#ctisummit — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #ctisummit, aggregated by home.social.
-
I'm speaking at the @SANSInstitute #CTISummit on an operation against #Rhadamanthys years before #OperationEndgame.
-
The alert tells you that one artifact of Bazar has been discovered. Your first task should be finding at least one other Bazar artifact to determine if the malware has actually infected the system.
With any alert that mentions named malware, you’ve got a leg up because you can leverage everything the world already knows about the malware. But, you’ve got to do the research work! Some Googling reveals lots of published information about Bazar. For example, check out these two articles:
1. https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/
2. https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I
From these articles, you want to look for artifacts that are easy to find given the evidence sources you have available. Ideally, those artifacts are tied to events in the timeline near the event you already know about — the potential C2 traffic. For example, you could…
1. Look for C2 network traffic that matches the pattern in the article
2. Identify executions of new DLLs
3. Seek newly written registry RUN key entries
Among other things…
Not many folks in the replies actually did research on the malware, but a few did mention doing it. My response of the week goes to @thomaspatzke, who captured some of those ideas (https://infosec.exchange/@thomaspatzke/109788268480096606). Doing research is part of the job and a skill to develop. It involves identifying relevant info, synthesizing it, and knowing your evidence sources well enough to focus your efforts. You get better at it by doing it more and internalizing feedback on what works and doesn’t. Lots of analysts feel like spending time reading about malware is distracting them from the real world of looking at the evidence. Overcome that worry -- doing that reading when alerts like this come up is a core part of the work.
By the way... if you were at the #CTISummit, I did some live forecasting for this scenario 😄
Speaking of research… some folks focused on network artifacts while others focused on host artifacts. Where do you normally focus? In what circumstances might that limit you? That’s something to think about… 🚀 #InvPath #DFIR #SOCAnalyst #ThreatIntel
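The pivot the post describes, as an added Python example that is not part of the original thread or the cited articles: starting from the timestamp of the alerted C2 event, it pulls DLL loads from outside system directories and Run key writes out of a constructed event sample within a time window, and then checks whether a Run key value references one of the loaded DLLs. All paths, times and addresses are constructed placeholders, not Bazar indicators.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical paths, times and addresses; not real Bazar IoCs).
EVENTS = [
    {"ts": "2023-02-01T10:00:05", "type": "image_load", "proc": "rundll32.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\upd.dll"},
    {"ts": "2023-02-01T10:00:40", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Upd",
     "value": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,Start"},
    {"ts": "2023-02-01T10:01:10", "type": "net_conn", "proc": "rundll32.exe",
     "dst": "203.0.113.5:443"},                                # the alerted potential C2 event
    {"ts": "2023-02-01T10:02:00", "type": "image_load", "proc": "rundll32.exe",
     "image": r"C:\Windows\System32\kernel32.dll"},           # benign system DLL, should be ignored
    {"ts": "2023-02-01T16:45:00", "type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\OneDrive\OneDrive.exe"},    # Run key, but hours away from the alert
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def corroborating_artifacts(events, alert_ts, window_minutes=30):
    """Return (label, event) pairs for DLL loads outside system directories and
    Run key writes that fall within +/- window_minutes of the alerted event."""
    center = datetime.fromisoformat(alert_ts)
    delta = timedelta(minutes=window_minutes)
    hits = []
    for e in events:
        if abs(datetime.fromisoformat(e["ts"]) - center) > delta:
            continue  # outside the timeline neighbourhood of the alert
        if e["type"] == "image_load" and not e["image"].lower().startswith(SYSTEM_DIRS):
            hits.append(("dll_outside_system_dir", e))
        elif e["type"] == "registry_set" and RUN_KEY.search(e["key"]):
            hits.append(("run_key_persistence", e))
    return hits

def linked_persistence(hits):
    """Paths of loaded DLLs that a nearby Run key value also references: the
    strongest corroboration, because two independent artifacts agree."""
    dlls = {e["image"].lower() for label, e in hits if label == "dll_outside_system_dir"}
    run_values = [e["value"].lower() for label, e in hits if label == "run_key_persistence"]
    return sorted(d for d in dlls if any(d in v for v in run_values))

if __name__ == "__main__":
    found = corroborating_artifacts(EVENTS, "2023-02-01T10:01:10")
    for label, e in found:
        print(label, e["ts"], e.get("image") or e.get("key"))
    print("linked:", linked_persistence(found))
```

Widening the window trades fewer missed artifacts for more benign noise, so the second function matters more as the window grows.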