
  • Latrodectus: This Spider Bytes Like Ice

    For this research, we partnered with Proofpoint’s Threat Research team in a collaborative effort to provide a comprehensive overview of the Latrodectus loader malware. Latrodectus was first identified in the wild in October 2023 and was detected by Proofpoint being used in email threat campaigns in late November 2023. Whilst it shares some similarities with IcedID, Latrodectus is assessed to be a wholly new malware family, and our joint analysis indicates the IcedID developers likely created it.

    Other key points from the research include:

    - While use of Latrodectus decreased in December 2023 through January 2024, its use increased in campaigns throughout February and March 2024.
    - It was first observed in Proofpoint data being distributed by threat actor TA577 but has been used by at least one other threat actor, TA578.
    - Latrodectus is an up-and-coming downloader with various sandbox evasion functionality.
    - Latrodectus shares infrastructure overlap with historic IcedID operations.
    - While investigating Latrodectus, researchers identified new, unique patterns in campaign IDs designating threat actor use in previous IcedID campaigns.

    The full report can be read here.

    Conclusion

    We share Proofpoint’s assessment that Latrodectus will become increasingly used by financially motivated threat actors across the criminal landscape, particularly those who previously distributed IcedID. This research highlights the value of collaborative work between commercial threat intelligence companies, piecing together distinct viewpoints to provide a more complete picture of malicious activities. We hope to continue these collaborations to enable defenders and threat analysts to shut down cybercriminals.

  • Team Cymru: Internet Weather Report

    Insights into Internet Outages along Africa's Western Coast

    About Team Cymru: Internet Weather Reports

    Our Internet weather reports are intended to provide data and technical analysis of significant events occurring across the Internet. The information aims to equip readers with insights that contribute to their own conclusions and provide additional context.

    Introduction

    On 14 March 2024, a series of major Internet outages were reported, affecting thirteen African countries situated along the continent’s western coast. Up until the time of this blog post, there has been no conclusive explanation of why this happened. This piqued our curiosity, prompting us to leverage our tools and data for a multinational and cross-continental analysis based on observed traffic patterns.

    The impacted countries are highlighted in the map (of Africa!) above. However, for the cartophobic, the list from north to south, including country codes, is as follows: Niger (NE), Burkina Faso (BF), Nigeria (NG), The Gambia (GM), Cameroon (CM), Guinea (GN), Benin (BJ), Ghana (GH), Togo (TG), Côte d'Ivoire (CI), Liberia (LR), Namibia (NA), South Africa (ZA).

    Over a week later, in this blog post, we will examine the current status of the situation by analyzing high-level network telemetry data derived from Pure Signal™.

    Key Findings

    - At the time of writing, Cameroon is still experiencing ongoing Internet outages, over a week after the initial reports.
    - Impacted countries faced varying degrees of disruption, ranging from minor blips within a 24-hour period to widespread outages lasting several days (or ongoing in the case of Cameroon).

    Status Update

    Cameroon (CM)

    Based on our vantage point, it is apparent that at least one country, Cameroon, is still impacted by the outages. As depicted in the chart above, a decline in client (user) activity was observed on March 14 and has yet to return to the levels observed before the outages were reported.

    Server records were also affected, albeit on a smaller scale, primarily because there are comparatively few inbound connections to services and websites in Cameroon from other countries in general. For clarity, client flows are those originating from an IP address located in the country of interest (e.g., country code CM in the chart above). Server flows are those where the destination IP address (server/service) was located in the country of interest, for example a user in the United States accessing a website hosted in Cameroon.

    Benin (BJ) & Ghana (GH)

    Several other countries appear to have been impacted for several days. In the case of both Benin and Ghana, connectivity was dramatically and almost completely restored on 20 March.

    Nigeria (NG)

    A similar situation is observed in Nigeria, where, as of 20 March, normal service appears to have resumed. However, the return seems to have been gradual over several days. Looking at server flow data for Ghana and Nigeria, it is evident that both countries host comparatively more services that are accessed by foreign users when compared with countries like Benin and Cameroon.

    Niger (NE)

    Much like the other countries already reviewed, Niger appears to have experienced outages lasting several days. However, since 18 March, there has been a surge in Internet usage to 150-200% of the "usual" levels. This surge potentially indicates a nation catching up on “what was missed” over the preceding days.

    Gambia (GM), Liberia (LR), Namibia (NA) & South Africa (ZA)

    In some cases, impacts of the outages were limited to a single day, or were not fully discernible in our daily snapshots. Liberia, for example, appears to have been impacted within a 24-hour period before returning to business-as-usual levels. In Namibia, there was a small reduction in traffic, but nothing which would indicate a wide-scale Internet outage.

    Burkina Faso (BF), Côte d’Ivoire (CI), Guinea (GN) and Togo (TG)

    For the final four countries affected by the Internet outages, we witness a different phenomenon as a result of the intricacies of our vantage points into these particular countries. Instead of a drop in traffic, we see a sharp increase in the case of Burkina Faso, Côte d’Ivoire, Guinea, and Togo. In each case, this increase lasts for 4-5 days. What we are observing here is likely attributable to one of two things (or a combination of both):

    - Attempted, and ultimately failed, connections to external resources were being observed.
    - Traffic rerouted via indirect paths across the Internet was being observed.

    Digging deeper into the data for these four countries combined, to examine the top TCP ports observed, strengthens this assessment. As can be seen in the image below, the large increase in network traffic is a result of an increase in TCP/443 (generally associated with web browsing) traffic, which is highlighted in green. A note for anyone reproducing this from their own telemetry: because failed connection attempts and retries also generate flow records, a rise in client-side flow counts during an outage is not evidence of more successful user activity.

    Conclusion

    In conclusion, the recent Internet outages affecting multiple countries along Africa's western coast have highlighted the vulnerability of digital connectivity in the region. While some nations experienced minor disruptions lasting less than a day, others faced prolonged and ongoing outages, exemplified by the situation in Cameroon.
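The client/server flow split and the per-port breakdown used in the report, applied to a handful of flow records. This is an added example, not Team Cymru code and not the Pure Signal export format; the flow records are constructed, and the record layout (day, source country, destination country, destination port, flow count) and the drop/surge thresholds are assumptions for illustration.

```python
"""Country-level outage and port analysis over flow records.

Added example; not Team Cymru code and not the Pure Signal data format.
Flow records below are constructed; the record layout and the thresholds
are assumptions made for this illustration.
"""
from collections import defaultdict

# Constructed sample flows: (day, src_country, dst_country, dst_port, flows).
# The pattern mimics a client-side drop for CM and a TCP/443 surge from BF,
# the two shapes described in the report. Counts are synthetic.
SAMPLE_FLOWS = [
    ("2024-03-12", "CM", "US", 443, 1000), ("2024-03-12", "US", "CM", 443, 100),
    ("2024-03-13", "CM", "US", 443, 1020), ("2024-03-13", "US", "CM", 443, 95),
    ("2024-03-14", "CM", "US", 443, 300),  ("2024-03-14", "US", "CM", 443, 60),
    ("2024-03-15", "CM", "US", 443, 250),  ("2024-03-15", "US", "CM", 443, 55),
    ("2024-03-12", "BF", "FR", 443, 400),  ("2024-03-12", "BF", "FR", 80, 50),
    ("2024-03-13", "BF", "FR", 443, 410),  ("2024-03-13", "BF", "FR", 80, 45),
    ("2024-03-14", "BF", "FR", 443, 900),  ("2024-03-14", "BF", "FR", 80, 48),
    ("2024-03-15", "BF", "FR", 443, 850),  ("2024-03-15", "BF", "FR", 80, 52),
]


def daily_volumes(flows, country):
    """Return {day: (client_flows, server_flows)} for one country.

    Client flows originate from an IP in `country`; server flows have their
    destination in `country` (the definitions used in the report).
    """
    per_day = defaultdict(lambda: [0, 0])
    for day, src, dst, _port, n in flows:
        if src == country:
            per_day[day][0] += n
        if dst == country:
            per_day[day][1] += n
    return {d: tuple(v) for d, v in sorted(per_day.items())}


def classify_days(volumes, baseline_days, drop=0.5, surge=1.5):
    """Label each day's client volume against the mean of `baseline_days`.

    Returns {day: (ratio, label)}; label is 'outage' below drop*baseline,
    'surge' above surge*baseline, otherwise 'normal'. Thresholds are
    assumptions for this example, not figures from the report.
    """
    base = [volumes[d][0] for d in baseline_days if d in volumes]
    if not base:
        raise ValueError("no baseline data for the requested days")
    mean = sum(base) / len(base)
    result = {}
    for day, (client, _server) in volumes.items():
        ratio = client / mean
        label = "outage" if ratio < drop else "surge" if ratio > surge else "normal"
        result[day] = (round(ratio, 2), label)
    return result


def top_ports(flows, countries, day):
    """Client-side flow count per destination port, descending, for the
    combined set of `countries` on `day` (the BF/CI/GN/TG style breakdown)."""
    counts = defaultdict(int)
    for d, src, _dst, port, n in flows:
        if d == day and src in countries:
            counts[port] += n
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    baseline = ["2024-03-12", "2024-03-13"]
    for cc in ("CM", "BF"):
        print(cc, classify_days(daily_volumes(SAMPLE_FLOWS, cc), baseline))
    print("BF top ports on 2024-03-14:", top_ports(SAMPLE_FLOWS, {"BF"}, "2024-03-14"))
```

Note that `top_ports` counts flows, not bytes or completed sessions, so on the BF-style surge it reproduces what the report observed (a jump in TCP/443 records) without telling you whether those connections ever succeeded; that distinction needs session-state data the flow records here do not carry.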

  • Peer Reviews - Why Peer Reviews Matter

    Where to find Pure Signal product reviews and share views anonymously

    Introduction

    In this blog, we’ll cover why reviews of our products are important during your journey of discovery about each one. We’ll also cover how peer reviews are two-way, enabling you to make better decisions and informing us how to improve our products. And since we’re all in Cyber Security, we’ll show you how to post your reviews anonymously.

    Reviews matter to you and us

    Choosing a Cyber Threat Intelligence provider or Attack Surface Management platform in today’s market is challenging for a buyer. To make this journey as easy as possible for you, we want to be fully transparent and put you in front of our product reviews; the voice of our customers is important to us, and it should be to you. As with any critical business decision, understanding the value solutions can bring to your organization is paramount. This is where the power of peer product reviews becomes invaluable to you.

    Reviews are equally important for us. Feedback from peer reviews helps us to continuously refine and enhance our products, ensuring that once you are onboarded as a customer, your collective voices enable us to address emerging challenges and user needs. This cycle of improvement is crucial for maintaining our high levels of customer satisfaction and enabling our users to stay ahead.

    Gain Trust from Credible Users

    The cybersecurity market is crowded with solutions promising unparalleled protection and insight. Peer reviews cut through the marketing noise, offering transparent and credible insights from users who have experienced Team Cymru's products first-hand. These testimonials give you confidence that each product has been proven effective in real-world scenarios.

    Making Better Informed Decisions

    When it comes to your organization's digital health, choosing the right solution is a significant decision that impacts multiple stakeholders. Peer reviews of Team Cymru's offerings give a rounded view of the products, from their usability and integration capabilities to their effectiveness in identifying risks and mitigating threats. This helps you focus on your specific security needs and objectives and ensure they will be met.

    Where to read our product reviews

    Please note, each of the links below will take you to a third-party website.

    How to start a review

    Both G2 and Gartner make the process very easy and have mechanisms to ensure reviews are fair and from trusted and validated sources. For each you will need the following:

    - A public LinkedIn profile that is up-to-date
    - A business email account with your current employer, or
    - An existing G2 or Gartner account

    Each provider will ask a variety of questions that are specific to you, your role, organization, and experience as part of the validation process and terms. Expect reviews to take around 10 to 15 minutes, so definitely have your Top 5 playlist ready or your favorite Cyber Security podcast in the background!

    Once you have access, G2 and Gartner provide a search function to find Team Cymru’s products. Simply type ‘Team Cymru’, or the full product name, such as ‘Pure Signal Recon’, and you will immediately locate the product you wish to leave a review for.

    For G2, you can start the review process here: https://www.g2.com/wizard/new-review

    For Gartner Peer Insights, you can start the review process here: https://www.gartner.com/reviews/survey/vendor-product?source=faq

    How to post your review anonymously

    G2

    According to the G2 website here, the option to leave an anonymous review is very straightforward. After completing the survey, there is a question that will ask, "Allow my review to show my name and face in the G2 community?" To ensure your review is anonymized on the G2 website, select ‘No’, and your review will be displayed as below. If you wish to return and make an existing review anonymous, simply visit the G2 website here.

    Gartner Peer Insights

    Gartner automatically makes their reviews anonymous; more can be read here. They specify the following:

    - INCLUDED IN REVIEW: Demographic data about the reviewer and their company, such as job title, role, industry, and company size
    - EXCLUDED FROM REVIEW: Reviewer's actual name or company name, to prevent personal identification

    Community Opinions Matter

    We thank you for taking the time to consider leaving a review or researching what your peers think about the value and user experience of our products. Our team of experts is here to answer any further questions about reviews or our products. For existing customers, our team is available via email: support@cymru.com. For new customers, please engage our Sales team directly here.

  • Senior Stakeholder explainer for Octo Malware

    Cyber leaders need to take action or face the consequences

    Introduction

    Our recent blog aimed at security analysts has significant financial implications for CISOs and senior Cyber Risk stakeholders. This briefing guide will help you understand what you need to address this growing threat, and why.

    Multi-legged Risk

    Octo (otherwise known as Coper) malware is a dynamic and sophisticated threat that is actively used to target the Financial sector, yet all organizations are at risk. Financial impact is the single largest outcome of Octo malware infection, as it equips cyber criminals with unauthorized access to sensitive information used to gain access to customer and corporate accounts.

    David Monnier, Team Cymru’s Chief Evangelist, explains why senior stakeholders need a plan for Octo Malware:

    “For banking and financial organizations, addressing Octo malware risks is critical due to its targeted approach within your sector. However, this applies to all organizations and impacts some of your highest financial risks. These can include customer and corporate fraud, financial systems security, data leakage, loss of customer trust, and fines for regulatory non-compliance.”

    Why Octo is a particularly high cyber risk

    It has the potential to become widespread as it is attractive to cybercriminals. Octo is fairly trivial to operate, which lowers the bar to entry, reduces operating costs for criminals, and leads to far more private individual targets and corporate victims as a result. Octo is an attractive malware for cybercriminals because it features capabilities designed to target sensitive data. This information can be used to infiltrate company networks and amplify their impact.

    Combatting this threat is highly challenging as the threat landscape is complex. Because it is offered under a ‘Malware-as-a-Service’ model, many unsophisticated cyber criminals can use Octo, resulting in an increasing number and variety of adversaries and making defense much harder. In addition, the highly proficient operators of Octo malicious infrastructure use sophisticated techniques to avoid detection and stay ahead of traditional threat intelligence techniques. Octo developers and sellers are continuously evolving their software, further enabling cyber criminals through their support program.

    Larger organizations are vulnerable as it requires a multi-threaded strategic approach. As we will detail further, mitigating Octo requires planning, and that takes time. Defensive measures involve enhancing authentication methods; educating stakeholders, customers, and employees on secure practices; creating specific cyber defense policies to discover and block malicious or suspicious activity; and empowering threat intelligence analyst teams to detect its presence across your entire digital landscape and third-party ecosystems.

    - Financial Fraud and Loss: One of the primary risks is direct financial loss. Given that Octo malware targets financial institutions and their customers, organizations may suffer substantial financial fraud. This can result from unauthorized transactions, theft of funds, or compromise of financial credentials leading to broader financial exposure.
    - Data Breach and Loss of Sensitive Information: Octo malware's capabilities, such as keylogging and screen capturing, pose a significant risk of a sensitive data breach. This could include the theft of confidential corporate information, customer data, intellectual property, and more. Such breaches can lead to significant legal, financial, and reputational damage.
    - Regulatory and Compliance Violations: For organizations under strict regulatory frameworks (such as GDPR, HIPAA, or financial regulations), a malware-induced data breach could lead to non-compliance issues. This might result in hefty fines, sanctions, or other regulatory actions, alongside the costs of remediation and implementing measures to prevent future incidents.
    - Reputational Damage: The public exposure of a malware attack can severely damage an organization's reputation. Customers and partners may lose trust in the organization's ability to safeguard their financial assets, leading to loss of business, strained relationships, and difficulty in attracting new customers or partners.
    - Operational Disruption: Beyond financial and data-related impacts, Octo malware infections can lead to significant operational disruptions. This could include the loss of access to critical systems, disruption of business processes, and the need to allocate significant resources to incident response and recovery efforts. For organizations in the Global 2000, such disruptions can have far-reaching ramifications, affecting operations worldwide and leading to substantial financial and operational setbacks.

    Effective mitigation against Octo malware requires your team to leverage multiple tools, processes, and procedures. This will likely include all of the following:

    - Enhancing Detection and Response Capabilities: Ensure you have advanced threat detection systems and train incident response teams to recognize and respond to sophisticated malware incidents such as Octo.
    - Strengthening Endpoint Security: Ensure all corporate devices accessing your corporate networks, particularly Android devices, have updated antivirus software and endpoint protection, in addition to the latest operating system updates and security patches. These updates often include fixes for vulnerabilities that malware like Octo may exploit.
    - Enforce gateway security and improve customer support: Ensure all devices accessing financial systems and customer services can be identified and categorized. Octo specifically targets Android devices, so ensuring your perimeter security can distinguish the mobile device and OS is critical. When correlated with customer login credentials, your Customer Service team can proactively alert customers that there is a threat.
    - Promoting Cybersecurity Awareness: Ensure that mobile security-specific training sessions that include Octo attributes are made available for employees and customers, focused on recognizing account compromise attempts and securing personal devices.
    - Implementing Alternative Strong Authentication Processes: Octo can intercept and read SMS on the device. Multi-factor authentication for all banking applications and services, and for access to corporate VPNs and networks, should avoid the use of SMS to reduce the risk of unauthorized access and fraudulent activity. Bear in mind that an authenticator app running on the same compromised handset is also exposed to the keylogging and screen capture capabilities noted above, so a hardware token or approval on a separate device is the stronger choice.

    Tactical steps from discovery to defense using the CTEM process

    Improve external visibility of digital assets & threats using the Pure Signal™ platform

    Our recent research, The Digital Risk Landscape: A Report on Top Financial Institutions & Third Party Risk, highlights the need to improve external visibility of external digital assets, and those of third parties. This ensures that the entire risk landscape is fully scoped and includes every possible source of risk and threat. Start with Pure Signal™ Orbit’s asset discovery feature to discover, inventory, and manage external assets.

    Measure levels of risk by classifying external assets

    Once the asset landscape has been fully discovered and scoped, the next step is to assess the cloud platforms, systems, and technologies that are internet-facing. This will create a list of assets that the Threat Intelligence Team can constantly monitor for suspicious or malicious activity related to Octo. Pure Signal™ Orbit’s cloud platform and technologies features autonomously classify assets and provide a full view of the external systems that cybercriminals could potentially target with information gained from using Octo malware.

    Ensure there is a plan to monitor and prioritize Octo-related activity

    By leveraging the integration and automation capabilities of Pure Signal™ products, a real-time alert of suspicious or malicious activity will generate an action for assessment. Pure Signal™ Scout is a simplified threat research analyst platform that enables team members of all experience levels to triage a possible threat quickly; Octo features as a predefined Tag, creating instant insights. Using the combination of assets discovered in Pure Signal™ Orbit, and cross-referencing with Pure Signal™ Scout, a quick assessment can validate whether action is needed. Use IoCs from the Octo blog to start.

    Use advanced tools and analysts to assess and validate

    Once a possible or potential threat has been prioritized to a senior analyst to assess further, this is where real-time insights and expansive visibility outside network borders become a strategic advantage, as outlined in this case study. Pure Signal™ Recon enables experienced analysts to expand the details and scale the analysis. Octo uses specific ports and protocols and blends in by using self-signed certificates; all of this is available to filter and query among 40+ datasets. This method also expands across adversary and third-party infrastructure, enabling monitoring for external threats across a large threat landscape. Use IoCs from the Octo blog to start.

    Identify Octo-infected devices and take action

    Applying insights gained from the activities and processes above can enable various actions, such as:

    - Identify new and emergent infrastructure associated with the Octo malware.
    - Monitor for outbound communications from your own networks to both known Octo infrastructure and potential new C2 servers as they are stood up over time.
    - Assess when victims of Octo are interacting with your own, or third-party, infrastructure and networks.

  • Coper / Octo - A Conductor for Mobile Mayhem… With Eight Limbs?

    Analysis of an Android Malware-as-a-Service Operation

    Coper, a descendant of the Exobot malware family, was first observed in the wild in July 2021, targeting Colombian Android users. At that time, Coper was distributed as a fake version of Bancolombia’s “Personas” application. Its capabilities included keylogging, interception of push notifications and SMS messages, as well as control over the infected device’s screen.

    In early 2022, researchers at ThreatFabric identified a post on an underground economy forum where the author sought information on the ‘Octo Android botnet’. Their analysis of this post established a direct link to ExobotCompact, a “lite” version of the aforementioned Exobot, which had been updated and rebranded as Octo. Therefore, Coper and Octo are considered synonymous names for the same malware family, which has evolved over time from its Exobot origins (circa 2016).

    Today, Coper/Octo is offered as malware-as-a-service, where customers are provided access to a panel and builder used to coordinate and execute campaigns. As a result, we observe Coper/Octo being used to target many countries across the globe in campaigns crafted to ‘appeal’ to specific audiences. The aforementioned fake “Personas” application serves as a good example of the level of regional focus that the service can provide its customers.

    In this blog post, we will detail our analysis and understanding of the Coper/Octo Android malware, examining the malware’s continued development, as well as providing insights into attack patterns, infrastructure utilization and management, and hunting tips.

    Key Findings

    - Coper/Octo, originating from the Exobot malware family, has evolved from its initial observations in 2021 targeting Colombian Android users. It has transformed into a malware-as-a-service operation, providing customers with a range of malicious capabilities.
    - The malware's distribution includes tactics such as impersonating legitimate applications like banking apps to deceive users into installing it.
    - The malware offers a variety of advanced features, including keylogging, interception of SMS messages and push notifications, and control over the device's screen. It employs various injects to steal sensitive information, such as passwords and login credentials, by displaying fake screens or overlays. Additionally, it utilizes VNC (Virtual Network Computing) for remote access to devices, enhancing its surveillance capabilities.
    - Coper/Octo operates through a complex command-and-control (C2) infrastructure, encrypting communications to evade detection. Analysis of C2 servers reveals an understanding of victim targeting, with notable concentrations in countries like Portugal, Spain, Turkey, and the United States.
    - The malware employs techniques to filter out certain regions, ensuring its operations align with the interests of its operators while evading detection in specific geopolitical areas.

    Malware Analysis

    Initial Command and Control Capabilities

    Firstly, we will examine the Coper/Octo malware payload, which has been updated over the last few years to include new features and provide greater "user" flexibility. This flexibility becomes evident when we examine the malware configuration, which is set by each customer/operator. After the initial compromise and once communication with the C2 server is established, the Coper/Octo bot payload is passed to the victim device. The payload includes the configuration file, the parameters of which include:

    - block_push_apps: blocks push notifications for the listed applications.
    - desired_apps: specifies the applications targeted by the malware.
    - domains_bot: provides the C2 server for bot communications. This field is combined with the extra_domains field, which serves as backup C2 information.
    - keylogger_enabled: a binary field determining whether the keylogging function is switched on or off.
    - injects_list: the chosen injects the bot will deploy when a targeted application is accessed. Used in conjunction with injects_to_disable. We will cover injects in further detail below.
    - net_delay: determines the time delta for network requests, i.e., communications with the C2 server.
    - smarts_ver: determines the inject version to be utilized. Again, we will cover this field in further detail below.
    - uninstall_apps: a list of applications to be uninstalled from the infected device. Used in tandem with uninstall_delay to specify the interval when this action takes place.

    The aforementioned smarts_ver configuration field relates to the injects functionality embedded into the Coper/Octo bot and the C2 infrastructure used to manage it. The smarts information is further broken down into a separate table, likely to facilitate easier management. This table contains information such as the inject and target type, as well as specific characteristics of the inject, such as how extracted data should be formatted and whether the inject is currently active or not. An example of this table is provided below. From left to right, the data in the table is explained as follows:

    - 1, 2, 3 are the inject IDs
    - HTML is the inject type
    - specials indicates that the inject is part of the default build provided when the bot is installed; these injects cannot be removed
    - Gmail, pattern, pin are the inject payloads, followed by the path (denoted by the %FIELD_ value)
    - 1 is an “is alive” value, where in the case of the three injects shown this is “true”

    Coper/Octo supports several injects, for example:

    - Accessibility Index: Displays instructions on how to enable Accessibility Services, which are required to be activated in order to facilitate remote interactions with the infected device. A degree of social engineering is employed to encourage the victim to take this action.
    - Fake Pattern: Displays a ‘fake’ unlock pattern screen to the victim user. This allows for the capture of the unlock pattern required to access the device, which is of particular value for VNC interactions.
    - Gmail Fake: Displays a ‘fake’ Gmail login form to the victim user. Steps are taken to make this form look and feel realistic; for example, the user’s email address is prepopulated, requiring only the password to be submitted. The obvious end goal is the theft of email login credentials.
    - URL Inject: Displays an overlay web page, such as an authentication form, when the victim user accesses an app. The URL inject allows for the harvesting of credentials from any accounts or applications the operator wishes to target. The inputted data and cookie information are transferred back to the control server, as with the other injects.

    In addition to the configuration file and injects, the operator can further interact with the malware using a series of commands. All requests to/from the C2 infrastructure are AES encrypted and Base64 encoded. Examples of these commands include:

    - delete_bot: delete the Coper/Octo bot
    - intercept_off / intercept_on: disables or enables SMS interception
    - lock_off / lock_on: unlock or lock the infected device
    - open_url: open a web page in the infected device’s default browser
    - set_vnc_task: provide a remote action command, e.g., a gesture
    - sms: used to send an SMS message from the infected device (to a specific phone number)
    - start_keylogger / stop_keylogger: starts or stops keylogging on the infected device
    - vnc_start / vnc_stop: starts or stops VNC functionality, i.e., remote control of the device/screen

    Operators can also set further parameters to extract detailed information from the infected device, as summarized in the table below. Many of these parameters existed in earlier versions of Coper/Octo from around mid-2021, and in Exobot dating as far back as 2018, indicating the malware's development over time and the connections between the families.

    With an understanding of how the operators communicate with each infected device (or “bot”), we can now delve into more detail about how this story unfolds, with the support of examples and images.

    Victim Registration and Filtering

    When a victim device is initially registered with the bot C2 server, essential information such as the IMEI number, phone model, Android version, device uptime, etc., is collected and stored in an SQL database. This data serves as a reference for the threat operator and can be reviewed in the future. Following registration, the victim device continues to send updates to the C2 server on a daily basis. These updates allow the threat operator to monitor their infections and compile user interactions with the victim devices. The screenshot below illustrates the bot registration script, providing a detailed view of these information values, denoted as $value (e.g., $imei and $model).

    Two values hold particular significance during the bot registration stage: $country and $lang. Like many malware families, Coper/Octo prohibits the infection of devices in Commonwealth of Independent States (CIS) countries and/or devices utilizing the official languages of these countries. This means that for customers of Coper/Octo, victims in Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, and Uzbekistan are strictly out of scope. The filter is applied by the malware authors and is present in all standard distributions of the malware. Additionally, eagle-eyed readers will notice that victims in China (cn) and Ukraine (ua) are also prohibited.
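A model of the registration-side filtering described above, written as an added example rather than taken from the Coper/Octo panel code. It reconstructs the rejection logic from the post's description: the country blocklist (CIS members plus cn and ua), the language blocklist, and the emulator/VM check. The registration field names echo the $imei/$model/$country/$lang values the post mentions; the registration bodies are constructed, and the ISO language codes and the emulator markers are assumptions, since the post does not show the exact comparisons. The practical use for an analyst is the inverse: a sandbox whose locale or device fingerprint trips any of these checks will never be registered, and no C2 interaction will be observed.

```python
"""Model of the Coper/Octo bot-registration filter.

Added example, not the malware's own code. Reconstructed from the blog's
description of the country/language blocklist and the emulator check; the
language codes and emulator markers are assumptions for illustration.
"""
from urllib.parse import parse_qs

# Country codes the post says are out of scope: CIS members plus cn and ua.
BLOCKED_COUNTRIES = {"am", "az", "by", "kz", "kg", "md", "ru", "tj", "tm", "uz", "cn", "ua"}
# Official languages of those countries as ISO 639-1 codes (assumption: the
# post says "official languages" but not which code form the bot compares).
BLOCKED_LANGS = {"hy", "az", "be", "kk", "ky", "ro", "ru", "tg", "tk", "uz", "zh", "uk"}
# Build/model markers typical of emulators (assumption; not from the post).
EMULATOR_MARKERS = ("sdk", "emulator", "genymotion", "google_sdk", "vbox", "goldfish", "ranchu")


def parse_registration(body):
    """Parse an x-www-form-urlencoded registration body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def registration_verdict(reg):
    """Return 'accepted' or 'rejected:<reason>' for a parsed registration.

    The three rejection reasons match the three the post identifies:
    country filter, language filter, emulator/VM detection.
    """
    if reg.get("country", "").lower() in BLOCKED_COUNTRIES:
        return "rejected:country"
    # Normalise "ru_RU" / "ru-RU" style locales to the bare language code.
    lang = reg.get("lang", "").lower().split("_")[0].split("-")[0]
    if lang in BLOCKED_LANGS:
        return "rejected:lang"
    fingerprint = " ".join(reg.get(k, "") for k in ("model", "hardware", "product")).lower()
    if any(marker in fingerprint for marker in EMULATOR_MARKERS):
        return "rejected:emulator"
    return "accepted"


# Constructed registration bodies (not captured traffic).
SAMPLES = {
    "real_pt": "imei=356938035643809&model=SM-A515F&hardware=exynos&product=a51"
               "&country=pt&lang=pt_PT&android=12&uptime=86400",
    "cis_lang": "imei=356938035643810&model=Pixel+6&hardware=oriole&product=oriole"
                "&country=pt&lang=ru_RU&android=13&uptime=100",
    "sandbox": "imei=000000000000000&model=sdk_gphone64_x86_64&hardware=ranchu"
               "&product=sdk_gphone64_x86_64&country=us&lang=en_US&android=11&uptime=30",
}


def run_samples():
    """Verdict for each constructed sample, keyed by sample name."""
    return {name: registration_verdict(parse_registration(body)) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:10s} -> {verdict}")
```

The "sandbox" sample is the case that matters when detonating a sample: a stock Android emulator reports a model and hardware name that trip the marker check even with an in-scope locale, so the device should be reprofiled (or the check patched out in the APK) before expecting to see registration traffic.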
    The process of checking against language and country filters occurs alongside checks to ensure that the victim device is not an emulator or running on a virtual machine, resulting in three distinct reasons why a bot may be rejected in the registration process. Once the registration process has successfully occurred and regular updates are being received from the bot, the threat operator can begin to interact further using the commands and features outlined previously.

    Encryption / Evading Detection

    To evade detection, all Dex classes associated with Coper/Octo are encrypted using a hardcoded RC4 key, following the encryption routine illustrated below. With knowledge of the routine and the hardcoded key (lU0jgv9f6hgMZI48x) we are better equipped to understand the Coper/Octo code, including its functionalities and interactions with the C2 infrastructure. Using CyberChef, we can input encrypted strings as follows, with the output being the decrypted string in plain text. We can then use this process to decipher the encrypted information described above; for example, the screenshot below has the plain text values for a number of encrypted strings commented out. Because the key is hardcoded rather than derived per device or per session, the decryption is deterministic and can be scripted for bulk string recovery.

    In addition to the usage of encryption, Coper/Octo seeks to hide its tracks in other ways. Indeed, the use of permissions like REQUEST_COMPANION_RUN_IN_BACKGROUND and REQUEST_COMPANION_USE_DATA_IN_BACKGROUND indicates a level of stealthiness sought by Coper/Octo. These permissions are commonly utilized by Android malware to ensure their operations remain inconspicuous in the background, reducing the likelihood of detection by the device's user. By running discreetly and utilizing data in the background, the malware can execute its malicious activities without drawing attention to itself, thereby maximizing its effectiveness in compromising the victim's device.
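The string decryption described in the Encryption / Evading Detection section, done in code instead of CyberChef. This is an added example and not the malware's own routine: it is a plain RC4 (KSA plus PRGA) implementation keyed with the hardcoded value quoted in the post. The post shows its encrypted strings only in screenshots, so the ciphertext here is constructed by encrypting a sample string under the same key (RC4 is symmetric); the hex/base64 input handling is an assumption about how the strings are stored, and the permission name used as sample plaintext is one the post mentions.

```python
"""RC4 string recovery for Coper/Octo using the hardcoded key from the post.

Added example, not the malware's decryption routine. The sample ciphertext
is constructed here (encrypted under the same key) because the original
strings appear only in screenshots.
"""
import base64

OCTO_RC4_KEY = b"lU0jgv9f6hgMZI48x"  # hardcoded key quoted in the post


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` with RC4 under `key` (same operation both ways)."""
    if not key:
        raise ValueError("empty RC4 key")
    # Key-scheduling algorithm: permute S using the key bytes.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm: XOR each data byte with keystream.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_blob(text: str, encoding: str = "hex") -> bytes:
    """Return raw ciphertext from its stored form ("hex" or "base64").

    The encoding is explicit rather than guessed: a short base64 string can
    also be valid hex, so auto-detection would silently mis-decode it.
    """
    s = text.strip()
    if encoding == "hex":
        return bytes.fromhex(s)
    if encoding == "base64":
        return base64.b64decode(s, validate=True)
    raise ValueError(f"unknown encoding {encoding!r}")


def decrypt_string(blob: str, encoding: str = "hex", key: bytes = OCTO_RC4_KEY) -> str:
    """Decrypt one stored string. Non-UTF-8 output is escaped rather than
    dropped, so a wrong key shows up as visible garbage instead of silence."""
    return rc4(key, decode_blob(blob, encoding)).decode("utf-8", errors="backslashreplace")


# Constructed sample: a permission name the post mentions, encrypted under the key.
SAMPLE_PLAINTEXT = "android.permission.REQUEST_COMPANION_RUN_IN_BACKGROUND"
SAMPLE_HEX = rc4(OCTO_RC4_KEY, SAMPLE_PLAINTEXT.encode()).hex()
SAMPLE_B64 = base64.b64encode(bytes.fromhex(SAMPLE_HEX)).decode()


if __name__ == "__main__":
    print("ciphertext (hex):", SAMPLE_HEX)
    print("from hex        :", decrypt_string(SAMPLE_HEX))
    print("from base64     :", decrypt_string(SAMPLE_B64, encoding="base64"))
    print("wrong key       :", decrypt_string(SAMPLE_HEX, key=b"not-the-key"))
```

The `rc4` function is checked in the accompanying test against the published "Key"/"Plaintext" vector, which is the quickest way to confirm a hand-rolled RC4 before trusting it on extracted strings; the wrong-key case in `__main__` shows what a bad key looks like so it is not mistaken for an unusual encoding.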
Capabilities in Action

Keylogging

The keylogger functionality is a primary feature of Coper/Octo, enabling it to log every keystroke made on the victim’s phone. Upon activation, Coper/Octo checks the status of the keylogger by verifying the value "keylogger_enabled=1". If enabled, it captures all information entered by the victim via the keyboard, including events and taps on the device. This encompasses application passwords, graphical patterns, PINs, push notifications, and screen passwords. Furthermore, the keylogger retrieves data from the device's web browser. In cases where the keylogger is not initially enabled, it can be activated later through the C2 panel.

All keylogged information is stored in a file within the device's data directory. Once the contents of the keylogger data file have been fully read, the file is deleted. This indicates a policy of utilizing the storage space once and temporarily, potentially for operational security reasons and to prevent sensitive data from remaining accessible on the filesystem, where it could serve as evidence of the device's compromise.

Injects

Injects also play a crucial role in the Coper/Octo service offering, providing customers with a wide range of data theft mechanisms, as previously described. These injects are initially configured in the bot but can later be modified from the customer's C2 panel. Below is an example of a URL inject designed to target Gmail user information, using an overlaid “spoofed” login form to capture the victim’s credentials.
Breaking this screenshot down step by step:

1. Firstly, the inject type is defined, in this case “url”.
2. Next, it injects “onblur” event handlers in order to capture user inputs.
3. Then, the HTML content of the page is updated with genuine device and application information, increasing ‘realism’.
4. Finally, the captured Gmail credentials are stored in the file “gmail_login”.

Injects can also be used, as referenced previously, to obtain the infected device’s screen password or PIN, enabling remote access and management of the device.

VNC (Remote Access)

Coper/Octo is not unique among Android malware families in adopting VNC into its bag of tricks, with other notable examples including Godfather, Hook, and Vultur. VNC provides an alternative option for monitoring user input, such as using its screen recording capabilities to capture information entered into things like banking services, or applications and websites of interest. In this way, VNC serves as the third "alternative" to inject and keylogging capabilities.

To execute all of its VNC features, Coper/Octo requires permissions for the Accessibility Service to be granted; we previously covered an inject used to socially engineer the victim into activating this. Once permissions are granted, VNC is utilized for a number of purposes, including:

- Enabling or disabling device sounds, which is useful when the operator wants to capture things like SMS messages or push notifications
- Enabling the virtual keyboard, allowing the operator to enter information into the infected device
- Modifying the device backlight, which can potentially be used to interact with the device while it appears to be in sleep mode
- Sending pattern codes to unlock the device
- Taking device screenshots (the process of which is illustrated in the screenshot below)

Referring to the table of parameters used by Coper/Octo, we can observe that an action request is made (xc) for a screenshot to be taken (vncScr), with a filename defined (fn) and an image body to be saved (bs) as a Base64 string.

SMS Message Interaction

The final capability we'll examine is Coper/Octo's ability to interact with SMS messaging services, allowing it to intercept, read, and send messages within the device. As with other aspects of the malware, the initial step is to ensure that the required permissions are granted. Once confirmed, the bot will initiate the SMS interception process, whilst simultaneously aborting the SMSReceived broadcast to the victim (using the command “EXC_SMSRCV”), meaning notifications for new messages are no longer served to the victim user.

In the screenshot below we have used the aforementioned decryption process (see the section on Encryption / Evading Detection) to help illustrate the SMS interception process. Once again, referring to the table of parameters used by Coper/Octo, we can observe that the SMS address (sender) is defined (sA), along with the message body (sB) and timestamp (sT). As mentioned earlier, this capability enables the operator to read messages received by the victim and send out new messages from the compromised device. This functionality might be utilized as a method for further onward infection of other devices, possibly by persuading the recipient(s) to download a malicious application.

C2 Infrastructure Overview & Stats

Before looking into campaign and victim statistics, let's delve deeper into how the Coper/Octo bot communicates with operator C2 infrastructure, expanding on the section at the beginning of this blog post.
We will outline the process by which the C2 server gathers information from the bots, explain how we decrypt this data, and then transition into examining the characteristics of the C2 servers, facilitating the discovery of other infrastructure connected to Coper/Octo.

As referenced previously, communications between the bot and C2 server are AES encrypted and Base64 encoded. Thankfully, there is a means to decrypt the traffic and subsequently have a clear view of the communications, providing us with context on who is being targeted and what types of information the threat operators are particularly interested in.

We will use the public sandbox from Triage for our analysis, as they have developed a configuration extractor for Coper/Octo, which makes all our lives easier (thanks for that!). Once we have submitted the payload to the sandbox, a few interesting findings become available to us:

- C2 information associated with the payload (in this case, a number of similar domains which resolve to 94.156.68.191)
- The applications targeted by the malware, which include a large number of banking applications
- The AES key, which we can use to decrypt the C2 communications

The communications captured during the sandbox run can be downloaded in PCAP format, which can be analyzed further using a tool such as Wireshark. At this stage, the data remains encrypted. However, we can extract it as a hex stream to transfer it to a decryption tool. Also, note the aforementioned C2 server, 94.156.68.191, observed in the captured communications.

The final step is to combine the extracted data from Wireshark with the AES key provided in our sandbox run. As before, we will use CyberChef to assist us with this step. The output corresponds to the decrypted data, which contains all the parameters for this payload. Once beautified, it becomes easier to read and understand. In this case, the payload is impersonating the Facebook application.
We can also observe the language used in the prompt to encourage the victim to activate the Accessibility Service permissions required for the bot to operate fully. In the bottom half of the screenshot, we observe further parameters being passed to provide information about the victim host, for example:

- iA = 0: the trojan is NOT the default SMS manager
- iAc = 1: the trojan has Accessibility Services access
- iBC = 100: the device is at 100% charge
- kL = 1: the keylogger is enabled
- rTS = 1707298428: the timestamp for the information provided (unix time corresponding to 7 February 2024 09:33:48)

The final bullet point serves as a lasting alibi for our malware analyst in case of the question “where were you on 7 February at 9:30 am?”.

Having repeated this process on numerous occasions with different payloads, we found that the parameter lB can offer up some interesting data points. In the case we have described in this blog, the lB parameter indicated the identity of the malicious spoofed application (Facebook) used as a lure. In addition to Facebook, we have seen recent campaigns impersonating Google Chrome, as well as a number of Poker applications. However, in other cases, we have often observed the lB parameter containing the value ‘apkcrypt’, indicating that a different crypter had been used compared to the usual one we observe in the analysis of Coper/Octo. It is not clear why this happened, but it may suggest that the malware author collaborates with more than one crypter service.

It's the Same, but Different

As mentioned previously, Coper/Octo operates as a Malware-as-a-Service (MaaS) offering, with customization placed into the hands of its customers. However, there are some constants (outside of elements of the malware code) that we can focus on to identify connected infrastructure. One such constant is the X.509 certificate utilized for Coper/Octo C2 servers.
Examining a different C2 server from the one mentioned above, 91.240.118.224 appears to have been used in Coper/Octo campaigns commencing on 5 February 2024, based on uploads to VirusTotal. Our own analysis of the IP also identifies it as a Coper/Octo controller. According to our data holdings, 91.240.118.224 appears to be hosting what seems to be a fairly generic X.509 certificate. However, when expanding our query to seek further examples of IPs hosting an X.509 certificate with a subject value of ‘CN=www.example.com,OU=Department,O=Company’, we find that there are surprisingly few candidates. In total, we found 84 other IPs hosting a certificate that matched the same subject value, dating back to mid-January 2024. A search of Censys records returned a similarly low number of results.

When we analyzed the resulting IPs, we found that, aside from a small number of false positives, this certificate value was a strong indicator of Coper/Octo infrastructure. The majority of the servers we identified as Coper/Octo were located in Russia or the Netherlands. Additionally, we observed that while the certificates mainly appeared to be generated for each new C2 server, there was also evidence of Coper/Octo customers moving their infrastructure. In these cases, we found that the certificate serial number and associated C2 URL string remained the same, even when moving from one IP address to another, as illustrated below.

Having filtered out false positives, we are now able to monitor all active C2 servers to gain a high-level understanding of current campaigns, drawing out the number of victims and the regions targeted. Returning to 91.240.118.224 as an example, at the time of our analysis we found that it had 486 bots connected to it, with approximately 80% of these victims located in Turkey.
Expanding this to look at all active Coper/Octo C2 servers we were aware of at the time of this analysis, we found there to be a total of nearly 45,000 bots, with nearly 700,000 SMS messages intercepted from them. When mapping out the locations of the victims, four countries stand out in particular as being heavily targeted by Coper/Octo campaigns (disclaimer - at the time of our analysis): Portugal, Spain, Turkey, and the United States.

Conclusion

In conclusion, this analysis of the Coper/Octo Android malware-as-a-service operation sheds light on the sophisticated and evolving nature of mobile malware threats. From its origins in the Exobot family to its current status as a full-fledged malware service, Coper/Octo represents a potential risk to Android users worldwide. Its range of capabilities, including keylogging, injects, and VNC remote access, underscores the need for heightened vigilance and security measures among mobile device users.

Furthermore, the examination of Coper/Octo's infrastructure and targeting strategies highlights the global reach and strategic focus of its operators. By understanding the intricacies of its command-and-control infrastructure and victim targeting patterns, security researchers can better mitigate the threat posed by this malware and protect users from falling victim to its malicious activities. As the threat landscape continues to evolve, it is imperative for both users and security professionals to remain proactive in identifying and addressing emerging threats like Coper/Octo. By staying informed about the latest developments in mobile malware and implementing robust security measures, we can collectively work towards a safer and more secure mobile ecosystem for all users.
Recommendations

Users of Pure Signal™ Recon can identify Coper/Octo infrastructure based on tags, and gain more precision with an X.509 query using the following parameters:

- O: Company
- CN: www.example.com
- Subject: OU=Department
- Port: 443

Users of Pure Signal™ Scout can use the advanced query language to identify Coper/Octo infrastructure based on tags.

- Ensure that all mobile devices, particularly Android devices, are running the latest operating system updates and security patches. These updates often include fixes for vulnerabilities that malware like Coper/Octo may exploit.
- Consider installing reputable antivirus software on Android devices to detect and remove malware infections. Regularly scan devices for suspicious activity and malware signatures.
- Be vigilant when downloading and installing applications from third-party sources or unknown developers.

Indicators of Compromise

  • Continuous Threats Need Continuous Management

    A senior stakeholder explainer for Continuous Threat Exposure Management (CTEM)

Cybersecurity in the Era of Continuous Threats: The Case for CTEM

Traditional approaches to cybersecurity no longer provide sufficient defense. Enterprises are missing an opportunity to reduce their exposure to threats through siloed and tool-centric methods of risk and threat detection. The need for a proactive, integrated strategy is clear, and Continuous Threat Exposure Management (CTEM) stands at the forefront of this transformation. For CISOs, the key benefit of implementing CTEM is to provide your organization with strategic advantages, aligning cybersecurity efforts with business goals. It ensures that security investments are prioritized based on actionable intelligence, reducing the likelihood of breaches.

Why is CTEM so important to consider as a strategy? Gartner predicts that by 2026, organizations employing CTEM will be three times less likely to suffer from a breach.

Understanding CTEM

CTEM is not a fleeting trend but an essential systemic approach to refining an organization's security posture amidst a landscape where threats outpace traditional defenses. The premise is simple yet profound: zero-day vulnerabilities, while significant, are not the primary culprits behind breaches. Instead, a successful protection approach marries readiness for unknown threats with a strategic emphasis on publicly known vulnerabilities and identified control gaps.

As business environments grow in complexity, with technological expansions both on-premises and in the cloud, the attack surface widens. New technologies and business initiatives like SaaS applications, IoT, and supply chain touchpoints introduce new vulnerabilities. In response, security leaders are increasingly recognizing the inadequacy of preventative-only strategies and are turning to more mature, multi-faceted tactics that include detection and response capabilities.
The Financial Imperative

The shift to CTEM is not just about bolstering defenses—it's a financial imperative. According to IBM's Cost of a Data Breach Report, the average cost of a data breach reached an all-time high of $4.45 million in 2023. These staggering figures underscore the criticality of managing exposure through a structured, iterative process like CTEM. If there’s ever a motivation to pivot to a new cyber strategy, financial implications are high up there.

CTEM in Action: A Five-Step Cycle with Practical Steps

A mature CTEM program encompasses a five-step cycle: scoping, discovery, prioritization, validation, and mobilization. This cycle ensures that outputs from exposure management contribute to multiple parts of the security and IT organizations, facilitating a holistic management approach to a wide set of exposures. It's a cyclical, iterative process that demands regular, repeatable steps to ensure consistent outcomes.

1. Scoping: Defining Your Battlefield
Practical Steps:
- Inventory digital assets, including cloud instances, endpoints, and operational technology.
- Define business-critical systems and data, focusing on what is essential to protect.
- Establish governance to manage CTEM with clear roles and responsibilities.

2. Discovery: Identifying the Known and Unknown
Practical Steps:
- Implement comprehensive scanning tools for vulnerability assessment.
- Engage in threat intelligence services to stay abreast of the evolving threat landscape.
- Conduct regular penetration testing to uncover hidden vulnerabilities.

3. Prioritization: Making Informed Decisions
Practical Steps:
- Use risk-based vulnerability management tools to evaluate the severity and impact of each threat.
- Align security measures with business impact, prioritizing actions that protect the most critical assets.
- Foster collaboration between IT and business units to ensure risk assessments are business-aware.

4. Validation: Testing Your Defenses
Practical Steps:
- Validate remediation and mitigation actions through simulated attack scenarios.
- Review security policies and practices to ensure they are effective and up-to-date.
- Establish metrics and KPIs to measure the effectiveness of your security posture.

5. Mobilization: Orchestrating Response and Remediation
Practical Steps:
- Develop and test incident response plans that include CTEM insights.
- Train employees on security awareness and response protocols.
- Establish a cross-functional CTEM team to manage and act on CTEM outputs.

CTEM in Action: Strategic Advantages and Outcomes

Enhanced Risk-Based Decision Making

In the boardrooms of companies, the conversation around cybersecurity is increasingly tied to risk management. With CTEM, organizations can pivot from a scattered approach to a risk-based decision-making process, where each security investment or response is evaluated on its potential impact on the company’s risk posture. For example, a Fortune 100 financial institution could use CTEM to not only identify and prioritize vulnerabilities in their trading platforms but also to assess the potential financial impact of a breach, thereby allocating resources more effectively.

Optimization of Security Investments

For any company, every security dollar spent needs to justify itself in terms of ROI. CTEM helps in optimizing these investments by identifying which security controls contribute most to reducing exposure. A multinational conglomerate could leverage CTEM to determine whether investing in endpoint detection and response (EDR) systems for their industrial control systems could yield more risk reduction per dollar than further encrypting internal communications, which may already be robust.

Cross-Functional Alignment and Collaboration

Large organizations with various subsidiaries are often siloed, with each department in each business operation acting independently.
CTEM fosters cross-functional collaboration, bringing together IT, security, compliance, and business units. For instance, a global retailer might use the insights from a CTEM program to facilitate discussions between their e-commerce platform managers and security teams, ensuring that new digital customer experience enhancements do not introduce unmanageable risks.

Proactive Compliance and Regulatory Advantage

Regulatory fines for data breaches can be exorbitant for organizations within their scope, often reaching into the millions or more. CTEM enables these companies to stay ahead of compliance, not just reacting when new regulations come into effect. A pharmaceutical giant could use CTEM to continuously monitor their adherence to health data protection standards across all jurisdictions they operate in, thus proactively addressing risk and aligning with compliance to avoid penalties.

Strengthened Supply Chain Security

Supply chain vulnerabilities are a critical concern for larger companies, given their extensive reliance on third-party networks. CTEM provides a framework for assessing and managing risks presented by vendors and partners. A global tech company, for example, could implement CTEM to continuously evaluate the security postures of their hardware suppliers, ensuring that vulnerabilities in the supply chain are identified and addressed before they can be exploited.

Data-Driven Cybersecurity Culture

CTEM contributes to developing a data-driven cybersecurity culture within an organization. By consistently communicating the outcomes and effectiveness of security measures, CTEM helps in building a culture of security-mindedness. For a large energy company, CTEM can provide the data to support downstream communications and reporting needed to drive home the importance of cybersecurity practices to field operators and engineers, who may not always see the immediate relevance to their day-to-day work.
Conclusion

For CISOs and senior cyber security stakeholders navigating the complexities of modern cyber threats, CTEM offers a structured, business-focused approach to managing exposure. It integrates security into the fabric of business operations, fostering resilience in the face of continuous threats. As we progress into a future where cyber threats are an everyday business reality, CTEM is not just a recommendation—it's a necessity.

As a strategic shift, CTEM requires commitment and a change in mindset. It's about moving from a reactive stance to a continuous, proactive management of your organization's threat exposure. By starting with the practical steps outlined above, you can begin to integrate CTEM into your cybersecurity strategy, paving the way for a more resilient and secure enterprise.

To start your CTEM journey, here are some useful links to get started, based on your organization's maturity and requirements:

- Digital Asset Discovery - explore beyond your borders and inventory assets you own here: Attack Surface Discovery
- Vulnerabilities Discovery and Management - discover and assess vulnerabilities across your digital landscape here: Vulnerabilities Discovery
- Enable your SOC to better prioritize - leverage an easy to use threat analytics tool to triage threats quickly here: Speed up threat analysis
- Validate threats and expand visibility - go beyond your borders and equip experienced analysts with unmatched threat hunting capabilities here: Gain the advantage over your adversaries

  • Navigating Cybersecurity Frontiers in Rwanda: Unveiling the RISE Conference's Agenda

    Why you need to attend the RISE 2024 Conference

In the rapidly evolving digital era, cybersecurity remains a paramount concern, especially in regions like Rwanda and across Africa. This May, Team Cymru’s series of RISE Conferences arrives in Rwanda and will serve as a crucial convergence point for cyber law enforcement professionals, cyber threat analysts, and senior network engineers. Here, we will delve into the heart of contemporary cyber challenges, offering insights and solutions tailored to our unique landscape.

“After many years of successful events across the African continent, we’re looking forward to welcoming new delegates to advance their cyber threat knowledge and increase their network among their peers.” Steve Santorelli, Chief of Staff, Team Cymru

1. Tackling the Surge in Cybercrimes Amidst Digital Growth: As Rwanda and Africa take large strides forward in digital innovation, a surge in cybercrimes has become an inevitable challenge. The RISE Conference will allow you to discuss this trend, providing a platform to share innovative cybersecurity measures and preventive strategies. We will explore how technological advancement has altered the cybercrime landscape, necessitating updated approaches and tools to safeguard digital assets and information.

2. Cybersecurity in National Policies: A Cornerstone for Digital Economies: The integration of cybersecurity into national policy frameworks is no longer optional but a necessity. The conference will touch on Rwanda's strides in enacting data protection laws and developing comprehensive cybersecurity strategies. Attendees will gain insights into how cybersecurity policy can be effectively woven into the fabric of national governance and business strategies, ensuring a secure digital future for citizens and enterprises alike.

3. Embracing Collaborative Cybersecurity Approaches: In our interconnected world, cybersecurity challenges cross borders and sectors. The RISE Conference emphasizes the need for a collaborative approach to cyber risks. Sessions will focus on fostering international cooperation, with particular attention to protecting vulnerable online populations, such as children, and combating emerging cyber threats. This collaborative ethos is critical for developing a unified front against cyber adversaries.

"Following the steps of previous successful RISE events hosted in Morocco in 2017, Kenya in 2018, and South Africa in 2022, we are excited to be working with RICTA. Together, we will co-host and bring RISE to Rwanda in 2024.” Jacomo Piccolini, Outreach Team, Team Cymru

Conclusion: The RISE Conference is more than just an event; it's a beacon for cybersecurity knowledge and collaboration in Rwanda and Africa. By addressing current and pressing cybersecurity challenges through expert-led discussions, workshops, and networking opportunities, we are paving the way for a safer digital future. Join us in shaping the conversation and solutions in the realm of cybersecurity.

Event Details: For additional information on the event schedule, expert speakers, and how to register, please visit Team Cymru's Event Page.

  • Your Opportunity to Combat Cybercrime Worldwide

    How to Sponsor the 2024 RISE and Underground Economy Conferences

Sometimes in cybersecurity we lose sight of the bigger picture. Each day we're certainly aware that we're taking action to keep our organizations safe and to keep malicious actors out of networks and systems they could impact in major ways. But it's also about individuals.

In an episode of Team Cymru's Future of Cyber Risk podcast, Selena Larson, Senior Threat Intelligence Analyst at Proofpoint, articulated it perfectly when she said: "There's a human being on the end of every attack. ... It's really important for us as practitioners — that includes intelligence analysts, that includes people who are writing these reports about threat activity — to remember that there's always someone on the other end that's experiencing something that really, really sucks. And … think about how we as a community and as security practitioners ourselves can make the space better so that there are fewer victims of cybercrime."

This is why Team Cymru’s mission is to save and improve lives. Every day we save and improve lives through our nearly 20 years of experience and expertise at providing unparalleled threat intelligence and insight for security vendors, network defenders, incident response teams, and analysts. We also save and improve lives through our Community Services division that provides no-cost threat detection and intelligence to network operators, hosting providers, and more than 140 CSIRT teams across nearly 90 countries. And we save and improve lives by hosting four conferences every year, where industry professionals can learn how to better protect their organizations and improve the lives of people in the process.

What are the Underground Economy and RISE Conferences?

Launched in 2008, the Team Cymru Underground Economy Conference is our annual flagship conference with 500 attendees that takes place every year in September.
In 2016, we launched three annual, smaller RISE Conferences (200 attendees), to offer four conferences annually. These events are a global gathering of cybersecurity professionals where they can learn more about cyber threats and critical investigations, and take advantage of networking opportunities. These events are academic in nature, consisting of confidential case studies and workshops on external threat hunting, threat intelligence, and cybercrime, delivered by industry professionals.

Past sessions at the Underground Economy Conference and RISE have included case studies presented by the analysts and investigators responsible for thwarting recent high-profile cyber attacks, as well as those who orchestrated massive, transcontinental botnet and dark web takedowns. Past conferences have also covered topics such as:

- Sim swapping
- Fast flux botnets
- Ransomware
- OPSEC investigative leads
- State sponsored hackers
- Crypto mining malware
- Cyber-security AI in vehicles
- Ransomware toolsets
- Supply chain risk management
- Open source tool reviews

The Underground Economy Conference and RISE consist of one or two days of plenary sessions followed by one to two days of training. Attendance is restricted to verified industry peers and detectives, and those wanting to attend will need to apply. The hand-picked group of up to 200 attendees for RISE and 500 attendees for the annual Underground Economy Conference includes individuals from industry and financial services, law enforcement, information security, and academia.

Our upcoming conference schedule includes:

- RISE: January 24–25, 2024 in Latvia
- RISE: April, 2024 (location TBD)
- Underground Economy Conference: September 2024 in Strasbourg, France
- RISE: November 2024 in Singapore

RISE and Underground Economy Conferences rely on generous sponsors in order to make our unique and high-quality conferences happen — and you can learn more about sponsorship opportunities below.

Who Benefits from RISE and Underground Economy Conferences?
Ultimately, we all benefit from these events, both those in security and end users who are protected by that security. Because we host events around the globe, RISE and Underground Economy Conferences allow for a more geographically-targeted environment that provides security practitioners with the latest insights and techniques to aid in the global fight against cybercrime.

Miranda Bruce, a Postdoctoral Fellow in the Department of Sociology at Oxford University and a recipient of an Underground Economy Conference scholarship in September 2023, had this to say about her experience: "Underground Economy was just really great for me and it's great for anybody. Even if you don't have an academic interest in cybercrime, it teaches you new things, it gets you in touch with new people, and it gives you a new way of thinking about this area and thinking about how cybercrime is becoming more complex and also how it's becoming more simple in some ways."

By bringing these unique learnings back to their organizations, attendees can not only advance their security strategy, but can ensure their teams are up on the latest trends and technology. They'll also walk away with new connections, partnerships, and friendships that will help us all combat cybercrime together.

Why You Should Become a RISE and Underground Economy Conference Sponsor

By becoming a sponsor of these events, you'll not only support the advancement of cybersecurity knowledge and innovation around the globe. You'll save and improve the lives of millions of people who will be less impacted by cybercrime because of it. Sponsorship also has its own benefits. Your logo placement across various conference assets lets attendees know that you're a supporter of combating cybercrime worldwide. You'll join past sponsors like Cisco, Google, and Walmart in helping further cybersecurity innovation.
You'll also receive guaranteed delegate invitations to these invitation-only conferences so that you can boost your own internal cybersecurity efforts. If you want to make a tangible impact on combating cybercrime around the globe, learn more about sponsorship opportunities for RISE and Underground Economy Conferences today. Join us in our mission to save and improve lives, and we'll see you in a few short months at RISE Latvia in January 2024!

  • Risk Modeling and Real-Time Intelligence - Part 2

    Learn about NIST 2.0 now to avoid becoming a statistic in the future

    By 2025, 45% of all organizations will have experienced a cyber-attack through a supply chain partner. This explains why we are now seeing more inquiries and discussions about the NIST 2.0 Cybersecurity Framework from our customer base, and this blog seeks to discuss the topic for senior cybersecurity stakeholders. This revised framework is not just a compliance checklist; it's a strategic tool to enhance overall security resilience and align with industry-leading practices. For a security leader responsible for threat intelligence and hunting, this blog is an excellent primer to help you navigate the new NIST 2.0 framework and align your team and organization to it. Keep reading and learn about:

      - The new Govern section and how to align risk management to business functions and company strategies.
      - How to use DPRM solutions for the cybersecurity risk inputs needed to fortify overall risk planning and incident response.
      - What provisions you need to make for privacy, supply chain security, and the incorporation of new technologies.
      - Why automating asset discovery and continual prioritization leads to lower risks from supply chain partners.
      - How to drive up the cost for a threat actor to attack your organization using collaborative efforts.
      - Actionable insights for implementing NIST 2.0, tailored to different cybersecurity maturity levels within organizations.

    With the significant changes that 2.0 brings, it's clear that NIST wants to make its framework more accessible. It's a smart move when you consider that the majority of news-worthy cyber-attacks happen through supply chain partners. Not only that, but the number of cyber-attacks has risen considerably: other sources indicate more than a 200% YoY increase in supply chain cyber-attacks. The 2.0 framework represents a significant step forward in guiding organizations to strengthen their cybersecurity measures.
    NIST 2.0 Focuses on Reducing Risk For Companies of All Sizes

    Regardless of the industry analyst or news source, it would be hard to disagree that supply chain and third-party cyber-attacks are increasing exponentially. The challenge is that large organizations must find ways to protect what isn't theirs, as they are still held liable for cybersecurity oversights at the supply chain and third-party levels. It is too costly for a company not to strategize about how to ensure that security, using risk and threat platforms. NIST's introduction of this guidance for all company sizes is timely, as supply chain and third-party cybersecurity is a problem everyone owns. It requires a unique approach that combines real-time threat intelligence, continuous asset discovery, and increased collaboration for parent companies, subsidiaries, and partners.

    NIST now provides guidance and examples for its 2.0 framework for companies of any size. If you have enterprise customers, you may feel the effects of the 2.0 Cybersecurity Framework as its recommendations are translated by larger organizations into new security and audit requirements for their suppliers and third-party services. There is no getting away from the fact that NIST 2.0 is a sizable body of work. Instead of rattling off all the changes, let's discuss where security leaders should take note.

    DPRM Platforms Play Center Stage in the NIST 2.0 Cyber Security Framework

    Are large enterprise organizations amongst your customers, or does your company play a role in the supply chain delivery of a customer or critical service? The new "Govern" function and its implementation examples show how DPRM solutions are the cornerstone to providing the cybersecurity risk inputs needed to fortify overall risk planning and incident response. Nowhere is that emphasis more apparent than in the new "Govern" function, which provides cross-functional recommendations and examples aimed at better executive collaboration.
    The Govern function lends more clarity to categorizing assets so that security leaders can take a more proactive approach and prioritize response. You may be one step ahead if you already use the inputs from a DPRM platform. If your team is already engaged in these activities, you may have a short path to showing alignment with NIST 2.0 recommendations. Ensure the tools you use can keep pace and enable the benefits of proactive defense. Here are some salient points to think about when considering a threat and risk management platform to realize the advantages contained in the 2.0 cybersecurity framework recommendations. Do you have a DPRM solution that provides:

      - A multi-score impact methodology that considers the severity of the vulnerability via CVSS scoring, critical aspects of the infrastructure, and other factors, such as manual inputs, to generate a score.
      - Automation of the impact score on an asset using CVSS scoring, combined with human and AI/ML generated input.
      - Continual asset discovery – Shadow IT requires SecOps to diligently discover and inventory new IT systems as they are added to the external attack surface you monitor.
      - Integration opportunities with GRC systems and other business management systems via API.

    Supply Chain Security Measures Go Mainstream with NIST 2.0 Recommendations

    Many security leaders likely didn’t need reminders about supply chain risk. But you know it's time to get even more serious about supply chain security when Homeland Security builds a new supply chain risk management office. Then, NIST released its first update to its Cybersecurity Framework. Regardless of whether you need to act now or wait until a later point, you need to know about the new NIST 2.0 recommendations and prepare. If you are with a parent company with a long list of supply chain partners, you must bring them into your cybersecurity programs. The infrastructure you need to secure is your partner's rather than yours.
    But at the same time, you are still responsible for any breach resulting from their cybersecurity shortcomings. If you are in an industry where a customer and/or critical system relies on third-party services, you are responsible for the breach regardless of the source. So, as a security leader, how do you put another company's assets under your purview and collaborate to reduce risk? Ultimately, you are responsible for your own and your supply chain partners' security shortcomings. The NIST 2.0 recommendations and implementation examples highlight the minimum capabilities needed for increased supply chain security; the timing could not be better.

    Due diligence will always depend on human interactions and assessments, as it should. At the same time, a lot of tedious and manual work goes into assessing risk. So, the more you can increase the efficacy, automation, and coverage of your cybersecurity programs to include key partner relationships, the better off you will be in the long term. Supporting supply chain partners by collaborating on cybersecurity is a win-win situation for everyone involved. Here are some key ways that a DPRM solution can augment your supply chain security program:

      - Multiple risk scores – DPRM platforms enable multiple scores by business unit, subsidiary, supply chain partners, and third-party services.
      - Create specific groups – Monitor risk by groups you create, such as function, geography, partner, or type of service, to measure individual and overall group risk scores.
      - Benchmark – Compare business risk scores to highlight weak links. Evaluate similar groups, partners, or applications against each other to benchmark risk reduction across groups and identify security gaps.
      - Automate scanning and discovery – Supply chain and third-party service partners should have their infrastructure scanned and assessed regularly.
        Partners should be able to show improvement from past scans, such as reducing the number or severity of vulnerabilities within their infrastructure. Map the vulnerabilities of a group of partners to track the overall and individual risk scores and provide guidance for remediation where possible.

    Automate Asset Discovery and Continual Prioritization for In-Depth Situational Awareness

    Corporate IT environments are constantly in flux, with new applications being spun up and business units sometimes going rogue and standing up new infrastructure. It's hard to keep up with, even with visibility into your infrastructure. Nowhere is automated asset discovery needed more than for your externally exposed infrastructure. Once you have performed your initial in-depth discovery, it must be followed up with frequent scans, as new software, configuration changes, and admin updates will affect the risk score of that asset.

    Discovery is just the beginning; it is just one facet of managing vulnerabilities. It is vital that initial discovery and continual scanning take place, but they only answer the question of where. Vulnerability management needs more; it needs business logic that enables automating the priority of assets to help answer the what and the why. Solutions that can automate prioritizing assets by bringing together CVSS severity scores with business impact scoring will give vulnerability management teams the automation they need to weed through the noise of low-level alerts and concentrate on what matters most. So, what is the best way to prioritize assets? Because what matters most is not always a straightforward answer, consider these attributes when looking to prioritize response.

      - Severity – The first step is ascertaining the vulnerability severity. If exploited, how much damage would it cause? To a certain extent, business context is needed, but you can make a reasonable estimate based on your knowledge of your software and hardware environment.
      - Likelihood – This can be defined by the exposure of a system on your external attack surface, the frequency of threats or exploits, and how much publicity the vulnerability has received. But the best indicator of likelihood is probably the capabilities and motivations of attackers. This may be a more important attribute if you suffer from repeated attacks and relentless threat actors.
      - Risk – It is always a central theme in prioritizing security response. Its calculation takes into account the loss a company might suffer in the case of a successful attack. Risk helps you examine and rank vulnerabilities by the assets they affect and how those assets may interact with other business systems.
      - Context – Not all high-value assets are externally facing and well-known, but they carry the same weight when it comes to risk. The main risk could be a work stoppage or business downtime. You may place more value on that asset even if it is not externally facing or otherwise well-known.

    NIST 2.0 Emphasizes Real-Time Intelligence. Why should you also?

    We get it. Operationalizing threat intelligence is not easy. Even worse is operationalizing something that doesn’t matter anymore. You can use threat reports to block IP addresses, and that can help, but only until attackers change tactics again. Things like the MITRE ATT&CK framework can tell you about possible TTPs (Tactics, Techniques, and Procedures). But they are not investigative tools that will tell you which adversary is targeting you and how to defend yourself in anticipation of an attack. The 2.0 recommendations include many examples of the need for real-time threat intelligence to complement the capabilities of a DPRM solution. The new 2.0 standard recognizes that security analysts need to be able to observe attacker behavior and conduct a more thorough investigation.
    The ability to do a deeper dive into an incident requires having a view beyond your perimeter that enables analysts to make queries and quickly know the nature of an incident, including:

      - Quickly know if a suspect IP should be further investigated.
      - Understand what happened during an event.
      - Observe attacker behavior to anticipate an attack.
      - Attribute attackers to an incident.
      - Determine the root cause of an incident.
      - Stop exfiltration by blocking C2 communications.

    These actions provide security analysts with the means to create playbooks using real-time intelligence. The data generated can also be used to identify other third parties and help compromised victims with remediation advice.

    The NIST 2.0 framework is a welcome update. Implementation examples represent a better way for companies of all sizes to consume this information and build better processes while taking advantage of new collaboration opportunities. The NIST 2.0 Cybersecurity Framework recognizes the need for more collaboration in cybersecurity. When we all work together, the collective efforts pay off by driving up the cost for a threat actor to attack while enriching our threat intelligence sources for a proactive cyber defense.

    Further Reading:

      - Learn more about the threat vectors you should be concerned about here.
      - Read our customer case study about the discoveries made when external Threat Intelligence is applied over a Threat Model.
      - Learn more about the value of monitoring external risks and how that empowers organizational success: read our customer case study here.
      - Mature threat intelligence teams add tangible financial business value and reduce business risk. Learn more about how our Fortune 10 customer integrated real-time threat intelligence to enact a proactive defense that goes beyond the MITRE ATT&CK framework to offer pre-compromise defense.
      - Up the Ante on Supply Chain Security
      - Stop the Budget Drain of Dated Threat Intelligence
      - Don’t Inherit a Security Problem with M&A Activity
      - Automate Real-Time Intelligence and Increase Productivity and Morale!
      - External Threat Hunting Prevents Data Breaches
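    As an added example that is not part of the original post and not code from any Team Cymru product, the block below turns the four prioritization attributes described under "Automate Asset Discovery and Continual Prioritization" above (severity, likelihood, risk, context) into a repeatable score and contrasts the resulting queue with a CVSS-only one. The asset names, the placeholder CVE ids, and the 0.3/0.35 likelihood weights are constructed assumptions, not any DPRM platform's actual methodology.

```python
"""Risk-based vulnerability prioritization: severity x likelihood x business impact.

Added example. The weights, asset names and CVE ids below are constructed
placeholders, not a DPRM vendor's scoring methodology.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str               # placeholder identifier, not a real CVE
    cvss: float            # CVSS base score, 0.0-10.0 (severity)
    external: bool         # exposed on the external attack surface
    known_exploited: bool  # evidence of active exploitation in the wild
    business_impact: int   # 1 (low) .. 5 (critical), agreed with the business owner
    manual_adjust: float = 0.0  # analyst context override in [-2, +2]


def likelihood(f: Finding) -> float:
    """Likelihood in [0.3, 1.0]: exposure and exploitation evidence raise it.

    Internal assets keep a non-zero floor so that context (business impact)
    can still pull them up the list; the 0.3/0.35 weights are assumptions.
    """
    score = 0.3
    if f.external:
        score += 0.35
    if f.known_exploited:
        score += 0.35
    return score


def priority(f: Finding) -> float:
    """Priority in [0, 100] combining the four attributes from the post.

    severity   -> normalized CVSS
    likelihood -> likelihood()
    risk       -> business impact weight (loss if the asset is compromised)
    context    -> manual_adjust (e.g. downtime risk on an internal system)
    """
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range for {f.cve}: {f.cvss}")
    if not 1 <= f.business_impact <= 5:
        raise ValueError(f"business_impact out of range for {f.asset}")
    adjust = max(-2.0, min(2.0, f.manual_adjust))
    raw = (f.cvss / 10.0) * likelihood(f) * (f.business_impact / 5.0) * 100.0
    return round(max(0.0, min(100.0, raw + adjust * 10.0)), 2)


def rank_by_priority(findings: List[Finding]) -> List[str]:
    """Assets ordered by the combined score, highest first."""
    return [f.asset for f in sorted(findings, key=priority, reverse=True)]


def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """Baseline: the order a CVSS-only queue would produce."""
    return [f.asset for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample findings (placeholder CVE ids, invented asset names).
SAMPLE = [
    Finding("marketing-microsite", "CVE-0000-0001", 9.8, True, False, 1),
    Finding("web-store-edge", "CVE-0000-0002", 7.5, True, True, 4),
    Finding("mes-plc-gateway", "CVE-0000-0003", 6.5, False, True, 5, manual_adjust=1.0),
    Finding("hr-portal", "CVE-0000-0004", 5.3, True, False, 3),
]

if __name__ == "__main__":
    print("CVSS-only order  :", rank_by_cvss(SAMPLE))
    print("Prioritized order:", rank_by_priority(SAMPLE))
    for f in sorted(SAMPLE, key=priority, reverse=True):
        print(f"{f.asset:20s} cvss={f.cvss:4.1f} likelihood={likelihood(f):.2f} "
              f"impact={f.business_impact} priority={priority(f):6.2f}")
```

    The contrast is the point: the 9.8 on a low-impact microsite drops to the bottom once business impact is weighed, while the internal manufacturing gateway with a known-exploited 6.5 rises to second place on context alone, which is the "high-value but not externally facing" case the post calls out. The manual adjustment is clamped so an analyst override can reorder neighbours but cannot silence a critical finding.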

  • Risk Modeling and Real-Time Intelligence - Part 1

    Leverage DPRM Solutions in Cyber Risk Models for Better Business Outcomes

    Risk models and frameworks span a wide range of essential topics for the business, so it is not uncommon to see risk modeling used throughout an organization. When it comes to cyber risk models, there are many use cases for building a model to assess the risk of a business opportunity. Cyber risk models are commonly used to determine the risk vs. business opportunity for M&A initiatives, introducing new customer services and online applications, and measuring risk with supply chain partners.

    There are several frameworks that GRC professionals use to gauge risk and reward for IT initiatives and help companies make good decisions about risk.

      - NIST is one of the most well-known producers of IT frameworks for cybersecurity risk management. The newly released 2.0 version of the Cybersecurity Framework heavily emphasizes a new Govern function, incorporating cybersecurity into a broader enterprise risk management strategy.
      - Factor Analysis of Information Risk (FAIR) is another methodology and framework for quantifying cyber risk, designed to measure, manage, and report on information risk from the business perspective.
      - Service Organization Control (SOC) Type 2 is a trust-based cybersecurity framework and auditing standard, and one of the most challenging frameworks to implement.

    Prioritizing Vulnerabilities and Business Risk

    Digital risk protection management (DRPM) solutions offer security leaders a way to aggregate thousands of data points to identify internet-facing systems and data that need to be protected. This data identifies IT security gaps, offering a view into an organization's risk profile. This information is vital for vulnerability management professionals who must prioritize CVEs by the business risk they pose if exploited.
    A zero-day attack is a high risk, but the risk from that same exploit can be higher if the CVE is present on a critical system that provides access to customer information or acts as the core system that keeps supply chain or manufacturing systems online and productive. A modern DPRM solution will consider these scenarios and prioritize mitigation to reduce business risk.

    Today's business environment requires versatile tools beyond numerical calculations and best estimates. DPRM platforms continually ingest and aggregate multiple sources of information to discover externally facing infrastructure and prioritize business risk. DPRM data fed into a risk model or GRC system is critical in evaluating the balance between risk and business opportunity. This assessment is crucial for mergers and acquisitions, new online customer services, and supply chain partnerships.

    Actionable Insight: Use data from DPRM systems to feed risk models to evaluate risks and opportunities across various business domains, especially in M&A, customer service innovation, and supply chain partnerships.

    Create a Blueprint of Cyber Risk for Better Decision-Making

    Cyber risk frameworks and DPRM platforms complement each other as navigational guides, offering a structured approach to assessing digital vulnerabilities against the right level of business risk. They are central to evaluating many business scenarios that require cybersecurity and business leaders to collaborate to assess risk vs. opportunity. Business situations where this is evident include M&A evaluations, introducing online services, and gauging new supply chain vendors. They provide the business with a panoramic view of potential risks and prioritization in a way that is easy for business counterparts to understand and that helps them make informed choices.

      - M&A Evaluations – M&A opportunities and subsidiaries are ripe for sophisticated attackers to find new ways to infiltrate parent organizations.
        Proactively searching for ongoing threats relating to M&A activities and within subsidiaries pays off in the early identification of compromise.
      - New Online Services – Fighting fraud is essential to defending any new service and must be evaluated early and often in any new application launch.
      - Supply Chain Partnerships – Vital to business, no company can ignore strategic partnerships supporting the launch of new products or aiding new corporate capabilities. At the same time, they represent a significant risk, as every new partnership represents another way for a threat actor to access core systems.

    In each scenario, essential risk and threat models support a proactive defense. This is vital to any enterprise organization, as most partners are smaller and more vulnerable to an attack.

    Actionable Insight: Develop cyber risk models using a framework to comprehensively understand digital vulnerabilities and potential impact, including qualification of the business risk. DPRM solutions, in the context of the framework or model you choose, will enable well-informed decisions in areas like M&A due diligence, online service deployment, and supply chain management.

    Real-Time Threat Intelligence Informs Predictive Cyber Risk Models

    Your initial asset discovery and prioritization efforts are the tip of the spear as you get started with your DPRM solution and with using risk frameworks to aid in decisions about prioritizing vulnerabilities and collaborating with the business on cyber risk. Your DPRM solution should aggregate data for discovering assets within your environment and the partner infrastructure supporting external applications. Discovery must be continual to aid security leaders in identifying and safeguarding critical internet-facing systems and data. These solutions highlight vulnerabilities by analyzing multiple data points, offering insights crucial for effective vulnerability management and risk prioritization.
    Real-time threat intelligence complements these processes by providing up-to-date information about active threat actors and their tactics. The knowledge you get from a DPRM platform aids in risk scoring and quantifying potential financial impacts, which empowers organizations to focus on reducing attack risks. External Attack Surface Management (EASM) platforms, such as Pure Signal™ Orbit, are an example of DPRM solutions that focus on external digital risks and offer the benefit of informing risk with real-time threat intelligence.

    Actionable Insight: Leverage real-time threat intelligence to prioritize risks effectively and quantify potential financial impacts, enabling the allocation of resources to high-priority areas.

    Start Early and Collaborate Often

    Even if you don't have a DPRM solution in place or someone on your team who is a whiz at creating bespoke models for risk analysis (most teams don't), you can start now.

      - Involve business unit leaders to support the discovery of applications and understanding of their usage of cloud services.
      - If you subscribe to threat intelligence, ensure that it is real-time data, not curated information that may not be timely or support proactive defenses.
      - Find solutions like Pure Signal to support your digital risk program and assessment.
      - Create criteria that you would use to prioritize vulnerabilities by cyber risk and evaluate your environment for weaknesses.
      - Start asking questions to understand the company's appetite for cyber risk.
      - Use tools like the MITRE ATT&CK framework to understand adversarial behavior and gaps in your ability to detect and mitigate attacks.

    Further Reading:

      - Read our customer case study about the discoveries made when external Threat Intelligence is applied over a Threat Model.
      - Learn more about the value of monitoring external risks and how that empowers organizational success: read our customer case study here.
      - Mature threat intelligence teams add tangible financial business value and reduce business risk. Learn more about how our customer gained success integrating real-time threat intelligence to enact a proactive defense that goes beyond the MITRE ATT&CK framework to offer pre-compromise defense.
      - Up the Ante on Supply Chain Security
      - Stop the Budget Drain of Dated Threat Intelligence
      - Don’t Inherit a Security Problem with M&A Activity
      - Automate Real-Time Intelligence and Increase Productivity and Morale!
      - External Threat Hunting Prevents Data Breaches

  • Threat Modeling and Real-Time Intelligence - Part 2

    Leverage Internet Telemetry & Threat Intelligence for Benefits Beyond the MITRE ATT&CK Framework

    The MITRE ATT&CK framework is like a blueprint of the battlefield, showcasing potential threat actors and their tactics to infiltrate an organization. It guides a security practitioner to identify gaps in an organization's capabilities by following the tactics a bad actor may use to gain access. It also covers the techniques employed by threat actors to move laterally inside a network and compromise additional systems and infrastructure, shedding light on how vulnerabilities are exploited along the way. However, the framework remains static, providing a snapshot of known adversarial behavior. It offers security leaders and practitioners guidelines and essential attributes for threat detection, but it is not designed to guide security leaders on how to gain the visibility needed to better detect threats.

    Real-time threat intelligence fills this void, providing the crucial context to attribute attacks, track adversary behavior, and map their infrastructure. It is a vital source of intelligence and visibility that extends beyond boundaries to address evolving threats. It steps in and supports rapid threat analysis by offering a dynamic view of bad actors that may be targeting you, and acts as a single source of truth. Real-time threat intelligence and the MITRE security framework are complementary forms of intelligence that enable analysts to defend against threat actors proactively. A security framework such as MITRE is adversary-focused. It can help you find gaps in your capabilities and give you an idea of who may be attacking you and how they move laterally within your environment to gain further access to your business systems. Real-time intelligence gives you a way to observe the beginning stages of an attack, when threat actors are performing reconnaissance on you as their target, or on your third-party networks.
    There are few useful recommendations on how to use tools to defend an organization at this stage. But solutions do exist! This blog seeks to discuss where, why and how these blind spots can be addressed using threat intelligence derived from external sources, and the strategic gains there for innovative security leaders to seize.

    Real-Time External Threat Intelligence Complements the MITRE ATT&CK Framework

    The MITRE ATT&CK framework is renowned for its adversarial approach to defense. It provides a structured process for understanding threat actors' tactics, techniques, and procedures (TTPs). It reveals their modus operandi, so analysts have a starting place to understand what tools, experience and knowledge they need to track down bad actors - both inside and beyond the perimeter. It enables security teams to fortify their defenses in the right areas and bridge capability gaps in others. Frameworks offer guidelines and essential attributes for threat detection, but they are not designed to guide security leaders on how to gain the visibility you need to better detect threats. Real-time threat intelligence fills this void, providing the crucial context to attribute attacks, track adversary behavior, and map their infrastructure. It is a vital source of intelligence and visibility that extends beyond boundaries to address evolving threats. It steps in and supports rapid threat analysis by offering a dynamic view of bad actors that may be targeting you, and acts as a single source of truth.

    The threat landscape demands innovative approaches that move beyond static data and reactive methodologies. Among the tools at a security leader's disposal are real-time threat intelligence and the MITRE ATT&CK framework. These two pillars of defense, though distinct in nature, can pave the way for a proactive cyber-defense strategy that enables a shift towards anticipating and defeating threats from adversaries.
    While the framework equips defenders with essential insights into a range of TTPs, you must independently learn how to create your own unique threat data and the playbooks that pivot off of it. When analysts can see infrastructure changes and trace communications with threat actor groups, they can find other victims of an attack and notify them of possible compromise. This type of threat reconnaissance is the primary way enterprise security teams can raise the cost of attack and make it less profitable for threat actors to target their organization.

    Actionable Insight: Embrace both external threat intelligence and the MITRE ATT&CK framework to equip cyber defenders with the visibility they need. It is the cornerstone of a proactive cyber defense that does not relegate defenders to reacting to events and chasing false positives and other resource-draining efforts.

    Close the Capability Gap for Proactive Defense with the MITRE ATT&CK Framework and Real-Time Threat Intelligence

    The MITRE ATT&CK framework lays the foundation for creating robust detection mechanisms and preparing for what can be expected when detecting and mitigating a threat. It doesn’t take long to notice that much of the model is focused on what occurs when an attacker is already in your network - what about when they are scanning your assets? Or when they have already compromised your network and are setting up staging servers to steal your data? Your internal network analysis and security tools are blind to this activity at this point in the attack - gaining external visibility of attacker activity is the difference between that data remaining in your possession and its being stolen. Up-to-date external threat intelligence has the potential to greatly enhance security across the board. By automating detection policies with data that analysts derive by tracking threat actor infrastructure, this can be applied across the entire MITRE model, i.e., before, during and after an attack.
    To achieve this, analysts need a real-time view of threat actor activities. These insights and the resulting additions to defense policies mean that analysts are not providing out-of-date information to block lists, ensuring defenses are optimized and effective. They are acting on what is happening now, ensuring that any updating of defense policies uses real-time data as it develops. Access to real-time information and visibility into threat actor movements enable analysts to build constructive views and learn about IOCs from an external threat perspective.

    Actionable Insight: Use the MITRE ATT&CK framework initially as a gap analysis tool. Not only does it call out adversary tactics, but it helps to inform where you may, or may not, have the visibility, tools, data, knowledge or resources that add value to your cyber defense. Allocate resources to invest in technologies that enable analysts to create actionable threat intelligence playbooks, promoting effective attribution and preventative tactics.

    How Visibility and Reconnaissance Pay Off in Countering Attacks

    A quick snapshot of the Reconnaissance column of the MITRE ATT&CK framework shows ten different reconnaissance techniques and more than 30 sub-techniques that a bad actor might employ in their reconnaissance effort to gather intelligence for a targeted attack. As a defender, the pre-compromise mitigations the framework suggests are minimal. Detection recommendations are relegated to anomaly-based analysis, known for high false-positive rates. It leaves little path for security leaders working towards enacting a proactive defense strategy and wanting to get ahead of attacks. When using threat intelligence based on internet telemetry, new possibilities open up to monitor malicious activity as it is happening. Analysts have a ground-zero current source of truth to observe attacker behavior and quickly decide if a suspicious IP should be further investigated.
    Visibility beyond the perimeter pays off in the latter stages of an attack by enabling analysts to anticipate what a threat actor is going to do next, and to specify proactive defenses to counter an attack. Creating visibility into the external threat landscape supports proactive defenses and high detection efficacy in the pre-compromise stage. This visibility is crucial to building a proactive defense strategy and addressing all stages of compromise using the framework. Aggressive efforts made in the pre-compromise stage of an attack can pay off in prevention during exfiltration. Suppose you use internet telemetry enriched with threat intelligence for visibility and reconnaissance in the pre-compromise stage. In that case, you already have the answers to block exfiltration proactively instead of relying on signature- or anomaly-based detection methods. It is a better way to address threats than using reactionary methods that lead to high false positive rates.

    Actionable Insight: Identify the visibility gaps that lie within the ‘Reconnaissance’ column of the MITRE ATT&CK framework. This will lead you to data sources that will help you better understand the threat actors that are reaching out to your own and third-party networks, including victims of ongoing attacks. It reveals their evolving tactics, and the changes they make to their infrastructure before another attack. External threat intelligence or internet telemetry are the only sources of knowledge and data that will fill the visibility gap for threat actors at the Reconnaissance stage of the model.

    Enhance Detection Capabilities with Actionable Insights

    Real-time, up-to-date external threat intelligence derived from internet telemetry has the potential to greatly enhance security across the board. By automating detection policies with data that analysts derive by tracking threat actor infrastructure, it can be applied across the entire MITRE model.
i.e., before, during and after an attack. To achieve this, analysts need to be able to observe attackers in real time view of threat actor activities. These insights and resulting additions to defense policies mean that analysts are not providing out-of-date information to block lists, ensuring defenses are optimized and effective with current information. They are acting on what is happening now, ensuring that any updating of defense policies uses real-time data as it develops. Access to real-time information and visibility into threat actor movements enable analysts to build constructive views and learn about IOCs from an external threat perspective. It's important to remember that the MITRE ATT&CK framework does not provide a complete answer to defense against attackers' tactics, techniques, and procedures and only offers suggestions for mitigation and detection. Bad actors constantly innovate, and a security leader's response must do the same. Let your analysts do more by tracing down attackers, making associations, and preempting an attack with reconnaissance-led intelligence that can actively block an attack. Once you enable visibility to internet telemetry and historical context, analysts are not just reacting to what is happening inside the network. This is foundational to enacting a proactive defense that turns the dynamics of the MITRE ATT&CK framework on its head and creates new areas for learning and preemptive defense. Actionable Insight: Allocate resources to invest in technologies that enable analysts to create actionable threat intelligence playbooks, promoting effective attribution and preventative tactics. Learn more about the threat vectors you should be considering for your Threat Model here Read our customer case study about the discoveries made when external Threat Intelligence is applied over a Threat Model. Mature threat intelligence teams add tangible financial business value and reduction of business risk. 
Learn more about how our customer gained success integrating real-time threat intelligence to enact a proactive defense that goes beyond the MITRE ATT&CK framework to offer pre-compromise defense.

Related posts:
  • Up the Ante on Supply Chain Security
  • Stop the Budget Drain of Dated Threat Intelligence
  • Don’t Inherit a Security Problem with M&A Activity
  • Automate Real-Time Intelligence and Increase Productivity... and Morale!
  • External Threat Hunting Prevents Data Breaches

  • Threat Modeling and Real-Time Intelligence - Part 1

    Keeping Security Teams at the Forefront of Proactive Defense

    Threat modeling is an integral part of security-by-design programs for applications, products, and services used by your organization that could be exploited by threat actors or suffer a software vulnerability. There are many different tools, methodologies (PASTA and STRIDE), and frameworks (OWASP and MITRE ATT&CK) to help security practitioners with threat modeling initiatives. Like the MITRE ATT&CK framework, threat models are adversary-focused, requiring analysts to have a hacker mindset. Think like your enemy. In a way, creating a threat model is comparable to authoring a "worst-case scenario" handbook specifically for defending against cybersecurity threats. And just as any disaster scenario needs a corresponding recovery plan, the time to prepare is now, not later, when it is too late. This blog series explores the relationship between threat intelligence and threat modeling to demonstrate how they strengthen an organization's security. We will discuss how threat intelligence informs adaptive threat models, merging strategic foresight with tactical preparedness to face evolving cyber threats.

    Threat Modeling Informed by Intelligence Is Vital for Security-by-Design Initiatives

    Threat modeling plays a vital role in security-by-design programs. Companies that need this level of security will analyze potential threats and vulnerabilities in applications, products, or services before they are brought to market. Security experts can identify weaknesses and create strong defenses against emerging risks by considering worst-case scenarios. However, the true power of threat modeling lies in applying threat intelligence to enable preemptive defenses. Real-time threat intelligence involves monitoring and analyzing threat actors, their motives, tactics, and the external threat landscape. It can be thought of as strategic reconnaissance in cybersecurity.
    It allows organizations to predict, adapt, and defend by identifying changes in adversary behavior. When companies take a proactive approach to defending critical business applications, they recognize the need for tools that build visibility into the threat actors operating in their geography and industry. This is where real-time threat intelligence and threat modeling step in to offer a preemptive defense strategy.

    Threat Modeling and Intelligence-Led Use Cases

    Threat modeling defends against potential cyber threats to applications, products, or online services. It is vital in identifying and addressing vulnerabilities and protecting digital assets from malicious actors. Integrating threat modeling into corporate initiatives early in development lays a secure foundation for product enhancements. Cyber threat modeling complements many different business initiatives and scenarios, and its versatility makes it applicable to a wide range of them, including:

    • Application Development and Design: Early-stage software and app development, to pinpoint design, architecture, and code vulnerabilities.
    • Critical Network Infrastructure: Assessing routers, firewalls, and switches to identify attack vectors and improve network security.
    • Cloud and Virtualization: Understanding the security implications of cloud and virtualization technologies and managing the risks.
    • IoT Devices: A vital component of secure IoT device design and communication protocols, especially in medical settings.
    • Critical Infrastructure: Digital transformation projects create risks that need threat modeling to build defenses that anticipate cyber threats.
    • E-commerce and Finance: Online platforms handling transactions and customer incentives need to build defenses against attacks that take into account seasonal impacts and changes to incentives and fulfillment partners.
    • Healthcare and Medical Devices: Connected patient healthcare and communications must be protected with built-in defenses.
    • Automotive and Transportation: Development of embedded defenses for secure connected vehicles.
    • Supply Chain Security: Assessing security risks with threat models that include the software supply chain partners used to deliver services and operate critical production systems and communications.
    • Incident Response: Simulating cyberattacks with threat modeling to develop response plans.
    • Government and Defense: Capturing nation-state actors' TTPs to build predictive defenses and proactive response.
    • Social Engineering: Improving awareness of social engineering cyberattacks with threat models that visualize a credential-based compromise.

    All of these will likely have internet-facing systems, or communications that traverse the internet, making external threat intelligence a key ingredient for their success and security.

    Create Preemptive Defenses Using Frameworks and Threat Models

    Security practitioners within enterprise organizations use tools, methodologies, and frameworks for comprehensive threat modeling. The PASTA and STRIDE methodologies and the OWASP and MITRE ATT&CK frameworks offer different approaches to modeling threat actor behavior and their tactics, techniques, and procedures. On the defensive side, many tactical workflows and processes use frameworks to anticipate attacks and devise built-in resiliency in case of compromise. Frameworks like OWASP (Open Web Application Security Project) and MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) provide resources for analysts to build a threat modeling practice. MITRE ATT&CK adopts an adversarial perspective, encouraging analysts to think like a hacker. Security experts can identify weaknesses and create strong defenses against emerging risks by considering worst-case scenarios.
    Start Early to Model Threats for New Applications and Changing Business Realities

    A good example of using these combined initiatives and maximizing their benefits is during the early stages of the Software Development Lifecycle (SDLC), before an application or new online service reaches production. It enables security analysts and developers to scrutinize every aspect of the application's architecture. This scrutiny proactively identifies inherent weaknesses and potential vulnerabilities that might otherwise go unnoticed. During this early phase, collaboration with the threat intelligence team becomes invaluable. These teams understand the evolving threat landscape, offering insights into threat actor behavior, tactics, techniques, and procedures (TTPs). By integrating threat intelligence into the threat modeling process, organizations can fortify their defenses and better align their security efforts with company business initiatives. Threat modeling is most effective when it adapts to changing environments. Security leaders help align threat models with evolving dynamics by establishing feedback loops for ongoing assessment with business counterparts. Dynamic factors, such as seasonal business variations and the introduction of new incentives, significantly change an application's risk profile and the type of attacks likely to occur. Our own research demonstrates that even your cyber adversaries have seasonal changes that affect when they are most likely to launch an attack against your organization. Business unit leaders play a pivotal role in these scenarios, as their insights can help align threat models with evolving commercial dynamics. Establishing a feedback loop between threat modeling, intelligence, and hunting teams and business units is instrumental in assessing ongoing application changes and the internal and external threat landscape. For instance, integrating third-party access via APIs or introducing new monetization strategies can dramatically alter an application's threat model by introducing new threat vectors. This adaptability ensures that threat models remain relevant and effective in the face of emerging challenges.

    Build Threat Models That Include Partners and Cloud Services

    Business transformation initiatives are a driving force in migrating to cloud services to speed up the launch of new applications and customer services. Third-party services available through APIs are another factor that spurs the adoption of cloud services and drives the availability of online customer services. Proactive defense of core applications critical to the business requires continuous monitoring and prioritization of CVEs, especially within vulnerable application development frameworks. Organizations must enact proactive security measures that allow analysts to quickly discover new applications, points of entry, and how new business partnerships will change their attack surface and influence business risk. This is critical in light of the software supply chain that makes up online customer services or other core functions you cannot do without. When analysts can operate with an outside-in view of your external attack surface that includes third parties and cloud services, they can better defend it. This level of visibility enables the creation of realistic threat models that consider the third parties that support your applications. As cybersecurity threats evolve, threat modeling emerges as an indispensable tool for organizations making strides toward a proactive security defense. Early examination of potential attack vectors and vulnerabilities using threat models empowers security practitioners to craft aggressive defenses when designing new services and products.
    By integrating threat intelligence and fostering collaboration across various teams, organizations can ensure their threat models remain relevant, agile, and capable of anticipating and mitigating emerging threats. The synergy between threat modeling, intelligence, and stakeholder involvement paves the way for a more secure and resilient digital future.

    Further Reading:
    • Learn more about the threat vectors you should be considering in your Threat Model here
    • Read our customer case study about the discoveries made when external Threat Intelligence is applied over a Threat Model.
    • Up the Ante on Supply Chain Security
    • Stop the Budget Drain of Dated Threat Intelligence
    • Don’t Inherit a Security Problem with M&A Activity
    • Automate Real-Time Intelligence and Increase Productivity... and Morale!
    • External Threat Hunting Prevents Data Breaches
