APT

Does DDoS Takedowns Really Change Extortion Rules of Engagement?

The proliferation of account takeovers, DDoS attacks,  ransomware and outright cyber extortion targeting individuals and institutions is not only disrupting the hack attack landscape, but also raising questions around our rules of engagement. How are we supposed to deal with all of this knowing the bad guys aren’t playing by the same rules that we…

E5 – The Flies and the Hornet – Insect Bites

A cool breeze whisked through the window causing the scrolls on the Wizard’s desk to rattle and tremor.  The wise man shifted a large scroll to weigh down some loose papers.  He reallocated a heavy paper weight to secure some more papers.  The weather had turned cold but the Wizard enjoyed the brisk air flowing…

E5 – The Flies and the Hornet – Holes in the Screen Door

The Hunter sat in the shadows cast by the immense castle tower. Beneath his right hand purred his intrepid companion, The Cat. Together they languished in the relatively coolness of the shade waiting patiently. Their position gave them an excellent view of the gate leading into the inner realm of the castle. Staring across the…

Reconnaissance: A Walkthrough of the “APT” Intelligence Gathering Process

Rotem Kerner of RSA Research has penned a short paper, Reconnaissance: A Walkthrough of the “APT” Intelligence Gathering Process.   It is first in a series that we will publish the follows The Cyber Kill Chain[i]. The Cyber Kill Chain model was developed by Lockheed Martin’s Computer Incident Response Team earlier in the decade.   It breaks…

The Targeted Forensics Series: Examination of Command Line RAR and 7-ZIP Prefetch Files (Part 2)

As an Advisory Consultant for RSA’s Advanced Cyber Defense practice, one of my objectives is show our clients how to focus on incident investigation and not just resolution. This is a holistic solution, made of many components, one of which I always recommend, is performing live response/targeted forensics. This series is focused on establishing procedures…

Hunting Webshells with ECAT

 INTRODUCTION The term webshell is commonly used to describe a web-based application which provides remote access/command execution capability to the web servers where they are installed. These are normally small files that execute user (i.e. attacker) commands and provide the result back via a web page to that same user (i.e. attacker). These webshells normally use…

The Targeted Forensics Series: Examination of Command Line RAR and 7-ZIP Prefetch Files (Part 1)

As an Advisory Consultant for RSA’s Advanced Cyber Defense practice, one of my objectives is to show our clients how to focus on incident investigation and not just resolution. This is a holistic approach, made of many components, one of which I always recommend, is performing live response/targeted forensics. This series is focused on establishing…

An APT Case Study

The RSA IR team deals with APT actors on a daily basis on networks of various sizes. Regardless of the size of the network, or the number of advanced actors we find in them, one thing is paramount to both us and our customers during investigations: the ability to quickly scope severity of the intrusion. …

Wolves Among Us: Abusing Trusted Providers for Malware Operations

Within the past year the RSA Incident Response (IR) team has worked multiple APT engagements where they’ve identified the adversary’s malware using a unique method of determining its Command and Control (C2) server. By leveraging trusted content providers, such as popular shopping sites and discussion forums, adversaries can perform operations within a network in plain…

We’re not gonna take it!

After listening to the White House Summit on Cybersecurity and Consumer Protection last Friday, I went out to dinner with some friends in the security industry and we jokingly discussed “if the cybersecurity industry had a theme song what should it be?”  We all agreed that Twisted Sister’s “We’re not gonna take it” would be…