CozyBear – In from the Cold?

On 15 November, something long-awaited (and presumably expected) came to pass in the information security community – CozyBear/APT29/CozyDuke/”The Dukes”/”Office Monkeys” were (or seemed to be) back. Subsequent reporting defined the scope of the event: a large phishing campaign on 14 November targeting multiple organizations spanning “military agencies, law enforcement, defense Read more…

Speculation and Judgment

Recently I engaged in conversation with Dale Peterson dealing with the gas explosion events in Massachusetts. For background, following the event in question there were multiple unfounded claims of a “cyber” cause behind these events followed by significant pushback from various ICS security experts. Where Dale and I enter the Read more…

YARA for Hunting

YARA – or “yet another regex alternative” – is a pattern matching tool with multiple uses but extensive application in malware analysis and alerting. The framework itself is simple, relatively easy to understand (especially on basic string matching), and incredibly flexible. Yet in application and advertised use, YARA is often Read more…

Perception is Reality

Nate Beach-Westmoreland wrote a Tweet recently that piqued my interest, as it aligned very closely to one of my major concerns in a former IR position: how does one ensure that sensitive data isn’t manipulated? Typically, cyber defense focuses on two key impacts: the loss or theft of sensitive (or Read more…

Sources and Methods to the Madness

The term “sources and methods” brings passionate, sometimes pained reactions within the information security community. On the one hand, there are those engaged in traditional intelligence operations for whom “sources and methods” are vital resources, to be maintained and preserved at almost any cost to ensure continuous collection. Contrary to Read more…