Rats in the walls (and in your network)
Ever had an inspector tell you that you have rats in your walls? Granted, it's not likely to be something you'll want to widely admit, but it happens, no matter how clean, how affluent, or how prestigious you might be. All it takes is the confluence of the right factors. Just add kids, left over…
Petya 2017: Are we looking at ransomware or cyber attack?
By Monty St. John & Chris Rogers The attack began small, but rapidly got everyone’s attention. It didn’t take long in the first hours of Tuesday’s attack for it to become pretty clear that Ukraine was the epicenter of the strike. In fact, more than half of the reports of new “Petya” malware were located…
Wannacry – Can We Really Call It a New Thing?
Plenty has been said about WannaCry, including on this blog (post and post). At its heart, it's less ransomware than a worm: it exploits a Windows OS vulnerability and then turns to the network to infect even more computers. In fact, it was overwhelmingly successful, much more so as a worm than anything remotely as…
Building Targets with CRITs
In a previous post (located here) we chatted about CRITs and using targets. While this was in relation to phishing, it doesn't need to be. The Targets collection is really flexible, although I'll freely admit you'll need to massage it slightly. The original direction in CRITs development was to view a target as an individual…
CRITs – The Fulcrum for the Lever of Intel
As a services company, it’s probably no surprise that we help people. When companies need a hand or need to add in a capability that they previously didn’t have, we get a chance to get involved in some exciting situations. Sometimes exciting bad, like when an incident occurs, but just as often exciting good, when…
Phishing with CRITs
CRITs was introduced a bit earlier as a threat intelligence platform (TIP) worth your time to review, if not employ in your enterprise. Let me show a quick example why. Raise your hands – who has to deal with phishing? Okay. I couldn’t see who raised their hands, but given its ubiquity within everyone’s enterprise,…
Making CRITical Introductions
CRITical introduction: a play on words, to be sure. Collaborative Research in Threats, or CRITs for short, is a threat intelligence platform (TIP). It's the repository where you store threat data and those sometimes fragile connections that you make to link everything together. Don't just take my word for it; here's a fragment of the introduction straight from their…
Negative space and filling gaps in YARA
Using negative space and inverse matching is a lesser-seen but excellent technique to type and classify files. Here the point is not to look for what is there, but to look for what isn't there — when it should be. Besides being an excellent presentation technique, it's also a method borrowed from threat intelligence (TI). One…
A Short Wcry/Wannacry Update
I previously wrote a short note on WannaCry and indicated that I thought Patient Zero (those initial infections) was reached via phishing and email. I still very much believe that, though I'll admit I don't have the necessary smoking gun to display as evidence. I received a fair amount of cynical responses to this declaration,…
Slicing Logic across Rules with YARA
Continuing our series on YARA, in part 3 (see here for Part 2 and Part 1) let’s spend some time diversifying logic across multiple rules. It is fast and easy to put together a monolithic rule but that approach suffers when it comes time to extend, expand or combine the rule. Slicing logic across multiple…
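The two YARA posts above (negative space, and slicing logic across rules) are easiest to see side by side in one rule set. The rules below are an added example for this listing, not rules from the series itself: the private rules each carry one small piece of logic (file typing, presence of the DOS stub text, presence of a kernel32.dll reference), and the public rule composes them. The negative-space part is the `not` clauses: a file that types as a PE but lacks strings a normally compiled PE carries is flagged, because the interesting signal is what is missing. The particular strings and the 0x400 offset window are assumptions chosen for illustration, not thresholds taken from the posts.

```yara
// Added example, not from the original posts. The string choices and the
// 0x400 window are illustrative assumptions.

// Slice 1: file typing. MZ at offset 0 and "PE\0\0" at e_lfanew (offset 0x3C).
// uint32() on an out-of-range offset is undefined, which makes the whole
// condition false rather than raising an error.
private rule PE_File
{
    meta:
        description = "Typing: MZ header and PE signature at e_lfanew"
    condition:
        filesize > 0x40 and
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550
}

// Slice 2: the stub message the standard linker places in the DOS header area.
// Hand-built, packed or heavily stripped binaries frequently do not carry it.
private rule PE_Has_DOS_Stub_Text
{
    strings:
        $stub = "This program cannot be run in DOS mode" ascii
    condition:
        $stub in (0..0x400)
}

// Slice 3: almost every ordinary Windows executable names kernel32.dll in its
// import directory as plain ASCII. Packers and loaders that resolve imports
// at run time hide this.
private rule PE_Names_Kernel32
{
    strings:
        $k32 = "kernel32.dll" ascii nocase
    condition:
        $k32
}

// Composition: the public rule says nothing about bytes itself; it only
// combines the slices. The negative space is the pair of "not" clauses:
// a PE that is missing both expected artefacts is worth a closer look.
rule PE_Missing_Expected_Strings
{
    meta:
        description = "Negative space: PE lacking the DOS stub text and any kernel32.dll reference"
        author = "illustrative example"
    condition:
        PE_File and
        not PE_Has_DOS_Stub_Text and
        not PE_Names_Kernel32
}
```

Run it as `yara -r rules.yar <directory>`; only `PE_Missing_Expected_Strings` reports, since the private rules never produce output on their own. Because each slice is its own rule, a second public rule (say, one that wants a PE with the stub text but no kernel32.dll reference) reuses the same pieces instead of duplicating the header checks, which is the extend-and-combine benefit the third post describes.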