The CTI Analyst Challenge

Welcome to the Cyber Threat Intelligence (CTI) Analyst Challenge!

I am excited to introduce a comprehensive repository designed to enhance the skills and expertise of CTI analysts through a challenging and engaging intelligence analysis exercise.

Purpose

This repository is created to test and improve the capabilities of CTI analysts by providing a structured challenge that covers both proactive and reactive CTI tasks. It aims to simulate real-world scenarios and offer hands-on experience in fulfilling a demo client's Priority Intelligence Requirements (PIRs) and Requests for Intelligence (RFIs).

Key Features

Self-Directed Challenge: CTI analysts are provided with instructions and resources to independently navigate through the tasks, encouraging self-discipline and critical thinking.
Realistic Scenarios: The tasks are designed based on real-world inspired situations, making the training highly relevant and practical.
Comprehensive Training Materials: The repository includes all necessary resources and guidance to assist analysts in completing the challenge effectively.

Recommended Usage

CTI teams are recommended to utilize this free training repository in internal workshops led by managers or team leaders. These workshops can serve as an excellent platform to:

Discuss and Analyze Results: Review written reports generated by team members and discuss their findings in the context of real-world scenarios.
Identify Knowledge Gaps: Use the outcomes of the exercises to pinpoint areas where further training and knowledge enhancement are needed.
Foster Team Collaboration: Encourage collaboration and knowledge sharing among team members to build a stronger, more cohesive CTI team.

Take advantage of this resource to sharpen your CTI skills and elevate your team’s proficiency in handling complex intelligence challenges. Happy analyzing!

You can find The CTI Analyst Challenge on my GitHub repository below:

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail. In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor

Lessons from the iSOON Leaks

Introduction A Chinese Ministry of Public Security (MPS) contractor called iSOON (also known as Anxun Information) that specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on internal and border security, counter-terrorism, surveillance. The MPS is comparable to the Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About