According to data from CrowdStrike, 68% of detections from the last three months were not malware-based. Over that period, more than 65,000 potential intrusions were identified, or approximately one potential intrusion every 8 minutes, 24 hours a day, 365 days a year.
- The time an adversary takes to move laterally from an initially compromised host to another host within the victim environment averaged just 1 hour 32 minutes between July 1, 2020, and June 30, 2021. Moreover, in 36% of those intrusions the adversary was able to move laterally to additional hosts in less than 30 minutes.
- Most ransomware operators engaged in big game hunting (BGH) activity have now adopted the threat of data leaks alongside data encryption to extract payment from victims. Many adversaries have also established dedicated leak sites (DLSs) as a forum to publicize victim details and release the stolen data. INDRIK SPIDER is an exception to this trend toward the use of data extortion.
- A year-over-year comparison of the total number of observed attempts shows that attacks targeting the telecommunications and retail industries more than doubled. The professional services industry saw a more than 90% increase, while the government and academic sectors both saw attacks increase by more than 80%.
- Common initial access techniques observed in use against the telecommunications industry include spearphishing, vulnerability exploitation, use of legitimate credentials, and supply chain compromise. Once access has been gained, adversaries often exploit services or use system-native tools, such as Windows Management Instrumentation (WMI) and various command and script interpreters, to stage the rest of their operation.
- China-nexus adversary WICKED PANDA often uses a variety of remote access tools, including Cobalt Strike and custom software such as Winnti, ShadowPad, or RouterGod, to progress its intrusions. The LightBasin cluster has a diverse toolset that includes a tool referred to as sun4me, which has been deployed as an encrypted payload using a key derived from the victim's environment and is decrypted by a tool referred to as STEELCORGI. sun4me's wide-ranging features include:
  - Tools to enumerate the network via SNMP, UDP, and different traceroute mechanisms
  - WHOIS and DNS query tools
  - Exploits for HeartBeat, Java over Remote Method Invocation (RMI), Apache Struts, Weblogic, Veritas NetBackup, and others
  - Administration interface for MikroTik routers
  - Tools to remotely extract the configuration from Cisco routers
  - Tools to decrypt passwords from Cisco configuration, vncpasswd, and cvspass files
  - Tools to monitor activity on the infected host
  - Tools to enumerate remote users and brute force their credentials via SSH
  - Utility tools such as grep, hexdump, shred, compress and uncompress, and various versions of netcat
Metmox Human-led Threat Hunting Methodology
Threat hunting is the adoption of simple and unique methods, standards, and practices; it is the ability to see and stop the most sophisticated threats. With top-level proactive threat hunting, anomaly detection, and statistical and behavioral analysis, our threat hunters have helped our clients achieve a secure environment.
Our Human-led Threat Hunting Methodology, described below, finds the needle in the haystack and systematically detects threats at scale:
- Search for indicators of compromise: Using indicators of attack (IOAs) and tactics, techniques, and procedures (TTPs), we proactively hunt for and validate potential threats and incidents rather than sit back and wait for threats to strike.
- Hypothesis-driven investigation: Our cyber threat hunters gather events from millions of endpoints, formulate hypotheses that align with MITRE and are grounded in known threat actor behaviors, and validate those hypotheses through active searches in the environment.
- Initiate actions to remotely disrupt, contain, and neutralize threats: We hunt and detect threats faster, 24x7, and respond more adaptively to contain and remediate. We protect our clients from countless new vulnerability points and highly sophisticated attacks.
With each new threat, Metmox extracts new insights to drive continuous advancements in automated detections and human threat hunting.
Outcome-Focused Security
Our experts look at the behaviors and activities associated with malicious screen capture activity, including the writing of image files to disk, the deployment and execution of file compression and archival utilities, and anomalous traffic to unknown external hosts that may indicate exfiltration. Our threat hunters proactively investigate lateral movement activity, enriched by contextual system events.
Our mission is to expose advanced interactive threats and deliver actionable, contextual threat intelligence through our shared factory operations. Metmox supports fully managed and co-managed security teams around the globe by delivering alerts in real time. These alerts enable security responders to act quickly and decisively against live threats in their environment. But finding the threat is only half the battle: defenders must contain and remediate the threat quickly, before any damage can be done.
Having difficulty finding threats, whether known adversaries, insider threats, or outside attackers? Our team constantly monitors the threat landscape to detect new types of attacks, critical vulnerabilities, and the behavior of cybercriminals and other adversaries.
Recommendations for Seamless Security
- Organizations must employ strict patch management and enforce robust user and password controls, coupled with robust privileged access management practices, while applying an appropriate level of scrutiny and caution to all externally accessible services.
- Be vigilant and ready to act. Adversaries are continuing to find new ways to breach organizations and can move laterally in just minutes. Defenders must hunt around the clock and must be ready to act within minutes.
- Pay close attention to remote access. The use of legitimate, non-native remote access tools such as TeamViewer, AnyDesk, or VNC (and its variants) by eCrime actors is common. Defenders should restrict and audit the use of such tools in their environment, even for authorized use cases.
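The two hunts described above, the screen-capture-to-exfiltration chain (image files written to disk, then an archiver run, then traffic to an unknown external host) and the audit of non-native remote access tools, as an added example that is not Metmox's or CrowdStrike's code. The telemetry, the allowlists, and the 30-minute correlation window are all constructed assumptions.

```python
"""Behavioral hunts over constructed endpoint telemetry (example code)."""
from datetime import datetime, timedelta

ARCHIVERS = {"7z.exe", "rar.exe", "winrar.exe", "zip.exe", "tar.exe"}
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".bmp")
REMOTE_TOOLS = {"teamviewer.exe", "anydesk.exe", "vncviewer.exe", "tvnserver.exe"}
KNOWN_HOSTS = {"backup.corp.example", "update.corp.example"}  # constructed: expected destinations
REMOTE_ALLOWED = {"HELPDESK-01"}  # constructed: hosts approved to run remote access tools
WINDOW = timedelta(minutes=30)  # assumed correlation window around the archiver run

# Constructed sample telemetry: (timestamp, host, event type, detail)
EVENTS = [
    ("2021-07-01T09:00:00", "WS-117", "file_write", r"C:\Users\a\AppData\Local\Temp\s1.png"),
    ("2021-07-01T09:02:00", "WS-117", "file_write", r"C:\Users\a\AppData\Local\Temp\s2.png"),
    ("2021-07-01T09:10:00", "WS-117", "process", "7z.exe"),
    ("2021-07-01T09:12:00", "WS-117", "net_conn", "203.0.113.45"),
    ("2021-07-01T09:30:00", "WS-042", "file_write", r"C:\Users\b\Pictures\holiday.jpg"),
    ("2021-07-01T09:31:00", "WS-042", "net_conn", "update.corp.example"),
    ("2021-07-01T10:00:00", "WS-042", "process", "anydesk.exe"),
    ("2021-07-01T10:05:00", "HELPDESK-01", "process", "teamviewer.exe"),
]

def parse(events):
    return [(datetime.fromisoformat(t), h, k, d) for t, h, k, d in events]

def hunt_screen_capture_exfil(events):
    """Flag hosts where image writes precede an archiver run by at most WINDOW,
    and that run is followed within WINDOW by a connection to a non-allowlisted host."""
    by_host = {}
    for ts, host, kind, detail in parse(events):
        by_host.setdefault(host, []).append((ts, kind, detail))
    hits = set()
    for host, evs in by_host.items():
        evs.sort()
        images = [ts for ts, k, d in evs if k == "file_write" and d.lower().endswith(IMAGE_EXT)]
        archs = [ts for ts, k, d in evs if k == "process" and d.lower() in ARCHIVERS]
        conns = [ts for ts, k, d in evs if k == "net_conn" and d not in KNOWN_HOSTS]
        for a in archs:  # a lone archiver or a lone image write is normal; the chain is the signal
            if any(a - WINDOW <= i <= a for i in images) and any(a <= c <= a + WINDOW for c in conns):
                hits.add(host)
    return sorted(hits)

def hunt_remote_tools(events):
    """Flag remote access tool executions on hosts outside the approved set."""
    return sorted({(h, d.lower()) for _, h, k, d in parse(events)
                   if k == "process" and d.lower() in REMOTE_TOOLS and h not in REMOTE_ALLOWED})

if __name__ == "__main__":
    print("screen-capture exfil chain:", hunt_screen_capture_exfil(EVENTS))
    print("unapproved remote tools:", hunt_remote_tools(EVENTS))
```

WS-042 writes an image and talks to an allowlisted host but never runs an archiver, so it is not flagged by the first hunt; its AnyDesk execution is caught by the second.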