Enterprise immortality?

Too long ago I spent about a year at the Georgia Institute of Technology in Atlanta, continuing my university studies. Shortly after arriving, the person who was in charge of campus security gave us a talk in which he congratulated us on the fact that Atlanta was no longer the most dangerous city in the USA, but the second most dangerous (we are talking about 1999). He also warned, with emphasis on the younger ones, to be careful with the illusions of immortality typical of teenagers, to avoid unnecessary risks and to adopt certain safety measures.

I have a feeling that this kind of illusion applies quite adequately to many companies. In general, the thinking that still prevails in many organizations is the familiar one: it can’t happen to us. The equivalent is the one who gets in the car thinking that accidents happen to everyone but him and ignores seat belts and any “reasonable” speed limit.

[Read more…]

European Cybersecurity Framework

In recent times, the European Union has been reinforcing the regulatory framework on cybersecurity to deal with the growing threat posed by cyberattacks. To this end, it is providing the Member States with a common framework especially focused on cybersecurity aimed at guaranteeing the cyber-resilience of the processes that support different essential services for society.

The NIS Directive or Directive (EU) 2016/1148 was the first cybersecurity law of the European Union and provided a common framework to improve the resilience of the Union’s networks and information systems against cybersecurity risks. It has proven to be a useful Directive, but over the years it has also shown its limitations in the face of increasing cyber threats and the growing reliance on digital solutions.

That is why, at the end of last year, the European Commission presented the new EU cybersecurity strategy based on three main pillars:

  • Resilience, technological sovereignty and leadership;
  • Operational ability to prevent, deter and respond;
  • Cooperation to promote a global, secure and open cyberspace.
[Read more…]

Threat hunting (VII): hunting without leaving home. Process creation

See previous entries: I: intro 1, II: intro 2, III: Kibana, IV: Grafiki, V: Jupyter Notebooks, VI: Creating our víctim

Good hunters, how’s the hunt going?

I hope you have had time to play with your lab and feel more and more comfortable consulting and analyzing the data.

As I said in the previous article, now it’s time to get down into the mud and start understanding what is happening in our laboratory. In this case we are going to talk about the creation of processes, what happens when a process is created, what ways there are to create them and the traces that creation leaves behind.

Understanding the environment

Windows is organized in layers as far as interaction with the system is concerned.

The upper layers are those with which the user or the programs that he launches interacts, the lower layers those used by the operating system itself to function.

For security reasons, the upper layers are well documented and Windows offers facilities to interact with them, but with the lower layers things change, they are not documented and due to the complexity of their operation, it is very difficult or directly not possible for security reasons.

[Read more…]

Mr Natural, an iced meeting in traffic

ISC’ crew have a montly Traffic Analysis Quiz, and I want to practice some Network Forensic Kung-Fu, so allow me to introduce you Mr Natural.

What we have

  • a packet capture (pcap) of infection traffic (let’s keep reading, don’t open it yet!)
  • an image of the alerts shown in Squil (em ok)
  • a text file listing the alerts with a few more details (now this is yummy)
  • a PDF document with answers to the questions below. (SPOILERS!)

What do we know

  • LAN segment range: ( thru
  • Domain: mrnatural.info
  • Domain controller: – MrNatural-DC
  • LAN segment gateway:
  • LAN segment broadcast address:

What our b0$$ want to know

  1. What is the IP address of the infected Windows host?
  2. What is the MAC address of the infected Windows host?
  3. What is the host name of the infected Windows host?
  4. What is the Windows user account name used on the infected Windows host?
  5. What is the date and time of this infection?
  6. What is the SHA256 hash of the EXE or DLL that was downloaded from
  7. Which two IP addresses and associated domains have HTTPS traffic with “Internet Widgets Pty” as part of the certificate data?
  8. Based on the alert for CnC (command and control) traffic, what type of malware caused this infection?
[Read more…]

What can Artificial Intelligence do for us? (Or against us)

AI is one of the technologies that will have a greater social and economic impact in the coming years (we are already experiencing). Some studies (PwC, Accenture) estimate this impact at a global scale up to 2030 to be around 16 trillion USD, led by China and the USA.

