Monthly Archives: March 2018

• Developers in a RisingStack survey citeperformance, security, and deployment difficulties in production environments
  
• Not all security and performance is the result of ‘bad code’. Platforms and protocol implementations are more often than not the culprit
  
• Application services can address both security and performance problems
  
• Automation and self-service enabled services can ease deployment woes

For years we’ve been told ‘there’s an app for that’. And thus far, I have found that to be mostly true. I have apps for things I never thought I’d need an app for. But when I did and went looking there it was, like magic.

Now, no one goes around saying ‘there’s an application service for that’, but maybe they should. At least in the confines of IT. Because just as there’s often an app for what I need to do, there is often an application service for what a developer needs to do – or address – in production environments.

Take security, for example. It was the number one pain point in production according to developers in a RisingStack survey.

PAIN POINT: SECURITY

Now, the survey didn’t go into details with respect to what, exactly, about security is a pain point (though I’m sure if asked we’d get a wide variety of responses). What I do know is that 38% of respondents in an app role (developers) in our 2018 State of Application Delivery survey tagged “increasing sophistication of attacks” as their number one security challenge for the next year. 26% said a lack of IT skills in security, and 23% said difficulty in securing applications – particularly web apps – from attack.

If we view the pain point through that lens (and since it’s my blog, I’m going to) then there is an application service for that. Several, in fact. Even if the goal is to virtually patch or prevent an existing vulnerability from being exploited.

And there are a lot of those out there. The thing is that every breach, every unauthorized access, every bit of data that leaks tends to be blamed on a developer – even when the vulnerability was in a third-party library or hidden deep in the packets of a protocol or in a platform used by millions (literally) of other sites on the Internet. But Lori, you’re thinking, the 79% of an application comprised of libraries only accounts for 2% of known vulnerabilities according to careful inspection.

And yet some of the highest profile breaches and data loss have been due to that 2% – vulnerabilities in platforms and common libraries shared by millions of people.

A web application firewall (one of the thirty application services we track in our annual survey) addresses both – and the growing portfolio that attackers use to gain access, drain resources, or steal data. App access control, too, provides a layer of protection for credentials (valuable themselves) as well as the application and its data. Worthy of note is that 75% of all respondents in our annual survey indicated they use App access control to protect applications both on-premises and in the public cloud.

PAIN POINT: PERFORMANCE

Likewise, performance is not something a developer can always control. There’s the impact of code standards – which err on the side of long term sustainability – on app performance. Sometimes you can’t use the most efficient data structure or syntax. You have to keep in mind that someone else has to maintain and modify that code down the line. Sometimes it’s the impact of variables outside your control – capacity, demand, network conditions, and that customer that refuses to give up on that ten-year old PC running Windows ME.

There’s an application service (several, actually) to address that pain point, too. A veritable plethora of options from TCP optimization to caching to compression to offloading expensive cryptographic processing. All these application services can improve performance and delight users.

A good number of folks already employ just these services to make their apps go faster and safer, addressing both pain points of performance and security.

PAIN POINT: DEPLOYMENT

But developers indicated it isn’t just security or performance problems that give them headaches in production, it’s also deployment – which focuses on how you get those apps and application services executing in production.

This is bigger problem that can’t be solved by a single application service – or even a chain of application services. Solving the deployment pain point requires a more strategic initiative around automation and orchestration and embracing DevOps ideas like infrastructure as code.

It takes a concerted effort to move traditional NetOps to embrace the principles and methodologies of DevOps to codify the processes necessary to deploy the necessary changes in production required to support developers.

That means infrastructure vendors must provide API-enabled infrastructure, and support the ability to operate in a more declarative model that relies on templates and deployment artifacts rather than CLIs.

Of the three pain points developers note, deployment is the most difficult to address because there is no single tool or technology that can solve it. It requires collaboration and a concerted effort to transform IT from a manually driven deployment model to the automated assembly line approach of the future.

Regardless of the ease or difficulty in addresses developers’ pain points, the fact is all three can be addressed by NetOps in production. Whether with a liberal helping of application services or a more dedicated effort to internal digital transformation, NetOps can make moving into production a less painful – and more successful – experience for everyone.

via:  f5

Snapchat may still be getting a lot of heat for their redesign, but the company is continuing to devote resources to build out Snap Map, the map-based feature it introduced last year.

A new feature called Map Explore will let you thumb through Snap Map updates in a more methodical way, so that you can see where your friends are and where they’re traveling. These statuses are generated by your friends’ movements rather than them physically typing out something on their own. Snap Map is importantly an opt-in feature, so if you’re understandably creeped out by the privacy implications, carry on.

The feature, first noted by The Verge, is furthering Snapchat’s idea of a map-based feed in Snap Map, but Map Explore integrates some more conventional UI elements and notifications to call users’ attention to items of interest that might otherwise get lost in the expanse. It’s just a start, but it’s definitely a necessary move. Expecting users to pan around a map is daunting enough for the immediate surrounding area, but when you’re trying to get users to see where your friends are vacationing or doing other cool stuff, it’s a lot more difficult.

The feed can give updates on the jet-setting habits of friends who are going on trips; it also can give location updates when they’re off to the beach or at another noteworthy spot. What’s perhaps most interesting is that Snapchat says they’ll be using the feature to push updates or breaking news updates to users based on areas of the Snap Map that are seeing a lot of traffic tied to news events.

