Note: This blog post was significantly revised on 17 November 2019 after initial release on 12 November 2019. The primary alteration is within the second paragraph, noting that the initial event that inspired this blog post – an exchange between a security researcher/responder and a journalist – was much more Read more
I recently had a discussion as to whether PSExec, the legitimate Microsoft Sysinternals tool often abused by malicious actors for remote code execution, should be included on a list of indicators related to a recent intrusion event. While my overall opinion of indicators of compromise (IOCs) as they are used Read more
“When I use a word,” Humpty Dumpty said, in rather a scornful tone, “it means just what I choose it to mean—neither more nor less.” – Through the Looking Glass, Lewis Carroll FireEye recently published a blog covering the tactics, techniques, and procedures (TTPs) for the “TRITON actor” when preparing Read more
Recently Juan Andreas Guerrero-Saade and Silas Cutler presented new research on the cluster of activity encompassing Stuxnet, Duqu, and Flame at the Kaspersky Lab-sponsored Security Analyst Summit. (Note for those reading this from US, Canadian, and related government networks: accessing the research link previously will display potentially leaked, non-public information Read more
19 and 20 December 2018 will likely blend into the overall insanity of the entire year, especially when considered from a US/UK political perspective. Yet these dates, aside from being consecutive, also featured an interesting juxtaposition in the world of cybersecurity threat intelligence. On 19 December 2018, the company Area1 Read more
On 15 November, something long-awaited (and presumably expected) came to pass in the information security community – CozyBear/APT29/CozyDuke/”The Dukes”/”Office Monkeys” were (or seemed to be) back. Subsequent reporting defined the scope of the event: a large phishing campaign on 14 November targeting multiple organizations spanning “military agencies, law enforcement, defense Read more
Recently I engaged in conversation with Dale Peterson dealing with the gas explosion events in Massachusetts. For background, following the event in question there were multiple unfounded claims of a “cyber” cause behind these events followed by significant pushback from various ICS security experts. Where Dale and I enter the Read more
Recently I was part of a Twitter conversation that started with excellent points on profiling and managing threats that led to some good comments on the value of “who-based” attribution. If you’ve followed this blog and my related works, you will know that I already have strong feelings on the Read more
YARA – or “yet another regex alternative” – is a pattern matching tool with multiple uses but extensive application in malware analysis and alerting. The framework itself is simple, relatively easy to understand (especially on basic string matching), and incredibly flexible. Yet in application and advertised use, YARA is often Read more
I had the pleasure to engage some really smart people on the subject of threat attribution and naming conventions via Twitter recently. I think the linked thread is useful as an example not only of some of the issues the cyber security community still has around terminology and definitions, but Read more