Technical

An APT Case Study

The RSA IR team deals with APT actors on a daily basis on networks of various sizes. Regardless of the size of the network, or the number of advanced actors we find in them, one thing is paramount to both us and our customers during investigations: the ability to quickly scope severity of the intrusion. …

Wolves Among Us: Abusing Trusted Providers for Malware Operations

Within the past year the RSA Incident Response (IR) team has worked multiple APT engagements where they’ve identified the adversary’s malware using a unique method of determining its Command and Control (C2) server. By leveraging trusted content providers, such as popular shopping sites and discussion forums, adversaries can perform operations within a network in plain…

Attacking a POS Supply Chain: Part 1

Among FirstWatch’s regular threat-seeking tasks is hunting for incidents of specific targeting. Recently, we came across an email exploit attempt aimed at a European Point of Sale (POS) vendor. In this post we will show links to a recently publicized PoS malware campaign, and describe possible threat motivations behind this or other POS vendor…

RSAC 2015: Memory Forensics for IR – Leveraging Volatility to Hunt Advanced Actors

Memory forensics is a critical evidentiary goldmine that helps paint the picture of triage – a host is paramount; timing is everything. While it is well known that memory holds critical volatile information such as network connections, malware-based artifacts and other non-paged data, it also holds many of the same artifacts that were previously known to…

Teaching Analysts to Fish; How to Become Better at Detection and Response – RSAC 2015

Daily the media replays stories of yet another company that is the victim of an intrusion or breach. With all this attention, and sometimes hyperbole, are we as practitioners improving at detecting malicious activity inside our networks? Regardless of the size of your company and its vertical or horizontal markets, your network may become the…

Zeus Toolkit infected with a Ramnit Worm

RSA Research monitors and analyzes the malicious activity of online cybercrime infrastructures on an ongoing basis. In a recent discovery, the lab’s researchers studied the workings of a customized Zeus Trojan Admin panel, which had apparently picked up a Ramnit worm that infects any machine that installs the Zeus Panther Admin panel. A History Lesson…