Reminder. For #iinfosec cyber defenders, there’s only one thing you can find where you are required by law to notify the feds immediately, before even your employer.
I am extremely fortunate I’ve never run into it, but I know #blueteam and #dfir people who have.
Always be the good guys. And leave these bad guys to the professionals. The amateur ‘catch a predator’ people have fubar’ed cases by not following legal procedure. Don’t give the villains an out.
The Blue Team is charged with defending an organization against an array of technical security threats. The Blue Team Diaries allow the reader to ride along with the Blue Team at Syntatic, a Seattle-based cloud company, who are charged with keeping millions of customer records safe. Based on the author's real-world experiences, the diaries tell fictionalized versions of responding to actual security incidents.
🔒 Delve into the gripping tales of true cybersecurity challenges in the InfoSec Diaries – where real-world incidents, investigations, and penetrating test discoveries come to life.
📘 Discover these compelling stories, now available in Paperback, Kindle, and Audiobook formats.
MITRE just published the Sensor Mappings to ATT&CK Project (SMAP). SMAP builds on MITRE ATT&CK Data Sources by connecting the conceptual data source representations of information that can be collected to concrete logs, sensors, and other security capabilities that provide that type of data. #MITRE#ThreatIntel#BlueTeam
I am soon starting a new job doing #threathunting, and I feel way out of my comfort zone. They told me I did well on the technical interview, but I was just applying my incident response experience and freestyling it. I feel a bit like threat hunting is peak #blueteam, and it is a bit soon to peak after just a year and a half in the industry, so I have managed to give myself impostor syndrome anxiety. Oh well. If I managed to trick my way this far, I should keep going and see how far it takes me.
🚨 Get ready for an exciting episode of #SharedSecurity dropping this Monday! 👀 We're thrilled to have Luke Jennings, VP of R&D at Push Security, joining us to dive deep into the world of SaaS attacks! 🔒💼
🔥 Episode Preview Thread: 🔥
1/ 💡 Ever wondered how attackers can compromise an entire organization without even touching an endpoint or network? 😱 Luke will unveil the secrets behind these stealthy SaaS attacks! 🕵️♂️
2/ 📚 Luke's been working on cutting-edge SaaS attack research. We'll explore why SaaS-based attacks differ from traditional network attacks and what makes them a whole new ballgame in cybersecurity. 🔄🛡️
3/ 🌐 The SaaS Attack Matrix! 📈 This matrix serves as a game-changer for both red and blue teams in assessing and defending against SaaS threats. 🎯🤖
4/ 👥 Join us in discussing the importance of sharing and discussing this critical research within the cybersecurity community. Knowledge is power, and together, we can stay one step ahead of the adversaries! 💪🌐
Don't miss out! Tune in this Monday as we explore the fascinating world of SaaS attacks with Luke Jennings. 🎧🔒 Stay tuned for the full episode!
It’s that time of year again where I’m reminded that my book Digital Forensic Diaries is on a couple of college reading lists (which is both awesome and humbling). To this end, I’ve made the Kindle versions of the stories in the book free to download for the next few days, since everything is already expensive enough. You can grab them here: https://www.amazon.com/dp/B095J8K7SD?binding=kindle_edition&ref=dbs_dp_awt_sb_pc_tukn
The #APT known as #Kimsuky strikes again, this time targeting think tanks, academia, and media organizations with a social engineering. The goal? Stealing Google and subscription credentials of a news and analysis service that focuses on North Korea. Enjoy and Happy Hunting!
Link in the comments!
This one is a little different. In this article, SentinelLabs mentioned ReconShark being used. Can you provide me with any TTPs that are associated with that #malware?
As we continue down the "Year in Review" from Cisco Talos Intelligence Group we move to the MITRE ATT&CK Technique, which is second on their list of top 20 most common seen, T1078, Valid Accounts.
T1078 or Valid Accounts is used when "adversaries obtain and abuse credentials of existing accounts as a means of Initial Access, Persistence, Privilege Escalation, or Defense Evasion." Basically, the adversary is leveraging your own users against you! Of course, the more privileges the account has the better!
This technique also has 4 sub-techniques, which helps defenders get a little more specific with the technical details. These include the abuse of Default Accounts, Domain Accounts, Local Accounts, and Cloud accounts, all of which have their own little role to play in an adversaries attack!
We had a customer shift their assessment date out 2 months, so our march is available if there's anyone out there who needs assessment/architecture/engineering/redteam/bluteam work on short notice
Just because you are in the midst of a pen test // red team exercise doesn’t mean the malicious behavior belongs to the red team. Physical penetration attempts, phishes, and other means of entry are still being used by adversaries while testing is occurring. The real adversaries don’t care about your calendar. #infosec #blueteam
For anyone that ever wanted to get some threat hunting experience, feel free to join us on March 20th for our monthly workshop, this time we will be tackling the MITRE ATT&CK Tactic of Initial Access! Hope to see you there!
As LLM’s take over the world, a reminder that you can still buy hand crafted, small batch collections of words.
Stand out from the crowd this holiday season with a Mike Sheward InfoSec book - written the old fashioned way - by hand, and fueled by an undying rage that can only exsist in someone who uses JIRA.
Available wherever you buy books and also Walmart.
I am flattered that I have the opportunity to present my 2-day training "A Beginner's Guide To Threat Hunting: How to Shift Focus from IOCs to Behaviors and TTPs" again at Black Hat USA 2024 and that early bird registration is open and you have two opportunities to take the course!
Day 1 begins with a theory section where we discuss resources and models that can help aid our threat hunting from both an intel and communication perspective. We then move to a section that covers how to extract artifacts from an intel report and how to make those artifacts actionable. Then we create some hypotheses and test them against a set of data to see what we can find.
Day 2 will put all the theory and applications to the test where the students will break into teams, process another intel report, create hypotheses, and hunt again!
Last year was a lot of fun and we receive high ratings, so we hope you can join us again this year for the fun! I hope to see you there, but until then, Happy Hunting!
Introducing entropyscan-rs, a #RustLang entropy scanner for analyzing files and directories during incident response. Used carefully, this can quickly identify likely malware when not all stages of an attack have been discovered, such as during a web server compromise without adequate logging. Enjoy!
Ending the mini-series that covers the Cisco Talos Intelligence Group's Year In Review report, we will be diving into the MITRE ATT&CK Technique T1068, Exploitation for Privilege Escalation. This technique falls under the Tactic of Privilege Escalation (TA0004) and has no sub-techniques. This technique can be seen when adversaries "exploit software vulnerabilities in an attempt to elevate privileges" (https://attack.mitre.org/techniques/T1068/) and has been used by groups like #ScatteredSpider and seen in the #Stuxnet malware.
IN another example, the #REvil ransomware-as-a-service group used this technique when they targeted the Microsoft Windows Malware Protection Engine and abused it by side-loading a DLL that executed the ransomware. Of course, I can't leave you empty handed, so here is the Community Hunt Package that you can use to hunt for that activity!
The BlackBerry research team reports on a financially motivated threat actor that is targeting banks and cryptocurrency trading entities. The malware seen in these attacks is the #AllaKore RAT (remote access trojan) that contains a suite of capabilities and the targets were organizations that had a large revenue.
Through the analysis, the team was able to identify some PowerShell scripts, the user-agent used by the malware, and the ability to capture input text and screen captures. You can find more technical analysis in this report that I haven't mentioned! Enjoy and Happy Hunting!