The feature is going to be rolling out globally in the next few weeks.

via:  techcrunch

“All editions” of Windows 10 will be able to run in S Mode, a setup Microsoft believes will help prevent novice users from clogging up machines with crapware.

• It will be free to switch any version of Windows 10 out of S Mode, which locks the OS to only running apps from the Microsoft Store.
  
• Windows 10 PCs in S Mode will be available in stores following Windows’ next big feature upgrade, expected in April.

Microsoft appears to have reversed an earlier decision to charge users to unlock certain Windows 10 PCs to run apps from outside the Microsoft Store.

Joe Belfiore, Microsoft’s corporate VP in the operating systems group, confirmed it will now be free to switch any edition of Windows 10 out of S mode, which locks the OS to only running apps from the Microsoft Store.

This move seems to be an about-turn from when Microsoft revealed Windows 10 S as a new edition of the OS last year. At that stage, Microsoft said users of Windows 10 S machines would eventually be charged $49 to switch to an unlocked version of Windows 10 Pro.

Belfiore confirmed that “all editions” of Windows 10 will be able to run in S Mode, a setup that Microsoft believes will help prevent novice users from clogging up their machines with software that slows performance or that poses a security risk. It will also offer admins of corporate PCs another option for controlling how staff use their machines.

Following the next big feature update to Windows 10, which appears to be the Redstone 4 update due around April, Belfiore said “customers can choose to buy a new Windows 10 Home or Windows 10 Pro PC with S Mode enabled, and commercial customers will be able to deploy Windows 10 Enterprise with S mode enabled”.

While Microsoft initially sold Windows 10 S as a new edition of Windows 10, it more recently emerged that Microsoft planned to offer the locked-down S Mode across all Windows 10 editions.

Yesterday, Microsoft also released a preview of new features heading to Windows 10 later this year, when it updated the ‘Skip ahead’ build of the OS available under the Windows Insider Program.

Key among these new features in the build is Sets, which will mark quite a departure for Windowsby introducing support for tabbed windows. The feature will allow users to group together related apps, documents, files and websites, by keeping them in separate tabs in a single desktop window.

Apps that will initially support Sets’ tabbed interface will be File Explorer, Mail & Calendar, OneNote, Notepad, Windows Command Prompt, PowerShell, MSN News and the Edge browser.

The new build also features a range of other fixes, which you can read about here, and carries a warning that it may cause issues for users of Windows Mixed Reality features.

Sets and other upcoming features in this latest build are expected to be rolled out to all Windows 10 users from about October this year, when the Redstone 5 feature update is made widely available.

via:  techrepublic

Cyber Incident Response Tools are more often used by security industries to test the vulnerabilities and provide an emergency incident response to compromised network and applications and helps to take the appropriate mitigation steps.

Here you can find the Comprehensive Cyber Incident Response Tools list that covers to use in various types of incident response phases at all the Environment to handing the incidents by Penetration Testers and  security Analyst.

All in one Incident Response Tools

• Belkasoft Evidence Center – The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps
  
• CimSweep – CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows
  
• CIRTkit – CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes
  
• Cyber Triage – Cyber Triage remotely collects and analyzes endpoint data to help determine if it is compromised. It’s agentless approach and focuses on ease of use and automation allows companies to respond without major infrastructure changes and without a team of forensics experts. Its results are used to decide if the system should be erased or investigated further.
  
• Digital Forensics Framework – DFF is an Open Source computer forensics platform built on top of a dedicated Application Programming Interface (API). DFF proposes an alternative to the aging digital forensics solutions used today. Designed for simple use and automation, the DFF interface guides the user through the main steps of a digital investigation so it can be used by both professional and non-expert to quickly and easily conduct a digital investigations and perform incident response
  
• Doorman – Doorman is an osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery’s TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness
  
• Envdb – Envdb turns your production, dev, cloud, etc environments into a database cluster you can search using osquery as the foundation. It wraps the osquery process with a (cluster) node agent that can communicate back to a central location
  
• Falcon Orchestrator – Falcon Orchestrator by CrowdStrike is an extendable Windows-based application that provides workflow automation, case management and security response functionality.
  
• GRR Rapid Response – GRR Rapid Response is an incident response framework focused on remote live forensics. It consists of a python agent (client) that is installed on target systems, and a python server infrastructure that can manage and talk to the agent
  
• Kolide Fleet – Kolide Fleet is a state of the art host monitoring platform tailored for security experts. Leveraging Facebook’s battle-tested osquery project, Kolide delivers fast answers to big questions.
  
• Limacharlie – an endpoint security platform. It is itself a collection of small projects all working together, and gives you a cross-platform (Windows, OSX, Linux, Android and iOS) low-level environment allowing you to manage and push additional modules into memory to extend its functionality
  
• MIG – Mozilla Investigator (MIG) is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents and day-to-day operations security
  
• MozDef – The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers
  
• nightHawk – the nightHawk Response Platform is an application built for asynchronus forensic data presentation using ElasticSearch as the backend. It’s designed to ingest Redline collections.
  
• Open Computer Forensics Architecture – Open Computer Forensics Architecture (OCFA) is another popular distributed open-source computer forensics framework. This framework was built on Linux platform and uses postgreSQL database for storing data
  
• Osquery – with osquery you can easily ask questions about your Linux and OSX infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company. Queries in the incident-response pack help you detect and respond to breaches
  
• Redline – provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile
  
• The Sleuth Kit & Autopsy – The Sleuth Kit is a Unix and Windows based tool which helps in forensic analysis of computers. It comes with various tools which helps in digital forensics. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things
  
• TheHive – TheHive is a scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.
  
