As a product marketer myself, I’m familiar with the sort of techniques that are used to market a product and attract a target audience. As a cybersecurity product marketer, it’s even more interesting to me to see how attackers are using similar techniques to lure victims into downloading their “products” or malicious payloads.
It’s not news that attackers have widely commercialized cybercrime – using dedicated underground marketplaces selling competitively priced products such as Ransomware-as-a-Service – but the techniques are evolving. Enterprises need to stay one step ahead and future-proof their methods for anticipating, adapting and responding to these ever-advancing techniques.
Let’s take a look at a couple of examples used by attackers and outline some key steps you can take to improve your defenses.
SEO Poisoning
SEO poisoning is a social engineering technique in which threat actors compromise legitimate and highly trafficked websites.
The attackers use Search Engine Optimization (SEO) to improve their searchability on the web and increase their website’s ranking in search engines – just like digital marketers do. The obvious difference here is that in the case of attackers, legitimate websites are compromised. By naming malicious files on the website with highly ranked search terms that appeal to their audience, they increase the chances of convincing a victim to download the file. This is a particularly common practice with ransomware groups.
Future-Proof Solution – Combining Endpoint Detection & Response with Threat Intelligence Enrichment
Attacks leveraging SEO poisoning are increasingly being used against enterprises. They infect a device with a malicious file, which then runs a script that can act as a beacon for follow-on attacks. Using an Endpoint Detection and Response (EDR) solution can give you deep visibility into endpoint activity like this and let you trace back how the attack started.
However, you cannot expect everything to be detected by EDR solutions. Attackers are constantly creating new tactics & techniques and security teams are often unable to rely on up-to-date configuration of an EDR solution, as company policies change and testing cycles slow down.
What’s necessary is having more context by leveraging threat intelligence, which helps explain the broader objective of the attack so that you can then anticipate next steps. That’s why we recommend, at the very least, having some kind of threat intelligence enrichment process, whereby further research is conducted across the clear, deep and dark web. This provides an understanding of wider attack campaign activity that resembles the alert you received – and uses that information (such as malicious IPs, domains and file hashes) to hunt for signs of attack that may have been missed by your security controls.
It can also be difficult to maintain the configuration of your EDR solution so that the correct rules are being triggered, security policies are up-to-date, and any alerts triggered on one machine are then followed up with an investigation into other machines – to reduce the impact on the rest of the network. A Managed EDR solution provider can do this for you on a continuous basis.
You can find an example of how CyberProof responded to an SEO poisoning attack in our latest CyberProof Defenders Playbook report, along with other real-life scenarios.
Underground Marketplaces
Like most e-commerce sites on the clear web, underground marketplaces provide a digital commercial experience where products and services can be browsed and purchased by customers. The obvious difference is that illicit goods are being traded, and the prime audience is cyber criminals.
CyberProof’s Cyber Threat Intelligence (CTI) team discovered a new cybercrime marketplace named Plugged, developed by a threat actor named Nerds, which claimed to have more than 15,000 customers.
Underground marketplaces are key sources for stolen identity information, credit card information and pre-built malware tools. Compromised bank accounts and payment services can be priced between $20 and $100, according to a report on the most popular marketplaces.
Future-Proof Solution – Threat Intelligence & Reconnaissance combined with Expert Threat Hunting
In order for any organization to know whether it has been compromised, it’s essential to know if information about the company or its customers has been made available in underground marketplaces. However, without specific expertise and trade skills, obtaining manual access to underground forums and marketplaces can take years.
Organizations will often look to use dark web monitoring platforms that have been built by experienced threat intelligence and reconnaissance experts, to scour these underground sources and collect indicators about whether accounts or company information is being sold. However, security teams need the ability to not only associate this activity with the tactics, techniques and procedures of a threat actor or campaign in order to find similar activity within their network – but also to know how to respond appropriately.
This is why CyberProof recommends leveraging a combination of threat intelligence platforms (TIPs) and a collective team of human analysts and threat hunters, who know what patterns resemble a particular campaign or threat actor and can:
- Collect further indicators of compromise (IOCs) associated with the threat actor or campaign such as malicious IPs, domains and file hashes and detection rules – to update your security controls and threat detection systems
- Conduct further research into the other marketplaces or forums – to see if more data has been compromised
- Hunt through your network – for evidence that this threat is continuing to steal information in your network, or at least validate there is no further threat
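As an added illustration (not CyberProof’s code), the hunt step described in the enrichment process above and in the list just given: enriched IOCs (IPs, domains, file hashes) are matched against endpoint and network events and grouped by host so the investigation can pivot to each affected machine. The IOC values, log format and hostnames are all constructed for this example; it also matches subdomains of an IOC domain, which goes slightly beyond the exact-value hunt the text describes.

```python
import re
from collections import defaultdict
# Constructed enrichment output keyed by IOC type. Every value here is made up
# (RFC 5737 documentation IPs, .example domains, a dummy hash) for this example.
ENRICHED_IOCS = {
    "ip": {"198.51.100.23", "203.0.113.77"},
    "domain": {"free-template-downloads.example", "cdn-update.example"},
    "sha256": {"a" * 64},
}
# Constructed sample events in key=value form, as an EDR or SIEM might export them.
SAMPLE_EVENTS = [
    "ts=2024-05-01T10:02:11Z host=WS-104 type=dns query=free-template-downloads.example",
    "ts=2024-05-01T10:02:13Z host=WS-104 type=net dst_ip=198.51.100.23 dst_port=443",
    "ts=2024-05-01T10:02:20Z host=WS-104 type=file sha256=" + "a" * 64 + " path=C:\\Users\\j\\Downloads\\template.zip",
    "ts=2024-05-01T10:05:00Z host=WS-221 type=dns query=docs.python.org",
    "ts=2024-05-01T10:41:09Z host=WS-310 type=dns query=files.CDN-Update.example",
    "ts=2024-05-01T11:17:42Z host=SRV-07 type=net dst_ip=203.0.113.77 dst_port=8080",
]
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Split a key=value event line into a dict."""
    return dict(KV_RE.findall(line))

def matching_domain(query, domains):
    """Return the IOC domain that `query` equals or is a subdomain of, else None."""
    q = query.lower().rstrip(".")
    return next((d for d in domains if q == d or q.endswith("." + d)), None)

def match_event(event, iocs):
    """Return (ioc_type, ioc_value) hits for one parsed event."""
    hits = []
    if event.get("dst_ip") in iocs["ip"]:
        hits.append(("ip", event["dst_ip"]))
    dom = matching_domain(event.get("query", ""), iocs["domain"])
    if dom:
        hits.append(("domain", dom))
    if event.get("sha256", "").lower() in iocs["sha256"]:
        hits.append(("sha256", event["sha256"].lower()))
    return hits

def hunt(lines, iocs):
    """Group IOC hits by host so the investigation can pivot to each affected machine."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for ioc_type, value in match_event(ev, iocs):
            by_host[ev.get("host", "unknown")].append((ev.get("ts"), ev.get("type"), ioc_type, value))
    return dict(by_host)
```

Hosts with several hit types in a short window (here WS-104: DNS lookup, connection, then file write) are the ones to investigate first, and the same IOC sets can be loaded into your detection rules to catch repeats.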
To learn more about how to future-proof your organization against cyber security threats, contact us!