Blog

Category: Botnets

Splunking The Modern Honey Network: Community Data (Part 4)

Over the last 3 weeks, I’ve looked at: ingesting Modern Honey Network data into Splunk, adding context to MHN data using threat feeds, and creating alerts using MHN data. In this post I am going to give you a brief insight into the data that was reported back from...


Decreasing Dwell Time - How Long Intruders Go Undetected

The evaluation of technical threat intelligence data is a nascent art. When evaluating Indicator sources many focus on counting the number of indicators the source has. The next step in evaluating indicator sources is usually based upon the number of True Positive alerts generated by the IoCs compared to the...


Targeted Ransomware Activity

Overview. Since late 2013 there has been a growing trend of Ransomware activity. In these attacks actors encrypt files on hard drives, and request that a ransom be paid in order to decrypt the files. Many of these attacks have focused on client side vulnerabilities using phishing messages as a delivery...


Three Month FrameworkPOS Malware Campaign Nabs ~43,000 Credit Cards from Point of Sale Systems

Threatstream Labs came across an interesting FrameworkPOS sample: although it is two months old, it is digitally signed and its certificate hasn't been revoked. FrameworkPOS is a malware family that targets POS (Point of Sale) terminals and its main objective is to steal credit card data from them in...


How To Prevent Threats From Slipping Through the Big Data Cracks

When it comes to data breaches, the risk for organizations is high – from the easily calculable costs of notification and business loss to the less tangible effects on a company's brand and customer loyalty. In recent years, many businesses have been increasing their budget allocations for security –...


Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels

ThreatStream Labs recently became aware of a campaign beginning on 30 June 2015 by the omnipresent Wekby threat actors (a/k/a TG-0416, APT-18, Dynamite Panda). The Wekby actors have recently been observed compromising organizations in the Manufacturing, Technology and Utilities verticals, but have had a long-standing interest in the...


The Blind Spot

In cyber security ignorance is never blissful. It is downright scary. Many security operation teams have yet to develop an internal threat intelligence strategy and are currently operating with large blind spots when it comes to threats. Let's walk through a simple scenario to help you...


Digging into ShellShock Exploitation attempts using ShockPot Data

Late last week we developed and released a new open source honeypot, Shockpot, designed to mimic servers vulnerable to ShellShock (CVE-2014-6271) and automatically download payloads from exploitation attempts. In this blog post we characterize the attacks our global deployment of Shockpot honeypots saw as well as the payloads...


Introducing ShockPot: The intelligence driven defense against ShellShock

While the security community is still recovering from the Heartbleed exploit disclosed this past April, here comes another game changing vulnerability: ShellShock. The simple but severe vulnerability affects one of the most commonly deployed command line shells and puts millions of systems at risk to local and...


The Security Operations Holy Grail

Responding to a data breach is hard. But understanding how you got there is key to moving an effective defense towards reality. In security operation centers (SOC), it's often said you have to crawl before you walk. Most enterprise firms are just now capable of walking. To us,...
