Gain Visibility into Attacker Activity with Threat Campaigns

January 27, 2023

If you’re looking to gain visibility into attacker activity with threat campaigns, you’ve got a few options. First, you can rely on time-stamping and Indicators of Behavior (IOBs). These methods used to identify known and unknown threats, but they aren’t as effective as threat campaigns.

Indicators of Behavior (IOBs)

If you’ve been searching for a way to detect malicious activities, then you’ve likely heard of Indicators of Behavior (IOBs) and Indicators of Compromise (IOCs). They are useful for detecting the early signs of attacks, and for identifying attackers’ path to a targeted system.

IOBs are often unique to a target. They show the trajectory of an attack and the tactics and techniques used by the attacker. They can also be useful to determine whether an attack is a replica of normal network activity.

Indicators of Compromise generated by enriched telemetry from a variety of data sources, including network devices and servers. This telemetry then processed in SIEM environments. The result is a list of IOBs that can export from a security tool and shared with other organizations. This provides a proactive means to identify and monitor attacks, and a more thorough set of data than IOCs.

Indicators of Compromise can express in machine readable formats that can quickly loaded into security devices. This is especially helpful for non-advanced actors.

Living off the Land (LotL) techniques

Living off the Land (LotL) is an attacker strategy that allows cyber criminals to use legitimate tools and functions while avoiding detection. This technique has become popular with nation-state targeted attack groups, but has also adopted by many other cyber criminals.

The main category of LotL attacks are fileless attacks. These attacks characterized by running shellcode directly in memory. Some of these attacks use tools that already installed on the target computer. These tools may have legitimate uses, such as running a backup program, but they can also use to download malware.

These tools often evade security measures, such as antivirus and firewalls. This is because they can run in trusted process memory space and fly under the radar. They can use to download and execute malware, or as backdoors.

These tools may be legitimate or unauthorized, but it is often difficult to tell the difference. The tool can either installed on the victim’s system, or it can be one that is only available to the attacker.

Time-stamping techniques

With the proliferation of ransomware activity, organizations need a reliable approach to tracking adversaries and their activity. One such approach involves time-stamping techniques. By leveraging this type of technology, recipients can verify the integrity of a document.

In many of these campaigns, the documents used to deliver the malicious payload hosted on legitimate web services. For example, they may host on Google Drive, Basecamp, or Sendgrid. However, the real purpose of the phishing document is to download malware binaries. The phishing document contains instructions to click on a link, which then launches the malicious payload.

In addition to the malicious payload, the phishing document includes additional links to other websites. The document also crafted to look like a generic corporate communication, such as a reply to a business call. It may even contain the recipient’s name in the subject line.

Using time-stamping techniques, recipients can verify the document’s authenticity after it has delivered. The process involves combining a hash of the original file with a trusted time stamp.

Blocking a novel threat

As security teams work to block a novel threat campaign, they often lack visibility into the tactics and techniques used by the attackers. However, with Mandiant’s Threat Campaigns feature, they can quickly stay abreast of the most active attacks.

With the ability to view a detailed timeline of the campaign, security teams can understand the attack lifecycle and identify key events and techniques. Analysts add comments to each event and explain its context. By gaining insight into the attacker’s activities, defense teams can prioritize their defensive actions and respond to threats more effectively.

The StellarParticle campaign, which tracked by CrowdStrike, leveraged a variety of malware families, and associated with the COZY BEAR adversary group. It also demonstrated a deep knowledge of Linux and Active Directory. As a result, the attackers were able to use decoys to obfuscate their attack surface and create persistence within the Office 365 environment.

The threat actor accessed several sensitive documents related to the victim’s products and services. They viewed vulnerabilities, internal business operations, points of contact, and product/service architecture. They used a VPN to connect to the victim’s network. In addition to accessing data, they attempted to log into the victim’s account using valid accounts without implementing MFA.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.


Data Security Through Data Literacy

Data Security Through Data Literacy

Unlocking data security through data literacy. Explore the pivotal role of understanding data in fortifying cybersecurity measures. Data is now pervasive, and it is important for people to understand how to work with this information. They need to be able to interpret...

Trojan Rigged Tor Browser Bundle Drops Malware

Trojan Rigged Tor Browser Bundle Drops Malware

Trojan Rigged Tor Browser Bundle drops malware. Stay vigilant against cybersecurity threats, and secure your online anonymity with caution. Threat actors have been using Trojanized installers for the Tor browser to distribute clipboard-injector malware that siphons...

Siri Privacy Risks: Unveiling the Dangers

Siri Privacy Risks: Unveiling the Dangers

Unveiling Siri privacy risks: Understand the potential dangers and take steps to enhance your digital assistant's security. Siri is a great piece of technology, but it can also be dangerous to users’ privacy. This is a serious issue that should be addressed....

Recent Case Studies

Press Releases

News & Events

Solutions

Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing

Resources

Blog

About Us