Threat Intelligence Brief – February 2017


Data Backup Best Practices

This month, we’re focusing on a different kind of threat: one that originates within internal IT processes and puts organizations and individuals at significant risk.
We’re talking about the absence of data backup best practices.
It’s a widespread issue, and one that significantly enhances threat actor effectiveness. Without a proper backup of the affected data, your options for recovery are limited in the event of a compromise. In the case of ransomware, this means you’ll either have to pay (with no guarantee that the attackers will deliver a working decryption key) or risk losing the affected data entirely.
While not an inherently exciting topic, data backups are critical to restoring operations after an incident. That’s why we decided to take a break from our standard external-threat format to stress the importance of data backups and the best practices every organization should incorporate into its security program.

How to Create a Data Backup Plan

  • Identify and classify your data. Before implementing a backup plan, you must determine what data you want to protect and how important it is. This determines how often backups should occur, which is really a decision about how much data you can afford to lose between two backups. Classifying the data also surfaces storage requirements: if there’s PII, financial or medical data, additional controls such as encryption and retention policies must be built into the backup plan.
  • Make a backup plan. Carefully lay out what data will be backed up and at what interval. The plan should also cover retention periods and offsite storage agreements. It’s not advisable to keep all backups on the same network or at the same site; a backup that is reachable with the same credentials from the same network will be encrypted or deleted by ransomware along with the primary data, so keep at least one copy offline or otherwise not writable from production systems. During the planning phase, you might find that a dedicated offsite facility is too expensive for your organization and that a cloud-based backup service is a better fit. For any offsite location, ensure that data is encrypted at rest and in transit, and keep the encryption keys separate from the backups themselves.
  • Test your backups in a non-production environment. Rolling out an untested backup plan to a production or live network can cause significant interruptions or loss of data, so stand it up and test it in a non-production environment first. Testing should cover the scenarios in which data would be lost or compromised, and it must include full restores: a backup job that reports success proves nothing until the data has been restored and verified.
  • Roll out the backup plan. Once you have cleared the testing hurdle, roll out the backup plan to your live environment. After implementation, schedule restore tests for maintenance windows, when a problem wouldn’t incur significant downtime.
  • Monitor your backup operations. Just having a plan and deploying it isn’t enough. Continually monitor the backup process: check the logs, alert on failed or skipped jobs, verify the integrity and age of stored copies against the intervals set in the plan, and run periodic restore tests to ensure that your backups will work as intended in the event of a compromise.
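To make the last two steps concrete, here is an added example (not part of the brief) of the kind of check a monitoring job would run against a backup manifest. It assumes a manifest that records, for each copy, its location, the data class of its contents, when it was taken and its SHA-256 at creation; the policy table, the site names and the sample files are constructed for the demonstration. The audit flags tampered or missing copies, copies older than their class allows, and the situation the plan warns about: no usable copy outside the production site.

```python
"""Check backup copies for integrity, freshness and placement.

Added example, not code from the brief. Policy values, manifest fields and
the sample copies are assumptions made for the demonstration.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Assumed policy: maximum age of a usable copy, by data classification.
MAX_AGE_BY_CLASS = {
    "pii": timedelta(hours=24),
    "financial": timedelta(hours=24),
    "general": timedelta(days=7),
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_copy(entry, now):
    """Return the list of problems with one copy; an empty list means it is usable."""
    if not os.path.exists(entry["path"]):
        return ["missing"]
    problems = []
    if sha256_file(entry["path"]) != entry["sha256"]:
        problems.append("checksum mismatch")
    age = now - datetime.fromisoformat(entry["created"])
    limit = MAX_AGE_BY_CLASS[entry["data_class"]]
    if age > limit:
        problems.append(f"stale: age {age} exceeds {limit}")
    return problems


def audit(manifest, now, production_site):
    """Verify every copy and check that a usable copy exists off the production site."""
    report = {"copies": {}, "policy": []}
    usable_offsite = False
    for entry in manifest:
        problems = verify_copy(entry, now)
        report["copies"][entry["name"]] = problems
        if not problems and entry["site"] != production_site:
            usable_offsite = True
    if not usable_offsite:
        report["policy"].append("no verified copy outside the production site")
    return report


def run_demo():
    """Constructed scenario: three copies of one PII dataset, only one of them good."""
    now = datetime(2017, 2, 1, 12, 0, tzinfo=timezone.utc)
    tmp = tempfile.mkdtemp()

    def make_copy(name, site, age, content, tamper=b""):
        path = os.path.join(tmp, name + ".tar")
        with open(path, "wb") as fh:
            fh.write(content)
        recorded = sha256_file(path)   # hash taken when the backup was made
        if tamper:                     # simulate corruption after the fact
            with open(path, "ab") as fh:
                fh.write(tamper)
        return {"name": name, "path": path, "site": site, "data_class": "pii",
                "created": (now - age).isoformat(), "sha256": recorded}

    manifest = [
        make_copy("onsite-daily", "hq", timedelta(hours=2), b"customer-db-2017-02-01"),
        make_copy("offsite-weekly", "dr-site", timedelta(days=10), b"customer-db-2017-01-22"),
        make_copy("cloud-daily", "cloud", timedelta(hours=1), b"customer-db-2017-02-01",
                  tamper=b"\x00"),
    ]
    return audit(manifest, now, production_site="hq")


if __name__ == "__main__":
    report = run_demo()
    for name, problems in report["copies"].items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
    for problem in report["policy"]:
        print("POLICY:", problem)
```

In the constructed scenario the only intact, fresh copy sits at the production site, so the audit reports a policy failure even though the nightly job "succeeded"; that is exactly the condition a backup log alone will not reveal. A checksum match shows the copy is unchanged since it was written, not that it restores cleanly, so this check complements rather than replaces the periodic restore tests.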

Malicious IPs

In addition to reliable backup procedures, you should also be actively blocking known bad IPs at your network perimeter.
As every month, we’ve provided a list of IPs; they are just some of the many malicious addresses we see probing and attacking our customers’ environments. While the attacks varied, we saw a rise in WordPress brute force attacks in addition to the ever-present SSH attacks and SQL injections. We’ve taken steps to ensure that these addresses are blocked from our systems. If these IPs are accessing your systems, scrutinize those connections and interactions. Bear in mind that a blocklist is only a supplement: attackers rotate through compromised hosts, so watch for the behaviour (repeated login failures, injection payloads in requests) as well as the addresses.
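The following added example (not from the brief) shows how a blocklist like this month’s can be combined with behavioural detection for the three attack types named above, run over web server access logs. The blocklist entries use documentation address ranges rather than real attackers, the log lines are constructed, and the thresholds and injection patterns are assumptions to tune for your own traffic.

```python
"""Flag hostile source IPs in web server access logs.

Added example, not code from the brief. It matches each client against a
blocklist, counts failed WordPress logins per source inside a sliding window,
and looks for SQL injection markers in decoded request paths. Blocklist,
sample traffic and thresholds are constructed for the demonstration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed blocklist (RFC 5737 TEST-NET addresses, not real attackers).
BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24"),
             ipaddress.ip_network("198.51.100.7/32")]

# Common Log Format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Crude SQL injection markers for triage; a WAF ruleset is far more complete.
SQLI_RE = re.compile(r"(?i)(union\s+select|'\s*or\s+1=1|information_schema|sleep\(\d+\))")

# Assumed thresholds: five failed wp-login POSTs from one IP within five minutes.
WP_FAIL_THRESHOLD = 5
WP_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines):
    """Return {client_ip: sorted list of reasons} for every suspicious client."""
    findings = defaultdict(set)
    wp_failures = defaultdict(list)   # ip -> timestamps of recent failed logins
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if any(ipaddress.ip_address(ip) in net for net in BLOCKLIST):
            findings[ip].add("on blocklist")
        if SQLI_RE.search(unquote(rec["path"])):
            findings[ip].add("sql injection pattern")
        # WordPress answers a failed login with 200 and a successful one with a 302.
        if (rec["method"] == "POST" and rec["path"].startswith("/wp-login.php")
                and rec["status"] == 200):
            window = [t for t in wp_failures[ip] if rec["ts"] - t <= WP_WINDOW]
            window.append(rec["ts"])
            wp_failures[ip] = window
            if len(window) >= WP_FAIL_THRESHOLD:
                findings[ip].add("wp-login brute force")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}


def _line(ip, ts, method, path, status):
    """Build one constructed Common Log Format line."""
    return f'{ip} - - [{ts} +0000] "{method} {path} HTTP/1.1" {status} 512'


# Constructed sample traffic, not real data.
SAMPLE_LOG = [
    _line("192.0.2.50", "01/Feb/2017:09:59:58", "GET", "/about", 200),
    _line("203.0.113.5", "01/Feb/2017:10:00:00", "GET", "/", 200),
    _line("198.51.100.7", "01/Feb/2017:10:00:02", "GET", "/wp-login.php", 200),
    _line("192.0.2.60", "01/Feb/2017:10:00:03", "POST", "/wp-login.php", 302),
    _line("192.0.2.77", "01/Feb/2017:10:00:04", "GET",
          "/products.php?id=1%27%20OR%201=1--", 200),
] + [
    _line("192.0.2.10", f"01/Feb/2017:10:00:{sec:02d}", "POST", "/wp-login.php", 200)
    for sec in (5, 13, 21, 29, 37)
]


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(reasons)}")
```

Review the hits before turning them into firewall rules: a shared NAT address or a security scanner can trip the brute force rule, and the injection patterns are deliberately broad. The behavioural checks are what keep working once the addresses in this month’s list have been abandoned for fresh hosts.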

Malicious IP List

A ransomware attack needs only one person to click a malicious link or open a malicious attachment to infect a network and lock users out of their data. Unfortunately, for a small town in Ohio, this scenario unfolded when government employees found they were unable to access their computer or phone systems. The attackers demanded payment before the officials could resume using the town’s systems. This isn’t the first time a local government has been hit with ransomware, and, unfortunately, it won’t be the last. Full details of the ransomware strain used in this attack haven’t been released, but as with any ransomware case, tested backups are the most reliable means of recovery and user training the most effective means of prevention.



Phishing remains the most effective means of gaining access to target networks and delivering malware. Phishing campaigns have historically been resource intensive, since managing hosts and covering tracks is time-consuming. In 2016, we saw the advent of phishing services for hire. These services provide compromised websites and hosts from which to launch phishing campaigns, dramatically lowering campaign costs. We expect to see an increase in phishing services as well as in new campaigns. Now more than ever, users need to be wary of clicking links or opening suspicious attachments.



Malware that targeted computers belonging to Saudi Arabia’s state-owned oil industry in 2012 has resurfaced against similar targets. Saudi authorities sent an alert to organizations in the Kingdom after the malware hit the Saudi labor ministry and a Saudi chemicals firm. Thought to be the work of Iranian-sponsored hackers, the infection collects information about the files on affected hard drives and uploads it to the attacker. When the upload is finished, the files and the boot record are wiped, leaving the operating system unable to boot without administrative intervention. This new variant, Shamoon 2.0, is just as destructive as the original. Another interesting detail from the story is that the attacks were launched with credentials stolen by the hacking group Greenbug. Unlike other state-sponsored malware, which might try to collect information without alerting its target, Shamoon wants its victims to understand they were targeted.
