How to Make Your Sandbox Smarter

Sandboxes are a great tool with two primary uses: 1.) a tool to assist malware analysts during their analysis and 2.) a first-line security tool for Tier 1/Level 1 (T1/L1) analysts to help determine if a file exhibits malicious behavior and to rate the severity of an incident. It is the latter use that I am going to focus on. When used correctly, sandboxes can enhance a T1/L1 analyst's ability to detect and classify incidents for an organization's Security Operations Center (SOC).

Beyond the Zero Day: Detecting JVM Drive-bys – Part 1 of 3

With all the recent Java Virtual Machine (JVM) exploits, a lot of attention is being focused on figuring out how best to mitigate the vulnerability. Detection has been limited to signature-based attempts, mostly firing on class names or well-known strings within the JAR/Class. While this works for the commodity malware based on pre-packaged kits like Black Hole and Redkit, a clever adversary will re-write the exploit and avoid that simple detection method.

Emerging UPnP Vulnerabilities

Several vulnerabilities in multiple implementations of Universal Plug and Play (UPnP) were announced January 29 by security firm Rapid7. These vulnerabilities can result in remote code execution and affect “between 40 and 50 million” internet-connected devices (according to Rapid7). Said another way, this affects “over 1,500 vendors and 6,900 products”. The Rapid7 announcement, available here, discusses their findings in depth.

The Evolution of Malware Encryption Part I: Basic Malware Encryption

We, the RSA FirstWatch team, are always at the forefront of solving the latest malware problems; one of those is malware encryption. Malware encryption is not new. It has been around since the DOS days, but has simply evolved to address the antivirus solutions designed to beat it. In this multi-part blog, I will discuss how malware encryption has evolved from the simple application of an encryption/decryption engine to the more complicated metamorphic engine.

Understanding Indicators of Compromise (IOC) Part II

In the first installment of this blog series we discussed several principal ideas and concepts necessary for security analysts as they seek to master an understanding of indicators of compromise (IOC). We discussed how IOCs relate to observables and how observables tie or relate to measurable events or stateful properties on a host. We…

Dark Side of Shamoon

Recently, there has been some media noise generated by a new malware reportedly attacking targets in the Middle East such as Saudi Aramco. But what exactly does this attack look like once the malware has compromised the system? Check out our visual examples of Shamoon, including a video showing its destructive payload in action.

Air Gaps and Smart Grid

As more information about the attack on Saudi Aramco has emerged, such as in the article in Dark Reading last week, it increasingly appears to be an aggressive and significant attack, with one attacker claiming to have compromised 30,000 of the company’s clients and servers. As described in the Saudi Aramco press release, however, the…

Rogue Mobile Apps, Phishing, Malware and Fraud

Mobile apps, and the content they provide, are the reason smartphones and tablets are so popular; recent statistics show that mobile users around the globe download over 67 million apps every day! Although these numbers are staggering, security awareness did not follow, and it was a matter of time – and only logical for cybercriminals – before online threats, such as phishing and malware, became a reality on mobile devices.

Whitehats vs. Blackhats: Techniques of the Cybercrime Elite Trickle Down to the Public Domain

Advances made in the cybercrime world over the past year prove that the trickle-down effect does not only apply to tablet computers and space tourism. Rather, much like real world products, techniques that were once reserved for the cybercrime elite have trickled down to the public domain, bestowing low-skilled botmasters with the same research-thwarting tools that not too long ago were used solely by malware experts.

Stalking the Kill Chain: Tired of Being Hunted?

Shady Rat, Aurora, Poison Ivy, ZeuS, SpyEye, Ice IX, Stuxnet and Flame. This strange combination of terms may have no immediate relation to the layman, but for those involved in computer security and incident response, they speak of events that have sparked press coverage, executive interest and late nights.