
Impersonation

Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via Phishing for Information, Phishing, or Internal Spearphishing) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims. In many cases of business email compromise or email fraud campaigns, adversaries use impersonation to defraud victims -- deceiving them into sending money or divulging information that ultimately enables Financial Theft. Adversaries will often also use social engineering techniques such as manipulative and persuasive language in email subject lines and body text such as `payment`, `request`, or `urgent` to push the victim to act quickly before malicious activity is detected. These campaigns are often specifically targeted against people who, due to job roles and/or accesses, can carry out the adversary’s goal.

Impersonation is typically preceded by reconnaissance techniques such as Gather Victim Identity Information and Gather Victim Org Information as well as acquiring infrastructure such as email domains (i.e. Domains) to substantiate their false identity.(Citation: CrowdStrike-BEC)

There is the potential for multiple victims in campaigns involving impersonation. For example, an adversary may Compromise Accounts targeting one organization which can then be used to support impersonation against other entities.(Citation: VEC)
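The indicators named above (a trusted display name on an unfamiliar address, a lookalike email domain acquired to support the false identity, and pressure words such as `payment`, `request` or `urgent` in the subject line) can be checked mechanically at the mail gateway. The script below is an added example written for this page; it is not part of the ATT&CK entry or of SECURITM. The organization domain, the executive list, the trusted vendor domains and the three sample messages are all constructed assumptions; a Reply-To domain that differs from the From domain is added as a fourth indicator.

```python
"""Heuristic detection of sender impersonation in inbound mail headers.

Added example, not part of the ATT&CK entry. All organisational context
(domain, executives, vendors) and all messages below are constructed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

ORG_DOMAIN = "example.com"                          # assumed organisation domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> legitimate address
TRUSTED_VENDOR_DOMAINS = {"vendor-example.net"}     # assumed partner domains
URGENCY_WORDS = {"payment", "request", "urgent", "wire", "invoice", "immediately"}

# Accepts '"Name" <user@host>', 'Name <user@host>' and bare 'user@host'
ADDR_RE = re.compile(
    r'^\s*(?:"?(?P<name>[^"<]*?)"?\s*)?<?(?P<addr>[^<>\s]+@[^<>\s]+)>?\s*$'
)


@dataclass
class Finding:
    message_id: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_address(header: str) -> tuple[str, str]:
    """Split a From/Reply-To header value into (display name, lower-cased address)."""
    m = ADDR_RE.match(header)
    if not m:
        return "", header.strip().lower()
    return (m.group("name") or "").strip(), m.group("addr").lower()


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def score_message(msg: dict) -> Finding:
    """msg keys: id, from, subject, optional reply_to (raw header values)."""
    name, addr = parse_address(msg["from"])
    sender_domain = domain_of(addr)
    f = Finding(msg["id"])

    # 1. Display name of a known executive, but the address is not theirs
    real = EXECUTIVES.get(name.lower())
    if real and addr != real:
        f.score += 50
        f.reasons.append(f"display name '{name}' matches an executive but address is {addr}")

    # 2. Sender domain is a near miss of the org domain or a trusted vendor domain
    if sender_domain != ORG_DOMAIN and sender_domain not in TRUSTED_VENDOR_DOMAINS:
        for known in sorted({ORG_DOMAIN, *TRUSTED_VENDOR_DOMAINS}):
            d = levenshtein(sender_domain, known)
            if 0 < d <= 2:
                f.score += 40
                f.reasons.append(f"sender domain {sender_domain} resembles {known} (edit distance {d})")

    # 3. Replies are routed to a different domain than the apparent sender
    if msg.get("reply_to"):
        _, reply_addr = parse_address(msg["reply_to"])
        if domain_of(reply_addr) != sender_domain:
            f.score += 20
            f.reasons.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain")

    # 4. Pressure wording in the subject line
    hits = sorted(set(re.findall(r"[a-z]+", msg["subject"].lower())) & URGENCY_WORDS)
    if hits:
        f.score += 10 * len(hits)
        f.reasons.append("urgency wording in subject: " + ", ".join(hits))
    return f


def triage(messages: list[dict], threshold: int = 50) -> list[str]:
    """Return ids of messages whose score reaches the analyst-review threshold."""
    return [f.message_id for f in map(score_message, messages) if f.score >= threshold]


# Constructed sample messages (not real mail)
SAMPLE_MESSAGES = [
    {"id": "m1", "from": '"Jane Doe" <jane.doe@examp1e.com>',
     "subject": "URGENT: wire payment request"},
    {"id": "m2", "from": "Jane Doe <jane.doe@example.com>",
     "subject": "Q3 budget review"},
    {"id": "m3", "from": "accounts@vendor-example.net",
     "reply_to": "accounts@mail-relay.example.org",
     "subject": "Invoice 4471 due immediately"},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        f = score_message(m)
        print(f.message_id, f.score, "; ".join(f.reasons) or "no indicators")
```

The weights are deliberately additive so that a single weak signal (an urgent subject from a genuine colleague) stays below the review threshold, while the combination the entry describes (executive display name, lookalike domain, urgency wording) is flagged; the threshold and weights should be tuned against the organization's own mail volume.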

ID: T1656
Tactic(s): Defense Evasion
Platforms: Linux, macOS, Office Suite, SaaS, Windows
Data sources: Application Log: Application Log Content
Version: 1.1
Created: 08 Aug 2023
Last modified: 15 Apr 2025

Procedure examples

Name / Description
Storm-1811

Storm-1811 impersonates help desk and IT support personnel for phishing and social engineering purposes during initial access to victim environments.(Citation: Microsoft Storm-1811 2024)

LAPSUS$

LAPSUS$ has called victims' help desk and impersonated legitimate users with previously gathered information in order to gain access to privileged accounts.(Citation: MSTIC DEV-0537 Mar 2022)

Saint Bear

Saint Bear has impersonated government and related entities in both phishing activity and developing web sites with malicious links that mimic legitimate resources.(Citation: Cadet Blizzard emerges as novel threat actor)

APT42

APT42 has impersonated legitimate people in phishing emails to gain credentials.(Citation: Mandiant APT42-charms)(Citation: TAG APT42)

During Operation Dream Job, Lazarus Group impersonated HR hiring personnel through LinkedIn messages and conducted interviews with victims in order to deceive them into downloading malware.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: The Hacker News Lazarus Aug 2022)

Kimsuky

Kimsuky has impersonated academic institutions and NGOs in order to gain information related to North Korea.(Citation: MSFT-AI)

During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls and text messages either to direct victims to a credential harvesting site or getting victims to run commercial remote monitoring and management (RMM) tools.(Citation: Crowdstrike TELCO BPO Campaign December 2022)

APT41

APT41 impersonated an employee at a video game developer company to send phishing emails.(Citation: apt41_mandiant)

NPPSPY

NPPSPY creates a network listener using the misspelled label logincontroll recorded to the Registry key HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order.(Citation: Huntress NPPSPY 2022)

Scattered Spider

During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls and text messages either to direct victims to a credential harvesting site or getting victims to run commercial remote monitoring and management (RMM) tools.(Citation: Crowdstrike TELCO BPO Campaign December 2022) Scattered Spider utilized social engineering to compel IT help desk personnel to reset passwords and MFA tokens.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023)

Mitigations

Mitigation / Description
User Training

User Training involves educating employees and contractors on recognizing, reporting, and preventing cyber threats that rely on human interaction, such as phishing, social engineering, and other manipulative techniques. Comprehensive training programs create a human firewall by empowering users to be an active component of the organization's cybersecurity defenses. This mitigation can be implemented through the following measures:

Create Comprehensive Training Programs:
- Design training modules tailored to the organization's risk profile, covering topics such as phishing, password management, and incident reporting.
- Provide role-specific training for high-risk employees, such as helpdesk staff or executives.

Use Simulated Exercises:
- Conduct phishing simulations to measure user susceptibility and provide targeted follow-up training.
- Run social engineering drills to evaluate employee responses and reinforce protocols.

Leverage Gamification and Engagement:
- Introduce interactive learning methods such as quizzes, gamified challenges, and rewards for successful detection and reporting of threats.

Incorporate Security Policies into Onboarding:
- Include cybersecurity training as part of the onboarding process for new employees.
- Provide easy-to-understand materials outlining acceptable use policies and reporting procedures.

Regular Refresher Courses:
- Update training materials to include emerging threats and techniques used by adversaries.
- Ensure all employees complete periodic refresher courses to stay informed.

Emphasize Real-World Scenarios:
- Use case studies of recent attacks to demonstrate the consequences of successful phishing or social engineering.
- Discuss how specific employee actions can prevent or mitigate such attacks.

Threat Intelligence Program

A Threat Intelligence Program enables organizations to proactively identify, analyze, and act on cyber threats by leveraging internal and external data sources. The program supports decision-making processes, prioritizes defenses, and improves incident response by delivering actionable intelligence tailored to the organization's risk profile and operational environment. This mitigation can be implemented through the following measures:

Establish a Threat Intelligence Team:
- Form a dedicated team or assign responsibility to existing security personnel to collect, analyze, and act on threat intelligence.

Define Intelligence Requirements:
- Identify the organization’s critical assets and focus intelligence gathering efforts on threats targeting these assets.

Leverage Internal and External Data Sources:
- Collect intelligence from internal sources such as logs, incidents, and alerts.
- Subscribe to external threat intelligence feeds, participate in ISACs, and monitor open-source intelligence (OSINT).

Implement Tools for Automation:
- Use threat intelligence platforms (TIPs) to automate the collection, enrichment, and dissemination of threat data.
- Integrate threat intelligence with SIEMs to correlate IOCs with internal events.

Analyze and Act on Intelligence:
- Use frameworks like MITRE ATT&CK to map intelligence to adversary TTPs.
- Prioritize defensive measures, such as patching vulnerabilities or deploying IOCs, based on analyzed threats.

Share and Collaborate:
- Share intelligence with industry peers through ISACs or threat-sharing platforms to enhance collective defense.

Evaluate and Update the Program:
- Regularly assess the effectiveness of the threat intelligence program.
- Update intelligence priorities and capabilities as new threats emerge.

*Tools for Implementation*

Threat Intelligence Platforms (TIPs):
- OpenCTI: An open-source platform for structuring and sharing threat intelligence.
- MISP: A threat intelligence sharing platform for sharing structured threat data.

Threat Intelligence Feeds:
- Open Threat Exchange (OTX): Provides free access to a large repository of threat intelligence.
- CIRCL OSINT Feed: A free source for IOCs and threat information.

Automation and Enrichment Tools:
- TheHive: An open-source incident response platform with threat intelligence integration.
- Yeti: A platform for managing and structuring knowledge about threats.

Analysis Frameworks:
- MITRE ATT&CK Navigator: A tool for mapping threat intelligence to adversary behaviors.
- Cuckoo Sandbox: Analyzes malware to extract behavioral indicators.

Community and Collaboration Tools:
- ISAC Memberships: Join industry-specific ISACs for intelligence sharing.
- Slack/Discord Channels: Participate in threat intelligence communities for real-time collaboration.
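The step "integrate threat intelligence with SIEMs to correlate IOCs with internal events" and the step "map intelligence to adversary TTPs" are both illustrated by the following added example, which is not part of the ATT&CK entry, of SECURITM, or of any of the tools listed above. It matches a constructed IOC feed (two indicators, each already tagged with the ATT&CK technique ID from this page) against constructed mail-gateway log lines in key=value form; the log field names, the feed layout, the domains and the IP addresses are all assumptions made for the example.

```python
"""Correlate a constructed IOC feed with constructed mail-gateway log lines.

Added example; the feed entries, log format and all values are made up.
"""
from __future__ import annotations
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed IOC feed: indicator -> metadata. The ATT&CK tag is the
# technique this page documents (T1656); the indicators are not real intelligence.
IOC_FEED = {
    "examp1e-payroll.net": {"type": "domain", "source": "constructed-feed", "attack": "T1656"},
    "203.0.113.45": {"type": "ip", "source": "constructed-feed", "attack": "T1656"},
}

# Constructed mail-gateway log lines (field names are an assumption)
MAIL_LOG = """\
ts=2025-04-15T09:01:12Z msgid=m1 src_ip=198.51.100.7 sender=cfo@examp1e-payroll.net url=https://examp1e-payroll.net/reset
ts=2025-04-15T09:03:40Z msgid=m2 src_ip=198.51.100.8 sender=hr@example.com url=-
ts=2025-04-15T09:05:02Z msgid=m3 src_ip=203.0.113.45 sender=it-support@example-helpdesk.org url=https://cdn.example-helpdesk.org/tool.exe
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn 'key=value key=value ...' into a dict (values contain no spaces)."""
    return dict(KV_RE.findall(line))


def indicators_from(event: dict) -> set[str]:
    """Extract every observable worth matching: source IP, sender domain, URL host."""
    out: set[str] = set()
    if event.get("src_ip"):
        out.add(event["src_ip"])
    if "@" in event.get("sender", ""):
        out.add(event["sender"].rsplit("@", 1)[1].lower())
    url = event.get("url", "-")
    if url != "-":
        host = urlparse(url).hostname
        if host:
            out.add(host.lower())
    return out


def correlate(log_text: str, feed: dict) -> list[dict]:
    """Return one alert per (message, matched indicator), enriched from the feed."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for ind in sorted(indicators_from(ev)):   # set dedupes sender/URL hits
            if ind in feed:
                meta = feed[ind]
                alerts.append({
                    "msgid": ev["msgid"],
                    "ts": ev["ts"],
                    "indicator": ind,
                    "type": meta["type"],
                    "attack": meta["attack"],
                    "source": meta["source"],
                })
    return alerts


def by_technique(alerts: list[dict]) -> dict[str, int]:
    """Count alerts per ATT&CK technique, the view an ATT&CK Navigator layer needs."""
    return dict(Counter(a["attack"] for a in alerts))


if __name__ == "__main__":
    found = correlate(MAIL_LOG, IOC_FEED)
    for a in found:
        print(f"{a['ts']} {a['msgid']} {a['type']}={a['indicator']} attack={a['attack']} via {a['source']}")
    print(by_technique(found))
```

Message m1 is caught twice on the same domain (as sender domain and as URL host) but produces a single alert because the observables are collected into a set before matching; m3 matches only on its source IP, so the alert carries `type=ip`, which tells the analyst which pivot to start from.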

References

  1. CloudFlare. (n.d.). What is vendor email compromise (VEC)?. Retrieved September 12, 2023.
  2. Bart Lenaerts-Bergmans. (2023, March 10). What is Business Email Compromise?. Retrieved August 8, 2023.
  3. Microsoft Threat Intelligence. (2024, May 15). Threat actors misusing Quick Assist in social engineering attacks leading to ransomware. Retrieved March 14, 2025.
  4. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
  5. Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
  6. Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024.
  7. Google Threat Analysis Group. (2024, August 14). Iranian backed group steps up phishing campaigns against Israel, U.S.. Retrieved October 9, 2024.
  8. Lakshmanan, R. (2022, August 17). North Korea Hackers Spotted Targeting Job Seekers with macOS Malware. Retrieved April 10, 2023.
  9. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  10. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  11. Microsoft Threat Intelligence. (2024, February 14). Staying ahead of threat actors in the age of AI. Retrieved March 11, 2024.
  12. Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
  13. Mandiant. (n.d.). APT41, A DUAL ESPIONAGE AND CYBER CRIME OPERATION. Retrieved June 11, 2024.
  14. Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY. Retrieved May 17, 2024.
  15. Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
  16. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.

Related risks

Nothing found
