Earlier this month, security researcher iamdeadlyz reported on multiple fake blockchain games being used to infect both Windows and macOS targets with infostealers, capable of emptying crypto wallets and stealing stored password and browser data.

In the case of macOS, the infostealer turned out to be a new malware written in Rust, dubbed “realst”. Building on this previous analysis, we identified and analyzed 59 malicious Mach-O samples of realst malware. Among those, we discovered some samples are already targeting Apple’s forthcoming OS release, macOS 14 Sonoma.

In this post, we describe the malware in detail to help threat hunters and security teams identify and detect compromises by Realst Infostealer.

Realst Distribution

Realst Infostealer is distributed via malicious websites advertising fake blockchain games with names such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend. The campaign appears to have links to the earlier PearlLand infostealer. Each version of the fake blockchain game is hosted on its own website complete with associated Twitter and Discord accounts.

As reported by iamdeadlyz, threat actors have been observed approaching potential victims through direct messages on social media.

Individuals who fell for the lures soon found that they had become victims of theft.

Realst Malicious Installers

Some versions of the malware are distributed by a .pkg installer containing a malicious Mach-O and three related scripts.

The Python script game.py is a cross-platform Firefox infostealer. No actual game is contained here or elsewhere.

The installer.py script is in fact a copy of chainbreaker, an open-source project for extracting passwords, keys and certificates from a macOS keychain database. Given the user’s password scraped earlier in the execution chain, chainbreaker will retrieve clear text versions of the user’s internet account and other stored passwords.

Surprisingly, the uninstall.sh script is simply a barebones uninstall script with no malicious behavior.

Other versions of realst stealer are distributed as applications via .dmg disk images. In some cases the developer has packaged the malware in Electron apps; in others, native macOS application bundles are used. The previous research provides an in-depth description of these.

Some samples were codesigned with Apple Developer ID (Team Identifier: C46287MB25), which has since been revoked.

Other samples are ad-hoc codesigned and will continue to launch, as such signatures cannot be revoked remotely.

Dynamic Analysis of Realst Variants

Behaviorally, realst samples look fairly similar across variants and are readily detectable in much the same way as other macOS infostealers. Although they at times use different API calls and have some variant dependencies, from a telemetry point of view the key to all these infostealers is the access and exfiltration of browser data, crypto wallets, and keychain databases.

Targeted browsers include Firefox, Chrome, Opera, Brave and Vivaldi. Safari was not targeted in any of the samples we analyzed. We also note that the malware targets the Telegram application.

The samples we analyzed reach out to one of two hardcoded URLs to exfiltrate stolen data:

http://167[.]172[.]103[.]83:8080/opened
http://77[.]91[.]84[.]110:5000/send_analytics

Most variants (see below for further details) attempt to grab the user’s password via osascript and AppleScript spoofing and perform rudimentary checking that the host device is not a virtual machine via sysctl -n hw.model. We explore these differences in detail in the static analysis section below.

Collected data is dropped in a folder simply named “data”. This may appear in one of several locations depending on the version of the malware: in the user’s home folder, in the working directory of the malware , or in a folder named after the parent game, e.g.,

~/data/
~/data.zip
~/Downloads/brawl/data/
~/Downloads/brawl/data.zip

If the malware was able to access screen capture permission, a screenshot of the Desktop is also taken and deposited in the same location.

~/screenshot.jpeg
~/Downloads/brawl/screenshot.jpeg

Static Analyses of Realst Variants

Our analysis identified 16 variants across 59 samples, which we divide into four major families: A, B, C and D. The division is somewhat arbitrary: There are a number of overlaps that would allow us to draw the lines differently (for example, the use or lack of pycryptodome, or the targeting of macOS Sonoma). We chose the following taxonomy based on string artifacts that should aid threat hunters in better identification and detection.

Realst Variant Family A

Of the 59 Mach-O samples we analyzed, 26 fall into Variant A. This variant has a number of sub variants (we noted ten), but they all share one defining characteristic which isn’t found in Variants B, C and D: The inclusion of whole strings related to AppleScript spoofing.

Example SHA1: 144665cb2e5d65c88579aa4391cebbc116842536
0x752f16:: osascript
0x752f21: display dialog
0x752fb7: with hidden answer
0x7511dc: keychain-db
0x751238: dump-generic-passwords
0x1c75e13: FireFoxDecryptor
0x19444a1: hw.model

Family A variants use AppleScript spoofing in much the same way that we have seen earlier macOS stealers use to grab the user’s admin password in clear text. This technique involves popping a password request dialog box with the “hidden answer” option. This prevents the user seeing the characters they type by replacing them with bullet points, similar to a real password dialog. The important difference being, however, that in this case the password is only obscured from the user themselves. The password is captured and logged in clear text by the AppleScript dialog box.

Like other variants, A samples also include full strings related to anti-analysis through VM detection in the form of hw.model. This is used as an argument to the sysctl command to determine the model of the host device. When run on a Virtual Machine, a macOS instance will typically return the name of the VM software as opposed to the model of Mac.

