3 Steps to Disrupt Threat Actors Selling Access to Your Environment

Unmasking a threat actor at an individual level could help you gain more context, determine why the attack occurred, and quantify future risk.


Imagine law enforcement reaches out to a security team to tell them a threat actor is selling employee credentials or private access keys to a sensitive business application. Even without confirmation that these threat actors accessed or stole data, this is very troubling, and this type of threat is increasingly common in today's threat landscape. To make sure these events don't become full-blown breaches and damage the company's reputation, sophisticated enterprises know that they need to take timely action and have visibility outside their perimeter. That action typically consists of external threat hunting, forensics, and unmasking the actors using open-source intelligence (OSINT). Successfully attributing the actor goes a long way toward determining whether the company is the victim of a targeted attack or just a target of opportunity.


There are three steps that organizations can follow to ensure the confidentiality, integrity, and availability of their data systems.


Step 1: Initial Internal and External Triage


The first step is making sure you have a coordinated response. This should include the legal, human resources, information technology, and security teams. The top priority should be ensuring the confidentiality, integrity, and availability of your data systems. You can do this by determining the origin of the leaked credentials. If law enforcement or a third-party vendor initiates contact, they may hold those user credentials or private keys while engaging directly with the threat actor(s).
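As an added example (not code from the article), the following Python script triages a leaked credential list against an internal directory. The matching rules it applies are an assumed approach, not something the article prescribes: it checks whether each leaked username belongs to an active account, whether the exposed password still matches the account's current password, and whether the password was rotated after the date the leak was observed, then ranks the findings so the security team can see which application access is actually at stake. All users, passwords, and dates are constructed; the SHA-256 comparison stands in for a directory's own password verifier.

```python
"""Added example: triage leaked credentials against an internal directory.

Constructed data only. The classification rules (active account? current
password? rotated after exposure?) are an assumed approach, not the article's.
"""
from dataclasses import dataclass
from datetime import date
import hashlib


def sha256_hex(text: str) -> str:
    # Constructed stand-in for a directory's password verifier. Real
    # directories use salted, slow hashes and expose a verify() API.
    return hashlib.sha256(text.encode()).hexdigest()


@dataclass
class DirectoryEntry:
    username: str
    active: bool
    password_hash: str
    password_set_on: date
    applications: tuple = ()


# Constructed internal directory (hypothetical users and applications).
DIRECTORY = {
    e.username: e
    for e in [
        DirectoryEntry("alice", True, sha256_hex("Winter2024!"), date(2024, 1, 10), ("vpn", "payroll")),
        DirectoryEntry("bob", True, sha256_hex("newpass-2024-03"), date(2024, 3, 5), ("vpn",)),
        DirectoryEntry("carol", False, sha256_hex("carol-old"), date(2023, 6, 1), ("crm",)),
        DirectoryEntry("dave", True, sha256_hex("dave-current"), date(2022, 9, 1), ("crm",)),
    ]
}

# Constructed leak as it might be relayed by law enforcement or a vendor.
LEAKED = [
    {"username": "alice", "password": "Winter2024!", "observed_on": date(2024, 2, 20)},
    {"username": "bob", "password": "oldbob", "observed_on": date(2024, 2, 20)},
    {"username": "carol", "password": "carol-old", "observed_on": date(2024, 2, 20)},
    {"username": "dave", "password": "dave-2021", "observed_on": date(2024, 2, 20)},
    {"username": "mallory", "password": "x", "observed_on": date(2024, 2, 20)},
]

# Lower number = handle first.
PRIORITY = {
    "active_credential_exposed": 0,  # password still valid: rotate and review logins now
    "stale_password_exposed": 1,     # leaked password is older than the current one; check reuse
    "rotated_after_exposure": 2,     # user changed password after the leak was observed
    "disabled_account": 3,           # account already inactive
    "unknown_user": 4,               # not in the directory (former staff or mislabelled dump)
}


def classify(record, directory):
    """Classify one leaked record using the assumed rules above."""
    entry = directory.get(record["username"])
    if entry is None:
        return "unknown_user"
    if not entry.active:
        return "disabled_account"
    if entry.password_hash == sha256_hex(record["password"]):
        return "active_credential_exposed"
    if entry.password_set_on > record["observed_on"]:
        return "rotated_after_exposure"
    return "stale_password_exposed"


def triage(leaked, directory):
    """Return findings sorted by priority, with the applications each account can reach."""
    findings = []
    for rec in leaked:
        entry = directory.get(rec["username"])
        findings.append({
            "username": rec["username"],
            "status": classify(rec, directory),
            "applications": list(entry.applications) if entry else [],
        })
    findings.sort(key=lambda f: (PRIORITY[f["status"]], f["username"]))
    return findings


def summarize(findings):
    """Count findings per status for the incident report."""
    counts = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(LEAKED, DIRECTORY)
    for f in results:
        apps = ",".join(f["applications"]) or "-"
        print(f"{f['status']:26} {f['username']:8} apps={apps}")
    print(summarize(results))
```

Running the script prints the constructed findings with alice first, because her exposed password still matches the directory and reaches the payroll application; the summary dictionary is what a team would paste into the triage ticket before involving legal and human resources.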


Generally speaking, law enforcement will have the account names of the forum users attempting to sell the credentials. Once you have this information, you should research the threat actors to ..
