The Blue Team is charged with defending an organization against an array of technical security threats.
The Blue Team Diaries allow the reader to ride along with the Blue Team at Syntatic, a Seattle-based cloud company, who are charged with keeping millions of customer records safe.
Based on the author's real-world experiences, the diaries tell fictionalised versions of responding to actual security incidents. A must-read for anyone interested in computer security or the incident response field.
Labs are fun. You go in planning to do task A, then realize a monitor isn't working, so you fix that, which requires sub-tasks A-F, and once you're done it's too late to go back and start task A.
At least the service is using the correct XML config now, and I built a custom MSI package that can distribute the install among all hosts 🤷 #Homelab #HIDS #BlueTeam
Normally I post something about a threat intel report but I have been reading the Microsoft Digital Defense Report for 2023 and there is just too much to post. That being said, I am going to share some of the numbers Microsoft presented and my thoughts on them. Let's start with ransomware:
📊 80-90% of all successful ransomware compromises originate from unmanaged devices.
📊 70% of organizations encountering human-operated ransomware had fewer than 500 employees.
📊 13% of human-operated ransomware attacks that moved into the ransom phase included some form of data exfiltration.
📈 Human-operated ransomware attacks are up more than 200%
Hey you! Yeah you. You want some promo codes to download some of the InfoSec Diaries Series Audiobooks (https://infosecdiaries.com) for free on Audible? Of course you do! - here you go! Go quick because these can only be used once:
We're running a half-off promo through January at Phobos Group for our RTG services (the 1hr and 2hr offerings)!
If you need an hour or two of consulting for red team or blue team related work, or could find a second set of eyes helpful in the short term, we're here to help!
#infosec #blueteam
I have a weird issue and I need some help. I am dealing with an adversary who is impersonating our brand, but has now hidden the impersonation behind a login page as a way to stop takedown efforts. In order to register, they don't want an e-mail, they want a phone number in their country code to which a verification text message is sent.
Is there an app or service like the google phone service that can let me send or receive text messages from a number in another country?
The Intel 471 team provides their findings on the #BumbleBee loader as it makes its comeback after a two-month break. It takes the place of the #BazarLoader (whose source code was leaked when the #Conti leak occurred). The BumbleBee loader has been associated with distributing ransomware and is currently being used by multiple threat actors. My favorite part of this article though (and not surprising) is all the MITRE ATT&CK mappings that give all the #ThreatHunters a place to start looking, so thank you for that, team! I hope you all enjoy and Happy Hunting!
The BlackBerry research team reports on a financially motivated threat actor that is targeting banks and cryptocurrency trading entities. The malware seen in these attacks is the #AllaKore RAT (remote access trojan), which contains a suite of capabilities, and the targets were organizations with large revenues.
Through the analysis, the team was able to identify some PowerShell scripts, the user-agent used by the malware, and the ability to capture input text and screen captures. You can find more technical analysis in this report that I haven't mentioned! Enjoy and Happy Hunting!
Fake job scams are through the roof at the moment, for obvious reasons.
Not only do they suck because they are generally a terrible way to scam people who are having an especially hard time, but they also place employees of the impersonated companies at risk.
The Blue Team Diaries story, Recruit, is a tale about the impact of such a scam, based on real-world events of course. You can find it on Kindle (Unlimited members download for free) and Audible. It's also part of the Blue Team Diaries paperback, which you can find at most places books are sold.
The NCC Group has created a series that I look forward to finishing, titled "Unveiling the Dark Side: A Deep Dive into Active Ransomware Families". The first installment covers the #BlackCat #ransomware (a.k.a. #ALPHV) and an incident they observed it was involved in, which included new services and new accounts being created, and data being staged and believed to be exfiltrated. If you like technical reports like I do, this is one you don't want to miss! Enjoy and Happy Hunting!
It’s that time of year again where I’m reminded that my book Digital Forensic Diaries is on a couple of college reading lists (which is both awesome and humbling). To this end, I’ve made the Kindle versions of the stories in the book free to download for the next few days, since everything is already expensive enough. You can grab them here: https://www.amazon.com/dp/B095J8K7SD?binding=kindle_edition&ref=dbs_dp_awt_sb_pc_tukn
We had a customer shift their assessment date out 2 months, so our March is available if there's anyone out there who needs assessment/architecture/engineering/red team/blue team work on short notice.
As planned (but a little later than I would have wanted) comes Part 2 of my posts related to the Palo Alto Networks Unit 42 article on #AgonizingSerpens. In my first installment, I covered the TTPs and behaviors of the APT that were presented by the team, and in this post I am going to cover the TTPs and behaviors observed from the first wiper they discussed, the #MultiLayerWiper. Enjoy and Happy Hunting!
What's the best way to follow #defcon from afar if you don't have a Twitter account? Who should I follow on the Fediverse? Are there great blogs? Perhaps livestreams on YouTube or Twitch?
Ending the mini-series that covers the Cisco Talos Intelligence Group's Year In Review report, we will be diving into the MITRE ATT&CK Technique T1068, Exploitation for Privilege Escalation. This technique falls under the Tactic of Privilege Escalation (TA0004) and has no sub-techniques. This technique can be seen when adversaries "exploit software vulnerabilities in an attempt to elevate privileges" (https://attack.mitre.org/techniques/T1068/) and has been used by groups like #ScatteredSpider and seen in the #Stuxnet malware.