Welcome to our Threat Labs Newsletter for late Summer 2021. Despite the season, It’s been a busy few months at Securonix for research, and below we share some of our recent work and highlights.
Welcome to the Team
Threat Labs continues to grow through key hires, and we are expanding our multi-disciplinary team with additional expertise and experience from industry innovators and thought leaders from across a variety of domains and diverse backgrounds.
Joshua Neil Joins Securonix Threat Labs as Chief Data Scientist
We welcome Joshua Neil to the Securonix Threat Labs team as our new Chief Data Scientist.
Josh is a Ph.D. statistician with over 20 years of data science experience, and most recently served as Principal Data Science Manager at Microsoft, where he helped design detection technology as part of Microsoft Defender for Endpoint and Microsoft 365 Defender products.
Josh will drive data science and machine learning research and development at Securonix.
You can read the full press release here.
Solay Adaikkalavan Joins as Director of Product Management
Solay joins Securonix Threat Labs with over ten years of technical product management experience. Before joining Securonix, Solay worked for RSA on the NetWitness Platform.
Solay will be responsible for leading all product management efforts across Securonix Threat Labs.
Recent Threat Research Initial Coverage Advisories
Threat Labs released an advisory on the recent Conti Ransomware insider leak. The source of the leak is a disgruntled associate working for the Conti Ransomware group who posted a collection of documents detailing the criminal group’s tactics, techniques, and procedures (TTPs). In our advisory you can learn how a Conti attack unfolds, what TTPs to look out for, and which detections we provide in our SIEM to help you detect Conti and other ransomware.
New Autonomous Threat Sweep Detections
Threat Labs released 28 new detections to Autonomous Threat Sweep (ATS). ATS is included in our SIEM offering and automatically and retroactively hunts for new and emerging threats in historical data based on the latest, up-to-date threat intelligence. It’s perfect as air-cover, alerting you if it finds any traces of a threat, and it is possible to opt-in at any time. You can also view our webinar on ATS here.
We publish all of the associated Securonix queries and indicators of compromise to our Github repository.
ATS Highlights
Top Five Detections in August
The top five threats in August 2021, based on prevalence in the wild, are:
Raccoon Stealer
ProxyWareAbuse
Prometheus TDS
LockBit 2.0
ServHelper RAT
Meet and See the Team at Events and Conferences
Oleg Kolesnikov, our VP of Threat Research, spoke together with Den Iuzvyk (Senior Security Researcher), at the SANS Blue team Summit on September 9th. Oleg and Den shared some code examples based on their experiences with Blue Team detection automation in code, including examples of the common blind spots, and how these blind spots can be addressed.
You can find additional information for the SANS Blue Team Summit here.
Real-World Insights From Our Threat Researchers
We kicked off our Medium Technical Blog at the end of July with a fantastic article on using Active Directory decoys to create a deception honeypot to detect LDAP enumeration by Bloodhound.
Trends and Observations
Below you’ll find some recent trends picked up by our threat researchers:
Detections Involving Legitimate Remote Admin Tool Use Continue to Rise
Attackers are increasingly using legitimate remote access tool payloads to evade detection and to stay under the radar, e.g. Anydesk.
Detections Focusing on Env-keyed Malicious Payloads
We are seeing more environment-keyed malicious payloads to evade cloud sandboxing.
Detections Involving Cross-Organizational Lateral Movement, Particularly for Ransomware
We are observing ransomware attacks increasingly leveraging stolen double-extortion data from cross-organizational exploitation. The gangs are targeting customers or partners of the original victim. A high-profile example of this is the Accenture LockBit ransomware & Bangkok Airways attack.
Recommendation: The ability to watch the “known-good” and benign apps for unexpected and malicious behaviors is critical. The ability to quickly eliminate false positives and deconflict through communications with internal DevOps and IT also increasingly matters.