1272 Bond Street, Naperville, IL 60563 630-505-7500

Article by ATI partner Dan Kaplan of Trustwave

Not long ago, researchers from the Trustwave SpiderLabs team documented several storylines that emerged from their sojourns to the dark web. The goal of their probe into the underbelly of the internet was to remove the natural disconnect that exists between cyberattack victims and their assailants.

For many, the dark web is a mysterious and untouchable place, with little being known about it beyond that it is, at least in certain parts, a hotbed of criminal activity.

But once the veil is lifted on the criminal community populating the far recesses of the internet, a much more organized picture emerges, one resembling anything but dysfunction. In fact, the makeup is so bustling and orchestrated that organizations like yours can extract enormous insights and trends by studying it, including expanding knowledge into the latest hacking techniques, malicious tools and what stolen data is being sold.

Of course, not everyone is savvy, experienced, curious or brave enough to visit the web’s nether regions. Which is why the Trustwave SpiderLabs team is always happy to take the lead – and chronicle what they find along the way.

Here are some of the stranger impressions our researchers took away from their most recent investigation.

1) Dark web dwellers don’t take kindly to malware infections (of each other).

A set of 17 forum rules our researchers stumbled upon reeked of irony from start to finish – including an admonition not to post any personal information about fellow members – but perhaps none more than No. 3: “Don’t attempt to infect members with trojans, viruses or backdoors.” The truth is, rules like this must exist for an organized system to function and flourish. It’s no wonder that professional cybercrime is booming.

2) They are grooming the next generation of cybercriminals.

Like any well-developed economy, the cybercriminal underground requires tasks of all specializations, right down to the lowly duty of data entry. But to attract the right crop of people to these “entry-level” positions that require little skill, leaders must appeal to the interests of youth – and they do this by graffitiing job offers, leveraging popular communication platforms to hawk the openings and using slang. The goal is much larger than finding someone to fill a CAPTCHA solver role: Cultivate a career cybercriminal.

3) They love the gig economy for washing their dirty money.

Capitalizing on the ride- and home-sharing boom, crooks who need to launder their ill-gotten proceeds recruit drivers and hosts who never so much as need to put a car into drive or make a bed. Instead they perform fake rides or accept fake visitors, receive “payment” from the “customers,” and then the funds make their way through legitimate company systems and come out clean on the other side. Part of the money is then paid back to the criminal, and the person who played driver or host walks away with a tidy profit for minimal effort.

Article by ATI partner Dan Kaplan of Trustwave


Cybercriminals aren’t going to exert more effort than they have to. For all the talk of the sophisticated investment required to discover and exploit vulnerabilities to obtain a foothold into a targeted environment, email remains a perfectly welcoming – and far more time- and cost-effective – medium.

The payoff is simply too good for cybercriminals. Of course, that doesn’t mean attackers aren’t shifting tactics or developing innovative ways to take advantage of this low-hanging fruit and stay one step ahead of the defenders.

As always, knowledge is power when it comes to combatting the latest cyberthreats. Here is what Trustwave SpiderLabs incident investigators are seeing in the world of email.


1) Sextortion Messages

There is a rise in email-based blackmail, in which malicious senders attempt to trick users into believing that an attacker has obtained embarrassing evidence of them visiting pornographic websites and has collected pictures and audio from a hacked webcam. The sender threatens to release the allegedly compromising content to everyone in the victim’s contact/friend list, or to post it to their social media profile, unless a payment is made (usually in cryptocurrency). For additional reading on this particularly frightening threat, our Fahim Abbasi has produced two blog posts.

2) IoT Botnets Delivering Spam

A collection of compromised IoT devices can form a formidable botnet (as was evident when Mirai arrived on the scene in late 2016), and the susceptibility and sheer growth of connected smart devices provide a conducive pathway for more to emerge. Most of the activity we have observed has come from home routers, which go unpatched because these devices rarely receive any kind of vendor support after their release. Many of 2018’s biggest botnets exploited 5- or even 8-year-old vulnerabilities in router/modem firmware. These include Pitou, Type52 and Xinbot.

3) A New Host Nation

Brazil has risen as a new source of phishing and banking attacks. Campaigns from this country were mainly targeting Latin American financial institutions, but customers from other regions, predominantly North America and EMEA, were affected as well.

4) File Extensions

As more users are trained to recognize the tell-tale signs of phishing and spam, such as misspellings, grammatical errors and language issues, well-crafted messages greatly increase attack success rates. So does the use of popular file types, a common way for malicious actors to mimic legitimate third-party communication and evade traditional email security. Most attachments used in malicious email continue to be file formats tied to how the message renders (.gif, .js) and MS Office documents (.xls and .doc) carrying malicious macros.

5) Emotet

This banking Trojan obtains financial information by injecting code into the networking stack of an infected computer, allowing sensitive data to be stolen in transit. Emotet is often concealed in documents delivered through emails that pretend to come from financial institutions. The emails carry a Word document embedded with malicious macro code; once the macro executes, it downloads and runs Emotet. The malware is not the final payload, though: it acts as a downloader for additional malicious code.
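The three items above (sextortion bodies, risky attachment types, and macro-laden Office documents such as the Word droppers that fetch Emotet) can be screened in one triage pass over a raw message. The script below is an added example written for this page, not Trustwave tooling. The sender addresses, file names and Bitcoin address in its constructed samples are made up; the address regex is a syntactic match only; and the check for legacy .doc/.xls files is a byte heuristic standing in for a proper OLE parser such as oletools’ olevba.

```python
"""Added triage example (not Trustwave's tooling): flag sextortion-style bodies
and the attachment types discussed above in raw RFC 822 messages."""
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Script/executable droppers commonly seen as email attachments.
RISKY_EXT = {".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr"}
OOXML_EXT = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
LEGACY_OLE_EXT = {".doc", ".xls", ".ppt"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file signature

# Base58 (1.../3...) or bech32 (bc1...) Bitcoin address shapes; syntactic match only.
BTC_ADDR = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
EXTORTION_TERMS = ("webcam", "video", "contacts", "bitcoin", "hours", "adult", "recorded")


def is_sextortion(text: str, min_terms: int = 3) -> bool:
    """Blackmail template: a payment address plus several threat/coercion terms."""
    low = text.lower()
    hits = sum(1 for term in EXTORTION_TERMS if term in low)
    return bool(BTC_ADDR.search(text)) and hits >= min_terms


def ooxml_has_macro(data: bytes) -> bool:
    """OOXML (zip-based) Office files carry VBA in a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def legacy_ole_has_macro(data: bytes) -> bool:
    """Heuristic for binary Office files: OLE2 signature plus the _VBA_PROJECT
    storage name (OLE directory entry names are stored as UTF-16LE)."""
    return data.startswith(OLE_MAGIC) and "_VBA_PROJECT".encode("utf-16-le") in data


def triage(raw: bytes) -> dict:
    """Return the subject and a list of findings for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and is_sextortion(body.get_content()):
        findings.append("sextortion-body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = os.path.splitext(name)[1]
        data = part.get_payload(decode=True) or b""
        if ext in RISKY_EXT:
            findings.append(f"script-attachment:{name}")
        elif ext in OOXML_EXT and ooxml_has_macro(data):
            findings.append(f"macro-doc:{name}")
        elif ext in LEGACY_OLE_EXT and legacy_ole_has_macro(data):
            findings.append(f"macro-doc:{name}")
    return {"subject": msg["subject"], "findings": findings}


# --- constructed samples; addresses, names and the wallet address are made up ---
def _build(subject, body, attachments=()):
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.test", "victim@example.test", subject
    m.set_content(body)
    for name, data, subtype in attachments:
        m.add_attachment(data, maintype="application", subtype=subtype, filename=name)
    return m.as_bytes()


def _fake_docm():
    """Minimal zip with the part name a macro-enabled Word file would contain."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00placeholder-vba")
    return buf.getvalue()


SAMPLE_SEXTORTION = _build(
    "Your account was hacked",
    "I recorded a video of you through your webcam on an adult site.\n"
    "Send 0.3 bitcoin to 1Ab2Cd3Ef4Gh5Jk6Mn7Pq8Rs9Tu1Vw2Xy3Z within 48 hours\n"
    "or the video goes to all your contacts.\n",
)
SAMPLE_MACRO = _build(
    "Invoice 2019-0421",
    "Please see the attached invoice.\n",
    [("invoice.docm", _fake_docm(), "vnd.ms-word.document.macroEnabled.12"),
     ("scan.js", b"var s = new ActiveXObject('WScript.Shell');", "javascript")],
)
SAMPLE_CLEAN = _build("Team meeting", "Agenda is in the body below.\n")

if __name__ == "__main__":
    for raw in (SAMPLE_SEXTORTION, SAMPLE_MACRO, SAMPLE_CLEAN):
        print(triage(raw))
```

Run it against a mail spool by feeding each message’s bytes to triage(); the extension sets and the term list are the knobs to tune per environment, and a real pipeline would replace legacy_ole_has_macro with a full OLE parser.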

6) Supply Chains

Attackers are increasingly using the supply chain in their email campaigns, exploiting legitimate business partners – themselves victims of an initial compromise – to distribute phishing/spam emails from compromised legitimate addresses. Most of these third-party companies are unaware that they are spreading malware to all of their business contacts. This approach increases attackers’ ingress success rates by adding a “trusted” source of communication.

Article by ATI partner Dan Kaplan of Trustwave

Technical advancements breed new and greater security threats, and digital transformation initiatives open the door to larger gaps in cyber-defense strategies.

Threats and vulnerabilities will continue to flourish. In 2017 alone, the increase in annual data breaches was close to 30% (2017 Cost of Cybercrime Study, Accenture). This will keep increasing, and the problem isn’t access to enterprise-grade security methods and strategies. Instead, a lack of understanding of which products fit within your current environment, together with the ‘it won’t happen to me’ mentality, ends up leaving businesses vulnerable.

The Reality: Security continues to simmer on the back-burner. 65% of companies believe they have appropriate in-house security measures in place, yet 80% have been victims of a successful cyber attack or breach in the previous year.

Learn where to start adding security to your portfolio with this eBook.


Securing information is becoming more important than ever. Damages from cybercrime are expected to exceed $6 trillion annually by 2021. Malware is constantly evolving; DDoS attacks are on an exponential rise and ransomware is no longer just a threat to enterprise organizations, but to every company that is online.

With state-sponsored cyberattacks growing in frequency and sophistication and threat actors being governments and professional organizations who focus on hiring the best talent, the profile of a cybercriminal is no longer an early-twentysomething hacking from his mother’s basement.

It goes without saying that the cybersecurity field is in high demand. The field has a negative unemployment rate (more open positions than candidates) and a huge skills gap, with an expected shortage of 2 million positions by 2019. Only one in three IT leaders believe they have the skills in-house to address their needs. That means demand for security professionals and solutions is only growing, and it comes from businesses of all sizes and industries.

The biggest vulnerabilities companies face include:

DDoS Attacks

A distributed denial of service (DDoS) attack is an attempt to block an online service by flooding it with traffic. You may be familiar with last year’s DDoS attack on Dyn which disrupted thousands of sites across the US and Europe. For any company that has a mostly online presence like an ecommerce retailer or someone who captures leads online, a DDoS attack could be very costly to their business.

Malware

Short for malicious software, malware comes in a number of forms, from viruses and worms to spyware and Trojans, all designed to stay undetected and exfiltrate personal data. Credit card numbers still have value, but it is pennies compared to the premium paid for healthcare records on the black market. These threat actors make their way in through social engineering, outdated software, end-of-life (EOL) machines, IoT devices without password protection and basic human error.

Ransomware

Ransomware typically arrives through social engineering and phishing schemes and attempts to extort money from victims by locking them out of their files. No matter how smart people are, they do careless things like clicking on an email from a “Nigerian Prince”.

Social Engineering and Human Error

Referenced as a cause for all the items listed above, human error happens. The best line of defense against these cyberthreats is well trained personnel. As attacks become more sophisticated, even the most email-savvy employees fall victim to social engineering. Poor password hygiene and incomplete exit strategies for departing employees also leave companies in vulnerable positions.

So where to start? We are here to educate and work together on a strategic road-map. Let’s start with a no-obligation security assessment.



Article by ATI partner Craig D’Abreo from Masergy

Do you need a survival guide to find the right Managed Security Services Provider (MSSP)? Forrester Research and Masergy have joined forces to help you navigate the world of outsourced security.

When firewalls materialized in the 1990s, protecting your network was easier, and outsourcing cybersecurity to a service provider wasn’t necessary. Today, however, it’s a very different story. Defending your network from sophisticated attackers requires a laundry list of services and technologies that must correlate data from multiple devices and sources. When you factor compliance requirements and government regulations with a rapidly growing list of security incidents and seemingly never-ending alerts to monitor and distill down to a short list of high-priority actions, it’s easy to become deluged by the responsibilities. Security has become an untenable situation for most IT teams, stretching personnel resources and budgets to the max.

To survive, enterprises need outside partners with solutions that ingest data from a wide variety of sources, leveraging machine learning and behavior analytics to discern what’s normal and what should sound the alarms. A must-have for any enterprise is a 24/7 dedicated team of internal resources in place to monitor and manage alerts and incident response. Building such a team often stretches internal IT resources even further, and requires a large budget to cover:

  • Staffing
  • Facilities
  • Equipment/tools
  • Training
  • Compliance

The security market has become so saturated that it’s difficult to navigate the plethora of products and services in order to make a smart decision about who and what should be trusted to protect your most important asset–your company data. However, choosing an MSSP can also be daunting, because the selection process is about more than just the features of a given cybersecurity product or solution. It’s a contract to deliver services over a number of years, and once selected, you’re committed to learn to work with your MSSP.

When selecting new technologies and services, questions that are often asked are:

  • What should I be looking for in a managed security service provider?
  • Are there industry gold standards that set the best of the best apart from the mediocre MSSPs?
  • What questions should I ask potential MSSPs before placing my organization’s well-being in their hands?
  • How does a Security Operations Center (SOC) work? What does the escalation process look like? What will be required of my team?
  • And finally, what data will need to be exchanged on a regular basis, and how is that data secured?

We find these questions are best answered by the experts. That’s why Masergy has partnered with Forrester Research, to provide you with a survival guide that will assist in your search for the right MSSP. Forrester Research’s Principal Analyst Jeff Pollard and Masergy’s V.P. of Security, Craig D’Abreo have joined forces to help enterprises chart a course for more informed cybersecurity decision making. During the June 13, 2018 webinar, The MSSP Survival Guide, they will discuss the tips you need to know and the traps you need to avoid as you map out a comparison strategy to identify the best partner for your needs.

Learn more about Managed Security.


Article by ATI Partner Chris Nyhuis, CEO – Vigilant 

In today’s world of cybersecurity incident response we are seeing evolving threats that are no longer detectable by standard detection. You heard that right: effective, evolving threats that can move around artificial intelligence, behavior analytics and SIEM. To make it worse, if the security services/solutions you are using are easy to purchase, then threat actors can purchase them too, test against them in their labs prior to attacking, and succeed on the first try.

One of these evolving tactics is in the realm of ransomware. Traditionally, ransomware was thrown to the wind by the attacker, hoping to hit a random company that the attacker could then charge a lion’s share of bitcoin after encrypting all of its data. This approach was successful for quite some time; however, the good guys realized that with a proper backup strategy a company can respond and recover the encrypted data fast, taking the wind out of the sails of the attack and money out of the attackers’ pockets.

Ransomware went dormant for a while, which, for those of us in the security community, meant there was some re-grouping and that there would be another trick up the attackers’ sleeve. Silence means a wave is on the horizon.

Here’s what they are doing now and it’s ingenious.

  • The attacker enters the company using everyday malware, nothing special.
  • Next, they manually jump off the original computer before it is cleaned by AV and pivot to a few other systems so they have redundant control of the network.
  • The attacker then manually identifies and takes over critical servers within the customer’s environment. Notice the manual actions here: hands-on-keyboard activity is hard to detect, so most organizations’ security solutions will miss it.
    • They take over the following:
      • Firewalls – Ability to Defend
      • Exchange – Ability to Communicate
      • File Servers – Customer’s Data
      • Active Directory – Ability to Control Access
      • Backup Servers – Ability to Recover
  • Once they are on all of these, they perform a surgical encryption of those systems. Not widespread, surgical, and at that point the company’s entire data estate and its ability to recover are gone.
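The sequence above has a detectable shape even when every step is done by hand: one account reaching several servers in a short window, from a source host that was itself a target a few minutes earlier, with the backup and directory roles among the targets. The script below is an added example written for this page, not part of Vigilant’s CyberDNA service; the hostnames, role mapping, account names and logon records are all constructed, and in a Windows estate the records would be drawn from 4624 events with logon type 3 or 10.

```python
"""Added example (not Vigilant's tooling): flag one account fanning out to several
servers, especially the critical roles named above, within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed hostnames mapped to the roles the article lists; adjust to your estate.
CRITICAL_ROLES = {
    "fw01": "firewall",
    "mail01": "exchange",
    "fs01": "file-server",
    "dc01": "active-directory",
    "bkp01": "backup",
}

# Constructed network-logon records: (timestamp, account, source host, target host).
SAMPLE_EVENTS = [
    ("2019-03-04T09:00:00", "CORP\\backupsvc", "bkp01", "fs01"),
    ("2019-03-04T09:30:00", "CORP\\alee", "ws-042", "fs01"),
    ("2019-03-04T22:01:10", "CORP\\jsmith", "ws-117", "fs01"),
    ("2019-03-04T22:04:42", "CORP\\jsmith", "ws-117", "dc01"),
    ("2019-03-04T22:09:15", "CORP\\jsmith", "ws-117", "bkp01"),
    ("2019-03-04T22:12:03", "CORP\\jsmith", "dc01", "mail01"),
    ("2019-03-04T22:15:30", "CORP\\jsmith", "dc01", "fw01"),
]


def detect_fanout(events, window=timedelta(minutes=30), min_hosts=3):
    """Return one alert per account that reached at least min_hosts distinct
    targets inside `window`, at least one of them holding a critical role."""
    by_account = defaultdict(list)
    for ts, acct, src, dst in events:
        by_account[acct].append((datetime.fromisoformat(ts), src, dst))

    alerts = []
    for acct, rows in by_account.items():
        rows.sort()  # chronological; sliding window starts at each row
        for i, (t0, _, _) in enumerate(rows):
            in_win = [r for r in rows[i:] if r[0] - t0 <= window]
            targets = {r[2] for r in in_win}
            if len(targets) < min_hosts:
                continue
            roles = sorted(CRITICAL_ROLES[h] for h in targets if h in CRITICAL_ROLES)
            if not roles:
                continue
            sources = {r[1] for r in in_win}
            alerts.append({
                "account": acct,
                "start": t0.isoformat(),
                "targets": sorted(targets),
                "critical_roles": roles,
                # A source that is also a target in the window is a pivot hop.
                "pivoted": bool(sources & targets),
                "backup_reached": "backup" in roles,
            })
            break  # one alert per account is enough to page someone
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_EVENTS):
        print(alert)
```

The backup_reached flag is the one to escalate hardest on: a backup server being reached in the same window as a domain controller and a file server is the point at which the ability to recover is about to be lost. Service accounts that legitimately touch many hosts (the backupsvc account in the sample) should be allow-listed per role rather than excluded wholesale.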

Did you see that? The attacker took out the company’s ability to RECOVER by destroying its backups. You can see that the threats your customers face each day are not automated, dumb attacks. Threat actors can make significant revenue with these attacks; they are smart, agile and evolve in minutes. Vigilant has been contacted by three companies in the last week, ranging from $10 million to $2.2 billion in revenue, completely encrypted and shut down. Two of them will go out of business and one will recover. The hard part for us is knowing that if we had been there prior to the attack, we could have stopped all three from happening. Vigilant is a Security as a Service organization that specializes in:

  • Intrusion Detection
  • Intrusion Prevention 
  • Incident Response 
  • Targeted Vulnerability Management

Vigilant performs a 5-Day no cost threat assessment for your customers to show them a much different and effective approach to security. Schedule one today.

Learn more about managed security with Vigilant’s CyberDNA. 



Why Red Teaming isn’t Pen Testing

Red Teaming has become a buzzword in the security industry of late and is often mistaken for penetration testing. But how does a Red Teaming engagement actually differ from a pen test?

In this webinar, Ed Williams, Director of SpiderLabs at Trustwave for Europe, Middle East and Africa, will offer key tips to help you manage the complexity of today’s advanced threat landscape and understand some of the real benefits of Red Team engagements for your organisation. 

Tune in to learn: 

• What Trustwave SpiderLabs Red Teaming is all about and what makes it unique 
• How Red Teaming is different from pen testing
• Key benefits of a Red Team engagement for your organization