2022.06 Release Notes

STATUS: RELEASED

Threat Intelligence Portal

• Improved user experience by adding top-level search function across alerts and tickets
• Improved user experience by adding and updating error messages across the Threat Intelligence Portal
• Over the coming months, you will see the following Product tab releases:

          - “Articles” and “Platinum Alert Service” will be merged into Threat Insights

          - “CIRK” will be renamed Remote Forensics

          - “Crimeware” will be renamed Investigation and will be upgraded with an IOC search interface, and an interactive Threat Cloud

          - “Drop Data” will be renamed Compromised Data

          - “PhishDB” will be renamed Anti-Phishing

Please see our press release for more information:

https://csis.com/csis-s-latest-news-and-announcements/csis-launches-new-threat-intelligence-portal/ 

Cyber Threat Intelligence

Cyber Defense Feed:

• Improved detection by adding TLS certificate information as an additional data augmentation source for suspicious domains

Managed Detection & Response

• Improved user experience by adding a new incident classification a “Near Miss”

Explained:

The "Near Miss" is a classification specifically targeted towards providing more clear reporting to the customers. The "Near Miss" allows us to define incidents as successful or not without the severity classification change as a result.

A "Near Miss" is a potential incident in which there was no damage, privilege escalation, lateral movement, data leak, or significant security consequence, but where, given a slight shift in time, environment, or mitigations in place, damage or security consequences could have occurred. In short, a near-miss is a failed attack.

Further, the "Near Miss" classification will allow us to explain the potential impact of an incident, no matter the technical skill level. Likewise, the amount of failed attacks or near-misses against an organization can be utilized to determine both the threat-level that organization faces, as well as help, expose and identify if there are obvious weaknesses with security posture that are leading to a high number of near misses.

Concrete examples where “Near Miss” would apply (also see exemplary incidents at the bottom of the mail):

1. Malware was introduced to a customer system via USB, but the execution was blocked by Group Policy or MDE.
2. A Phishing URL was clicked by a user but was blocked via IPS systems.
3. A customer’s web app was subject to brute force attempts, but a Web Application Firewall rate-limited and ultimately blacklisted the offending IPs before the attackers could gain working credentials. (Similar cases are often seen with Azure AD where the user account is locked after X amount of attempts/attempts from known malicious IP’s)
4. An attacker with valid credentials attempted to log in to a customer’s VPN but was prevented by MFA policy.

More generally: 

1. “An attack happened, but had no impact because of X”
2. “An attack was attempted, but was prevented because of X”

CIRK

• Improved user experience by updating the CIRK Download page

Other

• Internal improvements