Samba Exploits on the Heels of SMB
If you’ve got the time (and I hope you do) take a second to review this advisory from Samba: https://www.samba.org/samba/security/CVE-2017-7494.html. It affects all versions of Samba from 3.5.0 onwards and patches a vulnerability to remote code execution – one that can be executed with a single line of code as long as a few…
Distributing Logic with YARA Rules
In Part I of the series, Building Blocks of Success with YARA, we introduced YARA and some of its capabilities. That introduction ended with a very short discussion on the distribution of logic across multiple rules and the use of constraints to ensure accuracy. Let’s expand on that. While in many cases its appropriate to…
Phishing. If it started with an “F” you’d love it
Phishing. If it started with an ‘F’, you’d love it. Phishing, as they say, happens. Teaching people how to recognize phishing and avoid it is an entire industry. Anyway, the same goes for understanding how to pull information from the phishing you receive so you can build intelligence. Instead of telling you about it, though,…
Of Threat Intelligence and Realtors
It struck me the other day while talking to a friend about their journey to purchase a house on how alike threat intel analysts are to realtors. Ultimately, people come to both for the same or nearly the same reasons. Consider for a moment, the competencies you want to see in a realtor. You would want them to have an in-depth understanding of the area of your interest. After all, a realtor without background in the area can’t really guide you to a well-formed decision. The same, of course, goes for experience. A new realtor has energy and will but rarely have the practical skills that allow them to sidestep issues, work efficiently and answer the questions that can break a deal.
Intelligence Driven Incident Response Means Tracking Intelligence
Incident response (IR), by definition, happens after an incident occurs. By simple extension it is also fair to say the IR Team shows up on site (or convenes if it is an internal response) behind the power curve. The event that precipitates the incident response is the catalyst and in the first few hours (or longer) that may be all that is known until boots hit the ground and more investigative activity happens.
Thinking about WannaCry or WCRY ransomware
A lot of discussion is currently ongoing about the WannaCry or WCRY ransomware. I’ll do my best to not retread that information. There’s plenty of sources for hashes, onion domains, and various other atomic indicators to go around for everyone. Just do a rapid raw search in your favorite search engine or haunt twitter and…
Building Blocks of Success with YARA
I like YARA. In fact, I think it is one of the more flexible and powerful tools in an incident responder’s toolkit. Same for threat intelligence, analysts and folks in digital forensics. A chief aspect of this fabulous program is its open source and integration into dozens of tools that are likely already in your…