Thursday, February 2, 2017

Draft_Threat Detection Framework_Haren Bhatt

Dear All,

Tried to create a "Threat Detection Framework" which can map following parameters.
1- The "Kill Chain" Concept
2- Your Use Cases integrated on SIEM
3- Your data sources which are supposed to generate relevant logs.

I would shortly also share the challenges, advantages and dis-advantages.

Please share your views if any.

Friday, December 30, 2016

Threat Intel Annual Reads 2016

Intelligence Technology and Tradecraft in 2015 –
No, Norse is Not a Bellwether of the Threat Intel Industry but Does Hold Lessons Learned –
VB2015 paper: Effectively testing APT defences: defining threats, addressing objections to testing, and suggesting some practical approaches –
The Role of Curiosity in Security Investigations –

NSA’s TAO Head on Internet Offense and Defense –
Themes, Personal Notes, & Resources From SANS CTI Summit 2016 –
FireEye Releases Mandiant M-Trends Report with Insights from Advanced Attack Investigations –
Greater Visibility Through PowerShell Logging –
Detecting Offensive PowerShell Attack Tools –

The Problems with Seeking and Avoiding True Attribution to Cyber Attacks –
Questions for Evaluating an External Threat Intelligence Source –
Conducting Red Team Assessments Without the Use of Malware –
A Novel WMI Persistence Implementation –
Investigating PowerShell: Command and Script Logging –

PowerShell Takes Center Stage as Attackers Attempt to Cloak Attacks –
Hack Back! A DIY Guide –
Tradecraft Tuesday – Hacking Team Breach Overview –
What is Threat Hunting? –
Magical Thinking in Internet Security –
Sysmon logs at scale analyzed with Splunk –
Verizon’€™s 2016 Data Breach Investigations Report –

How to Fall Victim to Advanced Persistent Threats –
Unofficial Guide to Mimikatz & Command Reference –
A bomb just dropped in endpoint security… and I’m not sure anyone noticed –
Adversarial Tactics, Techniques & Common Knowledge –
Technical Report about the Malware used in the Cyberespionage against RUAG –
Targeted Attacks against Banks in the Middle East –
Windows Top 10 Events to monitor from My Dell Enterprise Security Summit Talk –

Common Ground Part 1: Red Team History & Overview –
Common Ground: Planning is Key –
Why Ransomware? Why Now? How Intelligence Would Address Infosec Questions –
Bears in the Midst: Intrusion into the Democratic National Committee –
Penetration Test vs. Red Team Assessment: The Age Old Debate of Pirates vs. Ninjas Continues –
Shiny Object? Guccifer 2.0 and the DNC Breach –

The Darker Side of Threat Intelligence: Cyber Stockholm Syndrome –
The Threat Hunting Project –
Common Ground Part 3: Execution and the People Factor –
Spotting the Adversary with Windows Event Log Monitoring (version 2) –
How to Build a 404 page not found C2 –
5 Takeaways From The “Building A Strategic Threat Intelligence Program” Webinar –
An Important Internal Intelligence Source to Add to Your Collection Plan –
STIX 2.0 – CTI TC Development –

PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection –
Automating Detection of Known Malware through Memory Forensics –
procfilter – A YARA-integrated process denial framework for Windows-
How to Build Your Own Penetration Testing Drop Box –
The Shadow Brokers: Lifting the Shadows of the NSA’s Equation Group? –
Threat Intelligence Definition: What is Old is New Again –
Intelligence Defined and its Impact on Cyber Threat Intelligence –
Examining Recent Ransomware Infection Techniques (And Some Thoughts on Consuming Intelligence) –
The Laws of Cyber Threat: Diamond Model Axioms –
FIRST announces Traffic Light Protocol (TLP) version 1.0 –
RIPPER ATM Malware and the 12 Million Baht Jackpot –

