Recent Articles
Threat Landscape: Malvertising
Still WIP
Malvertising vs. SEO
Malicious advertising, also known as “malvertising,” is the use of online advertising to spread malware or to redirect users to malicious websites. Threat actors leveraging malvertising often target advertisement programs such as Google AdSense, Bing Ads, and Yahoo Gemini. To get the malvertisement to display, an analyst often has to reproduce the victim's search, using the same search terms on the same search engine.
These advertisement programs use a Traffic Distribution System (TDS), a type of network infrastructure used to distribute incoming traffic across multiple servers.
Hardened CTI Environment
Purpose
Configure a hardened cyber threat intelligence (CTI) environment that reduces both the attack surface and the attributable information that could lead back to the researcher. This threat model addresses security and privacy alike.
Virtualization Software Selection
VMware, Oracle VirtualBox, and QEMU are all options. VMware and VirtualBox favor ease of configuration; however, many QEMU front-ends are available that simplify or automate its use. While most analysts will do the majority of their research from a guest VM on top of their host, some situations allow for access to a dedicated virtual private server (VPS) that provides separation from the host or acts as a proxy for intelligence probing.
Auditing GNU/Linux with OSQuery
Intro
Many incident responders struggle with Linux because their exposure to it is limited: corporate environments rarely have users interacting with a Linux desktop (outside of the occasional sysadmin). This prevents analysts from “knowing normal,” so the processes and activity on these systems quickly become an enigma. Attacks in these environments rarely rely on a delivery mechanism tailored to users, such as maldocs attached to emails or staged on compromised or malicious sites. Most attacks instead originate from misconfigured or unpatched services exposed to the public web, most commonly through vulnerabilities in web application components or their plugins.