Predicting Emerging Threats to Evolve your Threat Hunting Strategy

Transcript
DOV LERNER: Thank you very much.
How's everyone doing? OK, so let's jump into it.
First some introductions.
These are all of our speakers here today on the webinar.
Just some background about myself.
My name is Dov Lerner.
I am security research lead at Cybersixgill.
My focus is the deep and dark web.
What do we see in deep and dark web intelligence? How do we actually use this intelligence, consume it, and process it in order to protect our organizations?
So first of all, let's look at what Cybersixgill observes in a single minute.
That's I think a very important place to start, because there is so much that's happening on the deep and dark web.
We're collecting roughly six to seven million intelligence items every single day.
That's posts, replies, data breaches, chats on Telegram, mentions of CVEs and exploits, IP addresses, malware links.
This is a tremendous amount of intelligence.
So how does someone go from that huge volume, which frankly is intimidating, just how much there is out there, and bring it into a digestible form that they can use?
Actionability, I'd say, is one of the main challenges with intelligence in general.
So I'll just briefly mention all of our solutions.
So first, Cybersixgill offers Darkfeed, and this is available through ThreatStream.
And this is a stream of malicious IOCs.
IOCs obviously have a very easy use case.
You take the IOCs, you block them, and the IOCs are uniquely sourced from the deep and dark web, and I'll explain in a minute why they're special.
What we actually see in the deep and dark web.
We also have an investigative portal, where you're able to search all of our posts, our collection.
It's really a choose-your-own-adventure type model: you can monitor your assets, you can understand what actors are saying in the deep and dark web, what the emerging threats are.
And lastly, we have our dynamic vulnerability and exploit scoring system.
And that's a system where you can actually understand what's going on with CVEs.
We give a unique score to CVEs based on the level of chatter about them.
So very often the latest, greatest CVE that all of the researchers are talking about doesn't really get much attention from threat actors, because they don't know how to exploit it.
Versus a CVE from 2016 might have a new exploit going around on the underground, and that could be a genuine threat.
So this is the full menu of options that we have, but let's focus on Darkfeed, which is this feed of malicious IOCs.
All right, so again, what kind of IOCs do we see on the deep and dark web? It's a straightforward question, but I think it's an important one, because some telemetry feeds are looking at thousands, millions of IOCs every single day; they're looking at their sources of data.
But what dark web actors are sharing IOCs? How do we get a hash or a malicious domain or something from looking at the deep and dark web? I'd like to present four scenarios where these are basically a supply chain of malicious tools and infrastructure.
That's what's happening on the deep and dark web.
Scenario number one, a threat actor creates malware, right? So a threat actor will-- malware happens all the time.
Now any actor can obviously use the malware that they're creating, or they can distribute it.
They can sell it on the deep and dark web to make some money.
It's an economy where they're specializing in different things, and now someone can sell it.
And then a third party can purchase the malware or download it, and use it for however they want.
Simple scenario.
Number two, a threat actor can compromise a domain infrastructure.
So again, I've established shell access to a target domain.
Again, if this actor wants, they can use it however they want.
They can abuse it, or they can basically sell the access to the compromised domain on the dark web.
There are plenty of access markets; they get a lot of attention, rightfully so, I believe.
And then anyone who has the access to the domain, right? So again, it's like I can either break into the bank myself, or I can share my secret of how I can break into the bank, and now someone else can do that with this domain: upload a C&C server, phishing page, or malware server.
Next scenario, a threat actor can register a domain name.
Now OK, anyone's able to register a domain name, totally legitimate.
But if a domain is being sold on the deep and dark web, it's a little bit of a problem, because now anyone can use it for whatever they want.
And so then the third party can weaponize it; they can put up a command and control server, phishing page, or malware server.
Again, these are all straightforward scenarios.
And the last one is cracking an RDP connection.
A threat actor can use it however they want, or they can distribute those credentials on the deep and dark web, and now anyone can use the compromised RDP for a command and control server, phishing page, malware server, proxy.
