On the heels of the ongoing ramifications of the SolarWinds/SUNBURST attack, which has dominated threat intelligence activity over the last couple of months, comes some great news for the cybersecurity community: the Emotet takedown.
The Emotet malware has been brought down thanks to a widespread, coordinated defense effort. Dedicated collaboration among Europol; the FBI; the U.K. National Crime Agency; and the Dutch, German, Lithuanian, Canadian, and Ukrainian Police dismantled what is presumed to be the largest botnet in existence. Fernando Ruiz, Head of Ops for Europol’s EC3, stated, “This is probably one of the biggest operations in terms of impact that we have had recently and we expect it will have an important impact.”
This Emotet takedown is a major win and illustrates what Collective Defense can accomplish.
The Emotet malware family is a common precursor to ransomware attacks. Although IronNet can detect Emotet on customer networks at a variety of stages using the Phishing HTTPS, TLS Invalid Certificate Chain, Encrypted Communications, and Consistent Beaconing analytics, the malware can still have dire consequences if it remains undiscovered. You can learn more about the evolution of Emotet in our recent on-demand webinar.
We look to behavioral analytics to detect such unknown threats on enterprise networks. First, we do the threat detection groundwork needed to spot abnormal network activity across our customers’ networks. Second, our expert system scores these alerts, prioritizing the most interesting events to help cut down on alert fatigue. Finally, we take a Collective Defense approach to threat sharing in real time.
The IronNet February Threat Intelligence Brief
The ability to analyze and correlate seemingly unrelated instances is critical for identifying sophisticated attackers who leverage varying infrastructures to hide their activity from existing cyber defenses. As reported in the February Threat Intelligence Brief, our analysts review alerts from millions of data flows that are ingested and processed with big data analytics. We apply ratings to the alerts (benign/suspicious/malicious) and immediately share them with IronDome Collective Defense participants.
Here is a snapshot of what we discovered across the IronDome communities in January, showing 420 correlated alerts across IronDome participant environments:
Analysis of IOCs
In addition to correlated alerts, significant IronDome community findings revealed 249 Indicators of Compromise (IoCs) that may pose a risk to IronDome participant environments. For example, we analyzed glitch[.]me. This domain hosts a fake Microsoft login page meant to harvest user credentials. Traffic to this domain and its subdomain microsoft-outlook-office365-onedrive.glitch[.]me is considered unsafe.
All the IoCs we analyzed are used to trigger alerts that are mapped to the Cyber Kill Chain to identify the stage and progression of the threat. They can be used to create detection rules for network, endpoint, or other security tools currently deployed to mitigate cyber risk in each IronDome participant’s environment.
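As an added illustration of turning a domain IoC into a detection rule (example code written for this post, not IronNet's analytics or the brief's own tooling), the snippet below refangs the defanged indicator from the brief and matches it against DNS query logs on label boundaries, so the subdomain noted above is caught while look-alike names such as notglitch.me are not. The log lines and the Kill Chain stage label are constructed assumptions.

```python
import re

# Constructed IoC table in the defanged form used in the brief.
# The Kill Chain stage label is an assumption for illustration only.
IOCS = {
    "glitch[.]me": "Delivery (credential-harvesting page)",
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as glitch[.]me back into glitch.me."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")

def matches(host: str, ioc_domain: str) -> bool:
    """True if host equals the IoC domain or is a subdomain of it.
    Matching on label boundaries avoids false hits on names like notglitch.me."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)

# Constructed sample DNS query log lines (not taken from the brief).
SAMPLE_LOG = """\
2021-01-12T09:14:03Z src=10.0.4.21 qtype=A qname=microsoft-outlook-office365-onedrive.glitch.me
2021-01-12T09:14:05Z src=10.0.4.21 qtype=A qname=login.microsoftonline.com
2021-01-12T09:15:40Z src=10.0.7.9 qtype=A qname=notglitch.me
2021-01-12T09:16:01Z src=10.0.7.9 qtype=AAAA qname=glitch.me.
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) .*?qname=(?P<qname>\S+)")

def scan(log_text: str, iocs=IOCS):
    """Return (src, qname, ioc_domain, stage) for every log line that touches an IoC."""
    table = {refang(k): v for k, v in iocs.items()}
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        for domain, stage in table.items():
            if matches(m["qname"], domain):
                hits.append((m["src"], m["qname"].rstrip("."), domain, stage))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT", *hit)
```

Feeding the brief's full IoC list into IOCS and the same function over proxy or DNS logs gives a first-pass network detection that can later be mapped to its Kill Chain stage.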
See the February Threat Intelligence Brief for the full list of recent IoCs.
The IronNet Threat Intelligence Year in Review 2020
Also in this month’s intelligence brief is a rundown of our threat intelligence year in review. IronNet’s IronDome Collective Defense Platform correlates patterns of network behavior across participant environments using anonymized threat data. Being able to analyze and correlate seemingly unrelated instances is critical for identifying novel threats before they infiltrate networks.
You can access the Threat Intelligence Year in Review 2020 in the February brief for more information on key detections in 2020, including an overview of which IronNet behavioral analytics were at play in detecting SUNBURST intrusions.
*** This is a Security Bloggers Network syndicated blog from IronNet Blog authored by Anthony Grenga. Read the original post at: https://www.ironnet.com/blog/the-ironnet-february-threat-intelligence-brief