Connecting the Dots in a Malicious Campaign with Graph Analysis

Many times, members of incident response teams get hints from different sources on malicious activity occurring in their environment. The so-called indicators of compromise (IOCs) include the IP address or the domain name of a compromised web site, a user-agent string used by a known threat actor or a URL format commonly used in a…

Detecting and Investigating Webshells – Another Reason for Deepening Your Security Visibility

What would you call a piece of code or a script that runs on a server and enables remote server administration? If you answered – “Webshell” – you would be correct. While often used for legitimate administrative purposes, it is also a favored technology used by attackers for illegitimate purposes. Attackers often infiltrate externally accessible…

Catching Phish with a Spear: Familiarity Breeds Contempt

Every week, or even every day, we all see emails from our banks, credit card issuers, or insurance companies, where we are asked to urgently click on a link due to a compromised account or to download an important notice. Even worse, we all have friends or relatives who have sent a cool video or…

Introducing RSA Archer GRC 6 to Our Federal Community

Through the years, as federal information assurance professionals, we’ve seen a lot of adjustments and evolution. We had an arms race in buying newer and better firewalls, more secure networking devices, IDSs, IPSs, and SIEM tools. We bought generations of scanners and sensors. We watched several iterations of C&A and A&A methodologies come and go.…

Browser Locked? Call This Number.

A new form of browser locker has recently surfaced. Browser lockers are websites or pop-ups that redirect the browser to a website that locks up the browser. The user is prevented from continuing any normal operation, including closing the offending browser window, opening a new page, or closing the application itself. This new browser locker calls itself…

E3 – Hordes at the Gate – The Call of the Siren

“Don’t you think you are being a bit paranoid?” Greg asked Marty as the two exited the cafeteria. “I mean, the DDoS attack was pretty severe. I think whoever was behind it accomplished their goal. Look at all the time and expense it took to control it. Not to mention the downtime, the annoyed customers,…

Peering into GlassRAT

Today RSA is reporting GlassRAT, a previously undetectable Remote Access Tool (RAT) which was discovered by the RSA Incident Response Team and investigated by RSA Research during an engagement with a multi-national enterprise. While the malware was not detectable by endpoint antivirus products, RSA Security Analytics was able to identify and alert on its network…

Help Wanted: Growing the Pipeline of Cyber Talent

In my last blog post, I started a discussion on my experience at the National Institute for Cyber Education (NICE) Conference 2015. Here, I’ll give you actions and key ideas on how we can make a difference and develop the next generation of cyber professionals. We need more industry representation on this issue of…

David vs. Goliath

Yes. Yes. You are very good at what you do (even the best!). You have skills, techniques, speed and strength. But is that enough? Just being the best at what you do doesn’t mean you will win against any opponent. Have you ever thought what will happen to a boxer entering the Octagon with an MMA fighter? If…

The Innovator’s Dilemma in Cybersecurity

Our final keynote at RSA Conference Abu Dhabi 2015 was given by Richard Clarke, always an interesting and challenging speaker. As I listened to his discussion of responding to cyber threats, however, I was struck by his strong emphasis on preventative measures and the relatively little discussion of the essential role of ongoing visibility and…