Since April 14th, when the Shadow Brokers leaked a new batch of files allegedly affiliated with Equation Group – an APT threat actor suspected of being tied to the NSA – Darknet forum members have been sharing the leaked attack tools and zero-day exploits among themselves. Continue reading “Shadow Brokers’ Massive Leak Spreads Quickly Across the Dark Web”
We are very proud to announce our partnership with EclecticIQ, the industry-leading builder of analyst-centric technologies that turn cyber threat intelligence into business value.
In the partnership, SenseCy will deliver its unique cyber intelligence Continue reading “EclecticIQ Partners with SenseCy to Bring Leading Cyber Threat Intelligence Technology to the Israeli Cyber Community”
Ransomware is emerging as a predominant online security threat to both home users and businesses, with numerous reports appearing every day on ransomware attacks against organizations across the globe. SenseCy analysts have prepared a short list of security measures recommended for any business to help avoid these attacks. Check out the tips and stay safe!
Terrogence, SenseCy and Sixgill have formed a strategic partnership to deliver next generation integrated big data analytics and cyber threat intelligence for Japanese clients. The new venture allows organizations to create their own personal collection lists and real-time threat alerts enhanced with actionable intelligence. We look forward to working together to produce high quality intelligence for our customers.
The full press release can be viewed here.
In 2015 we saw an active underground trading of exploits, botnets and spam tools. The number of Ransomware sales were much lower than it was expected by cyber security experts. Investigate the key trends in hacking tools commerce observed on the English-language underground in 2015 from our short Infographic.
Please contact us to receive your complimentary 2015 SenseCy Annual Cyber Threat Intelligence Report. https://www.sensecy.com/contact
Written and prepared by SenseCy’s Cyber Intelligence analysts.
SenseCy’s 2015 Annual CTI Report spans the main trends and activities monitored by us in the different cyber arenas including the world of Arab hacktivism, the Russian underground, the English-speaking underground, the Darknet and the Iranian underground. In addition, we have listed the major cyber incidents that occurred in 2015, and the most prominent attacks against Israeli organizations.
The following is an excerpt from the report. To receive a copy, please send a request to: firstname.lastname@example.org
2015 was a prolific year for cyber threats, so before elaborating on our main insights from the different arenas covered here at SenseCy, we would like to first summarize three of the main trends we observed in 2015.
Firstly, when reviewing 2015, we recommend paying special attention to the evolving world of ransomware and new applications of this type of malware, such as Ransomware-as-a-Service (RaaS), and ransomware targeting cloud services, as opposed to local networks and more.
Secondly, throughout 2015, we witnessed cyber-attacks against high-profile targets attributed to ISIS-affiliated hackers and groups. One such incident was the January 2015 allegedly attack against the YouTube channel and Twitter account of the U.S. Central Command (CENTCOM).
Thirdly, 2015 revealed a continuing interest in the field of critical infrastructure among hackers. Throughout the year, we witnessed multiple incidents of critical infrastructure firms allegedly targeted by hackers, prompting periodic analyses addressing the potential vulnerabilities of critical sectors such as energy, water, and more. Taking into consideration the advanced capabilities and high-level of understanding of such systems required to execute such attacks, many security firms and experts are confident that these attacks are supported by nation-state actors.
The following are several of our insights regarding activities in different cyber arenas this past year:
During 2015, we detected several indications of anti-Israel cybercrime activity on closed platforms frequented by Arabic-speaking hackers. It will be interesting to see if these anti-Israel hacktivists that usually call to deface Israeli websites or carry out DDoS attacks will attempt to incorporate phishing attacks, spamming methods and tools into their arsenals. Notwithstanding, Islamic hacktivism activity continues unabated, but without any significant success.
Trade on Russian Underground Forums
The prominent products currently traded during 2015 on Russian underground forums are ransomware programs and exploits targeting Microsoft Office. With regard to banking Trojans, we did not notice any major developments or the appearance of new Trojans for sale. The PoS malware field has not yielded any new threats either, in contrast to the impression given by its intensive media coverage.
