The IronLens

Introducing IronNet’s Monthly CyOC Report

Accenture just released its third annual “State of Cyber Resilience Report,” and the study’s findings about cybersecurity defense are somewhat alarming: “Despite higher levels of investment in advanced cybersecurity technologies over the past three years, less than one-fifth of organizations are effectively stopping cyberattacks and finding and fixing breaches fast enough to lower the impact.”

At IronNet, we believe collective defense can act as a force multiplier for those working behind the scenes at SOCs across sectors by enabling them to collaborate in a real-time ecosystem. Enabling the sharing of information within the IronDome collective defense platform is only one part of our mission at IronNet. We also want to share with the public at large any information that will contribute to greater awareness of, and ultimately protection against, the cybersecurity threats that are being used to steal data and intellectual property and to compromise critical infrastructure and national security.

That’s why we’ve created The IronLens monthly blog series: to provide focus on current events in cybersecurity and a closer look at threats affecting the cyber community today as we advance the collective defense mission, together.

The February IronLens from the IronNet CyOC

Our approach at the IronNet Cyber Operations Center (CyOC) is two-fold. First, our advanced NTA solution, IronDefense, identifies and highlights network behavioral anomalies along the Cyber Kill Chain. In turn, the IronNet CyOC experts rate them as suspicious/malicious. In other words, IronDefense uses both machine learning models and the threat intelligence of our CyOC hunters who validate and qualify the threats. Analysts also indicate benign threats, thereby saving time and enabling the prioritization of response. Second, we draw on the participant analysts in our collective defense ecosystem, IronDome, and participants’ anonymized log data to see across a broader playing field. This approach amplifies cyber defense across the sector and even across different industries participating in the same IronDome.

Our sharp eye on cyber threats

Our CyOC distributes these behavioral analytic detections to all IronDome participants. In February, 126 billion flows of traffic were ingested and processed, from which 409,000 alerts were detected across all IronDefense deployments. Of the total alerts, 737 were high severity (i.e., alerts scored at 900 or higher), and 203 were correlated ones, meaning severe alerts were found in more than one IronDome participant’s network.

Significant community findings revealed 72 Indicators of Compromise (IoCs) that may pose risk to IronDome participant environments. These IoCs are used to trigger alerts that are mapped to the Cyber Kill Chain to identify the stage and progression of the threat. They can be used to create detection rules for network, endpoint, or other security tools currently deployed to mitigate cyber risk in each IronDome participant’s environment. The Top 10 Indicators of Compromise included domains or IPs relating to credit card skimming, fake Amazon login pages, and IoCs associated with browser hijackers. See the February IronLens Report for the full list.

The bigger picture of collective defense

Based on community findings, IronNet’s expert threat analysts create threat intelligence rules (TIR) to detect malicious behavior. In February, we created 11,094 threat intel rules, including signatures looking for Indicators of Compromise. TIRs derived from IronNet’s behavioral analytic findings that are identified as malicious are shared in real time. Additionally, rules were created to identify URLs known to be hosting malicious payloads based upon findings from the IronNet Threat Research Team. Rules were also created to search for recent activities documented by researchers in the wider cybersecurity community. Some examples of this month’s research include:

  • A phishing campaign using email lures executed by the Iran-linked group Charming Kitten posing as journalists
  • A campaign installing malicious files into a large number of premium WordPress themes and plugins as a means to compromise web servers

You can see more in the full February IronLens CyOC Report.

This combination of behavior-driven and IoC signature-based detection, alert ranking, and sharing ensures our customers have the broadest view of threats facing their enterprise.

A wider aperture for cyber defense

The CyOC continues to track industry threats to strengthen cybersecurity resilience across industries. For example:

  • The cybersecurity company ClearSky released a report on a large-scale campaign dubbed Fox Kitten. ClearSky asserts this campaign is linked to multiple Iranian APT groups which were either sharing attack infrastructure or may have been erroneously identified as independent groups.
    • The primary initial intrusion vector outlined in the report is the use of various recently publicized vulnerabilities in popular VPN services such as Pulse Secure, Fortinet, and Palo Alto’s GlobalProtect.
    • The actors appear to have become adept at quickly weaponizing these vulnerabilities and then establishing mechanisms to maintain persistence in the victim systems. The report lists a wide range of targeted countries and industries, including the information technology, telecommunications, oil and gas, aviation, government, and security sectors.

Learn about additional threats on the horizon in this month’s IronLens Report.

That’s a wrap from the CyOC! See you next month.
