Evil Corp (AKA UNC2165) is one of the most capable cybercriminal syndicates in the world. Led by Maksim Yakubets, the gang is responsible for the development and operation of several powerful malware and ransomware variants, and it has a reputation for being exceptionally aggressive and capable. The gang is financially motivated, relying on digital extortion (e.g., ransomware) and the theft of sensitive information that can be sold on the dark web for profit. To learn more, see this Evil Corp summary from CyberRes Galaxy, our immersive threat research platform (you will need to register with Galaxy first to access the summary).
In May, Cisco was the victim of a cyberattack. Security researchers now speculate that the infrastructure used in the Cisco hack was the same infrastructure used to target a workforce management solution firm back in April, an attack attributed to Evil Corp. A threat actor affiliated with Evil Corp may have brokered initial access to Cisco’s network but ultimately sold the VPN credentials to Hive operators and their affiliates.
Elevate Situational Awareness to Keep up with Cybercriminals
Threats from the cybercrime underground emerge each day. Most people, and many organizations, lack awareness of how to prepare for and respond to these increasing threats. As October is Cybersecurity Awareness Month, we should all endeavor to learn more (CyberRes is an official Champion of the cause and strives to provide organizations with resources that help them avoid data breaches). The Reimagining Cyber podcast series has had several episodes that can help, including:
- Inside Cybercrime (accompanying blog) – In this episode Raveed Laeb (VP, KELA) shares how threat actors are putting more effort into building lasting business-like enterprises — investing more in branding, customer support, cybercrime-as-a-service, specialization, and even intuitive user interfaces.
- Colonial Pipeline fuels the fire: not the first, not the last, and how to protect for the future (accompanying blog) – Brett Thorson (Principal, Platinion) does a deep dive into the Colonial Pipeline attack and shares general best practices on how organizations can better prepare and respond to cyberattacks.
- COVID-19, The Cavalry, and Cyber – No one is coming to save you (accompanying blog) – As co-founder of “I am the Cavalry”, Josh Corman (VP Cyber Safety Strategy, Claroty) notes all of us have responsibility to keep ourselves safe in cyberspace and provides a strategy to do so.
- So you’ve been hacked, now what? (accompanying blog) – Shawn Tuma (Cybersecurity and Data Privacy Attorney and Partner, Spencer Fane, LLP) deals with cyberattacks on a daily basis. In this episode he shares his experiences and best practices about what to do once you’ve been breached.
Going beyond general cyberattack preparation and response, how can CyberRes SecOps solutions help?
GTAP+ integration with ArcSight Automates Curated Intelligence-based Response
Earlier this year, analyst firm KuppingerCole released their 2022 Leadership Compass for Intelligent SIEM Platforms, which named ArcSight an Overall Leader, as well as a Product, Innovation, and Market Leader. As Preston Wheiler captured in this blog, An Innovative SIEM Leader and a Customers’ Choice, KuppingerCole praised ArcSight for its unified SecOps platform, its natively integrated SOAR, and its advanced threat analytics.
CyberRes' SecOps solution portfolio has continued to enhance its threat-management-focused offering, CyberRes Galaxy. Galaxy Online, a free-to-use threat research platform, can be leveraged to proactively assess threat actors in the cybercriminal ecosystem and anticipate the potential impact on our customers' businesses. ArcSight ESM customers are entitled to install Galaxy Threat Acceleration Program (GTAP) Basic, which automatically incorporates threat monitoring content and sources into ArcSight to increase visibility into threats. GTAP+ is the premium version of CyberRes Galaxy’s threat feed and is specifically built for ArcSight ESM. It incorporates insights from Galaxy’s threat research network, powers advanced implementation of MITRE ATT&CK and D3FEND countermeasures, and provides high-confidence indicator information for efficient use in triage and automation, helping Security Operations practices achieve more with less.
The GTAP+ offering of Galaxy now integrates with SOAR, providing enhanced semi-automated responses to threats identified in the Galaxy universe. This enables ArcSight ESM customers who have subscribed to GTAP+ to respond faster to threats, with fewer false-positive distractions and less wasted analyst effort.
The diagram below represents an example of a SOAR playbook. It contains enrichment and action groups organized by category. In this case, the GTAP+ integration supplies IP, file, and URL reputation indicators from Galaxy to enrich the event data and trigger automated actions.
You could also add an analyst decision element to determine whether to block or not, making the playbook semi-automated.
ArcSight ESM customers already have access to strong SOAR capabilities without any additional license fees. The addition of GTAP+ will enable ArcSight ESM customers to act and respond quickly, at the velocity needed to thwart today’s threats.
Learn More:
To learn more, please attend this webinar on October 18 that is focused on Galaxy’s GTAP+ program called “How I learned to trust my threat intelligence solution.”
Join our Galaxy Community. Have technical questions about Galaxy’s threat intelligence? Visit the Galaxy User Discussion Forum. Keep up with the latest Tips & Info. Do you have an idea or Product Enhancement Request about ArcSight? Submit it in the Idea Exchange. Check out these Galaxy resources.