Technical

From the Archives: Automation of Fraud – The Voxis Platform

In recent months, RSA FirstWatch has identified a growing demand among cybercriminals, in their online communities and black markets, for tools to automate fraud-related operations. Voxis is a fraudulent platform used by criminals to monetize stolen credit card credentials and increase their illicit revenues by automating fake transactions through multiple payment gateways. The FirstWatch…

The Targeted Forensics Series: Examination of Command Line RAR and 7-ZIP Prefetch Files (Part 1)

As an Advisory Consultant for RSA’s Advanced Cyber Defense practice, one of my objectives is to show our clients how to focus on incident investigation and not just resolution. This is a holistic approach made of many components; one that I always recommend is performing live response/targeted forensics. This series is focused on establishing…

Terracotta VPN: Enabler of Advanced Threat Anonymity

Today, RSA Research published an in-depth report on a commercial VPN network, originating in China, which we are calling “Terracotta”. It is being used as a launch platform for APT actors including the now well-known Shell_Crew / Deep Panda group (which RSA exposed in a January 2014 report, http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf). Terracotta’s network of 1500+ VPN…

CARIS Workshop Summary and Reflection

The Internet Architecture Board (IAB) and the Internet Society (ISOC) hosted a day-long Coordinating Attack Response at Internet Scale (CARIS) workshop which took place last Friday in coordination with the Forum for Incident Response and Security Teams (FIRST) Conference in Berlin. The workshop included members of the FIRST community, attack response working group representatives (APWG,…

CVSS Scoring: Why your Smart Refrigerator does not need to be Patched (Yesterday)

Is a CVSS score of 10 really a 10 in your environment? Vulnerability Risk Management is a work in progress for most organizations. Having dealt with many customers in this space, we have seen it all – the mature folks who utilize asset management to define ownership to multiple remediation teams – all the way…

An APT Case Study

The RSA IR team deals with APT actors on a daily basis on networks of various sizes. Regardless of the size of the network, or the number of advanced actors we find in them, one thing is paramount to both us and our customers during investigations: the ability to quickly scope severity of the intrusion. …