Deliver COVID-19 Intelligence to Your Security Controls
Malicious actors continue to leverage the global Coronavirus (COVID-19) pandemic to register phishing and malware domains to lure unsuspecting users into disclosing their credentials or downloading and executing malware onto their systems. Anomali and our partner ecosystem have publicly released data and information to identify, monitor, and respond to the latest threats to thwart malicious Coronavirus (COVID-19) themed activity from impacting customer’s information systems and networks. In this latest blog, we detail how to collect the new and rich data source offered by Anomali partner DomainTools and how to operationalize this data within ThreatStream, the industry-leading Threat Intelligence Platform (TIP).
On March 23, 2020, Anomali partner DomainTools released a free COVID-19 Threat List. In the list, users can find Coronavirus (COVID-19) malicious domain name permutations covering more than 60 relevant keywords such as Covid, c0vid, c0v1d, Corona, carona, and corrona. Moreover, the threat list filters out any domains below a Domain Risk Score of 70. According to DomainTools, the Domain Risk Score is a proprietary machine-learning classifier to analyze the intrinsic properties of a domain, identifying patterns consistent with malware, phishing, spam, or neutral domains.
MITRE Pre-ATT&CK Techniques: Buy domain name (T1328) | Spearphishing for Information (T1397)
MITRE Enterprise ATT&CK Techniques: Spearphishing Attachment (T1193) | Spearphishing Link (T1192)
Figure 1. Free COVID-19 Threat List – Domain Risk Assessments for Coronavirus Threats (Source: DomainTools)
How Anomali Customers Leverage the COVID-19 Threat List
The Anomali Threat Research team has curated the COVID-19 Threat List and imported the close to 65,000 suspicious and malicious domains into ThreatStream to help customers protect and defend their organizations. Anomali empowers our customers to operationalize and take action on this data in multiple ways such as:
- Identify attack trends, map out the adversary’s infrastructure, and discover tactics, techniques, and procedures employed by adversaries using the Investigations Workbench and Enrichments within ThreatStream
- Automate threat intelligence ingestion and deployment to downstream security systems via Integrator to proactively block access to high-risk COVID-19 themed domains at their organization’s defensive technologies
- Correlate high-risk COVID-19 themed domains against internal event logs using Anomali Match to identify current and historical sightings indicative of a compromised host or network
- Ingest the domains into their Security Information and Event Management (SIEM) instances such as Splunk to automatically scan events against the observables associated to the Coronavirus (COVID-19) Cyber Threats Threat Bulletin
- Use Trusted Circles as a mechanism for real-time threat intelligence sharing and collaboration with industry peers and sharing groups to maintain situational awareness and establish community-based protections on a specific Campaign, adversary, or Incident
- Use Anomali Lens to determine if there are any observables in the aforementioned article (and others during their research) that are relevant to their environment by scanning the page and seeing if there are any Matches
Of note, this Threat Bulletin was announced on March 24, 2020 and provides our customers with a steady stream of new, actionable intelligence.
Figure 2. ThreatStream Observables Search page filtered on DomainTools – COVID-19 Threat List