October 9, 2020 By Camille Singleton 5 min read

Rigorous intelligence assists clients in the critical moment — when an attacker is already on the network and defenders need to act swiftly before significant damage is done. Yet even when the critical moment is over, intelligence has a multiplying effect by injecting new information gained into platforms that inform incident response consultants, managed security clients, and consumers of data.

When intelligence on threat groups is used to defend clients’ networks and drive research, that acts as a force multiplier for organizations, strengthening their security posture with each new insight acquired.

IBM Security X-Force incident response and intelligence service analysts have observed many real-world threat groups. Read on to learn the value threat group intelligence brings to the table. Plus, explore some specific actions organizations can take to help defend themselves.

Cybersecurity Threat Intelligence in Action: MegaCortex

Last year, cybersecurity threat intelligence helped stop a MegaCortex ransomware attack before it was executed. In turn, this saved the client organization from damages that had the potential to stretch to $239 million or more. Several threat intelligence insights were able to provide a warning that the attackers were likely preparing for a ransomware attack, advising incident responders and the client to remain vigilant; the malicious actors could turn destructive if they suspected they had been detected. The possibility of these actors deploying ransomware — potentially within hours — was a real threat.

In the end, threat intelligence insight and preparation for the worst paid off. On a Saturday afternoon, the attacker uploaded MegaCortex ransomware and associated deployment tools to one of the compromised systems from which they were operating. Incident response quickly advised the organization that this activity was in progress and, together, we executed on our planned containment and eradication items. Intelligence research to map the attacker’s command and control infrastructure provided the client with IP addresses to block based on observed activity in their environment.

Use Intelligence Now and In The Future

This attempted attack shows how important robust intelligence capabilities can be for realizing a successful outcome in incident response. Knowing the attacker’s intentions, capabilities, next moves, command and control infrastructure, malware capabilities and indicators of compromise (IOCs) played a pivotal role in keeping the incident response team and the client on top.

In addition, the existence of an intelligence component in an incident response practice allows for ongoing research and awareness even after an engagement is over. In this case, the cybersecurity threat intelligence team has been able to warn additional organizations about MegaCortex attack techniques, such as malicious outbound communications, Cobalt Strike and lateral movement.

Identifying Other Ransomware Attack Patterns

In addition to MegaCortex, X-Force incident response teams have observed multiple ransomware attackers at work over the past several years — gathering intelligence and enhancing our response along the way. One common ransomware technique observed multiple times over the past year includes an initial compromise of a Citrix server — usually using previously stolen credentials — and then use of Powershell and Cobalt Strike in conjunction with lateral movement before eventual deployment of ransomware.

In two particular incidents, the malware, IOCs and other artifacts in these attacks were so similar that our team was able to quickly replicate our analysis and accelerate the timeline for remediating the second incident. This is an excellent example of the power of cybersecurity threat intelligence and how the understanding we gain from one incident immediately enhances our ability to analyze and remediate incidents involving similar techniques.

Tracking Hive0085

Cybersecurity threat intelligence teams should conduct extensive research on several cybercriminal groups using multiple tools and methods. IBM does this by investigating their malicious campaigns using a variety of open, enterprise and IBM tools and repositories, tracking sales and activities on the dark web, and using Quad9 to track malicious IPs and domains associated with threat groups we follow.

In one particular instance, IBM saw that a group tracked as Hive0085 revealed several command and control domains for a backdoor the group purchased on the dark web called ‘more_eggs.’ Using data available to IBM through Quad9, we noticed this C2 network was very active, suggesting the group was engaged in an ongoing campaign. We were able to use this information to alert the victim organization to an active campaign against their network. This in turn provided the organization’s team valuable time in identifying and having an opportunity to remediate activity from this group. The information we had cultivated over months of research and our proactive approach allowed us to provide timely, actionable intelligence for the company in a critical moment.

Teaching Cybersecurity Threat Intelligence In Your Business

Researching threat actors and their techniques provides us with a strong cross-section of insight into how these threat groups behave and the tactics they are most likely to employ. Here are some of the more common tactics, techniques and procedures we observe advanced persistent threat groups using. You’ll also find strategies to help combat these tactics and mitigate risk from these top-tier actors along with using a cybersecurity threat intelligence team.

Tactic, Technique or Procedure Risk Mitigation Recommendation
Spear phishing: Of the threat groups we track, nearly 84% use phishing as an infection vector. Of those, 64% appear to use it as their primary infection vector. Apply banners to emails coming from outside your company; use Quad9 to block activity from malicious domains; employ multifactor authentication; educate employees on the latest phishing techniques; and regularly test your organization to determine the likelihood of a successful phishing attack.
Watering hole attacks: Nearly 27% of the advanced persistent threat groups we track use watering hole techniques to conduct operations. Take measures to hide your organization’s online activities through the use of a virtual private network (VPN) or other measures; employ a robust patch management program to keep software up to date; and detect anomalous behavior through user behavior analytics or an intrusion prevention system.
Living off the Land: Multiple threat groups use tools inherent in an operating system, such as Powershell, adfind, autorun registry entries, RemoteExec, WinRAR, WMI, scheduled tasks and others. Use an application inventory to find unpatched or outdated applications; employ a robust endpoint detection and response (EDR) tool; monitor for typical commands threat actors use to execute Powershell; and use threat hunting to proactively identify threats in your network.
Zero-day exploits: At least 23% of the threat groups we track are known to use zero-day exploits to compromise victims. Analyze user behavior to detect anomalous behavior resulting from a zero-day exploit and stay up to date on new vulnerabilities and patches to mitigate the risk from a vulnerability once it is detected.
Scroll to view full table

Embedding Intelligence Into Security

Organizations can integrate threat intelligence into risk management models to consider likely threat actors, infection methods and likely impacts. Understanding probable adversaries enables an organization to prioritize the hardening of assets by identifying threat sources and threat events with up-to-date information about threat groups’ tactics. In addition, threat intelligence can be incorporated into incident response plans and used to inform senior leaders and board members about key threats to an organization.

There are several ways companies can request custom cybersecurity threat intelligence research and analysis. First, a strategic threat assessment can provide customized cybersecurity threat intelligence for one organization or as part of an incident response retainer, in addition to intelligence accessed through data sharing platforms such as TruSTAR. Having knowledge of threat groups, their motivations and their capabilities can act as a force multiplier during an engagement, improving your security team’s effectiveness today and tomorrow.

More from Threat Intelligence

Stealthy WailingCrab Malware misuses MQTT Messaging Protocol

14 min read - This article was made possible thanks to the hard work of writer Charlotte Hammond and contributions from Ole Villadsen and Kat Metrick. IBM X-Force researchers have been tracking developments to the WailingCrab malware family, in particular, those relating to its C2 communication mechanisms, which include misusing the Internet-of-Things (IoT) messaging protocol MQTT. WailingCrab, also known as WikiLoader, is a sophisticated, multi-component malware delivered almost exclusively by an initial access broker that X-Force tracks as Hive0133, which overlaps with TA544. WailingCrab…

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today