In the past several weeks, a familiar kind of evolution has taken place within the Get2 attack schema, a prolific cyber-threat program. TA505, the group behind Get2, saw the return on its tactics diminish because of how long those tactics had been in place, how heavily they had been used, and how actively security operations teams were exchanging counter-intelligence about them. In response, the group paused activity for several days, then resurfaced swiftly with a new delivery mechanism for reaching its victims. In this particular case, Get2 changed from HTML-file-based delivery to embedded links overnight.
Thanks to broad intelligence collection, initial indications of the change began to circulate through vigilant private intelligence-sharing communities while most of the western hemisphere was still asleep. This initial discovery and distribution included the stage 2 and stage 3 domains that the attack infrastructure uses for malware delivery, and security personnel on call were able to start their respective processes with that information. Success in countering an attack evolution does not rest solely on the availability of information; it also depends on how quickly security operations teams can act on it. Together, the two determine how confident a company can be in combating the latest threat from this attack infrastructure.
In a highly capable security operations center (SOC), team members use information-gathering and intelligence-enrichment processes to target the threats most relevant to them and their clients. Where Get2 was attempting to breach a company, enrichment meant analysts taking the new information and “tuning” it into controls specific to the company’s IT infrastructure in order to block the attack. While knowing everything going on in the cyber-attack realm would be ideal, the most important threat intelligence is knowledge of what is happening in and against one’s own enterprise.
Successfully reacting to Get2 looked like this:
- Middle of the night, Day 1 uncovering of the tactic change
- Sharing data about the change, including the stage 2 and stage 3 domains to add to blocklists
- Enriching the information with an assortment of tools, along with internally and externally gathered intelligence, leading to the creation or updating of controls to combat the new tactics
- Incorporating the updated defense into intelligence-sharing across the company’s security operations teams, thus ensuring all analysts are working with the most updated information
- Sharing control ideas and additional research findings with security communities for a stronger network of defense against this specific attack vector
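The blocklist and control-tuning steps above, as an added example that is not from the original post or from any of the teams it describes: a shared indicator list is normalized into a blocklist, and a proxy log is retro-hunted for earlier contact with those staging domains. Every domain, client address and log line is a constructed placeholder, not a real indicator.

```python
"""Added example: turn shared Get2 stage 2 / stage 3 domains into a blocklist
and retro-hunt a proxy log for earlier contact. All values are constructed."""
from urllib.parse import urlsplit

# Constructed indicator share as it might arrive from a sharing community:
# (domain or URL, stage). Note the inconsistent case and the duplicate entry.
SHARED_INDICATORS = [
    ("Stage2-Example.test", "stage2"),
    ("http://stage3-example.test/path", "stage3"),
    ("stage2-example.test", "stage2"),  # duplicate differing only in case
]

# Constructed proxy log: timestamp, client IP, URL, proxy action.
PROXY_LOG = """\
2019-10-15T02:10:00Z 10.0.0.5 http://intranet.example.test/home allowed
2019-10-15T02:12:31Z 10.0.0.7 http://stage2-example.test/load.html allowed
2019-10-15T03:40:02Z 10.0.0.9 https://stage3-example.test/payload allowed
2019-10-15T05:01:12Z 10.0.0.7 http://stage2-example.test/load.html blocked
"""

def normalize_domain(value):
    """Strip scheme, path and case so hand-shared indicators match log hosts."""
    host = urlsplit(value if "://" in value else "//" + value).hostname or ""
    return host.lower().strip(".")

def build_blocklist(indicators):
    """Deduplicated domain -> stage mapping, ready to load into a proxy/DNS control."""
    return {normalize_domain(d): stage for d, stage in indicators}

def retro_hunt(log_text, blocklist):
    """Every log line whose host is on the blocklist, as
    (timestamp, client, domain, stage, action). 'allowed' hits are prior contact."""
    hits = []
    for line in log_text.splitlines():
        ts, client, url, action = line.split()
        host = normalize_domain(url)
        if host in blocklist:
            hits.append((ts, client, host, blocklist[host], action))
    return hits

def hosts_to_triage(hits):
    """Clients that reached a staging domain before the control blocked it."""
    return sorted({h[1] for h in hits if h[4] == "allowed"})

if __name__ == "__main__":
    bl = build_blocklist(SHARED_INDICATORS)
    hits = retro_hunt(PROXY_LOG, bl)
    print("blocklist:", bl)
    for hit in hits:
        print(hit)
    print("triage:", hosts_to_triage(hits))
```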
Teams can make great strides within a matter of hours because they have operators with dynamic skill sets, deep knowledge of and attention to the active threats specific to the infrastructure they protect, and broad, reliable community-sharing relationships. With these proactive approaches, they can have the defense ready for the follow-on attack campaigns that will be launched later that same day.