Aug 102017
 

An important aspect of effective threat hunting is to understand what is normal in an environment. If a threat hunter is able to baseline the normal behaviour in a system then any abnormality is most likely due to an actor that has newly entered the environment. This actor could be a new software installation, new user or an attacker. On endpoints, the execution of certain Windows processes is well documented. If we can map out Read More…

May 162017
 

Before we start to configure our decoys and put it in our production environment, let’s take a look at what exactly it is and how it differs from the usual honeypot. Honeypots are vulnerable systems configured to lure the attacker who is present in an organization. This attacker need not be from outside the environment. Many a times even employees tend to rome around in the network in order to see if they can find Read More…

May 042017
 

Most organizations face a barrage of attacks every day from threat actors around the globe. Among the various vectors, attackers have found relatively high degree of success by (spear) phishing employees of the organization. This allows attackers to bypass perimeter defences and gain a foothold in the internal network. SOC teams have multiple approaches to detect such phishing attempts. Most common ones are listed below: An alert user notifies them of receiving suspicious email Email Read More…

Aug 152016
 

One of the key security devices in a lot of organizations is an HSM – Hardware Security Module. All banks use it to store your debit card and credit card PINs. An HSM can be used to store any super-secret piece of information. Administration of the HSM is done via a custom client or CLI or directly on the physical panel of the HSM. This article outlines an audit methodology for an HSM that extends the PCI Council’s Read More…

Mar 012016
 

Introduction When an attacker compromises an end-point system in an organization, he needs some sort of confirmation that: his code was executed on the targeted system he is able to send data out of the organization without raising any alarm with the SOC Simple innocuous data from the compromised host to the attacker’s controlled system – sometimes known as the beacon – helps the attacker fulfill the two goals mentioned above. The channel the beacon Read More…

Jan 292016
 

This write-up summarizes a workshop/humla conducted by Ashfaq Ansari on the basics of various kinds of attacks available for exploiting the Windows Kernel as of this date. It describes and demonstrates some of the very common techniques to illustrate the impacts of bypassing Kernel security and how the same could be achieved by exploiting specific flaws in kernel mode components. A knowledge of basic buffer overflow exploits through user mode applications is a plus when understanding Read More…