IronNet’s 2022 Annual Threat Report

Threat Research from the IronNet Ecosystem

Our Annual Threat Report shares unique observations and analysis from our Threat Research Team, combined with intelligence drawn from the vast telemetry of the IronNet ecosystem and the services we offer. This provides crucial insight into the ever-evolving cyber threat landscape so security teams can be more proactive in their defenses while we continue to move the community together to collectively defend against cyber threats.


Download the Report
Nation-State Analysis

Analyzing the Geopolitical-Cyber Threat Landscape 

The interrelationship between the geopolitical and cyber threat landscapes became unavoidably clear this year as Russia invaded Ukraine, highlighting the importance of tracking government actions and international relations to assess their potential implications in the cyber domain.

In our Annual Report, we analyze the geopolitical and cyber activity of the Big Four (Russia, China, Iran, & North Korea) and provide actionable recommendations to avoid compromise by these countries' APTs. We also provide insight into 2022 ransomware trends and the Collective Defense response to the war.

2022 with the Big Four
With special analysis of:

2022 Adversary infrastructure trends

Attack Infrastructure Trends and TTPs


Our analysis of adversary infrastructure trends is drawn from data produced by IronNet’s proactive threat intelligence feed IronRadar. In our report, we provide insight into adversary infrastructure trends, including breakdowns of the top countries, cloud providers, and domain registrars hosting IronRadar-detected C2 servers, as well as new evasive tactics by threat actors.

14,802 unique Cobalt Strike indicators detected

20,953 unique malicious indicators detected

Will Sliver rival Cobalt Strike as fastest growing C2 framework among threat actors?

IronNet analysts have observed an increase in Sliver detections over the past several months, including a nearly 25% increase in December 2022 alone.

IronNet Detection SpotLights

An inside look at notable IronNet detections from 2022

The telemetry analyzed in these case studies is drawn from our network detection and response (NDR) platform IronDefense and automated Collective Defense platform IronDome.

Defending the Black Hat Conference Networks: Asia, U.S., and Europe
  • WordPress infection campaign at Black Hat Asia
  • North Korean malware at Black Hat USA
  • Arechclient2 info-stealer at Black Hat EU

MUMMY SPIDER Uses Emotet to Test New Tactics for Future Attacks
  • Thread hijacking attack targets Asia Pacific organization with Emotet malware
  • Emotet C2 infrastructure trends

China Chopper Targets M&A Infrastructure of U.S. Software Company
  • Unique MS SQL bypass technique
  • Shack2 and China Chopper webshells
2022 in the IronDome

Correcting fundamental problems in how we share cyber threat intelligence

As a Collective Defense platform, IronDome bypasses the latency and bureaucracy faced by typical intel-sharing groups by anonymously sharing real-time attack intelligence with participant organizations.

17,367 total alerts correlated in IronDome

15,455 alerts correlated between 3+ participants


Collective Defense Spotlights


IronDome automatically and anonymously shares all malicious activity in organizations’ networks and generates alerts when similar activity is detected in another environment. In this way, IronDome enables analysts at different organizations to instantaneously collaborate on shared threats and equips them with the proactive intelligence they need to stop intrusions in their tracks.

A targeted attack against multiple European colleges was correlated in the Education and EU IronDomes and greatly reduced triage time for impacted organizations.

The detection of a malicious file download from a fraudulent Zoom installer in the Finance IronDome led to the quick identification of the same activity in the network of a Healthcare IronDome participant two months later.

A malicious alert detected while defending the NOC at Black Hat Europe 2022 led to the identification of the same activity across at least nine different enterprises in the U.S., Asia, and the Middle East.
