CYINT Analysis

Examining Recent Ransomware Infection Techniques (And Some Thoughts on Consuming Intelligence)

Even though ransomware is one of the threats du-jour, it’s not something I’ve closely studied. So I decided that this weekend was as good a time as any to conduct some research and develop a better understanding of this threat.

I wish I could say I identified novel features of what I discovered were large, multi-wave ransomware campaigns between May and August. But that didn’t happen. The reality is pretty mundane: I pulled together existing research and documented—in my own words—what others have already reported.

As an analyst, I’m okay with that. I’ve found this type of research to be typical. And it brings up thoughts (and tips!) I have on intelligence consumption. But more on those soon… First, let’s look at the recent ransomware activity.


An Important Internal Intelligence Source to Add to Your Collection Plan

Earlier this week Scott Roberts provided a useful list of intelligence collection sources for threat intelligence and security teams. His list included:

– Internal incident data
– Honeypots & the like
– Vendor reports
– Sharing communities
– Free IOC feeds
– Paid IOC feeds

I like this list because it covers automated machine-based collection—internal data, honeypots, and IOC feeds—and analyst-based, human collection: vendor reports and sharing communities. Analysts have to critically read and process reports and must dedicate time to developing external relationships, building trust. These tasks cannot be automated.

Similar to these “analyst-based” sources (which I suppose we could call, but which I’ll refrain from calling, HUMINT), I would add an additional source: internal IT and IT security staff.


Strategic Threat Intelligence: Communicating to Non-Technical Audiences

In a recent article in War on The Rocks, More Art Than Science: Intelligence and Technical Topics, authors Brian Holmes and Max Greenlee write about communicating technical intelligence subjects to policymakers.

Scientific and technical intelligence analysts thus face the great challenge of quickly, effectively, and clearly conveying information to policymakers. – Brian Holmes and Max Greenlee


A Fun Saturday Analysis: Comment Spam Attack!

A wave of comment spam has been hitting my blog today. Gross! The volume of spam (up to 50+) piqued my curiosity. So let’s check it out!

More PCAP Analysis Practice

It’s time to tackle another PCAP analysis exercise from Brad Duncan. I’ve only done a couple of these (I posted one of my write-ups here), and would like to put myself in a more technical DFIR analyst mindset—completing more of these exercises seems like a great way to do that.

I previously attempted some of Duncan’s more complex exercises (such as this one) and found myself stumped. So, my plan is to get some more practice on the basic exercises before attempting the more advanced analyses.

The following write-up is based on the 2014-12-08 Traffic Analysis Exercise. Rather than answer each practice question one by one as I did in my first write-up, I’ve attempted to write something that resembles a real-world report and also addresses as many of the questions as possible.

Lastly, I did not check my answers before making this post – I thought it would be a little more fun that way. After I have a chance to review the answers, I may update this post (especially if my errors were egregious!).

So here we go!


My Favorite Threat Intel Tweets of 2015

I wanted to compile a list of my favorite threat intelligence tweets and Twitter discussion from 2015. I simply scrolled through all of my “likes” and pulled out my favorite ones. So here they are!


Intelligence Technology and Tradecraft in 2015

With 2015 wrapped up, I wanted to reflect on some of the changes I noticed in the cyber threat intelligence (CTI) field over the course of the year. I originally had (overly) ambitious plans for this post, hoping to offer a sweeping and comprehensive review on threat intelligence. But alas. Time has expired–it’s already 2016! Instead, I decided to focus on two aspects of CTI that I’m passionate about: technology and tradecraft.

SMS Spam/Scam Campaign?

It’s the holiday season, which means that offers received via email or text that seem too good to be true probably are. I wanted to post information about some text spam I received tonight.


A Quick Look at A Likely NewPOSThings Sample

Executive Summary

  • Nick Hoffman identified what is likely a new variant of NewPOSThings (MD5: 761d23e1e2f496f1a6a2385808afc6eb).
  • Based on static analysis, the malware likely conducts the same activity observed in earlier NewPOSThings variants wherein it searches for and dumps passwords associated with VNC applications (e.g., RealVNC, UltraVNC). The malware also contains the hard-coded C2 domain flowerstick[.]net.
  • An actor using the alias You Chung and email address brian45345[at]safe-mail.net registered nine domains–including flowerstick[.]net–between August 1 and September 13, 2015. These sites are almost certainly used as C2 nodes for POS and/or other malware. For example, one additional NewPOSThings sample (MD5 b6c1d46e25a43d9ae24c85c38c52d6a4) communicates to chiproses[.]net, which was registered to Chung on August 17.
  • It is assumed that actors using the malware are targeting small- to medium-sized businesses, given the malware’s focus on VNC applications. Small businesses are generally more likely to use remote administration software for their POS terminals so that third parties can manage the terminals.

Below is a Maltego graph showing the identified links between the malware, actor, and infrastructure.


Copyright © 2016 CYINT Analysis