threathunting   187

« earlier    

IBM Builds 'SOC on Wheels' to Drive Cybersecurity ...
Chris Crummey, executive director of IBM X-Force Command, said one of the key lessons learned among companies who test their response skills is they need to be more proactive in threat hunting while investigating an incident. "Customers want to put out fires, but in reality, you have to figure out if the fires are related," he explained. Another common weakness is neglecting to look for places where security problems commonly begin.
"The most mature customers, they go hunting for their blind spots," Crummey added
ibm  cybersecurity  threathunting  training 
20 days ago by bwiese
The Rise of Adversary Emulation – NVISO Labs
Bloodhound + GoFetch
Empire + DeathStar
Caldera
Red Team Automation (RTA)
Atomic Red Team (ART)
pentest  threathunting  cybersecurity  tools  attack  apt  training 
20 days ago by bwiese
Using Certificate Transparency as an Attack / Defense Tool - SANS Internet Storm Center
Anyway, the Cert Transparency program has Certifficate Authorities keeping a transparent log of EV certificates since Jan 1, 2015, and logs for DV and OV certificates as of May 2, 2018 (more here: https://www.certificate-transparency.org/ ).  This means that there are central, queriable repo's for all SSL certificates.  As soon as I hear "central database" and "API", I tend to ask "how can I use that for other purposes" - for instance, how I use that in Penetration Tests?

https://crt.sh/?q=sans.org gets us a nice list of certs

Entrust interface at https://www.entrust.com/ct-search/ is a bit easier to navigate, but doesn't have that easy ability to translate a browser based query to a curl or other script based approach.

Where else can you find a decent interface to a certificate transparency feed? So far, I've been using:
https://sslmate.com/certspotter/howitworks

This gives you pretty much everything, including the ability to download the certificates themselves, export to excel or csv.
https://transparencyreport.google.com/https/certificates

Of course there's a Google interface to search certificates. And of course it's extremely complete - if there's info to find, it'll be easy to find in this one!
https://developers.facebook.com/tools/ct/search/
tls  certificates  cybersecurity  threathunting  pentest 
6 weeks ago by bwiese
Hunting for Suspicious Processes with OSSEC - SANS Internet Storm Center
OSSEC is a free security monitoring tool/log management platform which has many features related to detecting malicious activity on a live system like the rootkit detection or syscheck modules. Here is an example of rules that can be deployed to track malicious processes running on a host (it can be seen as an extension of the existing rootkit detection features).
threathunting  cybersecurity  monitoring  ossec 
6 weeks ago by bwiese
Cheat-Sheets
"Windows logging Cheat Sheet", "Splunk Logging Cheat Sheet"
Windows  Security  Registry  Powershell  Forensics  SIEM  Splunk  ThreatHunting  DFIR  CheatSheet 
8 weeks ago by snkhan
ThreatStream Matches As Notable Events in Splunk? Here's How...
The search looks like this:

| `ts_tstats_all` | `ts_lookup_details` | `ts_get_time_offset(_time, ts_date_last)` | where ts_confidence >= 80 AND Age < 31 AND (like(ts_itype, "apt%") OR like(ts_itype, "c2%") OR like(ts_itype, "mal%")) | eval orig_sourcetype=sourcetype
splunk  anomali  threatstream  threathunting  cyberthreatintel 
9 weeks ago by bwiese
Building Integrations for Splunk Enterprise Security | Splunk
Splunk ES - includes prepackaged dashboards, correlations, and incident response workflows to help security teams analyze and respond to their network, endpoint, access, malware, vulnerability, and identity information.

Use Frameworks: Notable Events, Asset & Identity, Threat Intelligence, Risk, Adaptive Response
splunk  cybersecurity  siem  threathunting 
9 weeks ago by bwiese
Attack inception: Compromised supply chain within a supply chain poses new risks – Microsoft Secure
Unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the app’s legitimate installer the unsuspecting carrier of a malicious payload. The attack seemed like just another example of how cybercriminals can sneak in malware using everyday normal processes.

The plot twist: The app vendor’s systems were unaffected. The compromise was traceable instead to a second software vendor that hosted additional packages used by the app during installation. This turned out be an interesting and unique case of an attack involving “the supply chain of the supply chain”.

In early 2017, we discovered operation WilySupply, an attack that compromised a text editor’s software updater to install a backdoor on targeted organizations in the financial and IT sectors. Several weeks later, another supply chain attack made headlines by initiating a global ransomware outbreak. We confirmed speculations that the update process for a tax accounting software popular in Ukraine was the initial infection vector for the Petya ransomware. Later that same year, a backdoored version of CCleaner, a popular freeware tool, was delivered from a compromised infrastructure. Then, in early 2018, we uncovered and stopped a Dofoil outbreak that poisoned a popular signed peer-to-peer application to distribute a coin miner.
cybersecurity  supplychain  scrm  software  pdf  threathunting 
11 weeks ago by bwiese

« earlier    

related tags

ad  ai  analysis  analytics  anomali  anomaly  apt  aptsimulator  attack  auditing  automation  azure  bash  blog  blueteaming  book  bro  c2  carbonblack  certificates  cheatsheet  china  commandline  conference  course  cryptocurrency  cryptojacking  cuckoosegg  cyberkillchain  cyberreason  cybersec  cybersecurity  cyberthreatintel  defenderatp  dfir  dlp  dns  domain  download  dragos  drupal  edr  elasticsearch  endgame  eventlogs  exfil  fileless  flash  forensics  gdpr  github  goldenticket  graphs  helk  history  html  hunting  ibm  ics  incidentresponse  informationsecurity  infosec  isc  jpcert  jumpbox  kerberos  lateralmovement  lockheedmartin  machinelearning  maliciousadvertising  malvertising  malware  metasploit  mht  microsoft  mimikatz  misp  mitre  monitoring  network  news  notpetya  ossec  passivetotal  pdf  pentest  philosophy  podcast  powershell  presentation  producerconsumerratio  psexec  python  quote  r  ransomware  redcanary  redteam  redteaming  reference  registry  rtb  sans  satellite  scom  scripting  scrm  securid  security  segmentation  siem  sigma  soar  software  splunk  sqrrl  supplychain  symantec  sysmon  threatactors  threatstream  thrip  tls  todo  tools  tor  toread  training  ueba  unittest  url  video  vimeo  virustotal  vulnerability  vulnwhisper  webinar  whitelisting  whois  windows  winrm  wmi 

Copy this bookmark:



description:


tags: