#ThreatInformedDefense

2024-06-01

Featuring MITRE Engenuity Center for Threat-Informed Defense, a long-term community partner!
Many thanks to Jonathan Baker and CTID for continuing their support to #AdversaryVillage at @defcon 32 as well.
More info: ctid.io

adversaryvillage.org/adversary and defcon.org/html/defcon-32/dc-3

Join Adversary Village Discord server: adversaryvillage.org/discord
#AdversarySimulation #PurpleTeam #Tradecraft #Tactics #AdversaryEmulation #CTID #MITREEngenuity #ThreatInformedDefense #MITRE

2023-12-14

#AdversaryGuru live-stream series from Adversary Village

Mia Sanchez, Senior Cyber Threat Intelligence Analyst at MITRE, will be talking about "[Cyber Threat Intel] CTI Blueprints: Creating Actionable Reports", an open-source project from the MITRE Engenuity Center for Threat-Informed Defense designed to help analysts create high-quality actionable reports.

Schedule: 15th December at 11:00 AM CST.

More details about the live-stream: adversaryvillage.org/live-stre
Sessions will be live-streamed on our Twitch and YouTube channels, and Q&A will happen on the Discord server.

Twitch: twitch.tv/AdversaryVillage
YouTube: youtube.com/AdversaryVillage
Join Discord server for QnA: adversaryvillage.org/discord

#adversarysimulation #purpleteaming #adversarytradecraft #adversaryemulation #threatinformedDefense #CTI #threatintel

2023-05-25

This morning, we're thrilled to publish the @tidalcyber Ultimate Guide to Cyber Threat Profiling. At 57 pages of workflows, tips, resources, and infographics, I’m out of many more words to add here – check it out and let us know what you think!

#threatprofile #threatinformeddefense #mitreattack #DiamondModel #TTP #APT #ransomware #risk #cyber

tidalcyber.com/ultimate-guide-

2023-05-25

A key part of #threatinformeddefense is focusing on threats relevant to you, but how do you know what threats those are? Developing a cyber threat profile is crucial, but many organizations find the process overwhelming.

We're excited to release our latest ebook, The Ultimate Guide to Cyber Threat Profiling! In this comprehensive guide, our Director of CTI lays out the strategic benefits of threat profiling, how to build your first threat profile, and more.

#threatintel #cybersecurity #cyberthreat

hubs.la/Q01R8SHT0

2023-05-15

Introducing the newest major @tidalcyber TTP intelligence content roundup, the Initial Access & Malware Delivery Landscape matrix, now live in our free Community Edition platform: app.tidalcyber.com/share/43836

The matrix covers 25 major & emerging #malware typically used to gain early footholds in victim environments, often leading to ingress of more impactful threats, especially #ransomware, #infostealers, cryptominers, & more. It includes many recognizable names (#QakBot, #IcedID, #Emotet, #Bumblebee, #Gootloader) plus several newer and less-discussed threats

The matrix includes 13 custom Technique Sets for threats not currently tracked in the #mitreattack knowledge base. All technique references derive from a large volume of recent, public #threat reporting (click the labels in the ribbon at the top of the matrix to view relevant source URLs for each threat)

An interactive link analysis visualization of connections among these threats, also derived from public reports, is also available here: onodo.org/visualizations/23506

Community Edition matrices support easy identification of shared (and outlier) techniques among multiple threats, and quick & easy overlay or pivoting to defensive & offensive security capabilities relevant to your own #security stack. We’ll have a blog out soon reviewing our analysis of top & trending techniques common among these initial access threats

Tidal’s #Adversary Intelligence team remains focused on providing up-to-date #TTPintelligence, especially around traditionally under-represented yet widely relevant threats like crimeware. Other popular matrices in this theme include our Ransomware & Data Extortion Landscape matrix (app.tidalcyber.com/share/9a0fd) and Major & Emerging Infostealers matrix (app.tidalcyber.com/share/ec62f), which each cover 20+ threats

Financially motivated adversaries often display a rapid pace of #TTP evolution, and this is especially apparent for #initialaccess threats. Register for our webinar on May 31 dedicated to TTP evolution, its drivers, and discussion around what defenders can do to address it and its implications: hubs.la/Q01NC23k0

