Blog

Is CTI a product without a process?
What's wrong with CTI and what we should focus on

Cyber threat intelligence has become an important component for today's cyber security practice, but its great potential is frequently not fully realized. In our latest position paper, we take a look at the state of the cyber threat intelligence field. We argue that CTI is still in its infancy, and is rich with tools and technical knowledge, but comparatively light still on process and methdology. This is where the biggest potential lies for the advancement of CTI, because a good product is the result of a solid process.

Kris Oosthoek and Christian Doerr

Quality evaluation of Cyber Threat Intelligence feeds

In order to assist in early detection, organization subscribe to cyber threat intelligence feeds for indicators of malicious activity. The success of this strategy however largely depends on the quality of the provided intelligence. In this study, we investigate 24 CTI feeds with 1.3 million indicators across a set of criteria such as timeliness, coverage, or impact. We find that CTI feeds are typically very late in including new indicators, cause significant collateral damage and probably only cover a fraction of the problems we should be concerned about.

Christian Doerr

Infected third-party software key driver for cryptojacking on the Internet

In cryptojacking, websites maliciously mine cryptocurrency on your computer in the background while visiting a website. Based on a large Internet survey of 55 million websites, we find that most of the infections are the result of compromised third-party software, such as malicious Wordpress plugins, website templates, external libraries.

Christian Doerr

CTI take-aways from the Mueller indictment

In this article, we provide an overview of the CTI that can be gathered from the reporting on the election hacking that was released yesterday. While it does not really include any new TTPs, it has newsworthy elements. Based on a review of the report, this article offers some important take-aways for CTI researchers and practitioners.

Kris Oosthoek

Cerber ransomware introduces malware coordination via the bitcoin blockchain

In order for malicious software to receive configuration information or commands, malware needs to be able to locate and connect to its owner. As hard-coded addresses are easy to block and thus render the malware installation inoperable, malware writers have turned to dynamically generated addresses. We describe an entirely new principle of domain generation, actively deployed in the Cerber ransomware, which finds and coordinates with its owner based on transaction information in the bitcoin blockchain. This allows the malware author to dynamically update the location of the server in real-time, and as the malware directly goes to the right location no longer generates a sequence of NXDomain responses.

Christian Doerr
\