This time, we’re not revealing a new cyber threat investigation or analysis, but I want to share some insights about the team behind all Sekoia Threat Intelligence and Detection Engineering reports. Let me introduce you to the Sekoia TDR team.
TDR is the Threat Detection & Research team at Sekoia.io. Our main mission is to protect our Sekoia SOC Platform customers and partners by producing native and exclusive Cyber Threat Intelligence (CTI) and developing our integrated detection rules catalogue.
As cybersecurity is a collaborative effort, we regularly cooperate and share intelligence with our MSSP and technology partners, various other cybersecurity vendors, and their CTI teams.
We also regularly collaborate with cybersecurity authorities, CERT communities, and law enforcement agencies ( including Europol) to fight cybercrime globally.
Founded in 2020, TDR is a multidisciplinary team of around twenty passionate analysts with a wide range of expertise: detection engineering, technical and strategic analysis, threat hunting, reverse engineering, DevOps, etc. Our analysts have experience in defensive security from SOCs and CERTs, but some also have background in geopolitics or offensive security. They are primarily based in our offices in Rennes and Paris, while part of the team works fully remotely from various cities across France.
TDR is organised around 2 threat-themed squads and 4 chapters of expertise. Each squad is staffed by at least one analyst from each chapter to provide a 360° view of threats by tracking, contextualising, technically analysing and detecting them.
🐙The ‘Octopus’ squad focuses on state-sponsored and strategic threats, such as cyber mercenaries and hacktivists.
🦊The ‘Fox’ squad tracks down financially motivated cybercriminal threats, such as Ransomware-as-a-Service, Business Email Compromise, Phishing-as-a-Service, loader, etc.
The Strategic Chapter is composed of analysts with a geopolitical background. They provide context on cyber threats and the ecosystem around them from a geographical and sectoral perspective.
The Track & Investigation Chapter is staffed by technical threat intelligence analysts who track down attackers’ C2 servers and the related malware and tools. They aim to provide fresh and exclusive indicators of compromise (IOCs) to the Sekoia SOC Platform via the Sekoia C2 Tracker, Sekoia YARA Tracker and Sekoia Malware Watcher internal sources.
Check out our annual report to learn more about adversary C2 infrastructure tracking!
The Detection & Hunting Chapter comprises detection engineers whose main task is to create and update the detection rules (Sigma, Sigma Correlation and Anomaly) available in the catalogue that is integrated into the Sekoia SOC Platform. To do this, they use our TDR Lab to simulate tools / malware or to replay attacks, analysing the logs left behind to create relevant rules for detecting malicious behaviour. They are also in charge of various TDR honeypot projects.
Finally, the Reverse Engineering Chapter is formed by reverse engineers who technically analyse malicious code to better understand, track, and detect it. They are particularly responsible for creating malware configuration extractors to automate the production of IOCs.
Find out more about our reverse engineering work, with this in-deph technical analysis report on the DiceLoader malware.
The day-to-day work of TDR analysts varies according to their core expertise but can be categorised into two main activities:
Our priority is to provide actionable intelligence on cyber adversaries, their motivation, their victimology, the malware they use, the vulnerabilities they exploit and their TTPs (Tactics, Techniques and Procedures) to better understand and detect malicious activities.
We aim to provide our users with the most comprehensive catalogue of detection rules, enabling them to quickly detect the TTPs most commonly used by adversaries. Our rule creation efforts focus on the following areas: endpoint for workstations and servers, network outbound/inbound connections, cloud office applications, and identity management.
To find out more about the TDR detection strategy, we have documented the most frequently asked questions in the Sekoia.io documentation.
TDR is an operational team responsible for producing on a daily basis the Sekoia exclusive CTI and the detection rules for our SOC Platform. In addition, we also operate as a research team dedicated to investigating and detecting the latest cyber threats alongside developing our own R&D projects to improve our knowledge of cyber threats and their tracking/detection. R&D also includes developing internal tools analysts use to conduct investigations and to manage various honeypots projects.
To discover new threats, speed up investigations and help non-technical analysts, we continue to develop new, in-house applications and projects such as honeypots (Windows, Linux, Edge devices/ IOT). All these internal tools are interconnected with our Sekoia SOC Platform and with third-party services to make life easier for analysts. For example, with ASTRA, we have a Cloud lab for easily detonating malware and collecting logs / raising alerts in our SOC Platform. Reversers also use it to carry out their malware analysis work. ARIANE is an online rule editor (YARA, Suricata, Sigma) who helps analysts write effective rules. We also share some of our tools, such as various Maltego transforms thanks to Félix.
As sharing is one of our core values, we regularly publish the results of our TLP:CLEAR research on the Sekoia.io blog and on our Twitter/X account. IOCs, Sigma, and YARA rules are also available in the Sekoia.io Community on GitHub.
In September 2023, we successfully sinkholed a command and control server linked to the PlugX worms. We observed in 6 months of sinkholing more than 2,5M unique IPs connecting to it. We have shared with the authorities of the countries concerned the data on their compromised IPs and our help with a potential “sovereign” disinfection operations.
To find out all about our PlugX sinkhole, read our report and listen to Félix and Charles’ talk in BotConf !
Last but not least, some of our research work has also been presented at international cybersecurity conferences such as BotConf and Virus Bulletin.
Feel free to contact us at – tdr @ sekoia.io – if you want to collaborate on research and investigations into state-sponsored or cybercriminal threats.
Nicolas Caproni Head of Sekoia TDR