And all of these are things that we see all the time.
Now here's the kicker.
When the third party takes the compromised infrastructure and weaponizes it, and then they deploy the attack.
So a traditional TI solution is going to catch it over here, right? Traditional telemetry-based solutions, which work great, and I'm not knocking them at all.
But they're looking at something else.
They're looking at a different vector, and so they're going to catch it when the attack is deployed, because that's where they're sitting, on the gateways and the endpoints.
But Darkfeed is going to catch it over here, because Darkfeed is looking at this infrastructure exchanging hands on the deep and dark web.
And therefore we're looking at how things develop, at the stage of compromise, but not the stage of weaponization.
And so we're shifting left, we're looking at things earlier, and obviously alerting to IOCs and attacks earlier, before they turn into weaponized, deployed attacks.
And obviously there's no need to explain why earlier prevention is more important than detection.
Here's an example: the domain for this Canadian tour bus company, goldenarrowtourbus.com, has been compromised.
A web shell for this domain is being sold on a dark web market, right? So this is Golden Arrow Coaches; you can see their website.
It looks like a beautiful place to travel, in the Western Canadian Rockies; never been there.
It's a tour bus company; they probably don't understand that they should be protecting their site with HTTPS, you can see it's not secure.
And someone has indeed popped a shell on the site, and they're selling it for $10; anyone can now access this site.
So this is what it will look like in Darkfeed.
We have the domain, we have some contextual information.
So people can understand what exactly we're dealing with, right? It's a compromised domain and everything.
Now here's the proof that this domain is compromised.
Someone's put up this gambling page, right? goldenarrowtravellers.com/onlineslotsaristocrat.
This is clearly not at all related to the tour bus company; someone's put up this gambling page because the domain is vulnerable and anyone can use the infrastructure however they want.
And just as we found this gambling page here, we can also find other items, probably, that are more malicious, but clearly you want to block this for your organization.
You don't want someone registering for a bus trip to go to this site, and then who knows what else is there.
So that is that.
So that explains in a nutshell the things that we're finding all the time in the deep and dark web, and again, automatically producing this into our feed.
But now let's look at an example that we're going to focus on today, Cobalt Strike.
So this is a scenario that we saw several months ago.
In one hacking forum, an actor shared a new build of Cobalt Strike, allegedly by compiling the source code that was cracked.
It was shared on a Chinese-language forum on August 26th.
So this is September 2nd that it's being shared, so about a week and a half later.
And the actor posted the file to Anonfiles, and Anonfiles is an underground file sharing site, so the Dropbox or Google Drive of the dark web.
And so anyone can now download the source code and use it.
So this post doesn't look like something that would ring the alarm bells, press the big red button, and stop everything, but it is.
This is a very, very serious intelligence item.
Why is that? Let's zoom out a bit.
Cobalt Strike is a popular commercial tool, for anyone that's unaware.
It's used in penetration testing to emulate a breach or malware attack.
It's also often deployed by threat actors for malicious ends.
Again, this is something that's just penetration tests versus a hacking attack; it's just a matter of attention.
I mean, sorry, permission, right? If someone has the permission to try to enter an organization's network, then it's a pen test; if someone doesn't, it's a hacking attack.
And because Cobalt Strike is a commercially developed tool, right? This is a tool where actual programmers are getting paid money to plan, develop, QA, and produce this software.
And it's very, very highly functional, and so attackers are going to use it.
Cobalt Strike has stealthy techniques and abilities to execute in memory or fileless execution, adjustable C&C communication with covert channels, and it has extended attack capabilities and techniques, and it has scripting integration.
So basically this is a Swiss army knife, and nuclear weapon all in one.
So anyone using this tool for a hacking attack has all they need.
If I'm an attacker, if I can get Cobalt, right? So Cobalt Strike generally costs a lot of money.
So clearly more advanced groups are going to pay for it.
But if I'm not going to pay for it, and I just want to use it...
This is a gift.
I'm going to be very excited, because I'm not going to have to code anything myself.
