About the Program
The Malware and Cyber Threats (MCT) Program addresses the technical threats, along with other emerging dark web trends, that are the most impactful to our partners. Our state of the art malware lab is a resource for both NCFTA and partner analysts to run various malware samples in both virtual and ‘cold steel’ environments. As a result of this analysis and our long term infections, we are able to provide near real time feeds based on the indicators of compromise as identified in the various live infections. The feeds can be received in various formats and are available via several platforms. Additionally, we run several honey pots, to include an Internet of Things (IoT), smart phones with certain applications of interest, and even an Industrial Control Systems (ICS) environment.
‘Dark Web’ and Other Underground Website Research
NCFTA has multi-lingual analysts who have years of experience navigating various underground forums, social media platforms, underground marketplaces, utilizing peer-to-peer (P2P) applications, and even internet relay chat servers (IRC). Through both manual and automated means, we are able to provide in-depth insight into what type of activity is occurring that may impact your organization.
MCT HAS FOUR MAIN LINES OF EFFORT:
The Long-term Infection (LTI) feed contains data gathered from live malware infections in our malware lab. Once a sample has been manually analyzed, and automated process is created to monitor the network traffic long term. These infections are permitted to access the internet, which allows them to download the latest updates and configurations, send and receive data from command and control servers, and be controlled by botnet operators. This traffic is monitored, parsed, and filtered to create reports that go into the feed. The Malicious Threat Indicators (MTI) feed is a subset of the LTI feed which is designed to provide more relevant indicators as opposed to all traffic coming from the infection.
The Malware Analysis Portal (MAP) enables partners to upload suspect malicious files into an environment that is meant for malware to be safely executed and tracked. MAP is provided to NCFTA’s trusted partners in order to give additional intelligence about threats by providing a safe environment to submit suspect files for Anti-Virus (AV) scanning and automated analysis.
Honeypot monitoring provides insight into the latest trends relating to scans across the internet. Multiple ports and services across different operating systems are monitored for activity in an attempt to learn about new vulnerabilities and ways of gaining unauthorized access to these machines.
Social Media monitoring happens across all programs but MCT provides automated keyword alerting for IRC (ThUNDER) and Pastebin (SCRAPE). Partners can provide keywords to be alerted on and an email is sent if matches are found. These feeds are intended to quickly identify potential attacks or compromises related to the partner.