As expected, everyone is jumping on this bandwagon and the world of cyber security is no exception. But how much reality is in the applicability of AI to cybersecurity? Let’s take a look at the possibilities from both sides of the battlefield: the attacker and the defender.

Machine Learning (ML) techniques can be applied to detect vulnerabilities in software using fuzzing tools. This is done by the attackers and can be done by the developers, preventing vulnerabilities from reaching live environments.

One of the most successful AI recent advances is the ability to automatically generate “credible” text that is hard to distinguish from that written by humans. This technique is being used to generate fake news content in news sites or to comment on social networks.

[Read more…]

Exploiting APT data for fun and (no) profit (IV): conclusions

Post of the serie “Exploiting APT data for fun and (no) profit”:
=> I: acquisition and processing
=> II: simple analysis
=> III: not so simple analysis
=> IV: conclusions

Now you have some tips, evidence-based, for your APT talks (don’t forget to use these tips together with Sun Tzu’s “Art of War” quotes); with some more time, you can get to more stupid or interesting conclusions about threat groups activities, interests and origins. And exploiting other datasets (MITRE ATT&CK, here we go!) We can expand those conclusions.

Some key data we can conclude after this little analysis of data:

  • It seems clear that Russia plays in the APT Champions League. It’s the most active country in all kind of threat activities, from sabotage to espionage or financial gain.
  • The threat group leader is also a Russian one: Turla, operating from almost a quarter century -in this case we can confirm it’s still active- and with targets from a long list of countries and sectors.
  • The most loved by analysts threat group is also a Russian one: APT28. Maybe for this reason is the threat group with more synonyms.
  • The number of threat actors with CNA capabilities has increased during last years, once again with Russia leading the ranking.
  • Apart from classical players, two actors have been particularly actives in the last years: Iran and North Korea.
  • It should be interesting to identify a parameter for threat groups, something like “last time seen”, in order to calculate the years a group has been active.
  • Using different, vendor-dependent names, for the same threat actor is a little chaos when analyzing data. In this sense, a good effort is MISP’s UUID for each group (https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json#L2434), as @adulau noted.
  • With some imagination and gnuplot you can have your own APT Magic Quadrant for marketing purposes.
  • Disclaimer: this is just a simple blog post, not a scientific paper, so don’t expect non questionable sentences here!
  • And the most important conclusion: AWK is your friend. Remember:

Exploiting APT data for fun and (no) profit (III): (not so) simple analysis

Post of the serie “Exploiting APT data for fun and (no) profit”:
=> I: acquisition and processing
=> II: simple analysis
=> III: not so simple analysis
=> IV: conclusions

Once we have answered some silly & simple questions, it’s time to wonder more complex ones, so let’s imagine…

Are CNA threat actors increasing their activities during last years?

In the simple questions, we have concluded that sabotage and destruction motivations are not the most common among threat groups. But we are interested in these ones. Let’s see them among time:

for i in `grep "Sabotage and destruction" [0-9]*.txt|awk -F: '{print $1}'`; do grep \"meta\",\"date\"\] $i|awk '{print $2}'|sed 's/\"//g';done|awk '{a[$0]++}END{for(k in a){print k,a[k]}}’ >years.cna

Plotting the results, we have:

gnuplot> set boxwidth 0.5
gnuplot> set boxwidth 0.5
gnuplot> set xtics 1
gnuplot> set ytics 1
gnuplot> set yrange [0:5]
gnuplot> plot 'years.cna' with boxes

Since 2012, the number of these threat actors has increased significantly: 9 out of 14 groups in the last eight years, so we can say it’s a growing trend. Out of curiosity , the oldest group with CNA capabilities is dated in 2001. Can you guess its name? Yeah… Equation Group.