I'm just going to use a Cobalt Strike builder that I find on the underground.
So back to our scenario: on the same thread, another actor shared a VirusTotal scan of this URL, and they're showing that it was OK, it wasn't malicious.
What does that mean? Well, we have to understand now, this is a good lesson about the underground.
Deep and dark web actors aren't stupid.
They understand that if someone shares a file, someone shares an executable in an underground forum...
Don't just download it and run it, right? You're going to be-- just because someone says this is Cobalt Strike doesn't mean that it's not something else.
Maybe there's a Trojan embedded in it, so that the person who shared it now has access to all the systems of all the people that downloaded it, right? So that's something that actors are aware of and savvy about.
And so someone basically scanned this file on VirusTotal.
So they're saying, hey, yeah, I downloaded this Cobalt Strike build; everyone else that's paying attention to this thread, just keep in mind it looks good.
It looks legitimate.
So basically what they're doing is-- this is a zero trust environment on the deep and dark web.
The actors know this, and they're now trying to prove this.
They're trying to share that.
Now, for us, when an actor is sharing the VirusTotal scan of something, the SHA-256 is in the scan.
So here you can see this beginning 97 DV, and I'm not going to read the rest of the number.
That is the SHA-256 for this build of Cobalt Strike.
Why is that good? Because now we have the hash and now we can publish this hash to our feed.
By the way, another scenario with a VirusTotal scan is the actor himself, the one that shared this-- any malware or tool or whatever on the deep and dark web.
If an actor is selling something, they'll often share the VirusTotal scan to show that it's undetected.
Why is that? Because if I'm producing malware and I'm trying to sell it, or this is a good-quality malware...
I want to show that the AV vendors are not detecting my malware as malicious.
So you can use it without being detected, right? Makes sense, because if I'm selling something and it lights up on VirusTotal and everyone thinks that it's malicious, then no one's going to use it.
It's not worthwhile.
So again, sharing VirusTotal scans and extracting from those links is something that we do a lot, and to, I would say, very good success; we find a lot of stuff that no one else finds.
And here's an example: as of a few weeks after this was shared, this is called CobaltStrike.exe, right? This could not be more obvious, and here's what it looks like; VirusTotal has zero detections.
That is-- obviously, just because something has zero detections on VirusTotal doesn't mean it's not malicious.
This is Cobalt Strike; this needs to be blocked by any organization.
No one should be running Cobalt Strike on a network, it goes without saying.
And also we found other things.
We found that, actually, now that we have the hash, we searched this hash and found it on a different forum.
So we don't have just a hash, right? If you have an IOC feed, and the IOC feed has hashes in it...
So OK, you block the hashes, but that's not-- it's not anything interesting; that doesn't explain what happened.
You need some sort of context, so we have context here, right? We found not just a malicious hash for a very powerful, dangerous hacking tool, but we uncovered a story. And what's the story? The story ultimately reflects the speed at which the underground moves, and this is it, right? Source code shared on a Chinese-speaking forum, right? So everyone in this forum is speaking Chinese, but someone sees it, right? An English-speaking actor, so it shows that these dark web forums and markets are not operating in a vacuum separate from one another.
It's a community of communities.
And just because everyone on this forum is Chinese, and someone else who is English-speaking, or someone from the Chinese-speaking forum was active on an English forum, whatever it is, it hopped over.
And they compiled the source code, right? So they start from just the raw source code, but someone has compiled it, turned it into an executable, on two separate forums.
The executable was then shared, and then who knows how many people downloaded it and used it, right? So this all happened in a matter of weeks.
The underground moves very, very quickly.
Actors always are in conversation with one another, sharing TTPs, sharing ideas, sharing malicious infrastructure, and hacking tools.
And that is fast, and the only way to counter this is to be just as agile on defense, right? If you have an agile program that's taking in the threat intelligence, and actually immediately closing that loop in a very meaningful way, and being able to pivot and-- well, hold off and defend against every attack, that would be better.
But if defenders are slow, if defenders take a long time to respond, then the dark web is going to move much faster, and these actors are going to move much faster.
