“An ounce of prevention is worth a pound of cure.”
Benjamin Franklin said it in the mid-to-late 1700s, so something along the lines of 250 years ago. Moreover, it is as true today as it was then. Maybe even more so, since we live in a more complicated world that, in many ways, is also more dangerous.
The August 2019 Monthly Threat Report focuses more on prevention than it does on what is in the past.
Looking into the future
NTT is constantly looking at ways to improve cybersecurity, detections, and predictive measures. In general, the sooner an organization sees an attack coming, the better.
Predicting the future is a difficult task – but not impossible. If an organization recognizes scanning and brute force attacks, it should not be surprising if that same organization is then faced with social engineering, phishing, or web attacks. If a new vulnerability in a popular technology is announced, it should not be surprising that threat actors will develop an effective exploit.
However, even this information requires an understanding of the context of the data. Ultimately, the more you know about a situation, the more prepared you are to take proactive action.
To this end, in the August Threat Report, NTT describes an automated means to detect and cluster bots propagating across the internet. The method analyzes over 300 bot characteristics to cluster bot behavior into related groups. This automated interpretation of data helps security analysts prioritize additional analysis in an effective and efficient manner, enabling analysts to identify bots, and their associated characteristics, behaviors, and indicators, much more rapidly than they could manually. The result – more threat information faster.
Having more threat information is what NTT Security’s partnership with the Cyber Threat Alliance (CTA) is all about. The CTA is a not-for-profit organization working to improve cybersecurity by enabling near real-time, high-quality threat information sharing amongst participating organizations. This relationship helps NTT learn more technical details, including characteristics, behaviors, and indicators, from other threat research groups. It also enables NTT Security to share our findings with fellow like-minded organizations.
The result is that the CTA is another way to get more information faster.
Using what we see now
Even if we cannot predict the future, we can take the best advantage of information about what we see right now, and take proactive measures. Take, for instance, the fact that 40% of the exploit attempts NTT Security observed in August targeted Joomla!, and that Joomla! and j2store were the two most targeted technologies. You can arm yourself with that knowledge and take proactive action to ensure your Joomla! patch level is up to date – hopefully before an attacker attempts those exploits on your organization. The August GTIC Monthly Threat Report discusses these attacks, the CVEs they target, and what the other 13 most commonly attacked technologies were during August.
It might be a good idea to review the list and double-check patches for any of them that could affect you. These technologies are being attacked now, but changes in exploits and malware happen rapidly.
At the same time, some evolutions occur more gradually.
When Advanced Persistent Threat (APT) group APT41 was first observed in about 2012, they gained fame by conducting cyber-espionage operations as state-sponsored actors of China. APT41 ran many successful operations which, more often than not, directly supported China’s Five-Year Plan. However, over time, APT41 has branched into additional activities, blurring the lines between state-sponsored actions (espionage) and for-profit cyber crime. This activity has included currency manipulations and ransomware, along with the development and deployment of non-public malware. APT41 has proven to live up to their name and be very persistent – and this branching into additional targets increases the threat they pose to additional organizations.
Recognizing this evolution is one step in monitoring the activities of an organization like APT41 – enabling NTT Security and other organizations to be better prepared if they are exposed to such operations.
You can read more details about these stories in the August 2019 GTIC Monthly Threat Report – available now.