“The Attack Range is a detection development platform, which solves three main challenges in detection engineering. First, the user is able to build quickly a small lab infrastructure as close as possible to a production environment. Second, the Attack Range performs attack simulation using different engines such as Atomic Red Team or Caldera in order to generate real attack data. Third, it integrates seamlessly into any Continuous Integration / Continuous Delivery (CI/CD) pipeline to automate the detection rule testing process.” — Splunk Attack Range GitHub.
So the Attack Range in a nutshell is a way to spin up an environment…
Hopefully a write-up that will help you weigh up your choice with the INE Cyber Security pass.
Cheap isn’t always bad
So I needed a platform or feed of training that was quite T-shaped, i.e. it covered a lot of areas. I recently started up https://vanguardcybersecurity.co.uk and could no longer afford the likes of SANS training, despite how amazing that training is.
I was lucky enough to get the INE Cyber Security pass on an offer they ran, so roughly $1000. That might seem a lot but it gives you access to the whole eLearnSecurity curriculum and more!
If you want to automate the deployment of the tooling here…
Please see my GitHub for a .ps1 script to automate the install of the above; all you’ll need to do is retrieve your unique configuration for winlogbeat from Logzio.
Sigma is an open standard for writing rules that can be used in SIEM and log management solutions. Imagine Snort rules for NIDS, YARA for malware… Sigma for SIEM.
The first set of resources you need to get started are:
When consulting our open sources for potentially vulnerable devices worldwide, we’re still seeing a high volume of public-facing devices that are not patched.
Speaking with industry partners, we recognise that patching isn’t as simple as just applying a patch. We need visibility, a risk and the right tooling & people.
Netlogon is a high-risk vulnerability that impacts Microsoft domain controllers… what does this mean for you? Your organisation, if unpatched, could already be compromised.
Vanguard Cyber Security offer a cutting edge, cloud based compromise assessment platform. …
Ransomware is now seasonal
“And how your educational year starts?”
Recently, we’ve seen two high-profile attacks on two UK-based universities. Both attacks bear hallmarks of ransomware, with one being claimed by DoppelPaymer.
I recently read an article about general crime being seasonal, and the same appears to be true in cyber space. We can see in the below screenshot the DoppelPaymer gang highlighting the crucial time of the year for the university to be facing such issues.
A hardened version of Ubuntu is required as the host OS. (Use Linux if the malware sample targets Windows to avoid any outbreak; otherwise use Windows if it targets Linux!)
Windows API Primer for Malware Analysis
The Windows API is a common method by which Windows-based malware interfaces with the operating system to accommodate its functionality. Functions are required to ‘do something’, such as decrypting strings, making connections to IP addresses or enumerating processes on the victim machine.
These functions exist within DLLs (Dynamic Link Libraries). Let’s take URLDownloadToFile() as an example: referring to MSDN (Microsoft Developer Network), we can see that URLDownloadToFile’s purpose is to “Downloads bits from the Internet and saves them to a file.”
We can also see the arguments (parameters) it takes to perform correctly, along with…
GoLang-based malware has been known to spike since the beginning of 2019 and poses a big threat even to experienced malware analysts. There are over 53 known malware families using this language, and it is very flexible. Read about it here: https://unit42.paloaltonetworks.com/the-gopher-in-the-room-analysis-of-golang-malware-in-the-wild/
Malwology wrote this article (he’s a SANS610 instructor). He covers some very good Python-based tools for statically analysing PEs, some of which seem unconventional compared to your current arsenal of tools. …
To get you started, read https://digital-forensics.sans.org/media/malware-analysis-cheat-sheet.pdf
You’ll see multiple articles numbered “MA-X”, for example “MA-01 — Emerging Malware Analysis News/Intel”. I recommend you read them sequentially if you’re new; you can refer to the series as a handbook.
These are the questions you want to answer when analysing malware; essentially, what you want to achieve by performing malware analysis.
Does the file pose a threat to the org specifically? I.e. does it check for specific infrastructure, services or files that only the org’s users would hold?
What ways to defend against this threat, can we carve out…
In a landscape where we see odd traffic in networks all the time, pulling PCAPs and remembering your Wireshark expressions can sometimes be a bit of a nightmare… that never-ending list of expressions in your notes.
I’ve experimented with Security Onion’s tools such as ELK, Bro, Sguil, Snort, Squert etc. and have now integrated these with some nice lightweight bash scripting and CLI aliases to make a very quick analysis platform for getting an early verdict on your traffic.