In July 2021, security researchers and analysts from Huntress disclosed an ongoing ransomware campaign affecting more than 30 managed service providers (MSPs) operating deployments of the Kaseya VSA server. Threat actors associated with the REvil ransomware collective leveraged a series of zero-day vulnerabilities in Kaseya VSA servers to deploy ransomware to the affected MSPs’ downstream customers, totaling more than 1,000 businesses globally. One of the affected businesses, a prominent Swedish grocery store, was reportedly forced to close 800 physical locations, resulting in lost revenue and unsellable inventory. In coordination with Kaseya and other security industry experts, Huntress published a report detailing the exploits observed, including numerous indicators of compromise (IOCs) that can indicate infection of VSA servers or other adjacent endpoints and other malicious network activity.
The CTIX Solution
Cyware Threat Intelligence eXchange (CTIX) has robust collection integration capabilities that enable Cyber Threat Intelligence (CTI) teams and analysts to ingest nearly limitless types of data sources. CTIX can be configured to ingest posts from many of the leading vendor research blogs via RSS feeds, most of which contain valuable IOCs.
Huntress’ blog post ingested automatically into CTIX.
Actionable indicators can be automatically extracted from the blog post and published to relevant CTIX Intel Collections for downstream subscribers based on prescribed workflows—all in a matter of minutes.
CTIX’s use of intel collections provides a logical separation of data that can support even the most challenging workflows or sharing relationships. For example, multiple collections can be created to separate network-based indicators from endpoint indicators. Additional automation and orchestration can apply this data to appropriate security controls more efficiently.
CTIX automatically parses the content of the Huntress blog posts and suggests indicators to include in an intel package.
Multiple intel collections are created to support specific sharing workflows.
The CTIX rules engine facilitates this segregation of data. Rules can be created to disseminate these intel packages to their prescribed collection based on a series of conditions including confidence score, traffic light protocol (TLP), custom tags, and other customizable parameters. Automatically distributing data based on predetermined parameters can dramatically decrease the time between ingestion and dissemination enabling defenders to initiate appropriate controls and respond to incidents faster. Additionally, automated sharing of threat indicators also reduces the need for human analysts to curate often voluminous data from indicator feeds, which enables these resources to be reallocated to more substantive tasks.
A custom rule in the CTIX Rules Engine extrapolates IP addresses from ingested data to be published in a specified intel collection to be actioned by downstream subscribers.
The CTIX platform provides CTI teams with robust capabilities to enhance and expedite the sharing of threat intelligence. Adding automation to the processing and dissemination of threat data affords human analysts additional time to concentrate on providing impactful analysis and developing essential insights that produce more actionable intelligence.