• X-Ways Forensics – X-Ways is a forensics tool for Disk cloning and imaging. It can be used to find deleted files and disk analysis
  
• Zentral – combines osquery’s powerful endpoint inventory features with a flexible notification and action framework. This enables one to identify and react to changes on OS X and Linux clients.

Books

• Dfir intro – By Scott J. Roberts
  
• The Practice of Network Security Monitoring: Understanding Incident Detection and Response – Richard Bejtlich’s book on IR

Communities

• augmentd – Community driven site provididing a list of searches that can be implemented in and executed with a variety of common security tools.
  
• Sans DFIR mailing list – Mailing list by SANS for DFIR
  
• Slack DFIR channel – Slack DFIR Communitiy channel – Signup here

Disk Image Creation Tools

• AccessData FTK Imager – AccessData FTK Imager is a forensics tool whose main purpose is to preview recoverable data from a disk of any kind. FTK Imager can also acquire live memory and paging file on 32bit and 64bit systems
  
• Bitscout – Bitscout by Vitaly Kamluk helps you build your fully-trusted customizable LiveCD/LiveUSB image to be used for remote digital forensics (or perhaps any other task of your choice). It is meant to be transparent and monitorable by the owner of the system, forensically sound, customizable and compact.
  
• GetData Forensic Imager – GetData Forensic Imager is a Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats
  
• Guymager – Guymager is a free forensic imager for media acquisition on Linux
  
• Magnet ACQUIRE – ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems.

Evidence Collection

• bulk_extractor – bulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. Because of ignoring the file system structure, the program distinguishes itself in terms of speed and thoroughness
  
• Cold Disk Quick Response – uses a streamlined list of parsers to quickly analyze a forenisic image file (dd, E01, .vmdk, etc) and output nine reports
  
• ir-rescue – ir-rescue is a Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
  
• Live Response Collection – The Live Response collection by BriMor Labs is an automated tool that collects volatile data from Windows, OSX, and *nix based operating systems

Incident Management

• Cyphon – Cyphon eliminates the headaches of incident management by streamlining a multitude of related tasks through a single platform. It receives, processes and triages events to provide an all-encompassing solution for your analytic workflow — aggregating data, bundling and prioritizing alerts, and empowering analysts to investigate and document incidents.
  
• Demisto – Demisto community edition(free) offers full Incident lifecycle management, Incident Closure Reports, team assignments and collaboration, and many integrations to enhance automations (like Active Directory, PagerDuty, Jira and much more…)
  
• FIR – Fast Incident Response (FIR) is an cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents and is useful for CSIRTs, CERTs and SOCs alike
  
• RTIR – Request Tracker for Incident Response (RTIR) is the premier open source incident handling system targeted for computer security teams. We worked with over a dozen CERT and CSIRT teams around the world to help you handle the ever-increasing volume of incident reports. RTIR builds on all the features of Request Tracker
  
• SCOT – Sandia Cyber Omni Tracker (SCOT) is an Incident Response collaboration and knowledge capture tool focused on flexibility and ease of use. Our goal is to add value to the incident response process without burdening the user
  
• threat_note – A lightweight investigation notebook that allows security researchers the ability to register and retrieve indicators related to their research

Linux Distributions

• ADIA – The Appliance for Digital Investigation and Analysis (ADIA) is a VMware-based appliance used for digital investigation and acquisition and is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. It is designed for small-to-medium sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and Mac OS. Both i386 (32-bit) and x86_64 (64-bit) versions are available.
  
• CAINE – The Computer Aided Investigative Environment (CAINE) contains numerous tools that help investigators during their analysis, including forensic evidence collection
  
• CCF-VM – CyLR CDQR Forensics Virtual Machine (CCF-VM): An all-in-one solution to parsing collected data, making it easily searchable with built-in common searches, enable searching of single and multiple hosts simultaneously
  
• DEFT – The Digital Evidence & Forensics Toolkit (DEFT) is a Linux distribution made for computer forensic evidence collection. It comes bundled with the Digital Advanced Response Toolkit (DART) for Windows. A light version of DEFT, called DEFT Zero, is also available, which is focused primarily on forensically sound evidence collection
  
• NST – Network Security Toolkit – Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional
  
• PALADIN – PALADIN is a modified Linux distribution to perform various forenics task in a forensically sound manner. It comes with many open source forensics tools included
  
• Security Onion – Security Onion is a special Linux distro aimed at network security monitoring featuring advanced analysis tools
  
• SIFT Workstation – The SANS Investigative Forensic Toolkit (SIFT) Workstation demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated

Linux Evidence Collection

• FastIR Collector Linux – FastIR for Linux collects different artefacts on live Linux and records the results in csv files

Log Analysis Tools

• Lorg – a tool for advanced HTTPD logfile security analysis and forensics

Memory Analysis Tools

• Evolve – Web interface for the Volatility Memory Forensics Framework
  
• inVtero.net – Advanced memory analysis for Windows x64 with nested hypervisor support
  
• KnTList – Computer memory analysis tools
  
• LiME – LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices
  
• Memoryze – Memoryze by Mandiant is a free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis
  
• Memoryze for Mac – Memoryze for Mac is Memoryze but then for Macs. A lower number of features, however
  
• Rekall – Open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples
  
• Responder PRO – Responder PRO is the industry standard physical memory and automated malware analysis solution
  
• Volatility – An advanced memory forensics framework
  
• VolatilityBot – VolatilityBot is an automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation
  
• VolDiff – Malware Memory Footprint Analysis based on Volatility
  
• WindowsSCOPE – another memory forensics and reverse engineering tool used for analyzing volatile memory. It is basically used for reverse engineering of malwares. It provides the capability of analyzing the Windows kernel, drivers, DLLs, virtual and physical memory

Memory Imaging Tools

• Belkasoft Live RAM Capturer – A tiny free forensic tool to reliably extract the entire content of the computer’s volatile memory – even if protected by an active anti-debugging or anti-dumping system
  
• Linux Memory Grabber – A script for dumping Linux memory and creating Volatility profiles.
  
