
The Imperative of Accelerating Effective Threat Response

by in Cybersecurity

Evil Corp (also tracked as UNC2165) is one of the most capable cybercriminal syndicates in the world. Led by Maksim Yakubets, the gang is responsible for the development and operation of several powerful malware and ransomware families and has a reputation for being exceptionally aggressive. It is financially motivated: it uses digital extortion (e.g., ransomware) and steals sensitive information that can be sold on the dark web for profit. To learn more, see this Evil Corp summary from CyberRes Galaxy, our immersive threat research platform (you will need to register with Galaxy first to access the summary).


In May 2022, Cisco was the victim of a cyberattack. Security researchers are now speculating that the infrastructure used in the Cisco hack was the same infrastructure used to target a workforce management solution firm back in April, an attack that was attributed to Evil Corp. A threat actor affiliated with Evil Corp may have acted as the initial access broker for Cisco's network, ultimately selling the stolen VPN credentials to Hive ransomware operators and their affiliates.

Elevate Situational Awareness to Keep up with Cybercriminals 

New threats from the cybercrime underground emerge every day. Most people, and many organizations, lack awareness of how to prepare for and respond to them. As October is Cybersecurity Awareness Month, we should all endeavor to learn more (CyberRes is an official Champion of the cause, and strives to provide organizations with resources to help avoid data breaches). The Reimagining Cyber podcast series has had several episodes that can help, including: 

Going beyond general cyberattack preparation and response, how can CyberRes SecOps solutions help?

GTAP+ integration with ArcSight Automates Curated Intelligence-based Response 

Earlier this year, analyst firm KuppingerCole released their 2022 Leadership Compass for Intelligent SIEM Platforms, which named ArcSight an Overall Leader, as well as a Product, Innovation, and Market Leader. As Preston Wheiler captured in this blog, An Innovative SIEM Leader and a Customers’ Choice, KuppingerCole praised ArcSight for its unified SecOps platform, its natively integrated SOAR, and its advanced threat analytics.  

CyberRes' SecOps solution portfolio has continued to add enhancements through its threat management focused offering, CyberRes Galaxy. Galaxy Online, a free-to-use threat research platform, can be leveraged to proactively assess threat actors in the cybercriminal ecosystem and anticipate their potential impact on our customers' businesses. ArcSight ESM customers are entitled to install Galaxy Threat Acceleration Program (GTAP) Basic, which automatically incorporates threat monitoring content and sources into ArcSight to increase visibility into threats. GTAP+ is the premium version of CyberRes Galaxy's threat feed and is built specifically for ArcSight ESM. It incorporates insights from Galaxy's threat research network, powers advanced implementation of MITRE ATT&CK and D3FEND countermeasures, and provides high-confidence indicator information for efficient use in triage and automation, helping security operations teams achieve more with less. 

The GTAP+ offering of Galaxy now integrates with ArcSight SOAR, providing semi-automated responses to threats identified in the Galaxy universe. ArcSight ESM customers who subscribe to GTAP+ can therefore respond to threats faster, with fewer false positives to distract analysts and waste resources.

Galaxy integrates with SOAR

The diagram below represents an example of a SOAR playbook. The playbook is organized into enrichment and action groups by indicator category. With the GTAP+ integration, IP, file, and URL reputation indicators from Galaxy enrich the alert data, and the enriched result is what triggers the automated actions.

SOAR playbook

You could also add an analyst decision element that determines whether or not to block, making the playbook semi-automated rather than fully automated.
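To make the enrichment-then-action flow concrete, here is an added example (not code from the original post, and not the GTAP+ or ArcSight SOAR implementation) of a minimal playbook in Python. The reputation feed, its schema (a confidence score and a label per indicator), the thresholds, and the `analyst_approves` callback are all assumptions made for the example; the point is the routing: high-confidence hits are blocked automatically, medium-confidence hits are parked behind an analyst decision, and unknown observables produce no action.

```python
"""Minimal model of a semi-automated SOAR playbook.

An alert carries observables (IPs, URLs, file hashes). The enrichment group
looks each one up in a reputation feed; the resulting top confidence routes
the alert into an action group: automatic block, analyst decision, or no
action. The feed below is constructed for this example and is NOT Galaxy data;
its shape is an assumption, not the real GTAP+ schema.
"""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    AUTO_BLOCK = "auto_block"          # high-confidence malicious: block without a human
    ANALYST_REVIEW = "analyst_review"  # medium confidence: queue a decision task
    NO_ACTION = "no_action"            # unknown or benign: nothing to do here


# Constructed reputation feed (hypothetical values, RFC 5737 test addresses).
REPUTATION_FEED = {
    "ip": {
        "203.0.113.10": {"confidence": 95, "label": "c2"},
        "198.51.100.7": {"confidence": 60, "label": "scanner"},
    },
    "url": {
        "http://example.invalid/payload.bin": {"confidence": 90, "label": "malware-delivery"},
    },
    "sha256": {
        "a" * 64: {"confidence": 98, "label": "ransomware"},
    },
}

AUTO_BLOCK_THRESHOLD = 85  # assumed policy: block on automation alone above this
REVIEW_THRESHOLD = 50      # assumed policy: below this, do not bother an analyst


@dataclass
class Alert:
    alert_id: str
    observables: dict                      # {"ip": [...], "url": [...], "sha256": [...]}
    enrichment: list = field(default_factory=list)


def enrich(alert: Alert, feed=REPUTATION_FEED) -> Alert:
    """Enrichment group: look every observable up and attach the feed's verdict."""
    for kind, values in alert.observables.items():
        for value in values:
            hit = feed.get(kind, {}).get(value)
            alert.enrichment.append({
                "type": kind,
                "value": value,
                "confidence": hit["confidence"] if hit else 0,
                "label": hit["label"] if hit else None,
            })
    return alert


def decide(alert: Alert) -> Verdict:
    """Route on the strongest enrichment hit; the highest confidence wins."""
    top = max((e["confidence"] for e in alert.enrichment), default=0)
    if top >= AUTO_BLOCK_THRESHOLD:
        return Verdict.AUTO_BLOCK
    if top >= REVIEW_THRESHOLD:
        return Verdict.ANALYST_REVIEW
    return Verdict.NO_ACTION


def run_playbook(alert: Alert, analyst_approves=None) -> dict:
    """Action group.

    `analyst_approves` is the analyst decision element: a callable that takes
    the enriched alert and returns True/False. When it is None the review task
    is only queued and nothing is blocked yet, which is what makes the playbook
    semi-automated for medium-confidence hits.
    """
    enrich(alert)
    verdict = decide(alert)
    if verdict is Verdict.AUTO_BLOCK:
        # Automation only touches the high-confidence indicators; a medium hit in
        # the same alert still waits for a human.
        blocked = [e["value"] for e in alert.enrichment
                   if e["confidence"] >= AUTO_BLOCK_THRESHOLD]
    elif verdict is Verdict.ANALYST_REVIEW and analyst_approves and analyst_approves(alert):
        blocked = [e["value"] for e in alert.enrichment
                   if e["confidence"] >= REVIEW_THRESHOLD]
    else:
        blocked = []
    return {"alert_id": alert.alert_id, "verdict": verdict.value, "blocked": blocked}


if __name__ == "__main__":
    sample = Alert("A1", {"ip": ["203.0.113.10", "198.51.100.7"], "sha256": ["b" * 64]})
    print(run_playbook(sample))
```

The one design choice worth calling out is that the automatic path never acts on a medium-confidence indicator, even when the same alert contains a high-confidence one; lowering that bar is exactly the false-positive cost that a curated, high-confidence feed is meant to avoid.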

ArcSight ESM customers already have access to these SOAR capabilities without any additional license fees. The addition of GTAP+ enables ArcSight ESM customers to act and respond at the velocity needed to thwart today's threats. 

Learn More: 

To learn more, please attend the October 18 webinar on Galaxy's GTAP+ program, "How I learned to trust my threat intelligence solution." 

Join our Galaxy Community. Have technical questions about Galaxy’s threat intelligence? Visit the Galaxy User Discussion Forum. Keep up with the latest Tips & Info. Do you have an idea or Product Enhancement Request about ArcSight? Submit it in the Idea Exchange. Check out these Galaxy resources. We’d love to hear your thoughts on this blog. Log in or register to comment below.

Labels:

Security Operations