#SharedWithTidal #threatinformeddefense #malware #infostealer #cryptominer #IAB #blueteam #detectionengineering #purpleteam #cyber

2023-05-02

We're excited to welcome @loginsoft to the Tidal Product Registry! You can now explore their System-41 analytics to detect potential cyber threats in the Tidal Community Edition, and add them to your matrix to check coverage against specific threat actors or groups. Be sure to check them out!

hubs.la/Q01NkXgn0

#tidalproductregistry #threatinformeddefense #threatintel #cybersecurity

2023-04-12

There's still time to register for our #webinar tomorrow exploring initial access threats and #malware delivery! You won't want to miss this presentation, in which our Director of CTI will present research on remote access trojans (RATs), loaders, and other initial access threats, and provide recommendations for prioritization. Join us at noon ET tomorrow!

#threatinformeddefense #cybersecurity #initialaccessthreats #threatintel

brighttalk.com/webcast/19703/5

2023-04-11

The Enterprise Edition of the Tidal Platform was created to help CISOs and large organizations reap the benefits of adversary behavior data and #threatinformeddefense. In this blog, our CEO discusses how the Enterprise Edition builds on MITRE ATT&CK® and the benefits it brings to security leaders. Check it out!

#ciso #threatintel #cybersecurity

tidalcyber.com/blog/announcing

2023-04-11

We are excited to announce today that our Enterprise Edition is generally available! The Enterprise Edition fully operationalizes threat-informed defense for large organizations and security teams. It brings a robust feature set including advanced threat profiling, coverage maps, and the Tidal Confidence Score™.

"The Enterprise Edition of the Tidal Cyber platform has helped my team save countless hours as we work to defend Winton," said Edward Millington, Head of Information Security at Winton. "The way that Tidal has operationalized adversary technique data is unique and makes it possible for us to truly adopt threat-informed defense."

Read more in the press release!

#threatinformeddefense #threatintel #cybersecurity #pressrelease #infosec

tidalcyber.com/newsroom/tidal-

2023-04-06

Although initial access threats like loaders and remote access trojans are responsible for many infections and notoriously frequently change their TTPs, there hasn't been a full survey of the entire initial access threat landscape. Join us on Thursday, April 13 at noon ET where we'll discuss the full initial access threatscape and highlight overlaps to help defenders prioritize their efforts.

#cybersecurity #threatintel #threatintelligence #threatinformeddefense

brighttalk.com/webcast/19703/5

2023-04-04

Ready or not, April's here and it's time to look back at March's top TTPs! In March, the Tidal Adversary Intelligence Team added 721 technique references to the Tidal knowledge base. Check out our latest Making Waves blog post to learn more about the trending TTPs last month.

#threatintel #ttp #cyberthreat #threatinformeddefense

tidalcyber.com/blog/making-wav

2023-03-28

Today's the day! You won't want to miss our review of the top #TTPs across the first quarter of 2023. We'll also be talking defensive takeaways and what we can learn from the first quarter as we head into the rest of the year. Join us at noon ET!
#threatintel #cyberdefense #threatinformeddefense #cybersecurity

brighttalk.com/webcast/19703/5

2023-03-23

Starting soon! Join us to discuss the communication gap between #cyber security vendors and their customers. We'll be talking about how it got like this, and giving clear steps for how to fix it. Can't make it at 11 AM ET? Register anyway for the recording!
#webinar #threatintel #cybersecurity #threatinformeddefense

brighttalk.com/webcast/19703/5

2023-03-14

Don’t approach your threat profile irrationally – use our #PiDay #TTPs Matrix to slice through the infinite universe of threats and bring more (mathematically) constant focus on the ones that matter most: hubs.la/Q01GPxgV0

Whether you’re a freshly-baked analyst/operator or a crusty infosec veteran, the piping hot and fresh content in Tidal’s free Community Edition is sure to ins-pie-re the next step in your threat-informed defense journey!