• Magnet RAM Capture – Magnet RAM Capture is a free imaging tool designed to capture the physical memory of a suspect’s computer. Supports recent versions of Windows
  
• OSForensics – OSForensics can acquire live memory on 32bit and 64bit systems. A dump of an individual process’s memory space or physical memory dump can be done

OSX Evidence Collection

• Knockknock – Displays persistent items(scripts, commands, binaries, etc.) that are set to execute automatically on OSX
  
• mac_apt – macOS Artifact Parsing Tool – Plugin based forensics framework for quick mac triage that works on live machines, disk images or individual artifact files
  
• OSX Auditor – OSX Auditor is a free Mac OS X computer forensics tool
  
• OSX Collector – An OSX Auditor offshoot for live response

Other Lists

• List of various Security APIs – A collective list of public JSON APIs for use in security.

Other Tools

• Cortex – Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API.
  
• Crits – a web-based tool which combines an analytic engine with a cyber threat database
  
• domfind – domfind is a Python DNS crawler for finding identical domain names under different TLDs.
  
• DumpsterFire – The DumpsterFire Toolset is a modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations.
  
• Fenrir – Fenrir is a simple IOC scanner. It allows scanning any Linux/Unix/OSX system for IOCs in plain bash. Created by the creators of THOR and LOKI
  
• Fileintel – Pull intelligence per file hash
  
• HELK – Threat Hunting platform
  
• Hindsight – Internet history forensics for Google Chrome/Chromium
  
• Hostintel – Pull intelligence per host
  
• imagemounter – Command line utility and Python package to ease the (un)mounting of forensic disk images
  
• Kansa – Kansa is a modular incident response framework in Powershell
  
• rastrea2r – allows one to scan disks and memory for IOCs using YARA on Windows, Linux and OS X
  
• RaQet – RaQet is an unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system
  
• Stalk – Collect forensic data about MySQL when problems occur
  
• SearchGiant – a commandline utility to acquire forensic data from cloud services
  
• Stenographer – Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. It stores as much history as it possible, managing disk usage, and deleting when disk limits are hit. It’s ideal for capturing the traffic just before and during an incident, without the need explicit need to store all of the network traffic
  
• sqhunter – a threat hunter based on osquery and Salt Open (SaltStack) that can issue ad-hoc or distributed queries without the need for osquery’s tls plugin. sqhunter allows you to query open network sockets and check them against threat intelligence sources.
  
• traceroute-circl – traceroute-circl is an extended traceroute to support the activities of CSIRT (or CERT) operators. Usually CSIRT team have to handle incidents based on IP addresses received. Created by Computer Emergency Responce Center Luxembourg
  
• X-Ray 2.0 – A Windows utility (poorly maintained or no longer maintained) to submit virus samples to AV vendors

Playbooks

• Demisto Playbooks Collection – Playbooks collection
  
• IRM – Incident Response Methodologies by CERT Societe Generale
  
• IR Workflow Gallery – Different generic incident response workflows, e.g. for malware outbreak, data theft, unauthorized access,… Every workflow constists of seven steps: prepare, detect, analyze, contain, eradicate, recover, post-incident handling. The workflows are online available or for download
  
• PagerDuty Incident Response Documentation – Documents that describe parts of the PagerDuty Incident Response process. It provides information not only on preparing for an incident, but also what to do during and after. Source is available on GitHub.

Process Dump Tools

• Microsoft User Mode Process Dumper – The User Mode Process Dumper (userdump) dumps any running Win32 processes memory image on the fly
  
• PMDump – PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process

Sandboxing/reversing tools

• Cuckoo – Open Source Highly configurable sandboxing tool
  
• Cuckoo-modified – Heavily modified Cuckoo fork developed by community
  
• Cuckoo-modified-api – A Python library to control a cuckoo-modified sandbox
  
• Hybrid-Analysis – Hybrid-Analysis is a free powerful online sandbox by Payload Security
  
• Malwr – Malwr is a free online malware analysis service and community, which is powered by the Cuckoo Sandbox
  
• Mastiff – MASTIFF is a static analysis framework that automates the process of extracting key characteristics from a number of different file formats
  
• Metadefender Cloud – Metadefender is a free threat intelligence platform providing multiscanning, data sanitization and vulnerability assesment of files
  
• Viper – Viper is a python based binary analysis and management framework, that works well with Cuckoo and YARA
  
• Virustotal – Virustotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners
  
• Visualize_Logs – Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come…)

Timeline tools

• Highlighter – Free Tool available from Fire/Mandiant that will depict log/text file that can highlight areas on the graphic, that corresponded to a key word or phrase. Good for time lining an infection and what was done post compromise
  
• Morgue – A PHP Web app by Etsy for managing postmortems.
  
