A Security Multitasker

A number of years ago, I decided that I wanted to learn to do something artistic. My solution was to teach myself how to cook. Many hours, good meals, bad meals and a kitchen full of tools later, I'm a pretty decent cook and can whip something up pretty easily. Part of my "culinary education"…

What You Need to Know About Heartbleed

The world has been talking about a new security buzzword, and that buzzword is "Heartbleed". What is Heartbleed? Heartbleed is the nickname given to the vulnerability known as CVE-2014-0160, a flaw in the TLS/DTLS heartbeat extension implementation in certain versions of OpenSSL. In plain English, this vulnerability allows an attacker to use a…

Mandiant Malware? Not Exactly.

By Alex Cox, Senior Researcher, RSA FirstWatch team
The RSA FirstWatch team uses a number of techniques to detect emergent threats and trends. Much of the output of the analysis process becomes input for the RSA FirstWatch Feeds and new rules to detect botnet variants, malicious user-agent strings, and suspicious queries that would be strong…

Don’t Fear the Hangover – Network Detection of Hangover Malware Samples

By Alex Cox, Senior Researcher, RSA FirstWatch team
Today, Norman and Shadowserver released a paper that revealed a large attack infrastructure, detailing an ongoing campaign running as far back as September 2010. This campaign, reportedly run out of India, used spear-phishing attacks and multiple strains of malware to breach targets of interest…

“What’s your question?” – Next Generation Analysis in the Compromise Landscape

By Alex Cox, Sr. Researcher, RSA FirstWatch team
The FirstWatch team recently held its team planning meeting, where we discussed plans for the year, current events and experiences. One of my teammates and fellow analysts, Pat Belcher, raised an interesting point with regard to security analysis, consulting and understanding your environment. Threat analysts, as a…

Stalking the Kill Chain: Tying it All Together

By Alex Cox, Sr. Researcher, RSA FirstWatch team
The Single Event Mentality
Historically, security technologies tend to be focused on a single place, or at most two places, on the kill chain, but lack the entire context behind an event that a complete analysis system imparts. When using the phrase "stalking the kill chain", we…

Stalking the Kill Chain: The Attacker’s Chain

By Alex Cox, Sr. Researcher, RSA
In 2009, incident responder Mike Cloppert of the Lockheed Martin CERT published a series of articles that discussed security intelligence and leveraging indicators. In this series, he introduced a concept known as the "attacker kill chain". This concept breaks attacker methodology into a series of sequential stages. Each stage…

Stalking the Kill Chain: Position Before Submission

By Alex Cox, Sr. Researcher, RSA Advanced Threat Intelligence Research Group
In Brazilian Jiu Jitsu (BJJ), a modern martial art focused on ground fighting, a common theme among practitioners is the concept of "position before submission". In other words, the fighter seeks to establish physical and positional dominance before ending the fight with an attack…

Stalking the Kill Chain: Tired of Being Hunted?

By Alex Cox, Senior Researcher, RSA FirstWatch
Shady Rat, Aurora, Poison Ivy, ZeuS, SpyEye, Ice IX, Stuxnet and Flame. This strange combination of terms may have no immediate relation to the layman, but for those involved in computer security and incident response, they speak of events that have sparked press coverage, executive interest and…