This is ThreatGeek's Typepad Profile.
ThreatGeek
Recent Activity
Welcome back to our blog series on reducing detection time from months to minutes. In our first and second posts, we showed how you can use metadata to quickly resolve phishing attacks and investigate threats retroactively. While those two scenarios are pretty common, here’s one that may be new to you: detecting credentials in the clear. First, let’s take a look at a typical day in a typical office. Employees (including top executives) are accessing external applications without HTTPS for authentication. Somewhere, the mail administrator is using an FTP application that doesn’t encrypt credentials. Normal activities. What could possibly go wrong?... Continue reading
Posted 7 days ago at Threat Geek
In late February, Fidelis Cybersecurity observed a strategic web compromise on a prominent U.S. lobbying group that served up malware to a very specific set of targets. The malware we observed has been used exclusively by Chinese nation-state threat actors. Based on our observations, we estimate that it is highly probable that this activity – which we’re calling ‘Operation TradeSecret’ – targeted key private-sector players involved in lobbying efforts around United States' foreign trade policy. Trade policy was at the center of the recent U.S. presidential election and is sure to feature prominently on the agenda when President Trump meets... Continue reading
Posted Apr 6, 2017 at Threat Geek
Welcome back to reducing detection time from months to minutes. In the first post in this series, we showed how metadata holds the power to quickly disarm one of the most effective cyberattack methods in the attackers’ arsenal – phishing. But what about detecting threats in the past? You’ve read the headlines: Ransomware Hits. Data Stolen. E-mails Hacked. Perhaps a high-profile organization in your industry was compromised, had to report the breach, and a new zero-day exploit is uncovered. No sooner do you get the details about the event when you get a phone call from the CEO, asking, “Has... Continue reading
Posted Mar 30, 2017 at Threat Geek
Interesting changes are happening in the world of cybersecurity legislation. Notably, these changes are impacting the role of the chief information security officer (CISO). No longer are CISOs just the sacrificial lamb (read: scapegoat) when a company suffers a data breach. The changes revolve around newly minted regulations in the New York State Department of Financial Services along with a proposed Senate bill, The Cybersecurity Disclosure Act of 2017 S.536. The Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500 took effect March 1, 2017. One of the significant things this regulation does is define a cybersecurity event as “any... Continue reading
Posted Mar 28, 2017 at Threat Geek
Nviso Labs recently published a fascinating blog post illustrating the use of the Lua programming language over the Suricata DPI engine to detect obfuscations in PDF files. Deep analysis of content seen on networks is a topic close to our heart at Fidelis Cybersecurity. After reading that post, we decided to investigate how we could implement this detection by creating a rule in the Yara content scanning engine within one of our own products. This blog walks you through our logic and shows how trivial it is to apply it to PDF content in network traffic. Analysis First, a bit... Continue reading
Posted Mar 24, 2017 at Threat Geek
Every day, attackers tunnel under, sneak through, go around, go over and squeeze past your security technologies. While you’re armed with more security tools than you can count, most of them are hiding a dirty little secret: They actually create more work for people, not less. Security teams are inundated by alerts indicating potential incidents. These products don't come with job requisitions. They do come with alert overload. Defenders are often unable to quickly validate whether an alert is real or not, mostly because they receive little context – aka useful insight – from each alert. Without context, it’s a... Continue reading
Posted Mar 15, 2017 at Threat Geek
Many research teams have reported on their observations of exploits involving the use of the Apache Struts vulnerability CVE-2017-5638 since Cisco Talos published their post on Wednesday, March 8. Fidelis Cybersecurity Threat Research is also seeing widespread activity and, contrary to some reporting, we're not seeing any reduction in scanning over the course of the day. Apache Struts 2 is an open-source development framework for Java web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller (MVC) architecture. Apache Struts 2 is used to build websites by a wide variety of organizations. Even as... Continue reading
Posted Mar 11, 2017 at Threat Geek
There’s a reason why airport security x-rays your bags. It’s because the only way you can tell if something is a true threat is to actually look at the contents. It’s the same with network security. The only way to prevent modern intrusions is to actually inspect the content on your network in real time…which brings us to the first requirement for stopping modern intrusions. Requirement #1: Deep Visibility into Network Content (Not Just Packets) in Real Time As we pointed out in the first blog post in this series (“Would You Re-Hire Your IPS Today?”), the vast majority of... Continue reading
Posted Mar 9, 2017 at Threat Geek
