Friday, March 5, 2021

The new "LinkedInSecureMessage" ?


[Image: stage 1 malware, from a PDF in a LinkedIn mail phishing message]


With all the talk of secure messenger applications lately, I bet you’d like to have just one more, right? In the past few weeks, we’ve noticed a new variant on a typical cred-stealer, in this case offering itself up as a new, secure messaging format used right here on the career website LinkedIn.

There’s only one problem with this… there is no such thing as a “LinkedIn Private Shared Document”.

Not Quite Secure

Victims will receive an ordinary message, likely from someone with whom they are already connected. These are not sent through the more recent, unsolicited “InMail” feature, but as a regular, internal “Message” on LinkedIn. There is nothing interesting about the message itself, except that it contains a 3rd-party link, claiming to be a “LinkedInSecureMessage,” which serves up the nice-looking pdf file shown above.

If you click “VIEW DOCUMENT,” it opens up a convincing LinkedIn login page. ...


...this diary was published on the Internet Storm Center website, read the complete article at:

https://isc.sans.edu/forums/diary/The+new+LinkedInSecureMessage/27110/


Wednesday, October 7, 2020

Thank you's and inspirations for "Comparing open source adversary emulation platforms for red teams" (Re-post including new content)



I'll be focusing mostly over the next several months on macOS malware and any new or innovative threats and defenses that come up. I'll also revisit an awesome friend and discuss how threat-landscape prioritization has evolved over the past 18 months, so I'd better share this re-post now.



Since last spring, when I set out to compare "red team" emulation platforms and explore this notion of cyber "emulation" in general, I have felt that not enough thanks were given, nor enough "shout-outs" to a small selection of the folks whose work has inspired me to continue learning every week.

Since I worked on this topic, the community at large has embraced "emulation" even further, including lots of great new documentation on the Atomic Red Team project sites; see, for example, the wiki page at the Invoke-Atomic repository. There is a series of short instructional videos on this YouTube channel. You can also find an in-depth 2 hour webcast here, with 11 hands-on labs here. On that page, Invoke-AtomicRedTeam installation and usage instructions can be found in the index on the right (in the sidebar).

Monday, January 13, 2020

Featured on the Brakeing Down Security Podcast






I just revisited a show we did recapping the year in InfoSec, looking forward to 2020, which focused largely on building community and gaining insight from other industries. Instead of a special guest, Bryan, Amanda, and Brian invited the leaders of their online community, including myself, to join the show this time around. If you haven't heard it already, it is worth checking out if the topic sounds interesting to you. If you're not a regular BrakeSec listener but follow me, you may remember a show from over 2 years ago which I recorded for BrakeSec at SANS Berlin.


Below are the complete "show notes" from the Brakeing Down Security Podcast's [sic] website, which you can find here with all complete contact information, and as well here is the show link on iTunes:


https://brakeingsecurity.com/2019-046-end-of-the-year-end-of-the-decade-predictions-and-how-weve-all-changed


---


End of year, end of decade
Good, Bad, Ugly
The Future
Other topics
Recent news
News Stories from 2010 (see if they still make sense, or outdated)


Are things better than 10 years ago? 5 years ago?


If there was one thing to change things for the better, what would that be?






Did naming vulns make things better?


Which industries are doing a good job of securing themselves? Finance?


What do you wish never happened (security/compliance wise)?


Ransomware infections with no bounties


Still have people believing “Nessus” is a pentest






https://nrf.com/


https://www.retailitinsights.com/eventscalendar/eventdetail/1c77d5c6-8625-4f2b-bb98-89cca6590c49


https://monitorama.com/


https://www.apics.org/credentials-education/events






PREDICTIONS!!!


Bryan: The rise of the vetting programs (Companies will want to vet content creators in their eco-systems)


Cybuck: An uptick in surveillance tech; both disguised as cool home smart gadgets and straight up public safety. Triggering a US GDPR type response.


Injection remains as the undisputed heavyweight champion of app sec vulnerability (OWASP top 10). And wishful thinking...broken authentication moves lower, denial of service goes down. https://twitter.com/WeldPond/status/1207383327491137536/photo/1


JB: a major change in social media/generational shift in how we use it, legal or focus on new types of mobile tech for example… Human networking in real-life in the age of ‘social’ ….“When you hire someone… you also hire their rolodex” --- what do you think about this statement? ..it’s role in InfoSec? Talent?






JB- shouted out https://github.com/redcanaryco/atomic-red-team (Invoke-Atomic framework with powershell now on Linux, OSX, and Windows)






JB - Link to the hunting/stopping-human-trafficking org I mentioned:


Shoutout


Sherrie Caltagirone, Executive Director, Global Emancipation Network @GblEmancipation


https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1569941622.pdf






Mentioned https://monitorama.com/ https://github.com/viq/air-monitoring-scripts (viq from BrakeSec)









Talk about where you were 10 years ago, and what you did to get where you are?


Best Hacking tool?


Best Enterprise Tool?






https://www.zdnet.com/article/more-than-38000-people-will-stand-in-line-this-week-to-get-a-new-password/


https://www.phoronix.com/scan.php?page=news_item&px=CERN-MALT-Microsoft-Alternative


https://www.iotworldtoday.com/2019/12/21/2020-predictions-apis-become-a-focus-of-iot-security/


https://www.jonesday.com/en/insights/2018/10/california-to-regulate-security-of-iot-devices










https://www.infosecurity-magazine.com/magazine-features/what-makes-a-ciso-employable/


https://www.csoonline.com/article/2231454/verizon-s-2010-dbir--rise-in-misuse--malware-and-social-engineering.html


https://www.owasp.org/index.php/OWASPTop10-2010-PressRelease

Tuesday, October 22, 2019

Behavior-based Threat Hunting






I had the privilege of attending the SANS Threat Hunting and Incident Response Summit a few weeks ago as a volunteer for SANS. I also volunteered as an in-class simulcast moderator for Matt Bromiley’s Forensics 508 class, as I shared a couple of weeks ago. This is the first of 3 diaries I’d like to share with you over the next few months, covering some ideas I’ve brought back to the community at large.

There was no official “theme” of the Summit, but I would summarize the most important take-away as “Stay Focused.” Use your creativity to chase threats down rabbit-holes, but stay focused on the correct rabbit-holes at the right times, and do not deviate even when you see something else that may be interesting. In other words, in your daily work, analysis, managing, or hunting... work innovatively but not recklessly. If you work in a very large organization, this is especially crucial.

Today I’m going to briefly share with you knowledge and links from a talk which I found very valuable, suggest a few ways you might apply this at a high-level to your daily work, and point to a few ideas which I’m researching further, which may also spur your own creativity.

David Pearson, currently working at a company called Awake Security, gave a talk he called “Remote Access Tools: The Hidden Threats Inside Your Network.” Here is a link to his slides. I was happy to spend some time with David after his talk and gain more insight into his ideas. If you are interested specifically in his security research on the hazards of TeamViewer and LogMeIn, I’d recommend reading the following highly technical posts, as well as this historical 3-part series from Optiv on the TeamViewer application.

The image below is a great illustration of the difference between behavior-based hunting and traditional defense, such as trying to block a specific executable file or hash (a very “painful,” infinitely-changeable type of telemetry; see David Bianco's work on the Pyramid of Pain if you are new to this concept):

[Image: why behavior-based threat hunting versus traditional. Credit: David Pearson]


You can also see, in the specific example below, the striking difference between RDP traffic at rest and a file upload, which may be an indicator of malicious activity versus an administrator doing their daily work. File exfiltration stands out like a toddler writing all over the wall with a bright red Crayola:

[Image: file exfiltration example chart, RDP exfil versus normal traffic at rest. Credit: David Pearson]
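To make that chart's idea concrete, here is an added example (my own code, not from David Pearson's talk or his slides) that scores RDP sessions by the share of bytes the client sends. Interactive RDP is dominated by server-to-client screen updates, so a session where the client sends most of the bytes, far above the population median, is the "upload" shape worth a hunt. The flow records are constructed for the example; the port, thresholds and `Flow` fields are assumptions, not any product's schema.

```python
"""Behavior-based check for RDP sessions: flag sessions whose client-to-server
byte volume looks like a bulk file upload rather than interactive use.

Added example; the flow records below are constructed, not captured data.
"""
from dataclasses import dataclass
from statistics import median

RDP_PORT = 3389  # assumption: sessions are identified by destination port


@dataclass(frozen=True)
class Flow:
    src: str         # client address (the RDP initiator)
    dst: str         # server address
    dport: int       # destination port
    bytes_out: int   # client -> server
    bytes_in: int    # server -> client
    duration_s: int  # session length in seconds


# Constructed sample: three ordinary interactive sessions (server sends most of
# the bytes), one session that looks like an upload over drive redirection,
# and one HTTPS flow that the check must ignore.
FLOWS = [
    Flow("10.0.1.15", "10.0.5.20", 3389, 180_000, 4_200_000, 1800),
    Flow("10.0.1.22", "10.0.5.20", 3389, 95_000, 2_900_000, 900),
    Flow("10.0.1.15", "10.0.5.21", 3389, 210_000, 5_100_000, 2400),
    Flow("10.0.1.40", "10.0.5.20", 3389, 3_800_000, 250_000, 600),  # upload shape
    Flow("10.0.1.15", "10.0.5.30", 443, 60_000, 900_000, 120),      # not RDP
]


def upload_ratio(f: Flow) -> float:
    """Fraction of the session's total bytes that the client sent."""
    total = f.bytes_out + f.bytes_in
    return f.bytes_out / total if total else 0.0


def baseline_ratio(flows) -> float:
    """Median client-share across RDP sessions; this is the 'at rest' shape."""
    ratios = [upload_ratio(f) for f in flows if f.dport == RDP_PORT]
    return median(ratios) if ratios else 0.0


def find_upload_like_sessions(flows, ratio_floor=0.5, multiple=5.0):
    """Return (client, server, client_share) for RDP sessions where the client
    sent at least `ratio_floor` of the bytes AND that share is at least
    `multiple` times the population median. Both conditions together keep a
    single chatty session from being flagged on a tiny baseline."""
    base = baseline_ratio(flows)
    hits = []
    for f in flows:
        if f.dport != RDP_PORT:
            continue
        share = upload_ratio(f)
        if share >= ratio_floor and share >= multiple * base:
            hits.append((f.src, f.dst, round(share, 3)))
    return hits


if __name__ == "__main__":
    print(f"baseline client share: {baseline_ratio(FLOWS):.3f}")
    for hit in find_upload_like_sessions(FLOWS):
        print("upload-like RDP session:", hit)
```

Note that the flagged session is found without any hash, filename or signature: only the direction of the bytes matters, which is exactly the kind of telemetry an attacker cannot cheaply change. In practice you would feed this from NetFlow/IPFIX or Zeek `conn.log` fields and tune `ratio_floor` against sessions you know to be administrator drive copies.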

Three open-source tools were mentioned that anyone could use to effectively perform behavior-based hunting: Wireshark (including writing Lua dissectors for Wireshark), as well as the browser-based tool CyberChef (you'll want to host your own version internally). There is also a great example of writing custom Lua dissectors in the book Attacking Network Protocols by James Forshaw, which we've been reading this year in the InfoSec Book Club.

In most organizations, innovation and supporting your developers and/or customers must take priority over actions like simply blocking applications. This, then, is a perfect example of where advanced defenses like behavior-based threat hunting can be used. Regardless of your exact job function, behavior-based analysis is a key concept to brainstorm about and use to stomp out similar threats from unwanted or potentially unwanted (aka “PUP”) applications before they become malicious.

Threat hunting has been a buzzword in InfoSec for the past few years, but in reality you can apply behavior-based analysis to almost any area of work. A personal favorite resource of mine, if you’d like a strong, classic example of anomaly-based threat hunting, is “Threat-hunting using 16th Century Math and Sesame Street” from the RSA Conference this year by Vernon Habersetzer.

If you’d like to be in touch feel free to DM me on the Brakeing Down Security [sic] Slack, DShield / Internet Storm Center Community Slack, Threat Hunters' Guild or on twitter, all as @cherokeejb_.

Please also let me know if you’ve ever written Lua dissectors for Wireshark as well; this is something that currently I’m looking into with renewed interest, along with a few other members of the security community.
