Real-time vs After the Fact: Pitfalls of Log-based Behavioral Threat Detection

Posted by Yaron Zinar on Apr 13, 2017 7:52:35 AM

It was recently reported that the Shadow Brokers, the group behind the Equation Group leak, are selling a new set of tools that can tamper with Windows event logs. What stood out to me was how ineffective security solutions that rely solely on logs for detecting threats become in that case. Implementing a security analytics or UEBA product that relies on logs to detect advanced cyber threats has advantages, but it is also risky.


Topics: APT, User and Entity Behavior Analytics, Threat Detection

How the CIA Twists the APT Kill Chain to Avoid Detection

Posted by Avi Kama on Apr 4, 2017 8:01:00 AM

A couple of weeks ago, in my blog post on Improving Hacking Techniques Used by the CIA, I talked about how DLL hijacking could be made easier. Looking further at the CIA documents, I found an interesting twist that the CIA is taking on the APT kill chain. The APT kill chain is a well-accepted description of the way APTs are operated. The chain contains 7 stages (as described on Wikipedia):


Topics: APT, Preempt Research Team, CIA

Taming ProjectSauron’s Evil Eye From Compromising Domain Controllers

Posted by Avi Kama on Aug 18, 2016 10:58:46 AM

In the past few days we all learned of the latest advanced cyber-espionage spyware, ProjectSauron. An in-depth analysis published by Kaspersky Lab found it to be one of the most advanced cyber-warfare malware ever made. The malware was named ProjectSauron after a reference to the evil dark lord of The Lord of the Rings was found embedded in the code.


Topics: APT, ProjectSauron, User and Entity Behavior Analytics, Domain Controller

Five Common Misconceptions in Enterprise Security Organizations - Part Two

Posted by Eyal Karni on Aug 3, 2016 8:00:00 AM

In my previous blog post (part 1), I talked about common misconceptions in enterprise security organizations as they relate to IT security skills challenges, along with the disadvantages of counting on log-based solutions for stopping advanced attacks. This week I'd like to focus on three other common misconceptions in IT security organizations. I'll be talking about why bigger isn't necessarily better, why User and Entity Behavior Analytics on its own is not enough, and why "zero configuration" solutions will let you down.


Topics: User Behavior, APT, User and Entity Behavior Analytics

Five Common Misconceptions In Enterprise Security Organizations - Part One

Posted by Eyal Karni on Jul 28, 2016 9:40:49 AM

In enterprise security organizations, decisions are often made without looking at the big picture. Putting together a security strategy is hard, and sometimes it's impossible to fully understand the different features and advantages that different security solutions provide versus what the organization really needs. Current trends, rumours, a lack of security skills, or the need to feel secure might all influence these decisions. Without comprehensive security knowledge, of the kind good attackers or good security researchers often have, an organization can leave itself exposed.


Topics: Security Skills, APT, Domain Controller

Disrupting an Attacker from Exploiting Domain Credentials

Posted by Avi Kama on Jul 20, 2016 9:57:42 AM

We security professionals read the same message over and over: time is not on our side. The recent Verizon DBIR 2016 report illustrates how quickly threat actors get in and out of networks. Many other similar security data reports list the possible reasons and deflect responsibility, which ultimately means "all we can do is our best."


Topics: User Behavior, APT, Credential Compromise