Posts

Strengthening Threat Hunting Programs - Part 1: Requests for Threat Hunts

This is the first part of a threat hunting blog series I want to start. I plan to share some insights on several related ideas such as risk hunting, incident-based hunting, and leveraging a system similar to requests for intelligence (RFIs) in cyber threat intelligence (CTI), but for threat hunting. These ideas and concepts came to me from creating and running a professional threat hunting program over the course of more than two years, from early 2022 to mid 2024. In this blog are many of the lessons I have learned in my time venturing on this journey. If you are just looking for some threat hunting resources in general, please find this collection on my GitHub that I've compiled and that was helpful to me during my journey. Introduction If you are like myself and have been generating and disseminating cyber threat intelligence (CTI) for many years, it may be an obvious choice to transition into a role whereby you consume and leverage it. Threat Hunting is an activity that experienced

Strengthening Threat Hunting Programs - Part 2: Risk Hunting

This is the second part of my threat hunting blog series. Please click here for the first part. Introduction It was once put to me that, much like hunting in the wilderness, so much of what matters is not the final pursuit of the target, but the long stalk. It is crucial to learn to read the land and the patterns of the local wildlife as well as the predators. Understanding the lay of the land is as important to hunting threats in your organisation's network as it was to our hunter-gatherer ancestors. To increase the overall security posture of an organisation as an in-house security team or managed security service provider (MSSP), you need to learn what is normal and what is abnormal in that organisation. You must understand that organisation's current policies around software downloads, website filtering, vulnerability patching, remote login abilities, or file access permissions, among other controls (or lack thereof). The types of risky behaviour you will naturally uncov

The CTI Analyst Challenge

Welcome to the Cyber Threat Intelligence (CTI) Analyst Challenge! I am excited to introduce a comprehensive repository designed to enhance the skills and expertise of CTI analysts through a challenging and engaging intelligence analysis exercise. Purpose This repository was created to test and improve the capabilities of CTI analysts by providing a structured challenge that covers both proactive and reactive CTI tasks. It aims to simulate real-world scenarios and offer hands-on experience in fulfilling a demo client's Priority Intelligence Requirements (PIRs) and Requests for Intelligence (RFIs). Key Features Self-Directed Challenge: CTI analysts are provided with instructions and resources to independently navigate the tasks, encouraging self-discipline and critical thinking. Realistic Scenarios: The tasks are designed around real-world-inspired situations, making the training highly relevant and practical. Comprehensive Training Materials: The repository includes all

Strengthening Proactive CTI Through Collaboration

Those who have worked in our industry for a certain amount of time will be acutely aware that executives often encounter information security media articles and flag them to their teams. This is something my peers at other organizations and I also face. So I decided to write about it, expand my thoughts, and offer some tips from my experience and research to hopefully provide a practical solution to a common problem. This usually prompts inquiries to the Cyber Threat Intelligence (CTI) Team, who have to do their best to provide timely and accurate answers, reassuring their executive stakeholders that everything is OK or being handled. This often leads to shepherding various Cybersecurity Teams to acquire these answers. Getting to the stage whereby timely and accurate responses can always be provided can be a bit of a mountain to climb, especially for newly created CTI Teams. An Ideal 7-STEP Solution While inevitable, these interactions can be optimized to enhance organizational resilie

Tracking Adversaries: UAC-0050, Cracking The DaVinci Code

In this blog, we shall investigate a Russia-based mercenary group that has appeared in multiple CERT-UA reports after sending waves of spam to Ukrainian organisations. These mercenaries use tried and tested tactics, techniques, and procedures (TTPs) that are low effort but operationally functional. This includes the use of off-the-shelf commodity crimeware as well as legitimate remote management and monitoring (RMM) tools. These mercenaries are also notable because they have low operational security (OPSEC) and offer their services publicly, to Russians, via Facebook, Instagram, Telegram, various cybercrime forums, and their own websites. Background on UAC-0050 A report by the Computer Emergency Response Team of Ukraine (CERT-UA) on 22 February 2024 shared a notable statement of attribution to a threat group tracked as UAC-0050, on which CERT-UA has already shared updates several times. The CERT-UA team and other security researchers online believe that UAC-0050 is linked to a Rus

Lessons from the iSOON Leaks

Introduction A Chinese Ministry of Public Security (MPS) contractor called iSOON (also known as Anxun Information) that specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlapping indicators of compromise (IOCs), there is a high level of confidence that it is legitimate. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China's internal security service and primarily focuses on internal and border security, counter-terrorism, and surveillance. The MPS is comparable to the Russian FSB, the US DHS, or the UK's MI5. The most interesting findings have come from iSOON's product whitepapers and confidential slide deck presentations given to their MPS clients. About