NCSC-UK Annual Review 2018 and Active Defence

On 16 October, NCSC-UK (part of GCHQ) released their second annual review for 2018. The report is really well-written and provides insights on how large scale impact can be achieved. This is a really good example of planning and implementing a well structured and funded cyber security program and National Cyber Security Strategy.

What caught my attention is the Active Cyber Defence (ACD) services and their impact:

Continue reading “NCSC-UK Annual Review 2018 and Active Defence” →

CrowdStrike’s 2018 Mid-Year Review

During the past week CrowdStrike published its 2018 Mid-Year Review call “Observation from the front lines of threat hunting“. This report provides insights, trends and details on today’s most sophisticated cyber attacks observed by CrowdStrike Falcon OverWatch team.

Some interesting points of the report include:

Continue reading “CrowdStrike’s 2018 Mid-Year Review” →

Anti-Virus Log Analysis Cheat Sheet (v1.5)

Florian Roth published the new version of Anti-Virus Log Analysis Cheat Sheet (version 1.5). I highly recommend to implement monitoring of the events included in this cheat sheet. To my mind, this is the easiest and quickest win and AV logs are one of the first things I hunt whenever I go to a new environment.

The new version has information on :

Continue reading “Anti-Virus Log Analysis Cheat Sheet (v1.5)” →

Latest advances in MITRE’s ATT&CK framework

Lots of good stuff going on for MITRE ATT&CK framework. It’s great to see the whole project evolving and stimulating cybersecurity community to better analyse intrusions and actors, enhance controls and active defense activities. See some of the latest updates:

Continue reading “Latest advances in MITRE’s ATT&CK framework” →

Costin Raiu on future sophisticated attacks

It was ~2 weeks ago when Costin Raiu wrote an article on “Where are all the ‘A’s in APT?”. In this article, Costin focused on what is regarded as sophisticated in observed APT attacks as well as how future detected sophisticated attacks will look like:

Continue reading “Costin Raiu on future sophisticated attacks” →

Mapping Threat Actor TTPs to ATT&CK Framework

This is a great blog post from Digital Shadows . Their team has gone through Mueller GRU indictment and mapped the mentioned capabilities to ATT&CK framework TTPs (accompanied with mitigation advice per TTP).

Blue teams should learn from this type of analysis:

Continue reading “Mapping Threat Actor TTPs to ATT&CK Framework” →

GhostPack: C# Offensive Framework

This is a game changer for red teaming and offensive security. The guys from SpecterOps have just published GhostPack. This represents the transition from Offensive PowerShell frameworks to C# frameworks. This was much expected as blue teams are catching up on PowerShell detection/prevention controls. Moreover, red teams need “offense in depth” having different variations of their toolset based on the engagement needs.

GhostPack is a collection various C# implementations of previous PowerShell functionality, and includes six separate toolsets being released:

Continue reading “GhostPack: C# Offensive Framework” →

Tilting at windmills

A blog about threat intelligence, incident response, threat hunting, red/purple/blue teaming.