• Plaso – a Python-based backend engine for the tool log2timeline
  
• Timesketch – open source tool for collaborative forensic timeline analysis

Videos

• Demisto IR video resources – Video Resources for Incident Response and Forensics Tools
  
• The Future of Incident Response – Presented by Bruce Schneier at OWASP AppSecUSA 2015

Windows Evidence Collection

• AChoir – Achoir is a framework/scripting tool to standardize and simplify the process of scripting live acquisition utilities for Windows
  
• Binaryforay – list of free tools for win forensics (http://binaryforay.blogspot.co.il/)
  
• Crowd Response – Crowd Response by CrowdStrike is a lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. It features numerous modules and output formats
  
• FastIR Collector – FastIR Collector is a tool that collects different artefacts on live Windows systems and records the results in csv files. With the analyses of these artefacts, an early compromise can be detected
  
• FECT – Fast Evidence Collector Toolkit (FECT) is a light incident response toolkit to collect evidences on a suspicious Windows computer. Basically it is intended to be used by non-tech savvy people working with a journeyman Incident Handler
  
• Fibratus – tool for exploration and tracing of the Windows kernel
  
• IOC Finder – IOC Finder is a free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise (IOCs). Support for Windows only
  
• Fidelis ThreatScanner – Fidelis ThreatScanner is a free tool from Fidelis Cybersecurity that uses OpenIOC and YARA rules to report on the state of an endpoint. The user provides OpenIOC and YARA rules and executes the tool. ThreatScanner measures the state of the system and, when the run is complete, a report for any matching rules is generated. Windows Only.
  
• LOKI – Loki is a free IR scanner for scanning endpoint with yara rules and other indicators(IOCs)
  
• Panorama – Fast incident overview on live Windows systems
  
• PowerForensics – Live disk forensics platform, using PowerShell
  
• PSRecon – PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally
  
• RegRipper – Regripper is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis
  
• TRIAGE-IR – Triage-IR is a IR collector for Windows

via:  gbhackers

Digital threat detection isn’t as easy as it was more than a decade ago. The threat landscape no longer evolves slowly in pace with signature-based malware. It moves quickly and thereby complements the rate at which new software flaws are discovered and computer criminals exploit those weaknesses to compromise vulnerable systems.

At the same time, advanced persistent threats (APTs) render pattern-based approaches and blacklisting less effective in developing protections for a wide pool of users. That’s because APTs customize their malware to hone in on a single target. In response to a one-target campaign, more traditional detection methods can’t use a “patient zero” to help secure others.

Attackers also have access to an increasingly diverse arsenal of sophisticated tools that they can use to remotely control systems, steal corporate data, and evade detection. For instance, bad actors can make use of zero-day threats and social engineering to bypass organizations’ layers of security. They can then hide within plain sight amidst the noise of innumerable security events and carry out their malicious activity.

The speed, sophistication, and stealth of digital threats today reframe detection as a “downstream” or reactive approach to security. Organizations can no longer rely on detection alone to fully protect themselves. They need something more.

That’s where foundational prevention comes in.

Foundational prevention is a proactive approach that enterprises can use to block computer criminals and limit their nefarious activity. It helps organizations identify the systems on their networks, determine if they can harden them, and detect when changes have occurred. Foundational prevention underscores these three objectives with its focus on foundational security controls such as asset discovery, security configuration management (SCM), file integrity monitoring (FIM), vulnerability management (VM), and log management.

Here’s how foundational prevention picks up where traditional detection leaves off:

1. CENTERS ON REDUCING THE ATTACK SURFACE

An attack surface constitutes all the ways an attacker can get into an organization’s systems. Detection doesn’t work to block an attacker’s entry into a corporate network. But foundational prevention does just that via two security controls. First, it leverages asset discovery to help companies build and monitor inventories of authorized and unauthorized devices and software. Security teams can then designate secure configurations for and manage the states of all authorized hardware and software.

2. INTEGRATES WITH DYNAMIC AND ACTIVE INTELLIGENCE

In some important areas, foundational prevention helps improve the effectiveness of detection methods. Such a strategy can share endpoint telemetry and attack forensic data with security information and event management (SIEM) solutions, for instance, to help reveal risks associated with known vulnerabilities and/or breaches. Indeed, security teams can use the controls of continuous vulnerability assessment and log management to respond faster to potential digital security threats.

3. ENABLES MULTI-LAYERED APPROACHES

Foundational security controls together make up a multi-layered approach that organizations can use to identify malicious activity wherever it is. As such, they can leverage foundational prevention to protect email and web browsers, implement malware defenses, and oversee the use of network ports, protocols, and services.

THE RECOGNITION THAT THREATS ARE DYNAMIC

Organizations shouldn’t just focus on traditional methods of detection such as signature analysis as means of protecting themselves against computer criminals. They should also invest in foundational prevention to deny computer criminals’ entry and block any nefarious activity should those bad actors happen to get in.

This back-to-basics approach usually proves less expensive than the costs associated with recovering from a security event. At the same time, foundational security controls can help contribute to organizations’ holistic threat stance and deliver the flexibility to adapt and change.

via:  tripwire

The online travel company Orbitz has suffered a major data breach possibly exposing the personal information associated with the owners of up to 880,000 payment cards.

