
Presentation on APT groups in Manchester NH

If anyone is in the NH area tonight (9/19/13) I am giving a presentation on 3 active APT groups at the ISSA meeting in Manchester. ISSA membership is not required but non-members will be handed a membership application at some point :) Follow the link for details and to register. http://issanhseptember2013-es2.eventbrite.com


Bit9 hacked and keys used to sign malware

Brian Krebs reported today that security firm Bit9 has suffered a breach. Apparently the bad guys got access to Bit9’s code signing certificates. This is bad for many reasons. I’m guessing that this code signing certificate is signed by a trusted CA. This would mean that malware signed with it would “appear” legitimate. What’s worse is that according to reports the Bit9 software will automatically trust anything signed by the Bit9 certificate.

Ruh Roh Shaggy.  This should make the RSA Conference experience very interesting for Bit9.

–Chris


Help Desk as a Cyber Threat Intel source

For many organizations there is a good source of cyber intelligence right under their nose. Few have tapped into this resource. It’s your help desk / support desk / client services or whatever you call it. This is the place where users call when they are having computer issues. As it happens, sometimes cyber attacks manifest themselves in just such a fashion.

Many client-side attacks that are part of cyber threat actor arsenals can cause issues in the client system: IE crashes when a certain site is visited, the PDF opens but is blank, the Word document also opens a command window, etc. Fortunately for us cyber sleuths, many times the user will call the help desk and report the issue. Hopefully your help desk has a ticketing system (like Remedy or Peregrine) that you can search in.

Once a week I go into our help desk ticketing system and search for the following:

IE / Internet Explorer
Browser
Adobe
PDF
Flash
Office document
Word, PowerPoint, Excel
Other terms depending on current activities

Honestly I do not find things every week but I feel it is well worth the 30 minutes a week I spend.
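The weekly search above can be scripted against a ticket export. This is an added example, not code from the original post; the CSV column names (id, opened, summary, description), the sample tickets and the extra_terms parameter are assumptions made for illustration.

```python
import csv
import io
import re
from datetime import date, timedelta

# Search terms taken from the list in the post.
TERMS = ["IE", "Internet Explorer", "Browser", "Adobe", "PDF", "Flash",
         "Office document", "Word", "PowerPoint", "Excel"]

# Constructed sample export; a real ticketing system will use other columns.
SAMPLE = """id,opened,summary,description
T-1001,2013-09-16,IE crashes,Internet Explorer closes when I visit a vendor site
T-1002,2013-09-17,Password reset,Client tried three times and is locked out
T-1003,2013-09-18,Blank attachment,The PDF opens but is blank
T-1004,2013-09-02,Flash update prompt,Old ticket outside the window
T-1005,2013-09-18,Odd invoice,word document also opens a command window
"""

def build_pattern(terms):
    # Whole-word, case-insensitive match: "IE" must not hit "client" or
    # "tried", and "Word" must not hit "Password".
    alts = sorted(terms, key=len, reverse=True)
    body = "|".join(re.escape(t) for t in alts)
    return re.compile(r"\b(?:" + body + r")\b", re.IGNORECASE)

def weekly_hits(csv_text, today, days=7, extra_terms=()):
    """Return (ticket id, matched terms) for tickets opened in the last `days`."""
    terms = TERMS + list(extra_terms)  # "other terms depending on current activities"
    canon = {t.lower(): t for t in terms}
    pattern = build_pattern(terms)
    cutoff = today - timedelta(days=days)
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        opened = date.fromisoformat(row["opened"])
        if not (cutoff < opened <= today):
            continue
        text = f'{row["summary"]} {row["description"]}'
        found = sorted({canon[m.group(0).lower()] for m in pattern.finditer(text)})
        if found:
            hits.append((row["id"], found))
    return hits

if __name__ == "__main__":
    for ticket_id, found in weekly_hits(SAMPLE, date(2013, 9, 19)):
        print(ticket_id, ", ".join(found))
```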


Cyber Intelligence Challenges

I was on a discussion panel today at the Annual Advanced Cyber Security Center Conference. The discussion topic was Threat Sharing. We spent a good amount of time discussing challenges when wanting to share threat data, including Indicators of Compromise, outside of your organization. It was a great discussion and worthy of a blog post, which I will do soon. In this post I want to talk about a side of threat sharing that isn’t covered often: the ability of an organization to consume threat intelligence data.

The discussion today made me realize that in addition to challenges in sharing threat data there are also challenges in receiving that data. I’ve recently had the opportunity to talk to Incident Response and advanced threat / intelligence teams for several very large organizations. What stuck out was the variance in maturity levels within these organizations’ security programs. The more advanced ones had a cyber threat intelligence function and someone(s) focusing on advanced threats (i.e. APT…there I said it :). It is these functions that are almost a necessity to process threat data and IoCs from other sources. The challenge is that these functions are still not that common in organizations. Why? Well, it’s hard to show ROI for these functions.

These functions are almost considered a luxury in many organizations. My team and I get paid to “hunt” more or less. Our ammunition is IoCs and threat actor TTPs. If we find something today but don’t find anything else for a week, does that mean there was nothing to find or we did a poor job looking? That’s a question that is almost unanswerable. It’s a leap of faith or an investment that organizations make to support those functions. These are the very functions that are an integral part of processing threat data, and without them an intelligence-driven security model is very tough to get off the ground and support.

So before you run out and sign up with threat intel providers, private mailing lists and other sources of threat data and IoCs ask yourself a question. If someone gave me the file hash of a specific Trojan, could I actually do anything useful with it? The same would apply to other IoCs like HTTP user agent strings or email MTAs. If the answer is no, what then?

I was asked during the panel why some of the IR teams I met with had cyber intel / advanced threat capabilities and others did not. I can say that there was a direct correlation between an organization’s maturity level in the IR department and whether or not they have had a major breach. The ones who have been breached realize these functions are not a luxury but an absolute necessity to combat the current cyber threats we are all facing.
