Using AWS and Azure for Cost Effective Log Ingestion with Data Processing Pipelines for SIEMs

Liam Stevenson, Associate Director of Technical Services within NCC Group's Managed Detection & Response division, shows how to derive significant cost efficiencies in SIEM platform consumption with smart log ingestion utilizing pre-processing data pipelines and modern cloud services. Doing so significantly reduces data volumes to the SIEM without loosing the residual value and accessibility of the underlying data.

TA505: A Brief History Of Their Time

Threat Intel Analyst: Antonis Terefos (@Tera0017)Data Scientist: Anne Postma (@A_Postma) 1. Introduction TA505 is a sophisticated and innovative threat actor, with plenty of cybercrime experience, that engages in targeted attacks across multiple sectors and geographies for financial gain. Over time, TA505 evolved from a lesser partner to a mature, self-subsisting and versatile crime operation with … Continue reading TA505: A Brief History Of Their Time

Machine learning from idea to reality: a PowerShell case study

Detecting both ‘offensive’ and obfuscated PowerShell scripts in Splunk using Windows Event Log 4104 This blog provides a ‘look behind the scenes’ at the RIFT Data Science team and describes the process of moving from the need or an idea for research towards models that can be used in practice. More specifically, how known and … Continue reading Machine learning from idea to reality: a PowerShell case study

Experiments in Extending Thinkst Canary – Part 1

The Thinkst Canary is best described as a digital tripwire for physical and virtual environments. It sits there waiting for a threat actor to tip you off they are mooching around your environment. What is less appreciated however is it is extensible with custom user modules. This post is the first in a series detailing our experiments in extending the product.

WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group

Authors: Nikolaos Pantazopoulos, Stefano Antenucci (@Antelox), Michael Sandee and in close collaboration with NCC’s RIFT. About the Research and Intelligence Fusion Team (RIFT):RIFT leverages our strategic analysis, data science, and threat hunting capabilities to create actionable threat intelligence, ranging from IOCs and detection capabilities to strategic reports on tomorrow's threat landscape. Cyber security is an … Continue reading WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group

In-depth analysis of the new Team9 malware family

Publicly discovered in late April 2020, the Team9 malware family (also known as ‘Bazar’) appears to be a new malware being developed by the group behind Trickbot. Even though the development of the malware appears to be recent, the developers have already developed two components with rich functionality. The purpose of this blog post is to describe the functionality of the two components, the loader and the backdoor.