January 24, 2019 • The Recorded Future Team
Recorded Future clients, like all other cybersecurity practitioners, are incredibly busy protecting and monitoring their networks. Because threats can often emanate from outside of the wall of the networks they’re focused on defending, it’s difficult to keep track of everything happening on that front — things like deciphering which malware reports to read, which Twitter accounts to follow, which conference talks to stream, and what threat intelligence to consume.
Here, we’ll look at three alerting rules that you can use in the Recorded Future® Platform to more easily keep up with some of the most common threats out there — spearphishing, advanced persistent threats (APTs), and malware metadata — before they hit your organization.
A large number of threats are only reported on after the disclosure of an incident or an observed attack, and many of these threats involve typosquatted domains that are registered days or even weeks in advance of a phishing attack or malware delivery. Recorded Future clients can use the following searches to help themselves find potential threat vectors (and show their bosses that they are being proactive).
Phishing, whether from targeted espionage activity or bulk credential theft, typically does not mimic the victim’s company or brand, but instead tries to blend in with commonly used services. These phishing attempts can emulate large technology and services companies such as Google, Microsoft, or Amazon, and can typosquat on any number of their products.
The use of phishing kits — even tools as advanced as the reverse proxy Modlishka — require a typosquat domain under the attacker’s control to swipe credentials. Recorded Future data regarding new domain registrations can help users identify these domains before they become weaponized.
Using strings of common brands and product names coupled with strings similar to login or account pages can surface a number of domains that one can assume with moderate confidence could be used to phish members of their network, or users, more broadly.
These hostnames can be blocked in the network proxy or denied by the DNS server. After building the query in Recorded Future, these alerts can be configured to fire at a daily cadence for ingestion into those blocking tools, or for further monitoring by researchers for potential abuse once they become hosted on an IP address.
Tracking advanced actors and commodity malware samples can be a daunting task, and one that requires a number of resources to do accurately. Access to new samples and a thorough malware repository are needed, as is an accurate set of Yara rules or signatures to categorize the samples. Many security teams do not have access to these sample repositories, and are often not given adequate time (or even tasked) to reverse-engineer malware that may be in their threat landscape. However, they are still required to stay on top of threats to their enterprises somehow.
Fortunately, many researchers and malware philanthropists post new hashes regularly, and often post their association with actors behind the malware. This can commonly be found on Twitter and in VirusTotal comment sections.
Instead of monitoring large amounts of accounts, malware reports, or other sources, Recorded Future users can couple the Any Hash entity type with the common names or strings of threat actors, surfacing newly found hashes associated with actors of interest.
This search logic helps teams identify recent malware samples from actors they know to pose a threat to their networks. These malware hashes can be rapidly ingested into EDR tools to identify infected endpoints or generate alerts, if those files become present.
These hashes can be alerted on at a regular cadence for ingestion into a threat intelligence team’s monitoring or blocking, at whatever tempo they deem appropriate. This will help teams get around the dreaded cutting and pasting from malware reports, or continuing to refresh news sites for mentions of threat actors or malware of interest.
Finally, malware also can use metadata alterations to evade basic security checks or controls. Applications or binaries can make use of a client or vendor brand name, and while these files may not always be malicious, they may signal targeting intent if they are.
Identifying these files can help spot brand infringement before it happens, along with spotting malware using a client name. Alerts for this can fire when Recorded Future observes them, and security teams can then be alerted to the abuse of their products and name.
These three alerting rules can help security teams keep a pulse on domains and malware hashes being abused by actors they believe to pose a threat to their organization. To learn more about how Recorded Future can help organizations understand and prevent threats, request a personalized demo today.