Realst Variant Family B

Family B variants also have static artifacts related to password spoofing, but these samples are distinctive as they break up the strings into smaller units as a means to evade simple static detection. We found 10/59 samples fell into this category.

Otherwise, B variants have similar artifacts to Variant A samples.

Example SHA1: 2d89ffbadddd62483bc2be33e296ce4e6036c45b
0x6940a0: display dialog
0x6b08f3: keychain-db
0x6b094f: dump-generic-passwords
0x6b52cb: hw.model
0x9b8b69: FireFoxDecryptor

Realst Variant Family C

Family C also attempts to hide the strings for AppleScript spoofing by breaking up the strings in the same way as Variant B. However, Variant C is distinctive in that it introduces a reference to chainbreaker within the Mach-O binary itself. 7/59 samples fell into this category.

SHA1: 112b5637c8cbb7d2e216d89f969515809e1dc66d
0x3fbc10: keychain-db
0x3fbc3c: chainbreaker
0x3fbc51: dump-generic-passwords
0x628e4f: FireFoxDecryptor
0x402552: hw.model

Realst Variant Family D

In Family D, which accounted for 16/59 samples, there are no static artifacts for osascript spoofing. Password scraping is handled by a prompt in the Terminal window via the get_keys_with_access function. Once the password is acquired it is immediately passed to sym.realst::utils::get_kc_keys, which then attempts to dump passwords from the Keychain.

In some versions, the malware also uses the scraped password to elevate privileges with the sudo command and install the Python pycryptodome package.

The use of pycryptodome is itself inconsistent across samples and families, appearing in around half of the entire collection.

SHA1: d436de35164a045e3c0f7b51cf41fcefedf7e77d
0x3fbc10: keychain-db
0x3fbc47: dump-generic-passwords
0x402542: hw.model
0x628de2: FireFoxDecryptor

Realst Infostealer Prepares for macOS 14 Sonoma

About a third of the samples we identified contain strings targeting macOS 14 Sonoma. These string artifacts appear in around half of Variant A samples, and all of Variant B samples. None of Variants C or D were found to contain Sonoma strings.

It is not clear at this point how differences between Sonoma and Ventura would affect execution of the malware – a question it seems the malware authors are themselves seeking to determine.

SentinelOne Protects Against Realst Infostealer

All known variants of Realst macOS infostealer are detected and, where the ‘Prevent’ site policy is enabled, prevented from execution by the SentinelOne agent. Apple’s malware blocking service “XProtect” does not appear to prevent execution of this malware at the time of writing.

Organizations not protected by SentinelOne may use the comprehensive indicators provided in this post to aid threat hunting and detection.

Conclusion

The number of Realst samples and their variation shows that the threat actor has invested serious effort in order to target macOS users for data and crypto wallet theft. Multiple fake game sites complete with Discord servers and associated Twitter accounts have been created to present the illusion of genuine products and convince users to try them out. As soon as the victim launches these fake games and provides the “installer” with a password, their data, passwords and crypto wallets are stolen.

Given the current popular interest in blockchain games, which promise users the reward of making money while gaming, users and security teams are urged to treat solicitations to download and run such games with extreme caution.

Indicators of Compromise

Communications
77.91.84[.]110
167.172.103[.]83

Team Identifier 
C46287MB25

Bundle Identifier
com.launcher.dev

Observed MITRE TTPs
T1033 System Owner/User Discovery (whoami)
T1059 Command and Scripting Interpreter (osascript)
T1070.004 File Deletion (rmdir)
T1082 System Information Discovery (sw_vers)
T1083 File and Directory Discovery (dirname, basename)
T1553 Bypass or Subvert Trust Controls (xattr)
T1620 Reflective Code Loading (execv, fork)
T1562 Disable or Modify Tools (sleep, waitpid)
T1639.001 Exfiltration Over Unencrypted Non-C2 Protocol (tcp, http)

Mach-O Files SHA1 
Family Variant A1
44aa30ca902a22520b52789b81add44e15e74a50
713cdae1bc6c68c06d3b9cc18171b5de43957f98
859e5b3d534c8282d168ebe40c127576dc0b9c70
8d60062ad8a29b4e88c7b9ec3b649aa30476001f

A2
963f55a93523c001fdec52ff33ff232e020135e5

A3
89e1cfc0fa65e4369279b78a26837e6259d4800c

A4
144665cb2e5d65c88579aa4391cebbc116842536
56a0b37302829d5fb116d8aa5700dcc3af00dc34
5da136f267dc70447d420b28dee729d32fdf437f
6cb07664ef882f7cb98f017b0fbdffe4946e9161
b10b37f3b1ce7aa6dacd4402fcfdb97ba92e1508
b898723602c96ecd04176bd13e6c21dbea82e6de
faf6b11a137bf7ae0ffcab411b02e0c0905260b6

A5
091f960fe4317696fb30abc3b36d2c8a7eef4b65
0eeb66a08ca067f168779be8b22da25f90fe4f51
88880772b0f8723020e0feb2bb179dc71e482072