Mobile malware for Android devices is on the rise as well, with the majority of tools offered being Trojans, but we have also detected ransomware and loaders.
Prices on the Russian Underground have remained unchanged during the past two years, due to the vigorous competition between sellers on these platforms.
Different kinds of services, such as digital signing for malicious files, injections development for MitM attacks and crypting malware to avoid detection were also extremely popular on Russian forums.
The English-Language Underground
Our analysis of password-protected forums revealed that exploits were the best-selling products of 2015. This comes as no surprise, since exploits are a vital part of almost every attack.
The Darknet made the headlines on multiple occasions this year, mostly owing to databases that were leaked on it and media reports recounting FBI activities against Darknet users. Furthermore, this year saw increased activity by the hacking community on the Darknet, manifested in dedicated markets for the sale of 0-day exploits and the establishment of several new hacking forums.
The Iranian Underground
With regard to Iranian threat actors, 2015 was a highly prolific year, with attack groups making headlines around the world. Delving deeper into the Iranian underground, we uncovered several interesting trends, some more clear than others.
One main development in 2015 was the persistent interest in critical infrastructure, with underground forum members sharing and requesting information related to industrial control systems and other related components. With Iranian actors becoming increasingly drawn to this field, we assess that this trend will remain relevant in 2016 as well.
Another growing phenomenon is the stunted life cycles of Iranian cyber groups, many with a life-span of just several months. This trend makes it difficult to monitor the different entities active in the Iranian cyber arena and their activities. To understand the constant changes in this realm, this short life cycle trend must be taken into consideration and the Iranian cyber arena continuously monitored.
That said, we must not overlook one of the most prominent characteristics of Iranian attack groups – confidentiality. With attacks attributed to Iranian actors becoming more sophisticated and high-profile, we believe that the divide between medium-level practices of malicious activity and alleged state-sponsored activity by attack groups will remain pronounced.
ISIS – Cyber-Jihad
On the other side of the Arab-speaking cyber world, we can find ISIS and its evolving cyber activities. There is disagreement between intelligence firms and cyber experts about the cyber offensive capabilities of the Islamic State. In addition, there is a high motivation among hackers that identify with the group’s fundamentalist agenda to carry out cyber-attacks against Western targets, especially against those countries actively involved in the war against the group in Iraq and Syria.
What are the real ISIS capabilities in the cyber domain?
Any ISIS activities become a hot topic after destructive events organized by the Islamic State (IS) during 2015. The whole world is concerned about ISIS plans and afraid of another bloody attacks.
One of the most discussed topic is the Islamic State offensive capabilities in the cyber space. In 2015 various organizations were hit by a number of cyber-attacks allegedly launched by IS hackers. Nevertheless, some cyber security experts presume that a sophisticated group of Russian hackers stands behind the attacks against a French TV station in April 2015 and the hijacking of the CENTCOM Twitter account in January 2015. Anyway, let’s have a look at the timeline of cyber-attacks that are related to ISIS in 2015. Investigate the Infographic. We will appreciate your opinion regarding ISIS cyber capabilities.
During January 2016 we will publish our annual Cyber Threat Intelligence report, in which you could find fascinating information regarding ISIS cyber activities, recent developments in the Russian underground, technical analysis of self-developed malicious tools that we identified this year, new trends in Darknet platforms, and more.
The short answer to this question is another question – does it really matter? What is more important is their ever-growing desire and motivation to obtain and develop offensive capabilities in cyber-space.
There has been debate among security experts on this matter since the Islamic State (IS) started operating in the cyber domain. On the one hand, some argue that IS hackers have already proven their ability to launch successful cyber-attacks and now they are attempting to carry out meaningful attacks against critical infrastructures (with no success thus far).
On the other hand, an emerging theory suggests that attacks previously associated with IS were actually perpetrated by a sophisticated group of Russian hackers. In other words, the alleged attacks against a French TV station in April 2015, the hijacking of the CENTCOM Twitter account in January 2015 and others were the work of a Russian APT group, and not the IS-affiliated “Cyber Caliphate.”
