2017 is almost over and it’s safe to say our NTT Security bloggers have had a lot of expertise to share over the last 12 months. Here is a round-up of our most shared posts:
If you’ve watched the film Fight Club, you’ll know the rules of Fight Club. In the most shared technical post of the year, Chad Kahl lets you in on the rules for Threat Intelligence Club:
The first rule of threat intelligence is: you need to understand what "intelligence" truly means.
The second rule of threat intelligence is: you MUST talk about threat intelligence ACCURATELY!
Third rule of threat intelligence: you must talk about threat intelligence with the right people.
Fourth rule: nothing exists in a bubble. There are always multiple factors to consider.
Fifth rule: a data feed does not equal Intelligence.
Sixth rule: no analysis = no intelligence.
Seventh rule: The production and application of threat intelligence is cyclical.
There’s an eighth rule too: it may not be cheap or easy, but you need proper threat intelligence.
Memory analysis is extremely important in incident response, malware analysis and reverse engineering to examine memory of an infected system. It can help identify malicious code and explain how the specimen was used on the suspect system.
When performing memory analysis on a suspect system, our expert Jeremy Scott tries to answer some simple questions in an attempt to identify malicious code. In this blog post, he performs memory analysis using Volatility, an open-source memory forensics framework.
The bottom line? Memory analysis is a powerful technique and, with a tool like Volatility, it is possible to find and extract forensic artefacts from a memory image.
Web applications are key to any organisation's digital transformation plans, but they are coming under increasing attack from hackers, cybercriminals and even nation states. In fact, web app attacks were the top attack category last year, comprising 16% of all cyber-attacks identified by NTT Security globally.
Hackers increasingly view the application layer as a weak link in organisations’ defences, and with good reason: most time and resources tend to be focused on getting products to market rather than on embedding security.
For this reason, firms urgently need to find new ways to reduce risk in this area by integrating testing and the implementation of controls early in the software development lifecycle (SDLC). But how best to achieve this? One way, as described by Nathan Britton, would be to build a secure and repeatable development framework around a Four As methodology: Assessment, Analysis, Action and Approval.
Have you ever wondered what goes on behind the scenes of a phishing attack? What does the infrastructure look like and what does the economy of the market look like?
One of our newest bloggers, Joel Cedersjö, scratches the surface to answer some of these questions. His post follows a client asking NTT Security to analyse an ongoing email phishing campaign against the company. In the initial conversation, the customer supplied example emails, the files that were attached to the emails and a web link to what they believed was most relevant to the case.
The emails turned out to be quite uninteresting – they followed a currently common technique of referencing an invoice and encouraging the user to open an attached .zip archive.
However, when Joel and his team started looking more closely, something more sinister appeared.
On May 12, 2017, everyone heard the cry that echoed around cyberspace. More specifically, they heard the WannaCry. The true story has three elements, which Jon Heimerl explains in this blog post.
The first part of the story concerns one of the vulnerabilities addressed by MS17-010, and it is often overshadowed by the next part. The second part of the story is that the WannaCry ransomware took advantage of the SMB vulnerability targeted by the ETERNALBLUE exploit. The third part of the story is that WannaCry was not the only attack to take advantage of this vulnerability.
NTT Security researchers and analysts took a long, hard look at WannaCry in the NTT Security Monthly Threat Report for May 2017, published on June 5. The report takes a detailed look at statistics from the ransomware, including the industries being attacked, a detection calendar, and the ports and protocols used.