Impersonation

Storm-1811 impersonates help desk and IT support personnel for phishing and social engineering purposes during initial access to victim environments.(Citation: Microsoft Storm-1811 2024)

LAPSUS$ has called victims' help desk and impersonated legitimate users with previously gathered information in order to gain access to privileged accounts.(Citation: MSTIC DEV-0537 Mar 2022)

Saint Bear has impersonated government and related entities in both phishing activity and developing web sites with malicious links that mimic legitimate resources.(Citation: Cadet Blizzard emerges as novel threat actor)

APT42 has impersonated legitimate people in phishing emails to gain credentials.(Citation: Mandiant APT42-charms)(Citation: TAG APT42)

During Operation Dream Job, Lazarus Group impersonated HR hiring personnel through LinkedIn messages and conducted interviews with victims in order to deceive them into downloading malware.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: The Hacker News Lazarus Aug 2022)

Kimsuky has impersonated academic institutions and NGOs in order to gain information related to North Korea.(Citation: MSFT-AI)

During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls and text messages either to direct victims to a credential harvesting site or getting victims to run commercial remote monitoring and management (RMM) tools.(Citation: Crowdstrike TELCO BPO Campaign December 2022)

APT41 impersonated an employee at a video game developer company to send phishing emails.(Citation: apt41_mandiant)

NPPSPY creates a network listener using the misspelled label logincontroll recorded to the Registry key HKLM\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order.(Citation: Huntress NPPSPY 2022)

During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls and text messages either to direct victims to a credential harvesting site or getting victims to run commercial remote monitoring and management (RMM) tools.(Citation: Crowdstrike TELCO BPO Campaign December 2022) Scattered Spider utilized social engineering to compel IT help desk personnel to reset passwords and MFA tokens.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023)

User Training involves educating employees and contractors on recognizing, reporting, and preventing cyber threats that rely on human interaction, such as phishing, social engineering, and other manipulative techniques. Comprehensive training programs create a human firewall by empowering users to be an active component of the organization's cybersecurity defenses. This mitigation can be implemented through the following measures: Create Comprehensive Training Programs: - Design training modules tailored to the organization's risk profile, covering topics such as phishing, password management, and incident reporting. - Provide role-specific training for high-risk employees, such as helpdesk staff or executives. Use Simulated Exercises: - Conduct phishing simulations to measure user susceptibility and provide targeted follow-up training. - Run social engineering drills to evaluate employee responses and reinforce protocols. Leverage Gamification and Engagement: - Introduce interactive learning methods such as quizzes, gamified challenges, and rewards for successful detection and reporting of threats. Incorporate Security Policies into Onboarding: - Include cybersecurity training as part of the onboarding process for new employees. - Provide easy-to-understand materials outlining acceptable use policies and reporting procedures. Regular Refresher Courses: - Update training materials to include emerging threats and techniques used by adversaries. - Ensure all employees complete periodic refresher courses to stay informed. Emphasize Real-World Scenarios: - Use case studies of recent attacks to demonstrate the consequences of successful phishing or social engineering. - Discuss how specific employee actions can prevent or mitigate such attacks.

A Threat Intelligence Program enables organizations to proactively identify, analyze, and act on cyber threats by leveraging internal and external data sources. The program supports decision-making processes, prioritizes defenses, and improves incident response by delivering actionable intelligence tailored to the organization's risk profile and operational environment. This mitigation can be implemented through the following measures: Establish a Threat Intelligence Team: - Form a dedicated team or assign responsibility to existing security personnel to collect, analyze, and act on threat intelligence. Define Intelligence Requirements: - Identify the organization’s critical assets and focus intelligence gathering efforts on threats targeting these assets. Leverage Internal and External Data Sources: - Collect intelligence from internal sources such as logs, incidents, and alerts. Subscribe to external threat intelligence feeds, participate in ISACs, and monitor open-source intelligence (OSINT). Implement Tools for Automation: - Use threat intelligence platforms (TIPs) to automate the collection, enrichment, and dissemination of threat data. - Integrate threat intelligence with SIEMs to correlate IOCs with internal events. Analyze and Act on Intelligence: - Use frameworks like MITRE ATT&CK to map intelligence to adversary TTPs. - Prioritize defensive measures, such as patching vulnerabilities or deploying IOCs, based on analyzed threats. Share and Collaborate: - Share intelligence with industry peers through ISACs or threat-sharing platforms to enhance collective defense. Evaluate and Update the Program: - Regularly assess the effectiveness of the threat intelligence program. - Update intelligence priorities and capabilities as new threats emerge. *Tools for Implementation* Threat Intelligence Platforms (TIPs): - OpenCTI: An open-source platform for structuring and sharing threat intelligence. - MISP: A threat intelligence sharing platform for sharing structured threat data. Threat Intelligence Feeds: - Open Threat Exchange (OTX): Provides free access to a large repository of threat intelligence. - CIRCL OSINT Feed: A free source for IOCs and threat information. Automation and Enrichment Tools: - TheHive: An open-source incident response platform with threat intelligence integration. - Yeti: A platform for managing and structuring knowledge about threats. Analysis Frameworks: - MITRE ATT&CK Navigator: A tool for mapping threat intelligence to adversary behaviors. - Cuckoo Sandbox: Analyzes malware to extract behavioral indicators. Community and Collaboration Tools: - ISAC Memberships: Join industry-specific ISACs for intelligence sharing. - Slack/Discord Channels: Participate in threat intelligence communities for real-time collaboration.