Defending law firms - A case for pre-attack intelligence in the legal sector

Talanos Cybersecurity offers customers an intelligence service that uses various paid, open and closed community sources to feed threat indicators to our specialised human analysts. Our analysts review the indicators and often need to branch out their investigation and dig into multiple sources to determine whether the threat is active, whether it is internal or external to the organisation, and whether it poses a serious risk requiring immediate action.

Detecting early signs of serious issues

At a high level, some of the types of issues uncovered include:

  • An early discovery of malware infected machines talking to known bad actor infrastructure or leaking data and credentials
  • Monitoring anonymised Tor traffic into and out of the organisation which can also be an early indicator of compromise
  • Active leaked credentials that grant access into organisational systems unprotected by multifactor authentication
  • Unsanctioned use of third-party applications and software with data transfers outside of the organisation
  • Registration of typosquatting domains in preparation for a targeted business email compromise or phishing campaign
  • The use of personal non-compliant devices to access organisational systems and data
  • Sharing of credentials between users, which may be disallowed by the organisation’s IT security policies – poor password policies and weak enforcement controls can also be easily identified
  • Discussion of the organisation on closed forums in preparation for a targeted attack or following a discovered weakness
  • Discovered vulnerabilities or recently opened services in an organisation’s external attack surface – known or unknown to the IT team
  • Leaks related to VIP users who might not be using corporate email services only, monitoring their personal and portfolio company email domains
  • The discovery of planted canaries that might indicate a broader compromise or data loss

Most organisations have already lost significant data to the “Dark Web” – which represents roughly 5% of the Internet and can only be accessed through specialised software. Understanding what data is out there, combined with pre-attack intelligence, is crucial to knowing whether the organisation is at risk and what the nature of those risks is. In fact, many cybersecurity frameworks and standards such as ISO 27001 are beginning to mandate that strategies become “threat-led” and that organisations begin to gather external, dark and deep web intelligence.

Protecting a global law firm

A leading global law firm had identified a need to gather external threat intelligence and respond to emerging threats. The capability would need to augment their existing, comprehensive cybersecurity strategy and controls. Within weeks, Talanos had provided a comprehensive risk assessment that quantifiably demonstrated how their investment in the deployment and configuration of security controls had decreased their exposure to cyber risks over the last few years. The implementation of the law firm’s security strategy had decreased both the volume and impact of targeted threats and this was clearly visible in the data.

Having completed the initial assessment, Talanos moved the service into a 24/7 monitoring mode which detects threats and works to contain them as they emerge. In targeted attacks, threat actors might register domain names that look like the organisation’s legitimate domain and then send emails from that domain intended to deceive staff, customers and suppliers. In the course of their monitoring, the Talanos analysts detected a newly registered domain name that looked exactly like one of the firm’s legitimate domain names with certain letters replaced – a common typosquatting tactic that deceives users because it is difficult to tell whether a ‘vv’ or a ‘w’, or an ‘i’ or an ‘l’, has been used in an email or website address. The registration was made all the more suspicious by its DNS records: there were no entries other than a mail server configuration, indicating that the domain owner intended only to send mail from the domain.

Responding to emerging threats

Talanos worked quickly on two fronts. First, it prepared the law firm for a possible attack: the firm’s incident response team was asked to search email logs for any evidence of emails received from the registered mail server or from the typosquatted domain. No suspicious emails were found, indicating that the threat actor’s campaign had not yet begun. Talanos then asked the firm to consider creating an “Alert and Quarantine” rule, rather than a “Block All” rule, to trigger on mail received from the typosquatted domain, so that any such mail could be used as additional evidence in the takedown process. Talanos also suggested a company-wide notification asking staff to be on the lookout for emails containing the typosquatted domain, and potentially a security awareness campaign to educate the law firm’s customers. Talanos analysts moved into a heightened state of awareness and closely monitored their intelligence feeds for additional indicators of compromise.
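The two detection steps described above (spotting a lookalike domain whose DNS carries only a mail server, and an alert-and-quarantine rule over received mail) can be reduced to a small script. The following is an added example, not code from the case study or from Talanos; it assumes a constructed legitimate domain `example-law.com`, constructed newly registered domains with constructed DNS snapshots, and constructed mail-log lines, and its homoglyph table is an illustrative subset rather than a complete list.

```python
"""Typosquat watch-list check and alert-and-quarantine rule (added example, offline).

Assumptions (constructed for the example): the protected domain is
example-law.com, the DNS snapshots and mail-log lines below are made up,
and HOMOGLYPHS is an illustrative subset of visually confusable swaps.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Visually confusable single-character substitutions (illustrative subset).
HOMOGLYPHS = {
    "w": ["vv"],
    "l": ["i", "1"],
    "i": ["l"],
    "m": ["rn"],
    "o": ["0"],
}


def split_domain(domain: str) -> tuple[str, str]:
    """Split 'example-law.com' into ('example-law', 'com'); the TLD is never mutated."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def generate_lookalikes(domain: str) -> set[str]:
    """Return every domain reachable by one homoglyph substitution in the name part."""
    name, tld = split_domain(domain)
    variants: set[str] = set()
    for pos, ch in enumerate(name):
        for repl in HOMOGLYPHS.get(ch, []):
            variants.add(f"{name[:pos]}{repl}{name[pos + 1:]}.{tld}")
    return variants


@dataclass
class DnsSnapshot:
    """Record types observed for a domain (values constructed for the example)."""
    a: list[str] = field(default_factory=list)
    mx: list[str] = field(default_factory=list)
    txt: list[str] = field(default_factory=list)

    def mail_only(self) -> bool:
        """True when the domain resolves nothing but mail infrastructure."""
        return bool(self.mx) and not self.a


def assess_registration(candidate: str, legit: str, dns: DnsSnapshot) -> str:
    """Classify a newly registered domain relative to a protected legitimate domain."""
    candidate = candidate.lower()
    if candidate == legit.lower():
        return "legitimate"
    if candidate not in generate_lookalikes(legit):
        return "unrelated"
    # A lookalike with an MX record but no web presence matches the pattern in the
    # case study: the registrant intends to send mail from it, not host a site.
    return "lookalike-mail-only" if dns.mail_only() else "lookalike"


def sender_domain(line: str) -> Optional[str]:
    """Pull the sender's domain out of a 'from=user@domain' field in a mail-log line."""
    for token in line.split():
        if token.startswith("from="):
            addr = token[len("from="):]
            return addr.rpartition("@")[2].lower() if "@" in addr else None
    return None


def quarantine_matches(log_lines: list[str], watch: set[str]) -> list[str]:
    """Alert-and-quarantine rule: return the log lines whose sender domain is on the watch list."""
    return [ln for ln in log_lines if sender_domain(ln) in watch]


# Constructed sample data for a stand-alone run.
LEGIT = "example-law.com"
NEW_REGISTRATIONS = {
    "example-lavv.com": DnsSnapshot(mx=["mail.example-lavv.com"]),          # MX only
    "exampie-law.com": DnsSnapshot(a=["198.51.100.7"], mx=["mx.exampie-law.com"]),
    "unrelated.org": DnsSnapshot(a=["203.0.113.9"]),
}
MAIL_LOG = [
    "2024-05-02T09:14:11Z from=partner@example-law.com to=jdoe@example-law.com subject=Engagement_letter",
    "2024-05-02T09:20:47Z from=accounts@example-lavv.com to=jdoe@example-law.com subject=Invoice",
    "2024-05-02T09:31:02Z from=news@unrelated.org to=jdoe@example-law.com subject=Newsletter",
]

if __name__ == "__main__":
    watch = set()
    for domain, dns in NEW_REGISTRATIONS.items():
        verdict = assess_registration(domain, LEGIT, dns)
        print(f"{domain:20} {verdict}")
        if verdict.startswith("lookalike"):
            watch.add(domain)
    for hit in quarantine_matches(MAIL_LOG, watch):
        print("QUARANTINE:", hit)
```

The watch list is built from the registration feed first and then applied to the mail log, mirroring the order of events in the case: no hits in the log means the campaign has not started, while any hit is retained as evidence for the takedown rather than silently dropped.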

Secondly, Talanos worked through multiple takedown processes to disable the domain and its email-sending capability. Takedowns without evidence of abuse are challenging and must instead rely on claims of trademark infringement. Talanos performed a UK trademark search and found that the firm had trademarked its domain name in both text and logo form. The US-based domain registrar is compelled by the Digital Millennium Copyright Act of 1998 (“DMCA”) to review and respond to trademark and copyright claims, and had published its abuse notification process on its website. Talanos compiled the required information and submitted the claim to both the registrar and the email-sending service. The incident was later escalated to ICANN when the registrar failed to respond timeously.

Within two weeks of the threat actor registering the typosquatted domain, Talanos had successfully prepared the law firm against the possible attack and had taken down the offending domain and email-sending service before a single email could be sent. The legal firm’s CISO said, “The initial assessment was a really good report, easy to read, concise and well written. The team had also summarised the report in a slide which I included in my board presentation which was most helpful. I was really impressed with their detection and response capability – having proactively prevented an attack on our staff and customers. Ultimately, I feel comforted by the work Talanos do for us.”

Talanos Dark and Deep Web Intelligence service is offered as both a single point-in-time risk assessment report as well as an ongoing detection and response capability, without limitations on the number of domains, public facing IP addresses and VIP accounts monitored.