Will you look at that! Week in #OSINT is back! This week, I want to thank:
@IntelScott
@dutch_osintguy
@craigsilverman
@Wondersmith_rae
@webbreacher
@hatless1der for sharing their wisdom!
| Portfolio Site | https://tropchaud.github.io |
| MetaOSINT | https://metaosint.github.io |
| Tidal Community Edition | https://app.tidalcyber.com |
How has the #OSINT landscape evolved over the past half-decade, a period of immense geopolitical, societal, and digital change & disruption across the globe?
I just published an original analysis on the topic, a data-driven study derived from 5+ years of tracking thousands of #opensource #intelligence research tools & resources: https://metaosint.github.io/2023-osint-trends-analysis.html
The MetaOSINT project launched in 2021 as a tactical aid for researchers & investigators (explore the free tool’s two main features here: https://metaosint.github.io/). But after publishing multiple updates since, including a huge set of additions last month, it felt worthwhile to examine how shifts in the dataset might be reflecting broader trends & changes in the underlying information landscape
Key themes in the piece include social media OSINT trends, geopolitical resources (Russia, Ukraine, & more), and large increases in #disinformation & #verification tools and accountability projects. I know there are many more insights to be gleaned from the data, which is all publicly available, so be sure to let me know what you find after digging in 🔎
#MetaOSINT #intelligenceanalysis #dataviz #datascience #socmint #geoint #imint #darkweb #digitalprivacy
My #OSINT-focused side project just reached an exciting milestone: 400 stars on GitHub. As a thanks for all the support, I’m preparing to release its largest-ever update, so now is a great time to Watch the project (and if you haven’t yet, maybe consider tossing it another ⭐️): https://github.com/MetaOSINT/MetaOSINT.github.io
MetaOSINT aggregates and makes it easier to surface relevant tools & resources from across the open-source #intelligence resource landscape. Jump into the main UI here: https://metaosint.github.io/
The upcoming release more than doubles the number of resources tracked in the database, all while maintaining the hallmark of the tool: a straightforward & intuitive way to surface relevant resources, based on the number of citations from relevant inputs across the web. This round also brings MetaOSINT into the modern era, with the addition of many resources related to recent global events, conflicts & crises, new popular social media platforms, and more (look forward to some analysis on the shifts I’ve observed in the OSINT landscape coming soon too)
Further resources for background context:
Tracking regional APTs, via Will Thomas & Curated Intel: https://twitter.com/BushidoToken/status/1711037357531508824 & https://www.curatedintel.org/2023/10/tracking-cyber-activity-surrounding-war.html
Thread on threat research prioritization, via Juan Andrés Guerrero-Saade: https://twitter.com/juanandres_gs/status/1713529740168974776
Regional APT actors worth researching are as follows:
- 🇵🇸 Molerats / Gaza Cybergang / Extreme Jackal, AridViper / Desert Falcon / APT-C-23 / Mantis
- 🇱🇧 POLONIUM / Plaid Rain, Dark Caracal, Volatile Cedar, Tempting Cedar
- 🇮🇷 MERCURY / MuddyWater, DarkBit, Agrius, BlackShadow
CTI industry leaders recently highlighted (smartly) several regional actors that might be less familiar to teams previously focused more on Russia or China APTs, ransomware, or other threats more often in headlines
The top web search results for these threats return sets of TTPs that are typically several years old. We dumped a large volume of more recent TTP #intelligence into our Community knowledge base to help fill some of these gaps, as many defenders are likely researching these threats
Intel from the highest-confidence sources, like government advisories, appears as richer Group/Software/Campaign “objects” like you’d find on the MITRE ATT&CK® site. #TTP collections from other sources usually appear as lighter-weight Technique Sets
All content points back to the original public reporting. Thanks to the many teams sharing this important intel, including CISA & many partner agencies and the threat research teams at Cybereason, Deep Instinct, ESET, Fortinet, Kaspersky, PwC, & Zscaler
Further research prioritization can be approached several ways. Some views to consider:
Collection of all new & recently updated Groups & Software: https://app.tidalcyber.com/share/f1b8215c-f0c6-4e22-b314-417ca3f0d23e
Collection of key U.S. advisories focused on Iran-aligned actors: https://app.tidalcyber.com/share/72973762-be35-4286-83c4-6ea19f123616
Very recent reporting on Yellow Liderc/Imperial Kitten: https://app.tidalcyber.com/share/techniqueset/ab4eda0f-4502-484a-99f2-fe807357c204
New PhonyC2 framework used by #MuddyWater, a prominent #espionage #APT: https://app.tidalcyber.com/share/9f562a29-ff95-4ff4-ab3b-1fe9e2be8530
All Iran-attributed Groups & Campaigns in our knowledge base, featuring multiple new objects: https://app.tidalcyber.com/share/9a532bdf-fedb-4ee1-9714-b5ea8d2e80ac
#LOLBIN & open-source tools newly associated with Volatile Cedar (Lebanon): https://app.tidalcyber.com/groups/7c3ef21c-0e1c-43d5-afb0-3a07c5a66937-Volatile%20Cedar
Molerats additional TTPs beyond ATT&CK: https://app.tidalcyber.com/share/techniqueset/0e494374-9311-485e-b21b-0d082a316054
AridViper TTPs: https://app.tidalcyber.com/share/techniqueset/a655ea23-ff7e-4957-873b-3217d361f98c
Filter all Groups in our knowledge base by Country, Sector, & Motivation: https://app.tidalcyber.com/groups
This morning, we're thrilled to publish the @tidalcyber Ultimate Guide to Cyber Threat Profiling. At 57 pages of workflows, tips, resources, and infographics, I’m out of many more words to add here – check it out and let us know what you think!
#threatprofile #threatinformeddefense #mitreattack #DiamondModel #TTP #APT #ransomware #risk #cyber
Introducing the newest major @tidalcyber TTP intelligence content roundup, the Initial Access & Malware Delivery Landscape matrix, now live in our free Community Edition platform: https://app.tidalcyber.com/share/43836024-a194-4ac7-9659-b51e88632e7f
The matrix covers 25 major & emerging #malware typically used to gain early footholds in victim environments, often leading to ingress of more impactful threats, especially #ransomware, #infostealers, cryptominers, & more. It includes many recognizable names (#QakBot, #IcedID, #Emotet, #Bumblebee, #Gootloader) plus several newer and less-discussed threats
The matrix includes 13 custom Technique Sets for threats not currently tracked in the #mitreattack knowledge base. All technique references derive from a large volume of recent, public #threat reporting (click the labels in the ribbon at the top of the matrix to view relevant source URLs for each threat)
An interactive link analysis visualization of connections among these threats, also derived from public reports, is available here: https://onodo.org/visualizations/235067/
Community Edition matrices support easy identification of shared (and outlier) techniques among multiple threats, and quick & easy overlay or pivoting to defensive & offensive security capabilities relevant to your own #security stack. We’ll have a blog out soon reviewing our analysis of top & trending techniques common among these initial access threats
Tidal’s #Adversary Intelligence team remains focused on providing up-to-date #TTPintelligence, especially around traditionally under-represented yet widely relevant threats like crimeware. Other popular matrices in this theme include our Ransomware & Data Extortion Landscape matrix (https://app.tidalcyber.com/share/9a0fd4e6-1daf-4f98-a91d-b73003eb2d6a) and Major & Emerging Infostealers matrix (https://app.tidalcyber.com/share/ec62f5e0-bd40-476b-a560-7ad2779ea9e3), which each cover 20+ threats
Financially motivated adversaries often display a rapid pace of #TTP evolution, and this is especially apparent for #initialaccess threats. Register for our webinar on May 31 dedicated to TTP evolution, its drivers, and discussion around what defenders can do to address it and its implications: https://hubs.la/Q01NC23k0
#SharedWithTidal #threatinformeddefense #malware #infostealer #cryptominer #IAB #blueteam #detectionengineering #purpleteam #cyber
New TTP sets are live in @tidalcyber's free Community Edition: https://app.tidalcyber.com/community-spotlight
SystemBC: A #ransomware precursor for years & second-most-seen malware in 2023's M-Trends
PrivateLoader: One of the most-connected nodes in our link analysis of the initial access landscape
The latest Technique Set added to Tidal’s free Community Edition summarizes the TTPs observed in recent #SocGholish campaigns according to public threat reporting https://app.tidalcyber.com/share/4b901fc2-d021-4eff-bd53-0c9fa0259ecf
SocGholish is a highly active, JavaScript-based loader #malware used to deliver a wide variety of impactful threats (summarized in the original visual attached here). Many #ransomware families, the #CobaltStrike post-exploit framework, other remote access trojans (#RAT) and loaders, and tools for #ActiveDirectory enumeration, #detection evasion, and #credential theft have been linked to recent SocGholish campaigns
SocGholish appears on multiple security and #CTI vendors' top priority threat lists. It has been active since 2017; SentinelLabs researchers observed a 330%+ increase in SocGholish malware-staging servers between the first and second halves of 2022, and Sucuri researchers detected more than 25,000 websites newly compromised by the malware's operators through July 2022 alone. Initial infections predominantly come via file downloads from sites hosting fake web browser updates, although operators also use some non-traditional email delivery techniques to drive compromised content towards potential victims. Like many of today's top #initialaccess threats, SocGholish victimology spans a wide range of industries
Consider layering the new set with other recent Community Edition content from @tidalcyber's Adversary Intelligence team, including our recent #Gootloader set (https://app.tidalcyber.com/share/796cacb6-3bb1-474b-9747-abcce2c47de2) or the set of techniques most recently associated with the ever-evolving #QakBot #trojan (https://app.tidalcyber.com/share/aef0f0c6-5212-4abf-9a24-3c81f518c59f), into one view to compare & contrast initial access techniques (https://app.tidalcyber.com/share/adb9581e-3318-4bc7-8d23-145891bf1ca4). Then take it a step further by layering mappings from your own defensive stack with the list of capabilities available in the Product Registry (https://app.tidalcyber.com/vendors). And stay tuned for our soon-to-be published overview matrix on the broad initial access/malware delivery ecosystem in today’s threat landscape, featuring more threats like the ones seen here
Struggling to differentiate & prioritize among the large set of opportunistic and “indiscriminate” threats in the landscape? Our new blog aims to help
Threat profiling generally focuses on identifying & prioritizing (rank-ordering) threats motivated to harm your organization. These include threats with clear targeting intent relative to your org or your industry, often a smaller set that is more straightforward to surface. Then comes the large pool of threats that seem to impact most sectors, in some cases your vertical specifically, or that are trending in threat intel generally, regardless of any explicit links to your industry yet
With the high volume of recent activity from threats like #ransomware, #infostealers, & loader/initial access malware like #QakBot, #Gootloader, and many others, I’m seeing more awareness that these often broad-based threats should be on many security teams’ radars. But how do you keep from being overwhelmed by what often feels like an endlessly growing list of new threats?
@tidalcyber's latest blog (https://www.tidalcyber.com/blog/ransomware-threat-profiling-prioritizing-indiscriminate-threats) offers several strategies for helping make more sense out of this subset of threats, using major ransomware-as-a-service operations as a representative case study. Our guidance involves (where possible) leaning on metrics to rank-order groups linked to your industry, using technical sources to identify potential spikes in activity and quantifiably justify increased priority levels, and focusing defenses on discrete TTPs that might be common across the wide pool of these threats (summarized for major #RaaS in the attached table, with data sourced from the Ransomware & Data Extortion mega-matrix available in Tidal’s free Community Edition here: https://app.tidalcyber.com/share/9a0fd4e6-1daf-4f98-a91d-b73003eb2d6a)
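The two ideas in the posts above, layering several threats' technique sets into one view to find shared and outlier TTPs, and rank-ordering a pool of indiscriminate threats with transparent metrics before comparing the common TTPs against your own detection coverage, can be reduced to a small script. The example below is an added illustration, not Tidal Cyber's code, data or scoring method: the threat labels, the per-threat activity metrics, the technique-to-threat mappings and the defender detection set are all constructed placeholders (the technique IDs are real ATT&CK identifiers, but which threat uses which is made up for the demo), and the activity score is one simple, arbitrary formula chosen for readability.

```python
"""Shared/outlier TTP analysis and metric-based threat ranking (added example)."""
from collections import Counter

# Constructed sample data: hypothetical threat labels mapped to ATT&CK technique IDs.
# The IDs are real ATT&CK identifiers; the mappings are NOT real intelligence.
THREAT_TECHNIQUES = {
    "loader-A":  {"T1566.001", "T1204.002", "T1059.001", "T1027", "T1105", "T1547.001"},
    "loader-B":  {"T1566.002", "T1204.002", "T1059.001", "T1027", "T1105", "T1218.011"},
    "raas-C":    {"T1059.001", "T1021.001", "T1003.001", "T1486", "T1490"},
    "raas-D":    {"T1059.001", "T1021.001", "T1003.001", "T1486", "T1567.002"},
    "stealer-E": {"T1566.001", "T1204.002", "T1555.003", "T1027", "T1041"},
}

# Constructed per-threat metrics: public reports in the last 90 days, and how
# many of those mention the defender's own sector (both invented for the demo).
ACTIVITY = {
    "loader-A":  {"reports_90d": 14, "sector_reports": 3},
    "loader-B":  {"reports_90d": 9,  "sector_reports": 5},
    "raas-C":    {"reports_90d": 22, "sector_reports": 1},
    "raas-D":    {"reports_90d": 6,  "sector_reports": 0},
    "stealer-E": {"reports_90d": 11, "sector_reports": 2},
}

# Constructed: techniques the defender's stack already has a mapped detection for.
DEFENDER_DETECTIONS = {"T1059.001", "T1566.001", "T1486"}


def technique_frequency(threat_techniques=THREAT_TECHNIQUES):
    """Count how many threats in the pool map to each technique."""
    counts = Counter()
    for techniques in threat_techniques.values():
        counts.update(techniques)
    return counts


def shared_techniques(threat_techniques=THREAT_TECHNIQUES, min_threats=3):
    """Techniques common to at least `min_threats` threats, most common first."""
    counts = technique_frequency(threat_techniques)
    common = [(tech, n) for tech, n in counts.items() if n >= min_threats]
    return sorted(common, key=lambda tn: (-tn[1], tn[0]))


def outlier_techniques(threat_techniques=THREAT_TECHNIQUES):
    """Techniques seen for exactly one threat in the pool, keyed by that threat."""
    counts = technique_frequency(threat_techniques)
    return {
        name: {tech for tech in techniques if counts[tech] == 1}
        for name, techniques in threat_techniques.items()
    }


def rank_threats(activity=ACTIVITY, sector_weight=2.0):
    """Rank-order threats by a simple, transparent score (hypothetical formula):
    recent report volume plus a weighted bonus for reports tied to your sector."""
    scored = [
        (name, m["reports_90d"] + sector_weight * m["sector_reports"])
        for name, m in activity.items()
    ]
    return sorted(scored, key=lambda ns: (-ns[1], ns[0]))


def coverage_gaps(detections=DEFENDER_DETECTIONS,
                  threat_techniques=THREAT_TECHNIQUES, min_threats=3):
    """Shared techniques for which the defender has no mapped detection."""
    return sorted(
        tech for tech, _ in shared_techniques(threat_techniques, min_threats)
        if tech not in detections
    )


if __name__ == "__main__":
    print("Ranked threats:", rank_threats())
    print("Shared techniques (>=3 threats):", shared_techniques())
    for name, uniq in outlier_techniques().items():
        print(f"Outliers for {name}: {sorted(uniq)}")
    print("Shared techniques lacking detection coverage:", coverage_gaps())
```

The `min_threats` threshold is the knob that turns a "shared" list into a "trending" list: lower it to see every overlap, raise it to keep only the techniques worth a detection investment across the whole pool, and feed `coverage_gaps()` the detections you actually have mapped rather than the placeholder set.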
These tips are often just a starting point – for more upcoming threat profiling guidance, subscribe to the Tidal blog here https://www.tidalcyber.com/blog and follow us on all major social platforms, and we look forward to hearing what other techniques you use to drive focus in the ever-evolving threat landscape
#threatinformeddefense #threatprofile #risk #intelligence #CTI