InQuest Insider - November 2023
InQuest.net
Take your risk out of their hands. File-based cybersecurity protection to enforce Zero Trust and minimize end-user risk.
Attackers can hide a threat in nearly any part of a file, from content to metadata. You need a security solution designed to uncover threats, no matter where they hide. FileTAC, powered by our Deep File Inspection (DFI) technology, is that solution.
Many security solutions are dependent on receiving constant updates and rely on broader public dissemination before they are capable of identifying emerging threats. FileTAC leverages machine learning and advanced analytical algorithms to empower you to hunt for publicly unknown threats, keeping you ahead of the curve.
Dig deeper, learn more, and give your SOC team the tools they need to go on the offensive. Our Deep File Inspection technology will give your team everything they need to stop file-borne threats in their tracks.
InQuest Email Attack Simulation
This month we harvested 552 in-the-wild samples that bypassed either Microsoft or Google. Of those, Microsoft missed 91 (16%) and Google missed 137 (25%); InQuest (MailTAC) missed only 6 (1%). The distribution of misses by file type is depicted below:
InQuest EAS includes samples sourced from 50+ industry-leading blogs. This month, we sourced 407 samples from these blogs for inclusion in attack simulation.
Want to validate the efficacy of your email security stack? InQuire here for a one-month free email attack simulation.
Labs' IOC Lead Time
Every month we measure how far ahead of public blogs our C2 (Command and Control) and TI (Threat Intelligence) feeds surface indicators. Over the past 30 days we examined 1,568 indicators. Our feeds preceded public disclosure for 1 C2 indicator and 209 Threat Intelligence and Dark Web (TIDB) indicators across 24 distinct sources, with an average lead time of 234 days for those indicators. These 210 early indicators cover 13% of the observed IOCs.
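The lead-time comparison above reduces to a simple calculation: for each indicator, compare the date it first appeared in a Labs feed with the date it was first published by a blog, count the indicators where the feed was earlier (a "win") per source type, average the gap in days across wins, and report wins as a share of everything examined. The block below is an added example of that calculation and is not InQuest's own tooling; the indicator records are constructed, and the `labs_seen` / `public_seen` field names are assumptions.

```python
from collections import Counter
from datetime import date
from statistics import mean

# Constructed indicator records (not Labs data). labs_seen is the date the
# indicator first appeared in an internal feed; public_seen is the earliest
# blog publication date. None means the feed never carried the indicator.
INDICATORS = [
    {"ioc": "198.51.100.7", "source": "C2",
     "labs_seen": date(2023, 3, 1), "public_seen": date(2023, 10, 1)},
    {"ioc": "203.0.113.9", "source": "C2",
     "labs_seen": date(2023, 11, 5), "public_seen": date(2023, 11, 2)},
    {"ioc": "evil.example", "source": "TIDB",
     "labs_seen": date(2023, 1, 10), "public_seen": date(2023, 9, 20)},
    {"ioc": "bad.example", "source": "TIDB",
     "labs_seen": date(2023, 6, 1), "public_seen": date(2023, 6, 1)},
    {"ioc": "sha256:placeholder", "source": "TIDB",
     "labs_seen": None, "public_seen": date(2023, 11, 10)},
]


def lead_time_report(indicators):
    """Count early indicators per source, average their lead time, and
    compute coverage (wins as a percentage of all indicators examined)."""
    # A win requires the feed date to be strictly earlier than public disclosure;
    # a same-day sighting or a missing feed date does not count.
    wins = [i for i in indicators
            if i["labs_seen"] is not None and i["labs_seen"] < i["public_seen"]]
    wins_by_source = Counter(i["source"] for i in wins)
    lead_days = [(i["public_seen"] - i["labs_seen"]).days for i in wins]
    return {
        "examined": len(indicators),
        "wins_by_source": dict(wins_by_source),
        "avg_lead_days": round(mean(lead_days)) if lead_days else 0,
        "coverage_pct": round(100 * len(wins) / len(indicators)) if indicators else 0,
    }


if __name__ == "__main__":
    print(lead_time_report(INDICATORS))
```

On the constructed records two of five indicators are wins (one C2, one TIDB), which is 40% coverage; the second C2 record is not a win because the feed lagged the blog, and the same-day TIDB record is excluded by the strict comparison.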
InQuest Latest Blog Posts & Events
Navigating the Evolving Landscape of File-Based Cyber Threats
Posted on 2023-11-20 by Katie Brown
One of the most significant trends in the realm of file-based attacks is the use of email as a primary delivery mechanism. Attackers are increasingly leveraging emails to deploy their malicious payloads, capitalizing on the ubiquity and essential nature of email communications in the business world.
Less is Not More: Sharing Better Indicators
Posted on 2023-11-21 by Darren Spruell
Discover how to increase the effectiveness of threat information sharing by standardizing enriched indicators and review available tooling that can help with this endeavor.
InQuest Labs Research Spotlight
Nemesis
Nemesis is an offensive data enrichment pipeline and operator support system. Built on Kubernetes with scale in mind, our goal with Nemesis was to create a centralized data processing platform that ingests data produced during offensive security assessments.
AVClass
AVClass is a Python package and command line tool to tag / label malware samples. You input the AV labels for a large number of malware samples (e.g., VirusTotal JSON reports) and it outputs a list of tags extracted from the AV labels of each sample.
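To illustrate the labeling approach described above, the block below is an added example (not AVClass's own code or API) of the core idea: tokenize each engine's label from a VirusTotal-style report, discard generic tokens such as "Trojan" or "Win32", and let the remaining tokens compete by vendor vote. The report is constructed, the vendor names are placeholders, and the generic-token list is an assumed minimal stoplist rather than AVClass's curated taxonomy.

```python
import json
import re
from collections import Counter

# Constructed VirusTotal-style report fragment (not real scan data).
SAMPLE_REPORT = json.dumps({
    "sha256": "0" * 64,
    "scans": {
        "VendorA": {"detected": True, "result": "Trojan.Win32.Emotet.abc"},
        "VendorB": {"detected": True, "result": "W32/Emotet-A"},
        "VendorC": {"detected": True, "result": "Trojan:Win32/Generic!ml"},
        "VendorD": {"detected": True, "result": "Malware.Heuristic.12345"},
        "VendorE": {"detected": False, "result": None},
        "VendorF": {"detected": True, "result": "Trojan-Banker.Win32.Emotet.gen"},
    },
})

# Assumed minimal stoplist of tokens that describe type or platform, not family.
GENERIC_TOKENS = {"trojan", "win32", "w32", "generic", "malware", "heuristic",
                  "gen", "ml", "banker", "agent", "variant", "heur"}


def tokenize(label):
    """Split an AV label into candidate family tokens."""
    tokens = re.split(r"[^a-z0-9]+", label.lower())
    # Drop short suffixes (variant letters), pure numbers, and generic words.
    return [t for t in tokens
            if len(t) >= 4 and not t.isdigit() and t not in GENERIC_TOKENS]


def tag_sample(report_json, min_votes=2):
    """Return (token, votes) pairs with at least min_votes vendor votes,
    most-voted first."""
    report = json.loads(report_json)
    votes = Counter()
    for verdict in report["scans"].values():
        label = verdict.get("result")
        if not verdict.get("detected") or not label:
            continue
        # One vote per vendor per token, so a repeated token in one label
        # does not double-count.
        for tok in set(tokenize(label)):
            votes[tok] += 1
    return [(tok, n) for tok, n in votes.most_common() if n >= min_votes]


def family(report_json):
    """Top-voted tag, or None when no token reaches the vote threshold."""
    ranked = tag_sample(report_json)
    return ranked[0][0] if ranked else None


if __name__ == "__main__":
    print(tag_sample(SAMPLE_REPORT), family(SAMPLE_REPORT))
```

In the constructed report three of the five detecting engines agree on "emotet" once type and platform words are removed, while the two purely generic labels contribute no tokens at all; the vote threshold is what keeps one engine's idiosyncratic naming from becoming a tag on its own.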
Self-Operating Computer
A framework to enable multimodal models to operate a computer. Using the same inputs and outputs of a human operator, the model views the screen and decides on a series of mouse and keyboard actions to reach an objective.
Global Security Events
Malware Spotlight - Into the Trash: Analyzing LitterDrifter
Gamaredon, also known as Primitive Bear, ACTINIUM, and Shuckworm, is a unique player in the Russian espionage ecosystem that targets a wide variety of almost exclusively Ukrainian entities. While researchers often struggle to uncover evidence of Russian espionage activities, Gamaredon is notably conspicuous. The group behind it conducts large-scale campaigns while still primarily focusing on regional targets.
US seizes Sinbad crypto mixer used by North Korean Lazarus hackers
The U.S. Department of the Treasury has sanctioned the Sinbad cryptocurrency mixing service for its use as a money-laundering tool by the North Korean Lazarus hacking group. A cryptocurrency mixer is a server that allows people to deposit crypto, which is mixed among many different wallet addresses to help prevent it from being accurately traced.
Exploitation of Unitronics PLCs used in Water and Wastewater Systems
CISA is responding to active exploitation of Unitronics programmable logic controllers (PLCs) used in the Water and Wastewater Systems (WWS) Sector. Cyber threat actors are targeting PLCs associated with WWS facilities, including an identified Unitronics PLC, at a U.S. water facility. In response, the affected municipality’s water authority immediately took the system offline and switched to manual operations—there is no known risk to the municipality’s drinking water or water supply.
Useful Links
Prefer to receive the InQuest Insider via email? Subscribe here.
Copyright © InQuest 2023