Some Favorite DerbyCon 6 Talks (2016)  –
Let the benchmarks hit the floor: Autopsy vs Encase vs FTK vs X-Ways (in depth testing) –
Welcome to the Cyber Analytics Repository –
Five Attributes of an Effective Corporate Red Team –
A Simple, Free, and Fast Open Source Workflow For Processing Indicators –
Indicators and Security Analytics: Their Place in Detection and Response –
How to Hunt: Detecting Persistence & Evasion with the COM –
The Effects of Opening Move Selection on Investigation Speed –
Detecting Data Staging & Exfil Using the Producer-Consumer Ratio –
Europol’s 2016 Internet Organised Crime Threat Assessment (IOCTA) –
Mind Games: International Championship – Intelligence Agency Calculus –

Securing Windows Workstations: Developing a Secure Baseline  –
The Diamond Model and Network Based Threat Replication –
The Windows Logging, File and Registry Auditing Cheat Sheets updated for Windows 10 and some cleanup and additions –
Why Threat Intelligence Sharing is Not Working: Towards An Incentive-Based Model –
The $5 Vendor-Free Crash Course: Cyber Threat Intel –
Nation State Threat Attribution: a FAQ –
Increased Use of WMI for Environment Detection and Evasion –
Building Threat Hunting Strategies with the Diamond Model –
Net Cease – Hardening Net Session Enumeration –
Threat Hunting – A Tale of Wishful Thinking and Willful Ignorance … –
Common Red Team Techniques vs Blue Team Controls Infographic –
MISP -The Design and Implementation of a Collaborative Threat Intelligence Sharing Platform –

Securing Domain Controllers to Improve Active Directory Security  –
Seek Evil, and Ye Shall Find: A Guide to Cyber Threat Hunting Operations –
Leak on Aisle 12! An Analysis of Competing Hypotheses for the Tesco Bank Incident –
The Hunter’s Den: Internal Reconnaissance (Part 1) –
2016 Targeted Threats in Review – What We’ve Learned –
Extending Linux Executable Logging With The Integrity Measurement Architecture –
Digital Forensics / Incident Response – The Definitive Compendium Project –
Microsoft replaces cmd.exe with PowerShell in latest Win10 build –
FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region –
6 Red Team Infrastructure Tips –
Hunting For and Detecting Advanced Threats with Sysmon –
How do security professionals study threat actors, & why do we do it? –
SAMRi10: Windows 10 hardening tool for thwarting network recon –
Detect Endpoint Threats by Analyzing Process Logs in QRadar –
“Sophisticated” and “Genius” Shamoon 2.0 Malware Analysis –
Windows 10: protection, detection, and response against recent Depriz malware attacks –
Evidence of Attackers’ Development Environment Left in Shortcut Files –
Sysmon – The Best Free Windows Monitoring Tool You Aren’t Using –
The Great Cyber Game: Commentary (2) – Analysis of a message of messages containing messages –
PowerShell Logging for the Blue Team –
Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units –
My Favorite Threat Intel Tweets of 2016 –
The Incident Response Hierarchy of Needs –
The Kings In Your Castle Part 5: APT correlation and do-it-yourself threat research –
Technical developments in Cryptography: 2016 in Review –

Insider Threats: “The Shadow Brokers” Likely Did Not Hack the NSA –

Original Link :

Saturday, April 16, 2016

Things You Should Never Do While Using TOR

1. Do not use Windows!
If privacy is your main concern while using TOR then it is advisable that you do not bundle it with Windows. Always use Linux based systems like Tails, or Whonix in order to remain completely anonymous. The problem with Windows is that it contains several vulnerabilities and bugs which could have a devastating effect on your online privacy.

2. Disable JavaScript, Flash, and Java
Binary applications such as JavaScript, Flash, and Java are capable of accessing and sharing your data since they operate with your user account’s privileges. Almost every website uses JavaScript to track its users. Whereas Java and Flash are capable of bypassing TOR’s protection by ignoring the proxy settings on your device. And even TOR is incapable of protecting your online anonymity when such agents are capable of interacting with the web directly without being routed through TOR.

