IronNet Blog

Proactive Intelligence Against Infostealers: Lessons from the Snowflake Data Breach

no-reply@ironnet.com (IronNet) — Fri, 14 Jun 2024 16:05:01 GMT

After major cyber attacks or data breaches, cybersecurity companies and professionals universally face the question, "How would you have detected or prevented this type of attack?" This week, the question is related to the Snowflake data breach.

EDR-Killing Malware and the Need for Network Detection

IronNet Threat Research — Fri, 24 May 2024 13:03:18 GMT

A recent blog by Elastic Security Labs details GHOSTENGINE, a crypto miner that leverages an intrusion set (HIDDENSHOVEL) to disable endpoint security solutions (EDRs) on a victim host. While crypto miners may not pose a grave threat to an enterprise, the usage of anti-EDR functions is dangerous and likely to increase in prevalence. In today's cybersecurity landscape, confidence and reliance upon an enterprise endpoint solution are commonplace; this further increases when leveraging XDR capabilities to add network detection functions. While EDR is a critical component of any cybersecurity framework, Network Detection and Response (NDR) solutions play an equally important role as new vulnerabilities emerge.

IronRadar Reforged

no-reply@ironnet.com (IronNet) — Fri, 03 May 2024 17:36:42 GMT

Block The Assault Before It Ever Happens

Cybersecurity organizations are fighting a constant battle against threats across an evolving cyber landscape while being understaffed and facing constrained budgets. This generally results in a reactive cybersecurity environment, especially for the more resource-strained entities, wherein the adversary always has the initiative. Traditional cybersecurity threat intelligence solutions require significant funding, or in-house skills, or both.

Volt Typhoon Threat Report

Mon, 01 Apr 2024 21:38:41 GMT

Threat Overview

On March 19, 2024, CISA, along with other participating agencies, released a joint Fact Sheet warning executive leaders in the critical infrastructure sector that Volt Typhoon has strategically pre-positioned itself to conduct cyber attacks against US infrastructure. In the event of escalating tension between the US and China, leaders are encouraged to take all the necessary precautions against this urgent risk to protect critical infrastructure networks.

Volt Typhoon is a People’s Republic of China (PRC) state-sponsored advanced persistent threat group reportedly active since 2021. This group specializes in cyber espionage operations, specifically targeting the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors.

Back to School Reminder - Keep Your Mac Clean!

Mon, 28 Aug 2023 21:57:20 GMT

Key points from our research:

Around early-mid August, we noticed an increase in MacOS malware detections, specifically AdLoad and UpdateAgent in IronDome, in the education sector. This timing correlates with students returning to school, therefore bringing their personal (infected) devices to school networks, and is likely the cause of this increase.
Our CyOC discovered previously unreported IOCs relating to AdLoad and UpdateAgent, including HTTP User Agents, HTTP Paths, and domains. Additionally, some IOCs discovered have been reported since 2019, which indicates the techniques the threat actors are using have been around for years and continue to compromise systems. These IOCs are available in the Appendix section.
IronDefense was able to detect this activity via multiple different analytics, including our Suspicious File Download, Beaconing, and Domain Analysis behavioral analytics. IronDome correlated this activity together and uncovered five more enterprises affected.

'::ffff' only...Tips for identifying unusual network activity

IronNet Threat Research Team — Wed, 19 Jul 2023 18:35:29 GMT

Every now and then, a security team uncovers something only the Internet Engineering Task Force (IETF) can fully explain. During a review of network activity, our team noted unusual outbound web traffic from our network. Our investigation took us from checking a simple IPv6 address to researching the IETF’s Request for Comments. What we found along the way demonstrates why monitoring for anomalous IP addresses is important for every organization.

Who’s Listening? Securing Ports Within Your Network

IronNet Threat Research Team — Fri, 30 Jun 2023 13:00:00 GMT

Your house has several entrances— windows, doors, garage, maybe even your roof. These openings to your home are used for different purposes. Your door is used for foot traffic, the garage for cars, and windows for contractors or burglars. Whatever the specific case, we expect certain types of activity with each entrance.

XDR Cannot Exist Without NDR

Rajaram Sivasankar, IronNet VP of Product Management — Mon, 15 May 2023 16:10:00 GMT

Threat detection and response remain a key priority for organizations as ransomware and data breaches continue to disrupt business operations. With multiple solutions known as EDR, NDR, and XDR, as well as the “managed” versions known as MNDR and MXDR, it can feel like an acronym soup and be challenging to determine the best fit for an organization’s unique security needs.

Investigating Undocumented Netcomms From Legitimate Chrome Extension

no-reply@ironnet.com (IronNet) — Fri, 05 May 2023 20:13:38 GMT

Early this month, IronNet analytics detected an unusual HTTPS connection between internal resources and 173.231.16[.]76.

IronNet Monthly Global Threat

General (Ret) Keith Alexander and the IronNet Team — Mon, 01 May 2023 21:27:23 GMT

While much of the cybersecurity world’s focus has been on attacks related to the Russian-Ukraine war, there is an urgent need to raise awareness about the growing threat of a barrage of “digital strikes” by China against the United States, particularly if the conflict over Taiwan deepens, suggests Congressional Rep. Mike Gallagher (R-Wis.), chair of the House Select Committee on China. In line with our ongoing tracking of the threat of Chinese cyber attacks, we agree that it is critical to take note of a cyber strategy by China to target critical infrastructure on U.S. soil such as military and transportation networks as well as in the energy, water, financial markets, and business sectors, as mentioned in this recent Politicoarticle.