<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=439793516377641&amp;ev=PageView&amp;noscript=1">

ThreatSTOP Free Open Source Analysis Tools Series. Part 3: Analyzing Threat Infrastructure

Posted on August 08, 2019 by Ofir Ashman Leave a comment

As mentioned in our previous post on IOC Collection and Sharing, analyzable indicators can be found on a variety of platforms and channels, each with its own level of reliability and information detail. Once an analyst has deemed the collected IOCs suspicious, they can review its background and infrastructure information, such as ASN and passive DNS for IPs, and Whois, resolving IPs, and popularity score for domains. In addition, the analyst can also check if leading security vendors have already deemed the IOC malicious by choosing from a wide array of open-source blacklists. At the end of this process, the analyst will have the information and knowledge required to decide if the inbound and/or outbound traffic to the indicator should be blocked.

In this post we will review free, open-source tools that analysts can use to collect technical and reputation information on IOCs, with a focus on IPs and domains.

Read More

Share this:

ThreatSTOP Free Open Source Analysis Tools Series. Part 2: Threat Exchanges & IOC Sharing

Posted on August 01, 2019 by Ofir Ashman Leave a comment

 

The first step in IOC analysis is obtaining the indicators to analyze. Some analysts will opt to stick with one source, and analyze whichever IOCs come their way, while others may search various sources for a specific threat type such as Ransomware, or threat such as Lokibot. Threat exchanges are open and free community platforms for information sharing and collaboration, and are an excellent source for IOCs. Another source for IOC collection which may come off as less intuitive is social media, with Twitter being the best SM platform to find new, relevant IOCs.

In this post, we will describe our Top 5 Free IOC Sources for Analysis.

 

Read More

Share this:

ThreatSTOP Free Open Source Analysis Tools Series. Part 1: Why Use IOCs?

Posted on July 17, 2019 by Ofir Ashman Leave a comment

Welcome To Our New Weekly Series, Free Open Source Analysis Tools.

This Week's Topic: Free Open-Source Analysis Tools, Why Use IOCs?

Throughout this series, we'll be talking about a Security Analyst’s IOC analysis journey. From discovering relevant indicators and performing the analysis, to finding enrichments and new IOCs. We will also share recommendations for free open-source analysis tools and use cases completed by ThreatSTOP's Security and Research Team, showing how to utilize the various platforms and tools. Let's get started.

Read More

Share this:

ThreatSTOP Offering More Policy Customization with New Threat Severity Levels

Posted on July 02, 2019 by Steve Wallace Leave a comment

ThreatSTOP will be implementing changes to our severity labels to be consistent and clearer throughout our policies. We are not changing the policies themselves. Some targets, however, will have different severities and that may impact the volume of alerts you see in your portal account. Accordingly, we wanted to communicate those changes and the rationale behind them.

Read More

Share this:

Riltok Mobile Banking Trojan Stealing Credit Card Information with Phishing Ads

Posted on June 28, 2019 by Ofir Ashman Leave a comment

Riltok is a mobile banking Trojan that uses mobile phishing pages to steal credit card information from its victims. Discovered in 2018, Riltok started out solely attacking Russian targets, yet it quickly began attacking victims in other European countries as well. The Trojan is spread via malicious SMS messages, which contain links that direct the victims to a fake website posing as a popular free ad service.

Once on the website, victims are prompted to click and download the Trojan, disguised as the ad service’s mobile app. If downloaded, Riltok connects to its C&C server to exfiltrate device data, and opens a fake Google Play screen or phishing page in a browser, requesting the victim’s bank card details.

Read More

Share this:

Getting Real (SMB) Value From Threat Intelligence

Posted on June 26, 2019 by Joe Dahlquist Leave a comment

You’ve probably heard of Threat Intelligence, it's all the rage and all the cool kids are doing it… where’ve you been? Threat Intelligence, or “TI,” is everywhere and in everything, and it can be cool, but it can also be slippery and confusing and complex and a huge waste of time and resources depending on what you do (or don’t do) with it. In this post, we’re going to make a bunch of snarky statements about Threat Intelligence, and we’re going to spill the tea on how you (as a small or medium sized business) can use it and actually get some security value in return.

Read More

Share this:

US Heightens Online Attacks on Russian Power Grid: How DNS Can Protect Critical US Infrastructure

Posted on June 17, 2019 by John Bambenek Leave a comment

In retaliation for ongoing attacks against US interests and to be a deterrent against future cyberattacks, the United States has been penetrating Russian power and industrial systems according to recent reporting in the New York Times. There have been multiple articles about attacks on critical infrastructure and attempts to penetrate systems in this space. In the US, no breach has been reported to lead to a wide spread outage, but there has been an increasing level of concern.

Read More

Share this:

Upgraded JasperLoader Infecting Machines with New Targets & Functional Improvements: What You Need to Know

Posted on June 05, 2019 by Ofir Ashman Leave a comment

 

A few months ago, JasperLoader (a new malware loader) emerged, infecting systems with various malware payloads, such as the Gootkit Banking Trojan. After a short, initial campaign, the threat actors behind the malware halted their activity and JasperLoader went off the radar for a while. However, since late May, a new and upgraded version of JasperLoader has been spotted infecting machines across Europe.

Read More

Share this:

Quest Diagnostics Breach Exposes Millions: Highlights Importance of Automating Threat Intelligence & Security Layers

Posted on June 04, 2019 by John Bambenek Leave a comment

Quest Diagnostics, a large medical diagnostic and laboratory services provider, has been breached, potentially impacting tens of millions of patient records. In accordance with HIPAA, fines can range from $100 to $50,000, per record lost, if there was non-compliance. This means, at a minimum, Quest could be fined $1.2 billion dollars if they are found to have violated HIPAA. Increasingly, other regulatory regimes are imposing fines for lost records, as well. While we don’t yet know in detail how this happened, there are some important points to consider.

 

Read More

Share this:

How ThreatSTOP's Security Research Team Uses Data to Create Targets & Block Suspicious Traffic

Posted on June 03, 2019 by John Bambenek Leave a comment

One of the challenges in threat intelligence is taking the massive amount of data we have about the threat landscape and distilling it into its most relevant components. A huge part of the reason for growth in data science (and in cyber security specifically) is habitually struggling with too much information. (With some exceptions) With this roadblock, it’s a challenge to focus in on the data that’s truly relevant.

Read More

Share this:

Home Page

Partners

Blogroll

ARCHIVES

see all

OTHER THREATSTOP OUTLETS

  1. ThreatSTOP on YouTube
  2. ThreatSTOP on Twitter