A6
6ee0d99e3a56a72c60f3da790268286cd1e7a3ab

A7
60a747b3e8a25b885ccd16945ba1a238a66e4439
8054b51a51c8c8f21fe4c51322ef36a9fa02b570
b8ac89eed011c0a4e5f4973acbee888323ec80f0
efccafe8cf2a7d63f82c69882195a565fbd60720

A8
39060bb82061c5d426d4a7bad66e07888b05b354
b1aac3888403f4597d9cf14b505f572b2fe7d485
d890822af137df48a91f4ba47a27272dcacc9920

A9
630b23a57d2d8e6d8e25c346173191af6273c3ab

A10
087b3bf372928279d547fb6bb0ab656717fa8c4b

Family Variant B1
0a2a853251fe28333761cc6f9c4518807354dd27
13bdb3823b8555d846f17bdf381f9568b9a81d26
29a7eefff22156a72577ed920eaf9b903e9f164a
2d89ffbadddd62483bc2be33e296ce4e6036c45b
4e5a59a515981fb97bdb272e3e4acb7118e4e6b2
9719fd9415d438722f94877c55c9495708c64fee
c205d4ba044f2d69500f10a46c31aaf068e32c44
c716a02e3bc8603fcf0bb8d63fc4f7e3afab471d
dadfbd13b7bd0e9b6d87ebae30bc48c2eeae0eb3

B2
09e8672af5e18ce99ad8ae608cdc0fa229f121f0

Family Variant C1
112b5637c8cbb7d2e216d89f969515809e1dc66d

C2
154909cdd261130b0ed6d603d4727cb9f15ddc36
247c50d19e7ad18f466558f9c1785ef29962ab7c
32f06e3e9d8899f5224f3d5538724d132bda0921
68dc1f80064f6c261e587cdbb2f01677c8f2e14a
8b4cdd02330cf25f4e1d338b91ffd1c1dd87021a
ce42d202446cc6b316f668a072c17df87dcd495c

Family Variant D1
2f61ddd391d23a6665fa326629e004cb380c4f85
38ae4fa8f4fec9ab98c0003c455016464b62acce
65c175f5fad31ea1c938a96a9cdc9987413fd1f2
80483c5c95ed92da6f086e9497cd08cf7d3b7658
c4296e1a67545e50f44c3776adb674ea1d4d4c0e
d436de35164a045e3c0f7b51cf41fcefedf7e77d
f097123a1999a656a368114abbd848b68d523ee0

D2
158cf7a0c89544ce1c3294453be2a8c8ced9c9b0
294392bcf166953c552443fe95ba1e8f15487f74
294bfc9b97092904bb5e216531b184e38fb2c11f
3685fdd3d14b500fd73f0a3d16dafcc028035204
4053e0ecf5f59b6f7afc06750551d77e131ebd2d
410e4e24f6f6c4f29c8a75723f84bf60ff96c2d5
ada7a47b7fecb142ff532c6e0f01a89bcb47afc9
bfac1b17ad79719c4602a2142435f02c529ec4ab
db9fe7ba9ff8771d28a2fa504d84059faab6be5b

Modern enterprises have rapidly adopted hybrid cloud environments to harness the benefits of both on-prem infrastructure and public cloud services. With higher rates of adoption and nearly half of all breaches occurring in the cloud, the question of how to secure this growing hybrid cloud landscape has become a top priority for business leaders.

One significant aspect of securing hybrid clouds is effectively managing identity and access controls. Since identity and access provide the framework and controls to authenticate and authorize user access, understanding them in the context of hybrid clouds is a critical element in establishing a secure environment.

In hybrid cloud deployments where resources are distributed across on-prem and cloud platforms, managing identities can be a challenge for security teams. This blog post covers how security teams and business leaders can combine identity and access control best practices with advanced detection and response capabilities to ensure robust security for their hybrid cloud environments.

Understanding Identity & Access Management In Cloud Security

Identity and access controls are essential measures in the fight against cyberattacks. They involve the processes used to authenticate and authorize user access to resources within an organization’s data infrastructure. Through strong identity and access controls, organizations can establish a robust security framework that helps prevent unauthorized access and mitigate the risk of breaches and cloud ransomware attacks.

Identity and access controls ensure that only authenticated and authorized individuals can access sensitive information, systems, and resources. Effective controls also enable organizations to enforce least privilege principles, limiting user access to only what they need to for their specific roles. Maintaining granular control over user permissions means security teams can reduce the attack surface and protect against insider attacks, data breaches, and attacks involving privilege escalation.

When it comes to the digital infrastructure, organizations must consider all fronts: on-prem, public cloud, and hybrid cloud environments:

• On-premises (on-prem) refers to infrastructure that is owned and managed directly by the organization within its premises.
• Public cloud involves utilizing resources and services provided by third-party cloud service providers (CSPs) over the internet.
• Hybrid cloud combines both on-prem and public cloud components, allowing organizations to leverage the benefits of both.