But again – does it really matter? We can say with a high degree of certainty that IS as a terror organization is trying to develop cyber capabilities. We received a strong indication of this trend in late August 2015, when a US drone strike killed a British IS cyber expert.
Even before that, in early 2014, we had heard of so-called cyber operations conducted by the Al-Qaeda Electronic Army (AQEA, or AQECA – the Al-Qaeda Electronic Cyber Army) against US government websites.
We assess that at the moment IS hacking entities (such as “Cyber Caliphate” or the Islamic Cyber Army – ICA) do not have high technical capabilities. That said, we should not underestimate the Islamic State’s attempts to develop an offensive cyber capability. An analysis of IS publications reveals a clear increase in the motivation of IS-inspired hackers to wage attacks against high-profile Western targets.
A concerning development in this aspect would be indications of the purchasing of attack tools and malware from highly sophisticated cyber criminals. Taking into consideration the clear intentions expressed by IS in relation to executing cyber-attacks against the West, such tools could be directed at critical infrastructures, sensitive organizations, government agencies and more.
By Dori Fisher, VP Intelligence Solutions
Information security (“cyber security”) has rapidly evolved in recent years, and as a result, we need to reinvent and redefine concepts that were once considered clear and concepts that have not yet been addressed. One of these concepts is cyber threat intelligence, or CTI.
Market Guide for Security Threat Intelligence Services, a Gartner paper from October 2014, lists 27 companies in its CTI category. These include two very different Israeli companies, Check Point, known originally for its firewalls, and SenseCy, which is known for its intelligence.
Yet one-dimensional market categories do not reflect the specific activities of various companies. In other words, CTI, like DLP (data leakage protection) and other terms, is implemented in various ways and expresses different needs. Sometimes, with all the marketing hype, words lose their meaning. One of the biggest challenges with “CTI” is that it refers to intelligence when what is actually delivered is information.
What is Intelligence?
Intelligence, according to the FBI, is “information that has been analyzed and refined so that it is useful to policymakers in making decisions.”
Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice.”
The common thread in definitions of intelligence is that it is information analyzed to create value.
Stages of Cyber Intelligence
Cyber intelligence, like classic intelligence, consists of a number of major processes:
Developing sources: Where do you look and how do you get there? (For example, how do you become a member of a closed Indonesian carding forum?)
Collection: What do you look for and how do you find information? (For example, using various languages, automatic or manual tools, etc.)
Filtering and aggregation: Filtering and combining bits of information.
Analysis: Understanding the information and its value.
Conclusions and deliverables: Insights about the information analyzed and packaging of the information.
Computers have proven themselves efficient at collecting, aggregating, and filtering intelligence. However, human beings are still better at developing high-quality sources, analyzing, and drawing conclusions – despite the great promise of various analytic technologies.
Intelligence vs. Information
Many of the deliveries called intelligence (or CTI) are in fact, information.
Examples are information collection by means of honey pots, attack servers, network forensics, social networks, Internet networks not accessible through a Google search (the Deep Web), or networks requiring special browsing software (the Dark Web).
Without information collection there would be no intelligence, but the mere act of collection from one source or another does not make the information “intelligence.”
For example, a quote from a closed group that is planning to attack a certain bank on Christmas is important information, but the modus operandi, the tools to be used, the ability to actually carry out the attack, and the likelihood that the attack will take place is important intelligence.
Cyber Intelligence as a Nail and Information Security Tools as a Hammer
Psychologist Abraham Maslow noted that “it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.”
In the ancient world, when Joshua sent spies into Jericho, his tools were mainly between his ears, and the intelligence took form accordingly. Today, with firewalls, information security management systems, data leak prevention, and endpoint protection, we sometimes confuse intelligence with technological information like IP addresses and signatures that can be inserted into the products that we buy.
The technological information is the delivery but not the essence.
High-quality intelligence can sometimes also be expressed in technological deliveries, but the quality of intelligence can be measured based on the ability to act upon it, whether by updating firewall rules or redefining strategy or tactics in regard to a certain topic.