Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Threat Hunting

Hunting AWS RDS security events with Sysdig

The AWS RDS service itself falls on the AWS side of the Shared Responsibility model, but the day-to-day management of the RDS security instances falls on your side. When it comes to shared responsibility, your obligation depends on the AWS services that you deploy, and also other factors including (but not limited to) the sensitivity of your data, your company’s requirements, and applicable laws and regulations.

Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun

The security landscape is constantly developing to provide easier ways to establish endpoint visibility across networks through the use of endpoint detection and response (EDR) utilities. However, certain challenges still remain, particularly as a result of many organizations' need for systems running legacy or proprietary operating systems, such as Solaris. If such systems are not adequately protected using other security controls or unless they can only be accessed by systems with appropriate endpoint-based detection/prevention capabilities, this can cause a gap in visibility for an organization that an adversary could abuse.

What is TTP Hunting?

TTP hunting is an intelligence-based type of cyber threat hunting that analyzes the latest TTP (Tactics, Techniques, and Procedures) used by hackers and cybercriminals. TTP threat hunters study the newest tools and technologies used by cybercriminals, learn how to detect new attack trends, and gather enough cyber threat intelligence so that companies can fully protect their attack surface.

PwnFox - An IDOR Hunter's Best Friend

Maybe I’m a bit late to the game on this one, but I recently discovered PwnFox and it has quickly one of my favorite tools yet. So, what is PwnFox? To put it simply, it’s a BurpPro extension that works with Firefox. It accomplishes two things. First, it helps containerize up to eight (yes, that’s right… eight!) different sessions within one browser and secondly, it organizes all your proxied traffic in Burp BY COLOR! I’ll dive a bit more into #2 in a second.

Featured Post

Proactive Threat Hunting Bears Fruit: Falcon OverWatch Detects Novel IceApple Post-Exploitation Framework

The CrowdStrike Falcon OverWatch™ proactive threat hunting team has uncovered a sophisticated .NET-based post-exploitation framework, dubbed IceApple. Since OverWatch's first detection in late 2021, the framework has been observed in multiple victim environments in geographically distinct locations, with intrusions spanning the technology, academic and government sectors.

Automated Threat Hunting: A Closer Look

Proactively finding and eliminating advanced threats through threat hunting is a growing necessity for many organizations, yet few have enough resources or skilled employees to do it effectively. For those who do have an active threat hunting program, the process is often manual and time consuming. With cloud security automation, however, you can implement rules that automatically adjust your security policies based on the latest threat data.

Tools for Threat Hunting and IT Service Risk Monitoring

Cybersecurity can often seem intimidating for IT teams. After all, things like “threat hunting,” “red teaming,” and “blue teaming” are not used in IT operations. On the other hand, just because these words are terms of art doesn’t mean that they’re activities you don’t do already. You’re probably already using log data as part of your IT operations incident response.

You Bet Your Lsass: Hunting LSASS Access

One of the most commonly used techniques is to dump credentials after gaining initial access. Adversaries will use one of many ways, but most commonly Mimikatz is used. Whether it be with PowerShell Invoke-Mimikatz, Cobalt Strike’s Mimikatz implementation, or a custom version. All of these methods have a commonality: targeting LSASS.

Building Your Security Analytics Use Cases

It’s time again for another meeting with senior leadership. You know that they will ask you the hard questions, like “how do you know that your detection and response times are ‘good enough’?” You think you’re doing a good job securing the organization. You haven’t had a security incident yet. At the same time, you also know that you have no way to prove your approach to security is working. You’re reading your threat intelligence feeds.

Falcon OverWatch Threat Hunting Contributes to Seamless Protection Against Novel BlackCat Attack

In an effort to stay ahead of improvements in automated detections and preventions, adversary groups continually look to new tactics, techniques and procedures (TTPs), and new tooling to progress their mission objectives. One group — known as BlackCat/ALPHV — has taken the sophisticated approach of developing their tooling from the ground up, using newer, more secure languages like Rust and highly customized configuration options per victim.