While on-prem offers full control and customization, it requires significant upfront investment and ongoing maintenance. Public cloud offers scalability, flexibility, and cost-effectiveness, but data privacy and compliance concerns may arise. This in mind, hybrid clouds have become a popular option as they provide a balance by allowing organizations to leverage existing investments while utilizing the scalability and flexibility of the public cloud for specific workloads. Understanding these differences is crucial for organizations to make informed decisions about their infrastructure security.

Key Components of Identity & Access Controls For Hybrid Clouds

Effective management of identity and access controls is crucial in securing hybrid cloud environments. To establish a robust security framework, several key components need to be considered.

Identity Management Systems

Identity management systems play a pivotal role in managing user identities and access rights across hybrid cloud environments. These systems provide a centralized approach to identity management, enabling organizations to streamline user provisioning, authentication, and deprovisioning processes. With a unified identity management system in place, organizations have the capability to enforce password policies, implement multi-factor authentication (MFA), and efficiently manage user lifecycle events across hybrid cloud platforms.

Centralized identity management ensures consistent access control policies throughout the hybrid cloud infrastructure and reduces the risk of unauthorized access or compromised credentials. Also, it simplifies the administration of user identities, giving security teams greater visibility and control over user access privileges. Organizations with a unified identity management system in place are much better positioned to achieve a higher level of security, streamline user management processes, and ensure compliance with any industry-specific regulations.

Authentication Mechanisms

Authentication mechanisms are the gatekeepers along the path to accessing resources in hybrid cloud environments. Organizations must carefully evaluate and implement appropriate authentication methods to strengthen security. While traditional methods like passwords are still often used, they are no longer considered sufficient protection on their own. Advanced techniques such as digital certificates, biometrics, or token-based authentication offer stronger security measures.

One of the most effective authentication mechanisms in hybrid cloud environments is multi-factor authentication (MFA). MFA requires users to provide multiple pieces of evidence to verify their identities. By combining something the user knows (such as a password) with something they have (like a physical token) or something they are (biometrics), MFA significantly elevates the security posture of hybrid cloud deployments. Even if one factor is compromised, the additional layers of authentication provide an added layer of defense against unauthorized access.

Implementing strong authentication mechanisms in hybrid clouds ensures that only authorized users can access resources, minimizing the risk of credential theft and unauthorized account access. Organizations should choose authentication methods that align with their security requirements and strike the right balance between usability and protection.

Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) is a widely adopted authorization model that simplifies access management in hybrid cloud environments. RBAC associates permissions with predefined roles, rather than with specific individuals in the organization. In this approach, security teams work with leadership to assign and approve permissions based on job responsibilities. This ensures that users have access only to the resources necessary for their assigned roles.

In terms of protecting hybrid clouds, RBAC helps maintain consistent access control policies across different platforms, simplifying user privilege management. By implementing RBAC, organizations can reduce their overhead costs by managing access at a role level rather than assigning individual permissions to each user which is arduous and leaves too much room for error or oversight. This granular control is designed to lessen the risk of excessive privileges and unauthorized access – two issues that commonly threaten the overall security posture of hybrid cloud deployments.

Identity Threat Detection & Response (ITDR)

As the number of digital identities continues to grow exponentially, opportunistic threat actors have seized this expanding surface as a prime target for cyberattacks. Identity-based cyber threats have surged, challenging conventional identity management tools like Identity Access Management (IAM), Privileged Access Management (PAM), and Identity Governance and Administration (IGA). These solutions alone are insufficient to shield organizations from the evolving cyber threats targeting both digital and machine identities.

To combat the rising risks and safeguard their enterprises, many organizations are now turning to a combination of identity threat detection and response (ITDR) strategies. By employing ITDR alongside traditional identity management tools, organizations can bolster their defense against advanced cyber threats, mitigate risks, and fortify their security posture effectively.

Managing Identity & Access Controls in Hybrid Clouds

Managing identity and access controls in hybrid cloud environments requires a proactive approach. By following best practices, security teams can establish a robust framework to protect business-critical resources and data effectively.

Establish the Principle of Least Privilege (PoLP)

The Principle of Least Privilege (PoLP) is a fundamental security principle that applies to all IT environments, including hybrid clouds. It dictates that users should only be granted the minimum level of access necessary to perform their job responsibilities. Applying the PoLP ensures that individuals have access only to the resources they need and reduces the risk of unauthorized access or accidental misuse of privileges.

To implement the PoLP in hybrid cloud environments, organizations should conduct regular access reviews to evaluate user permissions and ensure they align with current roles and responsibilities. Also, consider implementing just-in-time (JIT) access where privileges are granted for a limited time when needed and revoked afterward.

Perform Continuous Monitoring & Auditing

Continuous monitoring and auditing are a core pillar in maintaining the security of identity and access controls in hybrid cloud environments. Monitoring user activities is the first step to detecting and responding to potential security incidents in real-time as well as reducing the time needed to identify and mitigate threats.

Continuous monitoring involves collecting and analyzing security logs and events from various sources, including identity management systems, authentication systems, and access control mechanisms. This enables security analysts to identify atypical behavior within hybrid clouds, such as unusual login patterns or unauthorized access attempts, and take the right actions promptly.

