CYINT Analysis

TekDefense PCAP Challenge Write-Up

Earlier this week TekDefense posted a cool network challenge. The instructions were basic: investigate an IDS alert by analyzing the provided PCAP, determine what happened, and share the findings.

I’ve done a couple of PCAP exercises from Brad Duncan here and here. Those analyses were related to incidents dealing with exploit kits so I thought this challenge would be a fun opportunity to practice analyzing other kinds of threats.

Overall, I feel confident with the high-level findings. But I struggled to piece together some (probably key) details, even after a lot of research. Also, I didn’t author any Yara or Snort rules. (This was a second part of TekDefense’s challenge; I ended up grabbing a Yara rule from an Akamai report.)

Any feedback or tips are welcome : )

So here’s my write-up!


A Simple, Free, and Fast Open Source Workflow For Processing Indicators

Open sources provide a wealth of valuable intelligence and, often times, network- and host-based indicators to enable detection and further investigation.

I’m interested in indicators from an investigative perspective. What overlaps or “centers of gravity” can we uncover? Do any of these provide other collection opportunities (e.g., tracking a particular domain registrant) or detection opportunities (e.g., a small netblock hosting dedicated C2 infrastructure)?

My investigative process around information culled from open sources used to be manual. Copying and pasting, one-by-one, indicators from blog posts into TXT and / or CSV documents. Querying indicators against various external or internal datasets. That process is neither efficient nor fun.

Fortunately, the availability and quality of open source threat intelligence tools have grown in kind with the quality and quantity of the open source information. Using exclusively free tools, analysts can all but bypass manual processing and dive straight into their investigation within only a minute or two.

Here’s one way to do that.


All The Rosetta Stones!

The ancient Rosetta Stone provided an approximate translation between Egyptian hieroglyphics, Egyptian Demotic script, and Ancient Greek. In threat intelligence, we use Rosetta Stones to translate the different names that our sources assign to threat activity groups into our own “native language.” What one source calls “APT1,” another source calls “Unit 61398.” But, in your security operations shop’s “native language,” those names translate to “Comment Crew.” All told, it makes for a confusing situation (that isn’t going away) as analysts juggle and triangulate reports describing threats and malware and their associated reams of indicators.


Examining Recent Ransomware Infection Techniques (And Some Thoughts on Consuming Intelligence)

Even though ransomware is one of the threats du jour, it’s not something I’ve closely studied. So I decided that this weekend was as good a time as any to conduct some research and develop a better understanding of this threat.

I wish I could say I identified novel features of what I discovered were large, multi-wave ransomware campaigns between May and August. But that didn’t happen. The reality is pretty mundane: I pulled together existing research and documented—in my own words—what others have already reported.

As an analyst, I’m okay with that. I’ve found this type of research to be typical. And it brings up thoughts (and tips!) I have on intelligence consumption. But more on those soon… First, let’s look at the recent ransomware activity.


An Important Internal Intelligence Source to Add to Your Collection Plan

Earlier this week Scott Roberts provided a useful list of intelligence collection sources for threat intelligence and security teams. His list included:

– Internal incident data
– Honeypots & the like
– Vendor reports
– Sharing communities
– Free IOC feeds
– Paid IOC feeds

I like this list because it covers automated machine-based collection—internal data, honeypots, and IOC feeds—and analyst-based, human collection: vendor reports and sharing communities. Analysts have to critically read and process reports and must dedicate time to developing external relationships, building trust. These tasks cannot be automated.

Similar to these “analyst-based” sources (which I suppose we could call, but which I’ll refrain from calling, HUMINT), I would add an additional source: internal IT and IT security staff.


Strategic Threat Intelligence: Communicating to Non-Technical Audiences

In a recent article in War on The Rocks, More Art Than Science: Intelligence and Technical Topics, authors Brian Holmes and Max Greenlee write about communicating technical intelligence subjects to policymakers.

Scientific and technical intelligence analysts thus face the great challenge of quickly, effectively, and clearly conveying information to policymakers. – Brian Holmes and Max Greenlee


A Fun Saturday Analysis: Comment Spam Attack!

A wave of comment spam has been hitting my blog today. Gross! The volume of spam (up to 50+) piqued my curiosity. So let’s check it out!

More PCAP Analysis Practice

It’s time to tackle another PCAP analysis exercise from Brad Duncan. I’ve only done a couple of these (I posted one of my write-ups here), and would like to put myself in a more technical DFIR analyst mindset—completing more of these exercises seems like a great way to do that.

I previously attempted some of Duncan’s more complex exercises (such as this one) and found myself stumped. So, my plan is to get some more practice on the basic exercises before attempting the more advanced analyses.

The following write-up is based on the 2014-12-08 Traffic Analysis Exercise. Rather than answer each practice question one by one as I did in my first write-up, I’ve attempted to write something that resembles a real-world report and also addresses as many of the questions as possible.

Lastly, I did not check my answers before making this post – I thought it would be a little more fun that way. After I have a chance to review the answers, I may update this post (especially if my errors were egregious!).

So here we go!


My Favorite Threat Intel Tweets of 2015

I wanted to compile a list of my favorite threat intelligence tweets and Twitter discussion from 2015. I simply scrolled through all of my “likes” and pulled out my favorite ones. So here they are!



Copyright © 2016 CYINT Analysis
