Papers, Publications, and External Postings

The following is a listing of those items posted, published, or otherwise disseminated by entities outside of my little website. In some cases, the direct report is linked here, in most (to properly honor and respect the entity that invited my contribution) I’ve linked to the original publication or site.

White Papers and Long-Form Items

Threat Intelligence & Threat Operations

• Developing an Intelligence-Driven Threat Hunting Methodology – Gigamon
• Exorcising the Ghost in the Machine: Debunking Myths Around Supply Chain Intrusions – Gigamon
• Conceptualizing a Continuum of Cyber Threat Attribution – DomainTools
• Formulating a Robust Pivoting Methodology – SANS CTI/DomainTools
• Spyware Stealer Locker Wiper: LockerGoga Revisited – TROOPERS / Dragos
• Threat Intelligence and the Limits of Malware Analysis – SANS CTI Summit / Dragos

Industrial Control System & Operational Technology Issues

• Zeroing In On XENOTIME: Analysis of thte Entities Responsible for the Triton Event – VirusBulletin 2022
• The Baffling Berserk Bear: A Decade’s Activity Targeting Critical Infrastructure – VirusBulletin 2021
• Stuxnet to CRASHOVERRIDE to TRISIS: Evaluating the History and Future of Integrity-Based Attacks on Industrial Environments – Dragos
• Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE – VirusBulletin 2018
• Defense Informs Offense Improves Defense: How to Compromise an Industrial Control Systems Network – and How to Defend It – Magdeburger Jounral zur Sicherheitsforschung
• CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack – Dragos
• Evolution of ICS Attacks and the Prospects for Future Disruptive Events – Dragos

Blogs, Postings, and Short-Form Publications

Dragos

• The False Choice of IT vs OT
• Combating ICS Threats
• The Disappearing IT-IoT Divide and the Malware Poised to Take Advantage
• Implications of IT Ransomware for ICS Environments
• Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
• Questions and Considerations from the Alleged Ukraine Chemical Plant Event
• The Myth of the Adversary Advantage
• Indicators and ICS Network Defense
• Threat Analytics and Activity Groups

DomainTools

• Extrapolating Adversary Intent through Infrastructure
• Analyzing Network Infrastructure as Composite Objects
• Current Events to Widespread Campaigns: Pivoting from Samples to Identify Activity
• Identifying Network Infrastructure Related to a World Health Organization Spoofing Campaign
• Identifying Critical Infrastructure Targeting through Network Infrastructure Creation
• Unraveling Network Infrastructure Linked to the SolarWinds Hack
• Continuous Eruption: Further Analysis of the SolarWinds Supply Chain Incident
• Holiday Bazar: Tracking a TrickBot Related Ransomware Incident
• The Devil’s in the Details: SUNBURST Atttribution
• Change in Perspective on the Utility of SUNBURST-Related Network Indicators
• Visibility, Monitoring, and Critical Infrastructure Security
• The Continuous Conundrum of Cloud Atlas
• Centreon to Exim and Back: On the Trail of Sandworm
• Examining Exchange Exploitation and its Lessons for Defenders
• COVID-19 Phishing with a Side of Cobalt Strike
• An Undersea Royal Road: Exploring Malicious Documents and Associated Malware
• Leaping Down a Rabbit Hole of Fraud and Misdirection

Gigamon

• Tracking Darkside and Ransomware: The Network View
• Hold the Door: Examining Exfiltration Activity and Applying Countermeasures
• Observations and Recommendation from the Ongoing REvil-Kaseya Incident
• Ghosts on the Wire: Expanding Conceptions of Network Anomalies
• Rendering Threats: A Network Perspective
• Infrastructure, Security and the Need for Visibility
• Bear in the Net: A Network-Focused Perspectrive on Berserk Bear
• Network Security Monitoring Opportunities and Best Practices for Log4j Defense
• The Log Keeps Rolling On: Evaluating Log4j Developments and Defensive Requirements
• Focusing on “Left of Boom”
• Gaining Visibility into Active Directory Enumeration
• The Visibility Paradox in Critical Infrastructure Monitoring
• Revisiting the Idea of the “False Positive”
• Considering Threat Hunting

Huntress

• Investigating Intrusions from Intriguing Exploits
• Contextualizing Events & Enabling Defense: What 3CX Means
• Calm in the Storm: Reviewing Volt Typhoon
• Identity: The Third Phase of Security Operations
• Spidering Through Identity for Profit and Disruption
• Move It On Over: Reflecting on MoveIT Exploitation
• 2023 SMB Threat Report