In addition to monitoring, regular auditing is essential to evaluate the effectiveness of identity and access controls and ensure they are in compliance with regulatory requirements. Auditing involves reviewing user permissions, access logs, and system configurations to identify any vulnerabilities or discrepancies. Having a firm auditing policy in place helps organizations to identify and address security gaps and demonstrate adherence to industry standards and compliance regulations.

Combine Advanced Endpoint Protection With ITDR

In the shifting threat landscape, identity threat detection and response (ITDR) continues to emerge, complementing advanced security solutions like Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR). ITDR focuses on safeguarding credentials, privileges, cloud entitlements, and the systems that govern them, bridging a significant gap in the security realm. By implementing ITDR, organizations can:

• Protect cloud environments – Cloud infrastructures can present permissions sprawl, overwhelming teams with numerous applications, containers, and servers to manage. ITDR solutions extend their protective umbrella to cloud environments, offering visibility into risky entitlements that could attract opportunistic attackers.
• Detect & Prevent Identity-Based Attacks – ITDR actively seeks out attacks targeting identity vectors, swiftly identifying credential theft, signs of privilege misuse, and malicious activities on Active Directory (AD) and other systems.
• Thwart The Attack Lifecycle – ITDR solutions add an extra layer of protection by deploying pre-set decoys to divert attackers, automatically isolating affected systems, and preventing lateral movement into other networks.
• Build Lasting Cyber Resilience – ITDR proves its value in forensic data collection, gathering critical telemetry on attack processes. The gathered threat intelligence empowers technical teams to fortify weak policies and processes, enhancing long-term cyber resilience.

Conclusion

Hybrid clouds are often targeted by cyberattacks due to their unique complexities and increased attack surface. Exploiting potential misconfigurations, weak authentication mechanisms, and synchronization issues between different platforms, threat actors increasingly have their eyes set on hybrid clouds as a lucrative attack vector.

In the face of relentless identity-based threats affecting industries worldwide, business leaders are intensifying efforts to mitigate these risks with a more proactive approach. By centering their focus on identity and access protection, organizations can fortify their hybrid cloud deployments against unauthorized access attempts, minimize the risk of compromised credentials, and establish a foundation of trust and security across the infrastructure.

SentinelOne has leveraged its deep experience in privilege escalation and lateral movement detection to become a significant player in the ITDR space. Learn about SentinelOne’s approach defending hybrid cloud environments by contacting us or booking a demo today.

To combat a growing range of cyber threats, enterprise leaders and cybersecurity professionals often employ tabletop exercises as a valuable tool to enhance preparedness and response capabilities. Tabletop exercises simulate real-world cyber incidents in a controlled environment, allowing organizations to test their incident response plans, evaluate team coordination, and identify vulnerabilities.

As the overall threat landscape shifts though, it is essential to continuously improve tabletop exercises so that they remain effective. Without the right strategy in place, organizations may not find value in their tabletop exercises. Adapting to the changing cybersecurity landscape requires security teams to incorporate the most current emerging threats, technologies, and attack vectors into these exercises.

This blog post discusses how modern enterprises can build their tabletop strategy to meet a changing threat climate and ways to overcome common challenges associated with the exercises. It also covers how tabletop exercises will transform in the future and how businesses can continue to derive value from such tools.

From Military Roots to Cyber Defenses | Defining Tabletop Exercises

Tabletop exercises (TTX) have a rich history in the realm of cybersecurity, dating back to the early days of military and emergency response planning. Originally used to simulate military campaigns and disaster response scenarios, TTXs gradually found their way into the cybersecurity domain. These exercises were initially developed to assess an organization’s ability to respond to physical security incidents, but as cyber threats became more prevalent, their focus expanded to include cyber incidents.

TTXs in cybersecurity typically involve a simulated scenario where participants gather in a controlled environment to collaboratively respond to a fictional cyber incident. The scenario is crafted to mimic real-world situations and may include elements like phishing attacks, data breaches, ransomware infections, or network intrusions. Participants, representing various roles within the organization, such as IT personnel, executives, legal advisors, and public relations representatives, engage in discussions and decision-making processes to address the unfolding incident.

The exercises can take different forms, ranging from informal discussions to more structured and time-constrained simulations. Facilitators guide the exercise, presenting new challenges and information as the scenario progresses, and participants must work together to assess the situation, make decisions, and develop an effective response plan. These exercises allow organizations to evaluate their incident response procedures, identify gaps and weaknesses, and refine their strategies to improve preparedness.

By simulating cyber incidents in a controlled environment, TTXs provide a safe space for learning, fostering collaboration among team members, and enabling the exploration of alternative approaches. They help organizations identify strengths and weaknesses in their incident response capabilities, assess communication channels, and uncover areas for improvement. Additionally, tabletop exercises offer the opportunity to test and validate incident response plans, refine coordination between different teams, and enhance overall cyber resilience.