3. Never use P2P
The TOR network was never intended to be used for P2P sharing. Downloading torrents over TOR network slows down the browsing of other networks. Apart from this, if you’re adamant on downloading files over P2P then beware! This might compromise with your online anonymity. If you’re using BitTorrent clients with TOR then you’re allowing such clients to send your IP address to other peers as well as the trackers, directly.  And once such a communication is made, your online identity is exposed to anyone in charge of such traffic.

4. Delete your Cookies and Local Data
Although, TOR may direct your data through a series of relays in order to hide your online identity. But it is possible that the websites can use cookies, local data, and other network packets for tracking your online activities. You’re not completely anonymous on the TOR network unless you delete your cookies and local data at regular intervals.

5. Do not ‘Google’
Popular search engines like Google are notorious for storing your browsing information and search data while you’re looking up for something on the internet. This enables them to show personalized ads onto the user’s device. Thus, it is advisable that you should not ‘Google’ something while using TOR. Instead of Google, you could use DuckDuckGo or Startpage to the same effect. These search engines do not keep a log of your IP or stores cookies onto your computer. Thus, while using TOR, use such alternatives to keep your anonymity intact.

6. Never send unencrypted data over TOR
TOR only encrypts your connection and not the data that you send over it. This makes anyone who is in control of the exit nodes, access such sensitive information. Thus, it is highly advisable that you must always send encrypted data over the TOR network to keep your privacy concerns at bay.

Yes, TOR has helped us to browse the internet in the most secure way possible. However, there have been instances where people have been busted mainly because they have been careless on the network. We have enumerated such situations, where your anonymity might be compromised with. Just keep the points mentioned above in mind to avoid a situation where your online identity could be exposed even while you’re using TOR.

Wednesday, April 15, 2015

“Cyber Threat Intelligence” What Is Needed For Identification and Response?

“Cyber Threat Intelligence”
What Is Needed For Identification and Response?

What is cyber threat intelligence?
CTI “Cyber Threat Intelligence “is a term used to address any information which can be used to protect your organization IT assets against an attacker.

This IT (Threat Intelligence) can be of many forms like internet bases IP addresses, Attacker geolocations TTP’s (Tools , Tactics and Procedures ), which would work as an indicator OR early warnings of attacks or an attempt to harm the IT Infrastructure in turn harming business.

There are number vendors on the globe who give TI feeds which can be integrated with your security controls like SIEM, GRC tool and other correlation engines.

This is an attempt to identify the information which is needed as actionable TI which can used to defend your organization.

