Supporting threat hunters and incident response teams with hands-on data is crucial, as it not only safeguards organizations but provides the basis for a proactive prevention-first security strategy.
In recent years, a significant number of cyberattacks have been ransomware related and, despite fluctuations in frequency and intensity, they remain one of the most prevalent and feared security threats.
Ransomware attacks are highly orchestrated, but what makes them particularly insidious is that they are not merely automated programs running rampant through systems without direction but are often controlled minute-by-minute by human attackers. Once attackers utilize various Trojans to deploy the necessary tools, they meticulously navigate dozens of steps in search of valuable information within the compromised network. From there the options left open to defenders narrow, then increasingly become measures focused on mitigation — or worse, remediation.
The selection of “measures” is very much based on a keen understanding of the threats faced and any associated peculiarities, whether they be unique processes around privilege escalation or credential access techniques that enable cybercriminals to retrieve sensitive information until they can exfiltrate what they deem valuable. Every day, ESET Threat Intelligence (ETI) processes hundreds of millions of indicators of compromise (IOCs), akin to a database of clues left by cyber-intruders while they crawl through a victim’s network.
Preventing these chains of attacks is crucial since they can have long-lasting consequences, going beyond mere financial loss or data breach. They can provide leverage for future attacks and can sap the capacity and impact of defenders’ work across an organization’s entire threat surface. Working to avoid the narrowing of options means taking a prevention-first approach, putting in place preventive measures that stop ransomware payloads from reaching the endpoints. This process starts with insight and intelligence.
Putting threat intelligence to work
Researchers, SOC teams, threat hunters, and even curious prevention-minded admins can benefit from the types of threat intelligence that inform everything from replicated attack scenarios that aid red and blue team network defenders to security strategies, prevention measures, and detection and response incident triage.
ESET Threat Intelligence comes to users in highly accurate, curated, and actionable formats that amount to an up-to-date technical manual that enables customers to logically pursue a prevention-first approach to security. Specifically, both (wider) industry and ESET Threat Intelligence data are compiled and ready to be paired with observations made via other tools, including XDR, SIEM, and/or SOAR, to prevent damages from (for example) ransomware and any subsequent extortion from taking place.
<image 1.> Locating ESET Threat Intelligence’s role in proactive defense.
Users employing data/intel gathered in ETI for their inspection and/or monitoring of security incidents is just one way to create better-informed operators. In this use case, operators, increasingly supported by automation, can more consciously interact with incidents from an XDR’s triage system, for example, executables, malicious processes, computers, and threat indicators. From there, various forms of mitigation can be conducted in an informed, systematic, and prioritized manner. Specifically, an ESET user might employ ETI to cross-reference relevant data to better understand the actions necessary to perform in ESET INSPECT* (the XDR-enabling module of the ESET PROTECT platform).
The ransomware case here puts into focus why ESET Threat Intelligence, with its APT reports, unique data feeds, dashboard, and portal, has grown in popularity.
*ESET Threat Intelligence and ESET INSPECT (detection & response module) are not currently integrated via the ESET PROTECT platform.
Threat Intelligence – the tricks & trade of ransomware
In late 2023, ESET observed the SmokeLoader malware family, a generic backdoor with a range of capabilities that depend on the modules included in any given build of the malware, being utilized as one of the multiple variants packed by AceCryptor, a crypto service used worldwide by cybercriminals to obfuscate malware. SmokeLoader is deployed to download and execute the final payload of an attack discreetly, to evade security measures, making it crucial to rely on robust cyber defense mechanisms.
Defenders can specifically utilize ETI’s backend tracking systems to support an improved understanding of threats and apply their learnings to both prevention and proactive defense processes. ETI assembles all the clues needed to deploy prevention mechanisms and, when necessary, effectively mitigate against malware like SmokeLoader. Importantly, ETI’s benefits are vendor agnostic, so businesses already running alternate SIEM/SOAR products, including Microsoft Azure Sentinel, OpenCTI, IBM QRadar, Anomali and ThreatQuotient (outside of the ESET PROTECT ecosystem) can also gain from ETI’s unique data stream via our API.
<image 2.> OpenCTI SmokeLoader attacks.
This means that a wider spectrum of curious, prevention-minded admins can now turn to the main ESET research findings and other relevant data. These are published in regular reports on the ETI platform and portal and are accessible in specific territories, with ESET continuously working to expand their availability.
Delivering data to stop an attack before it happens
As with the SmokeLoader data, ETI clusters data on a wide spectrum of malware, finds similarities or particularities, highlights what stands out, and monitors attack chains and any changes in TTPs. This automation occurs in real time, continuously updating all feeds to provide end customers with the most important and immediately actionable intel on threats targeting them. These outputs are also synthesized into specific APT reports, which ensures customers receive pertinent information without being overwhelmed by excessive data.
<image 3 and 4> SmokeLoader IoCs in OpenCTI and Microsoft Sentinel.
ESET Threat Intelligence provides its data feeds to customers through the TAXII server, integrating it directly into their current systems, for example, Microsoft Sentinel or the OpenCTI Threat Intelligence Platform. The feeds cover various aspects of cybersecurity, including tracking malicious files, botnets, and APTs; identifying potentially harmful domains or URLs and IPs considered malicious; and tracking the associated data. To ensure compatibility and easy integration, the feeds are provided in widely used formats, such as JSON and STIX 2.1.
Fighting malicious activity
Preventing multifaceted threats from impacting your network, business continuity, and/or reputation requires a comprehensive and always up-to-date knowledge base. Thus, moving beyond the technical defenses against ransomware and other malware, security operators at organizations must adopt a knowledge-based security culture that puts learning on level with action.
<image 5.> ETI Portal Dashboard.
The cornerstones of security are particularly essential at public and private institutions that depend on well-developed SOC teams, threat hunters, and security operators that have both technical skills and access to the ever-growing body of work on threat actors, system configuration, and an understanding of what is and isn’t working.
These cornerstones are where ESET Research employs its long history of collaboration with law enforcement agencies, the Joint Cyber Defense Collaborative, and even its work with “No More Ransom” to communicate our views on ransomware, fight threats at large, and inform how and why we’ve built our threat intelligence platform, ETI.
Explore your use case for ETI via ESET API, ESET APT reports, the ETI data feed, or a comprehensive toolset for an ESET-powered prevention-first approach.
by Andre Lameiras and James Shepperd, ESET
Comments