The underground economy is a complex world with criminal organizations that specialize in each element of making it run. While money mules may be only a portion of this economy, they are crucial to its success. Without mules, cybercriminals have no safe way to move money and product. There are two basic types of mules when it comes to cybercrime: money mules, which help to move money, and reshipping mules, which help to move stolen goods. Mule recruiters, another portion of this economy, specialize in finding individuals or small businesses that will help them move funds or product. In most cases, these mules are unwitting accomplices to the crime.
Threat analysts, as a general rule, are often concerned with the minutiae of the day-to-day threat landscape. Who was hacked this week? Do we have malware involved for this incident? Do we have indicators for the incident? What about exploits? Do we need patches? This is all key information related to properly defending a network, but often, taking a step back and looking at the environment holistically PRIOR to the incident helps to understand where the gaps may be.
We, the RSA FirstWatch team, are always at the forefront of solving the latest malware problems; one of those is malware encryption. Malware encryption is not new. It has been around since the DOS days, but has simply evolved to defeat the antivirus solutions designed to beat it. In this multi-part blog, I will discuss how malware encryption has evolved from the simple application of an encryption/decryption engine to the more complicated metamorphic engine.
Historically, security technologies tend to be focused on a single place, or at most two places, on the kill chain, and so lack the full context behind an event that a complete analysis system provides. When using the phrase “stalking the kill chain”, we are focusing on the ability to use a structured approach to watching the network with the goal of identifying kill chain events in progress, across the entire kill chain.
By Will Gragido, Senior Manager, RSA FirstWatch Team

On July 21, 2012 the RSA FirstWatch team blogged about a new campaign we had identified and discovered, a campaign that we believed met the criteria for advanced persistent threats (APT) and subversive multi-vector threats (SMT). We conducted intensive, in-depth reconnaissance that saw us collect [...]
Recently, there has been some media noise generated by new malware reportedly attacking targets in the Middle East such as Saudi Aramco. But what exactly does this attack look like once the malware has compromised the system? Check out our visual examples of Shamoon, including a video showing its destructive payload in action.
By Alex Cox, Sr. Researcher, RSA
In 2009, incident responder Mike Cloppert of the Lockheed Martin CERT published a series of articles that discussed security intelligence and leveraging indicators. In this series, he introduced a concept known as the “attacker kill chain”.
In Brazilian Jiu Jitsu (BJJ), a modern martial art focused on ground fighting, a common theme among practitioners is the concept of “position before submission”. In other words, the fighter seeks to establish physical and positional dominance before ending the fight with an attack that results in submission. Embracing this concept increases the fighter's chances of winning the confrontation by ensuring he is in control of the situation before attempting a fight-ending attack. BJJ’s philosophical approach has direct relevance to cyber security, as the same approach can be taken to establish a more proactive defense based on threat intelligence and network-wide visibility.
Shady RAT, Aurora, Poison Ivy, ZeuS, SpyEye, Ice IX, Stuxnet and Flame. This strange combination of terms may mean nothing to the layman, but for those involved in computer security and incident response, they speak of events that have sparked press coverage, executive interest and late nights.