National Threat Research Services
An Urgent Call to All Organisations
Mossé Security is urgently inviting all Australian organisations to join us in the fight against cyber criminals and nation-state sponsored illegal activities. We are committed to nationwide cyber defence and highly equipped with capabilities that are otherwise unavailable to most organisations. Therefore, Mossé Security is making an urgent invitational call to any and all Australian organisations that want to contribute to stopping cyber crimes by accepting our offer of free-of-charge, threat research services. Let’s work together to help stop cyber crimes against our good nation.
We are fighting against cyber adversaries who compromise the networks of hundreds of organisations every year. They steal intellectual property, personal information and business documents. They hold companies ransom and blackmail executive teams. In too many cases, their activities go unpunished which in turn only entices them to be more aggressive.
For most Australian organisations, the cost of reverse-engineering malware, tracking attack campaigns, performing structured intelligence analysis and deanonymising threat actors is too high. The business case for these investments is not properly understood and is therefore not acted on by business leaders.
What Do We Do in Threat Research?
One of the most effective ways to detect advanced adversaries is by making a copy of every piece of software that executes in your network for a certified security analyst to analyse. Adversaries may go undetected for months or years, but if we have a copy of their malware, then we are guaranteed to find them.
One piece of malware leads us to another and another until all of their toolkits are identified. At that point, detections may be written, law enforcement may be notified, and solutions may be put in place that make it incredibly difficult for the adversaries to reuse the same tools and tactics to regain access to a network or compromise somebody else.
In some cases, it may be possible to get the adversaries arrested and put an end to their activities once and for all.
This process is called Threat Research and it takes hundreds of man-hours from trained security analysts to perform.
How to Come on Board and Participate?
Organisations that see the high value of our offer and who are keen to participate must upload executables seen in their networks into our datacentre in order for Mossé Security to perform threat hunting and research.
Some of the partners who have already onboarded to participate in this service use it in the following ways:
- They upload all the executables from machines they suspect to have been compromised before any formatting and system recovery is performed
- They periodically upload all the executables from their top 100 machines twice a year for due diligence purposes
- They configure their machines to automatically upload new executables never seen before into Mossé Security’s infrastructure
Added Benefits You Will Receive from our Threat Research Service
- Incident Notifications: the moment our team confirms that one of the executables seen on your network is malicious then we will notify you and organise a teleconference call to handle the incident.
- Australian Threat Intelligence: Mossé Security is the only Australian company to invest significant resources into producing threat intelligence on the adversaries that target Australia. By joining this programme, any threat that we discover will be tested against your files. In short, we will act as your private threat intelligence partner.
- Insights: Via our reports and security advisories, you will receive insights into cyberattack campaigns delivered against Australian organisations and advice on where security investments may need to be considered.
Why is This Service Free?
Mossé Security delivers numerous paid threat hunting exercises and breach assessments per year for customers that want to receive dedicated worktime from our security analysts for due diligence, risk mitigation and incident response purposes.
Our reasons for offering such a valuable service at no charge are quite simple. Firstly, organisations that hesitate to invest in consistent threat research generally underestimate how much loss it can save them from. Secondly, we can share our threat detections across organisations, reduce the cost of expert security services, and deliver a service that can benefit thousands of organisations nationwide.
Frequently Asked Questions
What Files Do We Need To Offer This Service To Your Organisation?
The file extensions that we scan for are:
".acm", ".ax", ".cpl", ".dll", ".drv", ".efi", ".exe", ".mui", ".ocx", ".scr", ".sys", ".tsp", ".vbs", ".ps1", ".bat", ".js", ".vb", ".vbe", ".wsc", ".wsf", ".wsh", ".psd1", ".psm1", ".ps1xml", ".clixml", ".psc1", ".pssc", ".dump", ".www", ".ct", ".lnk", ".hta", ".crt", ".msc", ".bas", ".cmd", ".com", ".chm", ".tmp", ".jse", ".psc2", ".ps2xml", ".inf", ".pif", ".application", ".gadget", ".ws", ".msh", ".msh1", ".msh2", ".mshxml", ".msh1xml", ".msh2xml", ".reg"
We also give you direct access to our API along with its documentation so that you may write your own upload tool if ours doesn’t meet your requirements.
Our tool is provided with full source code access under GPLv3 licence.
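As an added example, not Mossé Security's tool or API (whose details are not on this page), the following collector applies the extension list above and keeps a local record of SHA-256 hashes so that only files never seen before are queued, matching the periodic and automatic upload workflows described earlier. The sample directory layout in the comments is constructed; the hash record would in practice be persisted between runs.

```python
"""Collect not-yet-seen executables for submission to a threat research service."""
import hashlib
import os
from pathlib import Path

# Extension list taken from the page's FAQ; matching is case-insensitive so
# CALC.EXE and setup.Exe are both caught.
SCANNED_EXTENSIONS = frozenset(
    ".acm .ax .cpl .dll .drv .efi .exe .mui .ocx .scr .sys .tsp .vbs .ps1 .bat "
    ".js .vb .vbe .wsc .wsf .wsh .psd1 .psm1 .ps1xml .clixml .psc1 .pssc .dump "
    ".www .ct .lnk .hta .crt .msc .bas .cmd .com .chm .tmp .jse .psc2 .ps2xml "
    ".inf .pif .application .gadget .ws .msh .msh1 .msh2 .mshxml .msh1xml "
    ".msh2xml .reg".split()
)


def is_candidate(path) -> bool:
    """True when the final extension is one the service scans for.

    Path.suffix keeps only the last extension, so 'invoice.pdf.exe' -> '.exe'
    is a candidate while 'tool.exe.zip' -> '.zip' is not.
    """
    return Path(path).suffix.lower() in SCANNED_EXTENSIONS


def sha256_file(path, chunk_size=1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_new_executables(root, seen_hashes):
    """Walk `root` and return {sha256: path} for candidate files not in `seen_hashes`.

    `seen_hashes` is the local record of what has already been uploaded (a
    constructed set here). Identical files under different names collapse onto
    one hash, so only one copy is queued. Symlinks and files that cannot be
    read (locked, permission denied) are skipped rather than aborting the walk.
    """
    new = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not is_candidate(full):
                continue
            try:
                file_hash = sha256_file(full)
            except OSError:
                continue
            if file_hash not in seen_hashes and file_hash not in new:
                new[file_hash] = full
    return new
```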
What’s the Difference Between Mossé Security Threat Research and Virus Total?
Uploading suspicious files to Virus Total (VT) is not recommended by us as a course of action against threats:
- Adversaries monitor VT to see whether their victims have discovered them. When you upload files to VT you risk tipping them off and prompting them to clean up all valuable forensic traces
- VT shares your files with over 70 anti-virus companies who will not contact you to handle the incident in a professional manner even when their product identifies your file as malware
- The results displayed on VT do not provide the insights you need to properly assess the impact of a malicious file. What if only 2 out of 70 anti-virus products detect the malware? Are you going to treat the file as a false positive? Furthermore, the labels these companies assign to malware do not tell you what it is capable of. A file marked as “low risk” may still give the person behind the keyboard remote command execution!
Virus Total could potentially be a good tool for security analysts who have received formal training in interpreting its output properly. Laypeople would do well to avoid basing any major security decisions on this tool’s output.
Can Threat Intelligence Feeds Produced by this Service be Purchased?
Mossé Security does not sell the results of its research.
Nor do we share our YARA rules, the C2 domain names we’ve identified, the MD5 hashes, or any newly identified malware techniques with third-party vendors.