Don't second guess. Go with experience.




Making CRITical Introductions

CRITical introduction–A play on words, to be sure.  Collaborative Research in Threats, or CRITs for short, is a threat intelligence platform (TIP).  It’s the repository where you store threat data and those sometimes fragile connections that you make to link everything together.  Don’t just take my word for it–here’s a fragment of  the introduction straight from their…

Read More

Negative space and filling gaps in YARA

Using negative space and inverse matching is a lesser-seen but excellent technique to type and classify files. Here the point is not to look for what is there, but to look for what isn’t there — when it should be. Besides an excellent presentation technique it’s also a method borrowed from threat intelligence (TI). One…

Read More

A Short Wcry/Wannacry Update

I previously wrote a short note on wannacry and indicated that I thought Patient Zero (those initial infections) were done via phishing and email. I still very much believe that, though I’ll admit I don’t have the necessary smoking gun to display as evidence. I received a fair amount of cynical responses to this declaration,…

Read More

Slicing Logic across Rules with YARA

Continuing our series on YARA, in part 3 (see here for Part 2 and Part 1) let’s spend some time diversifying logic across multiple rules. It is fast and easy to put together a monolithic rule but that approach suffers when it comes time to extend, expand or combine the rule. Slicing logic across multiple…

Read More

Samba Exploits on the Heels of SMB

If you’ve got the time (and I hope you do) take a second to review this advisory from Samba: It affects all versions of Samba from 3.5.0 onwards and patches a vulnerability to remote code execution – one that can be executed with a single line of code as long as a few simple…

Read More

Distributing Logic with YARA Rules

In Part I of the series, Building Blocks of Success with YARA, we introduced YARA and some of its capabilities. That introduction ended with a very short discussion on the distribution of logic across multiple rules and the use of constraints to ensure accuracy. Let’s expand on that. While in many cases its appropriate to…

Read More

Phishing. If it started with an “F” you’d love it

Phishing. If it started with an ‘F’, you’d love it. Phishing, as they say, happens. Teaching people how to recognize phishing and avoid it is an entire industry.  Anyway, the same goes for understanding how to pull information from the phishing you receive so you can build intelligence. Instead of telling you about it, though,…

Read More
threat intel and realtors

Of Threat Intelligence and Realtors

It struck me the other day while talking to a friend about their journey to purchase a house on how alike threat intel analysts are to realtors. Ultimately, people come to both for the same or nearly the same reasons. Consider for a moment, the competencies you want to see in a realtor. You would...

Read More

Intelligence Driven Incident Response Means Tracking Intelligence

Incident response (IR), by definition, happens after an incident occurs. By simple extension it is also fair to say the IR Team shows up on site (or convenes if it is an internal response) behind the power curve. The event that precipitates the incident response is the catalyst and in the first few hours (or...

Read More
worldwide infection map of Wannacry

Thinking about WannaCry or WCRY ransomware

A lot of discussion is currently ongoing about the WannaCry or WCRY ransomware.  I’ll do my best to not retread that information.  There’s plenty of sources for hashes, onion domains, and various other atomic indicators to go around for everyone.  Just do a rapid raw search in your favorite search engine or haunt twitter and…

Read More

Contact CyberDefenses today to learn how we can help your company’s cybersecurity needs.