The company, a subsidiary of Expedia, said in a statement that the payment card information was taken during a breach that hit its consumer and partner platforms. The exposed consumer data was taken from certain purchases made between January 1, 2016 and June 22, 2016, while information from purchases was exposed from the partner platform between January 1, 2016 and December 22, 2017.

Orbitz did not disclose the nature of the data breach, but a few industry executives believe either an Orbitz partner may be to blame or an internal staffer’s credentials were compromised.

“Orbitz mentions it believes the hacker got into the ‘Orbitz consumer and business partner platform.’ It’s not entirely clear to me what the company is referring to, but by the sounds of it third parties are able to access Orbitz customer information, which for some reason includes payment card details. Orbitz hasn’t provided any additional details about how the breach occurred, but I suspect one of the partners on this platform was compromised,” said Paul Bischoff, privacy advocate at Comparitech.com.

However, Perry Chaffee, VP of strategy at authentication company WWPass, said that the target was stored in a centralized database that was most likely accessible to “trusted” admins who could have been compromised without their knowledge and that database was probably also accessible on the back end.

“According to Verizon’s DBIR, there’s an 81 percent probability that the compromised credentials of a trusted admin were the root cause of this attack.  There’s a 19 percent chance that access resulted from a more complex back-end attack, but I’d be more focused on the 4/5 chance that an admin’s password was guessed, stolen, intercepted, or cracked,” he said.

The intrusion was discovered on March 1, 2018 and most likely took place between October 1, 2017 and December 22, 2017, Orbitz said. The company was conducting an investigation on an older Orbitz.com platform when its researchers found evidence that unauthorized access had been gained.

The information that was likely accessed may include full name, payment card information, date of birth, phone number, email address, physical and/or billing address, and gender. The company said that despite the information being unsecure it has not found any direct evidence that this personal information was actually taken from the platform.

“Our investigation to date has not found any evidence of unauthorized access to other types of personal information, including passport and travel itinerary information. For U.S. customers, Social Security numbers were not involved in this incident, as they are not collected nor held on the platform,” Orbitz said.

Orbitz was acquired by Expedia in February 2015 for $1.6 billion in cash.

“Orbitz is not alone in its lack of visibility into some systems. Any organization that is acquired by or is acquiring another business and its IT assets typically has a major blind spot with respect to its legacy or non-production systems. As is the case with most audits and post-mortems in the event of a breach, Expedia is likely looking back at the infrastructure affiliated with its prior acquisitions, like Travelocity, to ensure all of its owned databases are not similarly impacted,” said Mike Schuricht, VP product management for Bitglass.

George Avetisov, CEO of HYPR, said that while how part of the breach has not been made public the fact that this amount of personal information was stored in one locale is problematical.

“The Orbitz breach is yet another example of what happens when personal credentials are centralized. The centralization of biometrics, pins, passwords, and credit cards has proven to create a single point of failure targeted by hackers. Large enterprises are moving towards decentralized authentication in order to prevent large scale breaches, eliminate fraud and ensure user privacy,” he stated.

via:  scmagazine

Over the past three years, The National Institute of Standards and Technology defined 800-171 security requirements. These requirements were designed to protect Controlled Unclassified Information in Nonfederal information systems, as well as organizations.

When the DFAR (Defense Federal Acquisition Regulations) came out, most believed this mandate would finally create protection between government contractors who run the federal agencies to ensure that certain types of federal information are protected in any environment. The Department of Defense created milestones that each and every federal system integrator or contract holder must meet to uphold these requirements.

WHAT ARE THE 800-171 REQUIREMENTS?

There are 14 categories of security requirements that must be met. Each category has a unique set of policy tests that affected programs must meet.

1. Access Control
   
2. Audit and Accountability
   
3. Awareness and Training
   
4. Configuration Management
   
5. Identification and Authentication
   
6. Incident Response
   
7. Maintenance
   
8. Media Protection
   
9. Physical Protection
   
10. Personnel Security
    
11. Risk Assessment
    
12. Security Assessment
    
13. System and Communications Protection
    
14. System and Information Integrity

The 800-171 requirements stem from NIST 800-53, which is a DFAR that controls unclassified information shared between the federal government with a non-federal entity.

Since 2015, we have watched and engaged with many system integrators, as well as manufacturers to ensure our federal government contractors meet all 800-171 DFAR mandates. The final date when all contractors had to meet DFARS 800-171 has passed, and most are not in compliance per the December 2017 deadline. Additions and controls are to be made in upcoming months, so if you are not compliant, you need to be.

UNDERSTANDING WHAT IS AT STAKE

There will be consequences for non-compliance, as not being able to conduct business with the federal government means large revenues lost and existing federal contracts being held at a standstill or withdrawn completely.

As Beverly Cornelius points out in a blog on The State of Security, the following three things are inevitable:

• Contract Termination. It is reasonable to expect that the U.S. government will terminate contracts with prime contractors over NIST 800-171 non-compliance since it constitutes a failure to uphold contract requirements. Subcontractor non-compliance will cause a prime contractor to be non-compliant as a whole.
  
• Criminal Fraud. If a company states it is compliant when it knowingly is not compliant, that is misrepresentation of material facts. This is a criminal act, for it fits the definition of any act intended to deceive through a false representation of some fact resulting in the legal detriment of the person who relies upon the false information.
  
• Breach of Contract Lawsuits. Both prime contractors and subcontractors could be exposed legally. A tort is a civil breach committed against another in which the injured party can sue for damages. The likely scenario for a NIST 800-171-related tort would be around negligence on behalf of the accused party by not maintaining a specific code of conduct (e.g., NIST 800-171 controls).

