By now, you might have caught wind of Photon’s new research on Initial Access Brokers (IABs). It’s a pretty awesome, data-driven study analyzing more than 500 listings from 2020. If you’re a security practitioner that cares about the risks of unauthorized RDP, Citrix, or VPN access, I’d encourage you to gain access to the report, Initial Access Brokers: an excess of access, or listen to the recording of our recent webinar.
The inexorable rise of IABs has continued into 2021 and with that in mind, you can probably expect Photon to revisit this topic in future quarters. This blog, however, is for those that cannot wait that long and want to be the first to know when cybercriminals first list their accesses for sale.
In this blog, I will outline what four things you can do to monitor IAB listings if you are either a full SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) user or have embarked on a 7-day free trial:
- Intelligence Tippers. Short intelligence updates researched and analyzed by our analyst team, Photon.
- Actor Profiles. Curated profiles outlining everything Photon knows about the actors in question.
- Access Raw Data. Via Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection), users can explore and set up custom alerts on the raw data from the forum listings themselves
- Custom Reporting. Through our Reporting Module, automatically schedule reports on IAB to be delivered to your inbox.
Access Photon Intelligence Tippers
The most popular method for monitoring IAB listings is via our Intelligence Tippers. Our own team, Photon, do the heavy-lifting–monitoring new posts on criminal forums where IABs may be listing new accesses. These tippers provide a quick intelligence write-up and include the essential information and context, including targets, source, and associated actors. Armed with this information, users can then gain more information in our tagged profiles or ask our team for a deeper dive.
If you want to peruse all tippers about specific actors, these can be added as filters on the left-hand panel (as shown below).
Access Threat Actor Profiles
When presented with a listing that may be of interest to you, the next step is to make an assessment about the actor selling the access. There are plenty of actors attempting to scam fellow cybercriminals, and so not all listings will be for legitimate access.
This is where actor profiles come into play–providing essential context on their historical activities, reputation, associations, known sites, associated observables, and assessed threat level. For example, in the screenshot below, you can see in the “Summary” section that this actor has had successful sales of accesses.
Monitor the Raw Threat Data
For those that want to know as soon as the post surfaces, you can do that through Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection). It’s possible to search by specific username or follow threads of particular interest. From there, you can set up saved searches and immediate email alerts.
Create and Schedule Custom Reports
The final option is to schedule automatic reports to be delivered to your inbox at a cadence of your choosing. Within SearchLight’s reporting module, users can create reports based on private alerts and intelligence activities. In the example below, a report has been created based on Tags of known IAB actors. You can then schedule these reports to be delivered on a weekly, monthly, or quarterly basis.
Get Started Today
Security teams love getting visibility into IAB listings—especially in the cases that those listings reference their company or suppliers.
Hopefully, with these four tips, you don’t have to wait until our next research report on Initial Access Brokers. For those who are not yet SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) users, you can head towards Test Drive and request a demo for yourself now.