Wannacry – Can We Really Call It a New Thing?
Plenty out there spoken about Wanna Cry, including on this blog (post and post). At its heart, it’s less ransomware than a worm exploiting a Windows OS vulnerability that looks to the network to infect even more computers. In fact, it was overwhelmingly successful, much more so as a worm than anything remotely as…
Building Targets with CRITs
In a previous post (located here) we chatted about CRITs and using targets. While this was in relation to phishing, it doesn’t need to be. The Targets collection is really flexible, although I’ll freely admit you’ll need to massage it slightly. The original direction in CRITs development was to view a target an an individual…
CRITs – The Fulcrum for the Lever of Intel
As a services company, it’s probably no surprise that we help people. When companies need a hand or need to add in a capability that they previously didn’t have, we get a chance to get involved in some exciting situations. Sometimes exciting bad, like when an incident occurs, but just as often exciting good, when…
Phishing with CRITs
CRITs was introduced a bit earlier as a threat intelligence platform (TIP) worth your time to review, if not employ in your enterprise. Let me show a quick example why. Raise your hands – who has to deal with phishing? Okay. I couldn’t see who raised their hands, but given its ubiquity within everyone’s enterprise,…
Making CRITical Introductions
CRITical introduction–A play on words, to be sure. Collaborative Research in Threats, or CRITs for short, is a threat intelligence platform (TIP). It’s the repository where you store threat data and those sometimes fragile connections that you make to link everything together. Don’t just take my word for it–here’s a fragment of the introduction straight from their…
Negative space and filling gaps in YARA
Using negative space and inverse matching is a lesser-seen but excellent technique to type and classify files. Here the point is not to look for what is there, but to look for what isn’t there — when it should be. Besides an excellent presentation technique it’s also a method borrowed from threat intelligence (TI). One…
A Short Wcry/Wannacry Update
I previously wrote a short note on wannacry and indicated that I thought Patient Zero (those initial infections) were done via phishing and email. I still very much believe that, though I’ll admit I don’t have the necessary smoking gun to display as evidence. I received a fair amount of cynical responses to this declaration,…
Slicing Logic across Rules with YARA
Continuing our series on YARA, in part 3 (see here for Part 2 and Part 1) let’s spend some time diversifying logic across multiple rules. It is fast and easy to put together a monolithic rule but that approach suffers when it comes time to extend, expand or combine the rule. Slicing logic across multiple…
Samba Exploits on the Heels of SMB
If you’ve got the time (and I hope you do) take a second to review this advisory from Samba: https://www.samba.org/samba/security/CVE-2017-7494.html. It affects all versions of Samba from 3.5.0 onwards and patches a vulnerability to remote code execution – one that can be executed with a single line of code as long as a few simple…
Distributing Logic with YARA Rules
In Part I of the series, Building Blocks of Success with YARA, we introduced YARA and some of its capabilities. That introduction ended with a very short discussion on the distribution of logic across multiple rules and the use of constraints to ensure accuracy. Let’s expand on that. While in many cases its appropriate to…
Contact CyberDefenses today to learn how we can help your company’s cybersecurity needs.