Understanding the Relevance of Tabletop Exercises In Today’s World

Cyber threats have become more sophisticated and frequent, making tabletop exercises a highly useful tool for organizations. While new solutions provide advanced security measures, cybercriminals continue to exploit vulnerabilities and develop new attack vectors. This makes it essential for organizations to regularly assess and enhance their preparedness to combat cyber threats.

TTXs provide a controlled environment to simulate real-world cyber incidents and test an organization’s response capabilities. The relevance of TTXs to modern security practices can be broken down into these main areas:

• Risk Management – TTXs allow security teams to understand pain points, challenges, and any weaknesses in processes and communication channels that may not have been apparent in day-to-day operations. The results of the exercise can help teams bolster the weak points in their response strategy and bring in additional oversight where needed.
• Continuous Improvement & Lessons Learned – TTXs force security teams to validate documented flows that are in place for the current security program. After the exercise, all relevant participants can provide feedback on gaps and work towards revisions.

• Cybersecurity Training – After a TTX, valuable findings and any updates for processes are documented into training guides and playbooks for future use. New stakeholders can follow vetted documentation to prepare for future exercises.

• Stakeholder Collaboration – TTXs bring together key stakeholders, including IT personnel, executives, legal advisors, and public relations representatives. Holding regular exercises fosters collaboration and provides an opportunity to practice decision-making under pressure.

Mitigating The Challenges of Building A Tabletop Strategy

TTXs are a key element in developing the human side of incident response and cyber defense. By conducting regular tabletop exercises, organizations can test and enhance the knowledge and skills of incident responders. In the long run, having an established tabletop strategy bolsters the overall security posture of the business.

Many organizations, however, not only face challenges in implementing the strategy, but also generating ongoing value from TTXs. For some, the exercises are carried out with the best of intentions but still ‘fail’. From resource limitations to lack of engagement and availability, there are several common challenges associated with implementing value-driven TTXs. Here are some ways to overcome these pitfalls and ensure that the strategy works with the business and benefits security teams as cyber threats continue to develop.

Define Clear & Actionable Objectives

When objectives are not laid out in advance of a TTX, the sessions can feel like a perfunctory technical drill or a check-the-box activity with little to no value. Without clear goals in mind, the discussion can quickly unravel.

Defining the objectives comes from having a clear understanding of ‘the why’ behind the TTX. Based on the organization’s risk profile, senior leadership and security leaders need to pinpoint what takeaways the sessions should garner and what incremental improvements they want to make in their security strategy.

Having clear and actionable objectives for a cybersecurity tabletop exercise is key to ensuring its effectiveness. Here are some steps that enterprises can follow:

• Identify Key Focus Areas – Start by identifying the specific areas of cybersecurity that the exercise should address. This could include incident response procedures, communication protocols, decision-making processes, or testing the effectiveness of security controls. Consider the organization’s priorities, recent trends in cyber threats, and any known vulnerabilities or weaknesses.
• Align Objectives With Organizational Goals – The exercise objectives should align with the broader goals and priorities of the business. For example, if working towards compliance within a specific security framework or regulatory requirement, the exercise objectives can focus on testing and improving compliance-related processes.
• Be Specific & Measurable – Objectives should be specific and measurable to enable effective evaluation. Rather than stating a vague goal like “improve incident response,” set measurable targets such as “reduce incident response time by 20%,” or “enhance coordination between IT and legal teams during a data breach scenario.”
• Document & Communicate Objectives – Clearly document the defined objectives and share them with all participants. This ensures everyone is aligned and working towards common goals during the exercise.

Invite The Right Experts To The Discussion

A successful TTX requires the participation of key individuals who represent the roles and functions applicable to the TTX scenario being discussed. Considering the specific objectives set for a particular TTX, participants should only include those that will be able to answer for their function as too many observers may dilute the conversation if not managed.

Commonly, most TTX sessions will feature representatives from:

• Executive Leadership – C-suites should be involved to provide a high-level decision-making perspective, assess the impact of potential cyber incidents on the organization, and give the final word on necessary resources for incident response. Cyber incidents are not only a test of technical defenses, but they also examine executive-level responses when it comes to communicating the impact to both customers and the general public.
• Security & IT – Security professionals, including cybersecurity analysts, incident response managers, and network administrators, are essential participants. Their expertise in identifying and mitigating cyber threats supplies the technical acumen needed for the exercise.
• Legal & Compliance – Inclusion of legal advisors and compliance officers ensures that the exercise considers legal and regulatory implications. They can offer guidance on breach notification requirements, legal obligations, and potential liabilities.
• Communications & PR – Both internal and external communication is vital during a cyber incident. This team can speak to the management of public perception, media inquiries, and stakeholder communications during the scenario.
• Human Resources – Human resources representatives can contribute by addressing employee-related aspects, such as incident reporting procedures, training, and handling internal communication during an incident.
• Departmental Heads – It is beneficial to include representatives from different departments to ensure a holistic understanding of the organization’s operations and their interdependencies. Should a scenario deal with one specific department’s data, for example, that department head would be expected to provide input.
• Operations – Participants from operations and business continuity teams can provide insights into the potential impact of cyber incidents on critical operations and contribute to the development of effective recovery strategies.

