Selki Threat Management System - Infostealer Detection


Overview

The Threat Management System provides comprehensive monitoring and detection of infostealer malware threats that may have compromised user credentials. This system helps organizations identify both internal employee compromises and external customer credential breaches through automated collection and analysis of infostealer logs.


Understanding the Threats List Interface

Main Dashboard

The Threats List dashboard displays all detected infostealer threats in a centralized table format. Key features include:

  • Active Threats: Currently open threats requiring attention (shown with count)
  • Closed Threats: Previously resolved threats that have been mitigated
  • Search Functionality: Full-text search across all threat data
  • Filtering Options: Filter by description, type, user, password, and collection date


Threat Categories by Type

Threats are categorized into three types:

  • Employees: Internal staff credentials that have been compromised
  • Customers: External customer credentials detected in infostealer logs
  • Others: Miscellaneous credential types


The Threats Table

Reveal the compromised username and password for a row by hovering your mouse cursor over the User or Password field.


Security Features

For security and privacy protection:

  • User and Password columns are blurred by default
  • Hover to reveal: Credentials become visible only when hovering over the specific field
  • This prevents accidental exposure (for example on a shared screen or in a screenshot) while still letting authorized personnel view the details they need

Note that the blur is a display control, not an access control: anyone who can open the Threats table can reveal the values, so access to the table itself should be limited to the staff who handle these incidents.


Risk Level Classification System

The system automatically categorizes threats into four distinct risk levels:

🔴 Critical

  • Trigger: Employee credentials have been compromised
  • Impact: Highest risk due to potential internal system access
  • Priority: Immediate attention required

🟠 High

  • Trigger: External customer credentials have been compromised
  • Impact: Customer data breach risk and reputational damage
  • Priority: Urgent response needed

🔵 Medium

  • Trigger: Infection occurred within the last 6 months
  • Impact: Recent compromise with active threat potential
  • Priority: Timely investigation recommended

🔵 Low

  • Trigger: Infection is older than 6 months
  • Impact: Historical compromise with reduced immediate risk
  • Priority: Can be addressed during routine security reviews
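The following is an added example, not Selki's code or data, showing how the four risk levels above can be applied to credential records pulled from infostealer logs. It makes assumptions the page does not state: stealer entries arrive in the common "URL / USER / PASS" text layout (a constructed sample is embedded); the Type is derived by a hypothetical rule (a login to the watched domain with a username on the organisation's email domain is Employees, any other login to the watched domain is Customers, everything else is Others); the four rules are evaluated top to bottom in the order listed, so Critical and High win over the date-based Medium and Low; and an unknown infection date is treated as recent (Medium), because an undated compromise cannot be shown to be stale. The names `parse_records`, `classify_type`, `risk_level`, `triage` and `example_levels` are this example's own.

```python
"""Parse stealer credential records and assign Critical/High/Medium/Low.

Added example, not Selki's own code. All rules marked 'assumption' below
are not stated on the page and are illustrative only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
from urllib.parse import urlsplit

SIX_MONTHS = timedelta(days=183)   # assumption: half a year approximated as 183 days
TODAY = date(2025, 8, 14)          # constructed reference date for the example

# Constructed sample in the common URL/USER/PASS layout; NOT a real stealer log.
SAMPLE_LOG = """\
URL: https://portal.example.nz/login
USER: alice@example.nz
PASS: Winter2024!

URL: https://my.example.nz/account
USER: bob.customer@gmail.com
PASS: hunter2

URL: https://shop.unrelated.com/signin
USER: carol@example.nz
PASS: P@ssw0rd

URL: https://forum.other.org/login
USER: dave@hotmail.com
PASS: letmein
"""

# Constructed infection dates keyed by USER; dave's record has none (unknown).
INFECTION_DATES: dict[str, Optional[date]] = {
    "alice@example.nz": date(2025, 6, 2),
    "bob.customer@gmail.com": date(2025, 7, 20),
    "carol@example.nz": date(2024, 11, 1),
}

@dataclass
class Threat:
    url: str
    user: str
    password: str
    domain: str
    type: str                       # "Employees", "Customers" or "Others"
    infection_date: Optional[date]  # None when the log does not record it

def parse_records(text: str) -> list[dict[str, str]]:
    """Split the log on blank lines and read KEY: value fields from each record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields: dict[str, str] = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")   # first colon only; passwords may contain ':'
            fields[key.strip().upper()] = value.strip()
        if all(k in fields for k in ("URL", "USER", "PASS")):
            records.append(fields)
    return records

def classify_type(url: str, user: str, watched_domain: str, org_email_domain: str) -> tuple[str, str]:
    """Return (domain, type). Assumption: type is derived from watched domain + email domain."""
    host = (urlsplit(url).hostname or "").lower()
    on_watched = host == watched_domain or host.endswith("." + watched_domain)
    if not on_watched:
        return host, "Others"
    if user.lower().endswith("@" + org_email_domain):
        return host, "Employees"
    return host, "Customers"

def risk_level(t: Threat, today: date) -> str:
    """Apply the four rules in the order the page lists them (assumption: first match wins)."""
    if t.type == "Employees":
        return "Critical"
    if t.type == "Customers":
        return "High"
    if t.infection_date is None or today - t.infection_date <= SIX_MONTHS:
        return "Medium"                     # recent, or undated and so not provably stale
    return "Low"

def build_threats(text: str, watched_domain: str, org_email_domain: str,
                  infection_dates: dict[str, Optional[date]]) -> list[Threat]:
    threats = []
    for rec in parse_records(text):
        domain, kind = classify_type(rec["URL"], rec["USER"], watched_domain, org_email_domain)
        threats.append(Threat(rec["URL"], rec["USER"], rec["PASS"], domain, kind,
                              infection_dates.get(rec["USER"])))
    return threats

def triage(threats: list[Threat], today: date) -> list[Threat]:
    """Order for review: highest level first, newest infection first within a level."""
    rank = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    return sorted(threats, key=lambda t: (rank[risk_level(t, today)],
                                          -(t.infection_date or today).toordinal()))

def example_levels() -> dict[str, str]:
    """Run the sample through the pipeline; returns {user: level} in triage order."""
    threats = build_threats(SAMPLE_LOG, "example.nz", "example.nz", INFECTION_DATES)
    return {t.user: risk_level(t, TODAY) for t in triage(threats, TODAY)}

if __name__ == "__main__":
    for user, level in example_levels().items():
        print(f"{level:<8} {user}")
```

With the sample above, alice (employee login on the watched domain) comes out Critical, bob (external customer on the watched domain) High, dave (Others, no infection date) Medium and carol (Others, infected more than six months before the reference date) Low. Swap the domain rule or the date handling to match whatever the real feed provides; the point is that the date-based levels only matter once the type-based ones have not fired.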


Common Infostealer Families

The system detects various infostealer malware families, each with distinct characteristics:

Lummac2 (also written LummaC2)

  • Type: Credential-harvesting malware sold as malware-as-a-service
  • Targets: Saved browser logins, session cookies, browser data, cryptocurrency wallets
  • Distribution: Commonly spread through malvertising, fake software cracks and fake "verify you are human" pages that trick the user into running a command, as well as malicious attachments and compromised websites
  • Detection: One of the families that appears most frequently in the Threats table


Other Common Families

Other infostealer families that commonly appear in collected logs include:

  • Redline: Popular credential stealer targeting browsers and applications
  • Vidar: Focuses on browser data, cryptocurrency wallets, and system information
  • Raccoon: Comprehensive data stealer with modular capabilities
  • Mars: Browser-focused stealer with cryptocurrency wallet targeting
  • Azorult: Multi-purpose stealer with data exfiltration capabilities


Threat Details View

Accessing Detailed Information

Click on any threat to open the detailed view panel, which provides:

Key Threat Attributes

  • Threat ID: Unique identifier for tracking (e.g., CM9LACKYZ005HYPYNK2X0S2KT)
  • Status: Current state (Open/Closed)
  • Family: Specific malware variant (e.g., Lummac2)
  • Type: Category classification (Employees/Customers/Others)
  • Threat Level: Risk assessment (Critical/High/Medium/Low)
  • Watcher: Monitoring source (e.g., 2Degrees)
  • Domain: Affected domain (e.g., 2degrees.nz)
  • Full URL: The login URL at which the credential was captured
  • Collection Date: When the threat was first detected
  • Infection Date: When the initial compromise occurred (if known)
  • IP Address: IP address of the infected machine as recorded in the stealer log (may be Unknown)


Threat Management Workflow

1. Detection and Triage

  • Threats are automatically collected and categorized
  • Risk levels are assigned based on the classification criteria
  • New threats appear in the Active Threats list


2. Investigation

  • Security teams review threat details
  • Analyze infection paths and affected systems
  • Determine scope of compromise


3. Mitigation

  • Reset compromised credentials and invalidate existing sessions and tokens, since infostealers also exfiltrate browser session cookies that remain valid after a password change
  • Remediate the infected endpoint before or alongside the credential reset; otherwise the new credentials can be stolen again
  • Implement additional security measures (for example, enforce multi-factor authentication on the affected accounts)
  • Notify affected users if necessary
  • Document remediation actions


4. Closure

  • Mark threats as "Closed" after successful mitigation
  • Threats move from Active to Closed status
  • Maintain records for compliance and reporting


Search and Filter Capabilities

Search Functions

  • Global Search: Search across all threat data fields
  • Real-time Results: Instant filtering as you type
  • Comprehensive Coverage: Searches descriptions, URLs, domains, and metadata


Filter Options

  • Description: Filter by threat description or malware family
  • Type: Filter by Employee, Customer, or Other categories
  • User: Search for specific compromised usernames
  • Password: Filter on the captured password field
  • Collection Date: Filter by when threats were detected
  • Actions: Filter by available actions or status


Best Practices

Regular Monitoring

  • Review Active Threats daily, prioritizing Critical and High-risk items
  • Monitor trends in infostealer family distribution
  • Track closure rates and response times


Incident Response

  • Establish clear escalation procedures for Critical threats
  • Maintain communication protocols for customer notification
  • Document all remediation actions for compliance


Preventive Measures

  • Implement user security awareness training
  • Deploy endpoint detection and response (EDR) solutions
  • Maintain updated antivirus and anti-malware protection
  • Run regular security assessments and penetration tests


Reporting and Analytics

The system provides insights into:

  • Threat volume trends over time
  • Most common infostealer families
  • Response time metrics
  • Risk level distribution
  • Affected domain analysis

Updated on: 14/08/2025
