The ability to add Internet connectivity to devices has become very easy: one extra chip handles the connection. But adding the necessary security is not so easy. There is no chip that can be added to provide security.
http://www.cnbc.com/2016/03/04/how-the-internet-of-things-could-be-fatal.html
Follow on Twitter: ITSECSAM
Discussing some of the tools I am using to make systems more secure, as well as tools that make system administration easier.
Monday, March 7, 2016
Friday, March 4, 2016
Problems with reporting attribution of cyber attacks in Threat Intelligence.
Companies are trying to get headlines by announcing attribution for cyber attacks seen in Threat Intelligence reporting. Attributing where a cyber attack came from is hard, and a wrong attribution may lead to wrong decisions about how to block it.
http://www.robertmlee.org/the-problems-with-seeking-and-avoiding-true-attribution-to-cyber-attacks/
Follow on Twitter: ITSECSAM
Wednesday, March 2, 2016
Microsoft releases an updated Windows Defender on Windows 10
Microsoft has just announced Windows Defender Advanced Threat Protection, extending the Windows Defender built into Windows 10. http://news.softpedia.com/news/microsoft-launches-windows-defender-advanced-threat-protection-501198.shtml
Follow on Twitter: ITSECSAM
Paper about forensics on a virtual OS running from a thumb drive.
Performing forensics on a virtual OS run from a thumb drive can be challenging. This paper walks through some of the gotchas.
Tracing Forensic Artifacts from USB-Bound Computing Environments on Windows Hosts
Follow on Twitter: ITSECSAM
Friday, February 26, 2016
New Threat Intelligence sharing coming from DHS
DHS has been tasked with sharing its Threat Intelligence with businesses in an effort to improve cyber security.
http://www.technewsworld.com/story/DHS-Ready-to-Share-Intelligence-With-Private-Sector-83127.html
Follow on Twitter: ITSECSAM
Monday, February 22, 2016
Exploring Prefetch Files
One of the first things I look at when performing forensics on a system is the prefetch files, which give a record of recently run software on the system. Some malware now recognizes the importance of these files and deletes them when it runs.
For cases where the prefetch files are still present, there is a great open source tool to parse them and convert the output to a usable format.
Here is the link:
https://github.com/EricZimmerman/PECmd
Follow on Twitter: ITSECSAM
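It helps to know what a prefetch parser such as PECmd actually reads. The following is an added example, not part of the original post or of the PECmd project: a minimal parser for the uncompressed prefetch layout (format versions 17 and 23, Windows XP through Windows 7) that pulls out the executable name, path hash, last-run time, run count and the list of files the program touched while starting. The sample file it parses is constructed in build_sample_prefetch(), so the NOTEPAD.EXE name, hash and timestamp in it are invented; the field offsets follow the documented format. Windows 10 prefetch files are stored compressed behind an "MAM" header, which the parser rejects with an error rather than misparsing.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 84                 # fixed header: version, "SCCA", unknown, size, exe name, hash, unknown
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Offsets inside the "file information" block that starts at HEADER_SIZE, per format version:
# (filename-strings offset/size pair, last-run FILETIME, run counter)
VERSION_LAYOUT = {
    17: (16, 36, 60),   # Windows XP / Server 2003
    23: (16, 44, 68),   # Windows Vista / 7
}


def filetime_to_iso(filetime):
    """64-bit Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO-8601 string."""
    return (FILETIME_EPOCH + timedelta(microseconds=filetime // 10)).isoformat()


def parse_prefetch(data):
    """Return the fields an examiner looks at first from an uncompressed .pf file."""
    if data[:3] == b"MAM":
        # Windows 10 stores prefetch files XPRESS-Huffman compressed behind an "MAM" header.
        # Decompress first (PECmd does this itself); this parser handles the raw SCCA layout only.
        raise ValueError("compressed prefetch file: decompress before parsing")
    version, signature, _unknown, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    if version not in VERSION_LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    if file_size != len(data):
        raise ValueError("size field disagrees with data length: truncated or tampered file")

    # Executable name: 60 bytes of NUL-padded UTF-16LE directly after the size field.
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    # The hash that appears in the .pf file name is computed over the full path, so the same
    # binary run from two directories leaves two prefetch files.
    (path_hash,) = struct.unpack_from("<I", data, 76)

    strings_field, last_run_field, run_count_field = VERSION_LAYOUT[version]
    info = HEADER_SIZE
    strings_off, strings_size = struct.unpack_from("<II", data, info + strings_field)
    (last_run,) = struct.unpack_from("<Q", data, info + last_run_field)
    (run_count,) = struct.unpack_from("<I", data, info + run_count_field)

    # Filename strings: back-to-back NUL-terminated UTF-16LE device paths of every file the
    # executable touched during its first seconds of execution (DLLs, config, data files).
    blob = data[strings_off:strings_off + strings_size].decode("utf-16-le")
    loaded_files = [s for s in blob.split("\x00") if s]

    return {
        "version": version,
        "executable": exe_name,
        "path_hash": f"{path_hash:08X}",
        "last_run": filetime_to_iso(last_run),
        "run_count": run_count,
        "loaded_files": loaded_files,
    }


def build_sample_prefetch():
    """Constructed Windows 7 (version 23) prefetch file for NOTEPAD.EXE; not a real capture."""
    loaded = [
        "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
        "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE",
    ]
    strings = "".join(s + "\x00" for s in loaded).encode("utf-16-le")
    info_size = 156                                # file-information block size for version 23
    strings_off = HEADER_SIZE + info_size
    file_size = strings_off + len(strings)
    last_run = datetime(2016, 2, 22, 14, 30, tzinfo=timezone.utc)   # invented timestamp
    filetime = int((last_run - FILETIME_EPOCH).total_seconds()) * 10_000_000

    info = bytearray(info_size)
    struct.pack_into("<II", info, 16, strings_off, len(strings))
    struct.pack_into("<Q", info, 44, filetime)
    struct.pack_into("<I", info, 68, 7)            # run counter
    name = "NOTEPAD.EXE".encode("utf-16-le").ljust(60, b"\x00")
    header = (struct.pack("<I4sII", 23, b"SCCA", 0x0F, file_size)
              + name + struct.pack("<II", 0xD8414F97, 0))        # invented path hash
    return bytes(header + info + strings)


if __name__ == "__main__":
    for key, value in parse_prefetch(build_sample_prefetch()).items():
        print(f"{key}: {value}")
```

The loaded-file list is often the more useful part: a legitimate-looking executable name that pulled in a DLL from a user-writable directory is worth a second look even when the run count and timestamp are unremarkable.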
MALTRAIL - Malware Network Sensor
There is a GitHub project to build a network-based malware detection system. It uses blacklists and other open source information to build up a scoring system for network traffic that indicates the presence of malware.
I have not tested this system yet; however, we are in the process of bringing in new equipment, which frees up some older equipment to run tests on.
Here is the link:
https://github.com/stamparm/maltrail
Follow on Twitter: ITSECSAM
Analyze Volume Shadow Copies
Back in December, Harlan Carvey posted a blog about the use of tools to analyze Volume Shadow Copies to uncover historical information about the operation of a system.
If malware has been running for a while, or the user has been performing activities of interest, then looking at the Volume Shadow Copies can aid the investigation: older copies of registry hives, prefetch files and logs survive there after the live versions have been overwritten or deleted.
Here is the link:
http://windowsir.blogspot.com/2015/12/working-with-shadow-volumes.html
Follow on Twitter: ITSECSAM
Using Python to mount a Forensics Image
The folks at Hacking Exposed have a good article about installing dfVFS on Windows without compiling. dfVFS builds on the SleuthKit Python bindings and lets you open and walk forensic image files from Python.
I have not tried this process out, but I can imagine an automated tool which would make use of these libraries.
Here is the link:
Hacking Exposed Computer Forensics Blog: How to install dfVFS on Windows without compiling
Follow on Twitter: ITSECSAM
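Before dfVFS or the SleuthKit can open a volume inside a raw disk image, something has to find where that volume starts; dfVFS does this for you, but it is worth seeing the step itself. The following is an added example, not code from the Hacking Exposed article or from dfVFS: it walks the four primary entries of a raw image's MBR, reports each partition's byte offset and type, confirms that an entry really points at NTFS by reading the OEM ID of its boot sector, and refuses to guess on a GPT disk. The image it parses is constructed in build_sample_image(), so no real acquisition is needed.

```python
import struct

SECTOR = 512
MBR_ENTRY_OFFSET = 446           # four 16-byte partition entries precede the 0x55AA signature
PARTITION_TYPES = {
    0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr_partitions(image):
    """Walk the four primary MBR entries and return where each partition starts, in bytes."""
    mbr = image[:SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("no MBR boot signature: not a raw disk image, or image is truncated")
    partitions = []
    for index in range(4):
        start = MBR_ENTRY_OFFSET + 16 * index
        # status(1) CHS start(3, ignored) type(1) CHS end(3, ignored) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, start)
        if ptype == 0:
            continue                              # empty slot
        if ptype == 0xEE:
            # A protective MBR means the real layout lives in the GPT header at LBA 1;
            # reading the fake entry as a volume would point at the wrong place.
            raise ValueError("protective MBR: this is a GPT disk, parse the GPT header instead")
        partitions.append({
            "index": index,
            "type": PARTITION_TYPES.get(ptype, f"0x{ptype:02X}"),
            "bootable": status == 0x80,
            "start_lba": lba_start,
            "offset": lba_start * SECTOR,         # what mount -o offset= and dfVFS need
            "size": sectors * SECTOR,
        })
    return partitions


def volume_boot_oem(image, offset):
    """OEM ID at bytes 3..10 of the volume boot record; b'NTFS    ' confirms an NTFS volume."""
    return image[offset + 3:offset + 11]


def build_sample_image():
    """Constructed raw image: one bootable NTFS partition at LBA 2048; not a real acquisition."""
    image = bytearray(SECTOR * 2049)              # just enough to hold the MBR and the VBR
    image[MBR_ENTRY_OFFSET:MBR_ENTRY_OFFSET + 16] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    image[510:512] = b"\x55\xAA"
    vbr = 2048 * SECTOR
    image[vbr:vbr + 3] = b"\xEB\x52\x90"          # jump instruction that opens every NTFS boot sector
    image[vbr + 3:vbr + 11] = b"NTFS    "
    image[vbr + 510:vbr + 512] = b"\x55\xAA"
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for part in parse_mbr_partitions(img):
        oem = volume_boot_oem(img, part["offset"])
        print(f"partition {part['index']}: {part['type']} at byte {part['offset']} oem={oem!r}")
```

The byte offset is what `mount -o ro,loop,offset=<bytes>` wants on Linux; the SleuthKit command-line tools take the same value in sectors through their `-o` option. Checking the OEM ID before trusting the partition type catches the common case of a stale or edited partition table pointing at something that is no longer a filesystem.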
Critical Stack
In December I found Critical Stack, which adds Threat Intelligence feeds to the BRO network monitoring tool. I find that BRO is a good complement to running SNORT due to its ability to report on the URLs in the network traffic, what software is being used (although SNORT is trying to add this feature), additional information about encrypted sessions, and netflow data.
Critical Stack is easy to set up and has a web interface to pick and choose which Threat Intelligence feeds you want to use. It then automates receiving updates from the feeds, which are used to flag traffic as it goes by.
Here is the link:
https://criticalstack.com/
Follow on Twitter: ITSECSAM
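The MALTRAIL and Critical Stack posts above describe the same mechanism: indicators pulled from feeds are matched against traffic and hits are scored per host. The following is an added example, not code from either project or from BRO: it loads indicators from a file in the tab-separated format BRO's Intel framework reads (the format the Critical Stack agent produces for BRO), matches them against a handful of constructed DNS, connection and HTTP events, and groups the hits per internal host so the noisiest host rises to the top. The feed contents, event records and addresses are all constructed for the example. One deliberate difference from BRO, which matches Intel::DOMAIN indicators exactly, is that the example also flags subdomains of a listed domain; that choice is marked in the code.

```python
from collections import defaultdict

# Constructed indicator file in the BRO Intel framework layout; none of these are real indicators.
INTEL_FILE = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url\n"
    "198.51.100.23\tIntel::ADDR\tconstructed-feed\tC2 node\thttp://feed.invalid/list\n"
    "bad-updates.example\tIntel::DOMAIN\tconstructed-feed\tmalware download host\thttp://feed.invalid/list\n"
    "example.org/wp-content/up.php\tIntel::URL\tconstructed-feed\tphishing kit\thttp://feed.invalid/list\n"
)

# Constructed events, simplified from what BRO's dns.log, conn.log and http.log carry.
SAMPLE_EVENTS = [
    {"ts": 1456146000, "src": "10.0.0.5", "kind": "dns",  "query": "cdn.bad-updates.example"},
    {"ts": 1456146001, "src": "10.0.0.5", "kind": "conn", "dst": "198.51.100.23"},
    {"ts": 1456146002, "src": "10.0.0.9", "kind": "http", "host": "example.org", "uri": "/wp-content/up.php"},
    {"ts": 1456146003, "src": "10.0.0.9", "kind": "dns",  "query": "www.example.com"},
    {"ts": 1456146004, "src": "10.0.0.7", "kind": "conn", "dst": "93.184.216.34"},
]


def load_intel(text):
    """Parse a BRO Intel file ('#fields' header, tab separated) into {indicator_type: {indicator: desc}}."""
    fields, table = None, defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]         # column names follow the '#fields' token
            continue
        if line.startswith("#") or fields is None:
            continue                              # comments, or data before any header
        row = dict(zip(fields, line.split("\t")))
        table[row["indicator_type"]][row["indicator"].lower()] = row.get("meta.desc", "")
    return table


def domain_candidates(name):
    """Yield the name and each parent domain down to (not including) the top-level label.
    BRO matches DOMAIN indicators exactly; widening to parents is this example's choice, so a
    listed 'bad-updates.example' also catches 'cdn.bad-updates.example'."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def match_event(event, intel):
    """Return (indicator, description) for the first indicator the event touches, else None."""
    kind = event["kind"]
    if kind == "conn":
        candidates = [("Intel::ADDR", event["dst"])]
    elif kind == "dns":
        candidates = [("Intel::DOMAIN", d) for d in domain_candidates(event["query"])]
    elif kind == "http":
        # URL indicators carry no scheme, so compare host + path; the bare host can also be listed.
        candidates = [("Intel::URL", (event["host"] + event["uri"]).lower()),
                      ("Intel::DOMAIN", event["host"].lower())]
    else:
        return None
    for itype, value in candidates:
        if value in intel[itype]:
            return value, intel[itype][value]
    return None


def scan(events, intel):
    """Group hits by internal source host, most hits first; the hit count is a crude per-host score."""
    report = defaultdict(list)
    for event in events:
        hit = match_event(event, intel)
        if hit:
            report[event["src"]].append((event["ts"], event["kind"], *hit))
    return dict(sorted(report.items(), key=lambda kv: len(kv[1]), reverse=True))


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS, load_intel(INTEL_FILE)).items():
        print(host, len(hits), hits)
```

Indicator matching is only as good as the feed behind it, which is the point of the attribution post earlier on this page: a host that resolves a listed domain once is a lead, not a verdict, and the per-host grouping is there to show which leads are worth pulling first.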
NMAP has been updated to version 7
Back in November, NMAP was updated to version 7. This version includes a large number of NSE scripts, which makes it start to resemble the Nessus scanner.
For anyone interested in scanning networks with open source tools, here is the link:
https://nmap.org/
Follow on Twitter: ITSECSAM
Mandiant Volatility Plugin
Back in November, Mandiant released a new Volatility plugin which finds the ShimCache (Application Compatibility Cache) entries in memory. The registry key on disk is only updated at shutdown, which is not normally done in an investigation, so the most recent entries would otherwise be missed. Keep in mind that a ShimCache entry records that the executable was examined by the shim engine, not by itself that it ran.
For anyone doing memory forensics, here is the link:
Shim Shady: Live Investigations of the Application Compatibility Cache « Threat Research | FireEye Inc
Follow on twitter: ITSECSAM
White House Cybersecurity initiative
Have not posted in a while, but I have been watching the developments in Ultra High Performance Concrete.
Reminds me of the concrete ships in WWII, which were a quick solution but failed due to rusting of the steel rebar. The new concrete does not need rebar, or can use basalt rebar as a replacement.
Back to posting on Cyber Security:
The White House released a new memorandum (OMB M-16-04) on improving cyber security in the Federal Government. There is more money available, with various organizations given the job of leading the new efforts.
Here is the link to the document:
https://www.whitehouse.gov/sites/default/files/omb/memoranda/2016/m-16-04.pdf
Follow on twitter: ITSECSAM