Day by day activities for cyber threat intelligence analysts



So I worked as a CTI Analyst (just left 2 days ago to move on to a Security Consultant position) and I specialized in Magecart campaigns.

A lot of my time was spent searching domains for common signs that an attack is in progress on specific CMS apps and looking for malicious domains / C2 servers. Once I found a domain that had signs of infection, I'd look through the calls to outside domains from JS and PHP scripts, locate the malicious file hosted on the web server affecting the CMS app, retrieve the file, then start decoding it. The file has usually gone through encoding methods like base64, sometimes XOR'd, and the resulting hashes are usually shifted using math in Python. They really don't want their steps being uncovered.

Once the C2 server is identified and the malicious file decoded, we'd have their encoding tool, malicious scripts, and sometimes (depending on the method they used) exfiltrated files. I'd usually then look for the techniques used to encode, bind to JS and PHP elements, and exfiltrate data. I'd make a list of these techniques and likely procedures for entry (as best I could from the outside), then reference the MITRE ATT&CK matrix and MISP to look for matches among known Advanced Persistent Threats' TTPs.

Once it was all collected and analyzed, I'd interpret the collected data and what it all meant into "TLP green/white" (Traffic Light Protocol) documents for sharing back into MISP. I'd load everything into our internal databases and hand over custody to the next in the chain, depending on what we were doing at the time. After a while they had me following and reporting on APTs specifically. I managed to totally dox one Magecart malware author once, so that was cool. If you write malware, maybe don't use the same name for your Steam ID and post selfies of yourself with your gopnikmobile near landmarks.
