This time last year, we looked back at the blogs that caught our readers’ attention the most. In 2016, it was our Analysis of Competing Hypotheses (ACH) of the Tesco Bank incident that reached the top of the pile. In 2017, it was yet another ACH that topped our blog charts.
In May, the WannaCry ransomware spread across computer networks around the world. Despite a range of explanations being offered, there was a lot of confusion as to the actors behind the campaign and their objective(s).
Using ACH, our analysts recorded their assumptions, evidence and hypotheses on one matrix. This identified the hypotheses that were least likely to be valid. (In the end, we posted an additional, updated ACH as more evidence emerged: http://www.activeblogging.com/blog-and-research/wannacry-an-analysis-of-competing-hypotheses-part-ii/).
This structured approach is significant because it makes collaboration and peer review easier. Indeed, we were happy to see others getting involved with ACHs, including a SANS Internet Storm Center handler who did some work in this area.
ACH can’t be used in all circumstances, but the transparency it provides is useful and aligns with the values of intelligence tradecraft that Jim Marchio espoused in his paper.
For the ACH nerds out there, you can view all the ACHs we’ve done here: http://www.activeblogging.com/blog-and-research/tag/ach/
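As an added illustration (not code from the original analysts or this blog), here is a minimal ACH matrix scorer in Python that follows Heuer’s method: each piece of evidence is rated consistent, inconsistent or neutral against each hypothesis, hypotheses are ranked by weighted inconsistencies (trying to disprove rather than prove), and the matrix is checked for evidence that is non-diagnostic or pivotal. The hypotheses, evidence and weights are constructed placeholders, not the original WannaCry matrix.

```python
from __future__ import annotations
from dataclasses import dataclass

# Ratings per hypothesis: "C" consistent, "I" inconsistent, "N" neutral / not applicable.
@dataclass
class Evidence:
    label: str
    weight: int      # credibility x relevance, 1 (low) to 3 (high)
    ratings: dict    # hypothesis name -> "C" | "I" | "N"

def inconsistency_scores(hypotheses: list[str], evidence: list[Evidence]) -> dict[str, int]:
    """Weighted sum of evidence inconsistent with each hypothesis (lower survives better)."""
    scores = {h: 0 for h in hypotheses}
    for e in evidence:
        for h in hypotheses:
            if e.ratings.get(h, "N") == "I":
                scores[h] += e.weight
    return scores

def leaders(hypotheses: list[str], evidence: list[Evidence]) -> set[str]:
    """Hypotheses with the fewest inconsistencies; a tie means the matrix cannot separate them."""
    scores = inconsistency_scores(hypotheses, evidence)
    best = min(scores.values())
    return {h for h, s in scores.items() if s == best}

def non_diagnostic(hypotheses: list[str], evidence: list[Evidence]) -> list[str]:
    """Evidence rated identically against every hypothesis discriminates between none of them."""
    return [e.label for e in evidence
            if len({e.ratings.get(h, "N") for h in hypotheses}) == 1]

def pivotal_evidence(hypotheses: list[str], evidence: list[Evidence]) -> list[str]:
    """Sensitivity check: evidence whose removal changes which hypotheses lead."""
    baseline = leaders(hypotheses, evidence)
    return [e.label for e in evidence
            if leaders(hypotheses, [x for x in evidence if x is not e]) != baseline]

# Constructed, illustrative matrix: hypotheses, evidence, weights and ratings are
# placeholders for the technique, not the original WannaCry analysis.
H1, H2, H3 = "H1 profit-driven", "H2 disruption", "H3 accidental release"
HYPOTHESES = [H1, H2, H3]
EVIDENCE = [
    Evidence("E1 self-propagating worm component", 2, {H1: "N", H2: "C", H3: "C"}),
    Evidence("E2 rudimentary payment and decryption handling", 3, {H1: "I", H2: "C", H3: "C"}),
    Evidence("E3 ransom note displayed", 1, {H1: "C", H2: "C", H3: "C"}),
    Evidence("E4 kill switch present in the code", 2, {H1: "N", H2: "I", H3: "C"}),
    Evidence("E5 victims across many countries", 1, {H1: "C", H2: "N", H3: "C"}),
]

if __name__ == "__main__":
    print("scores:", inconsistency_scores(HYPOTHESES, EVIDENCE))
    print("leading:", leaders(HYPOTHESES, EVIDENCE))
    print("non-diagnostic:", non_diagnostic(HYPOTHESES, EVIDENCE))
    print("pivotal:", pivotal_evidence(HYPOTHESES, EVIDENCE))
```

Evidence that turns up as non-diagnostic adds nothing to the matrix however striking it looks, and pivotal evidence is where a reviewer should push hardest on the source’s credibility, since a single rating change there flips the conclusion.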
The Equifax breach was arguably the biggest story of 2017, so it’s understandable that this blog attracted plenty of readers. When events like this break, it’s always tricky to strike the right balance between a quick response and providing accurate, useful information. We’ve found that transparency helps here, and we use the following structure:
- What we know
- What we don’t know
- What we expect to happen next
By taking this approach, we can cut through the hype and identify intelligence gaps. It’s definitely a structure we’ll be using for future breaking events.
For those interested in the lessons we can learn from the Equifax breach, check out the short paper we published on it.
The last of the top three blogs of 2017 focused on the cybercriminal ecosystem and the mechanisms criminals have in place to detect fraud by other criminals.
Those who commit this type of fraud are known as “rippers”, and there are several mechanisms in place to protect against them, including blacklists. One service, called ripper[.]cc, is an innovative approach to identifying rippers, demonstrating how professionalized the cybercriminal ecosystem has become. Ripper[.]cc allows users to identify profiles that have previously been reported, and to do so across different platforms. There’s even a Chrome plugin to make this easier. You can read more about ripper[.]cc in this blog: http://www.activeblogging.com/blog-and-research/innovation-in-the-underworld-reducing-the-risk-of-ripper-fraud/
Check out these three blogs and keep an eye out for the exciting research we have planned for 2018.