Passive DNS Monitoring – Why It’s Important for Your IR Team
DNS is an unsung hero among protocols during a network investigation. It’s almost universally used by other protocols such as HTTP, SMTP, and the like. It’s also a plaintext protocol, which can benefit an incident responder who cannot otherwise examine the contents of an encrypted connection. However, passive DNS monitoring (also known as DNS logging) […]
Detection Profile: Silent Periodic Activity
One hallmark of many malware events is the regular periodic behavior they present when rallying to and checking in with their command and control servers. The check-in interval can be a very useful metadata point in hunting an adversary. However, the constant state of change that attackers can use for their own infrastructure makes this […]
“Operation Cleaver” Blade Dulled
“Operation Cleaver” is an attack campaign Cylance details in a new report. They contend an Iran-based attack group has compromised hundreds of targets in multiple countries and industries. Regardless of the claims of attribution, the message is clear: well-financed, strategically focused attack groups continue to digitally plunder their targets. As a community, our decades-old approach to […]
Are Rogue Code Signing Keys in Your Environment?
Although this specific example has been exposed as part of a joke, the threat is real – code signing keys are often targeted by advanced attackers. Keys stolen during other breach operations have been used to sign malicious software. Perhaps this was inevitable – it appears the attackers behind the Sony breach are using stolen code signing keys […]