Our latest matrix features seven timely threats:

PyPI Malicious Packages: A recent report from Sonatype highlighted software supply chain compromises, where four Python packages hosted on the PyPI software registry contained malicious code that could drop malware, delete system utilities, & tamper with files containing authorization keys

AppleSeed: According to the MITRE ATT&CK knowledge base, “AppleSeed is a backdoor that has been used by Kimsuky to target South Korean government, academic, and commercial targets since at least 2021.”

Raspberry Robin: A highly active worm that spreads through removable media and abuses built-in Windows utilities after initial infection. Raspberry Robin has evolved into a major malware delivery threat, with links to infections involving Cobalt Strike, SocGholish, Truebot, and ultimately ransomware

Chocolatey Backdoor: Last March, Proofpoint identified an attack on French organizations in multiple sectors that used Chocolatey, an open-source package installer, to fetch malicious scripts that delivered the Serpent backdoor (this represents one of the first documented uses of Chocolatey in a cyber campaign)

(Key) LimeRAT: Trellix researchers documented a July 2022 spearphishing campaign targeting government agencies across South Asia, Europe, and North America that ultimately delivered AsyncRAT & LimeRAT. As a special bonus, this set of Pi Day techniques fittingly features T1056.001 (Input Capture: Keylogging)!

Banana Sulfate: This small set derives from Sekoia.io’s investigation into a large and sophisticated but unattributed infrastructure cluster last February

Golden Chickens: Security researchers assess this is a malware-as-a-service provider whose customers include FIN6, Cobalt Group, and the Evilnum APT group.

#SharedWithTidal #threatinformeddefense #threatintel #threatintelligence

2023-03-13

The latest Technique Set added to Tidal’s free Community Edition summarizes the TTPs observed in recent #SocGholish campaigns according to public threat reporting app.tidalcyber.com/share/4b901

SocGholish is a highly active, JavaScript-based loader #malware used to deliver a wide variety of impactful threats (summarized in the original visual attached here). Many #ransomware families, the #CobaltStrike post-exploit framework, other remote access trojans (#RAT) and loaders, and tools for #ActiveDirectory enumeration, #detection evasion, and #credential theft have been linked to recent SocGholish campaigns

SocGholish appears on multiple security and #CTI vendors' top priority threat lists. Active since 2017, SentinelLabs researchers observed a 330%+ increase in SocGholish malware-staging servers between the first and second halves of 2022, and Sucuri researchers detected more than 25,000 websites newly compromised by the malware's operators through July 2022 alone. Initial infections predominantly come via file downloads from sites hosting fake web browser updates, although operators use some non-traditional email delivery techniques to drive compromised content towards potential victims. Like many of today's top #initialaccess threats, SocGholish victimology involves a wide range of industries

Consider layering the new set with other recent Community Edition content from @tidalcyber's Adversary Intelligence team, including our recent #Gootloader set (app.tidalcyber.com/share/796ca) or the set of techniques most recently associated with the ever-evolving #QakBot #trojan (app.tidalcyber.com/share/aef0f), into one view to compare & contrast initial access techniques (app.tidalcyber.com/share/adb95). Then take it a step further by layering mappings from your own defensive stack with the list of capabilities available in the Product Registry (app.tidalcyber.com/vendors). And stay tuned for our soon-to-be published overview matrix on the broad initial access/malware delivery ecosystem in today’s threat landscape, featuring more threats like the ones seen here

#threatinformeddefense #SharedWithTidal

2023-03-10

One of the biggest issues in cybersecurity today is the gap in knowledge between security vendors and consumers of exactly how cybersecurity products defend against specific adversary techniques. Is this impossible to overcome? Not at all! Join us on March 23 for an informative fireside chat presentation where we'll discuss how we can bridge this gap.

#cybersecurity #cyberrisk #threatintel #threatinformeddefense

brighttalk.com/webcast/19703/5

2023-03-07

Struggling to differentiate & prioritize among the large set of opportunistic and “indiscriminate” threats in the landscape? Our new blog aims to help

Threat profiling generally focuses on identifying & prioritizing (rank-ordering) threats motivated to harm your organization. These include threats with clear targeting intent relative to your org or your industry, often a smaller set that is more straightforward to surface. Then comes the large pool of threats that seem to impact most sectors, maybe in some cases your vertical specifically or others trending in threat intel generally, regardless of explicit links to your industry yet

With the high volume of recent activity from threats like #ransomware, #infostealers, & loader/initial access malware like #QakBot, #Gootloader, and many others, I’m seeing more awareness that these often broad-based threats should be on many security teams’ radars. But how do you keep from being overwhelmed by what often feels like an endlessly growing list of new threats?

