Intelligence Report

Contents

I     Executive Summary
II    Global Data Analysis
        Malicious Activities – Source Countries
        Attack Distribution – Top 03 Foreign Attackers
III   Malware Attacks
        Most Probing Countries
        Most Probing Countries – Unique IP Addresses
        Most Probing IP Addresses
        Most Attacking IP Addresses
        Attacking IP Addresses – 10 Attacks
        Top Vulnerabilities
        Most Malwares Detected
        Detected Malware Hashes
        CnC IP Addresses & Domains
        Attacked Protocols
IV    SIP Attacks
        What is SIP?
V     Web Attacks
        IP Addresses Conducting Web Based Attacks
        Web Attack Payloads
VI    Brute-Force Attacks
        Most Usernames Used
        Most Passwords Used
        Top IP Addresses Conducting SSH Attacks
        Tools Used For SSH Based Attacks
VII   References
VIII  About TRIAM
IX    About Contributors

Executive Summary
To respond to any threat effectively, one must first identify the threat agents, understand their motives and study their means of attack comprehensively; that is, one must achieve situational awareness in order to defend against, respond to, or counter a threat.

In an effort to provide situational awareness to industry stakeholders about the cyber threat landscape of Pakistan, the TRIAM Threat Intelligence Team is extremely proud to present this monthly Threat Intelligence report for the month of April 2015.

In this edition of our monthly Threat Intelligence report we have observed an interesting set of activities being performed in Pakistan's cyberspace. One of the interesting observations has been the increased number of attacks coming from IP addresses in China, coinciding with the Chinese Prime Minister's visit to Pakistan in April. The details of these attacks, and of all other attacks, are documented in this report. The major set of attacks that have been discovered recently in Pakistan by global and TISS research and IR teams are summarized as follows:
Equation Group – Equation Group is the most advanced APT group found so far and is called the Crown Creator of Cyber Espionage. According to Kaspersky Lab's researchers the group is unique in almost every aspect of its activities: it uses tools that are very advanced and expensive to develop in order to infect victims, retrieve data and hide activity in a professional way, and also utilizes classic spying techniques to deliver malicious payloads to the victims. More details on this advanced APT group can be found at:
https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/
Ransomware – Ransomware is constantly affecting Pakistan based organizations, with financial gain as its key motive. Ransomware works by encrypting the data of infected machines belonging to organizations and individuals, thus completely blocking access to the data. The decryption key is sent only if a ransom is paid. There has been an exponential increase in the number of ransomware attacks in the year 2015, and taking preventive measures against this threat is highly recommended at all layers. If you require more details on these threats, or are exposed to these or different malwares, please reach out to us for a focused and quick response.
This report has been compiled using our advanced threat intelligence gathering platform, consisting of sensors such as honeypots, web crawlers and aggregators deployed throughout Pakistan. The information obtained using these sensors is then enriched by correlating information from different sources. Our aim in releasing these monthly reports is to enable all stakeholders in Pakistan to keep abreast of on-going threats and remain vigilant in protecting their networks from potential attacks. Trillium will soon make these threat feeds available to Pakistan based organizations so that their Security Information and Event Management (SIEM) systems, Firewalls and Intrusion Detection / Prevention Systems can be fed to provide protection against Pakistan specific attacks.

In the month of April, information gathered from our sensors indicates that:
• Multiple IP addresses, particularly from China, have been actively probing Pakistan cyberspace and looking for vulnerabilities to exploit.
• Attacks of different natures that materialized and had a major impact have been observed coming from Romania, China and Brazil.
• Among the detected malwares that are most active in Pakistan cyberspace, 96% of activity has been observed for Net-Worm.Win32.Kido.ih – an infamous worm that hogs network resources and is spread by exploiting Microsoft OS specific vulnerabilities.
The details of information gathered by our sensors are described further in this report.
We hope that you find this month's report useful, and feel free to contact us with any feedback.

DFIR Research team, Threat Intelligence
www.triam.com.pk www.infosecurity.com.pk
Global Data Analysis
This section presents analysis of attack data from sensors deployed at different places in Pakistan. We process millions of log entries and security alerts that are captured by our custom and purpose built sensors during the threat analysis. In order to provide real time threat intelligence and security alerts to our customers, we perform advanced analytics on the collected alerts by correlating security events from multiple sensors.
The countries hosting IP addresses that are carrying out malicious activities in Pakistan cyberspace are shown in Figure 1.
Malicious Activities - Source/Host Countries

Figure 1 - Percentage of events by source/host countries
The following figures present the distribution of attack types originating from the top three countries hosting the attacking IP addresses. It is quite evident from the following figures that the attack type distribution of each originating/hosting country is very different from the others. These figures reflect the fact that attack types, the motivation of attackers, and the sophistication of attacks differ between regions of the world.
Attack Distribution - Top 03 Foreign Attackers

Figure 2 - Attacks Originating from IP Addresses Hosted in China
Figure 3 - Attacks Originating from IP Addresses Hosted in Romania
Figure 4 - Attacks Originating from IP Addresses Hosted in Brazil
Malware Attacks

Malware attacks are the major threats being faced by Pakistani organizations. Using the Internet, attackers employ unique malware based techniques to infect their target systems for different reasons, varying from creating mere nuisance, to stealing credentials, to eavesdropping on communication, to capturing proprietary and highly confidential information.

Attackers scan the Internet to look out for vulnerable services and try to exploit them to gain access to the system and ultimately the network. Often root-kits (a type of malware) are used to take over and maintain control of a compromised system. The following section of the report presents the latest trends of malware based attacks which were identified based on the information gathered from our sensors during the month of April.
The correlated information from different sensors reveals that there were more than 2,54,000 connection attempts to Pakistan cyberspace from different countries of the world. Furthermore, we detected more than 57,000 materialized attacks that were launched in this period. Over 9,000 unique IP addresses tried to establish a connection with our deployed sensors throughout Pakistan at least once.

After thorough automated analysis and correlation, most of these connection attempts were classified as malicious and were doing intense scanning to figure out running services (particularly the vulnerable ones) over Pakistan cyberspace.

The IP address that established the most connections was found to be 89.40.31.192, with more than 38,400 connections. The origin of this IP address was found to be Romania. There were about 1900 unique IP addresses that succeeded in exploiting a particular vulnerability and uploaded some malware. The total number of attacks launched during this time period was more than 57,000.

The IP address that initiated the most attacks was found to be 89.40.31.192, with about 12,300 successful attacks. The origin of this IP address was found to be Romania. The most attacks were launched by exploiting the MS08-067, MS08-068 and MS09-001 vulnerabilities, which could allow remote code execution.

Furthermore, as per our correlated information, port 445 received the highest volume of attack traffic, with 87.48% of total attacks received. The service hosted on port 445 was SMBD (Server Message Block Daemon).

Further information related to the IP addresses trying to make connections and doing attacks, the top malware found, the top vulnerabilities exploited and the top protocols / services exploited is given below.
Most Probing Countries

The IP addresses from countries doing the most probing and connection attempts are shown in Figure 5. Probing is done to find services running on targeted systems and their corresponding vulnerabilities in the target machines which can be exploited.

Figure 5 - Country Based Connection Distribution

Most Probing Countries – Unique IP Addresses

Figure 6 shows the countries hosting the highest number of unique IP addresses that are found to be making connections and probing.

Figure 6 - Country Based Unique IP Distribution

Most Probing IP Addresses

Figure 7 shows the list of individual IP addresses that are found to be making connections and probing.

Figure 7 - IP Based Connection Distribution

Table 1 shows the top 10 unique IP addresses that established the highest number of connection attempts.

IP Address         Connection Attempts   Country
89.40.31.192       38,444                Romania
117.239.228.134    33,135                India
103.24.97.190      16,326                Pakistan
196.29.120.73      15,661                Ghana
94.248.197.73      10,788                Hungary
46.241.224.234     7,181                 Armenia
78.106.81.248      6,639                 Russian Federation
89.179.28.158      6,271                 Russian Federation
128.75.169.45      4,830                 Russian Federation
128.74.198.210     4,781                 Russian Federation
Table 1 - IP Address Based Connection Distribution
Most Attacking IP Addresses

Figure 8 gives the list of individual IP addresses that initiated the most malware attacks by successfully exploiting vulnerabilities.

IP Address         Successful Attacks   Country
89.40.31.192       12357                Romania
117.239.228.134    10680                India
196.29.120.73      7266                 Ghana
46.241.224.234     3576                 Armenia
94.248.197.73      3402                 Hungary
78.106.81.248      2175                 Russian Federation
89.179.28.158      2053                 Russian Federation
93.81.179.136      1384                 Russian Federation
37.145.174.57      1228                 Russian Federation
95.29.232.52       1101                 Russian Federation
Figure 8 - IP Address Based Distribution

Table 2 below shows the list of the Top 10 IP addresses that launched the highest number of attacks.

IP Address         Successful Attacks   Country
89.40.31.192       12357                Romania
117.239.228.134    10680                India
196.29.120.73      7266                 Ghana
46.241.224.234     3576                 Armenia
94.248.197.73      3403                 Hungary
78.106.81.248      2175                 Russian Federation
89.179.28.158      2053                 Russian Federation
93.81.179.136      1384                 Russian Federation
37.145.174.57      1228                 Russian Federation
95.29.232.52       1101                 Russian Federation
37.146.102.200     1000                 Russian Federation
78.106.128.120     995                  Russian Federation
37.145.177.90      934                  Russian Federation
89.179.191.88      641                  Russian Federation
95.29.208.177      495                  Russian Federation
95.29.218.25       364                  Russian Federation
59.103.197.121     362                  Pakistan
2.94.120.46        358                  Russian Federation
128.75.187.7       300                  Russian Federation
93.80.248.154      267                  Russian Federation
93.80.189.33       259                  Russian Federation
189.4.133.231      243                  Brazil
93.80.239.232      229                  Russian Federation
128.74.221.216     220                  Russian Federation
93.81.184.86       220                  Russian Federation
187.21.245.55      206                  Brazil
37.145.178.237     188                  Russian Federation
189.4.134.2        160                  Brazil
187.21.246.10      157                  Brazil
46.241.229.78      126                  Armenia
Table 2 - IP Address Based Distribution
Attacking IP Addresses - 10 Attacks

Table 3 provides the list of IP addresses that initiated a minimum of 10 malware based attacks on Pakistan cyberspace. It is advised to block these IP addresses on your gateways. Please contact us if you would like to have the full list of suspicious IP addresses.

IP Address         Successful Attacks   Country
88.158.45.194      120                  Romania
128.74.208.154     111                  Russian Federation
93.81.170.38       110                  Russian Federation
119.154.250.73     100                  Pakistan
46.241.232.20      91                   Armenia
37.146.72.76       80                   Russian Federation
88.158.42.124      78                   Romania
187.21.245.175     69                   Brazil
46.241.234.236     60                   Armenia
213.191.165.250    51                   Bulgaria
46.241.234.241     50                   Armenia
81.181.81.94       50                   Romania
117.214.192.50     48                   India
62.221.159.186     47                   Bulgaria
37.145.168.50      46                   Russian Federation
88.158.43.53       41                   Romania
159.224.159.200    39                   Ukraine
95.29.237.152      36                   Russian Federation
46.241.232.90      35                   Armenia
79.121.38.197      35                   Hungary
117.220.141.170    24                   India
176.63.146.35      24                   Hungary
37.144.248.0       23                   Russian Federation
176.73.36.100      21                   Georgia
59.103.195.49      20                   Pakistan
117.220.136.36     19                   India
88.158.45.192      19                   Romania
93.80.161.229      19                   Russian Federation
92.87.135.28       16                   Romania
46.241.243.195     14                   Armenia
79.46.167.207      12                   Italy
37.145.184.205     11                   Russian Federation
37.145.148.107     10                   Russian Federation
Table 3 - IP Based Distribution – 10 Attacks
Top 10 Vulnerabilities

Below is the list and details of the vulnerabilities that were exploited the most for malware based injection. It is strongly recommended to fully patch all of the known vulnerabilities related to the OS and third-party programs installed in your network. You can contact us to perform a security assessment of your IT infrastructure for any potential loopholes and vulnerabilities.

Vulnerability   Name
Unknown         ClosePrinter
MS08-67         Net Path Canonicalize
MS06-66         Nw Change Password
MS07-065        QM Create Object Internals
MS05-39         PNP Query Res Conf List
MS05-017        QM Delete Object
MS04-12         Remote Create Instance
MS04-11         DS Roler Upgrade DownLevel
MS04-031        NDdeSetTrustedShareW
MS03-39         Net Add Alternative Computer
Table 4 - Top 10 Vulnerabilities

MS08-67
Vulnerability in Server service that could allow remote code execution.
http://support.microsoft.com/kb/958644

MS06-66
Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution.
https://technet.microsoft.com/en-us/library/security/ms06-066.aspx

MS05-39
Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege.
https://technet.microsoft.com/en-us/library/security/ms05-039.aspx

MS05-017
Vulnerability in Message Queuing Could Allow Code Execution.
https://technet.microsoft.com/en-us/library/security/ms05-017.aspx

MS04-12
Cumulative Update for Microsoft RPC/DCOM.
https://technet.microsoft.com/en-us/library/security/ms05-017.aspx

MS04-11
Security Update for Microsoft Windows.
https://technet.microsoft.com/en-us/library/security/ms04-011.aspx
MS04-031
Vulnerability in NetDDE Could Allow Remote Code Execution.
https://technet.microsoft.com/en-us/library/security/ms04-031.aspx

MS03-39
Buffer Overrun In RPCSS Service Could Allow Code Execution.
https://technet.microsoft.com/en-us/library/security/ms04-011.aspx

MS07-065
Vulnerability in Message Queuing Could Allow Remote Code Execution.
https://technet.microsoft.com/en-us/library/security/ms07-065.aspx
Top Few Detected Malwares

Table 5 gives the list of the malwares most detected in Pakistan cyberspace. The naming convention used for these malwares is based on Kaspersky detection. You can find the same malware under different names given by other antivirus engines.

Name                               Percent
Net-Worm.Win32.Kido.ih             94.12%
Backdoor.Win32.Rbot.bni            2.28%
Net-Worm.Win32.Allaple.e           1.20%
Net-Worm.Win32.Kido.kj             1.08%
Trojan-Downloader.Win32.Kido.bu    <1%
Trojan-Spy.Win32.Small.pex         <1%
Trojan.Win32.Genome.tusc           <1%
Backdoor.Win32.Agent.aknp          <1%
Trojan.Win32.Genome.ahpxd          <1%
Table 5 - Top Malwares Detected
Detected Malware Hashes

Table 6 provides the list of hashes for the malwares most detected in Pakistan cyberspace. These hashes may be helpful in quickly retrieving the details of a particular malware from different online sources.

To verify whether your antivirus engine detects the malwares given in Table 6, simply put the hash value in virustotal.com.

Malware                            Presence   MD5 Hash
Net-Worm.Win32.Kido.ih             94.12%     029e95604293d13fbf621a10ae11edfe
                                              099384dc46cca644e859cb7fb1d6de8b
                                              0af49bbed7ec17b2e8b5ae7b87920715
                                              0ea2203e8c7a1700b29271755e371392
                                              0ea2203e8c7a1700b29271755e371392
Backdoor.Win32.Rbot.bni            2.28%      c1989130056c32fa305e3de57f6f40f1
Net-Worm.Win32.Allaple.e           1.20%      247a51c8a6ea90209fad9bc9208dd48e
Net-Worm.Win32.Kido.kj             1.08%      B8099f59ec27f47e13ca2445731776c8
Trojan-Downloader.Win32.Kido.bu    <1%        4bb05060ae675d1d7177df05e1ac15b4
Trojan-Spy.Win32.Small.pex         <1%        f4d56bac967e0217a0049fe717cc634b
Trojan.Win32.Genome.tusc           <1%        b0426ed44d7819d1ab5ead9b12fd2879
Backdoor.Win32.Agent.aknp          <1%        7867de13bf22a7f3e3559044053e33e7
Trojan.Win32.Genome.ahpxd          <1%        4d56562a6019c05c592b9681e9ca2737
Net-Worm.Win32.Kido.dam.ak         <1%        468348280af746400d629a00ab782f21
Table 6 - Detected Malware Hashes
CnC IP Addresses & Domains

The following tables show the list of IP addresses and domain names that were found to be malicious and were communicating with infected machines.

IP Address        Country
221.8.69.25       China
204.27.59.22      India
195.22.26.231     Portugal
195.223.0.0       Italy
212.184.0.0       Germany
149.20.56.32      United States
149.20.56.33      United States
149.20.56.34      United States
221.8.69.25       China
54.235.146.190    United States
54.235.146.225    United States
216.146.38.70     United States
216.146.39.70     United States
216.146.43.70     United States
91.198.22.70      United Kingdom
128.30.52.37      United States
204.95.99.86      United States
Table 7 - CnC IP Addresses

Domains
xqpjtkqid.biz
yeigidwnrda.ws
zwvnfggq.ws
smcxq.biz
abyoqc.cn
ztcabv.cn
gwjewwqgig.cn
pdcpbbkit.cn
xiammogc.cn
checkip.dyndns.com
xdz.no-ip.org
Table 8 - CnC Domains
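The hashes, IP addresses and domains in Tables 6, 7 and 8 are only useful once they are matched against local data. The following Python script is an added example, not code from the TRIAM report or its sensors: it looks up MD5 digests against a subset of Table 6 (normalising case, since the report prints one hash with an upper-case first character), and scans firewall, DNS and proxy log lines for the CnC addresses and domains of Tables 7 and 8, treating subdomains of a listed domain as hits. The log lines and sample bytes below are constructed; the internal addresses in them are not from the report.

```python
"""Match indicators from the report (Table 6 MD5 hashes, Table 7 CnC IPs,
Table 8 CnC domains) against samples and log lines.
Added example; not code from the TRIAM report."""
import hashlib
import re

# Subset of indicators copied from Tables 6, 7 and 8 of the report.
# Hashes are stored lower-cased so lookups are case-insensitive.
MALWARE_MD5 = {
    "029e95604293d13fbf621a10ae11edfe": "Net-Worm.Win32.Kido.ih",
    "c1989130056c32fa305e3de57f6f40f1": "Backdoor.Win32.Rbot.bni",
    "247a51c8a6ea90209fad9bc9208dd48e": "Net-Worm.Win32.Allaple.e",
    "b8099f59ec27f47e13ca2445731776c8": "Net-Worm.Win32.Kido.kj",
}
CNC_IPS = {"221.8.69.25", "204.27.59.22", "195.22.26.231", "149.20.56.32"}
CNC_DOMAINS = {"xqpjtkqid.biz", "yeigidwnrda.ws", "checkip.dyndns.com", "xdz.no-ip.org"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)

# Constructed log lines (firewall, DNS, proxy); 10.0.0.x hosts are invented.
SAMPLE_LOGS = [
    "2015-04-12T10:01:03 fw src=10.0.0.15 dst=221.8.69.25 dport=8080 action=allow",
    "2015-04-12T10:01:09 dns client=10.0.0.15 query=xqpjtkqid.biz type=A",
    "2015-04-12T10:02:11 proxy client=10.0.0.22 host=update.checkip.dyndns.com",
    "2015-04-12T10:03:40 fw src=10.0.0.9 dst=93.184.216.34 dport=443 action=allow",
]


def md5_hex(data: bytes) -> str:
    """MD5 of a sample's bytes, as the lower-case hex string used in Table 6."""
    return hashlib.md5(data).hexdigest()


def lookup_md5(hexdigest: str):
    """Return the Kaspersky name for a listed hash, or None if unknown."""
    return MALWARE_MD5.get(hexdigest.strip().lower())


def classify_sample(data: bytes):
    """Hash a file's bytes and look the digest up in the report's list."""
    return lookup_md5(md5_hex(data))


def scan_log_line(line: str):
    """Return (kind, indicator) hits for CnC IPs and domains in one log line.
    A subdomain of a listed domain (e.g. x.checkip.dyndns.com) is also a hit."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in CNC_IPS:
            hits.append(("ip", ip))
    for name in DOMAIN_RE.findall(line):
        name = name.lower()
        if name in CNC_DOMAINS or any(name.endswith("." + d) for d in CNC_DOMAINS):
            hits.append(("domain", name))
    return hits


def find_cnc_hits(lines):
    """Return (line_number, kind, indicator) for every hit over all lines."""
    return [(n, kind, ind)
            for n, line in enumerate(lines, 1)
            for kind, ind in scan_log_line(line)]


if __name__ == "__main__":
    for n, kind, ind in find_cnc_hits(SAMPLE_LOGS):
        print(f"line {n}: CnC {kind} {ind}")
    print("Table 6 lookup:", lookup_md5("B8099f59ec27f47e13ca2445731776c8"))
```

Running the script flags lines 1 to 3 of the constructed log (a firewall connection to a Table 7 address, a DNS query for a Table 8 domain, and a proxy request to a subdomain of one) and leaves line 4 alone. In practice the same functions would be fed a directory walk for the hash check and a log tail for the CnC check; IP matches against Table 7 deserve a second look before blocking, because several of the listed addresses belong to shared hosting or dynamic DNS providers.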
Attacked Protocols

Table 9, below, shows the list of protocols which were found to be exploited for the most attacks.

Protocol   Exploitations
SMB        87.48%
SIP        4.94%
MSSQL      3.85%
MYSQL      1.55%
HTTP       1.24%
EPMAP      <1%
MIRROR     <1%
RSH        <1%
Table 9 - Attacked Protocols

SMB: The Server Message Block protocol operates as an application-layer network protocol mainly used for providing shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network.

HTTP: The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web. Hypertext is structured text that uses logical links (hyperlinks) between nodes containing text.

RSH: The remote shell (rsh) is a command line computer program that executes shell commands as another user, and on another computer across a computer network.

EPMAP: Microsoft EPMAP (End Point Mapper), also known as the DCE/RPC Locator service, is used to remotely manage services including DHCP server, DNS server and WINS. It is also used by DCOM.

MSSQL: The Tabular Data Stream protocol used by Microsoft SQL Server. It listens on tcp/1433 and allows clients to log in. It can decode queries run on the database.

Mirror: (Managing Isolation in Replicated Real time Object Repositories), a concurrency control protocol specifically designed for firm-deadline applications operating on replicated real-time databases.

MySQL: the MySQL client/server protocol, used by:
• Connectors (Connector/C, Connector/J, and so forth)
• MySQL Proxy
• Communication between master and slave replication

SIP: The Session Initiation Protocol is a communications protocol for signaling and controlling multimedia communication sessions. The most common applications of SIP are in Internet telephony for voice and video calls.
SIP Attacks

What is SIP?

The Session Initiation Protocol (SIP) is a communication protocol for signaling and controlling multimedia communication sessions. The most common applications of SIP are in Internet telephony for voice and video calls, as well as instant messaging over Internet Protocol (IP) networks.

SIP Attack Categories

Most SIP attacks can be divided into two groups. The first represents various types of PBX scanning and probing: the attacker sends an OPTIONS message and waits for an answer, or simply tries to place a call with immediate cancellation (an INVITE message followed by a CANCEL message). The second group represents flood attacks using the REGISTER message. REGISTER is used by a user agent to register with the registrar (SIP server). An attacker sends continuous REGISTER messages to the SIP server in order to degrade the server's performance and ultimately make it inaccessible to authorized users.

Register Flooding Attack

A REGISTER flood is an application-layer attack on the Session Initiation Protocol (SIP), as used in VoIP services, aimed at causing denial of service to SIP servers. It consists of sending a high volume of SIP REGISTER packets to SIP servers, thereby exhausting their bandwidth and resources. 96% of the SIP messages seen by our sensors were REGISTER messages.

SIP Message   No. of Distinct Connections   Total Messages
REGISTER      3862                          73448
Table 10 - SIP REGISTER Message

Malicious IP       Total
85.25.160.106      42037
212.129.61.222     9909
188.138.26.190     18088
195.154.39.5       3057
212.83.137.238     211
Table 11 - SIP – Malicious IP Addresses
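The two attack groups described above can be separated mechanically from captured SIP requests, which is what a sensor or a PBX-side monitor needs to do before it can produce a table like Table 11. The following Python script is an added example, not code from the TRIAM report or its sensors: it parses the request line of each message, then labels a source as an OPTIONS probe, an INVITE/CANCEL probe (CANCEL within two seconds of the INVITE), or a REGISTER flood (50 or more REGISTERs inside a 10-second sliding window). The two-second, 10-second and 50-message thresholds are assumed values to tune per site; the messages, timestamps, documentation-range addresses and the host name pbx.example.pk are all constructed.

```python
"""Classify SIP traffic per source into the two attack groups described in
the report: probing (OPTIONS, or INVITE immediately followed by CANCEL)
and REGISTER floods. Added example with constructed messages; not code
from the TRIAM report."""
from collections import defaultdict

REQUEST_METHODS = {"REGISTER", "INVITE", "CANCEL", "OPTIONS", "ACK", "BYE"}


def parse_method(raw: str):
    """Return the method of a SIP request ('REGISTER', 'INVITE', ...), or
    None for responses (which start with 'SIP/2.0') and malformed input."""
    request_line = raw.split("\r\n", 1)[0].strip()
    parts = request_line.split()
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None
    return parts[0] if parts[0] in REQUEST_METHODS else None


def classify_sources(events, window_s=10, register_threshold=50, cancel_gap_s=2):
    """events: iterable of (epoch_seconds, src_ip, raw_sip_message).
    Returns {src_ip: set_of_labels}; sources with no label are omitted.
    Thresholds are assumed values, not figures from the report."""
    by_src = defaultdict(list)
    for ts, src, raw in events:
        method = parse_method(raw)
        if method:
            by_src[src].append((ts, method))

    labels = defaultdict(set)
    for src, msgs in by_src.items():
        msgs.sort()
        # Group 1a: OPTIONS probing.
        if any(m == "OPTIONS" for _, m in msgs):
            labels[src].add("options_probe")
        # Group 1b: INVITE followed almost immediately by CANCEL.
        for (t1, m1), (t2, m2) in zip(msgs, msgs[1:]):
            if m1 == "INVITE" and m2 == "CANCEL" and t2 - t1 <= cancel_gap_s:
                labels[src].add("invite_cancel_probe")
        # Group 2: REGISTER flood, detected with a sliding time window.
        regs = [t for t, m in msgs if m == "REGISTER"]
        lo = 0
        for hi in range(len(regs)):
            while regs[hi] - regs[lo] > window_s:
                lo += 1
            if hi - lo + 1 >= register_threshold:
                labels[src].add("register_flood")
                break
    return dict(labels)


def sip_request(method, host="pbx.example.pk", seq=1):
    """Build a minimal constructed SIP request (host name is invented)."""
    return (f"{method} sip:{host} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK{seq}\r\n"
            f"From: <sip:100@{host}>;tag=a{seq}\r\n"
            f"To: <sip:100@{host}>\r\n"
            f"CSeq: {seq} {method}\r\nContent-Length: 0\r\n\r\n")


def constructed_events():
    """Constructed traffic: one flooder, one OPTIONS scanner, one
    INVITE/CANCEL scanner and one legitimate phone."""
    ev = []
    # 60 REGISTERs in six seconds from one source: a flood.
    ev += [(1000 + i * 0.1, "198.51.100.7", sip_request("REGISTER", seq=i))
           for i in range(60)]
    # Three OPTIONS messages from a second source: PBX probing.
    ev += [(1000 + i, "203.0.113.9", sip_request("OPTIONS", seq=i))
           for i in range(3)]
    # INVITE then CANCEL half a second later from a third source.
    ev += [(1005.0, "192.0.2.4", sip_request("INVITE", seq=1)),
           (1005.5, "192.0.2.4", sip_request("CANCEL", seq=1))]
    # A real phone: four REGISTERs a minute, plus a response line (ignored).
    ev += [(1000 + i * 20, "10.0.0.50", sip_request("REGISTER", seq=i))
           for i in range(4)]
    ev.append((1001.0, "10.0.0.50", "SIP/2.0 200 OK\r\nContent-Length: 0\r\n\r\n"))
    return ev


if __name__ == "__main__":
    for src, tags in sorted(classify_sources(constructed_events()).items()):
        print(src, ", ".join(sorted(tags)))
```

On the constructed traffic the flooder, the OPTIONS scanner and the INVITE/CANCEL scanner each get exactly one label and the legitimate phone gets none. A sliding window rather than a fixed per-minute bucket is used so that a burst straddling a minute boundary is not missed; the 96% REGISTER share reported above suggests that, on a real sensor, the REGISTER branch will fire far more often than the other two.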
Web Attacks

As websites and web based applications are rapidly growing, so are the threats. Complex business applications are now being delivered over the web (HTTP), paving the way for attackers to exploit any kind of vulnerability.

The following section presents important data relevant to the web attacks faced by Pakistan cyberspace.

Top Few Countries With Most Web Attacks

The countries hosting the IP addresses performing the most attacks are shown in Figure 9:

Figure 9 - Countries with Web Based Attacks

Top Few IP Addresses - Most Web Attacks

Following is the list of IP addresses which were found to be launching the highest number of web attacks. It is recommended to block these IP addresses to secure your systems from such attacks.

IP Address         Attacks %   Country
66.74.17.157       21.25%      United States
176.99.122.190     17.70%      Ukraine
176.10.99.200      13.21%      Switzerland
212.83.167.175     10.45%      France
118.138.9.49       10.33%      Germany
176.10.99.201      9.12%       Switzerland
18.239.0.155       7.95%       United States
176.126.252.12     5.82%       Romania
69.197.148.26      2.18%       United States
109.163.234.4      1.99%       Romania
Table 12 - IP Addresses Conducting Web Based Attacks

Figure 10 - Web Based Attacks

Among the types of attacks that we observed, SQL injection was seen the most in Pakistan cyberspace.
Brute-Force Attacks

A brute-force attack is the simplest method of gaining access to an application or operating system by trying different credentials. In a brute-force attack, an attacker tries different combinations of usernames and passwords exhaustively, over and over again, until a login succeeds. The following section presents the data relevant to brute-force activities performed against the SSH protocol in Pakistan cyberspace.

The table below lists the usernames most attempted in Pakistan over SSH. The root username was tried the most. It is strongly recommended to avoid such usernames, or to use complex usernames and two-factor authentication.
Most Commonly Used Usernames

Username   Attempts
root       119497
ubnt       251
admin      113
guest      28
test       26
support    23
tester     14
testing    14
user       12
Table 13 - Most Usernames Used

The table below lists the most attempted passwords. The admin password was tried the most. It is strongly recommended to avoid these types of passwords.

Most Commonly Used Passwords

Password   Attempts
admin      88
root       82
123456     70
ubnt       67
password   62
1qaz2wsx   57
passw0rd   29
1q2w3e4r   29
!qaz@wsx   28
qwerty     25
abc123     25
Table 14 - Most Passwords Used

The table below lists the IP addresses, with their origin, that carried out the most SSH attacks in Pakistan cyberspace. It is strongly recommended to block these IP addresses at the gateway level.

Top Few IP Addresses Conducting SSH Attacks

IP Address        Attempts   Country
58.218.199.49     1538       China
61.160.213.190    1302       China
58.218.204.245    1241       China
58.218.213.254    1175       China
221.229.166.28    1157       China
117.21.174.111    1150       China
58.218.204.226    1149       China
221.229.166.27    1138       China
58.218.204.248    1087       China
58.218.199.195    1040       China
Table 15 - IP Addresses Conducting SSH Attacks
Below is the list of tools that were used to attempt access over SSH in Pakistan cyberspace.

Mostly Used Tools For SSH Based Attacks

Tool                                          Connections
SSH-2.0-PUTTY                                 40138
SSH-2.0-libssh2_1.4.3                         1962
SSH-2.0-libssh2_1.4.1                         620
SSH-2.0-JSCH-0.1.51                           90
SSH-2.0-libssh2_1.5.0                         72
SSH-2.0-PuTTY_Release_0.63                    34
SSH-2.0-Granados-1.0                          24
SSH-2.0-PuTTY_Local:_May_14_2009_21:12:18     20
SSH-2.0-libssh2_1.4.2                         12
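Tables 13 and 15 are the kind of tabulation a defender can produce from their own sshd logs, and the per-source count is what drives a gateway block list. The following Python script is an added example, not code from the TRIAM report or its sensors: it parses the two shapes of "Failed password" line that OpenSSH writes (known user, and "invalid user"), counts attempts per username and per source address, and lists the sources at or above a block threshold (5 failures, an assumed value). The log lines are constructed and use documentation-range addresses. Note that sshd does not log the password that was tried, so a table like Table 14 comes from a honeypot, not from production logs.

```python
"""Tabulate SSH brute-force activity from sshd authentication-log lines and
derive a block list, in the spirit of Tables 13 and 15.
Added example on constructed log lines; not code from the TRIAM report."""
import re
from collections import Counter

# OpenSSH logs a failed password attempt in one of these two shapes:
#   Failed password for root from 198.51.100.7 port 4321 ssh2
#   Failed password for invalid user admin from 198.51.100.7 port 4322 ssh2
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>(?:\d{1,3}\.){3}\d{1,3}) port \d+ ssh2"
)

# Constructed sample lines; addresses are documentation ranges, not the report's.
SAMPLE_AUTH_LOG = [
    "Apr 12 03:14:01 host sshd[2101]: Failed password for root from 198.51.100.7 port 4321 ssh2",
    "Apr 12 03:14:02 host sshd[2101]: Failed password for root from 198.51.100.7 port 4321 ssh2",
    "Apr 12 03:14:03 host sshd[2103]: Failed password for root from 198.51.100.7 port 4330 ssh2",
    "Apr 12 03:14:04 host sshd[2105]: Failed password for root from 198.51.100.7 port 4331 ssh2",
    "Apr 12 03:14:05 host sshd[2107]: Failed password for root from 198.51.100.7 port 4332 ssh2",
    "Apr 12 03:14:06 host sshd[2109]: Failed password for invalid user admin from 198.51.100.7 port 4333 ssh2",
    "Apr 12 03:20:11 host sshd[2201]: Failed password for invalid user ubnt from 203.0.113.9 port 50122 ssh2",
    "Apr 12 03:20:15 host sshd[2203]: Failed password for invalid user ubnt from 203.0.113.9 port 50123 ssh2",
    "Apr 12 03:21:40 host sshd[2300]: Accepted publickey for deploy from 10.0.0.5 port 39100 ssh2: ED25519 SHA256:constructed",
    "Apr 12 03:22:00 host sshd[2301]: Invalid user guest from 203.0.113.9 port 50130",
]


def parse_failed_logins(lines):
    """Return (username, source_ip) for every failed password attempt.
    Lines that are not failed password attempts are ignored."""
    attempts = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            attempts.append((m.group("user"), m.group("ip")))
    return attempts


def summarize(lines, block_threshold=5):
    """Count attempts per username and per source, and list the sources
    with at least block_threshold failures as a candidate block list.
    block_threshold is an assumed value; tune it to the site."""
    attempts = parse_failed_logins(lines)
    users = Counter(user for user, _ in attempts)
    sources = Counter(ip for _, ip in attempts)
    block = sorted(ip for ip, n in sources.items() if n >= block_threshold)
    return {
        "top_users": users.most_common(),
        "top_sources": sources.most_common(),
        "block": block,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_AUTH_LOG)
    print("Username   Attempts")
    for user, n in report["top_users"]:
        print(f"{user:10s} {n}")
    print("Source           Attempts")
    for ip, n in report["top_sources"]:
        print(f"{ip:16s} {n}")
    print("Block list:", ", ".join(report["block"]))
```

On the constructed log, root is the top username (as in Table 13), 198.51.100.7 is the top source with six failures and is the only address that reaches the block threshold, while the two ubnt attempts from 203.0.113.9 stay below it. Pointing the same functions at a real /var/log/auth.log tail gives a first-cut block list; pairing it with the recommendations above (no password logins for root, key or two-factor authentication) removes the incentive for the attempts in the first place.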
List of Figures
Figure 1 - Percentage of events by source countries
Figure 2 - Attacks Originating from IP Addresses Hosted in China
Figure 3 - Attacks Originating from IP Addresses Hosted in Romania
Figure 4 - Attacks Originating from IP Addresses Hosted in Brazil
Figure 5 - Country Based Connection Distribution
Figure 6 - Country Unique IP Distribution
Figure 7 - IP Based Connection Distribution
Figure 8 - IP Address Based Distribution
Figure 9 - Countries with Web Based Attacks
Figure 10 - Web Based Attacks

List of Tables
Table 1 - IP Address Based Connection Distribution
Table 2 - IP Address Based Distribution
Table 3 - IP Based Distribution – 10 Attacks
Table 4 - Top 10 Vulnerabilities
Table 5 - Top Malwares Detected
Table 6 - Detected Malware Hashes
Table 7 - CnC IP Addresses
Table 8 - CnC Domains
Table 9 - Attacked Protocols
Table 10 - SIP REGISTER Message
Table 11 - SIP – Malicious IP Addresses
Table 12 - IP Addresses Conducting Web Based Attacks
Table 13 - Most Usernames Used
Table 14 - Most Passwords Used
Table 15 - IP Addresses Doing SSH Attacks
About TRIAM

With almost a decade of experience, expertise and leadership in the information security market, Trillium Information Security Systems (Pvt) Ltd. has launched Pakistan's first and only focused Managed Security Service Provider brand – TRIAM.

TRIAM's portfolio of information security services is backed by the industry's leading minds. Our team has an accumulated experience of more than 150 years of delivering successful information security projects to leading enterprises from all industry verticals of Pakistan and the region. In addition to our industry experience, TRIAM researchers have published over 45 research papers, enabling TRIAM to explore, study and understand niche areas of the information security domain.

TRIAM is hence launched as one of the region's most skilled and experienced information security service providers, delivering services to customers that are backed by world leading threat intelligence.

TRIAM Service Portfolio

• Security Monitoring
  Stored Data Security Analytics
  Real-Time Data Security Analytics
• Digital Forensics & Incident Response Services
  Malware Analysis
  Digital Forensics & Investigation
  Incident Handling & Reporting
• Security Assessment Services
  Application Security Assessment
  Infrastructure Security Assessment
• Threat Intelligence Services
  Threat Feeds
  Botnet Tracking
About Contributors

This research has been conducted by Trillium Information Security Systems (TISS) in collaboration with the Applied Security Engineering Research Group at the COMSATS Institute of Information Technology.

We would like to thank the team members of the TRIAM Threat Intelligence Team and the TISS OPSEC Team for their attention and contribution to the publication of this report.

For More Information

To learn more about Trillium Information Security Systems and its brand TRIAM, please visit:
infosecurity.com.pk
triam.com.pk