ANU Breach Report: Mapping to Mitre ATT&CK Framework

Richard Gold
October 11, 2019 | 14 Min Read

Introduction

This week, the Australian National University (ANU) published a report on an intrusion into their networks that began in late 2018. Whilst the attackers had access to data from the university going back 19 years, the ANU reports that they cannot accurately ascertain which data was taken. What they do know is that the attackers were targeting a system which stored Personally Identifiable Information (PII) and commercial information for the university. In addition to an exemplary breach response, the ANU provided a detailed breakdown of the intrusion, which is extremely helpful for network defenders.

We decided to map this intrusion to the Mitre ATT&CK framework, as we have done previously for other intrusions.

This provides a useful lens for analyzing the attacker’s tradecraft and identifying which steps to take to prevent or detect this tradecraft.

 

Attacker goals

The attackers were extremely disciplined and, despite having wide-ranging access to the target environment, they were solely focused on targeting one system: the Enterprise Systems Domain (ESD) system. According to the report, ESD is the “Enterprise Systems Domain, which houses our human resources, financial management, student administration and enterprise e-forms systems”. Typically in these intrusions, attackers are looking for data that can be easily monetized (in the case of cybercriminal intrusions) or data that can be used for intelligence or counterintelligence purposes (in espionage-related intrusions). 

However, the ANU’s report stated: 

Despite our considerable forensic work, we have not been able to determine, accurately, which records were taken. However, our analysis has been able to establish that while the hackers had access to data up to 19-years-old, the hackers took much less than the 19 years’ worth of data we originally feared. We also knew the stolen data has not been further misused. Frustratingly this brings us no closer to the motivations of the actor. 

The fact that the stolen data has not been observed being misused suggests the motive was intelligence gathering rather than financial crime, although absence of observed misuse is weak evidence on its own: stolen data can sit unused for a long time before it surfaces.

 

Mitre ATT&CK mappings

Initial Access 

  • T1193 Spearphishing Attachment
  • T1078 Valid Accounts

The initial attack reportedly started on 9 Nov 2018 with a single spearphishing email; the report states that the attackers carried out at least four waves of spearphishing in total. The report reproduces the recovered spearphishing emails in Appendices A, B, and C. Defenders should study them in detail: they are well crafted and display a detailed knowledge of the target's environment and of which emails and email styles would be considered normal there.

Spearphishing was, however, not the only Initial Access technique. The attackers used valid credentials harvested by the earlier spearphishing to log in remotely to a web server and install a web shell for further post-exploitation activity.

This is where the attacker's craftsmanship shows. The report provides information on the emails and campaigns, including redacted images of some of the emails the attacker sent.

The quote below is another favorite of ours from the report. It shows the attacker's understanding of the target environment and their resourcefulness, tradecraft similar to that of other well-known APT groups.

The actor continues to look for credentials and tries to maximise the effectiveness of their spearphishing efforts by connecting to the University's spam filter and attempting to disable its ability to detect malicious emails.

The following extract from the report's appendix shows the detail and effort put into the phishing emails.

(Image from the ANU breach report: a redacted phishing email reproduced in the appendix.)

 

Execution

  • T1204 User Execution
  • T1203 Exploitation for Client Execution
  • T1086 PowerShell
  • T1059 Command-Line Interface

To have their payload executed by their targets, the attackers used an “interaction-less” attack, according to the report: 

Based on available logs this email was only previewed but the malicious code contained in the email did not require the recipient to click on any link nor download and open an attachment. This “interaction-less” attack resulted in the senior staff member’s credentials being sent to several external web addresses.

The details in this extract may initially sound vague and unlikely. Looking back at the news from early 2018, however, there is a vulnerability with exactly these properties: CVE-2018-0950, patched by Microsoft in April 2018. When Outlook's preview pane renders a Rich Text Format (RTF) message containing an Object Linking and Embedding (OLE) object that links to a remote file, it opens a Server Message Block (SMB) connection to the attacker's server and authenticates to it, handing the attacker the user's NTLM challenge-response (a Net-NTLM hash). That hash can then be cracked offline, or relayed to another service, and the whole chain requires nothing more than the message being previewed. It also requires that outbound SMB (TCP 445) from user workstations to the Internet is not blocked at the perimeter, which is worth checking in your own environment.

This attack spans multiple techniques. It requires user interaction to open the email (but not the attachment), exploits the client-side application, and also performs forced authentication (see T1187 Forced Authentication below).
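A detection-side illustration of the chain described above, added here as an example and not part of the original post or of the ANU report: a small Python triage script that pulls the hex-encoded payload out of each \objdata group in an RTF message, looks for UNC paths (ASCII or UTF-16LE) inside it, and flags the combination of an auto-updating OLE link (\objautlink or \objupdate) and a UNC target, which is what lets the object connect to, and authenticate against, a remote share on preview. The RTF sample, the host names and the payload bytes are all constructed for the example; a production pipeline would use a real RTF parser such as rtfobj from oletools rather than these regular expressions.

```python
import re

# RTF control words that make an embedded OLE object resolve its link when the
# document is rendered: \objautlink marks an automatically updated OLE link and
# \objupdate forces an update before display. No click is needed for either.
AUTO_UPDATE_WORDS = (b"\\objautlink", b"\\objupdate")

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
UNC_BYTES_RE = re.compile(rb"\\\\[A-Za-z0-9._-]+\\[^\x00-\x20]+")
UNC_TEXT_RE = re.compile(r"\\\\[A-Za-z0-9._-]+\\[^\s\x00]+")


def objdata_blobs(rtf: bytes) -> list:
    """Hex-decode the payload of every \\objdata group in an RTF document."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        hexstr = hexstr[: len(hexstr) - len(hexstr) % 2]  # drop a dangling nibble
        if hexstr:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def unc_targets(blob: bytes) -> set:
    """UNC paths (\\\\host\\share\\...) found in an OLE payload, ASCII or UTF-16LE."""
    found = {m.group(0).decode("latin-1") for m in UNC_BYTES_RE.finditer(blob)}
    # Link monikers store the path as UTF-16LE and it need not start on an even
    # offset, so decode from both alignments and discard what does not decode.
    for offset in (0, 1):
        text = blob[offset:].decode("utf-16le", errors="ignore")
        found.update(m.group(0) for m in UNC_TEXT_RE.finditer(text))
    return found


def analyse_rtf(rtf: bytes) -> dict:
    """Summarise the OLE-link risk of one RTF body (for example an email)."""
    blobs = objdata_blobs(rtf)
    targets = set()
    for blob in blobs:
        targets |= unc_targets(blob)
    auto_update = any(word in rtf for word in AUTO_UPDATE_WORDS)
    return {
        "ole_objects": len(blobs),
        "auto_update": auto_update,
        "unc_targets": sorted(targets),
        # An auto-updating link to a UNC target is the interaction-less case:
        # the client connects to the share (and authenticates) on preview.
        "suspicious": auto_update and bool(targets),
    }


# Constructed sample, not a captured email: an auto-updating OLE link whose
# payload carries one ASCII and one UTF-16LE UNC path to attacker-chosen hosts.
SAMPLE_PAYLOAD = (
    b"\x01\x05\x00\x00\x02\x00\x00\x00"  # stand-in for OLE header bytes
    + b"\\\\10.0.0.5\\share\\doc.rtf\x00"
    + "\\\\evil.example.net\\s\\x.rtf".encode("utf-16le")
)
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata "
    + SAMPLE_PAYLOAD.hex().encode("ascii")
    + b"}}}"
)
BENIGN_RTF = b"{\\rtf1\\ansi Hello from the finance team.}"

if __name__ == "__main__":
    print(analyse_rtf(SAMPLE_RTF))
    print(analyse_rtf(BENIGN_RTF))
```

Run against a mailbox export, anything reporting `suspicious: True` is worth pulling the target host out of and checking against your egress logs for a matching SMB connection; a benign RTF with no OLE object comes back with an empty target list.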

 

The report also stated: 

Other software used by the actor included network session capture and mapping tools, bespoke clean-up, JavaScript and PowerShell scripts as well as a proxy tool.

This shows that the attackers are using a wide range of attack tools to maximize their effectiveness in the target environment.

 

Persistence

  • T1100 Web-shell
  • T1062 Hypervisor

The attackers installed a web shell on the compromised web server, using the credentials from the first spearphish, to maintain access to the target environment. They also used their access to a server to install Windows XP and Kali Linux virtual machines, which they then used to attack other machines in the network. The virtual machine images were downloaded via BitTorrent, which indicates a lack of outbound network filtering in the target environment: a peer-to-peer bulk download from a server should not have been possible, let alone gone unnoticed.

 

Privilege Escalation

Privilege Escalation occurred during the attack, but no concrete techniques were presented in the report. However, the report states: 

The senior user whose credentials were stolen was not a system administrator, so it is likely that a privilege escalation exploit was used to gain full control of the server.

 

Defense Evasion

  • T1146 Clear Command History
  • T1107 File Deletion
  • T1070 Indicator Removal on Host
  • T1064 Scripting
  • T1078 Valid Accounts
  • T1221 Template Injection
    • Used in conjunction with the forced authentication technique

According to the report, 

The tactics, techniques and procedures used during the attack highlight the sophistication and determination of the actor. In addition to their efficiency and precision, the actor evaded detection systems, evolved their techniques during the campaign, used custom malware and demonstrated an exceptional degree of operational security that left few traces of their activities.

Defense Evasion was clearly a major part of the attackers’ tradecraft. 

 

Another example from the report is: 

The actor exhibited exceptional operational security during the campaign and left very little in the way of forensic evidence. Logs, disk and file wipes were a recurrent feature of the campaign.

It is worth noting how this operational security (OPSEC) was clearly built into the attackers' tradecraft. Their standard operating procedures included OPSEC-aware steps, and these were consistently followed.

 

Credential Access

  • T1187 Forced Authentication
  • T1040 Network Sniffing

The report states: 

The actor sent out four spearphishing emails, to ANU users, to try and gain credentials ie passwords, usernames, hashes. The aim of these emails was to gain the credentials of an administrator or someone with the right level of access to targeted systems. Actors also try to gain a broad set of credentials in case they expire, or compromised accounts are exposed. In the case of ANU, administrator credentials deliberately expire quickly. The other mechanism the actor used was software designed to “sniff” credentials from network traffic.

This quote indicates that the attackers were able to extract credentials from network traffic. It could be that credentials were sent in plaintext over FTP, HTTP or similar protocols. Alternatively, the attackers could have used a tool like Responder, which captures Windows NTLM challenge-responses by answering LLMNR and NBT-NS name lookups on the local segment; strictly that is active poisoning rather than passive sniffing, but the result (hashes to crack offline) is the same. Disabling LLMNR and NBT-NS removes that attack surface, and enforcing SMB signing additionally prevents a captured exchange from being relayed.

 

Discovery

  • T1083 File and Directory Discovery
  • T1046 Network Service Scanning
  • T1135 Network Share Discovery
  • T1040 Network Sniffing
  • T1018 Remote System Discovery
  • T1016 System Network Configuration Discovery
  • T1049 System Network Connections Discovery
  • T1033 System Owner/User Discovery
  • T1007 System Service Discovery

Following a description of the initial attack vector, the report cited a timeline of 12-14 Nov 2018 for the next stage. This would have provided the attacker enough time to perform a brute-force cracking attack on any password hashes acquired during the first phase, and perform reconnaissance of the university's Internet-facing infrastructure, looking for a platform for persistence and exfiltration.

Although the report does not detail exactly which Discovery techniques were used, given that the attackers compromised a wide variety of machines across a number of networks, they likely used a broad set of techniques to discover other systems. This assessment is supported by the report: 

The actor also starts to map out machines in ESD and locates servers housing the databases underpinning ANU HR, finance, student administration and e-forms systems. Upon finding these databases the actor tries repeatedly, and unsuccessfully, to access these systems.

The actor also gained access (through remote desktop) to a machine in a school which had a publicly routable IP address. Age and permissiveness of the machine and its operating system are the likely reasons the actor compromised this machine.

The “age and permissiveness” is not something you should be able to use to describe systems within your network; however, you’ve got to give ANU credit for their honesty and openness throughout the entirety of the report.

Using these positions to operate various tools for network traffic interception, monitoring, and clean-up efforts, the attackers were able to maintain access and discover multiple resources and systems that some may consider to be high-value targets within the network.

During this Discovery period another “legacy” system was discovered, this time an operational mail server. The attackers reportedly used the server to send several messages to external recipients, with contents suspected of containing information related to their reconnaissance efforts, and other data of value.

The actor connected to a legacy mail server and sent three emails to external email addresses. Unlike the University’s primary mail server, this legacy mail server requires no authentication. The emails sent out likely held data gained from the actor’s network mapping from the previous two days, as well as user and machine data.

 

Lateral Movement

The specific techniques used for lateral movement were not explicitly described, but they were likely a combination of Windows and Linux remote-access protocols (the report mentions remote desktop) used with stolen credentials.

With any breach or assessment, lateral movement and persistence is an interesting area. There is a lot for the attacker to get right, from an OPSEC perspective, and depending on the environment it can take a lot of time and patience. From personal experience, sitting and watching packet captures and logs, waiting for something interesting and useful to appear, can be tedious.  

The report detailed some of the effort the attackers went through to maintain their OPSEC and remain in stealth mode. That being said, it may only take one missed log to trip you up and expose your whole operation.

From the compromised school webserver, the actor was able to gain access to a legacy server hosting trial software. This server was scheduled for decommissioning in late 2019 and at the time of this report no longer active. Unfortunately, the server was attached to a virtual LAN with extensive access across the ANU network.

The quote above is the first of multiple references to the word legacy. If you have been in the industry long enough, you will have encountered this shameful word (or "well matured") used to describe systems and services tucked away in the deep, dark corners of the network. They are often marked out of scope in penetration tests and other assessments, for fear of the testing team breaking something that nobody in the organization knows how to fix, or even knows the true purpose of any more. The reference raises questions about the true purpose of this asset: what kind of system do you give "extensive" access across your organization's networks? It sounds like an ideal vantage point for an attacker.

The "legacy" server referenced in the quote was then reportedly converted into an attack station from which the attackers continued their journey into the network. This position also reportedly gave them a place to perform remote management and clean-up tasks in support of their meticulous OPSEC.

 

Collection

  • T1213 Data from Information Repositories
  • T1005 Data from Local System
  • T1074 Data Staged
  • T1114 Email Collection
  • T1039 Data from Network Shared Drive

On the way to the target, the attackers collected credentials to help them move around the network: via the forced authentication technique described in the Credential Access section, by gathering plaintext credentials from local file systems and emails, and by sniffing credentials on the network.

As the attackers neared their goal, they eventually found access to the ESD database.

The actor then accessed the administrative databases directly using a commercial tool. This tool allowed the actor to connect to several databases at once to search and extract records; and convert them to PDF format. The PDFs were then sent to the compromised school machine one for extraction from the ANU network.

This indicates how attackers are comfortable with Living off the Land―that is, using already installed or legitimate software tools to achieve their goals. In general, pre-existing or legitimate tools are less likely to raise suspicion than untrusted or unknown binaries in an environment.

 

C2

  • T1188 Multi-hop Proxy

The attackers were known to “conduct command and control (C2) operations through what is known as a TOR exit node” to hide the origin of their network traffic. This is one part of the broader OPSEC tradecraft exhibited by the attackers. 

By using an anonymity network like Tor, it becomes much harder for network defenders to discern where an attack originates from, and blocking source IP addresses becomes less useful: the attacker can build a new circuit through a different exit node at any time, and the pool of exit addresses is shared with legitimate Tor users. The list of exit nodes is public, however, so connections from them to services that should never see Tor traffic can at least be flagged, if not blocked outright.
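Three of the network-level findings in this post come down to the same control: what is allowed to leave the network. The forced-authentication hash leak in the Execution section needs outbound SMB, the virtual machine images in the Persistence section arrived over BitTorrent, and the C2 traffic here entered Tor. The Python below, added as an example and not code from the original post or the ANU report, runs those three checks over whitespace-separated flow records. The flow lines, the internal address ranges and the "known Tor relay" set are constructed for the example (public hosts use documentation ranges as stand-ins); in practice the relay list would be loaded from the Tor Project's published consensus and the internal ranges from your own address plan.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto bytes_out")

# The organisation's own address space; anything else is treated as external.
# Assumed RFC 1918 ranges for the example; use the real allocation in practice.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

SMB_PORTS = {139, 445}                     # NetBIOS/SMB: forced-authentication leaks go here
BITTORRENT_PORTS = set(range(6881, 6890))  # default BitTorrent listener port range
# Stand-in for a Tor relay list; load the Tor Project's published consensus in practice.
TOR_RELAYS = {"198.51.100.7", "203.0.113.42"}


def is_external(ip: str) -> bool:
    """True when the address is outside every internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Flow:
    """Parse one 'ts src dst dport proto bytes' record (constructed format)."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return Flow(ts, src, dst, int(dport), proto, int(nbytes))


def classify(flow: Flow) -> list:
    """Alert tags for one flow; only flows leaving the internal address space qualify."""
    if not is_external(flow.dst):
        return []
    tags = []
    if flow.dport in SMB_PORTS:
        tags.append("smb-egress")         # T1187: NTLM hash sent to an attacker SMB server
    if flow.dport in BITTORRENT_PORTS:
        tags.append("bittorrent-egress")  # unfiltered bulk download, as with the VM images
    if flow.dst in TOR_RELAYS:
        tags.append("tor-relay")          # T1188: traffic entering the Tor network
    return tags


def find_alerts(lines) -> list:
    """Run classify() over text flow records; returns (tag, src, dst, dport) tuples."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        alerts.extend((tag, flow.src, flow.dst, flow.dport) for tag in classify(flow))
    return alerts


# Constructed flow records. Public hosts use TEST-NET documentation addresses.
SAMPLE_FLOWS = """\
# ts src dst dport proto bytes
2018-11-09T09:12:01 10.20.1.15 203.0.113.9 445 tcp 1842
2018-11-09T09:12:03 10.20.1.15 10.20.0.5 445 tcp 90210
2018-11-12T22:40:11 10.30.7.8 198.51.100.23 6881 tcp 734112000
2018-11-12T22:41:55 10.30.7.8 203.0.113.42 443 tcp 5120
2018-11-12T22:42:00 10.30.7.8 172.16.4.4 443 tcp 1400
2018-11-13T01:00:00 10.30.7.8 192.0.2.10 443 tcp 8000
""".splitlines()

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_FLOWS):
        print(*alert)
```

The internal SMB flow and the internal HTTPS flow are ignored, the plain HTTPS connection to a non-relay public host produces nothing, and the remaining three records each raise one tag. The same classification is what a perimeter policy should be enforcing in the first place: workstations have no business speaking SMB to the Internet, and servers have no business downloading torrents.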

 

Exfiltration

  • T1002 Data Compressed
  • T1022 Data Encrypted
  • T1048 Exfiltration Over Alternative Protocol
    • Email

The report stated: 

The actor used a variety of methods to extract stolen data or credentials from the ANU network. This was either via email or through other compromised Internet-facing machines.

Although the report does not detail which network protocols were used to exfiltrate data, HTTPS is the likely choice for bulk transfer (that is our assumption, not something the report states). Intriguingly, though, the attackers also used email to send data out of the network, via a legacy email server present in the environment: 

The actor connected to a legacy mail server and sent three emails to external email addresses. Unlike the University's primary mail server, this legacy mail server requires no authentication. The emails sent out likely held data gained from the actor's network mapping from the previous two days, as well as user and machine data.

This activity underlines the importance of trusting as little as possible inside the enterprise network and enforcing authentication even for local services. 
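Where an unauthenticated relay cannot be decommissioned immediately, its logs can at least be watched for exactly this pattern. The Python below is an added example, not code from the original post or the ANU report: it correlates Postfix-style log lines by queue ID and reports every message that was accepted without SASL authentication and delivered to a recipient outside the organisation's own domains. The log lines, host names, queue IDs and the `corp.example` domain are all constructed for the example; the line layouts follow Postfix's `smtpd`, `qmgr` and `smtp` log formats.

```python
import re
from collections import defaultdict

# Assumed: the organisation's own mail domains. Recipients elsewhere are external.
INTERNAL_DOMAINS = {"corp.example"}

# Postfix log shapes: smtpd records the connecting client (and SASL user, if any),
# qmgr records sender and size, smtp records each delivery attempt.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>\S+?)(?:,|$)")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<from>[^>]*)>, size=(?P<size>\d+)")
TO_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]+)>.*status=sent")


def correlate(lines) -> dict:
    """Group the smtpd/qmgr/smtp lines of each message by Postfix queue ID."""
    msgs = defaultdict(lambda: {"client": None, "sasl_user": None, "from": None, "size": 0, "to": []})
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            rec = msgs[m.group("qid")]
            rec["client"] = m.group("client")
            sasl = SASL_RE.search(line)
            rec["sasl_user"] = sasl.group("user") if sasl else None
            continue
        m = FROM_RE.search(line)
        if m:
            rec = msgs[m.group("qid")]
            rec["from"] = m.group("from")
            rec["size"] = int(m.group("size"))
            continue
        m = TO_RE.search(line)
        if m:
            msgs[m.group("qid")]["to"].append(m.group("to"))
    return msgs


def unauthenticated_external_relays(lines) -> list:
    """Messages accepted without SASL auth and delivered to an external domain."""
    alerts = []
    for qid, rec in correlate(lines).items():
        external = [r for r in rec["to"] if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
        if external and rec["sasl_user"] is None:
            alerts.append({"qid": qid, "client": rec["client"], "from": rec["from"],
                           "size": rec["size"], "to": external})
    return alerts


# Constructed log excerpt: one unauthenticated relay to an external address (the
# case to catch), one authenticated external send, one unauthenticated internal send.
SAMPLE_LOG = """\
Nov 14 02:13:07 legacy-mx postfix/smtpd[2231]: 4F2A1B: client=unknown[10.30.7.8]
Nov 14 02:13:07 legacy-mx postfix/qmgr[1190]: 4F2A1B: from=<noreply@corp.example>, size=2048576, nrcpt=1 (queue active)
Nov 14 02:13:09 legacy-mx postfix/smtp[2240]: 4F2A1B: to=<drop@mail.example.net>, relay=mx.example.net[192.0.2.25]:25, delay=1.9, status=sent (250 OK)
Nov 14 02:15:30 legacy-mx postfix/smtpd[2233]: 7C0D22: client=ws17.corp.example[10.20.1.15], sasl_method=PLAIN, sasl_username=jsmith
Nov 14 02:15:30 legacy-mx postfix/qmgr[1190]: 7C0D22: from=<jsmith@corp.example>, size=5120, nrcpt=1 (queue active)
Nov 14 02:15:31 legacy-mx postfix/smtp[2241]: 7C0D22: to=<partner@mail.example.net>, relay=mx.example.net[192.0.2.25]:25, delay=0.8, status=sent (250 OK)
Nov 14 02:20:00 legacy-mx postfix/smtpd[2235]: 9A1E03: client=ws04.corp.example[10.20.1.40]
Nov 14 02:20:00 legacy-mx postfix/qmgr[1190]: 9A1E03: from=<hr@corp.example>, size=900, nrcpt=1 (queue active)
Nov 14 02:20:01 legacy-mx postfix/smtp[2242]: 9A1E03: to=<staff@corp.example>, relay=internal-mx.corp.example[10.20.0.3]:25, delay=0.3, status=sent (250 OK)
""".splitlines()

if __name__ == "__main__":
    for alert in unauthenticated_external_relays(SAMPLE_LOG):
        print(alert)
```

Only the first message is reported: it came from an unnamed internal host, was never authenticated, was two megabytes in size and went to an outside mailbox, which is the shape of the three emails the report describes. The authenticated send and the internal delivery are left alone. The detection is a stop-gap; the fix is requiring authentication on the relay or turning it off.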

 

Mitigation

In the section “Lessons from the attack and follow-up actions”, the ANU report gave an excellent breakdown of the issues and suggested mitigation. We recommend studying this table carefully. Additionally, the ANU stated: 

Technical gaps aside, ANU ultimately views this breach and cybersecurity more broadly as an organisational issue, one which requires a change to the University’s security culture to adequately mitigate.

They go on to state that, in response to this breach, they will be establishing “a strategic information security program”. We fully agree that mitigating a threat of this type requires more than just point solutions, but rather a comprehensive approach that encompasses people and process, not just technology.

 

Conclusions

The ANU was attacked by persistent and skilled adversaries. Although their precise goals are currently unclear, they were determined to gain access to the ESD service operated by the university. The attackers were very OPSEC savvy and used a variety of techniques to hide their tracks, including deleting files and log files and using Tor for their C2 communications. 

We would like to commend the ANU for their exemplary breach response, transparency, and honesty in admitting their own mistakes. We can all learn a lot from their example and are grateful for them taking the time and effort to release their report.

 

ShadowTalk Update – SANS CTI Summit, Snake Ransomware, CacheOut, and Citrix Vuln Update

ShadowTalk Update – SANS CTI Summit, Snake Ransomware, CacheOut, and Citrix Vuln Update

February 3, 2020 | 3 Min Read

Rick Holland jumps in to kick-off this...
Cyber Threat Intelligence Frameworks: 5 Rules for Integrating These Frameworks

Cyber Threat Intelligence Frameworks: 5 Rules for Integrating These Frameworks

January 29, 2020 | 7 Min Read

  As the cyber threat intelligence (CTI)...
SANS Cyber Threat Intelligence Summit 2020: A Recap

SANS Cyber Threat Intelligence Summit 2020: A Recap

January 28, 2020 | 9 Min Read

  Last week I attended the eighth annual...
How Digital Shadows Helped Find and Remediate an Exposed Admin Password on Github

How Digital Shadows Helped Find and Remediate an Exposed Admin Password on Github

January 23, 2020 | 5 Min Read

  I often get asked to share examples of...
ShadowTalk Update – NSA Vulnerability Disclosure, Ransomware News, and Iran Updates

ShadowTalk Update – NSA Vulnerability Disclosure, Ransomware News, and Iran Updates

January 20, 2020 | 3 Min Read

Kacey, Charles, Alex, and Harrison host...
Third Party Risk: 4 ways to manage your security ecosystem

Third Party Risk: 4 ways to manage your security ecosystem

January 16, 2020 | 5 Min Read

  The digital economy has multiplied the...
NSA Vulnerability Disclosure: Pros and Cons

NSA Vulnerability Disclosure: Pros and Cons

January 15, 2020 | 5 Min Read

  On Monday, January 13th, Brian Krebs...
CVE-2019-19781: Analyzing the Exploit

CVE-2019-19781: Analyzing the Exploit

January 14, 2020 | 4 Min Read

  On December 17th 2019, CVE-2019-19781...
Iran and the United States – start of the long war or return to normal?

Iran and the United States – start of the long war or return to normal?

January 13, 2020 | 9 Min Read

  On 03 Jan 2020, the United States...
Iranian APT Groups’ Tradecraft Styles: Using Mitre ATT&CK™ and the ASD Essential 8

Iranian APT Groups’ Tradecraft Styles: Using Mitre ATT&CK™ and the ASD Essential 8

January 7, 2020 | 6 Min Read

  With the recent news of Qasem Soleimani...
Iran and Soleimani: Monitoring the Situation

Iran and Soleimani: Monitoring the Situation

January 7, 2020 | 9 Min Read

*This blog has been updated as of Jan 9,...
Iranian Cyber Threats: Practical Advice for Security Professionals

Iranian Cyber Threats: Practical Advice for Security Professionals

January 6, 2020 | 8 Min Read

Unless you went very dark for an extended holiday...
2020 Cybersecurity Forecasts: 5 trends and predictions for the new year

2020 Cybersecurity Forecasts: 5 trends and predictions for the new year

December 18, 2019 | 10 Min Read

  If all the holiday fuss isn’t...
Threat Intelligence: A Deep Dive

Threat Intelligence: A Deep Dive

December 12, 2019 | 21 Min Read

Welcome to our deep dive on threat intelligence:...
A Threat Intelligence Analyst’s Guide to Today’s Sources of Bias

A Threat Intelligence Analyst’s Guide to Today’s Sources of Bias

December 5, 2019 | 9 Min Read

  In an industry prone to going overboard...
2.3 billion files exposed across online file storage technologies

2.3 billion files exposed across online file storage technologies

December 3, 2019 | 17 Min Read

Originally published May 2019 2.3 billion is a...
ShadowTalk Update – RIPlace, Trickbot, and Russian-language forum Probiv

ShadowTalk Update – RIPlace, Trickbot, and Russian-language forum Probiv

December 2, 2019 | 3 Min Read

No ShadowTalk podcast episode this week, but...
ShadowTalk Update – Black Friday Deals on the Dark Web, Phineas Fisher Manifesto, and DarkMarket

ShadowTalk Update – Black Friday Deals on the Dark Web, Phineas Fisher Manifesto, and DarkMarket

November 25, 2019 | 3 Min Read

Adam Cook and Viktoria Austin talk through the...
BSidesDFW 2019: OSINT Workshop Recap

BSidesDFW 2019: OSINT Workshop Recap

November 18, 2019 | 5 Min Read

  A few Saturdays ago, we had the...
ShadowTalk Update – BSidesDFW Recap, Dynamic CVV Analysis, and the Facebook Camera Bug

ShadowTalk Update – BSidesDFW Recap, Dynamic CVV Analysis, and the Facebook Camera Bug

November 18, 2019 | 3 Min Read

Dallas is sound effects and all this week with...
Dynamic CVVs: 2FA 2Furious

Dynamic CVVs: 2FA 2Furious

November 12, 2019 | 5 Min Read

  The security community is quick to...
ShadowTalk Update – BlueKeep Attacks, Megacortex Ransomware, and Web.com Breach

ShadowTalk Update – BlueKeep Attacks, Megacortex Ransomware, and Web.com Breach

November 11, 2019 | 3 Min Read

This week the London team looks at the following...
ShadowTalk Update – Avast Breach Attempt, NordVPN Breach, and Wifi Security Risks

ShadowTalk Update – Avast Breach Attempt, NordVPN Breach, and Wifi Security Risks

November 4, 2019 | 4 Min Read

Adam Cook, Philip Doherty, and Viktoria Austin...
Understanding the Different Cybercriminal Platforms: AVCs, Marketplaces, and Forums

Understanding the Different Cybercriminal Platforms: AVCs, Marketplaces, and Forums

October 31, 2019 | 6 Min Read

  With the recent breach that targeted...
Cybercriminal credit card stores: Is Brian out of the club?

Cybercriminal credit card stores: Is Brian out of the club?

October 31, 2019 | 8 Min Read

  If you’re an avid follower of Digital...
Your Cyber Security Career – Press start to begin

Your Cyber Security Career – Press start to begin

October 30, 2019 | 13 Min Read

  October was Cyber Security Awareness...
Australia Cyber Threat Landscape report (H1 2019)

Australia Cyber Threat Landscape report (H1 2019)

October 29, 2019 | 5 Min Read

Depending on where you are in the world, October...
ShadowTalk Update – Avast Breach Attempt, NordVPN Breach, and Wifi Security Risks

ShadowTalk Update – Avast Breach Attempt, NordVPN Breach, and Wifi Security Risks

October 25, 2019 | 3 Min Read

We’ve got all 3 ShadowTalk hosts in Dallas this...
Understanding the Consequences of Data Leakage through History

Understanding the Consequences of Data Leakage through History

October 24, 2019 | 4 Min Read

One of the most interesting aspects of...
WiFi Security: Dispelling myths of using public networks

WiFi Security: Dispelling myths of using public networks

October 23, 2019 | 9 Min Read

We have all seen many articles, blogs, endless...
Japan Cyber Threat Landscape report (H1 2019)

Japan Cyber Threat Landscape report (H1 2019)

October 22, 2019 | 5 Min Read

Japan: currently the host of the multi-national...
ShadowTalk Update – Typosquatting and the 2020 U.S. Election, Honeypots, And Sudo Vulnerability

ShadowTalk Update – Typosquatting and the 2020 U.S. Election, Honeypots, And Sudo Vulnerability

October 18, 2019 | 3 Min Read

Kacey, Charles, Harrison, and Alex kick off this...
Honeypots: Tracking Attacks Against Misconfigured or Exposed Services

Honeypots: Tracking Attacks Against Misconfigured or Exposed Services

October 17, 2019 | 9 Min Read

Honeypots can be useful tools for gathering...
Typosquatting and the 2020 U.S. Presidential election: Cyberspace as the new political battleground

Typosquatting and the 2020 U.S. Presidential election: Cyberspace as the new political battleground

October 16, 2019 | 15 Min Read

Typosquatting. It’s a phrase most of us know in...
ShadowTalk Update – Iran-linked APT35, Skimming by Magecart 4, Rancour, and Emotet Resurgence

ShadowTalk Update – Iran-linked APT35, Skimming by Magecart 4, Rancour, and Emotet Resurgence

October 11, 2019 | 3 Min Read

We’re back in London this week! Viktoria chats...
Top Threat Intelligence Podcasts to Add to Your Playlist

Top Threat Intelligence Podcasts to Add to Your Playlist

October 3, 2019 | 4 Min Read

Looking for some new threat intelligence podcasts...
Domain Squatting: The Phisher-man’s Friend

Domain Squatting: The Phisher-man’s Friend

October 1, 2019 | 8 Min Read

In the past we have talked about the internal...
ShadowTalk Update – Tortoiseshell Targets IT Providers, the Tyurin Indictment, and Emotet’s Return

ShadowTalk Update – Tortoiseshell Targets IT Providers, the Tyurin Indictment, and Emotet’s Return

September 27, 2019 | 4 Min Read

Viktoria hosts this week’s episode in London...
Singapore Cyber Threat Landscape report (H1 2019)

Singapore Cyber Threat Landscape report (H1 2019)

September 26, 2019 | 7 Min Read

Despite being the second smallest country in...
Mapping the Tyurin Indictment to the Mitre ATT&CK™ framework

Mapping the Tyurin Indictment to the Mitre ATT&CK™ framework

September 25, 2019 | 7 Min Read

Between 2012 to mid-2015, U.S. financial...
DevSecOps: Continued Database Exposures Point to Growing Challenges

DevSecOps: Continued Database Exposures Point to Growing Challenges

September 24, 2019 | 5 Min Read

Last week, we learned that millions of...
Nemty Ransomware: Slow and Steady Wins the Race?

Nemty Ransomware: Slow and Steady Wins the Race?

September 19, 2019 | 3 Min Read

As we outlined recently, ransomware is a key...
NCSC Cyber Threat Trends Report: Analysis of Attacks Across UK Industries

NCSC Cyber Threat Trends Report: Analysis of Attacks Across UK Industries

September 18, 2019 | 7 Min Read

The United Kingdom’s National Cyber Security...
Your Data at Risk: FBI Cyber Division Shares Top Emerging Cyber Threats to Your Enterprise

Your Data at Risk: FBI Cyber Division Shares Top Emerging Cyber Threats to Your Enterprise

September 17, 2019 | 8 Min Read

Data breaches are not slowing down. Nobody...
Mapping the NIST Cybersecurity Framework to SearchLight: Eating our own BBQ

Mapping the NIST Cybersecurity Framework to SearchLight: Eating our own BBQ

September 10, 2019 | 2 Min Read

Back in February, I wrote about how we avoid the...
ShadowTalk Update – Ryuk Ransomware, Twitter rids SMS tweets, and Facebook Records Exposed

ShadowTalk Update – Ryuk Ransomware, Twitter rids SMS tweets, and Facebook Records Exposed

September 9, 2019 | 3 Min Read

Alex, Alec, and Harrison are in the room today...
Emotet Returns: How To Track Its Updates

Emotet Returns: How To Track Its Updates

August 26, 2019 | 5 Min Read

What is Emotet? Emotet started life as a banking...
ShadowTalk Update – Texas Ransomware Outbreaks and Phishing Attacks Using Custom 404 pages

ShadowTalk Update – Texas Ransomware Outbreaks and Phishing Attacks Using Custom 404 pages

August 23, 2019 | 3 Min Read

Charles Ragland (a brand new ShadowTalk-er!) and...
The Nouns of Black Hat: People, Places, and Things From Summer Camp 2019

The Nouns of Black Hat: People, Places, and Things From Summer Camp 2019

August 19, 2019 | 6 Min Read

Black Hat and DEFCON are a wrap! Digital Shadows...
Black Hat and DEFCON 2019 – Some of our Favorite Sessions

Black Hat and DEFCON 2019 – Some of our Favorite Sessions

August 19, 2019 | 9 Min Read

The team were fortunate to go to Black Hat and...
Recon Village: Panning for gold

Recon Village: Panning for gold

August 1, 2019 | 7 Min Read

Richard will be presenting ‘Asset Discovery:...
Capital One Breach: What we know and what you can do

Capital One Breach: What we know and what you can do

July 31, 2019 | 5 Min Read

Monday blues. It’s a thing. It’s when you...
The Account Takeover Kill Chain: A Five Step Analysis

The Account Takeover Kill Chain: A Five Step Analysis

July 30, 2019 | 17 Min Read

It’s no secret that credential exposure is a...
ShadowTalk Update – More BlueKeep updates, FSB contractor hacked, and the Enigma Market

ShadowTalk Update – More BlueKeep updates, FSB contractor hacked, and the Enigma Market

July 29, 2019 | 3 Min Read

Christian and Travis sit down with Harrison to...
Harnessing Exposed Data to Enhance Cyber Intelligence

Harnessing Exposed Data to Enhance Cyber Intelligence

July 11, 2019 | 7 Min Read

  An illicit and lucrative trade has...
Leaky SMB File Shares – So Many Bytes!

Leaky SMB File Shares – So Many Bytes!

June 19, 2019 | 5 Min Read

Everyone loves a sequel. If you’re an avid...
Managing Digital Risk: 4 Steps to Take

Managing Digital Risk: 4 Steps to Take

June 18, 2019 | 9 Min Read

Organizations are finding it increasingly...
ShadowTalk Update – XMRig Cryptocurrency Mining, FIN8 Backdoor, and Attacks Against Office 365

ShadowTalk Update – XMRig Cryptocurrency Mining, FIN8 Backdoor, and Attacks Against Office 365

June 17, 2019 | 3 Min Read

This week Harrison is joined by Travis and Alec...
Managing Infosec Burnout: The Hidden Perpetrator

Managing Infosec Burnout: The Hidden Perpetrator

June 10, 2019 | 8 Min Read

The secret of the burnout epidemic lies in how we...
BlueKeep: Cutting through the hype to prepare your organization

BlueKeep: Cutting through the hype to prepare your organization

May 24, 2019 | 8 Min Read

Over the last week we have all been tuning into...
Mapping Iran’s Rana Institute to MITRE Pre-ATT&CK™ and ATT&CK™

Mapping Iran’s Rana Institute to MITRE Pre-ATT&CK™ and ATT&CK™

May 15, 2019 | 15 Min Read

The internet has been aflame with discussions...
Cyber Talent Gap: How to Do More With Less

Cyber Talent Gap: How to Do More With Less

May 14, 2019 | 5 Min Read

The challenge facing us today is twofold: not...
ShadowTalk Update – 5.06.19

ShadowTalk Update – 5.06.19

May 13, 2019 | 4 Min Read

Kacey and Alex join HVR this week to talk through...
Enabling Soi Dog’s Digital Transformation: A Case Study

Enabling Soi Dog’s Digital Transformation: A Case Study

May 8, 2019 | 3 Min Read

At the beginning of this year I was introduced to...
ShadowTalk Update – 5.06.19

ShadowTalk Update – 5.06.19

May 6, 2019 | 3 Min Read

Phil and newcomer Benjamin Newman join Harrison...
ShadowTalk Update – 4.29.19

ShadowTalk Update – 4.29.19

April 29, 2019 | 3 Min Read

Jamie and Alex are back with Harrison this week...
ShadowTalk Update – 4.22.19

ShadowTalk Update – 4.22.19

April 22, 2019 | 3 Min Read

This week the team discusses an unidentified...
ShadowTalk Update – 4.15.19

ShadowTalk Update – 4.15.19

April 15, 2019 | 4 Min Read

Christian and Jamie join Harrison for another...
Reducing your attack surface

Reducing your attack surface

April 9, 2019 | 4 Min Read

What is an attack surface According to OWASP, an...
ShadowTalk Update – 4.8.19

ShadowTalk Update – 4.8.19

April 8, 2019 | 3 Min Read

Jamie, Alex and Zuko sit down with Harrison to...
Predator: Modeling the attacker’s mindset

Predator: Modeling the attacker’s mindset

April 2, 2019 | 6 Min Read

Author: Richard Gold  The phrases...
ShadowTalk Update – 4.1.19

ShadowTalk Update – 4.1.19

March 29, 2019 | 3 Min Read

Christian and Jamie sit down with Harrison to...
ShadowTalk Update – 3.25.19

ShadowTalk Update – 3.25.19

March 25, 2019 | 4 Min Read

Harrison chats with Jamie and Alex this week on...
ShadowTalk Update – 3.18.19

ShadowTalk Update – 3.18.19

March 18, 2019 | 3 Min Read

Harrison sits down with Rose and Christian for a...
Detecting Exposed Company Data: The What, Why, and How

Detecting Exposed Company Data: The What, Why, and How

March 12, 2019 | 3 Min Read

What is data loss detection? A fundamental...
ShadowTalk Update – 3.11.19

ShadowTalk Update – 3.11.19

March 11, 2019 | 3 Min Read

This week Jamie and Alex join Harrison to look at...
Purple Teaming with Vectr, Cobalt Strike, and MITRE ATT&CK™

Purple Teaming with Vectr, Cobalt Strike, and MITRE ATT&CK™

March 6, 2019 | 7 Min Read

Authors: Simon Hall, Isidoros...
ShadowTalk Update – 3.04.19

ShadowTalk Update – 3.04.19

March 4, 2019 | 4 Min Read

This week Rose and Phil join Harrison to discuss...
SamSam But Different: MITRE ATT&CK and the SamSam Group Indictment

SamSam But Different: MITRE ATT&CK and the SamSam Group Indictment

February 26, 2019 | 16 Min Read

In our latest research report, A Tale of Epic...
ShadowTalk Update – 2.25.19

ShadowTalk Update – 2.25.19

February 25, 2019 | 4 Min Read

This week, Phil and Alex join Harrison to discuss...
ShadowTalk Update – 2.18.19

ShadowTalk Update – 2.18.19

February 19, 2019 | 3 Min Read

Alex and Jamie matched with Harrison in this...
Introducing Our Practical Guide to Reducing Digital Risk

Introducing Our Practical Guide to Reducing Digital Risk

February 12, 2019 | 5 Min Read

Download a copy of A Practical Guide to Reducing...
ShadowTalk Update – 2.11.19

ShadowTalk Update – 2.11.19

February 8, 2019 | 3 Min Read

Alex and Jamie join Harrison to discuss how the...
Understanding Digital Risk Protection

Understanding Digital Risk Protection

February 8, 2019 | 3 Min Read

There has been a lot of talk recently about...
SANS DFIR Cyber Threat Intelligence Summit 2019 – Extracting More Value from Your CTI Program

SANS DFIR Cyber Threat Intelligence Summit 2019 – Extracting More Value from Your CTI Program

February 5, 2019 | 7 Min Read

We were fortunate to attend the 2019 SANS DFIR...
ShadowTalk Update – 2.4.19

ShadowTalk Update – 2.4.19

February 4, 2019 | 4 Min Read

This week, Alex Guirakhoo and Jamie Collier join...
SingHealth Breach Post-mortem: Key Findings

SingHealth Breach Post-mortem: Key Findings

January 29, 2019 | 5 Min Read

On 10 January 2019, Singaporean authorities...
ShadowTalk Update – 1.28.19

ShadowTalk Update – 1.28.19

January 26, 2019 | 3 Min Read

This week Rose, Jamie, and Alex talk with...
ShadowTalk Update – 1.21.19

ShadowTalk Update – 1.21.19

January 19, 2019 | 3 Min Read

This week, Alex Guirakhoo and Philip Doherty join...
Don’t Just Read Intelligence: Learn From It

Don’t Just Read Intelligence: Learn From It

January 17, 2019 | 5 Min Read

The Importance of Learning in Cyber...
ShadowTalk Update – 1.14.19

ShadowTalk Update – 1.14.19

January 14, 2019 | 3 Min Read

We’ve just released our first Weekly...
Security Analyst Spotlight Series: Phil Doherty

Security Analyst Spotlight Series: Phil Doherty

January 10, 2019 | 5 Min Read

Organizations rely on Digital Shadows to be an...
The Most Popular Security Blog Topics of 2018

The Most Popular Security Blog Topics of 2018

December 18, 2018 | 3 Min Read

It’s been a busy year on the Digital Shadows...
ShadowTalk Update – 17.10.2018

ShadowTalk Update – 17.10.2018

December 17, 2018 | 3 Min Read

Following from our recent research, Tackling...
Tackling Phishing: The Most Popular Phishing Techniques and What You Can Do About It

Tackling Phishing: The Most Popular Phishing Techniques and What You Can Do About It

December 12, 2018 | 8 Min Read

Overall, the infosec community has done a...
ShadowTalk Update – 12.10.2018

ShadowTalk Update – 12.10.2018

December 10, 2018 | 3 Min Read

In this week's ShadowTalk, Rick Holland and...
2019 Cyber Security Forecasts: Six Things on the Horizon

2019 Cyber Security Forecasts: Six Things on the Horizon

December 5, 2018 | 9 Min Read

The new year is upon us! 2018 brought us Spectre...
ShadowTalk Update – 12.03.2018

ShadowTalk Update – 12.03.2018

December 3, 2018 | 3 Min Read

Michael Marriott, Dr Richard Gold and Simon Hall...
Threat Actors Use of Cobalt Strike: Why Defense is Offense’s Child

Threat Actors Use of Cobalt Strike: Why Defense is Offense’s Child

November 29, 2018 | 5 Min Read

I’m a big fan of the Cobalt Strike threat...
Mapping the ASD Essential 8 to the Mitre ATT&CK™ framework

Mapping the ASD Essential 8 to the Mitre ATT&CK™ framework

November 27, 2018 | 3 Min Read

Australian Signals Directorate Essential 8 The...
ShadowTalk Update – 11.26.2018

ShadowTalk Update – 11.26.2018

November 26, 2018 | 3 Min Read

With Black Friday kicking off the holiday...
ShadowTalk Update – 11.19.2018

ShadowTalk Update – 11.19.2018

November 19, 2018 | 2 Min Read

Leaked court documents surfaced this week...
Law Firm Uncovers Exposed Sensitive Details About Top Attorney Online

Law Firm Uncovers Exposed Sensitive Details About Top Attorney Online

November 15, 2018 | 2 Min Read

VIPs and executives who are critical to your...
A Look Back at the ENISA Cyber Threat Intelligence-EU Workshop 2018

A Look Back at the ENISA Cyber Threat Intelligence-EU Workshop 2018

November 13, 2018 | 5 Min Read

I recently attended the ENISA (European Union...
ShadowTalk Update – 11.12.2018

ShadowTalk Update – 11.12.2018

November 12, 2018 | 2 Min Read

In this week's ShadowTalk, we discuss the big...
Security Analyst Spotlight Series: Adam Cook

Security Analyst Spotlight Series: Adam Cook

November 7, 2018 | 6 Min Read

Organizations rely on our cyber intelligence...
ShadowTalk Update – 11.05.2018

ShadowTalk Update – 11.05.2018

November 5, 2018 | 3 Min Read

In November 2016, Tesco Bank suffered a series of...
81,000 Hacked Facebook Accounts for Sale: 5 Things to Know

81,000 Hacked Facebook Accounts for Sale: 5 Things to Know

November 2, 2018 | 5 Min Read

This morning, the British Broadcasting...
ShadowTalk Update – 10.29.2018

ShadowTalk Update – 10.29.2018

October 29, 2018 | 3 Min Read

In this week's ShadowTalk, Harrison Van Riper and...
Cyber Security Awareness Month: Week 4 – Privacy

Cyber Security Awareness Month: Week 4 – Privacy

October 25, 2018 | 6 Min Read

This week in Brussels, Apple’s chief executive...
ShadowTalk Update – 10.22.2018

ShadowTalk Update – 10.22.2018

October 22, 2018 | 3 Min Read

In this week's ShadowTalk, following on from last...
ShadowTalk Update – 10.15.2018

ShadowTalk Update – 10.15.2018

October 15, 2018 | 3 Min Read

In ShadowTalk this week, Digital Shadows' CISO...
ShadowTalk Update – 10.08.2018

ShadowTalk Update – 10.08.2018

October 8, 2018 | 3 Min Read

In this week’s Shadow Talk, Rafael Amado joins...
Cyber Security Awareness Month: Week 1 – Credential Hygiene

Cyber Security Awareness Month: Week 1 – Credential Hygiene

October 3, 2018 | 5 Min Read

It’s the opening week of the annual National...
Security Analyst Spotlight Series: Christian Rencken

Security Analyst Spotlight Series: Christian Rencken

October 2, 2018 | 5 Min Read

Organizations rely on our cyber intelligence...
ShadowTalk Update – 10.01.2018

ShadowTalk Update – 10.01.2018

October 1, 2018 | 3 Min Read

Rick Holland, CISO of Digital Shadows, joins...
ShadowTalk Update – 09.24.2018

ShadowTalk Update – 09.24.2018

September 24, 2018 | 3 Min Read

In ShadowTalk this week, Richard Gold, Simon Hall...
The 2017 FSB indictment and Mitre ATT&CK™

The 2017 FSB indictment and Mitre ATT&CK™

September 20, 2018 | 11 Min Read

On  February 28th, 2017 the US Department of...
Non-traditional State Actors: New Kids on the Block

Non-traditional State Actors: New Kids on the Block

September 18, 2018 | 5 Min Read

Cyber threat reporting sits at a dichotomy. On...
ShadowTalk Update – 09.17.2018

ShadowTalk Update – 09.17.2018

September 17, 2018 | 2 Min Read

In this week’s ShadowTalk, Richard Gold and...
MITRE ATT&CK™ and the North Korean Regime-Backed Programmer

MITRE ATT&CK™ and the North Korean Regime-Backed Programmer

September 13, 2018 | 18 Min Read

On 6th September the US Department of Justice...
GAO’s Equifax Post-mortem Report

GAO’s Equifax Post-mortem Report

September 11, 2018 | 5 Min Read

It’s common for the exciting and novel issues...
ShadowTalk Update – 09.10.2018

ShadowTalk Update – 09.10.2018

September 10, 2018 | 3 Min Read

In this week’s ShadowTalk, Richard Gold and...
ShadowTalk Update – 09.03.2018

ShadowTalk Update – 09.03.2018

September 3, 2018 | 3 Min Read

Not a week goes by without an example where...
Security Analyst Spotlight Series: Heather Farnsworth

Security Analyst Spotlight Series: Heather Farnsworth

August 30, 2018 | 5 Min Read

Organizations rely on Digital Shadows to be an...
Understanding Threat Modelling

Understanding Threat Modelling

August 29, 2018 | 4 Min Read

What is a threat model? Threat modelling, as...
ShadowTalk Update – 08.27.2018

ShadowTalk Update – 08.27.2018

August 27, 2018 | 3 Min Read

With November’s U.S. midterm elections...
Mitre ATT&CK™ and the FIN7 Indictment: Lessons for Organizations

Mitre ATT&CK™ and the FIN7 Indictment: Lessons for Organizations

August 22, 2018 | 12 Min Read

On August 1, 2018, the US Department of Justice...
ShadowTalk Update – 08.20.2018

ShadowTalk Update – 08.20.2018

August 20, 2018 | 3 Min Read

In this week’s ShadowTalk, we dig into ATM...
ShadowTalk Update – 08.13.2018

ShadowTalk Update – 08.13.2018

August 13, 2018 | 3 Min Read

In this week’s ShadowTalk it's all things...
Digital Shadows Contributes to Insider Threat Research

Digital Shadows Contributes to Insider Threat Research

August 9, 2018 | 5 Min Read

On July 30, Forrester published its latest...
ShadowTalk Update – 08.06.2018

ShadowTalk Update – 08.06.2018

August 6, 2018 | 2 Min Read

In this week’s episode, JP Perez-Etchegoyen,...
ShadowTalk Update – 07.30.2018

ShadowTalk Update – 07.30.2018

July 30, 2018 | 3 Min Read

Richard Gold and Rose Bernard join Michael...
Cyber Threats to ERP Applications: Threat Landscape

Cyber Threats to ERP Applications: Threat Landscape

July 24, 2018 | 4 Min Read

What are ERP Applications? Organizations rely on...
ShadowTalk Update – 07.23.2018

ShadowTalk Update – 07.23.2018

July 23, 2018 | 3 Min Read

In this week's ShadowTalk, we discuss the Robert...
Mitre ATT&CK™ and the Mueller GRU Indictment: Lessons for Organizations

Mitre ATT&CK™ and the Mueller GRU Indictment: Lessons for Organizations

July 17, 2018 | 10 Min Read

A recent indictment revealed how the GRU...

Digital Risk Protection: Avoid Blind Spots with a More Complete Risk Picture

July 17, 2018 | 5 Min Read

“Digital Shadows leads the pack for digital...
ShadowTalk Update – 07.16.2018

ShadowTalk Update – 07.16.2018

July 16, 2018 | 2 Min Read

In this week's ShadowTalk, Digital Shadows’...
ShadowTalk Update – 07.09.2018

ShadowTalk Update – 07.09.2018

July 9, 2018 | 3 Min Read

In this week’s ShadowTalk, Richard Gold and...
Reducing Your Attack Surface: From a Firehose to a Straw

Reducing Your Attack Surface: From a Firehose to a Straw

July 5, 2018 | 6 Min Read

What is Attack Surface Reduction? Attack Surface...
ShadowTalk Update – 07.02.2018

ShadowTalk Update – 07.02.2018

July 2, 2018 | 3 Min Read

In this week's ShadowTalk, following news that a...
ShadowTalk Update – 06.25.2018

ShadowTalk Update – 06.25.2018

June 25, 2018 | 3 Min Read

In this week’s ShadowTalk, Simon Hall and...
ShadowTalk Update – 06.18.2018

ShadowTalk Update – 06.18.2018

June 18, 2018 | 3 Min Read

In ShadowTalk this week, Dr Richard Gold and...
Shadow Talk Update – 06.11.2018

Shadow Talk Update – 06.11.2018

June 11, 2018 | 3 Min Read

In Shadow Talk this week, Dr Richard Gold joins...
Shadow Talk Update – 06.04.2018

Shadow Talk Update – 06.04.2018

June 4, 2018 | 3 Min Read

In this week's Shadow Talk, Dr Richard Gold joins...
7 Ways The Digital Risk Revolution Changes Risk and Compliance – Webinar Key Insights

7 Ways The Digital Risk Revolution Changes Risk and Compliance – Webinar Key Insights

May 30, 2018 | 5 Min Read

Lockpath’s Vice President of Development Tony...
Shadow Talk Update – 05.29.2018

Shadow Talk Update – 05.29.2018

May 29, 2018 | 4 Min Read

The focus in this week’s Shadow Talk is on...
Security Analyst Spotlight Series: Rose Bernard

Security Analyst Spotlight Series: Rose Bernard

May 23, 2018 | 5 Min Read

Organizations rely on our cyber intelligence...
Shadow Talk Update – 05.21.2018

Shadow Talk Update – 05.21.2018

May 21, 2018 | 3 Min Read

In this week’s episode of Shadow Talk, Digital...
Shadow Talk Update – 05.14.2018

Shadow Talk Update – 05.14.2018

May 14, 2018 | 3 Min Read

In this week’s episode Shadow Talk we look at...
Shadow Talk Update – 05.07.2018

Shadow Talk Update – 05.07.2018

May 7, 2018 | 3 Min Read

In this week’s episode Shadow Talk, it’s a...
Shadow Talk Update – 04.30.2018

Shadow Talk Update – 04.30.2018

April 30, 2018 | 2 Min Read

In this week’s episode of Shadow Talk, we cover...
Keys to the Kingdom: Exposed Security Assessments

Keys to the Kingdom: Exposed Security Assessments

April 24, 2018 | 4 Min Read

Organizations employ external consultants and...
Shadow Talk Update – 04.23.2018

Shadow Talk Update – 04.23.2018

April 23, 2018 | 3 Min Read

This week’s Shadow Talk discusses Russia’s...