June 22, 2023
Every network has hidden vulnerabilities. Curated threat intelligence data and scalable expertise let organizations find these vulnerabilities before it’s too late.
In late May 2023, threat actors began exploiting a critical zero-day vulnerability in the popular MOVEit Transfer app, stealing sensitive data from the app’s users. Over the next few weeks, investigators notified victims in 14 countries that their data was impacted.
These victims include government agencies, financial service providers, and healthcare institutions entrusted to handle sensitive data. Payroll providers, regulators, and airlines were also impacted. This translates to tens of millions of affected individuals. Six million driver’s license records were stolen from the state of Louisiana alone.
Many of these organizations had fully compliant, up-to-date security processes in place. They had internal teams, reliable third-party partners, and experienced leaders responsible for maintaining their security posture.
Cybercriminals simply bypassed all of that by exploiting a third-party service provider. By the time threat actors showed their hand, the attack was already complete.
The Security Chain Extends Beyond the Network Perimeter
Popular wisdom says every chain is only as strong as its weakest link. This is especially true when securing networks against cyberattacks, but there’s a caveat – nobody has complete control over the entire chain.
Organizations rely on a wide variety of third-party apps, services, and processes every day. Their ability to ensure the security of third-party partners is limited. Even organizations in strictly regulated industries like banking, government, and healthcare can’t be sure their partners are adequately protected.
That’s why organizations are increasingly investing in threat intelligence solutions to conduct proactive threat-hunting research. This lets security teams discover new zero-day vulnerabilities and emerging threats early in the attack cycle. When combined with scalable managed detection and response services, this approach gives organizations critical early warning signals of impending attacks.
Threat Intelligence Is Vital to Proactive Defense
All modern SIEM platforms support threat intelligence data feeds. Typically, these feeds come from generic open-source data providers. Every time a cybersecurity researcher assigns a CVE number to a new threat, the feed updates to show the new data to everyone in the industry.
Security analysts can then query the data feed to learn about new threats impacting their organization’s risk profile. Threat hunting is the process of querying these feeds to gain early information about emerging threats.
However, the sheer volume of new threat data released daily makes proactive threat hunting unfeasible with open-source threat intelligence feeds. More than a million new threats may be published on any given day. Nobody has the time to look through them all, hoping to find the few that apply to their organization’s unique infrastructure and tech stack.
Level the Playing Field with Curated Threat Intelligence
Curated threat intelligence feeds like Anomali ThreatStream allow analysts to search through a narrowly defined database of threats that apply to their organization’s risk profile. This filters out all the threats that don’t apply to the organization, leaving only those that demand closer inspection.
In the case of the MOVEit Transfer data breach, this means the corresponding CVE numbers would either be flagged or filtered based on the threat they represent to the organization. If you’re curious about the details, the CVE numbers associated with MOVEit are CVE-2023-35708, CVE-2023-34362, CVE-2023-34363, CVE-2023-34364, and CVE-2023-35036.
- If the organization or its partners use MOVEit Transfer, the threat would be tagged according to its severity in real time. Analysts would be able to start addressing the impact the moment details come out from official channels.
- If the organization and its partners don’t use MOVEit Transfer, the CVE number is conveniently filtered out of the threat intelligence feed. This frees up security resources for conducting proactive threat hunting on higher severity risks.
This makes it much easier for security teams to manage their exposure to emerging threats. Analysts can quickly assess whether their organizations are at risk and take appropriate measures to protect users early on.
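The flag-or-filter behaviour described above can be modelled in a few dozen lines. The example below is added here and is not Anomali's or Castra's code; it assumes a feed of CVE records that each name an affected vendor and product, and an asset inventory that covers both the organization's own systems and those its partners run. It goes slightly beyond the text by normalising product names before matching, recording which owner (internal or partner) is exposed, and sorting flagged entries by a CVSS-style score into the standard severity bands. All feed entries, scores and inventory rows are constructed sample data, and the non-MOVEit CVE identifier is an obvious placeholder.

```python
"""Triage a threat-intelligence feed against an asset inventory.

Added example, not vendor code: a CVE is flagged when its affected product
appears in the organization's own inventory or a partner's, and filtered
out otherwise. Feed records, scores and inventory rows are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatRecord:
    cve: str
    vendor: str
    product: str
    cvss: float      # constructed sample score, not the published NVD value
    summary: str


@dataclass(frozen=True)
class Asset:
    vendor: str
    product: str
    owner: str       # "internal" or the name of a third-party partner


def _key(vendor: str, product: str) -> tuple:
    # Normalise so "Progress / MOVEit Transfer" and "progress/moveit transfer " match.
    return vendor.strip().lower(), product.strip().lower()


def severity_label(cvss: float) -> str:
    # CVSS v3 qualitative rating bands.
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def triage(feed, inventory):
    """Return (flagged, filtered_out).

    flagged: list of dicts, highest score first, each naming the exposed owners.
    filtered_out: CVE ids whose product is absent from every inventory.
    """
    owners_by_key = {}
    for asset in inventory:
        owners_by_key.setdefault(_key(asset.vendor, asset.product), set()).add(asset.owner)

    flagged, filtered_out = [], []
    for rec in feed:
        owners = owners_by_key.get(_key(rec.vendor, rec.product))
        if owners:
            flagged.append({
                "cve": rec.cve,
                "cvss": rec.cvss,
                "severity": severity_label(rec.cvss),
                "exposed": sorted(owners),
                "summary": rec.summary,
            })
        else:
            filtered_out.append(rec.cve)
    flagged.sort(key=lambda f: f["cvss"], reverse=True)
    return flagged, filtered_out


# Constructed sample feed: two MOVEit ids from the advisory plus a placeholder.
SAMPLE_FEED = [
    ThreatRecord("CVE-2023-35708", "Progress", "MOVEit Transfer", 9.1, "SQL injection (constructed summary)"),
    ThreatRecord("CVE-PLACEHOLDER-0001", "ExampleVendor", "ExampleProduct", 7.5, "unrelated product"),
    ThreatRecord("CVE-2023-34362", "Progress", "MOVEit Transfer", 9.8, "SQL injection (constructed summary)"),
]

# Constructed inventory: the organization and one payroll partner both run MOVEit.
SAMPLE_INVENTORY = [
    Asset("Progress", "MOVEit Transfer", "payroll-provider"),
    Asset("progress", " moveit transfer ", "internal"),
    Asset("OtherVendor", "OtherProduct", "internal"),
]

if __name__ == "__main__":
    flagged, dropped = triage(SAMPLE_FEED, SAMPLE_INVENTORY)
    for f in flagged:
        print(f"{f['severity']:>8} {f['cve']} exposed={f['exposed']}")
    print("filtered out:", dropped)
```

The inventory is the part that makes the feed "curated": a feed with no knowledge of the organization's and partners' stacks can only deliver everything, which is the volume problem the post describes.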
See Anomali Threat Intelligence in Action:
As the MOVEit attack spread, it quickly became apparent that a massive-scale supply chain attack was taking place. By that time, Anomali customers had already received comprehensive data on the attack, including a complete set of insights and indicators.
In fact, Anomali went one step further in a mid-June message distributed to all ThreatStream customers. The threat intelligence vendor provided:
- An introduction explaining the CISA/FBI advisory for MOVEit and listing the relevant CVE numbers.
- A detailed blog post showing readers how to protect themselves from the vulnerability.
- A comprehensive Threat Bulletin providing more than 2200 observable indicators of MOVEit-related activity.
- A new intelligence dashboard called Anomali Global Security Event Intel, trained specifically on the activities of major cybercrime syndicates exploiting the vulnerability.
- Registration for an informative webinar with threat intelligence experts discussing MOVEit.
Crucially, all this information is readily available in one place. Security analysts don’t have to dig through huge volumes of data to research the threat. They simply respond to actionable early warning data provided by their threat intelligence partners.
Have Castra Conduct Proactive Threat Hunting for Your Team
Castra provides organizations with managed detection and response services that include unparalleled SIEM expertise, deep rule customization, and curated threat intelligence implementation. Rely on our analysts to sound the early warning alarm on hidden vulnerabilities and high-severity threats, earning your organization a valuable head start in protecting users from new attacks and zero-day exploits.