So I'd say now I'm going to pass this off to Luke, because this is really where we're going to hop over from the intelligence collection side to Luke showing us now what to do with this.
So I will stop sharing my screen, and hand it over.
Or should I stop for questions first?
I think--
KASH SHARMA: Thank you very much, Dov, for a great presentation.
I can say that we've got some good feedback coming through our chat window.
I would like to remind our audience that you can still participate in the Q&A at any time by submitting your questions in the Q&A window at the bottom of your screen.
I would like to now introduce you to Luke Amery, who is a solutions architect at Anomali. Luke, over to you.
LUKE AMERY: Hey, guys, is that coming through clearly?
DOV LERNER: It is.
Thank you.
LUKE AMERY: Yes, OK.
So thanks, Dov.
That was a really interesting insight into the intelligence gathering, collection side of things.
So briefly, I just want to introduce myself first: I've been a cybersecurity professional for about a decade now.
I somewhat recently joined Anomali.
Basically, I couldn't stop reading cyber threat intel blog posts and articles and so forth for the last 10 years.
So it just seemed to be a natural place to come and work.
So if you're not familiar with what Anomali is and what we do, Anomali provides a threat intelligence platform which enables you to ingest a wide variety of cyber threat intel in various forms.
You can then curate that, enrich it, and investigate that before operationalizing that in various ways into your environment.
So shortly I'd like to continue the discussion around Cobalt Strike that was started by Dov, but also put that into a bit more of a combined solution between the Cybersixgill Darkfeed and the Anomali platform.
And how they can be utilized together to achieve some strategic outcomes for the CTI program.
But before I do that, I just want to jump into some of the fundamentals of cyber threat intelligence, and what is appropriate.
What is required at an organizational level to obtain any value from that? So there's a thought attributed to Lewis Carroll that goes something along the lines of: if you don't know where you're going, then all roads will lead you there.
So this is true and relevant to any project or endeavor we undertake in our personal lives.
And basically it's summarized as: if you don't have an objective and a strategic plan, then you're never going to get anywhere.
I feel this is something that needs to be pointed out in the realm of CTI, and the use of cyber threat intelligence.
Because it is a critical differentiator between programs that effectively utilize cyber threat intelligence and those that fall short.
So what exactly is intelligence, and what are the different types of intelligence and how do we interpret that? So there are a lot of different interpretations and definitions of what cyber threat intelligence is.
And you can find some that have been defined by Gartner, by SANS, by NIST, but they all have a variety of things in common.
So within the context of cyber threat intel, it is some form of knowledge around existing or emerging threats that has been processed, analyzed, collated, contextualized, et cetera.
Formatted appropriately for use, so it's in a form that can actually be consumed, and most importantly, it should be able to be used in a way that informs decision making and action.
So there are three fundamentals that we look at when we consider what CTI is.
Is it timely, or does it arrive in time to inform decision making? Is it actionable? Is there enough detail and context to allow a decision maker to take action, and does it exist in a format that can be used? For example, if you're putting indicators into a firewall or an endpoint for blocking, or if you want to look at adversary techniques that influence a CISO's spending.
And lastly, it needs to be relevant.
It needs to be aligned to the objectives of the consumer of the intelligence.
And probably this final point is often overlooked in a lot of organizational-level attempts to influence CTI.
Namely just how relevant is a particular threat to your organization.
And if you can answer that question in the context of your business operations, you're in a good way to actually achieving a successful program.
An example of how that comes into play is if you have an actor that's known to target mobile banking applications within the financial services industry, then that may not necessarily be relevant if you're a gas or water utility, and vice versa.
So another thing to look at is that we have different levels of intelligence, from tactical to strategic.
And this governs the operational level of the various uses of CTI, and also dictates which stakeholders you need to engage and what conversations you would have with them.
So if you're an analyst, and you understand the three different types of intelligence from tactical to strategic, then you're better able to determine what solutions to use and how to operationalize them, and also how to proactively respond to threats.
