SYNAPSE: Offensive Operator Cyber Intelligence Platform
The SYNAPSE Cyber Intelligence Platform articulates trends in open source offensive operator tooling and publicly available exploitation methods that are likely to be adopted by sophisticated adversaries. SYNAPSE is a human-machine teamed solution that harnesses advanced automation to locate, assess, classify and correlate offensive behaviors popular within the cyber security community. Using this automation, human defenders can anticipate the attack behaviors their organizations are likely to face from state-sponsored actors and sophisticated criminal syndicates. The outputs produced by SYNAPSE could take a team of open source intelligence (OSINT) analysts weeks to yield, provided the necessary in-house skills even exist. SYNAPSE reduces the demand for these specialized skills by providing highly curated OSINT signals, making predictive cyber intelligence accessible to all organizations. Organizations able to anticipate adversary trajectories before they become offensive campaigns can significantly reduce their exposure, the window in which a newly public technique remains unmitigated, compared with traditional reactive measures.
Product sheet download: synapse-product-brief.pdf (3659 kb)
Through extensive research, Cyber Mongol determined that advanced adversaries pay particularly close attention to the cyber security community for tooling and techniques to fold into their offensive operations. Adversaries shorten the time between offensive campaigns by leveraging innovative research produced by security professionals, modifying publicly available code rather than developing exploitation methods from scratch. This also provides a degree of anonymity, since widely shared tooling is harder to attribute than custom malware and bespoke exploitation methods. Other security vendors have noticed the same trend and validated our research in various threat reports.
CLEARSKY’s report on Iranian threat actors who effectively leverage 1-day exploits to attack IT systems.
“Iranian APT groups have developed good technical offensive capabilities and are able to exploit 1-day vulnerabilities in relatively short periods of time, starting from several hours to a week or two [1].” - CLEARSKY
Microsoft’s threat intelligence team describes GADOLINIUM’s activities and its close observation of the security community.
“GADOLINIUM is a nation-state activity group that has been compromising targets for nearly a decade with a worldwide focus on the maritime and health industries. As with most threat groups, GADOLINIUM tracks the tools and techniques of security practitioners looking for new techniques they can use or modify to create new exploit methods [2].” – Microsoft
Looking at the two examples above, SYNAPSE would have provided a valuable early warning system in both cases. SYNAPSE’s sensing technology is able to spot trends in publicly available exploits, sometimes weeks ahead of warnings issued by authoritative sources. One recent example: SYNAPSE issued an early warning for CVE-2020-5902 (F5 Networks BIG-IP) and predicted mass exploitation 15 days ahead of the Cybersecurity & Infrastructure Security Agency. When it comes to migrations between offensive tool sets, SYNAPSE can sometimes see these changes six months before they appear in adversary campaigns. Examples of these articulations, each initiated by signals generated by the SYNAPSE platform, can be found in the “Operator Research” section of our website.
SYNAPSE leverages advanced sensing technology dispersed throughout the security community, monitoring key areas of the ecosystem for emerging offensive trends. Once a trend is found, SYNAPSE decides whether it should be ingested into the system, based on a dynamic set of criteria. This results in curated signals representative of the emerging threat landscape, together with access to the underlying signals themselves (source code, blog posts, etc.). SYNAPSE uses graph theory to map the cyber security ecosystem and analyzes the connections between various exploit tools and methods. Understanding which exploit tools and methods are related to others provides valuable context for an analyst assessing these signals: tools and methods connected to well-known, highly adopted exploitation methods indicate a significantly higher chance of adversary adoption and method efficacy. Moreover, signals ingested by SYNAPSE are classified and tagged by the offensive behaviors they embody. The SYNAPSE user interface presents these connections in an intuitive graph format, showing an offensive signal, its associated offensive signals, and the associated behaviors. Analysts can navigate the user interface by trending signals, behavior type or keyword search.
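To make the graph idea concrete, here is an added toy illustration (not SYNAPSE code, and not how its ingestion or scoring actually works) of how behavior tags plus graph adjacency can prioritize emerging offensive signals. The signal names, behavior tags, adoption values, edges and the 50/50 weighting between a signal’s own adoption and its best-connected neighbor are all constructed assumptions for the example.

```python
# Added illustration, not SYNAPSE's implementation: a small "signal graph" in
# which low-adoption signals are prioritized by their links to highly adopted ones.

# Constructed sample signals. Names are hypothetical placeholders, not real
# projects; "adoption" is an assumed 0..1 measure of community uptake.
SIGNALS = {
    "cred-dumper-lib":        {"behaviors": {"credential-access"},            "adoption": 0.95},
    "lateral-move-kit":       {"behaviors": {"lateral-movement"},             "adoption": 0.80},
    "new-poc-vpn-rce":        {"behaviors": {"initial-access", "exploitation"}, "adoption": 0.10},
    "new-bypass-loader":      {"behaviors": {"defense-evasion"},              "adoption": 0.15},
    "isolated-research-tool": {"behaviors": {"reconnaissance"},               "adoption": 0.10},
}

# Constructed undirected edges: one signal forks, imports or cites another.
EDGES = [
    ("new-poc-vpn-rce", "lateral-move-kit"),
    ("new-bypass-loader", "cred-dumper-lib"),
    ("lateral-move-kit", "cred-dumper-lib"),
]


def build_graph(edges, signals=SIGNALS):
    """Adjacency sets for every known signal (isolated signals get an empty set)."""
    graph = {name: set() for name in signals}
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def priority(graph, name, signals=SIGNALS):
    """Assumed heuristic: half the signal's own adoption, half its best-adopted neighbor.

    A brand-new PoC wired into a widely used kit therefore outranks an equally
    new but isolated research tool, which is the intuition the page describes.
    """
    own = signals[name]["adoption"]
    neighbors = graph.get(name, set())
    if not neighbors:
        return round(own, 3)
    best_neighbor = max(signals[n]["adoption"] for n in neighbors)
    return round(0.5 * own + 0.5 * best_neighbor, 3)


def rank_emerging(graph, threshold=0.5, signals=SIGNALS):
    """Signals not yet widely adopted, ordered by how well-connected they are."""
    emerging = [n for n, s in signals.items() if s["adoption"] < threshold]
    scored = ((n, priority(graph, n, signals)) for n in emerging)
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def find_by_behavior(tag, signals=SIGNALS):
    """Browse by behavior type, e.g. every signal tagged 'credential-access'."""
    return {n for n, s in signals.items() if tag in s["behaviors"]}


def search(keyword, signals=SIGNALS):
    """Case-insensitive keyword search over signal names."""
    return sorted(n for n in signals if keyword.lower() in n.lower())


def describe(graph, name, signals=SIGNALS):
    """What an analyst would see for one node: its behaviors, related signals, score."""
    return {
        "signal": name,
        "behaviors": sorted(signals[name]["behaviors"]),
        "related": sorted(graph[name]),
        "priority": priority(graph, name, signals),
    }


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for name, score in rank_emerging(graph):
        print(f"{score:.2f}  {name}  related={sorted(graph[name])}")
```

Running the block ranks `new-bypass-loader` (linked to a highly adopted credential-dumping library) above `new-poc-vpn-rce`, with the unconnected research tool last, even though all three have similar raw adoption. A production system would replace the hand-built adoption numbers with measured signals (stars, forks, citations, inclusion in frameworks) and the one-hop maximum with a proper centrality measure.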