Another year is over – and didn’t we have a turbulent year!


We saw an increase in malicious coin mining, a record number of vulnerabilities, a rise in ransomware detections … the list goes on and on. More positively, we also saw threat intelligence services enhanced through collaboration, machine learning detect botnet activity and edge computing deliver security services in minutes instead of months. 

Our team of cybersecurity experts have explored all of these topics on our Technical Blog over the last 12 months but there’s more. So, just like we do every year, we have summarized the topics that captured the attention of our readers the most below. 

Back to basics: what application is connecting to the internet?

The ability to identify local applications connecting to the internet, especially rogue or malicious applications, is critical for any intrusion investigation. When local and remote systems establish a bi-directional network connection, seven different components exist on both systems. 

Terrence Lillard talks us through the seven components that make up the 7-Ps:

·       The first component is Source IP Platform, each system has a unique IP Address

·       The second component, Protocol, is used to establish a network connection between the local and remote system. For example, TCP or UDP

·       The third component, Port Number, which are numeric values on both the local system and the remote system

·       The fourth Component, the Process Identifier or PID, is used by each system’s operating system to track executable processes and threads on both systems separately.

·       The fifth Component is Person, which represents the User or System account used by the executable or application

·       The sixth Component, Path, represents the folder or directory where the application or executable resides

·       The seventh Component, the final component, is the Program or executable name that establishes the network connection

Attack patterns: what security researchers continue to see

Researchers. Analysts. Threat intelligence professionals. Cybersecurity practitioners.

Know what they all have in common? The nature of their (our) work enables us to easily see patterns which develop over time. We are all capable of seeing patterns in our day-to-day lives – traffic patterns, fashion patterns (skinny jeans, anyone?), and even relational patterns.

What those of us in the cybersecurity industry see time and time again is that a significant amount of cyber activity is predictable, and we don’t need a predictive AI algorithm to tell us what will be attacked next.

Our expert Aaron Perkins takes a look at a couple of examples, which NTT Security researchers analyzed and included in the June 2018 GTIC Monthly Threat Report. These included the Cisco ASA vulnerability, and North Korean attack activity.

Outlook Thread-Index value analysis

Not so long ago, Jeremy Scott found himself analyzing some emails that appeared to be spoofed or forged. During his analysis, he started looking at a header entry that he thought might aid in proving or disproving his theory. The header entry was Thread-Index. 

Thread-Index is a Microsoft Outlook centric header that is used to track conversations. He wanted to use this to analyze potential discrepancies in the FILETIME time stamp in the email message added by the email client.

He used the MSDN documentation to walk through the header value and the Python programming language to illustrate how to decode the somewhat obfuscated value.

So what did he find? In the case of his own analysis, the timestamp in the “suspect” emails were not consistent with the time stamps in other emails from the same client, confirming his suspicion that they were, in fact, forged.

Top five vulnerabilities identified in penetration assessments

Our expert Michael Born noticed a common theme of vulnerabilities when performing internal, external, and application penetration assessments for our NTT Group clients. 

In each case, the presence of these vulnerabilities allowed NTT Security to gain unfettered access to the domain, a critical environment or allowed access to exfiltrate sensitive data. In some cases, several of these vulnerabilities were exploited in a chained manner in order to gain high-privileged access. So, without further ado, here’s the list: 

·       Internal Penetration Assessment

·       MS17-010

·       LLMNR/NBT-NS

·       JMX-Console/JMXInvokerServlet/EJBInvokerServlet

·       Weak Passwords/Shared Accounts

·       Legacy OS Support (E.g., MS08-067)

Each vulnerability on the top five can be broken down to the following gaps in an organization’s Information Security practice:

·       Change Management (Legacy OS Support)

·       Patch Management (MS17-010, Legacy OS Support)

·       Configuration Management (LLMNR/NBT-NS, JMX-Console, JMXInvokerServlet, EJBInvokerServlet)

·       Server Hardening (LLMNR/NBT-NS, JMX-Console, JMXInvokerServlet, EJBInvokerServlet)

·       Password Policy/Password Management (Weak Passwords/Shared Accounts)

Time to fix these gaps then.


Cloud monitoring - part two

Finally, another highly read post is from Bryan Pluta who explored cloud monitoring considerations. After all, how could the cloud not be top of mind?

Part two is a follow up to his write-up on cloud vendors making log data available and the challenges associated with retrieval. He discussed the format of the data once it is retrieved from a cloud environment and the data that is contained in the logs. 

However, after the data is retrieved, you have to contend with the format and syntax of the data. As demonstrated in this post, there are a large number of items that must be contended with when monitoring a cloud environment. 

While the major cloud vendors have made great strides to make the correct information more accessible, there is still progress to be made. The good news is that many of these vendors listen to their clients and work to make the necessary changes.