How Cybersecurity Threat Intelligence Teams Spot Attacks Before They Start

October 9, 2020
| |
3 min read

Rigorous intelligence assists clients in the critical moment — when an attacker is already on the network and defenders need to act swiftly before significant damage is done. Yet even when the critical moment is over, intelligence has a multiplying effect by injecting new information gained into platforms that inform incident response consultants, managed security clients, and consumers of data.

When intelligence on threat groups is used to defend clients’ networks and drive research, that acts as a force multiplier for organizations, strengthening their security posture with each new insight acquired.

IBM Security X-Force incident response and intelligence service analysts have observed many real-world threat groups. Read on to learn the value threat group intelligence brings to the table. Plus, explore some specific actions organizations can take to help defend themselves.

Cybersecurity Threat Intelligence in Action: MegaCortex

Last year, cybersecurity threat intelligence helped stop a MegaCortex ransomware attack before it was executed. In turn, this saved the client organization from damages that had the potential to stretch to $239 million or more. Several threat intelligence insights were able to provide a warning that the attackers were likely preparing for a ransomware attack, advising incident responders and the client to remain vigilant; the malicious actors could turn destructive if they suspected they had been detected. The possibility of these actors deploying ransomware — potentially within hours — was a real threat.

In the end, threat intelligence insight and preparation for the worst paid off. On a Saturday afternoon, the attacker uploaded MegaCortex ransomware and associated deployment tools to one of the compromised systems from which they were operating. Incident response quickly advised the organization that this activity was in progress and, together, we executed on our planned containment and eradication items. Intelligence research to map the attacker’s command and control infrastructure provided the client with IP addresses to block based on observed activity in their environment.

Use Intelligence Now and In The Future

This attempted attack shows how important robust intelligence capabilities can be for realizing a successful outcome in incident response. Knowing the attacker’s intentions, capabilities, next moves, command and control infrastructure, malware capabilities and indicators of compromise (IOCs) played a pivotal role in keeping the incident response team and the client on top.

In addition, the existence of an intelligence component in an incident response practice allows for ongoing research and awareness even after an engagement is over. In this case, the cybersecurity threat intelligence team has been able to warn additional organizations about MegaCortex attack techniques, such as malicious outbound communications, Cobalt Strike and lateral movement.

Identifying Other Ransomware Attack Patterns

In addition to MegaCortex, X-Force incident response teams have observed multiple ransomware attackers at work over the past several years — gathering intelligence and enhancing our response along the way. One common ransomware technique observed multiple times over the past year includes an initial compromise of a Citrix server — usually using previously stolen credentials — and then use of Powershell and Cobalt Strike in conjunction with lateral movement before eventual deployment of ransomware.

In two particular incidents, the malware, IOCs and other artifacts in these attacks were so similar that our team was able to quickly replicate our analysis and accelerate the timeline for remediating the second incident. This is an excellent example of the power of cybersecurity threat intelligence and how the understanding we gain from one incident immediately enhances our ability to analyze and remediate incidents involving similar techniques.

Tracking Hive0085

Cybersecurity threat intelligence teams should conduct extensive research on several cybercriminal groups using multiple tools and methods. IBM does this by investigating their malicious campaigns using a variety of open, enterprise and IBM tools and repositories, tracking sales and activities on the dark web, and using Quad9 to track malicious IPs and domains associated with threat groups we follow.

In one particular instance, IBM saw that a group tracked as Hive0085 revealed several command and control domains for a backdoor the group purchased on the dark web called ‘more_eggs.’ Using data available to IBM through Quad9, we noticed this C2 network was very active, suggesting the group was engaged in an ongoing campaign. We were able to use this information to alert the victim organization to an active campaign against their network. This in turn provided the organization’s team valuable time in identifying and having an opportunity to remediate activity from this group. The information we had cultivated over months of research and our proactive approach allowed us to provide timely, actionable intelligence for the company in a critical moment.

Teaching Cybersecurity Threat Intelligence In Your Business

Researching threat actors and their techniques provides us with a strong cross-section of insight into how these threat groups behave and the tactics they are most likely to employ. Here are some of the more common tactics, techniques and procedures we observe advanced persistent threat groups using. You’ll also find strategies to help combat these tactics and mitigate risk from these top-tier actors along with using a cybersecurity threat intelligence team.

Tactic, Technique or Procedure Risk Mitigation Recommendation
Spear phishing: Of the threat groups we track, nearly 84% use phishing as an infection vector. Of those, 64% appear to use it as their primary infection vector. Apply banners to emails coming from outside your company; use Quad9 to block activity from malicious domains; employ multifactor authentication; educate employees on the latest phishing techniques; and regularly test your organization to determine the likelihood of a successful phishing attack.
Watering hole attacks: Nearly 27% of the advanced persistent threat groups we track use watering hole techniques to conduct operations. Take measures to hide your organization’s online activities through the use of a virtual private network (VPN) or other measures; employ a robust patch management program to keep software up to date; and detect anomalous behavior through user behavior analytics or an intrusion prevention system.
Living off the Land: Multiple threat groups use tools inherent in an operating system, such as Powershell, adfind, autorun registry entries, RemoteExec, WinRAR, WMI, scheduled tasks and others. Use an application inventory to find unpatched or outdated applications; employ a robust endpoint detection and response (EDR) tool; monitor for typical commands threat actors use to execute Powershell; and use threat hunting to proactively identify threats in your network.
Zero-day exploits: At least 23% of the threat groups we track are known to use zero-day exploits to compromise victims. Analyze user behavior to detect anomalous behavior resulting from a zero-day exploit and stay up to date on new vulnerabilities and patches to mitigate the risk from a vulnerability once it is detected.

Embedding Intelligence Into Security

Organizations can integrate threat intelligence into risk management models to consider likely threat actors, infection methods and likely impacts. Understanding probable adversaries enables an organization to prioritize the hardening of assets by identifying threat sources and threat events with up-to-date information about threat groups’ tactics. In addition, threat intelligence can be incorporated into incident response plans and used to inform senior leaders and board members about key threats to an organization.

There are several ways companies can request custom cybersecurity threat intelligence research and analysis. First, a strategic threat assessment can provide customized cybersecurity threat intelligence for one organization or as part of an incident response retainer, in addition to intelligence accessed through data sharing platforms such as TruSTAR. Having knowledge of threat groups, their motivations and their capabilities can act as a force multiplier during an engagement, improving your security team’s effectiveness today and tomorrow.

Camille Singleton
X-Force IRIS Global Security Intelligence Analyst

Camille Singleton brings thirteen years of professional experience to cyber security topics, both in the US government and as an analyst at IBM. She speciali...
read more