1. Introduction

Black Cell’s mission is to stay ahead of cybercriminals, particularly those targeting blockchain and cryptocurrency ecosystems. These sectors face unique adversarial tactics due to their decentralized nature and high-value assets. To provide precise, actionable recommendations, it’s crucial to analyze both your infrastructure and the tactics, techniques, and procedures (TTPs) employed against other organizations in the blockchain space. By mapping these TTPs to the MITRE ATT&CK framework, we deliver a heatmap highlighting the most significant threats to your environment.

2. Sector-Specific Analysis of Adversary TTPs

Effective threat intelligence hinges on its capacity to preempt attacks with robust mitigations. Using frameworks like David Bianco’s Pyramid of Pain, we focus on detecting and mitigating adversarial TTPs rather than just tools, forcing attackers to adapt their methods. This approach ensures you receive insights to prioritize efforts that disrupt adversaries targeting blockchain environments.

2.1. Methodology

Our analysis aggregates data from diverse, high-quality sources relevant to blockchain and cryptocurrency, using techniques such as:

  • OSINT with Google Dorking for public insights.
  • Deep web searches using SearX and CTI platforms to access data from TOR, I2P, and other sources.
  • Incident mapping to identify tools, malware, and TTPs utilized in sector-specific cyberattacks.

This research also identifies threat actors such as APTs and cybercriminal groups operating within the blockchain space. Their profiles include tools, malware, and exploitation methods, mapped to the ATT&CK framework. Additionally, we examine security gaps that led to previous successful attacks, applying these lessons to assess your vulnerabilities.

Steps of the Methodology:

  1. Identify major cyber incidents targeting blockchain/cryptocurrency.
  2. Collect data about attack vectors, tools, and methods used.
  3. Map findings to the MITRE ATT&CK framework.
  4. Build profiles of relevant threat actors.
  5. Assess and map security gaps to ATT&CK techniques.

Scoring and Heatmap Generation

Each threat is evaluated on:

  • Impact (1–5): From minor disruptions to risks to systemic financial stability.
  • Evasion (1–5): From basic signature-detection evasion to advanced techniques.
  • Complexity (1–5): From script kiddies to adversaries crafting custom malware.
  • Success (1–5): Level of historical execution success.
  • Accuracy Multiplier: Reflecting confidence in data validity.

These scores are normalized (1–7) to prioritize critical threats and displayed on a heatmap to focus on the most severe risks in blockchain and cryptocurrency security.

Below you can find the MITRE ATT&CK heatmap of the Cryptocurrency sector. Red techniques indicate critical threats to this sector, while green techniques are less severe.

(For full size view open the image in a new tab or save image.)

Author

Tibor Luter

Tibor Luter

FUSION CENTER MANAGER

Related Posts

User vulnerabilities, threat hunting and MDATP

User vulnerabilities, threat hunting and MDATP

by | May 19, 2020 |

For almost every organization security is important, no matter that we are talking about physical security or digital. This fact won’t be written over neither the type of the organization/company nor the size of it. In the digital world often we make the mistake that we lay back behind the safety of firewall, antivirus and email filers. And not caring about the education of our employees in information security.

Transforming Splunk to a semi-SOAR platform

Transforming Splunk to a semi-SOAR platform

by | Apr 29, 2020 |

SOAR (Security Orchestration, Automation and Response) is a solution stack of compatible software programs that allow an organization to collect data about security threats from multiple sources and respond to low-level security events without human assistance. The goal of using a SOAR stack is to improve the efficiency of physical and digital security operations.

Pin It on Pinterest