As you can see from those examples, the cost of non-compliance is quite significant. As always, seek competent legal counsel for any pertinent questions on your specific compliance obligations.

STEPS TO BECOME COMPLIANT

To become compliant, you can do the following things:

1. Make someone responsible for the efforts.
   
2. Review your current outlook and what needs to be done.
   
3. Contact an organization that can help.

In watching many OEM companies’ attempts to sell their products, it has become clear that some are not advertising their solutions. The “unclear” presentation of their solutions has burned cycles for the contractors who have been desperately trying to meet the federally mandated dates. It is clear that some of the controls are complex, hard to implements and certainly can’t be met with one or two company’s solutions.

No one company can meet the mandates, so when a company says they can cover every control or that they can even cover a single control in full, be prepared to question them thoroughly. There are very few like Tripwire that can fully cover a single control in full.

Therefore, in order to meet these mandates, companies like Tripwire have cross-pollinated with other best-of-breed solutions providers and found ways to bring together multiple products to meet the requirements.

Tripwire’s collaborative efforts breaks down the walls between vendors and creates the solutions that multiple vendors provide to accurately meet 800-171 and protect our federal government’s data. It has simplified the research for IT staff, so that you only need to reach out to one POC. You will immediately have a team that will guide any contract holders to meet all DFAR requirements.

via:  tripwire

Personal information belonging to 1.3 million customers of Walmart jewelry partner MBM Company has been exposed because yet another Amazon S3 bucket was left open on the internet.

The open S3 bucket, named “walmartsql,” housed an MSSQL database backup, named MBMWEB_backup_2018_01_13_003008_2864410.bak, that “contained internal MBM mailing lists, encrypted credit card details, payment details, promo codes, and item orders, which gives the appearance that this is the main customer database for MBM Company Inc.,” according to a report by Kromtech Security, which discovered the open server on Feb. 3. Dates on the records ranged from 2000 to early 2018.

“The negligence of leaving a storage bucket open to the public after the publication of so many other vulnerable Amazon S3 buckets is simple ignorance,” Kromtech said in a report detailing its findings. “Furthermore, to store an unprotected database file containing sensitive customer data in it anywhere directly online is astonishing, and it is completely unfathomable that any company store passwords in plain text instead of encrypting them.”

Fred Kneip, CEO at CyberGX, said the implications are reminiscent of the breach that hit Target a few years ago. “A small third party that most people have never heard of has its weak security controls exploited, allowing hackers to access customer data from a major retailer whose name gets dragged into headlines, affecting the retailer’s reputation and bottom line. That sentence describes the infamous 2013 Target breach where attackers compromised a small HVAC vendor, but could just as easily be applied to the recent Walmart breach caused by a jewelry partner,” said Kneip. “Hackers are increasingly targeting vendors, partners and other third parties to access sensitive data, and retailers need to understand that they are going to be held responsible for the security shortcomings of any third party in their digital ecosystem.”

Noting that “organizations must understand where they are storing their data, whether the storage system is appropriate for the data they’re keeping there, and whether they have the internal resources to responsibly secure those data systems,” Threat Stack CSO Sam Bisbee said, “the onus must also be on AWS” because while “the shared responsibility model for security is accurate and fair,” it’s starting “to feel disingenuous as AWS continues to release point solution tools, yet leaks keep occurring.”

Threat Stack’s research shows that open storage buckets aren’t limited to S3 buckets, but “nearly three-quarters of organizations have critical AWS misconfigurations of some kind,” particularly “large organizations that have grown rapidly over time, both organically and inorganically, and often rely on third parties.”

Bisbee explained that “it can be very difficult to maintain security visibility into your infrastructure as assumed knowledge gets dispersed, particularly as business leaders continually prioritize speed over security.”

via:  scmagazine

It’s a war out there. Malware forms are proliferating and growing ever-more sophisticated. IoT and software and hardware innovation are creating new capabilities, while also resulting in new gaps and vulnerabilities. And massive information breaches have enabled cyber criminals to create rich profiles of consumers, as well as identify pressure points for senior leaders across industries.

In fact, cybercrime is slated to hit $6 trillion dollars annually by 2021. Anyone can witness the real-time bombardment of cyber assaults on maps like Norse. It’s alarming – and it’s getting worse, day after day.

There’s seemingly nothing to be done – or is there?

Here are three ways to combat cybercrime:

1.      Throw more talent and technology at the problem: As cybercrime escalates, so should enterprises’ response. One common solution: Do more of everything. Cybersecurity spending will skyrocket to $1 trillion by 2021, as companies hire top talent, including elite white-hat teams that hack their own companies’ networks, and invest in technology systems like security incident and event management (SIEM) systems to monitor networks edge to edge. The goal: To get smarter about finding the proverbial needle in the haystack.

But is it working? We’ve seen account after account of cyber breaches caused by human error, such as failure to patch systems on a timely basis or turning off the torrent of alerts caused by SIEM. Then there are massive hardware issues that catch us by surprise, such as Intel’s revelation that its chips were vulnerable to the Spectre and Meltdown vulnerabilities. And now we’re seeing a rise in file less attacks, which lower the barrier to entry and bypass security systems more effectively than malicious executable files. There’s simply no guarantee that crackerjack talent or shiny toys with new bells and whistles can meet the latest generation of threats. The cracks are already showing.