So if we think of tactical intelligence, tactical threat intelligence is the most basic form of threat intel.
Which consists of common indicators of compromise, typically used on a day-to-day basis for machine-to-machine detection of threats and by incident responders to search for specific artifacts in enterprise networks and so forth.
One second.
So operational threat intelligence provides a degree of insight into actor methodologies and exposes potential risks.
It's the basis for some form of meaningful detection, interpretation, and response.
So it sits above the level of tactical intelligence, and looks at the tools, tactics, techniques, procedures, et cetera that might be being used by an adversary.
So if you're responding to an intrusion event, you might be wondering how a particular actor performs privilege escalation and lateral movement or data theft; then this is an operational level of threat intelligence.
Whatever the scenario, it's generally a good idea if you can get operational threat intel; it allows you to answer questions such as, how do you search for this specific actor within your environment?
And lastly, we have strategic threat intelligence.
This provides a big picture look at how threats and attacks are changing over time.
So it allows us to identify historical trends, motivations, attributions as to who is behind an attack.
It's knowing about the who and the why of your adversaries, and it also provides clues into their future operations and tactics.
So we can in some way utilize strategic threat intel to make predictions about what future threats we might encounter, and it's also a solid starting point for deciding what defensive measures are going to be most effective.
So jumping on.
So part of the confusion around what intelligence is is sometimes due to the overuse of the term within the industry.
So often we see raw data or the output of research or even just uncurated threat feeds being referred to as intelligence when it may not truly fulfill the definition that we put forward before.
But a helpful way to interpret what is and isn't intelligence is to consider the process by which some form of raw data gets processed and analyzed, and then transformed into Intel.
So if you look at this slide as an example, what we can do is we start with raw data, which is data or information that's been collected but not processed or evaluated.
For example, a repository of raw log data on a syslog server or some other logging platform.
Data, as a term I'm using at least for this slide, is basically when we process that data and evaluate the potential usefulness of sources.
So this is where you would look at different log sources, and determine whether they are of value in a threat intel program.
You might consider a sort of curated open source intel here to be raw data, and other forms of that might be a firewall log, which might identify-- it might be deemed as useful or containing potential threat intel.
Raw intelligence is basically data that's being evaluated with that context to make a final assessment on what that data is.
So we have some context around the information that's coming in.
We know that it might be a security alert appearing on a SIEM, while there might be file hashes from a malware feed.
But we need to actually apply an additional degree of context before this actually becomes finished intelligence.
So the third part-- I'm sorry, the fourth part is the finished intelligence; this is when we apply some form of human reasoning and judgment to the raw intelligence that we received in the previous step.
And looking at it through the organizational lens to provide some form of specific context to what we're seeing.
So if we think of intelligence as going through that process, it really makes you appreciate the difference between what raw data and raw intelligence and true intelligence actually are.
So in terms of operationalizing this, hopefully some of you are familiar with the cyber threat intelligence lifecycle.
I'm not going to dwell too much on the details around this, but effectively the five key phases of this consist of: the planning and direction phase.
This is the key phase I'm going to dwell on a little bit on the next slide.
But this is where we identify the stakeholders, define the operational environment.
We look at what decision makers need to be engaged, and then we codify this into some form of prioritized intelligence requirements.
So you can think of the planning and direction phase as analogous to a business plan.
You wouldn't launch into a business without a business plan, and likewise, you wouldn't launch a CTI program without having some form of planning and direction.
And then we look at collection.
So this is the collection and gathering of any possible form of data, and processing that.
Typically the data that's collected will be data that's identified in the previous phase, and this also includes the evaluation of this data to confirm whether it's useful or whether it's relevant.
The next step is around analysis and production.
So this is when we put some form of organizational or specific context to the data and the information obtained in the previous phases.
Typically this consists of threat research, indicator expansion, pivoting on indicators and written intel conclusions or other forms of documentation.
So another step is reviewing and validating the intel gathered and formatting it for distribution.
So this last point is sometimes overlooked, because intel doesn't just exist in the form of indicators that need to get pushed out to multiple devices.
