February 20, 2024
As an intelligence analyst, it's paramount to stay on top of what's happening in the world around you. To inform our own research and develop our skills, we keep up with the news cycle by reading from multiple sources, most of them, of course, covering the world of cyber threats. Some of the more interesting pieces we've read this month are highlighted below.
Cyber threat intelligence (CTI) is a multifaceted and still-emerging field, and companies and individuals hold varying ideas about how it should be practiced. But like many things, there is a right and a wrong way to do it. So what makes a good CTI analyst? What is the right way to do CTI? Andy Piazza answers those questions in his blog post "Cyber Threat Intelligence Study Plan", aimed at those looking to enter this fascinating field.
CTI aims to determine the capabilities and intentions of threat actors. That aim requires skill sets from both information security and intelligence studies, each a very broad field in its own right. CTI teams often have dedicated roles for different types of intelligence work, including but not limited to all-source analysts, threat analysts, threat hunters, malware analysts, linguists, and data analysts. Each role is distinct, but they share a common purpose: critically evaluating sources of information and producing actionable intelligence reports as the output.
When evaluating threat reports, CTI analysts must think critically. They must weigh the report's accuracy, the research methods used to produce it, and the reputation of its source. At the forefront of the analyst's mind should be relevance to stakeholders. Does the report "hit close to home" in terms of the stakeholders' infrastructure? Are they at risk? Could they detect the activity if they were targeted themselves? The analyst must also consider the gaps in coverage the report leaves (i.e. what the report does not tell the reader) and whether it contains logical fallacies, all while staying mindful of their own cognitive biases.
The end goal of evaluating threat reports is the delivery of actionable intelligence to stakeholders. It must be presented clearly and concisely, with everything included being relevant and accurate. Knowing the stakeholders' priorities and interests is vital to striking the fine balance between presenting too little information, which leads to threats being missed, and too much, which leads to "cry wolf" syndrome. Debate has a role to play in the production and dissemination of intelligence, because it helps surface biases and fallacies before a report goes out.
Read more about it here.
The Russia-Ukraine War has seen significant amounts of malicious activity in cyberspace, with attacks targeting both sides of the conflict from a diverse range of groups. Hacktivist actors, nation-state-associated threat groups, and even cybercriminals have all played a part in the conflict so far. We've released a considerable amount of material related to this war, which can be found at the following link.
As we approach the end of the second month of the conflict, the tempo and volume of offensive cyber activity against Ukraine may have surprised even the most seasoned analysts, though not in the way they expected. There has been significant activity from Russia-aligned actors against Ukraine, but the general consensus before the conflict appeared to be that destructive malware would be deployed far more widely than has been observed so far. Destructive malware has been used against several Ukrainian government organizations, but at a much lower tempo than was anticipated in the lead-up to the conflict.
ESET has produced a fantastic blog detailing the return of the "Industroyer" malware (aka CrashOverride), which you might have heard about. Industroyer was previously used to target industrial control systems (ICS), including in the December 2016 attack against the Ukrainian energy sector that cut power to part of Kyiv for around an hour. Researchers have called Industroyer the biggest threat to ICS since Stuxnet, so you know it's a serious threat.
The recent deployment, a new variant ESET has named Industroyer2, was again aimed at a Ukrainian energy provider, with the malware customized to target specific high-voltage electrical substations. This activity has been, perhaps unsurprisingly, attributed to the Russian "Sandworm" advanced persistent threat (APT) group. Sandworm has been associated with Military Unit 74455 of Russia's Main Intelligence Directorate (GRU). The group's responsibilities during the war with Ukraine have been considerable; it has also been associated with the Cyclops Blink botnet, which targeted WatchGuard firewall appliances and ASUS routers.
It is currently unclear how Sandworm gained initial access to the energy provider or moved from its IT network into the ICS network. The destructive actions were scheduled for 2022-04-08; however, analysis of artifacts suggests that the attack had been planned for at least two weeks. The attack appears to have been intended to take several infrastructure elements related to the substations offline; it was likely part of a wider effort to disrupt Ukrainian forces and, in doing so, give Russia's military an advantage.
It's likely that the use of destructive malware will increase as the war continues; Russian forces have withdrawn from the northern regions of Ukraine and are consolidating for a new campaign in the east. Given past observations, it's realistically possible that Industroyer will make another, unwelcome, appearance during the later stages of this conflict.
Read more about Industroyer here.
With last month's headlines still dominated by the Russia-Ukraine War, it comes as no surprise that other advanced persistent threats (APTs) in the Middle East, Asia, and beyond are taking advantage of the turmoil to fly under the radar. Looking beyond the headlines is therefore a cybersecurity team's responsibility. Cisco Talos Intelligence's blog post, "Iranian linked conglomerate MuddyWater comprised of regionally focused subgroups", is an excellent technical analysis of APT activity as well as a reminder to stay vigilant in today's noisy environment.
In their article, authors Asheer Malhotra, Vitor Ventura, and Arnaud Zobec unravel the complicated knot of MuddyWater's tactics, techniques, and procedures (TTPs). First identified in early 2017, MuddyWater is a cyber espionage group that the US government directly linked to Iranian intelligence in February 2022. The group targets government and corporate entities around the world, usually to conduct espionage, steal intellectual property, or carry out ransomware attacks.
Talos's research shows that these differing modus operandi and geographic targets aren't a coincidence; they are the purposeful result of MuddyWater's organizational structure. According to Talos, MuddyWater isn't one behemoth group: it's an amalgamation of smaller, independently operating teams, each targeting specific geographic regions with specific TTPs. This decentralized structure is adaptive, active, and effective, allowing MuddyWater to trial TTPs and gauge their success before rolling them out across teams and regions. That makes MuddyWater a difficult beast to tackle. Defenders armed with firewalls and incident response plans aren't fighting Goliath; they're fighting a Hydra.
If Marvel's Hydra's motto is "Cut off one head and two more shall take its place", then the same should be true for cybersecurity teams: disable one protection, and two more should already be in place to counter an attacker. Incident response teams need to make realistic threat assessments, and companies should be prepared to use tools and techniques that proactively counter threats.
Talos's research offers important lessons: keep abreast of the threat landscape, don't let major events hide other dangers, and know thy enemy. When cyber threat actors adapt and learn, so must we in order to counter them.
Let's be honest, we're all incredibly busy these days and it is sometimes difficult to find time to identify and read long articles. This is why our intelligence service is so useful, with our team of dedicated analysts on hand to identify the threats and key details you need to know about. Why not take a demo of SearchLight (now ReliaQuest GreyMatter Digital Risk Protection) to learn more about your use cases and how intelligence might make a difference for you.