Src | Date (GMT) | Title | Description | Tags | Stories | Notes |
|
2021-10-13 20:17:09 |
FreakOut Botnet Turns DVRs Into Monero Cryptominers (lien direct) |
The new Necro Python exploit targets Visual Tool DVRs used in surveillance systems.
|
Tool
|
|
|
|
2021-10-12 17:41:00 |
Anomali Cyber Watch: Aerospace and Telecoms Targeted by Iranian MalKamak Group, Cozy Bear Refocuses on Cyberespionage, Wicked Panda is Traced by Malleable C2 Profiles, and More (lien direct) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data leak, Ransomware, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Russian Cyberattacks Pose Greater Risk to Governments and Other Insights from Our Annual Report
(published: October 7, 2021)
Approximately 58% of all nation-state attacks observed by Microsoft between July 2020 and June 2021 have been attributed to Russian-sponsored threat groups, specifically to Cozy Bear (APT29, Nobelium), associated with the Russian Foreign Intelligence Service (SVR). The United States, Ukraine, and the UK were their top three targets. Russian Advanced Persistent Threat (APT) actors increased their effectiveness from a 21% successful compromise rate to a 32% rate, comparing year to year. They achieve this by beginning attacks with supply-chain compromise, using effective tools such as web shells, and improving their skills at targeting cloud environments. Russian APTs are increasingly targeting government agencies for intelligence gathering, which jumped from 3% of their targets a year ago to 53%, largely agencies involved in foreign policy, national security, or defense. Following Russia by the number of APT cyberattacks were North Korea (23%), Iran (11%), and China (8%).
Analyst Comment: As the collection of intrusions for potential disruption operations via critical infrastructure attacks became too risky for Russia, it refocused back to gaining access to and harvesting intelligence. The scale and growing effectiveness of the cyberespionage requires a defence-in-depth approach and tools such as Anomali Match that provide real-time forensics capability to identify potential breaches and known actor attributions.
MITRE ATT&CK: [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Brute Force - T1110
Tags: Fancy Bear, APT28, APT29, The Dukes, Strontium, Nobelium, Energetic Bear, Cozy Bear, Government, APT, Russia, SVR, China, North Korea, USA, UK, Ukraine, Iran
Ransomware in the CIS
(published: October 7, 2021)
Many prominent ransomware groups have members located in Russia and the Commonwealth of Independent States (CIS), and they avoid targeting this region. Still, businesses in the CIS are at risk of being targeted by dozens of lesser-known ransomware groups. Researchers from Kaspersky Labs have published a report detailing nine business-oriented ransomware trojans that were most active in the CIS in the first half of 2021. These ransomware families are BigBobRoss (TheDMR), Cryakl (CryLock), CryptConsole, Crysis (Dharma), Fonix (XINOF), Limbozar (VoidCrypt), Phobos (Eking), Thanos (Hakbit), and XMRLocker. The oldest, Cryakl, has been around since April 2014, and the newest, XMRLocker, was first detected in August 2020. Most of them were mainly distributed via the cracking of Remote Deskto |
Ransomware
Malware
Tool
Threat
Guideline
Prediction
|
APT 41
APT 41
APT 39
APT 29
APT 29
APT 28
|
|
|
2021-10-07 04:50:04 |
Code Execution Bug Affects Yamale Python Package - Used by Over 200 Projects (lien direct) |
A high-severity code injection vulnerability has been disclosed in 23andMe's Yamale, a schema and validator for YAML, that could be trivially exploited by adversaries to execute arbitrary Python code.
The flaw, tracked as CVE-2021-38305 (CVSS score: 7.8), involves manipulating the schema file provided as input to the tool to circumvent protections and achieve code execution. Particularly, the |
Tool
Vulnerability
|
|
|
|
2021-10-06 21:37:35 |
Exclusive: Researchers dumped Gigabytes of data from Agent Tesla C2Cs (lien direct) |
Resecurity researchers dumped gigabytes of data from Agent Tesla C2Cs: one of the most well-known cyberespionage tools has suffered a data leak. Agent Tesla, first discovered in late 2014, is an extremely popular “malware-as-a-service” Remote Access Trojan (RAT) used by threat actors to steal information such as credentials, keystrokes, clipboard data and other information from […]
|
Tool
Threat
|
|
|
|
2021-10-06 19:06:00 |
Inside TeamTNT's Impressive Arsenal: A Look Into A TeamTNT Server (lien direct) |
Authored By: Tara Gould
Key Findings
Anomali Threat Research has discovered an open server to a directory listing that we attribute with high confidence to the German-speaking threat group, TeamTNT.
The server contains source code, scripts, binaries, and cryptominers targeting Cloud environments.
Amazon Web Services (AWS) credentials stolen by TeamTNT's stealers are also hosted on the server.
This inside view of TeamTNT infrastructure and tools in use can help security operations teams to improve detection capabilities for related attacks, whether coming directly from TeamTNT or other cybercrime groups leveraging their tools.
Overview
Anomali Threat Research has identified a TeamTNT server open to directory listing. The server was used to serve scripts and binaries that TeamTNT use in their attacks, and also for the IRC communications for their bot. The directory appears to have been in use since at least August 2021 and was in use as of October 5, 2021. The contents of the directory contain metadata, scripts, source code, and stolen credentials.
TeamTNT is a German-speaking cryptojacking threat group that targets cloud environments. The group typically uses cryptojacking malware and has been active since at least April 2020.[1] TeamTNT activity throughout 2021 has targeted AWS, Docker, GCP, Linux, Kubernetes, and Windows, which corresponds to usual TeamTNT activity.[2]
Technical Analysis
Scripts (/cmd/)
Figure 1 - Overview of /cmd/
Contained on the server, in the /cmd/ directory, are approximately 50 scripts, most of which are already documented. The objectives of the scripts vary and include the following:
AWS Credential Stealer
Diamorphine Rootkit
IP Scanners
Mountsploit
Scripts to set up utils
Scripts to set up miners
Scripts to remove previous miners
Figure 2 - Snippet of AWS Credential Stealer Script
One notable script is the one that steals AWS EC2 credentials, shown in Figure 2 above. The AWS access key, secret key, and token are piped into a text file that is uploaded to the Command and Control (C2) server.
Figure 3 - Chimaera_Kubernetes_root_PayLoad_2.sh
Another interesting script is shown in Figure 3 above, which checks the architecture of the system, and retrieves the XMRig miner version for that architecture from another open TeamTNT server, 85.214.149[.]236.
Binaries (/bin/)
Figure 4 - Overview of /bin
Within the /bin/ folder, shown in Figure 4 above, there is a collection of malicious binaries and utilities that TeamTNT use in their operations.
Among the files are well-known samples that are attributed to TeamTNT, including the Tsunami backdoor and an XMRig cryptominer. Some of the tools have their source code located on the server, such as TeamTNT Bot. The folder /a.t.b contains the source code for the TeamTNT bot, shown in Figures 5 and 6 below. In addition, the same binaries have been found on a TeamTNT Docker image, noted in Appendix A.
|
Malware
Tool
Threat
|
Uber
APT 32
|
|
|
2021-10-06 14:30:00 |
Making the Case for a Threat Intelligence Platform (lien direct) |
Cyber Risks
As the cyber threat landscape becomes rapidly more complex, the risk of breaches increases. The potential for severe financial loss, reputational damage, and non-compliance with regulations drive companies to invest in threat intelligence platforms.
Threat Intelligence Platforms
Threat intelligence platforms (TIP) are critical security tools that use global intelligence data to help proactively identify, mitigate and remediate security risks. A TIP pulls together key cyber threat defense functions, creating a holistic threat intelligence system. Some of the key benefits are operationalizing data gathering, processing data into intelligence, integrating information from various sources, streamlining the intelligence cycle, and better navigation of the threat landscape.
While this tool has obvious advantages to security professionals, making the business case to invest in a TIP can be a challenge.
Making the Business Case for a TIP
Speaking in a Language Management Understands
The case needs to be made from management's perspective to justify the investment in a TIP. Start by mapping security objectives to management objectives, understanding the business risks that concern them rather than cyber threats in general, and quantifying the return on investment.
Interviewing the heads of key intelligence stakeholders throughout the organization is a good way of gaining the insight needed to understand the business and how it is affected by cybersecurity. This communication can also create the trust that the security teams are working for them and their goals.
Communication style is also essential. Security terms that are part of the everyday vocabulary of SOC analysts and threat intelligence teams may not be readily understandable by those in other functional areas. More technical language should be translated into basic concepts, and information should be contextualized to resonate with the audience.
Visual mapping and use cases can be persuasive communication techniques. Visual mapping of the relationships between intelligence stakeholders can describe solutions in a way that transcends security terminology. Use cases from your own company or from others in similar industries are an effective way of giving real-world context to a TIP implementation.
Threat Intelligence Platform Return on Investment
The bottom line for any investment is the quantifiable return it will have for the company. Cost savings are the most obvious contribution that threat intelligence tools can make to an organization. However, revenue generation can also be a significant payback of operationalized threat intelligence. Regulatory compliance can also contribute to a positive ROI.
TIP Cost Reductions
The cost of a devastating data breach is always top of mind for a company. Investing in a TIP that minimizes financial risk can be justified by focusing on relevant threats. Depending on the industry, the pure financial losses can be enormous. Breaches like those at Home Depot and Target have run into tens of millions of dollars. Potential direct operational fees for legal and forensic services, consultants, and customer care are most easily quantified. Harder to quantify but potentially just as costly are loss of brand equity and reputational damage.
Better utilization of assets is also a significant contribution to cost reductions. Automation of data gathering, processing, and intelligence reporting saves threat intelligence analysts' time, freeing them for more strategic threat hunting, etc. A TIP can also eliminate the need for additional headcount and reduce time spent on chasing false positives. By replacing unnecessary security tools with a TIP that functions more effectively, you can further reduce costs.
TIP Revenue Generation
While cost reductions are a more typical contributor to calcu |
Data Breach
Tool
Threat
|
|
|
|
2021-10-06 05:04:20 |
Threat hunting in large datasets by clustering security events (lien direct) |
By Tiago Pereira.
Security tools can produce very large amounts of data that even the most sophisticated organizations may struggle to manage. Big data processing tools, such as Spark, can be a powerful addition to the arsenal of security teams. This post walks through threat hunting on large datasets...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
Tool
Threat
|
|
|
|
2021-10-06 04:25:00 |
Six Functions to Activate to Improve Your Cyber Defenses (lien direct) |
Conversations on cyber security are increasingly focused on Security Operations Center (SOC) tools and activities. While it is impossible to deny the importance of the SOC to an organization's security strategy, the SOC is part of the much broader scope of Cyber Defense. When Cyber Defense, which encompasses the SOC, isn't properly prioritized, the effectiveness of the people, processes and capabilities used to defend environments from the latest attacks is impacted.
Robust Cyber Defenses are needed to prevent compromise, reduce attack impact, and enable organizations to continue to operate in |
Tool
|
|
★★★
|
|
2021-10-06 00:00:00 |
Using CRIMZON™ to assess cybersecurity hazards with an insurance portfolio. The CRIMZON™ framework allows insurance carriers to gain insights into the hazard of cyber without needing to run external scans. (lien direct) |
In recent years, the rise to prominence of cyber risk, both as a peril and as a line of business, has created opportunities and threats to insurance companies in equal measure. Insurance executives, exposure managers and underwriters need now more than ever to understand, quantify and manage their exposures, in order to sustain profitability and to protect their balance sheets. By definition, cyber events occur due to vulnerable technology. It is therefore tempting to conclude that understanding these exposures requires knowing the full map of technologies and service providers an insured relies upon, including the granular details on how data is stored and accessed. The issue with this approach is that while this information is certainly valuable to assess the risk, it is challenging to obtain at scale due to the difficulties that arise from accessing and analyzing the data properly. Help in solving this dilemma is provided by using techniques to analyze the cyber footprint of an insured, mapping the technologies and service providers most exposed to the external world. The premise is that such analysis provides insurers with the same point of view as potential threat actors. It is fair to say this is currently the gold standard of cyber hazard analysis. Insurance carriers with large affirmative cyber books rely on external scans for underwriting as well as for portfolio management, often augmenting this data with information provided by the insured, mostly from third-party vendors. A direct relationship with the insured is the best way forward to understand their level of risk; however, it's disingenuous to assume every stakeholder in the insurance industry is able to access the same level of data.
Within the same company, portfolio managers often don't have access to the same level of detail as underwriters, and across entities reinsurers rely on their clients passing on data, which requires overcoming hurdles around data confidentiality as well as technical limitations on data volumes. Moreover, external scans are expensive and might not be a viable option when cyber coverage is offered as an endorsement on other lines of business. Assessing hazard insured by insured is therefore not always possible and cannot be expected to be the only way. Kovrr has developed an open framework, CRIMZON, which allows insurance stakeholders to understand hazard without running expensive analysis tools and by collecting only a minimum amount of data points. This framework is designed to answer basic questions on cyber risk accumulations and estimates of Probable Maximum Loss (PML). It allows full flexibility around the type of risk analyzed, whether the focus is ransomware or cyber liability, and is consistent and compatible with the catastrophe model methodology deployed in our probabilistic cyber risk quantification solution.
Mr. Hetul Patel, Advisor to Kovrr and Chief Actuary at Liberty Mutual Re, said: “CRIMZON™ are a novel way to address the very real need for better cyber risk aggregation. Recent events have clearly highlighted that cyber loss events can't be managed through the traditional tools that reinsurers currently use. CRIMZON have the potential to create a market standard, similar to the way CRESTA zones are used for natural catastrophe modelling. The use of which goes beyond aggregate and risk management, and into outward reinsurance purchasing and attracting third party capital.”
Grouping Companies Together by CRIMZON™
Kovrr's open framework Cyber Risk Accumulation Zones (CRIMZON™) groups companies together based on three characteristics: industry, location and entity size.
This framework for grouping is based on research showing that companies sharing these characteristics tend to share cyber risks. Cyber attacks would then be more likely to spread through companies within the same CRIMZON rather than hitting companies randomly. For example, a cyber attack might b |
Ransomware
Tool
Threat
|
|
★★★
|
|
2021-10-05 18:28:00 |
Anomali Cyber Watch: New APT ChamelGang, FoggyWeb, VMWare Vulnerability Exploited and More (lien direct) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, FoggyWeb, Google Chrome Bugs, Hydra Malware, NOBELIUM and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Google Just Patched These Two Chrome Zero-day Bugs That Are Under Attack Right Now
(published: October 1, 2021)
Google has warned users of Google Chrome to update to version 94.0.4606.71, due to two new zero-days that are currently being exploited in the wild. This marks the second update in a month due to actively exploited zero-day flaws. The first of these common vulnerabilities and exposures (CVEs), CVE-2021-37975, is a high severity flaw in the V8 JavaScript engine, which has been notoriously difficult to protect and could allow attackers to create malware that is resistant to hardware mitigations.
Analyst Comment: Users and organizations are recommended to regularly check for and apply updates to the software applications they use, especially web browsers that are increasingly used for a variety of tasks. Organizations can leverage the capabilities of Anomali Threatstream to rapidly get information about new CVEs that need to be mitigated through their vulnerability management program.
Tags: CVE-2021-37975, CVE-2021-37976, chrome, zero-day
Hydra Malware Targets Customers of Germany's Second Largest Bank
(published: October 1, 2021)
A new campaign leveraging the Hydra banking trojan has been discovered by researchers. The malware, an Android application, impersonates the legitimate application for Germany's largest bank, Commerzbank. While Hydra has been seen for a number of years, this new campaign incorporates many new features, including abuse of Android accessibility features and permissions, which give the application the ability to stay running and hidden with essentially full administrator privileges over a victim's phone. It appears to be initially spread via a website that imitates the official Commerzbank website. Once installed, it can spread via bulk SMS messages to a user's contacts.
Analyst Comment: Applications, particularly banking applications, should only be installed from trusted and verified sources and reviewed for suspicious permissions they request. Similarly, emails and websites should be verified before using.
Tags: Banking and Finance, EU, Hydra, trojan
New APT ChamelGang Targets Russian Energy, Aviation Orgs
(published: October 1, 2021)
A new Advanced Persistent Threat (APT) group dubbed “ChamelGang” has been identified to be targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities like Microsoft Exchange Server’s ProxyShell and leveraging both new and existing malware to compromise networks. Researchers at Positive Technologies have been tracking the group since March 2017, and have observed that they have attacked targets in 10 countries so far. The group has been able to hi |
Ransomware
Malware
Tool
Vulnerability
Threat
Guideline
|
Solardwinds
Solardwinds
APT 27
|
|
|
2021-10-04 19:15:08 |
CVE-2021-41118 (lien direct) |
The DynamicPageList3 extension is a reporting tool for MediaWiki, listing category members and intersections with various formats and details. In affected versions unsanitised input of regular expression date within the parameters of the DPL parser function, allowed for the possibility of ReDoS (Regex Denial of Service). This has been resolved in version 3.3.6. If you are unable to update you may also set `$wgDplSettings['functionalRichness'] = 0;` or disable DynamicPageList3 to mitigate. |
Tool
|
|
|
|
2021-10-04 18:15:09 |
CVE-2021-32762 (lien direct) |
Redis is an open source, in-memory database that persists on disk. The redis-cli command line tool and redis-sentinel service may be vulnerable to integer overflow when parsing specially crafted large multi-bulk network replies. This is a result of a vulnerability in the underlying hiredis library which does not perform an overflow check before calling the calloc() heap allocation function. This issue only impacts systems with heap allocators that do not perform their own overflow checks. Most modern systems do and are therefore not likely to be affected. Furthermore, by default redis-sentinel uses the jemalloc allocator which is also not vulnerable. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. |
Tool
Vulnerability
|
|
|
|
2021-10-04 11:00:00 |
The Need for Intelligence-Driven XDR to Address Security Team Challenges (lien direct) |
As organizations continue to expand and evolve their digital footprint, security staff struggle to adapt operations quickly enough to ensure effective monitoring and response to incidents in their environment. These challenges are even more difficult due to limited staff and expertise.
Enter extended detection and response or XDR. Depending on who you ask, you'll get differing opinions about what XDR is, where it came from, and whether or not you need it.
The fact is security teams continue to struggle with too many security tools from different vendors, with little integration of data or relevant threat intelligence.
These tools generate an alarming volume of alerts, leading to analysts chasing false positives or not looking into data because they lack the intelligence and expertise to prioritize the alerts that matter.
They’re also working in siloed environments, which makes it hard to collaborate and leads to more problems, including:
Overwhelming volumes of data make it difficult to prioritize security efforts and response
They lack insight into global threats and incidents and are unable to recognize the potential impact of known and unknown threats
The detection technologies they’ve installed are riddled with false positives that waste staff time
The reliance on a single vendor and the inability to tune security controls across multi-vendor security stacks makes it harder to prioritize investigations and incident response efforts
This is where XDR solutions come into play. We’ve aligned ourselves with Gartner’s definition of XDR, which states:
"XDR is a security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components."
In layman's terms:
XDR provides a holistic, more straightforward view of threats across an organization's entire technology landscape, providing the real-time information needed to deliver threats to the right people for better, faster outcomes.
Security teams can no longer only rely on the same tools they’ve used for threat detection and response.
Automation and big data management are needed to collect data across all installed security telemetry, along with advanced intelligence to understand and correlate threats. The improved automation allows teams to sift through the never-ending deluge of data to pinpoint relevant threats and quickly respond to those that matter before they turn into something catastrophic.
Anomali’s XDR solution combines our global threat intelligence with extended detection capabilities to stop breaches and attackers. Anomali XDR delivers:
Unified threat detection utilizing all installed security telemetry
Precision detection with timely alerts to stop threats earlier
Increased ROI with less administrative overhead
Higher fidelity alerts to reduce false positives and empower stretched IT teams
Retrospective search capabilities across 5+ years
Take a look at our webinar to learn more about how we can help you Pinpoint Relevant Threats w |
Tool
Threat
Guideline
|
|
|
|
2021-10-03 15:39:54 |
Video: CVE-2021-40444 Maldocs: Extracting URLs, (Sun, Oct 3rd) (lien direct) |
In this video, reacting to a reader's comment, I explain how you can add your own regex to my re-search.py tool (without changing the code).
|
Tool
|
|
★★★★
|
|
2021-10-01 10:15:09 |
New Tool to Add to Your LOLBAS List: cvtres.exe , (Fri, Oct 1st) (lien direct) |
LOLBAS (“Living Off the Land Binaries And Scripts”) is a list of tools[1] that are present on any Windows system because they are provided by Microsoft as useful tools to perform system maintenance, updates, etc. This list is maintained and upgraded regularly. It is a good starting point when you need to investigate suspicious process activity on a system (proactively or in a forensic investigation).
|
Tool
|
|
|
|
2021-10-01 09:55:31 |
Android, Java bug hunting tool Mariana Trench goes open source (lien direct) |
Mariana Trench originated as an internal Facebook tool. |
Tool
|
|
|
|
2021-09-30 20:25:27 |
How to run network diagnostic tests on Chrome OS (lien direct) |
Is your Chromebook having networking issues? Jack Wallen introduces you to a tool that could help you solve those problems. |
Tool
|
|
|
|
2021-09-30 15:32:05 |
Fake Amnesty International Pegasus scanner used to infect Windows (lien direct) |
Threat actors are trying to capitalize on the recent revelations on Pegasus spyware from Amnesty International to drop a less-known remote access tool called Sarwent. [...] |
Tool
Threat
|
|
|
|
2021-09-30 14:22:27 |
.NET 5, Source Generators, and Supply Chain Attacks (lien direct) |
IDEs and build infrastructure have been a target of various threat actors since at least 2015, when XcodeGhost was discovered (https://en.wikipedia.org/wiki/XcodeGhost): a malware-ridden copy of Apple's Xcode IDE that enabled attackers to plant malware in iOS applications built with it.
Attacks executed through builds abuse the trust we place in our build tools, IDEs, and software projects. This is slowly changing (for example, Visual Studio Code added a Workspace Trust feature in a recent release: https://code.visualstudio.com/docs/editor/workspace-trust ), yet at the same time .NET 5 added a powerful yet dangerous feature that could make attacks similar to those described above easier to implement and deliver, and easier to keep under the radar.
Source Generators introduction
Back in 2020 (https://devblogs.microsoft.com/dotnet/introducing-c-source-generators/ ) Microsoft announced a new and exciting feature of the upcoming .NET 5: Source Generators. This functionality is intended to enable easier compile-time metaprogramming. Similar in purpose to macros or compiler plugins, Source Generators offer more flexibility, as they are independent of the IDE and compiler and do not require modifications of the source code.
Source Generators can be present in your software solution as part of the Visual Studio solution structure, visible as a separate project in the IDE Solution Explorer. More often, they are added as a NuGet package, like any other dependency.
Compilation pipeline that includes a Source Generator, source: https://devblogs.microsoft.com/dotnet/introducing-c-source-generators/
Because Source Generators follow the same concept as Analyzers, they may ship with install and uninstall scripts. In the simple case, the install script modifies the project's csproj file so that the Source Generator is triggered at build time; the uninstall script removes any references to the Source Generator from the csproj file.
Note: supply chain attacks that utilize install scripts or build event scripts are certainly viable and have already been attempted in the wild, but the technique described in this blog post does not use scripts, making potential attacks harder to detect.
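Because a generator or analyzer wired into a csproj runs inside the compiler on every build, the references that pull one in are worth inventorying during review. The following audit script is an added example, not code from the original post or from Microsoft: it lists every such reference in a project file (analyzer-typed ProjectReference items, explicit Analyzer items, and PackageReference items not on an allowlist) and checks whether EmitCompilerGeneratedFiles is enabled so generated sources land on disk for inspection. The project file it parses is constructed for the demonstration.

```python
"""Inventory build-time code hooks (Source Generators / Analyzers) in a .csproj.

Added example for review tooling; the sample project below is constructed
and does not come from any real repository.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one generator referenced as a project, one prebuilt
# analyzer DLL, one NuGet package, and no EmitCompilerGeneratedFiles setting.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net5.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <ProjectReference Include="..\\Gen\\Gen.csproj"
                      OutputItemType="Analyzer"
                      ReferenceOutputAssembly="false" />
    <Analyzer Include="tools\\Helper.Generator.dll" />
    <PackageReference Include="Some.Package" Version="1.2.3" />
  </ItemGroup>
</Project>
"""


def _local(tag):
    """Strip an MSBuild xmlns prefix; old-style project files declare one."""
    return tag.rsplit("}", 1)[-1]


def audit_csproj(xml_text, allowed_packages=frozenset()):
    """Return (findings, emits_generated).

    findings is a list of (kind, include, reason) tuples in document order.
    emits_generated is True only when EmitCompilerGeneratedFiles is "true".
    """
    root = ET.fromstring(xml_text)
    findings = []
    emits_generated = False
    for el in root.iter():
        name = _local(el.tag)
        if name == "ProjectReference" and el.get("OutputItemType", "").lower() == "analyzer":
            # This is how a generator project is attached so the compiler loads it.
            findings.append(("analyzer-project", el.get("Include"),
                             "generator project runs inside the compiler at build time"))
        elif name == "Analyzer":
            # A prebuilt DLL handed straight to the compiler: no source to review.
            findings.append(("analyzer-dll", el.get("Include"),
                             "prebuilt analyzer/generator DLL loaded by the compiler"))
        elif name == "PackageReference":
            pkg = el.get("Include")
            if pkg and pkg not in allowed_packages:
                # A csproj alone cannot show whether the package ships analyzers;
                # flag anything not already vetted.
                findings.append(("package", pkg,
                                 "not on the allowlist; check the package's analyzers/ folder"))
        elif name == "EmitCompilerGeneratedFiles":
            emits_generated = (el.text or "").strip().lower() == "true"
    return findings, emits_generated


def report(xml_text, allowed_packages=frozenset()):
    """Human-readable lines for a review ticket."""
    findings, emits = audit_csproj(xml_text, allowed_packages)
    lines = [f"[{kind}] {include}: {reason}" for kind, include, reason in findings]
    if not emits:
        lines.append("[review] EmitCompilerGeneratedFiles is not true; "
                     "generated sources are not written to disk for inspection")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CSPROJ, allowed_packages={"Vetted.Package"}):
        print(line)
```

Point the script at every csproj in a solution and diff the output between revisions; a new analyzer-typed reference appearing in a dependency update is the event a reviewer wants to see.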
Generators can be used for various purposes; in the most trivial case, to inject code that will be callable from first-party code.
Source: https://devblogs.microsoft.com/dotnet/introducing-c-source-generators/
using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.Text;

namespace SourceGeneratorSamples
{
    [Generator]
    public class HelloWorldGenerator : ISourceGenerator
    {
        // The blog post predates the .NET 5 release and used the preview type names
        // SourceGeneratorContext and InitializationContext; the shipped Roslyn API renamed
        // them to GeneratorExecutionContext and GeneratorInitializationContext, used here.
        public void Execute(GeneratorExecutionContext context)
        {
            // begin creating the source we'll inject into the user's compilation
            var sourceBuilder = new StringBuilder(@"
using System;
namespace HelloWorldGenerated
{
    public static class HelloWorld
    {
        public static void SayHello()
        {
            Console.WriteLine(""Hello from generated code!"");
            Console.WriteLine(""The following syntax trees existed in the compilation that created this program:"");
");
            // using the context, get a list of syntax trees in the user's compilation
            var syntaxTrees = context.Compilation.SyntaxTrees;

            // add the file path of each tree to the class we're building
            foreach (SyntaxTree tree in syntaxTrees)
            {
                sourceBuilder.AppendLine($@"Console.WriteLine(@"" - {tree.FilePath}"");");
            }

            // finish creating the source to inject
            sourceBuilder.Append(@"
        }
    }
}");
            // inject the created source into the user's compilation
            context.AddSource("helloWorldGenerator", SourceText.From(sourceBuilder.ToString(), Encoding.UTF8));
        }

        public void Initialize(GeneratorInitializationContext context)
        {
            // No initialization required for this one
        }
    }
}
|
Malware
Tool
Threat
|
|
|
|
2021-09-30 13:25:16 |
New CISA Tool Helps Organizations Assess Insider Threat Risks (lien direct) |
The United States Cybersecurity and Infrastructure Security Agency (CISA) this week released a tool to help organizations assess their insider threat risk posture.
|
Tool
Threat
|
|
|
|
2021-09-30 07:19:56 |
(Déjà vu) CISA releases Insider Risk Mitigation Self-Assessment Tool (lien direct) |
The US CISA has released a new tool that allows organizations to assess their level of exposure to insider threats and devise their own defense plans against such risks. The US Cybersecurity and Infrastructure Security Agency (CISA) has released the Insider Risk Mitigation Self-Assessment Tool, a new tool that allows organizations to assess their […]
|
Tool
|
|
|
|
2021-09-30 06:22:42 |
Facebook released Mariana Trench tool to find flaws in Android and Java apps (lien direct) |
Facebook released Mariana Trench, an internal open-source tool that can be used to identify vulnerabilities in Android and Java applications. The Facebook security team has open-sourced the code for Mariana Trench, an internal open-source tool used by the company experts to identify vulnerabilities in Android and Java applications. The name comes from the Mariana Trench, the […]
|
Tool
|
|
|
|
2021-09-29 19:32:34 |
Facebook Open-Sources 'Mariana Trench' Code Analysis Tool (lien direct) |
Facebook's security team on Wednesday pulled the curtain on Mariana Trench, an open-source tool that it has been using internally to identify vulnerabilities in Android and Java applications.
|
Tool
|
|
|
|
2021-09-29 17:00:40 |
Google Maps tracks global warming with new “Fire” layer, tree canopy tool (lien direct) |
"Fire" will be a top-level layer just like traffic, satellite, and transit maps. |
Tool
|
|
|
|
2021-09-29 16:11:22 |
Facebook open-sources tool to find Android app security flaws (lien direct) |
Facebook today open-sourced a static analysis tool its software and security engineers use internally to find potentially dangerous security and privacy flaws in the company's Android and Java applications. [...] |
Tool
|
|
|
|
2021-09-29 14:17:43 |
CISA releases tool to help orgs fend off insider threat risks (lien direct) |
The US Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool that allows public and private sector organizations to assess their vulnerability to insider threats and devise their own defense plans against such risks. [...] |
Tool
Vulnerability
Threat
|
|
|
|
2021-09-29 10:59:29 |
Facebook Releases New Tool That Finds Security and Privacy Bugs in Android Apps (lien direct) |
Facebook on Wednesday announced it's open-sourcing Mariana Trench, an Android-focused static analysis platform the company uses to detect and prevent security and privacy bugs in applications created for the mobile operating system at scale.
"[Mariana Trench] is designed to be able to scan large mobile codebases and flag potential issues on pull requests before they make it into production," the |
Tool
|
|
|
|
2021-09-29 10:51:00 |
FoggyWeb malware latest tool of dangerous Nobelium APT (lien direct) |
Pas de details / No more details |
Malware
Tool
|
|
|
|
2021-09-28 11:19:08 |
ImmuniWeb Launches Free Tool for Identifying Unprotected Cloud Storage (lien direct) |
Switzerland-based web and application security company ImmuniWeb on Tuesday announced the launch of a free online tool designed to help organizations identify unprotected cloud storage.
|
Tool
|
|
★★★
|
|
2021-09-28 01:32:38 |
New BloodyStealer Trojan Steals Gamers' Epic Games and Steam Accounts (lien direct) |
A new advanced trojan sold on Russian-speaking underground forums comes with capabilities to steal users' accounts on popular online video game distribution services, including Steam, Epic Games Store, and EA Origin, underscoring a growing threat to the lucrative gaming market.
Cybersecurity firm Kaspersky, which coined the malware "BloodyStealer," said it first detected the malicious tool in |
Malware
Tool
Threat
|
|
|
|
2021-09-23 20:48:44 |
Urgent Apple iOS and macOS Updates Released to Fix Actively Exploited Zero-Days (lien direct) |
Apple on Thursday released security updates to fix multiple security vulnerabilities in older versions of iOS and macOS that it says have been detected in exploits in the wild, in addition to expanding patches for a previously plugged security weakness abused by NSO Group's Pegasus surveillance tool to target iPhone users.
Chief among them is CVE-2021-30869, a type confusion flaw |
Tool
|
|
|
|
2021-09-22 16:00:00 |
How to Build a Winning Cybersecurity Resume (lien direct) |
Career advancement is an art form with many facets. One vital tool is your cybersecurity resume, the quality of which can mean the difference between getting an interview for your dream job and not being considered at all. Following the standard advice on building a resume will give you a standard resume that won’t set […]
|
Tool
|
|
|
|
2021-09-21 21:57:41 |
How to use the FILTER() dynamic array function in Excel (lien direct) |
Microsoft Excel's new FILTER() function is a great tool for reporting and dashboards. We'll show you how to use it to get more done. |
Tool
|
|
|
|
2021-09-21 19:57:00 |
Automation in Reverse Engineering C++ STL/Template Code (lien direct) |
There are three major elements to reverse engineering C++ code that uses STL container classes:
Determining in the first place that an STL container is being used, and which category, i.e., std::list vs. std::vector vs. std::set
Determining the element type, i.e., T in the categories above
Creating data types in your reverse engineering tool of choice, and applying those types to the decompilation or disassembly listing.
Though all of those elements are important, this entry focuses on the last one: creating instantiated STL data types, and more specifically, types that can be used in Hex-Rays. The main contribution of this entry is simply its underlying idea, as I have never seen it published anywhere else; the code itself is simple enough, and can be adapted to any reverse engineering framework with a type system that supports user-defined structures.
I have spent the pandemic working on a new training class on C++ reverse engineering; the images and concepts in this blog entry are taken from the class material. The class goes into much more depth than this entry, with material on structure and type reconstruction and individual sections on each of the common STL containers.
(If you are interested in the forthcoming C++ training class, it will be completed early next year, and available for in-person delivery when the world is more hospitable. If you would like to be notified when public in-person classes for the C++ course are ready, please sign up on our no-spam, very low-volume, course notification mailing list. (Click the button that says "Provide your email to be notified of public course availability".) )
Overview and Motivation
At a language level, C++ templates are one of the most complex features of any mainstream programming language. Their introduction in the first place -- as opposed to a restricted, less-powerful version -- was arguably a bad mistake. They are vastly overcomplicated, and in earlier revisions, advanced usage was relegated to true C++ experts. Over time, their complexity has infested other elements of the language, such as forming the basis for the C++11 auto keyword. However, the basic, original ideas behind C++ templates were inconspicuous enough, and are easy to explain to neophytes. Moreover, reverse engineers do not need to understand the full complexity of C++ templates for day-to-day work.
Let's begin with a high-level overview of which problems in C software development that C++ templates endeavored to solve, and roughly how they solved them. Put simply, many features of C++ were designed to alleviate situations where common practice in C was to copy and paste existing code and tweak it slightly. In particular, templates alleviate issues with re-using code for different underlying data types.
C does offer one alternative to copy-and-paste in this regard -- the macro preprocessor -- though it is a poor, cumbersome, and limited solution. Let's walk through a small real-world example. Suppose we had code to shuffle the contents of a char array, and we wanted to re-use it to shuffle int arrays.
|
Tool
Guideline
|
|
|
|
2021-09-21 16:09:00 |
Anomali Cyber Watch: Vermillion Strike, Operation Layover, New Malware Uses Windows Subsystem For Linux and More (lien direct) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Strike, ELF, Data Leak, MSHTML, Remote Code Execution, Windows Subsystem, VBScript, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
CISA: Patch Zoho Bug Being Exploited by APT Groups
(published: September 17, 2021)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a critical authentication bypass vulnerability, registered as “CVE-2021-4053,” that affects Zoho’s “ManageEngine ADSelfService Plus.” The vulnerability affects ManageEngine, a self-service password management and single sign-on solution from the online productivity vendor. According to CISA, the authentication bypass could allow for Remote Code Execution (RCE) if exploited. Successful exploitation of the vulnerability allows an actor to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, lateral movement, and exfiltrating registry hives and Active Directory files. Zoho released a patch for this vulnerability on September 6, but CISA claimed that malicious actors might have been exploiting it as far back as August.
Analyst Comment: Users should immediately apply the patch released by Zoho. Continuing usage of vulnerable applications will increase the likelihood that threat actors will attempt to exploit them, especially with open sources discussing the details of some vulnerabilities. These sources could allow some actors to create exploits to vulnerable software with malicious intent.
MITRE ATT&CK: [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Valid Accounts - T1078
Tags: APT, Bug, Vulnerability, Zoho
Operation Layover: How We Tracked An Attack On The Aviation Industry to Five Years of Compromise
(published: September 16, 2021)
Cisco Talos, along with Microsoft researchers, have identified a spearphishing campaign that has been targeting the aviation sector for at least two years. The actors behind this campaign used email spoofing to masquerade as legitimate organizations. The emails contained an attached PDF file that included an embedded link, containing a malicious VBScript which would then drop Trojan payloads on a target machine. The malware was used to spy on victims as well as to exfiltrate data including credentials, screenshots, clipboard, and webcam data. The threat actor attributed to this campaign has also been linked to crypter purchases from online forums; his personal phone number and email addresses were revealed, although these findings have not been verified. The actor is believed to be located in Nigeria and is suspected of being active since at least 2013, because the IPs connected to the hosts, domains, and the attacks at large originate from this country.
Analyst Comment: Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a |
Spam
Malware
Tool
Vulnerability
Threat
|
|
|
|
2021-09-21 14:54:13 |
Microsoft PC Health Check adds detailed Windows 11 compatibility info (lien direct) |
Microsoft has released an updated PC Health Check tool that provides detailed information about whether a device's hardware is compatible with Windows 11. [...] |
Tool
|
|
|
|
2021-09-21 10:49:49 |
MPT's Value at Veracode (lien direct) |
You finally have some budget to buy tools for your application security (AppSec) program! GREAT! Purchasing the correct tools for your AppSec program can be overwhelming. Even when looking only at point solutions, there still may be some confusion on the value that various tools can provide. Sometimes you'll find the perfect tool, but others may offer you a similar tool with added manual penetration testing (MPT) as part of the overall bundle. That seems like a great idea for the budget. Let's dive in and see what type of value these other offerings really provide.
First, let's cover the shortcomings of other Automated Tools + Manual Penetration Testing bundles. This is going to be pretty high level and will avoid comprehensive dives for ease of consumption. If you read anything, read the short bulleted list!
Who is doing your MPT as part of this engagement?
Veracode has world-famous authors and hackers on their MPT teams. Please reach out and ask for our MPT team profile and then google them! Chances are that your bundled MPT is being conducted by offshore teams to provide cost savings.
Apps don't get great coverage with MPT
This is a light MPT engagement when bundled. Ask for regular pricing so you can see the difference. Typically you can gauge the effectiveness of the offering by comparing the 1-day retail price of MPT to what is offered in the bundled offering.
Cheap MPT and any other labor-intensive-based offerings DO NOT SCALE!
Think about it. MPT on demand? Do they have people staffed and waiting for you to make a request? How is it that the queue is not long? Also, claimed less than 1% FP rates due to manual labor scrubbing DO NOT SCALE. Remember, anything labor-intensive requires people being on payroll and WORKING. If they are not WORKING, they are on stand-by. We all know that no one is hired to be on stand-by.
Why Veracode's Manual Penetration Testing value can NOT be beaten
Veracode's value in MPT can be summarized into four major points: Single Pane Looking Glass reports, Comprehensive Security Analysis Value, Remediation and AppSec Program Assistance, and scalability.
Single pane looking glass report
Veracode has a single pane looking glass capability that is unmatched in the industry. You can purchase Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration testing. Then you can generate a report with all the findings on one PDF in the context of a single application. With our big data analytics tools, you can then generate views on the entire organization portfolio or per team application's security posture.
Comprehensive security analysis value
If you already are a customer of our automated tools, then MPT with Veracode generates a value proposition that CAN NOT be beaten. For example, if you are running daily/weekly SAST, DAST, and SCA checks, MPT will skip all the findings in those reports. This allows us to find more complex and nefarious things that automated tools simply can not do.
With other MPT offerings, the vendors must use the hours and will not know to skip the low-hanging fruit that our tools already caught, such as SQL Injections, cross-site scripting, etc. Since other vendors don't have access to the same analysis, they must generate as many findings as they can per hour. When you compare hour-for-hour MPT offerings against Veracode, you will find that Veracode can do more with an hour of MPT than any other vendor can.
Remediation and AppSec program assistance
Other vendors won't have the experience in providing remediation advice or AppSec program assistance that Veracode has. Don't spend hours looking for answers. Speak to one of our services experts to help you fix the findings we generate or help manage your application security program. This is not an extra add-on; this is included upfront so it is easy to forecast and budget. If your security or dev teams have questions, Veracode is there to help.
Scalability
No other Vendor can scale like Veracode. In our automated tools, we don't lean on manual labor to generate better findings. I |
Tool
|
|
|
|
2021-09-20 19:00:00 |
Zero Trust: Follow a Model, Not a Tool (lien direct) |
The zero trust model is going mainstream, and for good reason. The rise in advanced attacks, plus IT trends that include the move to hybrid cloud and remote work, demand more exacting and granular defenses. Zero trust ensures verification and authorization for every device, every application and every user gaining access to every resource. This […]
|
Tool
|
|
|
|
2021-09-17 16:24:00 |
(Déjà vu) Free REvil Decryptor Launched (lien direct) |
New Bitdefender tool unlocks many files encrypted by REvil ransomware prior to July 13 |
Ransomware
Tool
|
|
|
|
2021-09-16 15:49:03 |
(Déjà vu) Bitdefender offers free decryptor for REvil ransomware victims (lien direct) |
The free decryption tool will help victims restore their encrypted files from attacks made before July 13, 2021, says Bitdefender. |
Ransomware
Tool
|
|
|
|
2021-09-15 19:15:09 |
CVE-2021-33701 (lien direct) |
DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability. |
Tool
Guideline
|
|
|
|
2021-09-15 17:15:10 |
CVE-2021-39392 (lien direct) |
The management tool in MyLittleBackup up to and including 1.7 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code. |
Tool
|
|
|
|
2021-09-14 22:44:26 |
ELFant in the Room – capa v3 (lien direct) |
Since our initial public release of capa, incident responders and reverse engineers have used the tool to automatically identify capabilities in Windows executables. With our newest code and ruleset updates, capa v3 also identifies capabilities in Executable and Linkable Format (ELF) files, such as those used on Linux and other Unix-like operating systems. This blog post describes the extended analysis and other improvements. You can download capa v3 standalone binaries from the project's release page and check out the source code on GitHub.
ELF File Format Support
capa finds capabilities in programs by parsing executable file formats, disassembling code, and then recognizing features in functions. In versions v1 and v2, capa only understood the PE file format, so its analysis was restricted to Windows programs. Thanks to our colleagues at Intezer, capa now recognizes ELF files! This means you can use the tool to identify behaviors in malware that targets Linux computers. Figure 1 shows a rule that describes techniques to fetch the current user on Linux.
Figure 1: capa rule identifying capabilities on Linux
We're excited Intezer leverages capa and thrilled they are sharing their improvements with the community. In addition to the code updates, Intezer proposed 36 capa rules to identify various capabilities in ELF files, such as reconnaissance, persistence, and host interaction techniques. Please read Intezer's blog post for more details.
New Features capa Can Recognize
As we taught capa to recognize ELF files, we also wanted rule authors to tune their rules to find behaviors specific to different operating systems (OS), CPU architectures, and file formats. For example, the APIs exposed by Windows are very different from those found on Linux systems; therefore, rules should clearly designate which pattern to use on Windows versus Linux.
Based on discussions and feedback collected from users and contributors, we've extended capa's rule format to describe OSes, CPU architectures, and file formats. The rule shown in Figure 2 uses os features to distinguish techniques used to get networking interface information on Windows and Linux. Note that the rule is explicit about which APIs are found on each OS, making it easy for both humans and machines to interpret the matching logic.
Figure 2: capa rule using the os feature to distinguish OS specific features
We've also added arch (such as arch: i386 for 32-bit Intel code) and format (such as format: elf for ELF files) features to distinguish between CPU architectures and file formats. To learn more about these and capa's rule syntax see the rule format documentation on GitHub.
Unfortunately, rules with these new features are not backwards compatible with older versions of capa. Therefore, you should prefer to upgrade your capa installation to take advantage of our enhanced rules.
Substring Features
To make many rules easier to read, we've added a convenience feature named substring that acts |
Malware
Tool
Guideline
|
|
|
|
2021-09-14 15:00:00 |
Anomali Cyber Watch: Azurescape Cloud Threat, MSHTML 0-Day in The Wild, Confluence Cloud Hacked to Mine Monero, and More (lien direct) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, Confluence, Cloud, MSHTML, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag.
Trending Cyber News and Threat Intelligence
S.O.V.A. – A New Android Banking Trojan with Fowl Intentions
(published: September 10, 2021)
ThreatFabric researchers have discovered a new Android banking trojan called S.O.V.A. The malware is still in the development and testing phase, and the threat actor is publicly advertising S.O.V.A. for trial runs targeting banks to improve its functionality. The trojan’s primary objective is to steal personally identifiable information (PII). This is conducted through overlay attacks, keylogging, man-in-the-middle attacks, and session cookie theft, among others. The malware author is also working on other features, such as distributed denial-of-service (DDoS) and ransomware, on S.O.V.A.’s project roadmap.
Analyst Comment: Always keep your mobile phone fully patched with the latest security updates. Only use official locations such as the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. Furthermore, always review the permissions an app will request upon installation.
MITRE ATT&CK: [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Man-in-the-Middle - T1557 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Android, Banking trojan, S.O.V.A., Overlay, Keylogging, Cookies, Man-in-the-Middle
Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances
(published: September 9, 2021)
Unit 42 researchers identified and disclosed critical security issues in Microsoft’s Container-as-a-Service (CaaS) offering called Azure Container Instances (ACI). A malicious Azure user could have compromised the multitenant Kubernetes clusters hosting ACI, establishing full control over other users' containers. Researchers gave the vulnerability a specific name, Azurescape, highlighting its significance: it is the first cross-account container takeover in the public cloud.
Analyst Comment: Azurescape vulnerabilities could have allowed an attacker to execute code on other users' containers, steal customer secrets and images deployed to the platform, and abuse ACI's infrastructure processing power. Microsoft patched ACI shortly after the discl |
Ransomware
Spam
Malware
Tool
Vulnerability
Threat
Guideline
|
Uber
APT 41
APT 15
|
|
|
2021-09-14 14:30:00 |
How to configure Invoice Plane for in-app invoice mailing (lien direct) |
Invoice Plane is a powerful open-source invoicing tool perfectly suited for small-business data centers. Jack Wallen shows you how to add invoice emailing to the application. |
Tool
|
|
|
|
2021-09-14 06:00:39 |
Vermilion Strike, a Linux implementation of Cobalt Strike Beacon used in attacks (lien direct) |
Researchers discovered Linux and Windows implementations of the Cobalt Strike Beacon developed by attackers that were actively used in attacks in the wild. Threat actors re-implemented from scratch unofficial Linux and Windows versions of the Cobalt Strike Beacon and are actively using them in attacks aimed at organizations worldwide. Cobalt Strike is a legitimate penetration testing tool designed as an attack […]
|
Tool
Threat
|
|
|
|
2021-09-13 20:42:07 |
Linux Implementation of Cobalt Strike Beacon Targeting Organizations Worldwide (lien direct) |
Researchers on Monday took the wraps off a newly discovered Linux and Windows re-implementation of Cobalt Strike Beacon that's actively set its sights on government, telecommunications, information technology, and financial institutions in the wild.
The as-yet undetected version of the penetration testing tool - codenamed "Vermilion Strike" - marks one of the rare Linux ports, which has been |
Tool
|
|
|
|
2021-09-09 14:00:00 |
Optimizing Your Cybersecurity with Intelligence-Powered Detection (lien direct) |
The recent large-scale cyberattacks have shown that any organization, regardless of size or industry, may be targeted at any time. Despite deploying multiple tools, security teams struggle to pinpoint relevant threats, wasting time sifting through incoming data and false positives and cannot act swiftly to real threats facing their business.
A recent Dark Reading study revealed that while many organizations have improved their threat detection capabilities over the last few years, they lack threat visibility and are still reliant on too many manual processes. These shortcomings in combating cyber threats result in alert fatigue, smoldering fires, and siloed threat intelligence.
The question then becomes:
“How can my organization optimize its threat detection system?”
Threat Detection as Process
There are multiple ways to detect a potential threat. These can include global threat intelligence, human expertise in threat identification, and advanced tools for identifying malicious activity. While all are essential elements, they need to work together effectively to create an optimized security program. Too often, the security process goes in one direction, from threat intelligence gathering to analysis and monitoring by the security operations center (SOC) and then on to security engineering to prioritize remediation.
Creating a collaborative system with feedback loops between security teams and other key stakeholders is a much more effective way to avoid siloed intelligence and rapidly identify relevant threats. In this security ecosystem approach, the threat intel team automates intelligence gathering, prioritizes against intelligence initiatives, and incorporates any new requirements coming from security engineering. The SOC then monitors and prioritizes the continually updating threat requirements to help the threat team find relevant attacks. Security engineering prioritizes remediation and then feeds the revised intelligence requirements back to the SOC, reflecting any changes in vulnerabilities.
Intelligence-Powered Threat Detection
Implementing an effective collaborative system with two-way fluid communication requires intelligence-powered threat detection. Detection enables intelligent orchestration through your security organization and ensures that the global intelligence is relevant. Machine learning is leveraged to make sure severity scoring is conducted quickly and effectively. An intelligence-driven platform can process millions of indicators of compromise (IoCs) and billions of internal log entries, operationalizing threat data and automatically showing security teams what is relevant to them and which data are actionable intelligence. The identified indicators of interest can then be fed directly to the endpoints and firewalls for blocking.
Extended Detection and Response or XDR
Extended detection and response or XDR is a security framework that unifies threat detection and response into a single platform. It collects and correlates data automatically from disparate security components installed in a customer's environment. XDR can provide better security than isolated tools by reducing the complexity of security configuration and incident response.
For example, you can extinguish smoldering fires using XDR, as big data support on the backend enables quick indexing and searches going back years. Alert fatigue is relieved by the automated updating of IRs and allowing threat intelligence teams to focus on relevant IoCs. And, because it bridges different tools and systems, XDR can also facilitate feedback loops between cybersecurity teams and stakeholders.
Vendor-agnostic XDR platforms |
Tool
Threat
|
|
|
|
2021-09-08 21:15:10 |
CVE-2021-30605 (lien direct) |
Inappropriate implementation in the ChromeOS Readiness Tool installer on Windows prior to 1.0.2.0 loosens DCOM access rights on two objects allowing an attacker to potentially bypass discretionary access controls. |
Tool
|
|
|
|
2021-09-08 18:43:43 |
Machine learning is a great tool for cybersecurity, but be cautious, expert says (lien direct) |
Supervised and unsupervised machine learning are good ways to detect threats. But what's the difference? |
Tool
|
|
|
|