Skip to content

The TIDE: Threat-Informed Defense Education (Moonstone Sleet, DarkGate, SocGholish, DiceLoader, and new product coverage)

  • June 3, 2024

Last week, Scott Small, our Director of Cyber Threat Intelligence, wrote a blog about what he and his team were seeing with some recent threats and what we put into our platforms. We have decided to level this up and expand from simply talking about the “Threats of the Week” to also talking about all things Threat-Informed Defense. Threat will remain the cornerstone of the story, after all you can’t have Threat-Informed Defense without the threat, but you also can’t have it without defense. This is where my team’s experience will come in full force, as we can leverage its experience working with and evaluating vendors.  

So, we now bring you “The TIDE”, our Threat-Informed Defense Education blog. It’s our way of giving you the best information we can to help you understand why Threat-Informed Defense is critical to understanding your defenses now. 

As most of you will recognize, we have both our Community and Enterprise editions because we want to help everyone stay up to date with the most recent adversary activity and explain what solutions exist to defend against them. While our Enterprise customers get the tools Enterprises need to do this at scale, where community does not, we thought this blog might be a good way of highlighting notable research and content the team Tidal Cyber Adversary Intelligence Team is creating on a continual basis for our customers. You have gotten to see great minds like Scott Small and Ian Davila on the conference circuit, and now they and others will be sharing their unique perspectives relative to MITRE ATT&CK® mappings, our research, threat and defensive intelligence, and partner research.  

Preamble aside, here is this week’s The TIDE:

Threat Highlights 

  • Moonstone Sleet: Exclusively for our Enterprise users, we’ve provided new group, campaign and software objects around a newly identified North Korean espionage and financially motivated actor. Researchers assess the group is expanding its capabilities, possibly to conduct disruptive operations and/or software supply chain attacks. Defending against the group's extensive social engineering and stealthy payload execution techniques could help mitigate against the risks of its evolving long-term objectives. 
  • Law Enforcement Action: International authorities carried out a massive sting, disrupting several prominent malware used as precursors in ransomware & criminal attacks. As we’ve seen countless times before, resilient criminals will typically shift to new malware (or regroup after some time). We’ve added and updated content around several other major/emerging precursor threats, such as DarkGate, SocGholish, and DiceLoader (aka Lizar). 

Defensive Highlights 

  • New Modeled Products: A unique capability available to our Enterprise users is our ability to model different solutions – ensuring you get a base understanding of what YOUR capabilities can do to help your ATT&CK coverage. As part of this effort, we released four new modeled products for our users’ defensive stacks so they can build their own defenses if they do not have them:  
    • Honeypots and Canary Tokens Models for deception-based technologies 
    • SSL Inspection for telemetry products that provides visibility into SSL traffic 
    • Personal Identity Protection for products that provide protection to individuals 

Side note: Our lead on defensive intelligence, Ian Davila, is in London at Infosecurity Europe this week, so stop by stand C55 to chat with him. 


Data-Driven Threat-Informed Defense

Meet Tidal Enterprise Edition

Quickly and easily develop custom threat profiles and defensive stacks, see your coverage and identify gaps and redundancies, and get daily recommendations to improve your cybersecurity posture.