Red Teaming for Blue Teamers: A Practical Approach Using Open Source Tools

Tags: blue team, events, Red Team, rsa
For the majority of people in the information security world, the act of offensive hacking is something they are tasked with protecting against but have little ability to do themselves. That is like asking a professional boxer to enter the ring without knowing how to throw a punch. Sure, you ... Read More

ISA Global Cybersecurity Alliance: Your Expertise is Needed

The ISA/IEC 62443 series of standards, developed by the ISA99 committee and adopted by the International Electrotechnical Commission, provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems. These standards not only address configuration weaknesses to harden systems against vulnerabilities, but ... Read More

Using ATT&CK As a Teacher

Over the past few years, I’ve had the pleasure of welcoming interns on our security research team. One of my goals was to pass on knowledge of security to these folks and pique their interest in (a career in) security. The goal of any teacher is to pass on their ... Read More

Hash Hunting: Why File Hashes are Still Important

According to Gartner, threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable intelligence. When security research teams or government agencies release threat intelligence reports, some of the more tactical actionable intelligence is in the indicators. These indicators include (but are not limited to) IP addresses, domain names, ... Read More

The Masquerade Ball: Train Yourself to Detect Spoofed Files

Masquerading is a technique in which a file is maliciously given a name similar to one that may be trusted. This specific technique is outlined in detail in the MITRE ATT&CK framework, as well. For example, a file named explorer.exe may seem more benign than one called explor3r.exe. However, ... Read More

Incident Response Basics: Getting started with DFIR

The digital world has borrowed terminology and principles from the kinetic world for decades. We’ve all heard of an upcoming cyber war using cyber bullets spawned from the digital Pearl Harbor. We have gangs, as well as cyber-gangs, or criminals, as well as cyber criminals. The reason there are so ... Read More
What is the MITRE ATT&CK™ Framework?

The MITRE ATT&CK Framework: Command and Control

Most malware these days has some level of Command and Control. This can be to exfiltrate data, tell the malware what instructions to execute next, or download encryption keys in the case of ransomware. In each case of command and control, the attacker is accessing the network from a remote ... Read More

The MITRE ATT&CK Framework: Exfiltration

Once an attacker has established access and pivoted around to the point of gathering the necessary data, they will work on exfiltration of that data. Not all malware will reach this stage. Ransomware, for example, usually has no interest in exfiltrating data. As with the Collection tactic, there’s little guidance ... Read More

The MITRE ATT&CK Framework: Collection

The Collection tactic outlines techniques an attacker will undertake in order to find and gather the data they need to meet their actions on objectives. I see most of these techniques as being useful for describing what a piece of malware or threat actor is up to rather than looking ... Read More

The MITRE ATT&CK Framework: Lateral Movement

It will be rare that an attacker exploits a single system and does not attempt any lateral movement within the network. Even ransomware that typically targets a single system at a time has attempted to spread across the network looking for other victims. More often than not, an attacker will ... Read More