Modern messaging apps, many of which offer end-to-end encryption, are used every day by millions of people. These apps come with the expectation of privacy. However, we recently observed an interesting operational security issue involving one such popular messaging app, Telegram. We're posting our observations to alert users of this app to potential privacy concerns. Changing Scammer Tactics Relentless calls from telemarketing scammers are a bane of existence in modern life. Whether it's the "can you hear me now" scam, fake charity scams, or fake tech support scams, the pace of attacks on consumers is relentless. The problem is particularly... Continue reading
Posted Mar 2, 2017 at Threat Geek
Downloaders and droppers (aka malware that delivers other malware) have been forced to live in the shadow of more famous stages of the exploit kit chain, like landing pages or the malware that's eventually dropped. One reason they are often overlooked and not analyzed as often is because they typically (and conveniently) wipe themselves from compromised hosts once they completely deliver their malicious payload. But don't mistake the lack of attention for lack of importance. Downloaders and droppers play a vital role in the web exploitation ecosystem. They're often used across multiple exploit kits and they are effective at delivering... Continue reading
Posted Feb 9, 2017 at Threat Geek
We're counting down the last few days to RSA 2017. As you pack your suitcase and map out your schedule, plan on joining us for a demo at Booth #933. Stop by and say hello and grab your limited edition t-shirt. Here’s a quick rundown on where you can find us: RSA 2017 EXPO: Join Fidelis Cybersecurity at Booth #933, South Hall, at San Francisco’s Moscone Center, February 14 - 16. See a full listing of Fidelis’ RSA activities. AGC’s 2017 INFORMATION SECURITY & BROADER TECHNOLOGY GROWTH CONFERENCE: At 2:00 pm on February 13, Fidelis President and CEO Peter George... Continue reading
Posted Feb 8, 2017 at Threat Geek
Producers of the 1995 James Bond film “GoldenEye” packed the plot with all the signature elements fans expect from the successful franchise. Over-the-top supervillain – check. Cool spy gadgets – check. Exotic locations – check. And, of course, 007 saves the day. The film was also slightly ahead of its time. The internet, computers and cyberespionage all factor into the plot. In the movie, a criminal element called Janus conspires to steal vast sums of money from the Bank of England. To cover their tracks and spark a global financial meltdown, they plan to knock out the planet’s electronics and... Continue reading
Posted Feb 2, 2017 at Threat Geek
What does 2017 hold for security professionals and the industry as a whole? To answer this question, let’s take a quick look at what has not changed. For one, ransomware continues to be an effective extortion tool for attackers. They’re constantly honing their ability to use backdoors and rootkits to gain access. Across the board, attackers continue to create new variants of the same malware family. When they find an effective approach, they will continue to exploit it until security experts stop them. Only then do attackers move on to something different. Yet the new year also brings new challenges... Continue reading
Posted Jan 26, 2017 at Threat Geek
Earlier this month, security news media reported attackers holding internet-exposed MongoDB and Elasticsearch databases for ransom. Attackers said they’d return the data if they got paid -- otherwise, the data would be erased. In many reported instances, attackers simply deleted the data. Unfortunately, more attacks are underway. Last week, Fidelis Cybersecurity Threat Research observed similar attacks on Internet-facing Hadoop Distributed File System (HDFS) installations. Like the MongoDB and Elasticsearch incidents, attackers would erase all the data on the system. To make matters worse, we confirmed additional attacks on HDFS instances worldwide. For these events, attackers are leveraging a logical blend... Continue reading
Posted Jan 18, 2017 at Threat Geek
Security got the boring end of the stick when names for the generations were handed out. Instead of Millennials, Gen X, Baby Boomers or the Greatest Generation, we're stuck with "Next Gen." What comes after "Next Gen"? And where were the creative minds hiding when we needed them most? In this post, I’m going to focus on a sliver of the next-gen security stack that we get asked about every day. Specifically, where do next-gen firewalls stop and where do next-gen IPSs pick up the baton. But first, to understand next-gen security we need to take a quick trip down... Continue reading
Posted Dec 1, 2016 at Threat Geek
There are two types of runners: long-distance runners and sprinters. Everything about them is different. Sprinters are built for power while marathoners are built for endurance. But what if you could break the mold and find all of those capabilities in a single athlete? Endpoint detection and response (EDR) tools have faced a similar conundrum. Vendors have historically forced users to choose between architectures that were optimized for one activity at the expense of others. In short, the choices have been: Optimize for Speed: These tools generally use a peer-to-peer architecture that enable endpoints to communicate with each other. The... Continue reading
Posted Nov 30, 2016 at Threat Geek
