
• Threat actors infected more than 10,000 devices worldwide with the ‘PrivateLoader’ and ‘Amadey’ loaders to recruit them into the proxy botnet ‘Socks5Systemz.’
• Apple’s “Find My” location network can be abused by malicious actors to stealthily transmit sensitive information captured by keyloggers installed in keyboards.
• A WhatsApp mod has been discovered that contains previously unknown malware – a spyware Trojan for Android. It’s called CanesSpy.
• A scientist claims to have developed an inexpensive system for using quantum computing to crack RSA, which is the world’s most commonly used public key algorithm.
• MITRE has announced the release of version 14 of ATT&CK, the widely used knowledge base of adversary tactics and techniques.

More

Cybersecurity news

• The APT36 hacking group has been observed using at least three Android apps that mimic YouTube to infect devices with their signature remote access trojan (RAT), ‘CapraRAT.’ Once the malware is installed on a victim’s device, it can harvest data, record audio and video, or access sensitive communication information, essentially operating like a spyware tool.
• Apple has released emergency patches for outdated versions of the iPhone and Mac. The update eliminates the CVE-2023-41064 vulnerability and eliminates the possibility of remote hacking of devices for the purpose of subsequent monitoring of users using spyware.
• A new vulnerability disclosed in GitHub could have exposed thousands of repositories at risk of repojacking attacks, new findings show. The flaw could allow an attacker to exploit a race condition within GitHub’s repository creation and username renaming operations.
• A new cyber attack campaign is leveraging the PowerShell script associated with a legitimate red teaming tool to plunder NTLMv2 hashes from compromised Windows systems primarily located in Australia, Poland, and Belgium.
• A critical vulnerability impacting the Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform could allow remote attackers to forge credentials and bypass authentication.

More