Respond to Illicit Networks Events

13 min

when you receive an alert pointing to a dark web source, the first step will be to look at the result on the platform using the link provided in the alert if there is a specific result that is of interest to you and you are unsure about how, or whether it's safe to access, feel free to reach out to us, we'll be happy to share screen captures or html documents and give you more context market listing a market listing alert means an actor has mentioned one of your identifiers on illicit networks what's the risk? in this category, actors are usually malicious they can be inexperienced cybercriminals or more advanced threat actors if the item for sale is an account of some type, consider whether it may be an employee or a customer account, and the potential impact if the account was taken over and accessed by a malicious actor once connected to the account, remember that the actor can do lateral movements and potentially access more information or accounts what should i do? analyze the content of the listing to understand the risk click on the actor to browse to his profile and evaluate his credibility if an employee account is identified, advise that the employee rotate the credentials immediately forum post and chat messages a forum post alert means that an actor has mentioned one of your identifiers on an illicit networks what's the risk? in this category, actors are usually malicious they can be inexperienced cybercriminals or more advanced threat actors if actors are discussing an attack or a fraud method, read the whole context of the thread to better understand if the use of this method can pose a legitimate threat to your organization what should i do? analyze the context of the mention to understand the risk click on the actor to browse to his profile and evaluate his credibility ransom leaks a ransom leak alert means that an identifier of yours has been mentioned on the illicit networks what's the risk? the content of ransomware websites is curated and published by the ransomware groups themselves if you are a victim of ransomware, you are normally already aware before flare alerts you in this case, the risk is that the group has started publishing confidential information as a proof that their attack is successful in the case where the alert is generated by an identifier related to a third party of yours, this is a highly credible confirmation that the organization is in fact victim of ransomware what should i do if i'm under ransomware? if not already done, contact a trusted security partner to help remediate the incident monitor flare alerts to know in a few minutes when the group publishes any information announcement or data regarding your company if sensitive data is published, follow appropriate procedures what should i do if i get an alert for a third party? contact the third party, and ensure that he is aware and handling the incident evaluate the potential impact on your organization if the third party's data was to be lost, or publicized how is the severity of a ransom leak evaluated? there are a number of rules and factors that are used to evaluate the risk of a ransomware event, which apply in the following way if the event is flare believes that you are the victim in the ransomware event ⬤ ⬤ critical flare believes that some of your sensitive files are present in the ransom leak, which is the case when an important supplier or third party is breached ⬤ ⬤ critical your organization is mentioned in the breach or blog post, but there is no clear indication of increased risk ⬤ ⬤ high the event, although critical for the victim, does not seem to relate to your organization in any way ⬤ ⬤ medium infected devices an infected devices alert originate from https //docs flare io/illicit networks#yvejy these are https //docs flare io/collection data categories#ippxa contianing leaked credentials and cookies, amoung other important data what's the risk? across all alerts, infected devices can be one of the most time sensitive alerts you will receive they can indicate that an employee's account is available for sale, and that a malicious actor could take over that account when you receive an alert where the listed https //docs flare io/leaked credentials relate to critical infrastructure or corporate accounts, you should treat it as a high urgency signal and respond quickly (e g forced password resets, session revocation, additional monitoring) what should i do? check the full alert in flare and identify which domain you monitor has matched the listing with this information, you need to assess how critical it would be for a malicious actor to log into this portal for critical access (admin, vip) to a login portal, consider shutting down the website to minimize any risk right away use any additional information in the listing (partial ip address if available, other logins available on the same botnet) to filter a subset of users who might be the potential owner of the infected device use your logging and network information to try to identify the user in question reset the passwords of the user, if found if you were only able to identify a subset of users, consider a password reset for all these users and send an email explaining the situation here is a sample workflow to help you gauge the level of criticality of an alert about an infected device (keep in mind this is only meant as a guide and does not represent a solution necessarily designed for your organization) related articles