It can exist in the form of threat bulletins or documentation or alerts that need to be distributed to various stakeholders.
And lastly, the final phase is distributing this intel to decision makers and actively engaging them to get feedback on whether this is valuable or useful.
So if we focus on the planning and direction phase, bringing it back to: all roads lead nowhere if you don't know where you're going.
Basically, as a stakeholder, ask yourself a variety of questions around what you're actually trying to achieve.
So first, understanding the business: what is the mission of the organization?
What is the mission of individual stakeholders, which industry and sector do we operate in, and what assets do you need to protect?
That gives you some idea of what your operating environment is.
And then correlate that with what threat actors are interested in, or are known to operate within that industry or sector.
And look at what actors are known for targeting that area and so forth.
So if you factor in a lot of these, it will actually allow you to introduce a much more prioritized and much more targeted direction and strategy for the plan.
Jumping into the Anomali platform now.
So the Anomali threat intelligence platform, as I mentioned before, allows you to ingest a wide variety of intelligence at the tactical level and the strategic level as well, in which case it can be managed, curated, investigated, and then published for internal consumption, or it could be pushed out to various systems within your environment.
Now one of the ways that we support the planning and direction phase of the cyber intelligence lifecycle is with what we call intelligence initiatives.
So these allow the business to focus upon one particular area that's aligned to the priority intelligence initiatives, whether it's domain monitoring, adversary monitoring, which particular adversaries are active in your environment-- active in your sector.
And it allows you to focus all of the threat intel you've gathered in that space.
What other work and investigations you've incorporated into that, and track the metrics of the organization aligned to that.
So now, if we start looking into basically taking off from where Dov left off around Cobalt Strike.
Cybersixgill provides a threat intelligence stream into Anomali through Darkfeed, so this comes in the form of a preconfigured connector between the Anomali platform and the Cybersixgill threat intel feed.
So there's no need to actually go out and perform any of the configuration or the logistical activities associated with operationalizing that or ingesting that into your environment.
It just basically gets turned on; as long as you've got the license for Cybersixgill Darkfeed, it can be enabled.
And we can see here some of the indicators that have actually come out of that feed.
So we have a few compromised domains, some malware file hashes, malware C&C IPs, and so forth.
Now, one way to actually put some context around what these are is looking into a specific IOC.
So what I'm looking at here is the same hash that Dov showed for the Cobalt Strike.
Let's see.
And this provides all the contextual information that Anomali knows about this, which mostly has come from the Cybersixgill feed, but then I've added a little bit more information in there through the associations in the platform.
But firstly, if we look at how Anomali will present the data from Cybersixgill.
Each indicator comes with a confidence, and that is us assessing how malicious this particular indicator is, or how confident we are that this is a malicious indicator.
A rating of 80 is a very solid indication that this is malicious, and you would therefore use that as part of your defensive strategy.
We also categorize these based on the different itypes.
There's about 130 different itypes in the platform.
So a file hash can take many different forms, like an IP address can also take many different forms, depending on whether it's a C&C IP address or a server or so forth.
So this actually specifies that the file hash is known to be a malware file.
You can see here there are various tags that have been automatically applied; some of these have been defined by Sixgill themselves.
But also what I've actually done here is a quick search of this hash through the Anomali threat intel platform to see if there's any other associated information about this.
And we can see that there is a threat actor group here called Ghost Security Group that is known to be using that.
So as Dov mentioned before, we also pull in VirusTotal information about any hash as this comes through, in the form of an enrichment.
So an enrichment is just additional information to provide various forms of context around indicators and threat intelligence.
And we can see here that the detection ratio is quite low.
So this was put in just recently, and even though the file is reasonably old, it still hasn't been detected by many of the vendors on VirusTotal.
So now one of the things we can do on the threat intelligence platform is pull that indicator into what's called an investigation.
So this is where we want to expand out, and learn as much as we possibly can about this particular indicator.
And see if we can extract any form of tactical, operational Intel.
