440 Followers
48 Following
48 Posts
CTI Director @tidalcyber. Reluctant security practitioner & tool developer. Mainly posting about CTI, TTPs, OSINT, & dataviz
Portfolio Site: https://tropchaud.github.io
MetaOSINT: https://metaosint.github.io
Tidal Community Edition: https://app.tidalcyber.com

How has the #OSINT landscape evolved over the past half-decade, a period of immense geopolitical, societal, and digital change & disruption across the globe?

I just published an original analysis on the topic, a data-driven study derived from 5+ years of tracking thousands of #opensource #intelligence research tools & resources: https://metaosint.github.io/2023-osint-trends-analysis.html

The MetaOSINT project launched in 2021 as a tactical aide for researchers & investigators (explore the free tool’s two main features here: https://metaosint.github.io/). But after publishing multiple updates since, including a huge set of additions last month, it felt worthwhile to examine how shifts in the dataset might be reflecting broader trends & changes in the underlying information landscape

Key themes in the piece include social media OSINT trends, geopolitical resources (Russia, Ukraine, & more), and large increases in #disinformation & #verification tools and accountability projects. I know there are many more insights to be gleaned from the data, which is all publicly available, so be sure to let me know what you find after digging in 🔎

#MetaOSINT #intelligenceanalysis #dataviz #datascience #socmint #geoint #imint #darkweb #digitalprivacy


My #OSINT-focused side project just reached an exciting milestone: 400 stars on GitHub. As a thanks for all the support, I’m preparing to release its largest-ever update, so now is a great time to Watch the project (and if you haven’t yet, maybe consider tossing it another ⭐️): https://github.com/MetaOSINT/MetaOSINT.github.io

MetaOSINT aggregates and makes it easier to surface relevant tools & resources from across the open-source #intelligence resource landscape. Jump into the main UI here: https://metaosint.github.io/

The upcoming release more than doubles the number of resources tracked in the database, all while maintaining the hallmark of the tool: a straightforward & intuitive way to surface relevant resources, based on the number of citations from relevant inputs across the web. This round also brings MetaOSINT into the modern era, with the addition of many resources related to recent global events, conflicts & crises, new popular social media platforms, and more (look forward to some analysis on the shifts I’ve observed in the OSINT landscape coming soon too)


CTI industry leaders recently highlighted (smartly) several regional actors that might be less familiar to teams previously focused more on Russia or China APTs, ransomware, or other threats more often in headlines

The top web search results for these threats return sets of TTPs that are typically several years old. We dumped a large volume of more recent TTP #intelligence into our Community knowledge base to help fill some of these gaps, as many defenders are likely researching these threats

Intel from the highest-confidence sources like government advisories appears as richer Group/Software/Campaign “objects” like you’d find on the MITRE ATT&CK® site. #TTP collections from other sources usually appear as lighter-weight Technique Sets

All content points back to the original public reporting. Thanks to the many teams sharing this important intel, including CISA & many partner agencies and the threat research teams at Cybereason, Deep Instinct, ESET, Fortinet, Kaspersky, PwC, & Zscaler

Further research prioritization can be approached several ways. Some views to consider:

Collection of all new & recently updated Groups & Software: https://app.tidalcyber.com/share/f1b8215c-f0c6-4e22-b314-417ca3f0d23e

Collection of key U.S. advisories focused on Iran-aligned actors: https://app.tidalcyber.com/share/72973762-be35-4286-83c4-6ea19f123616

Very recent reporting on Yellow Liderc/Imperial Kitten: https://app.tidalcyber.com/share/techniqueset/ab4eda0f-4502-484a-99f2-fe807357c204

New PhonyC2 framework used by #MuddyWater, a prominent #espionage #APT: https://app.tidalcyber.com/share/9f562a29-ff95-4ff4-ab3b-1fe9e2be8530

All Iran-attributed Groups & Campaigns in our knowledge base, featuring multiple new objects: https://app.tidalcyber.com/share/9a532bdf-fedb-4ee1-9714-b5ea8d2e80ac

#LOLBIN & open-source tools newly associated with Volatile Cedar (Lebanon): https://app.tidalcyber.com/groups/7c3ef21c-0e1c-43d5-afb0-3a07c5a66937-Volatile%20Cedar

Additional Molerats TTPs beyond ATT&CK: https://app.tidalcyber.com/share/techniqueset/0e494374-9311-485e-b21b-0d082a316054

AridViper TTPs: https://app.tidalcyber.com/share/techniqueset/a655ea23-ff7e-4957-873b-3217d361f98c

Filter all Groups in our knowledge base by Country, Sector, & Motivation: https://app.tidalcyber.com/groups


Introducing the newest major @tidalcyber TTP intelligence content roundup, the Initial Access & Malware Delivery Landscape matrix, now live in our free Community Edition platform: https://app.tidalcyber.com/share/43836024-a194-4ac7-9659-b51e88632e7f

The matrix covers 25 major & emerging #malware typically used to gain early footholds in victim environments, often leading to ingress of more impactful threats, especially #ransomware, #infostealers, cryptominers, & more. It includes many recognizable names (#QakBot, #IcedID, #Emotet, #Bumblebee, #Gootloader) plus several newer and less-discussed threats

The matrix includes 13 custom Technique Sets for threats not currently tracked in the #mitreattack knowledge base. All technique references derive from a large volume of recent, public #threat reporting (click the labels in the ribbon at the top of the matrix to view relevant source URLs for each threat)

An interactive link analysis visualization of connections among these threats, also derived from public reports, is available here: https://onodo.org/visualizations/235067/

Community Edition matrices support easy identification of shared (and outlier) techniques among multiple threats, and quick & easy overlay or pivoting to defensive & offensive security capabilities relevant to your own #security stack. We’ll have a blog out soon reviewing our analysis of top & trending techniques common among these initial access threats

Tidal’s #Adversary Intelligence team remains focused on providing up-to-date #TTPintelligence, especially around traditionally under-represented yet widely relevant threats like crimeware. Other popular matrices in this theme include our Ransomware & Data Extortion Landscape matrix (https://app.tidalcyber.com/share/9a0fd4e6-1daf-4f98-a91d-b73003eb2d6a) and Major & Emerging Infostealers matrix (https://app.tidalcyber.com/share/ec62f5e0-bd40-476b-a560-7ad2779ea9e3), which each cover 20+ threats

Financially motivated adversaries often display a rapid pace of #TTP evolution, and this is especially apparent for #initialaccess threats. Register for our webinar on May 31 dedicated to TTP evolution, its drivers, and discussion around what defenders can do to address it and its implications: https://hubs.la/Q01NC23k0

#SharedWithTidal #threatinformeddefense #malware #infostealer #cryptominer #IAB #blueteam #detectionengineering #purpleteam #cyber


New TTP sets are live in @tidalcyber's free Community Edition: https://app.tidalcyber.com/community-spotlight

SystemBC: A #ransomware precursor for years & second-most-seen malware in 2023's M-Trends

PrivateLoader: One of the most-connected nodes in our link analysis of the initial access landscape


The latest Technique Set added to Tidal’s free Community Edition summarizes the TTPs observed in recent #SocGholish campaigns according to public threat reporting https://app.tidalcyber.com/share/4b901fc2-d021-4eff-bd53-0c9fa0259ecf

SocGholish is a highly active, JavaScript-based loader #malware used to deliver a wide variety of impactful threats (summarized in the original visual attached here). Many #ransomware families, the #CobaltStrike post-exploit framework, other remote access trojans (#RAT) and loaders, and tools for #ActiveDirectory enumeration, #detection evasion, and #credential theft have been linked to recent SocGholish campaigns

SocGholish appears on multiple security and #CTI vendors' top priority threat lists. The malware has been active since 2017; SentinelLabs researchers observed a 330%+ increase in SocGholish malware-staging servers between the first and second halves of 2022, and Sucuri researchers detected more than 25,000 websites newly compromised by the malware's operators through July 2022 alone. Initial infections predominantly come via file downloads from sites hosting fake web browser updates, although operators use some non-traditional email delivery techniques to drive compromised content towards potential victims. Like many of today's top #initialaccess threats, SocGholish victimology involves a wide range of industries

Consider layering the new set with other recent Community Edition content from @tidalcyber's Adversary Intelligence team, including our recent #Gootloader set (https://app.tidalcyber.com/share/796cacb6-3bb1-474b-9747-abcce2c47de2) or the set of techniques most recently associated with the ever-evolving #QakBot #trojan (https://app.tidalcyber.com/share/aef0f0c6-5212-4abf-9a24-3c81f518c59f), into one view to compare & contrast initial access techniques (https://app.tidalcyber.com/share/adb9581e-3318-4bc7-8d23-145891bf1ca4). Then take it a step further by layering mappings from your own defensive stack with the list of capabilities available in the Product Registry (https://app.tidalcyber.com/vendors). And stay tuned for our soon-to-be published overview matrix on the broad initial access/malware delivery ecosystem in today’s threat landscape, featuring more threats like the ones seen here

#threatinformeddefense #SharedWithTidal


Struggling to differentiate & prioritize among the large set of opportunistic and “indiscriminate” threats in the landscape? Our new blog aims to help

Threat profiling generally focuses on identifying & prioritizing (rank-ordering) threats motivated to harm your organization. These include threats with clear targeting intent relative to your org or your industry, often a smaller set that is more straightforward to surface. Then comes the large pool of threats that seem to impact most sectors, maybe in some cases your vertical specifically or others trending in threat intel generally, regardless of explicit links to your industry yet

With the high volume of recent activity from threats like #ransomware, #infostealers, & loader/initial access malware like #QakBot, #Gootloader, and many others, I’m seeing more awareness that these often broad-based threats should be on many security teams’ radars. But how do you keep from being overwhelmed by what often feels like an endlessly growing list of new threats?

@tidalcyber's latest blog (https://www.tidalcyber.com/blog/ransomware-threat-profiling-prioritizing-indiscriminate-threats) offers several strategies for helping make more sense out of this subset of threats, using major ransomware-as-a-service operations as a representative case study. Our guidance involves (where possible) leaning on metrics to rank-order groups linked to your industry, using technical sources to identify potential spikes in activity and quantifiably justify increased priority levels, and focusing defenses on discrete TTPs that might be common across the wide pool of these threats (summarized for major #RaaS in the attached table, with data sourced from the Ransomware & Data Extortion mega-matrix available in Tidal’s free Community Edition here: https://app.tidalcyber.com/share/9a0fd4e6-1daf-4f98-a91d-b73003eb2d6a)

These tips are often just a starting point – for more upcoming threat profiling guidance, subscribe to the Tidal blog here https://www.tidalcyber.com/blog and follow us on all major social platforms, and we look forward to hearing what other techniques you use to drive focus in the ever-evolving threat landscape

#threatinformeddefense #threatprofile #risk #intelligence #CTI


#Gootloader is a highly active banking Trojan-turned-loader #malware that has recently appeared on multiple vendors’ priority threat lists, attacking organizations in a wide range of verticals & countries. If your leadership or other stakeholders asked for a list of this threat's most common TTPs, would you be able to provide it quickly?

Now you can, with the Gootloader #TTP matrix available in Tidal’s free Community Edition: https://app.tidalcyber.com/share/796cacb6-3bb1-474b-9747-abcce2c47de2

Gootloader, also referred to by its related payload, #Gootkit, first emerged in 2014 but has been especially active since 2020. Despite this, technical reporting around its TTPs has been relatively light until even more recently. In the past two years alone, verticals including finance, #healthcare, defense, pharmaceutical, energy, & automotive have faced Gootloader campaigns, with victims across North America, Western Europe, & South Korea, and the malware is regularly used to deliver high-impact payloads, including Cobalt Strike, #IcedID (a common #ransomware precursor), & more. Industry-based #threat profiling can be a powerful tool, but even if your industry (or your corner of it) hasn’t yet directly observed Gootloader activity, we believe broad-based threats like this should be on most teams’ radars

Our matrix summarizes Gootloader TTPs detailed across several great recent technical reports. Reports from SentinelLabs, Cybereason, & The DFIR Report were helpfully pre-mapped to #mitreattack, and we mapped a couple other detailed analyses. Procedural details are even available for nearly all the included technique mappings – be sure to click the Technique Set’s label in the ribbon at the top of the screen to pivot into the Details page with this information & relevant source links throughout

Red Canary & The DFIR Report helpfully provided tool-agnostic suggested #detection logic for key behaviors observed during recent Gootloader campaigns here https://redcanary.com/blog/gootloader/ and here https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/. Take a wider view by layering entire segments of your defensive stack over the #CTI back in the Community Edition, by toggling on any of the mappings available in @tidalcyber's Product Registry https://app.tidalcyber.com/vendors

#SharedWithTidal #threatinformeddefense #CobaltStrike #initialaccess #blueteam


With #Hive ransomware infrastructure taken down last week and speculation of similar action against #LockBit, which groups will likely take the “top” #RaaS spots in the first part of the year? If you don’t track #ransomware-as-a-service closely, you may not realize how many other groups regularly carry out attacks (or at least claim & extort victims publicly)

Since the takedown on Thursday, five RaaS groups have claimed nearly 30 victims publicly, with LockBit 3.0, #Clop, and #ViceSociety leading the pack. In our ransomware landscape briefing last week, a participant asked which group concerned us most into the new year. My answer is “most” of those seen in the slide here (but if I had to narrow it down, I’d choose LockBit in the short term, and Vice Society in the medium/longer term)

Last week I argued that many, if not most, of the “top” groups (measured quickly by last year’s victim count) should be on most security teams’ radars. While there are some notable trends in victim sectors, like a relative increase in attacks on public services organizations, in general most of the leading groups are associated with a broad range of victim verticals (a similar trend holds for victim size too – a relative rise in mid-sized organizations, but still a notable number of large enterprises like in years past)

Rather than burn resources trying to track each new victim associated with each group every day, there is value in identifying top common tactics, techniques, & procedures among groups with generally similar motivations & victim patterns, and focusing response drills, defensive reinforcements, log source & detection tuning, and, where resources allow, unit testing or adversary simulation or emulation around that subset of TTPs

Our living matrix of top ransom & extortion group #TTPs is found here, covering nearly 30 groups and 175 techniques, although the cluster of top common ones is much smaller. Click the labels in the ribbon at the top to see source references for every mapping and procedural details for many: https://app.tidalcyber.com/share/9a0fd4e6-1daf-4f98-a91d-b73003eb2d6a

You can also catch the recording of last week’s session and slides with this and similar metrics & graphics on-demand here: https://www.brighttalk.com/webcast/19703/570527

#threatinformeddefense #TTP #risk


Prioritizing TTPs for ransomware linked to Royal Mail attack

After media reports linking #LockBit ransomware to the attack on the UK’s largest mail delivery service, which halted some delivery operations (https://www.bleepingcomputer.com/news/security/royal-mail-cyberattack-linked-to-lockbit-ransomware-operation/), we revisited our technique set for this #threat and added 20 technique references (including six net-new techniques linked to this malware in our knowledge base). View the data here: https://app.tidalcyber.com/share/bcc36246-50b7-41c0-9e43-57cb07db59ad

LockBit 3.0 emerged in July as the latest variant in this highly active family of ransomware-as-a-service (RaaS). LockBit was likely the single most active #ransomware cluster of 2022, accounting for the most publicly extorted victims last year by far (a very rough approximation for overall activity – more on the nuances of public victim data below)

Considering threats to your industry & immediate peers is a great entry point to building a cyber “threat profile”. Many of the top #RaaS, including LockBit, stand out for the breadth of sectors they’ve victimized – often, if you look hard enough, you can likely find at least one victim in a given vertical associated with a particular RaaS family. It’s therefore usually pertinent to evaluate many of these threats in your profiling efforts and consider taking some steps to reinforce defenses around them

Likely in part due to extra scrutiny, LockBit 3.0 has more linked techniques (57) than any other threat in our Ransomware & Data Extortion Landscape mega-matrix (https://app.tidalcyber.com/share/9a0fd4e6-1daf-4f98-a91d-b73003eb2d6a). That is orders of magnitude fewer than the number of associated indicators (see here for just one indication of volume: https://valhalla.nextron-systems.com/info/rule/MAL_RANSOM_Lockbit_Jul22_1) but still a fair amount worth prioritizing. A good entry point for this involves gauging the widest gaps between the highest-density techniques (those seen most often in your data) and those you’ve determined you are most- or least-defended against. The attached table shows Sigma, Atomic Red Team, & Data Component coverage for select LockBit 3.0 techniques – these and many commercial capabilities can all be easily surfaced, pivoted to, or overlaid in Tidal’s free Community Edition

And while technique counts are usually much smaller than IOC volume, remember adversaries can & do (increasingly) evolve their TTPs, underscoring the importance of intelligence tracking over time where team resources & bandwidth allow: https://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps

#SharedWithTidal #threatinformeddefense #RoyalMail

Finally, several recent thoughtful articles/discussions commenting on important nuances to consider when looking to victim extortion/data leak sites to gauge ransomware prevalence: https://www.ohadzaidenberg.com/post/victimology-analysis-and-data-leaks-site
https://www.curatedintel.org/2022/11/the-difficulties-and-dubiousness-of.html
https://twitter.com/uuallan/status/1597950775216394240
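One way to operationalize the analysis described in this post (ranking techniques by how many similar groups use them, then gauging the gap between that density and your own Sigma / Atomic Red Team / Data Component coverage) and the "top common TTPs across groups with similar motivations" approach in the earlier ransomware post, as an added Python example. This is not Tidal's code and does not use Tidal's or ATT&CK's data: the group-to-technique mappings and the coverage flags are constructed for illustration only, and the RaaS cluster names are placeholders.

```python
"""Rank-order adversary techniques by how many tracked groups use them, then
surface the widest gaps between that density and existing defensive coverage.

Illustrative example only. The group-to-technique mappings and the coverage
flags below are constructed for this demo and are NOT Tidal's or ATT&CK's data.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed mappings: hypothetical RaaS clusters -> ATT&CK technique IDs.
GROUP_TECHNIQUES: dict[str, set[str]] = {
    "RaaS-A": {"T1486", "T1490", "T1059.001", "T1021.001", "T1078",
               "T1562.001", "T1003.001", "T1567.002"},
    "RaaS-B": {"T1486", "T1490", "T1059.001", "T1021.001", "T1078",
               "T1562.001", "T1190"},
    "RaaS-C": {"T1486", "T1490", "T1059.001", "T1078", "T1047", "T1133"},
    "RaaS-D": {"T1486", "T1059.001", "T1021.001", "T1562.001", "T1566.001",
               "T1105"},
}

# Kinds of defensive capability a team might have mapped per technique
# (mirrors the Sigma / Atomic Red Team / Data Component columns in the post).
CAPABILITY_KINDS = ("sigma", "atomic", "data_component")

# Constructed coverage: which capability kinds exist for each technique.
# Techniques absent from this map are treated as having no coverage at all.
DEFENSIVE_COVERAGE: dict[str, set[str]] = {
    "T1486": {"sigma", "atomic", "data_component"},
    "T1059.001": {"sigma", "atomic", "data_component"},
    "T1490": {"atomic"},
    "T1021.001": {"data_component"},
    "T1562.001": {"sigma", "atomic"},
    "T1003.001": {"sigma", "atomic", "data_component"},
}


def technique_density(groups=GROUP_TECHNIQUES) -> Counter:
    """Number of groups in which each technique appears."""
    return Counter(tid for techniques in groups.values() for tid in techniques)


def common_core(groups=GROUP_TECHNIQUES, min_share=0.75) -> list[str]:
    """Techniques used by at least `min_share` of the tracked groups."""
    density = technique_density(groups)
    threshold = min_share * len(groups)
    return sorted(t for t, n in density.items() if n >= threshold)


def outliers(groups=GROUP_TECHNIQUES) -> list[str]:
    """Techniques seen in exactly one group (candidate differentiators)."""
    return sorted(t for t, n in technique_density(groups).items() if n == 1)


def coverage_fraction(tid, coverage=DEFENSIVE_COVERAGE) -> float:
    """Share of capability kinds mapped to the technique (0.0 if none)."""
    return len(coverage.get(tid, set())) / len(CAPABILITY_KINDS)


@dataclass(frozen=True)
class Priority:
    technique: str
    groups_using: int
    density: float      # share of groups using the technique
    coverage: float     # share of capability kinds mapped to it
    gap: float          # density weighted by the uncovered share


def prioritize(groups=GROUP_TECHNIQUES, coverage=DEFENSIVE_COVERAGE) -> list[Priority]:
    """Rank techniques by density * (1 - coverage): high-density, poorly
    covered techniques come first; fully covered ones sink to gap 0.
    Ties break on group count, then technique ID, so output is deterministic."""
    n_groups = len(groups)
    rows = []
    for tid, n in technique_density(groups).items():
        density = n / n_groups
        cov = coverage_fraction(tid, coverage)
        rows.append(Priority(tid, n, density, cov, round(density * (1 - cov), 6)))
    return sorted(rows, key=lambda r: (-r.gap, -r.groups_using, r.technique))


if __name__ == "__main__":
    print("Common core:", common_core())
    print("Outliers:", outliers())
    for r in prioritize():
        print(f"{r.technique:<10} groups={r.groups_using} "
              f"density={r.density:.2f} coverage={r.coverage:.2f} gap={r.gap:.2f}")
```

With the constructed data, T1078 (Valid Accounts) tops the list: three of four groups use it and nothing is mapped against it, while T1486 and T1059.001 are used by every group but fall to a gap of zero because all three capability kinds are already in place. Swapping in a real export of group-to-technique mappings and your own capability inventory is all the code needs to run against actual data.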
