One of the most interesting questions we get asked at TheatSTOP concerns how long an IP address remains bad once it has been identified as such. Each threat list treats its IPs slightly differently, so the answer is not completely straightforward and varies depending on which list the IP is on. Moreover, many lists do not display specific "first seen" or "last seen" data on each IP address, but rather simply list the currently active IPs (where “active” typically means that they have been identified as bad within the last week or so). Possibly worse for our questioners, some of the threat sources we use are distributed under terms that prohibit us from answering the question.

Welcome To Our New Weekly Series, Free Open Source Analysis Tools.

This Week's Topic: Free Open-Source Analysis Tools, Why Use IOCs?

Throughout this series, we'll be talking about a Security Analyst’s IOC analysis journey. From discovering relevant indicators and performing the analysis, to finding enrichments and new IOCs. We will also share recommendations for free open-source analysis tools and use cases completed by ThreatSTOP's Security and Research Team, showing how to utilize the various platforms and tools. Let's get started.

Georgia Tech recently notified almost 1.3 million people about a potential breach of sensitive data, and in some cases, including a social security number. Over a four month period, there was a vulnerable server that allowed people to enumerate records on a back-end database, allowing the exfiltration of sensitive information. While universities are seen as more open environments, they do have sensitive information they have to protect.

On top of the RDP vulnerability out there, additional Microsoft Windows zero-days are out there, which can exploit enterprises and give attackers full system control. The RDP vulnerability had the potential to be used in a WannaCry like worm. 

Last week, Cyberscoop reported that someone was launching a scan of the entire internet using packets spoofed with a source address of major American banks. That event is interesting in its own right, and follows an occasional pattern by which attackers occasionally try to manipulate the automation our industry uses to protect against attackers.

Between March 2 - 5, we detected a significant increase in scanning activities over Tenet ports via the target, ''NoThink! Telnet HoneyPot – IPs," provided by NoThink. To put this in perspective, the magnitude includes an increase of 4,000 IPs to about 130,000 IPs that were a part of the scanning on telnet ports, as presented in Figure 1 below.

As people start thinking about completing the upcoming United States census online, security concerns have emerged. While there are unique threats to the Census because of the impact it has on budgeting and government, these concerns tell us a great deal about the security concerns of doing business online.

A government agency that found itself infected with ransomware and having to pay the ransom to restore service. Another local agency has opted not to pay the ransom and restore operations. Ransomware targeted at organizations is still a threat and even with backups, you have a highly disruptive and public event to try to get back online that comes with serious costs and potentially lost revenue.

Photo Credit: LuckyStep48, Getty Images

In the past few years, we’ve seen a radical shift from traditional paradigms in transactions. With the emergence of blockchain, decentralized peer-to-peer transactions have replaced typical financial arrangements and revolutionized the financial world. In a few short years, the landscape for financial institutions has radically changed. Yet, the surface has barely been scratched in the ways blockchains can disrupt other entrenched industries. Enterprises have two choices, adopt the blockchain or be left in the stone age. The question is, why should your security program be any different?