
Malware and Cyber Threat Program

2021-06-10T10:28:30-04:00

About the Program

The Malware and Cyber Threats (MCT) Program addresses the technical threats, along with other emerging dark web trends, that are the most impactful to our partners. Our state-of-the-art malware lab is a resource for both NCFTA and partner analysts to run malware samples in both virtual and ‘cold steel’ (bare-metal) environments. As a result of this analysis and our long-term infections, we are able to provide near-real-time feeds based on the indicators of compromise identified in the live infections. The feeds can be received in various formats and are available via several platforms. Additionally, we run several honeypots, including an Internet of Things (IoT) environment, smartphones running certain applications of interest, and even an Industrial Control Systems (ICS) environment.

‘Dark Web’ and Other Underground Website Research

NCFTA has multilingual analysts with years of experience navigating underground forums, social media platforms and underground marketplaces, using peer-to-peer (P2P) applications, and even monitoring Internet Relay Chat (IRC) servers. Through both manual and automated means, we are able to provide in-depth insight into the type of activity that is occurring and that may impact your organization.

MCT’s MAIN EFFORTS:

Malware Analysis and Decryption seeks to research, identify and provide timely, proactive intelligence on malware, ransomware and related technical cyber threats.

Onsite Malware Lab consists of 30 bare-metal and virtual machines that collect data gathered from live malware infections running in the lab. These infections are permitted to access the internet, which allows them to download the latest updates and configurations, send and receive data from command and control servers, be controlled by botnet operators, and have their malicious traffic sinkholed. Once a sample has been manually analyzed, an automated process collects the IOCs, which are monitored and parsed into three feeds: Long Term Infection (LTI), Malicious Threat Indicators (MTI) and Domain Generated Algorithm (DGA).

Honeypot/IoT Monitoring provides insight into the latest trends in internet-wide scanning. Multiple ports and services across different operating systems are monitored for activity in order to learn about new vulnerabilities and the methods used to gain unauthorized access to these machines.

Threat Actor Attribution and Engagement (Dark Web Analysis, Social Media Monitoring, APTs and Other Threat Groups) studies and articulates cyber threats, tactics, techniques and procedures (TTPs), and the monikers/actors targeting various industries, including but not limited to financial (banking and brokerage), retail, healthcare, pharmaceutical, manufacturing and critical infrastructure (water, electric, telecommunications, communications, oil and gas, and transportation).

Website and Communication Channel Monitoring and Scraping performs web scraping on both dark web and clearnet sites. Web scraping allows analysts to view archived market and forum postings from a localized setting. There are over 100 archived dark web and clearnet sites, including ransomware blog sites and various Telegram channels. Partners can receive automated keyword-search alerts from Internet Relay Chat (IRC), Pastebin, GitHub and Twitter.

Marketplace and Forum Analysis examines current activity and threat intelligence from an abundance of dark web marketplaces and forums. Analysis updates and highlights recent activity and identifies the marketplace/forum moderators and administrators.

Event Monitoring Support monitors dark web and social media sites in real time for event threats, with additional keyword searching that includes location- and personnel-specific threats.

SIEM (Security Incident Event Monitoring) Support monitors dark web and social media sites in real time for event threats, with additional keyword searching that includes location- and personnel-specific threats.

Controlled Test Purchases and Analysis covers digital goods that partners identify as a risk to their organization. Analysts have the ability to make controlled test purchases within a reasonable monetary amount.

Onsite Gaming Lab researches in-game threats and real-world risks. By entering the in-game environments, investigators can gather actionable intelligence on threat actors and groups. The gaming lab provides both key intelligence and supplementary research into the threats influencing the gaming landscape.