@tidalcyber's latest blog (tidalcyber.com/blog/ransomware) offers several strategies for helping make more sense out of this subset of threats, using major ransomware-as-a-service operations as a representative case study. Our guidance involves (where possible) leaning on metrics to rank-order groups linked to your industry, using technical sources to identify potential spikes in activity and quantifiably justify increased priority levels, and focusing defenses on discrete TTPs that might be common across the wide pool of these threats (summarized for major #RaaS in the attached table, with data sourced from the Ransomware & Data Extortion mega-matrix available in Tidal’s free Community Edition here: app.tidalcyber.com/share/9a0fd)

These tips are often just a starting point – for more upcoming threat profiling guidance, subscribe to the Tidal blog here tidalcyber.com/blog and follow us on all major social platforms, and we look forward to hearing what other techniques you use to drive focus in the ever-evolving threat landscape

#threatinformeddefense #threatprofile #risk #intelligence #CTI

2023-02-21

#Gootloader is a highly active banking Trojan-turned-loader #malware that has recently appeared on multiple vendors’ priority threat lists, attacking organizations in a wide range of verticals & countries. If your leadership or other stakeholders asked for a list of this threat's most common TTPs, would you be able to provide it quickly?

Now you can, with the Gootloader #TTP matrix available in Tidal’s free Community Edition: app.tidalcyber.com/share/796ca

Gootloader, also referred to by its related payload, #Gootkit, first emerged in 2014 but has been especially active since 2020. Despite this, technical reporting around its TTPs has been relatively light until even more recently. In the past two years alone, verticals including finance, #healthcare, defense, pharmaceutical, energy, & automotive have faced Gootloader campaigns, with victims across North America, Western Europe, & South Korea, and the malware is regularly used to deliver high-impact payloads, including Cobalt Strike, #IcedID (a common #ransomware precursor), & more. Industry-based #threat profiling can be a powerful tool, but even if your industry (or your corner of it) hasn’t yet directly observed Gootloader activity, we believe broad-based threats like this should be on most teams’ radars

Our matrix summarizes Gootloader TTPs detailed across several great recent technical reports. Reports from SentinelLabs, Cybereason, & The DFIR Report were helpfully pre-mapped to #mitreattack, and we mapped a couple of other detailed analyses. Procedural details are even available for nearly all the included technique mappings – be sure to click the Technique Set’s label in the ribbon at the top of the screen to pivot into the Details page with this information & relevant source links throughout

Red Canary & The DFIR Report helpfully provided tool-agnostic suggested #detection logic for key behaviors observed during recent Gootloader campaigns here redcanary.com/blog/gootloader/ and here thedfirreport.com/2022/05/09/s. Take a wider view by layering entire segments of your defensive stack over the #CTI back in the Community Edition, by toggling on any of the mappings available in @tidalcyber's Product Registry app.tidalcyber.com/vendors

#SharedWithTidal #threatinformeddefense #CobaltStrike #initialaccess #blueteam

2023-02-15

Wondering how to best identify the cyber threats most relevant to your organization? It's not too late to register for our cyber threat profiling webinar! Join us LIVE today at 1 PM ET to learn how to get started building a threat profile and how to use your profile to defend your organization. Can't make it at 1? Register anyway for the recording and slide deck.

#threatintel #cybersecurity #threatinformeddefense #cyberthreatintelligence #webinar

brighttalk.com/webcast/19703/5

2023-02-03

Identifying the threats relevant to your organization is a critical piece of implementing threat-informed defense, but it can also be difficult! Join us on February 15 as Tidal's Director of CTI walks through how to build a threat profile for your organization so you can more effectively and efficiently defend against threats.
#threatinformeddefense #threatintel #webinar #cybersecurity

brighttalk.com/webcast/19703/5
