Digital Shadows Alert Details
Alert ID: DS-CLOSED-SOURCES-7842
Alert Time: 2024-02-09 09:22:15 EST
Severity: HIGH (78/100)
Source: Digital Shadows SearchLight Platform
Rule: “Sensitive Company Data Found on Closed Sources”
MITRE ATT&CK: T1597 – Search Closed Sources
Alert Details:
Finding Type: Closed Source Monitoring (Dark Web, Forums, Telegram)
Detection Time: 2024-02-09 09:15 EST
Content Discovery Date: 2024-02-08 22:00 EST
Source 1: Restricted Telegram Channel “DataLeak_Official”
– Channel Members: 4,782
– Post Content: “Anyone have internals for [Company Name]? Willing to trade.”
– Attachment: None
– User: “data_broker_47”
– Activity: User active in multiple data trading channels
Source 2: Private Russian Forum “exploit[.]in”
– Thread: “Seeking Access to [Industry] Companies”
– Post: “Looking for credentials, VPN access, or internal docs for [Company Name]. BTC payment.”
– User: “hacker_seller_89”
– Registration Date: 2024-01-15
– Post Views: 342
– Replies: 3 (all offering “contact me for more info”)
Source 3: IRC Channel #datamarket (Dark Web)
– Chat Log Excerpt:
[22:34]
[22:35]
[22:36]
[22:38]
Risk Assessment:
– Multiple threat actors actively seeking company data
– No actual data confirmed sold/leaked yet
– Targeting suggests reconnaissance for future attack
– Jira/Confluence access would reveal internal projects and vulnerabilities
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Digital Shadows findings | Digital Shadows Console | Confirmed legitimate threat actor activity
2. Actor Profiling | Investigate threat actors | Recorded Future, ThreatConnect | “hacker_seller_89” known for selling initial access
3. Internal Hunting | Check for signs of prior compromise | CrowdStrike Falcon, Splunk | No evidence of Jira/Confluence compromise
4. Credential Monitoring | Check for leaked credentials | HaveIBeenPwned, Dehashed | No new credential leaks found
5. Jira/Confluence Audit | Review access logs for anomalies | Atlassian Audit Logs | No suspicious access patterns
6. User Awareness | Notify employees about targeting | Email, Security Teams | Security awareness reminder sent
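Added example (not from the Digital Shadows alert, the SOC's tooling or Atlassian) of the kind of check steps 3 and 5 describe: a small Python triage script that builds a per-user baseline of source IPs from audit events before the content-discovery date and flags new source IPs, off-hours access and bulk exports in the window after it. The JSON-lines event shape, field names, action names and the log lines themselves are constructed assumptions, not the real Atlassian audit log schema.

```python
import json
from datetime import datetime, timezone

# Constructed sample events (assumption: simplified JSON-lines shape, not the real
# Atlassian audit schema). 203.0.113.77 is a documentation-range address.
SAMPLE_AUDIT_LOG = """\
{"ts":"2024-02-05T14:02:11Z","user":"alice","ip":"10.20.1.15","action":"issue_view","product":"jira"}
{"ts":"2024-02-06T09:31:40Z","user":"alice","ip":"10.20.1.15","action":"page_view","product":"confluence"}
{"ts":"2024-02-07T15:12:03Z","user":"bob","ip":"10.20.2.40","action":"page_view","product":"confluence"}
{"ts":"2024-02-08T23:41:55Z","user":"bob","ip":"203.0.113.77","action":"space_export","product":"confluence"}
{"ts":"2024-02-09T02:05:12Z","user":"bob","ip":"203.0.113.77","action":"page_view","product":"confluence"}
"""

WINDOW_START = datetime(2024, 2, 8, tzinfo=timezone.utc)  # content discovery date from the alert
BULK_ACTIONS = {"space_export", "bulk_issue_export"}     # hypothetical action names
BUSINESS_HOURS = range(7, 20)                            # UTC hours treated as normal

def parse_events(text):
    """Parse JSON-lines audit events into dicts with timezone-aware timestamps."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def find_anomalies(events, window_start):
    """Flag events on/after window_start that deviate from the pre-window baseline."""
    known_ips = {}  # user -> set of source IPs seen before the window
    for e in events:
        if e["ts"] < window_start:
            known_ips.setdefault(e["user"], set()).add(e["ip"])
    findings = []
    for e in events:
        if e["ts"] < window_start:
            continue
        if e["ip"] not in known_ips.get(e["user"], set()):
            findings.append((e["user"], "new_source_ip", e["ip"]))
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append((e["user"], "off_hours", e["ts"].isoformat()))
        if e["action"] in BULK_ACTIONS:
            findings.append((e["user"], "bulk_export", e["action"]))
    return findings

def triage_sample():
    """Run the check over the constructed log; returns a list of (user, reason, detail)."""
    return find_anomalies(parse_events(SAMPLE_AUDIT_LOG), WINDOW_START)
```

On the constructed log every finding belongs to "bob": a first-seen external IP, two off-hours events and one space export, which is the pattern an analyst would want surfaced when the alert says actors are shopping for Jira/Confluence access.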
Jira Incident Report
Ticket: SOC-2024-045
Summary: T1597 – Threat Actors Seeking Company Data on Closed Sources
Status: RESOLVED
Resolution: RECONNAISSANCE – No Data Leak
Priority: P2 – MEDIUM
Labels: T1597, closed-sources, dark-web, threat-intel, digital-shadows
Components: Threat-Intelligence, Security-Awareness
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Digital Shadows SearchLight Platform.
Alert: “Sensitive Company Data Found on Closed Sources”.
Time: 2024-02-09 09:22 EST.
Technique: MITRE ATT&CK T1597 – Search Closed Sources (dark web, forums, Telegram).
2. Technical Analysis:
Closed Source Findings:
Telegram Channel “DataLeak_Official”:
– Threat actor “data_broker_47” publicly requesting company data.
– No actual data shared; purely reconnaissance.
– Channel has 4,782 members (potential buyer pool).
Exploit[.]in Forum:
– Actor “hacker_seller_89” seeking credentials and VPN access.
– Post from 2024-01-15; 342 views; 3 replies.
– Actor known from previous campaigns targeting similar industries.
IRC Channel #datamarket:
– Direct conversation between buyer and seller about Jira/Confluence access.
– No confirmation of actual access sale.
– Jira/Confluence would provide internal project details and security issues.
Attribution:
– “hacker_seller_89” linked to initial access broker group “TA564”.
– Previously sold VPN credentials for manufacturing companies.
– Operating since late 2023.
3. Investigation Findings:
Internal Verification:
– Jira audit logs: No unauthorized access detected.
– Confluence audit logs: Normal patterns only.
– VPN logs: No unusual authentication attempts.
– No credential leaks detected in monitoring tools.
Threat Intelligence:
– Similar targeting observed for 3 other companies in our sector.
– No confirmed data sales for our company.
– Actors appear to be in information-gathering phase.
4. Containment Actions:
Monitoring Enhancements:
– Increased monitoring of Jira/Confluence access logs.
– Added actors to threat intelligence watchlist.
– Enhanced credential monitoring for associated emails.
User Awareness:
– Security team notified all employees about increased targeting.
– Reminder to report suspicious activity.
– Phishing simulation scheduled for next week.
5. Root Cause Analysis:
Primary Cause: External threat actors interested in company data.
Contributing Factors: Company is in high-value industry sector.
6. Business Impact:
Risk Level: MEDIUM – No actual compromise, but targeting indicates interest.
Reputational Impact: None.
7. Remediation & Prevention:
Completed Actions:
– Threat actors added to watchlist.
– Enhanced monitoring implemented.
– User awareness completed.
8. Conclusion:
This incident involved threat actors actively seeking company data on closed sources. While no actual data leak occurred, the targeting indicates reconnaissance for potential future attacks. Enhanced monitoring and user awareness have been implemented.
Closure Rationale: No data leak; enhanced monitoring in place.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-09 11:00 EST