In Part 1 of this series we asked the question: Would you re-hire your IPS if you interviewed it today? But it’s not a totally fair question. Because, before you hire someone (or in this case buy something) it’s pretty obvious that you need a deep and thorough understanding of what the job entails. Otherwise, frustration, handwringing, and assorted HR crises will emerge. So, we pose this question to you: Can you even remember why you bought your IPS in the first place? It seems like a self-answering question for a product whose name, after all, is an Intrusion Prevention... Continue reading
Posted Nov 15, 2016 at Threat Geek
Vawtrak, a.k.a. Neverquest, has been a prominent trojan in the banking world, and numerous researchers have reported their findings about this malware. In August 2016, we blogged about the addition of a DGA to the banking trojan known as Vawtrak. The actors behind Vawtrak reacted to this attention by adjusting their tactics – enough to warrant a change in their DGA implementation. On November 9, 2016, the Threat Research Team at Fidelis Cybersecurity noticed a Vawtrak sample that appeared to be using an updated implementation of the DGA routine. The sample we analyzed was delivered by using Hancitor embedded in... Continue reading
Posted Nov 12, 2016 at Threat Geek
Commodity Remote Access Trojans (RATs) -- which are designed, productized and sold to the casual and experienced hacker alike -- put powerful remote access capabilities into the hands of criminals. RATs, such as H-W0rm, njRAT, KilerRAT, DarkComet, Netwire, XtremeRAT, JSocket/AlienSpy/Adwind and others, hold special interest for the Threat Research Team at Fidelis Cybersecurity. We're constantly following, detecting and monitoring the lifecycle of these RATs as they appear, disappear and often reappear under a new moniker. There have been recent reports 1, 2 about a new version of one such commodity RAT, H-W0rm (Hworm), and the various campaigns it is being... Continue reading
Posted Nov 9, 2016 at Threat Geek
Metadata gathered from your network can be a powerful ally in the battle against cyberattacks. In fact, you can do seemingly impossible things with the right metadata. In Part 1, we explored how metadata can help you spot phishing emails, find man-in-the-middle attacks, locate weak encryption and more. In Part 2, we take a look at five more seemingly impossible tasks. If these examples sound interesting, watch the webinar I recently did with Hardik Modi, our VP of Threat Research: 3 Ways to Reduce Detection Time from Months to Minutes. Impossible Task #6. See lateral movement within the network. If... Continue reading
Posted Oct 31, 2016 at Threat Geek
Bloomberg reporter Jordan Robertson recently sat down with Fidelis Cybersecurity Senior VP Mike Buratowski to discuss the malware and other data that attackers used to pull off the breach of the Democratic National Committee’s (DNC) servers. By examining the clues the attackers left behind, Mike explains how it's possible to attribute the attacks to a specific group of nation-state actors. Listen to Bloomberg Technology’s Decrypted Podcast and get the full story. Want to learn more? Read our analysis of the DNC intrusion malware. Continue reading
Posted Oct 27, 2016 at Threat Geek
Network Intrusion Prevention Systems have been a mainstay of the network security stack for well over a decade. When they first entered the mainstream in the early 2000s, the iPhone hadn't been invented. We were still in the age of the PalmPilot (anyone remember using that stylus?). But, at the time, IPSs represented real innovation. They were a welcome departure from the classic firewall, which was limited by its primitive accept-and-deny rules that were inadequate for the more sophisticated attacks to come. IPSs were a breath of fresh air. They came with new detection languages, like Snort. They could operate... Continue reading
Posted Oct 26, 2016 at Threat Geek
Deception and crime go hand in hand. But knowing when you’re being deceived means you need to think like the bad guys and know what to look for. There are three elements of deception. To see these elements in action, we need look no further than a few notable cases -- including the alleged Russian state actors behind the DNC and DCCC breaches as they continue to dump documents intended to influence the upcoming U.S. election. Let’s take a look at the three elements of effective deception. 1. Plan and Prepare The key is to create a storyline that’s mostly... Continue reading
Posted Oct 25, 2016 at Threat Geek
Metadata is data that describes other data. And while it may not sound sexy, metadata gathered from your network can be a powerful ally in the battle against cyberattacks. Continue reading
Posted Oct 17, 2016 at Threat Geek
In November 2015, the Dyre banking trojan seemingly disappeared overnight, surprising security researchers worldwide. Months later it was announced that Russian authorities had arrested most of the gang responsible for its operations. Prior to that, it was a relatively rare act for Russian authorities to take action in such matters. Since then, nothing has been heard from those actors, but the speculation was that some of the programmers and other elements of the criminal operation would be subsumed into other cybercriminal operations. In September 2016, Fidelis Cybersecurity was alerted to a new malware bot calling itself TrickBot that we believe has... Continue reading
Posted Oct 15, 2016 at Threat Geek