Cyber Threat Intelligence (CTI) focuses on data collection and information analysis so that we can gain a better understanding of the threats facing an organization. This helps us protect its assets. The objective of any CTI analyst is to produce and deliver relevant, accurate, and timely curated information, that is, intelligence, so that the recipient organization can learn how to protect itself from a potential threat.
The amount of information on underground forums and marketplaces is enormous; filtering this raw data and turning it into actionable items that protect governments or companies is the key achievement for us. Cybercriminals use the Dark Web (onion routing) for privacy, social networking, Stack Exchange-style question-and-answer sites, and as a marketplace.
The intelligence cycle
“Intelligence is a corporate capability to forecast change in time to do something about it. The capability involves foresight and insight, and is intended to identify impending change, which may be positive, representing opportunity, or negative, representing threat.”
The cybercrime underground maintains its own economy through easy-to-use products and services. Financial transactions have increased with the accessibility of anonymous cryptocurrencies such as Bitcoin, which is commonly used by malicious actors among themselves as well as for accepting payments from victims (e.g., ransomware).
Ransomware attacks are on the rise, but the question is: how could a group of cybercriminals compromise thousands of computers from various companies? The short answer is that ransomware groups use underground markets to buy remote access to multiple victims; the sellers of this access are called Initial Access Brokers.
According to SBIR “Cybercrime costs the global economy about $445 billion every year, with the damage to business from theft of intellectual property exceeding the $160 billion loss to individuals. Cybercrime is becoming a growing and significant concern for small businesses.”
The services offered within the cybercrime economy utilize a leasing structure, in which access to a product is promised at a set rate for a fixed period of time. The sellers benefit from a guaranteed source of recurrent revenue throughout an extended period of time, and buyers benefit from the continued availability and performance of malicious tools.
Products can be broken down into two main categories, information and resources. Information products include:
Stolen personally identifiable information (PII): Including everything from mass email lists used by spammers to full identity theft packages to commit financial fraud
Exfiltrated organizational information: Including intellectual capital / property, non-public internal data, and internal operational details
Harvested authentication credentials: Stolen username and password combinations continue to present a significant risk these days, especially when those credentials are re-used across multiple sites
Pilfered financial / payment data: Unauthorized withdrawals from accounts or charges against credit lines continue to plague account holders
Selling CVV data
Resource products include elements such as:
Access to feature-rich malware: Malware across varying capabilities (e.g., information stealers, remote administration tools – RATs, ransomware, purpose built utilities) that demonstrate consistent results and avoid source code leakage can generate significant revenue for associated authors and distributors
MemPOS – POS/Cvv Malware
Advertisement of MemPOS Malware
Source code leakage of Dark Rat
Ransomware actors want to gain initial access to corporate networks without being detected by EDR/AV products. Because 0-day exploits are often too expensive to obtain, they may instead use private malware loaders to evade detection.
Malware Dropper with Excel XLL
Purchase of system or software exploits: While many white hats elect to support bug bounty initiatives by vendors, there remains a lucrative underground market for reliable, unpatched exploits
Alongside 0-days, threat actors often share their experience with widely abused vulnerabilities; this information is highly valuable to ransomware groups because it can help them achieve mass infection.
VMware Workspace – Remote Code Execution Exploit
Malicious actor training: Guidebooks or tutorials on effective tool usage or specific Tactics, Techniques, and Procedures (TTPs)
AV/EDR Evasion Techniques
Usage of Invoke-PSImage
Services include the following:
Distributed denial of service (DDoS): These are botnet-powered attacks that affect the availability of targeted servers and capabilities.
Exploit kits (EKs): As part of the service offering, exploit kits are typically leased with a monthly rate for access to the exploit toolkit, allowing for customized end payloads.
Infrastructure rental: These include hosting services for attack platforms, malware updates, configuration, command and control (C2), and other attack lifecycle functions.
Money laundering: The transfer (“money muling”) of illegally obtained funds through accounts and mechanisms in money-haven countries remains a key service.
Initial access brokers: Malicious actors that provide access to secure networks for a fee. They are often hackers but may also gain access to networks using social engineering. Their motivation is not to carry out cyberattacks themselves but rather to sell the access to another party.
Wanna Buy RDP is a marketplace for initial access; the average price for access to a compromised device in the US or Canada is $5.
Without understanding the sensitivity of data, it is hard to properly secure it. Because of that, companies use data classification, which is of great importance for organizations. Data classification refers to the process of analyzing data (both structured and unstructured) and then organizing that data into defined categories based on its content, file type, and other metadata attributes. In this way, security controls can be divided into parts that are easier to manage.
Access control list (ACL) is another form of breach prevention. An access control list (ACL) is a list of rules that specifies which users or systems are granted or denied access to a particular object or system resource.
Each ACL has one or more access control entries (ACEs) that consist of the name of a user or user group. It can also be a role name, such as user, programmer, or tester. Typically, the system administrator or object owner creates the access control list for an object.
Access control lists come in two basic types:
File system ACL: Manages access to files and directories. It gives the operating system instructions that determine a user's access permissions and privileges after the system has been accessed.
Networking ACL: Manages network access by providing instructions to network switches and routers that specify the types of traffic allowed to enter the network. These ACLs also specify user permissions once inside the network. The network administrator predefines network communication ACL rules, so in this way they work similarly to a firewall.
ACLs can also be categorized by the way they describe traffic:
Standard ACL: Blocks or allows an entire protocol packet using source IP addresses.
Extended ACL: Blocks or allows network traffic based on a different set of properties, including source and destination IP addresses and port numbers, as opposed to just the source address.
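To make the standard/extended distinction concrete, here is an added example (constructed for this article, not from the original page or any vendor's ACL syntax) that evaluates packets against both kinds of list with first-match-wins and implicit-deny semantics; the server address 10.1.1.10 and all packets are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example: a standard entry matches on source address only; an extended
# entry also matches protocol, destination address and destination port. Entries are
# checked top-down, the first match wins, and an unmatched packet is denied, mirroring
# the implicit deny at the end of a router ACL.

@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    src: str                      # source CIDR; "0.0.0.0/0" means any
    proto: Optional[str] = None   # extended only: "tcp", "udp", "icmp"
    dst: Optional[str] = None     # extended only: destination CIDR
    dport: Optional[int] = None   # extended only: destination port

    def matches(self, pkt: dict) -> bool:
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or pkt.get("dport") == self.dport

def evaluate(acl: list, pkt: dict) -> str:
    """Return 'permit' or 'deny' for pkt: first matching ACE wins, otherwise implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

# Standard ACL (source only): drop one external range, allow the internal range.
STANDARD_ACL = [
    Ace("deny", "192.0.2.0/24"),
    Ace("permit", "10.0.0.0/8"),
]

# Extended ACL for the constructed web server 10.1.1.10: RDP (3389) is denied from
# anywhere before any permit, and only internal HTTPS (443) to it is allowed.
EXTENDED_ACL = [
    Ace("deny", "0.0.0.0/0", proto="tcp", dst="10.1.1.10/32", dport=3389),
    Ace("permit", "10.0.0.0/8", proto="tcp", dst="10.1.1.10/32", dport=443),
]

if __name__ == "__main__":
    rdp = {"src": "10.2.3.4", "dst": "10.1.1.10", "proto": "tcp", "dport": 3389}
    # The standard ACL cannot see the port, so it permits what the extended ACL denies.
    print(evaluate(STANDARD_ACL, rdp), evaluate(EXTENDED_ACL, rdp))
```

The point to take away is that a standard ACL judges only where a packet comes from, so exposure of a single service such as RDP can only be closed with an extended entry that names the destination and port.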
System hardening is used to reduce vulnerability in technology applications, systems, infrastructure, firmware, and other areas. The purpose of system hardening is to reduce security risk by eliminating potential attack vectors and shrinking the attack surface of the system.
Best Practices for Systems Hardening
- Audit your existing systems: Use penetration testing, vulnerability scanning, configuration management, and other security auditing tools to find flaws in the existing system and prioritize fixes.
- Create a strategy and plan based on the risks identified in your technology ecosystem and use a phased approach to address the biggest flaws.
- Fix vulnerabilities now: Make sure you have an automated and comprehensive vulnerability identification and patching system in place.
- Network hardening: Make sure your firewall is configured properly and all rules are checked regularly.
- Server hardening: Put all servers in a secure data center.
- Application hardening: Restrict access to applications based on user roles and context.
- Database hardening: Create administrative restrictions on what users can do to a database, such as controlling privileged access.
- OS hardening: Automatically apply OS updates, service packs, and patches.
- Eliminate unnecessary accounts and privileges: Apply minimal privileges by removing unnecessary accounts and privileges from your IT infrastructure.
First and foremost, staff well trained in cyber security pose less of a risk to the overall security of an organization’s digital network.
Security awareness training is important because it protects an organization against cyber attacks that result in data breaches. The primary focus is on preventing incidents that lead to reputational and financial losses.
Cybercrime: Any crime that involves the use of computers to victimize an individual or organization for financial gain.
Deep Web: Sites that make indexing by Internet search engines problematic, due to access control, dynamic content, or other prerequisite mechanisms (e.g., encryption or specialized software). In general, these sites are not accessible to standard web search engine crawlers that perform indexing. This class of sites is also sometimes referred to as the Invisible Web, Hidden Web, or Deepnet.
Dark Web: A subset of Deep Web sites that requires special software (e.g., TOR) to reach. Related infrastructure hosts criminal content such as stolen information and access to premium malware and exploits, and supports other categories of activity, such as illegal pornography, drug trade, prostitution, human trafficking, and terrorist operations. A number of these sites are transient, only up for a short time or constantly changing addresses in an attempt to minimize the risk of exposure to government agencies, law enforcement and security researchers.
Cybercrime underground: Online forums where information, tools (malware, exploits), and services are bought and sold in support of cybercrime objectives. Composite sites exist on the Indexed Web, Deep Web, and Dark Web in varying contexts.