Phishing. If it started with an “F” you’d love it

Phishing. If it started with an ‘F’, you’d love it. Phishing, as they say, happens. Teaching people how to recognize and avoid phishing is an entire industry. The same goes for understanding how to pull information from the phishing you receive so you can build intelligence. Instead of telling you about it, though,…

[Image: threat intel and realtors]

Of Threat Intelligence and Realtors

It struck me the other day, while talking to a friend about their journey to purchase a house, how alike threat intel analysts are to realtors. Ultimately, people come to both for the same or nearly the same reasons. Consider for a moment the competencies you want to see in a realtor. You would want them to have an in-depth understanding of the area you are interested in. After all, a realtor without background in the area can’t really guide you to a well-formed decision. The same, of course, goes for experience. A new realtor has energy and will but rarely has the practical skills that allow them to sidestep issues, work efficiently, and answer the questions that can break a deal.


Intelligence Driven Incident Response Means Tracking Intelligence

Incident response (IR), by definition, happens after an incident occurs. By simple extension, it is also fair to say the IR team shows up on site (or convenes, if it is an internal response) behind the power curve. The event that precipitated the response is the catalyst, and in the first few hours (or longer) that event may be all that is known until boots hit the ground and more investigative activity happens.

[Image: worldwide infection map of WannaCry]

Thinking about WannaCry or WCRY ransomware

A lot of discussion is currently ongoing about the WannaCry or WCRY ransomware. I’ll do my best not to retread that information. There are plenty of sources for hashes, onion domains, and various other atomic indicators to go around for everyone. Just do a quick search in your favorite search engine or haunt Twitter and…


Building Blocks of Success with YARA

I like YARA. In fact, I think it is one of the more flexible and powerful tools in an incident responder’s toolkit. The same goes for threat intelligence analysts and folks in digital forensics. A chief aspect of this fabulous program is that it is open source and integrates into dozens of tools that are likely already in your…
