ENIGMA GROUP's Cyber Threat Intelligence

We proactively monitor internal networks, systems and the global threat landscape, including valuable data from the clear, deep and dark web, to determine whether you have been exposed, how it happened, what data was leaked, and the extent of the impact on the business. The goal is to identify patterns, behaviors and threats before they materialize. Whether a breach stems from external threats, criminal activity, insider threats or employee negligence, we capture information about the threat to prevent further incidents. Organizations need to look beyond the perimeter to gain visibility and ongoing insight into what their adversaries know about them, and then address those issues before they are exploited.

Darknet markets: knowing if your company's data is being exchanged

Investments in cybersecurity protection and prevention have focused primarily on IT infrastructure and perimeter defense. Monitoring the dark web may not seem like an urgent concern, but operations that expose critical information and damage your company beyond repair always begin on the dark web. Knowing where to look, and doing so promptly, is the key to protecting your assets before a cyber attack occurs. Sensitive data stolen from companies during a cyber attack often ends up on darknet marketplaces. With the rise of the cybercrime-as-a-service business model, we observe that not only is the data obtained from attacks for sale, but also the information needed to organize the attack. Once an attacker gains access to an organization's infrastructure, they can sell that access to other advanced cybercriminals, such as ransomware operators. Such attacks result in significant financial and reputational losses for the attacked organization and can even cause work stoppages and disruption of business processes. With our tools and automated platform, we monitor the deep and dark web, providing 24/7/365 surveillance.

Service Delivery

The service is delivered with a structured report for managing remediation actions. For the search and analysis of information, we have implemented new methodologies in which the search is integrated with a wide variety of intelligence sources, over a hundred, including network OSINT related to domains, IP addresses, email addresses and similar artifacts, giving a more complete view of the corporate attack surface exposed on the Internet. A new tool we developed, called Ransomware Gang Monitoring, informs us in real time about the new victims (companies and branches) that ransomware gangs constantly post on their websites. Monitoring the gangs' websites and forums on the dark web is an important proactive measure against ransomware attacks.

The Cyber Threat Intelligence activity is aimed at checking whether there is, within the various information channels, information related to:

> leakage and sale of sensitive information and data within underground forums and marketplaces, such as credentials, web platform vulnerabilities, cookies, and various sensitive data that help potential attackers gain initial access to the target's systems;

> employee identity theft and profiling (particularly CEO, Executive, C-Level);

> phishing and spear phishing.

Cyber Threat Intelligence activity is aimed at checking for vulnerabilities that attackers can exploit that can lead to:

> abusive access of corporate servers;

> SSH and shell access to servers (allowing access to servers as an administrator);

> SQL injection, XSS and other code injection attacks;

> privilege escalation due to faulty authentication mechanisms.

Cyber Threat Intelligence activity also allows detection of long-lost or forgotten IT resources that may be so outdated that they can be immediately recognized as unpatched and vulnerable. In addition to forgotten servers, misconfigured S3 (Amazon Simple Storage Service) buckets and other unwanted exposures can be identified. We can also build a complete picture of Shadow IT (IT systems managed outside the IT department, often without its knowledge). Cloud services, such as enterprise-wide SaaS (Software as a Service) applications, file sharing applications, collaboration tools and social media, are key drivers of the expanding Shadow IT footprint. All of this leads to more comprehensive vulnerability scanning and gives us detailed information about which identified assets may need protection or should be taken offline.