Catch Malware Hiding in WMI with Sysmon

Security is an ever-escalating arms race. The good guys have gotten better about monitoring the file system for artifacts of advanced threat actors. They in turn are avoiding the file system and burrowing deeper into Windows to find places to store their malware code and dependably trigger its execution in order to gain persistence between reboots. […]


For of all sad words of tongue or pen, the saddest are these: 'We weren't logging'

It doesn't rhyme and it's not what Whittier said, but it's true. If you don't log it when it happens, the evidence is gone forever. I know personally of many times where the decision was made not to enable logging and was later regretted when something happened that could have been explained, attributed or proven had the logs been there. On the bright side, there are plenty of opposite situations where thankfully the logs were there when needed. […]


Experimenting with Windows Security: Controls for Enforcing Policies

Interest continues to build around pass-the-hash and related credential artifact attacks, like those made easy by Mimikatz. The main focus surrounding this subject has been hardening Windows against credential attacks, cleaning up artifacts left behind, or at least detecting PtH and related attacks when they occur. All of this is important […]


Which security functions outsource poorly, and which outsource well

The IT security industry’s skill shortage is a well-worn topic. Survey after survey indicates that a lack of skilled personnel is a critical factor in weak security posture. If the skills are not available in your organization then you could: a) ignore the problem and hope for the best, or b) get help […]


Report All the Binary Code Executing on Your Network with Sysmon Event IDs 1, 6, 7

Computers do what they are told, whether good or bad. One of the best ways to detect intrusions is to recognize when computers are following bad instructions – whether in binary form or in some higher level scripting language. We’ll talk about scripting in the future, but in this article I […]
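Neither of the two Sysmon posts on this page is excerpted past its first paragraph, so here is an added PowerShell example (mine, not code from the original posts or from Sysmon's own documentation) that covers what both titles describe: an inventory of every process, driver and DLL Sysmon recorded executing (event IDs 1, 6 and 7), and a listing of WMI filter, consumer and binding registrations (event IDs 19, 20 and 21) with a warning on any consumer whose destination is a command or script host. The function names, the one-day window, the script-host regex and the Sysmon configuration assumptions stated in the comments are mine.

```powershell
# Added example, not code from the original posts. Assumes Sysmon is installed
# with hashing enabled (e.g. HashAlgorithms=sha256) and with WMI event logging
# turned on, i.e. the config contains <WmiEvent onmatch="exclude"/> so that
# event IDs 19/20/21 are not filtered out. Run in an elevated PowerShell session.

$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'
$Since     = (Get-Date).AddDays(-1)   # assumed reporting window: last 24 hours

# Flatten a Sysmon EventRecord into an object keyed by the EventData field names
# (Image, Hashes, Signed, Query, Destination, ...), so the rest of the script
# does not depend on positional Properties[] indexes that differ per event ID.
function ConvertFrom-SysmonEvent {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = [ordered]@{ Id = $Event.Id; Time = $Event.TimeCreated }
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]$fields
}

function Get-SysmonEvents([int[]]$Id) {
    Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = $Id; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEvent -Event $_ }
}

# --- 1. Inventory of binary code that executed: EID 1 (process), 6 (driver), 7 (image/DLL)
$Binaries = Get-SysmonEvents -Id 1, 6, 7 | ForEach-Object {
    [pscustomobject]@{
        Id        = $_.Id
        Path      = if ($_.Id -eq 1) { $_.Image } else { $_.ImageLoaded }
        Hashes    = $_.Hashes
        # EID 1 carries no signature fields; Sysmon fills Signed/Signature only for 6 and 7
        Signed    = if ($_.Id -eq 1) { 'n/a' } else { $_.Signed }
        Signature = if ($_.Id -eq 1) { 'n/a' } else { $_.Signature }
    }
}

# One line per distinct hash, with every path it was seen under.
$Binaries | Group-Object Hashes | ForEach-Object {
    [pscustomobject]@{
        Hashes = $_.Name
        Count  = $_.Count
        Paths  = ($_.Group.Path | Sort-Object -Unique) -join '; '
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize

# Unsigned drivers and DLLs deserve a second look.
$Binaries | Where-Object { $_.Signed -eq 'false' } | Format-Table Id, Path, Hashes -AutoSize

# --- 2. WMI persistence: EID 19 (__EventFilter), 20 (__EventConsumer), 21 (filter-to-consumer binding)
$Wmi = Get-SysmonEvents -Id 19, 20, 21

# Which filters were registered, and on what WQL query.
$Wmi | Where-Object Id -eq 19 | Format-Table Time, Operation, User, Name, Query -Wrap

# Consumers whose destination is a command or script host are the classic malware pattern
# (CommandLineEventConsumer / ActiveScriptEventConsumer launching powershell, cmd, wscript, mshta ...).
$Hosts = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32'   # assumed watch list
$Wmi | Where-Object { $_.Id -eq 20 -and $_.Operation -eq 'Created' -and $_.Destination -match $Hosts } |
    ForEach-Object { Write-Warning "Suspicious WMI consumer '$($_.Name)' ($($_.Type)) -> $($_.Destination)" }

# The binding is what arms the subscription; persistence is live once EID 21 appears.
$Wmi | Where-Object Id -eq 21 | Format-Table Time, User, Filter, Consumer -Wrap

# Caveat: Sysmon only records subscriptions created after it was installed. Baseline what
# already exists in the repository so a pre-installed implant is not missed.
Get-CimInstance -Namespace root/subscription -ClassName __EventConsumer |
    Select-Object Name, @{n = 'Class'; e = { $_.CimClass.CimClassName }}, CommandLineTemplate, ScriptText |
    Format-Table -AutoSize
```

The hash report answers the "what ran on this box" question the event 1/6/7 post poses; the WMI section is the cheap daily check behind the first post's title. Because Sysmon events are only as good as the config that filters them, verify with `Get-WinEvent -FilterHashtable @{LogName=$SysmonLog; Id=19,20,21} -MaxEvents 1` after creating a harmless test subscription that the WmiEvent rule really is in effect before trusting an empty result.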


Three paradoxes disrupting IT Security

2017 has been a banner year for IT Security. The massive publicity of attacks like WannaCry has focused public attention like never before on a hitherto obscure field. Non-technical people, including board members, nod gravely when listening as the CISO or a wise friend harangues them for attention, behavior change or budget on the topic of […]


Ransomware’s Next Move

Have we seen the true business impact of ransomware yet, or has this just been a proof-of-concept? The recent news about WannaCrypt and Petya ransomware should not come as a surprise. The outbreaks are due not only to the ransomware's ability to spread but also to mutate. While IT security teams identify, hunt, and remove specific variants of the ransomware, there may already be unknown mutated varieties lurking dormant and ready to execute. We expect stories like this will continue to pop up as long as organizations only hunt "known" threats after enough other organizations have come across them. Read on to find out what the next biggest threat will be. […]


Yet Another Ransomware That Can be Immediately Detected with Process Tracking on Workstations

As I write this, yet another ransomware attack is underway. This time it’s called Petya, and it again uses SMB to spread. But here’s the thing — it uses an EXE to get its work done. That’s important because there are countless ways to infect systems, with old ones being patched […]


WannaCry: What to do if you can’t update Microsoft Windows

A global pandemic of ransomware hit Windows-based systems in 150 countries in a matter of hours. The root cause was traced to a vulnerability corrected by Microsoft for supported platforms (Win 7, 8.1 and higher) in March 2017, about two months (59 days) before the malware was widespread. Detailed explanations and mitigation steps are […]


When a SIEM is Like an Exercise Machine Stuck Behind the Junk in Your Garage

I’m a big believer in security analytics and detective controls in general. At least sometimes, bad guys are going to evade your preventive controls, and you need the critical defense-in-depth layers that detective controls provide through monitoring logs and all the other information a modern SIEM consumes. Better yet, going on […]


Top three high risk behaviors that compromise IT Security

The insider threat is typically far less frequent than external attacks, but when it does occur it usually poses a much higher severity of risk for organizations. While it can be perpetrated by malicious actors, it is more commonly the result of negligence. In addition to investing in new security tools and technology […]


Ransomware is only getting started

Ransomware is about denying you access to your data via encryption. But that denial has to be of a great enough magnitude to create sufficient motivation for the victim to pay. Magnitude of the denial is a factor – Value of the encrypted copy of the data, which is a function of […]


SIEMphonic and the Cyber Kill Chain

The Cyber Kill Chain model by Lockheed Martin describes how attackers use the cycle of compromise, persistence and exfiltration against an organization. Defense strategies that focus exclusively on the perimeter and on prevention do not take the kill chain life cycle into account; this is one reason attackers continue to be so successful […]


‘Twas the Night Before Christmas – an EventTracker Story

‘Twas the night before Christmas and all through HQ
Not a creature was stirring, except greedy Lou –
An insider thief who had planned with great care
A breach to occur while no one was there.
Lou began his attack without trepidation,
For all his co-workers were on their vacations.
He logged into Payroll and […]


Work Smarter – Not Harder: Use Internal Honeynets to Detect Bad Guys Instead of Just Chasing False Positives

Log collection, SIEM and security monitoring are the journey, not the destination. Unfortunately, the destination is often a false positive. This is because we've gotten very good at collecting logs and other information from production systems, then filtering that data and presenting it on a dashboard. But we haven't gotten that good at distinguishing events […]