Sorry, Anything more than just the tactical level of intelligence from this.
So indicators the hash file that's tactical what do we know that's operational or strategic.
So with a right click on the indicator itself, you can actually drill down, and search through known associations in the platform and we search for actors here.
What we actually find is that there are several actors that have been known to use this specific cache.
The first one that came up was the ghost security group.
Now we've also been able to expand upon the ghost security group and say, well what else do we know about that particular actor.
We've got attack patterns here, which are mapped to the Mitre ATT&CK TTPs.
We also got threat bulletins.
So a threat bulletin is a form of finished Intel, which is a short form report of a particular security incident or a piece of threat intelligence that might be of note or use.
So if we drill down on the actual actor itself we can get a little bit more context around the address that we're facing.
So some of the tags here have been applied automatically, and you can also apply your tags.
So that we can see that this Ghost Security Group is targeting certain industries.
So financial services, civilian government, high tech.
We can look at the threat actor types.
So these are activist hackers, these are their motivations as well, and we get a bit of an understanding of who these guys are and what they might be doing.
So now we've done that, we can drill down and learn a bit more about this.
So what other reports exist about this particular threat actor.
We could look into the threat actor, sorry, the threat bulletins here, and you can see there's various reports from various sources that provide more context.
And we can also look at the operational level intel.
These are the specific TTPs that Ghost Security Group has used.
So as a result of this investigation, just from pivoting off a hash, we now have an understanding of a particular actor group that might be using that, and we have an understanding of the behaviors that they exhibit and how we may be able to protect ourselves from them.
So the next step from here is where we take the information that's available in the TIP.
And we overlay that onto the MITRE ATT&CK framework.
So as you can see here these are the various stages of the MITRE ATT&CK lifecycle, and the different colors highlight the number of times that these particular techniques and sub-techniques have actually been used by this particular actor group.
So it gives you an indication of the areas that you would need to invest in to adopt a preventative posture.
So drilling this down a little bit more.
So if you were to right click on one of these items you can see here that the attack pattern and the specific TTPs are described here.
But any entities that we know that are linked to this technique are highlighted down here as well.
So this is where we join the dots on the actors and the TTPs. So once we've done that level of investigation we might be interested in expanding that a little bit further, and just basically looking at, well, who else is potentially using Cobalt Strike.
In this particular case, I've just gone back into our threat model database, done a quick search for any instances of Cobalt, and come up with three different actors.
We see Cobalt Gypsy, Cobalt Group, EmpireMonkey.
Now if you were to investigate those you might decide that tracking those adversaries is relevant to your organizational activities, and it's just simply a matter of right clicking and adding that into the existing investigation that we created earlier.
And then we can now build out a much more comprehensive map based on that initial file hash that came through from Sixgill around various groups.
So we have Ghost Security Group, Cobalt Gypsy, Cobalt Group.
And then through expanding and enriching from those-- pivoting off those sources we can find that there's a whole bunch more TTPs, domains, indicators, and so forth that we can associate with those.
Now what does that mean? Well, when we map all of those three actors across the MITRE ATT&CK framework you can see now that there is a larger number of techniques that are being used, and we can now invest-- make a more targeted investment in our preventative posture.
So tying this all back into the intelligence initiatives, which link to prioritized intel requirements.
You can see back here in the investigation there's a dropdown box, which allows you to select which one of these prioritized intelligence initiatives you want to focus upon.
So in this particular case, I've just chosen two. One is adversary monitoring.
We want to keep track of the three adversaries, and two, obviously this is a malware-based attack so we want to keep track of any malware prevention that's relevant.
So the last piece of the puzzle: one thing that can be done from the previous investigation is that any associated indicators that are linked to those actors, those file hashes.
So any IP addresses, domains, URLs, and so forth, they can all be extracted from the Anomali threat intelligence platform, and then forwarded out to your environment to use as a defensive or protective measure.
So there's the Anomali Integrator, which has an in-built API connected to a whole range of network and infrastructure within your environment.
So that basically summarizes the four.