Red Sky Alliance: CTAC Cyber Threat Intelligence

Threat intelligence and Indicators of Compromise (IoCs) associated with malicious cyber activity

Description:

Red Sky Alliance (Wapack Labs Corp.) is a privately held, US-owned cyber threat intelligence firm that delivers proprietary intelligence data, analysis, and in-depth strategic reporting.

Sample Use Cases:

Red Sky Alliance can identify possible malware installations using either our botnet tracker collection or our sinkhole traffic collection. Red Sky Alliance collection data can also identify threats such as malicious emails, data breaches, phishing, and more. In many cases it can also identify the malware protocol, which yields high-confidence hits. This threat intelligence includes IP addresses, domains, URLs, email addresses, and similar indicators. The tables and their fields consist of, but are not limited to:

Botnet Tracker table:
  • Attribution – Known malware attribution
  • C2 – Endpoint the source IP connected to: an IP, domain, or URL
  • Indicator – Bot source IP
  • Indicator_type – ipv4addr
  • Indicator_context – One of botnet_ip, proxy_ip, or sinkholed_ip
  • Last_seen – When indicator last observed
Breach Data table:
  • Breach_date – Date the breach data was originally observed
  • Breach_line_data – Raw data from a line in the source file, usually a username and password combination
  • Breach_name – Name of the breach, if known
  • Raw_data_file – Name of the raw file containing the breach data
Keylogger table:
  • Attacker_server – Name of the keylogger endpoint from which output was observed
  • First_seen – When keylogger output was first observed
  • Indicator – Indicator extracted from keylogger output
  • Indicator_context – Context in which the keylogger indicator was observed: keylogged email, portal, etc.
  • Indicator_type – Indicator type
  • Username – Username credential captured by the keylogger, if applicable
  • Victim_src_ip – IP address observed sending keylogger output. Despite the name, this IP does not always represent a victim; for example, it may belong to a host sending non-keylogger data to the same endpoint
Malicious Emails table:
  • Detection – Number of positive antivirus detections
  • Indicator – Indicator extracted from the email header
  • Indicator_context – Additional context on the indicator, defines the indicator in the context of the email header
  • Reference – Source of the malicious email
Pastebin table:
  • First_seen – When indicator first observed
  • Indicator – Indicator extracted from paste
  • Indicator_type – Indicator type
  • Reference – URL for paste (may not resolve if paste taken down)
Sinkhole traffic table:
  • Attribution – Provides malware attribution or actor attribution for the sinkhole
  • Indicator – IP address checking into the sinkhole: the client-to-server IP (cs-ip in W3C extended log format terms)
  • Indicator_context – Always sinkhole_ip
  • Indicator_type – Always ipv4addr
  • Last_seen – When indicator last observed
Threat Recon table:
  • Attribution – Provides attribution information, if applicable
  • First_seen – When indicator first observed or processed
  • Indicator – Indicator observed by Wapack Labs or from open source
  • Indicator_context – Additional context on indicator to include kill chain phase (if known)
  • Reference – Reference for indicator
  • Root_node – Origin of the derived indicator; only applicable to Derived_ process types
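The Snowflake SQL below is an added illustration of how these tables are queried in practice, not a query shipped with the dataset. Query 1 hunts for infected hosts: in both the botnet tracker and sinkhole traffic tables the Indicator is the bot's own source IP, which for a customer means one of their public egress addresses, so it is matched against the NAT side of the customer's logs rather than against destinations; proxy_ip rows are excluded because a proxy node is weak evidence of a local infection. Query 2 checks the breach and keylogger tables for credentials belonging to the customer's domain. The database and table names (CTAC.PUBLIC.BOTNET_TRACKER, SINKHOLE_TRAFFIC, BREACH_DATA, KEYLOGGER), the customer log table MY_LOGS.NET.EGRESS with columns TS, SRC_NAT_IP and DST_IP, the user:password layout of breach lines, and the domain corp.example are all assumptions; the column names are the ones listed above.

```sql
-- Added example, not part of the Red Sky Alliance listing.
-- Assumed names: the share is mounted as database CTAC (schema PUBLIC) with tables named after
-- the listing's tables; our NAT/egress logs live in MY_LOGS.NET.EGRESS(TS, SRC_NAT_IP, DST_IP).

-- 1. Possible infections. The Indicator is the bot's source IP, i.e. one of our egress addresses,
--    so join on SRC_NAT_IP. A DST_IP that also equals the C2 value (when C2 is an IP rather than a
--    domain or URL) raises confidence for botnet tracker hits; sinkhole rows carry no C2.
WITH ioc AS (
    SELECT 'botnet_tracker' AS source, indicator, indicator_context, attribution, c2, last_seen
    FROM   CTAC.PUBLIC.BOTNET_TRACKER
    WHERE  LOWER(indicator_type) = 'ipv4addr'
    UNION ALL
    SELECT 'sinkhole_traffic', indicator, indicator_context, attribution, NULL, last_seen
    FROM   CTAC.PUBLIC.SINKHOLE_TRAFFIC           -- context is always sinkhole_ip, type ipv4addr
)
SELECT
    i.indicator                AS our_egress_ip,
    i.source,
    i.indicator_context,
    i.attribution,
    i.last_seen,
    COUNT(*)                   AS log_lines,
    COUNT_IF(l.dst_ip = i.c2)  AS c2_matches,    -- 0 for sinkhole rows and for domain/URL C2s
    MAX(l.ts)                  AS last_log_ts
FROM   ioc i
JOIN   MY_LOGS.NET.EGRESS l
       ON  l.src_nat_ip = i.indicator
       AND l.ts BETWEEN DATEADD(day, -7, i.last_seen) AND DATEADD(day, 1, i.last_seen)
WHERE  i.last_seen >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  i.indicator_context <> 'proxy_ip'         -- proxy nodes: weak evidence of a local infection
GROUP  BY 1, 2, 3, 4, 5
ORDER  BY c2_matches DESC, last_log_ts DESC;

-- 2. Exposed credentials for our domain. Breach_line_data is raw text (usually user:password),
--    so it is searched case-insensitively; the keylogger table has a parsed Username column.
SELECT breach_date::TIMESTAMP_NTZ                 AS seen,
       breach_name                                AS origin,
       raw_data_file                              AS context,
       SPLIT_PART(breach_line_data, ':', 1)       AS account   -- assumes user:password layout
FROM   CTAC.PUBLIC.BREACH_DATA
WHERE  breach_line_data ILIKE '%@corp.example%'
UNION ALL
SELECT first_seen::TIMESTAMP_NTZ,
       'keylogger:' || attacker_server,
       indicator_context,
       username
FROM   CTAC.PUBLIC.KEYLOGGER
WHERE  username  ILIKE '%@corp.example%'
   OR  indicator ILIKE '%corp.example%'
ORDER  BY seen DESC;
```

The seven-day lookback around Last_seen and the 30-day freshness window are tunable; widen them when egress logs are sparse. For keylogger hits, do not treat Victim_src_ip as proof of a compromised host on its own (the listing notes it may not be a victim); confirm against endpoint telemetry before opening an incident.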

About the Provider:

Red Sky Alliance is a cyber threat intelligence firm that delivers proprietary intelligence data, analysis and in-depth strategic reporting. We deliver insightful, actionable cyber threat intelligence in formats best suited to your strategic, operational, and tactical needs.

Get access to the Red Sky Alliance: CTAC Cyber Threat Intelligence Dataset in Snowflake