Build Business-Tailored Scenarios & Evaluation Criteria

Designing realistic scenarios that accurately reflect most current threat landscapes can be challenging. It requires staying updated on the latest attack techniques, emerging technologies, and industry trends. Creating scenarios that strike the right balance between realism and feasibility is crucial for a meaningful exercise.

To foster better TTX discussions, the scenarios should be aligned with the industry-specific risks and active and known threats to similar organizations or competitors in the same space. Scenarios can also be based on the organization’s own history of security incidents.

• Tie Scenarios to Operations – Design scenarios that reflect the organization’s unique business operations, systems, and processes. Consider the industry, internal procedures, technology infrastructure, and specific threats relevant to the organization. This ensures that participants can relate to the scenarios and their potential impact.
• Leverage Past Risk Assessments – Using past risk assessments, identify the critical assets, vulnerabilities, and potential impacts within the organization. This helps determine the areas to focus on and ensures that the exercises address the most applicable risks.
• Incorporate Real-World Scenarios – Draw inspiration from real-world cyber incidents and recent data breach reports. Simulate scenarios that resemble actual incidents faced by similar organizations or that align with prevalent industry-specific threats. This helps participants gain practical experience and understand the implications of such incidents.

Create Follow Ups For the Next Exercise

Assessing the outcomes of TTXs and translating them into actionable improvements is a necessary but often overlooked part of the discussion. Proper evaluation and analysis of exercise results, followed by effective follow-up actions, are essential to maximize the value of these exercises. Having this iterative approach ensures that the teams learn from each exercise, actions any needed changes, and continuously enhance their response capabilities.

• Evaluate The Outcome – Conduct a thorough evaluation of the tabletop exercise right after its completion. Gather feedback from participants to identify strengths, weaknesses, and areas for improvement. Document any key insights or ideas for future exercises.
• Analyze The Gaps – Analyze the gaps and weaknesses identified during the exercise. Categorize them based on severity and prioritize them for action. Determine the root causes behind the gaps, whether they involve processes, technology, communication, or personnel.
• Assign Actions Items – Based on the identified gaps, assign action items to address each one to relevant individuals or teams. Set realistic timelines and milestones for completion. Continuously track progress and use key performance indicators (KPIs) to gauge the success of the follow-up initiatives. This provides a basis for further refinement and adjustment.
• Update Incident Response Plans – Revise and update the organization’s incident response plans to reflect the gaps identified during the exercise. Ensure that all employees have access to the updated plans.
• Conduct Training and Awareness Programs – Provide training sessions to enhance skills, educate employees on specific cyber threats, and reinforce incident response procedures. This helps fill knowledge gaps and improves preparedness.

Seeing Tabletop Exercises As One Part Of A Whole

When carried out correctly, a strong tabletop exercise strategy can expose weaknesses in incident response strategies, uncover areas for improvement, and foster a better strategy for emergency preparedness. While TTXs are a helpful tool, allowing security teams to simulate various scenarios, the exercises themselves are not enough to build an end-to-end cybersecurity defense posture against advanced cyber threats. In the greater scheme, TTXs are just one part of a whole and only place emphasis on fixing known vulnerabilities and any gaps identified during the sessions.

For ongoing, holistic protection against increasingly sophisticated threat tactics, techniques, and procedures, enterprises can augment their TTX processes with artificial intelligence (AI), machine learning (ML), red teaming, and a combination of autonomous endpoint, cloud, and identity security. The future of TTXs is now including such emerging technologies as they can simulate advanced attack vectors and enable organizations to test the effectiveness of automated response mechanisms. This ensures preparedness against new and evolving threats that haven’t already been documented and tracked.

Further, AI and ML can be used to model and simulate the behavior of adversaries, both known and unknown. By analyzing historical attack data, threat intelligence, and patterns, these technologies can generate realistic adversary profiles. TTXs can then include a wide range of adversary behaviors, making the exercises more challenging and reflective of real-world threats.  Algorithms can be written to analyze historical data from previous cyber incidents and help identify patterns and trends. With this data on hand, organizations can predict and anticipate potential future threats, vulnerabilities, or attack vectors. Incorporating predictive analytics in TTXs helps security teams proactively enhance their defenses.

The new wave of TTX strategy is also seeing more involvement from red teams. Red teaming, which involves simulating adversarial attacks, can be augmented by AI and ML. These technologies can automate certain aspects of red teaming exercises, such as generating realistic attack scenarios, identifying vulnerabilities, and assessing the impact of potential attacks. This helps in uncovering weaknesses and testing the resilience of an organization’s defenses.

Conclusion

Tabletop exercises, when implemented alongside AI-powered tools, allow security operations centers (SOCs) to understand their responsibilities and spend less time collecting and analyzing data during an incident. These risk-informed exercises reduce the overall mean-time-to-containment, enhance collaboration, and allow for the refinement of incident response plans. When combined with red teaming, where simulated adversarial attacks are conducted, organizations gain a deeper understanding of their vulnerabilities and can proactively address them.