1.       Drivers
a.       These are conditions of the attacks like a Zero Day, Business related breaking news/ announcements for the organization.
2.       Prerequisites
a.       What would the attacker need to generate and trigger an attack on your organization e.g.:  Type of security controls on your perimeter, network and endpoints. Type of devices (endpoints, internet facing web servers, routers firewalls etc.  ) which are exposed to the internet.   
3.       Capabilities
a.       Capabilities of the attacker and the attack itself e.g.: The script Kidde’s would be able to generate an attacks but then would not possess the capability of post attack activity. OR a professional attacker would have the capabilities of generating an attack but the defense mechanism would be able to partially stop the attack where the attack would not get the attacker the intended results.  
4.       Components
a.       Attacking component TTP’s (Tools, Tactics and Procedures) which are used in past attacks conducted by the attacker. This would help us with indicators for defending the attack.
5.       Measurement
a.       This component is important as the measurement of the attack in terms of number and type of security events generated pre- attack condition.
6.       What is the threat?
a.       Measurements the threat of the past attack would help us in mapping the threat findings with our organization
7.       What are the threat vectors,
a.       These vectors would be more of a “type of attacks” which would be seen in the attack phase.
8.       Where else the threat vector seen on the globe?
a.       Historical threat vectors used by the attacker in past should be a part of the TI information.
9.       What was the threat impact?
a.       Historical threat impact on the victims would help to measure the attackers TTP’s
10.   What were the parameters of compromise?
a.       What would be the needed condition and parameters for a successful compromise to be conducted? 
11.   What could be the early warnings?
a.       Early warnings and indicators of past attacks conducted by the attacker.
12.   What would be a practical and approachable defense mechanism?  
a.       Historical data in terms of approach taken by the defender to defend the attacks.
13.   What would be the business impact?
a.       What was the business impact on victims in terms of data theft, ransomware and business dis-continuity  
14.   What type of IT for Zero Days?
a.       What information would the TI share in terms of Zero Days in terms of IP addresses, Geolocations, Domains names, ISP information, file names, MD5 hashes etc.?
15.   Pattern of attacks in past
a.       What patterns where generated by the attackers OR what type of internet traffic (Inbound/Outbound) per-attack conditions
16.   Attack timelines before a successful compromise.
a.       These timelines would help us to understand the skills of the attacker and allow us the decide max time frame to respond against a business accepted condition of a known vulnerability
17.   Zero Day detection and patterns based on packet, ports and geolocations.
a.       What type of traffic patterns are generated in case of Zero Days for a pre-compromise conditions
18.   What and how security controls where bypassed?
a.       The historical data of the TTP’s for bypassing of the security controls is very important as this would give us pinpointed information which would help us to defend such attacks.
19.   Post compromise (Forensics Investigation) information.               
a.       Post compromise information like...
                                                               i.      File names
                                                             ii.      MD5 hashes    
                                                            iii.      Inbound and Outbound Traffic
                                                           iv.      Internal traffic patterns
                                                             v.      Detection by internal security controls
                                                           vi.      Auto-defense OR events generated by security controls
                                                          vii.      OS and application level errors generated by the attack vector

The above are few indicators which a TI tool vendor should provide. I strongly believe that if the above information is provided by the vendors, we can surely respond and try to defend attacks.

Comments and inputs are most welcome.   

Friday, June 27, 2014

StealthWalker The Swiss army knife of privacy application

StealthWalker The Swiss army knife of privacy version 2.5.3 released. It is more stable you also have a global system key to renew TOR IP. Get your full functional copy today :)

Wednesday, December 18, 2013

Cyber Threat Protection for Executives to be Included in 2014 Business Plans

Most high profile executives can be easier targets as they are usually absent from routine security training which now exists in most firms. Over 80% of breaches or threats result from common sense security protocols not being implemented by the executive or his/her immediate staff.

These can include:
  • Not doing routine upgrades on personal machines
  • Accepting or using random memory drives
  • Not having apps verified by IT/security departments before installing on phones, tablets or computers
  • Leaving an office unlocked or making it accessible
  • Taking sensitive work home
  • Using generic email addresses (gmail, hotmail etc) for work
  • Not having the latest anti-virus or internet security software installed
  • Giving low level IT staff access to Super Admin on company servers
  • Not having a security filter installed on company emails
  • Lack of proactive cyber scanning for threat chatter or discussion relating to the executive
  • Using unverified cloud backup services
  • Not using a shredder (old school trash digging is still done by serious adversaries)
  • Using public wifi
  • Never changing passwords or using passwords which are weak
  • Not doing due diligence on vendors and giving them access
  • Randomly clicking links on “alarming emails” or alerts (designed to make you click)
(This is by no means a complete list)

Wednesday, October 16, 2013

Things You Should Never Assume When it Comes to Network Security

Things You Should Never Assume When it Comes to Network Security

  • The security systems we have are good enough.
  • Our security architecture is so complex no attacker will be able to get into our network.
  • We only REALLY need to worry about inbound firewall policies. The danger is out there! (not in the network).
  • We're up to date on patching our vulnerabilities so we are in the clear.
  • The firewall configuration is secure because it’s managed by an outside firm.
  • If no one is screaming about an outage or a virus then everything is hunky dory.
  • Network operations and application owners understand security.
  • Security is more important than business operations.
  • The security processes we have are good enough – they are written down on paper.
  • Employees will follow most if not all of the security policies.
  • It’s much more secure if we virtualize it.