2.      Improve cyber governance. To fight cyber war, you don’t need a gun or bullets: You need a strategy, a plan, and guidance from war-savvy generals who are leading the battle from the front. This requires the cooperation of the entire C-suite. If CEOs aren’t aware of the need for cyber governance – and they should be – security leaders need to close the gap and elevate cyber risk to the board level.

There are many ways to describe cyber governance. Here’s a simple one: Cyber governance is the creation and application of methodologies, rules, programs and policies applied holistically across the enterprise to assess and manage cyber risk.

The Intellicta platform fast tracks the activation of cyber governance with its risk framework and helps the non-technical executives in the c-suite get up to speed. This is not just another toy – Intellicta is a risk dashboard that layers over your other systems, business processes, regulations, and more to give you a holistic look at risk, security, compliance and governance. It analyzes risks and vulnerabilities, assigns them a score, and gives them a price tag. Imagine knowing at one glance that ransomware is a $10M threat, an end-of-life system is creating a $30M exposure, or password-based logins are creating a $250M risk. Wouldn’t that help guide your thinking? Wouldn’t that shape your strategy, investments, and roadmap?

While investing in good cyber governance takes time, talent, and yes, investment, there is no time to waste. Cybercriminals are getting smarter, and you need to fight an air battle, not a ground war.

3.      Get control over AI: AI is heralded as the shiny new savior of cyber security. Leverage analytics, automate processes, use machine learning to get smarter and smarter, and poof – cyber risks be gone.

But, let’s not kid ourselves. The bad guys already have access to AI technologies and gargantuan amounts of data required to cause havoc on AI routines.

Those of us in cyber security know AI is a big boon to our industry, especially when it can make intelligent defense decisions on humans’ behalf, but it is not our salvation. Here’s why.

AI is already being used for analytics, but it must be taught to get smart on various use cases and ignore false positives, which takes time. As we’re deploying it on processes, gaining more expertise, and extending it across use cases – cyber criminals are, too. It’s not that farfetched to imagine real-time wargaming with enterprises’ best talent using AI to identify and eliminate cyber attacks that cybercriminals have identified, designed, and launched with AI.

When it comes to that level of hand-to-hand combat, you are going to wish you had risen above. You are going to need a framework and a platform to have eyes on the skies on all your threats and deploy your best talent and technology on the most important ones. You are going to have to make critical decisions and triage. Not every risk is worth fighting, but the important ones demand everything you’ve got.

So why not start now? Contact TechDemocracy to learn more about cyber risk governance and Intellicta, our real-time enterprise risk intelligence and assurance platform.

Cyber risk is a war – build your war machine today.

via:  linkedin

Microsoft has added the ability to ask about, have read, and respond to Outlook email using Cortana, its digital assistant. Here’s how it works.

• Microsoft has given Cortana the ability to read emails aloud and take dictation for responses, making it the second digital assistant to integrate those features by default.
• The features are only available for Harma
• n Kardon Evoke smart speakers and Windows 10 devices, with no word on whether they’re coming to the iOS or Android apps. They’re also only available for Outlook accounts, and not Outlook.com or other email services.

As announced on the Windows Insider Webcast, Microsoft’s digital assistant Cortana will now read and take dictation for email responses.

Features like this have been among those commonly requested by digital assistant users, but Cortana is only the second assistant, after Apple’s Siri, that can read email aloud and take dictation without third-party addons.

Along with announcing the change to Cortana’s capabilities, the Cortana team also announced a change in the way you get the digital assistant’s attention: You don’t need to say “hey, Cortana” anymore—simply “Cortana” will suffice.

How to use Cortana’s email features

As reported by Windows Central, all it takes to get Cortana to read email or take dictation is to ask if you have any unread emails. Cortana can also search for email from specific people or specify unread emails by a specific date, as well as take dictation to be sent as an email.

Microsoft hasn’t released any commands to use to access these features, though our sister site ZDNet reports saying “did I get any new email since last night” has generally worked.

If you want to access the new Cortana features you’ll either have to have an updated Windows 10 PC or a Harman Kardon Evoke, a smartspeaker with Cortana integration. The features aren’t yet available for the Cortana app on Android or iOS, and Microsoft hasn’t said when (or if) they will be.

Also of note, ZDNet reports that the new Cortana features only work on an actual Outlook account—not Outlook.com, Gmail, or any other services. So if you don’t have an enterprise-managed Outlook account you may be out of luck.

Getting your other digital assistant to handle your email

The lineup of digital assistants all offer different features when it comes to reading email aloud, taking dictation, or even interacting with an email account.

Apple’s Siri is the digital assistant when it comes to controlling email with your voice, provided you use the native iOS email app. Any account you’ve added email support for can be accessed via Siri simply by asking if you have any new email. Siri can also take dictation, find emails from particular senders, and do everything that Cortana can now do, without being locked to an Outlook account.

Google Assistant can check for emails, display results on the screen, and even take dictation, but it doesn’t include reading emails aloud as one of its features, which is a bit stifling. It can read text messages and will turn on your flashlight if you say “lumos,” but sadly, email recital is missing.

Amazon Alexa doesn’t offer native email support, but you can install the Newton skill to get it to read email back to you. Bad news: Using the Newton skill requires a paid Newton subscription, which is $49.99/year.

Kudos to Microsoft for adding this new feature, but by locking it to one particular email service it’s still leaving Cortana behind the competition, which in this case is solidly led by Apple.

via:  techrepublic