As cyberattacks grow in frequency and complexity, autonomous security, AI, and ML technologies are bringing valuable capabilities to tabletop exercises. They enable the automation of many security tasks and enhance predictive analytics. By leveraging these technologies, organizations can improve threat detection, response speed, and decision-making, allowing them to stay ahead of threat actors in the ever-changing cyber ecosystem.

SentinelOne focuses on acting faster and smarter through AI-powered prevention and autonomous detection and response. With the Singularity XDR Platform, organizations gain access to back-end data across the organization through a single solution, providing a cohesive view of their network and assets by adding a real time autonomous security layer across all enterprise assets. It is the only platform powered by AI that provides advanced threat hunting and complete visibility across every device, virtual or physical, on-prem or in the cloud.

Learn more about how Singularity helps organizations autonomously prevent, detect, and recover from threats in real time by contacting us or requesting a demo.

The Good | Tougher Times Ahead for Play Store Malware

With so many personal devices now hopping on and off company networks, the risks from mobile malware are always a concern. Google has had more than its fair share of problems with malicious apps on its Play store, but this week new rules for developer accounts aim to curb the problem.

Although new app submissions are vetted before being allowed on the app store, crafty developers typically circumvent these checks by initially uploading a benign version of the app. After approval, they issue an update containing the malicious code. If users are lucky, the malicious app is discovered, reported, and the developer banned from the store. Up till now, that has never presented much of a problem, as the malicious developers return by creating a new account and repeating the cycle.

In an effort to combat this, Google will begin requiring all new developer accounts to provide a valid D-U-N-S number,  a unique nine-digit identifier for businesses, from August 31st. Acquiring a valid D-U-N-S number requires passing various proof-of-identity and business checks and that will make it difficult, expensive and time-consuming for fraudsters to complete.

Additionally, the Play store will require apps to display the developer’s business address, website URL and phone number in an effort to improve transparency and limit fraud.

It remains to be seen how effective these moves will be, or whether the extra identification requirements will serve to discourage legitimate independent developers from distributing on Google Play, but if it helps to reduce malware on Android devices, it will certainly be welcomed by IT and security teams.

The Bad | Cloud Credentials Stealer Targets Azure and Google

A malicious actor previously targeting AWS accounts for compromise has now turned to stealing credentials for Azure and Google Cloud Platform (GCP) services, it was revealed this week.

Updated versions of known malware scripts now gather credentials from AWS, Azure, Google Cloud Platform, Censys, Docker, Filezilla, Git, Grafana, Kubernetes, Linux, Ngrok, PostgreSQL, Redis, S3QL, and SMB. Successfully harvested credentials are then exfiltrated to a remote server under the threat actor’s control.

The campaign has been linked to notorious crime group TeamTNT, a threat group known to primarily target cloud and containerized environments with cryptocurrency miners. However, as researchers at SentinelLabs pointed out, attribution remains challenging with script-based tools as they can be readily adapted by anyone for their own use.

The attack scripts target public-facing Docker instances and aim to deploy a worm-like propagation module. They also contain functionality for extensive system and environmental profiling. Post-exploitation activity involves collecting details from the infected host and using Bash to download the curl binary from the attacker’s server. This is notable because attacks against minimal systems like containers are often limited by the absence of common living off the land tools like curl.

Up to eight incremental versions of the credential harvesting scripts have been observed in the last two months, indicating an actively evolving threat. Based on this activity, researchers believe that the actor is likely preparing for larger scale campaigns.

The Ugly | Office 365 Intrusions Compounded by Lack of Visibility

A China-based threat actor has breached email accounts of dozens of organizations worldwide, including U.S. and Western European government agencies, it was revealed this week.

The campaign, which is thought to have begun in mid-May, was reported to Microsoft by the U.S. government after the discovery of unauthorized access to Microsoft cloud-based email services. According to reports, the State Department was the first of a number of government agencies to detect a compromise of its Microsoft Office 365 system. The Department of Commerce and the House of Representatives were also among those targeted.

A sophisticated China-based hacking campaign has targeted U.S. government agencies and organizations, compromising email accounts via Microsoft Outlook Web Access in Exchange Online (OWA) & Outlook.

Read: https://t.co/390mnDokqJ#cybersecurity #hacking #malware

— The Hacker News (@TheHackersNews) July 13, 2023

Microsoft’s own investigation revealed that a China-based threat actor used forged authentication tokens and an acquired Microsoft account (MSA) consumer signing key to access user email. It is unclear how the threat actor acquired the Microsoft key or whether there is an exploitable flaw in Microsoft’s token validation system.

The company says it has blocked all tokens signed with the stolen key and worked to improve its “key management systems” since the theft occurred. Microsoft says it has contacted all targeted or compromised organizations directly with information to help them investigate and respond.

However, the company is facing criticism because access to forensic logs for users of its Office 365 services requires extra licensing. U.S. Senator Ron Wyden reportedly said that Microsoft should offer all its customers full forensic capabilities, saying that “charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seatbelts and airbags”.