Example Use Cases

For many businesses, providing effective threat detection and response for their networks and endpoints is a huge challenge due to the rapidly increasing volume and sophistication of attacks from many global sources. Implementing an effective security program with the latest security technologies is typically beyond the scope of most smaller companies because they simply lack the on-site expertise and security operators needed to keep up with these advanced threats.

The following use case examples illustrate just a few of the many cyber threats that require close and constant attention. These advanced threats typically demand enterprise grade detection and response solutions that are costly and very complicated to implement.

Protecting Financial Systems from Exploitation Kit with Zero-day Exploits

Many businesses today rely on Point-of-Sale (PoS) devices for onsite financial transactions. Regardless of form-factor (cash registers, computers with PoS software, or tablets with PoS apps) all of these devices depend on the ability to connect securely to centralized systems to process the transactions, typically Virtual Private Cloud (VPC) environments in the Cloud. Because they process sensitive and valuable financial and credit card information, business with PoS systems are targets of a wide range of potential threats from cyber security exploits.

In this scenario, a restaurant’s computer with PoS software operates within a VPC environment using Virtual Private Network (VPN) encryption over a wireless 3G connection. The computer is used both for transactions as well as internet access via a centrally located proxy solution.

Protecting Resources by Thwarting Cryptojacking and Cryptomining Malware

Modern IT-environments should follow industry best practices and consistently apply updates to running software in order to manage the threat exposure and vulnerabilities. This can be done via regular software update systems or using a client’s own application for CI/CD implementations. However, this can make commercial and open-source software providers a high-effort, but also high-volume, high-reward targets for attackers. By compromising the supply chain of such providers and injecting malicious code into the otherwise legitimate software, attackers quickly gain foothold in the companies that use and trust the affected software. While the purpose of such compromises can be governmental or Industry espionage, it can also be used to take over your resources for the sake of commercial gains.

While there can be a many legitimate reasons for increased CPU utilization, in this example, the company’s assets were being used by the attacker to perform cryptojacking (unauthorized illegal cryptomining) of the privacy-focused currency Monero.

Detecting and Responding to WannaCry Ransomware

The WannaCry ransomware cryptoworm and its variants, have been at the center of cybersecurity efforts since 2017 when WannaCry launched a worldwide cyberattack. The attack targeted exposed systems that were running non-patched versions of the Microsoft Windows operating system either due to having reached end-of-life (EOL), or because of poor patching practices. WannaCry proved to be extremely efficient in successfully infecting systems not protected by the Microsoft MS17-010 security update. It exploited systems using EternalBlue and then used the compromised systems to swiftly spread itself even further.

NTT Security successfully detected and responded to WannaCry infections roughly 10 hours before WannaCry was even recognized as an ongoing campaign and named by the cybersecurity industry.

Stopping TrickBot and Other Banking Trojans

TrickBot is a banking trojan that originally emerged in 2016 and has been a global problem ever since with its multiple forms and variances. By design, TrickBot is modular in nature which is largely responsible for its massive success. Evan as the security industry made progress in detecting and responding to TrickBot, the attackers easily swapped out the detectable modules which changed the means of initial compromise, propagation, persistence, encryption, and even objectives without having to create an entirely new trojan. This made Trickbot extremely evasive and persistent in nature.

While seemingly harmless or even legitimate, a user opens a spam email that includes a malicious Word attachment containing macro code. If the attachment is opened, the macro code would execute causing the system to download TrickBot from an external server and infect the client. Once infected, the compromised client will attempt to reach out to Command and Control (C2) nodes for node registration and further instructions.

How CTS-AI Can Help

For many companies struggling to maintain information security and respond to threats, CTS-AI can be a game changer because of the way it applies artificial intelligence to provide automated threat detection and automated responses without the need to hire dedicated security teams.

CTS-AI is powered by the same human-validated, threat intelligence engine curated by NTT and WhiteHat Security for large and medium-sized enterprises but with pricing and simplicity designed for smaller enterprises and applications. Using just your mobile phone, you can leverage over 100 threat intelligence feeds from NTT’s global security operations center (SOC) network plus data from more than 50 of our security ecosystem partners.