‘Motive – Opportunity – Impunity’ cycle shapes the cybersecurity threat landscape for years

Motive – Opportunity – Impunity: without breaking this cycle in the global private and public sectors cooperation, there’ll be no end to cybercrime nor to politically motivated hacks. Motive Money. That’s what’s directly behind the majority of cyber attacks today. Another much less frequent but very dangerous motive is politics with state actors seeking influenceContinue reading “‘Motive – Opportunity – Impunity’ cycle shapes the cybersecurity threat landscape for years”

Analyzing binaries in place with Velociraptor and CAPA

Velociraptor aims to provide the “last step” in the process of digital forensic investigations, security monitoring and threat hunting.Β  CAPA detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is aContinue reading “Analyzing binaries in place with Velociraptor and CAPA”

Threat hunting with Microsoft Defender – Valid Accounts

In the previous post I explained how to hunt for exact same scenario using CrowdStrike. I thought it’d be fun to see how would it look like with Microsoft Defender for Endpoint using its Advanced Hunting module and the Kusto query language.

Threat hunting with CrowdStrike – Valid Accounts

Techniques of interest:  https://attack.mitre.org/techniques/T1078/ https://attack.mitre.org/techniques/T1021/ |_ Remote Services: Remote Desktop Protocol |_ Remote Services: SMB/Windows Admin Shares   Hypothesis:  If a Threat Actor (TA) would successfully employ the above-mentioned sub-techniques of T1021 then in Windows Active Directory environment it should demonstrate itself by Windows logon events with types 3 and 10 being generated on target machines.   If we were able to identify any single userContinue reading “Threat hunting with CrowdStrike – Valid Accounts”

How to make smart investments in cybersecurity

Developing and prioritizing investment needs is not an easy task for most of the CISOs out there. Most of them face strong budgeting constraints and need to extensively justify every penny they request. Some will only get significant spending approved after their organization experienced a significant breach. This article aims to provide a noninclusive listContinue reading “How to make smart investments in cybersecurity”

Subjective list of the 5 most important things you should be doing to improve cybersecurity in your organization

Have the response team No matter how good your organization is in risk management and implementing security measures it is certain that sooner or later it will experience a severe security incident or a breach. When this happens the only thing that can effectively minimize the impact and quickly recover from the incident is theContinue reading “Subjective list of the 5 most important things you should be doing to improve cybersecurity in your organization”

Proactive Threat Hunting – no longer a whim

Originally posted in 2018. We are undoubtedly in the era of huge security alert fatigue. This has been caused by the vast number of false positive alerts generated every day by countless security products that organizations put in place to improve their defences. Because of this, it’s hard to justify resources who would essentially focusContinue reading “Proactive Threat Hunting – no longer a whim”

What can we learn from the GAO report on the US Weapon Systems Cybersecurity

Posted on: October 23, 2018 At the beginning of this month the United States Government Accountability Office released a public report titled: β€œWEAPON SYSTEMS CYBERSECURITY DOD Just Beginning to Grapple with Scale of Vulnerabilities” The assessment was performed as the US Department of Defense β€œ(…) plans to spend about $1.66 trillion to develop its current portfolio ofContinue reading “What can we learn from the GAO report on the US Weapon Systems Cybersecurity”

Let’s start with the basics. Windows security events monitoring.

Originally published in 2015. Security logs collection and analysis is crucial for security incident detection and response. There are many tools that can help in this activity but they can be only as good as the data that is sent to them. This guide concentrates on providing recommendations and ideas to consider when planning logContinue reading “Let’s start with the basics. Windows security events monitoring.”

Let me mine some coin with your browser, Alice!

Originally published in 2017. Recently while I was reviewing AV logs in a large organization one of the things that caught my attention was a large number of hits categorized as JavaScript with the word ‘Miner’ in the threat’s signature name. I looked up some of the files’ hashes in VirusTotal and downloaded some samples.Continue reading “Let me mine some coin with your browser, Alice!”

Finding newly registered domains for hunting and blocking.

Originally published in 2015. Email addresses in freshly registered short lived domains are increasingly used to send spam and malware. They are also used in spear phishing campaigns often combined with bitsquatting/typosquatting techniques to fool users into trusting the message content. The same applies to websites serving malicious content that are linked by the phishingContinue reading “Finding newly registered domains for hunting and blocking.”