ECAT

Moving from Low to High-Fidelity Security

In the 1940s and 50s home audio systems went through a high-fidelity revolution. This is the period when the music recording industry and stereo manufacturers dramatically improved the audio experience for consumers. Technically it had to do with the improved audio capture, more sophisticated mastering (stereophonics), and dramatically improved reproduction of music, all at a…

David vs. Goliath

Yes. Yes. You are very good at what you do (even the best!). You have skills, techniques, speed and strength. But is that enough? Just being the best at what you do doesn’t mean you will win against any opponent. Have you ever thought what will happen to a boxer entering the Octagon with an MMA fighter? If…

The Case of Threat Intelligence in ETDR

It seems like every day we’re hearing about a new major security breach that’s affecting thousands, if not millions. Cybercriminals have many motives, and no organization should consider itself invulnerable. These attackers are advanced and have been able to penetrate deep layers of defenses. Years ago, organizations thought that technologies like Antivirus (AV), firewalls, Host Intrusion…

Another day. Another Ransomware.

TeslaCrypt is a ransomware trojan that targets computers with user data and specific computer games installed. Once the system is infected, the malware searches for various file types related to personal documents and different games, including the Call of Duty series, World of Warcraft, Minecraft and World of Tanks, and then encrypts them. The victim is then prompted with a…

Hunting Webshells with ECAT

INTRODUCTION

The term webshell is commonly used to describe a web-based application which provides remote access/command execution capability to the web servers where they are installed. These are normally small files that execute user (i.e. attacker) commands and provide the result back via a web page to that same user (i.e. attacker). These webshells normally use…

An APT Case Study

The RSA IR team deals with APT actors on a daily basis on networks of various sizes. Regardless of the size of the network, or the number of advanced actors we find in them, one thing is paramount to both us and our customers during investigations: the ability to quickly scope the severity of the intrusion. …

Wolves Among Us: Abusing Trusted Providers for Malware Operations

Within the past year the RSA Incident Response (IR) team has worked multiple APT engagements where they’ve identified the adversary’s malware using a unique method of determining its Command and Control (C2) server. By leveraging trusted content providers, such as popular shopping sites and discussion forums, adversaries can perform operations within a network in plain…

Beyond the Zero Day: Detecting JVM Drive-bys – Part 1 of 3

By Erik Heuser, RSA Advanced Cyber Defense Services Advisory Practice Consultant

With all the recent Java Virtual Machine (JVM) exploits, a lot of attention is being focused on figuring out how best to mitigate the vulnerability. Detection has been limited to signature-based attempts, mostly firing on class names or well-known strings within the JAR/Class. While this…