[Read more…]

Exploiting APT data for fun and (no) profit (II): simple analysis

Post of the serie “Exploiting APT data for fun and (no) profit”:
=> I: acquisition and processing
=> II: simple analysis
=> III: not so simple analysis
=> IV: conclusions

Once we have processed the gathered information we can start our analysis trying to ask the silly and simple questions that many times we wonder. Let’s go. 

Which are the groups with more synonyms?

The silliest question I always wonder is why we use so many names for the same actor. Which one is the group with more names? Let’s see:

$ for i in [0-9]*.txt; do c=`grep synonyms\", $i|grep -vi operation|wc -l `; echo $c $i;done |sort -n|tail -1
18 233.txt

The result is “233.txt”, which corresponds to APT 28, with 18 synonyms; the second one in the ranking, with 16 names, is Turla. Casually, both of them are from Russia (we’ll see later some curiosities about Russia).

Apart from that, a personal opinion: 18 names for the same group! Definitely, once again, we need a standard for threat actor names. This can be your first sentence when giving a talk about APT: where is an ISO committee when it’s needed?

Which groups are from my country?

Well, outside well known actors… how many groups are from my country? Spanish ISO 3166-1 country code is ES, so let’s look for Spanish threat actors with a simple command, as well as threat actors from other relevant countries

$ grep \"country\" [0-9]*.txt|grep -w ES
$ grep \"country\" [0-9]*.txt|grep -w DE
$ grep \"country\" *.txt|grep -w IL
183.txt:["values",183,"meta","country"] “US,IL"

No identified groups from Spain… well, I’m sure this has a technical explanation: Spanish groups are so stealth that they are difficult to discover, and their OPSEC is so strong that, in case of being discovered, attribution is impossible. For sure! But what about Germany? Where is your Project Rahab now? And what about Israel, with only a sad starring together with US? Yes, it’s Stuxnet, but only a single starring… I hope you are as good as Spanish groups: nobody can discover you, and attribution is impossible :) Another sentence for your APT talks: in the group of most stealth countries we can find Germany, Israel… or Spain.

[Read more…]

Exploiting APT data for fun and (no) profit (I): acquisition and processing

Post of the serie “Exploiting APT data for fun and (no) profit”:
=> I: acquisition and processing
=> II: simple analysis
=> III: not so simple analysis
=> IV: conclusions

When attending to talks about APT -or when giving them- sometimes you hear sentences like “most threat actors are focused on information theft” or “Russia is one of the most active actors in APT landscape”. But, where do all those sentences come from? We have spent a whole night exploiting APT data for fun and (no) profit, in order to provide you with some curiosities, facts, data… you can use from now in your APT talks!! :)

Since 2019 the folks at ThaiCERT publish the free PDF book “Threat Group Cards: A Threat Actor Encyclopedia” and they have an online portal (https://apt.thaicert.or.th/cgi-bin/aptgroups.cgi) with all the information regarding APT groups acquired from public sources. In this portal, apart from browsing threat groups and their tools, they present some statistics about threat groups activities (source countries, target countries and sectors, most used tools…). Most of these threat groups are considered APT (at the time of this writing, 250 out of 329, with last database change done 20 October 2020).

But what happens when you need specific statistics or correlations? You can download a JSON file and exploit it yourself:

$ curl -o out.json https://apt.thaicert.or.th/cgi-bin/getmisp.cgi?o=g 
[Read more…]

How they swindle $100,000 without blinking an eye – Forensic Analysis of a BEC (Business Email Compromise) (IV)

See the first part of this series, with some notes on the full series content, the second part and the third part

In the previous article, we saw how the attackers had been monitoring and manipulating the MINAF CEO’s email at will … and that they had done it through OWA (Outlook Web Access), the Exchange webmail.

To know how these logs work, we have to see how Exchange works. If we simplify it a lot, Exchange has two main components: CAS (Client Access Server) and DAG (Database Availability Group), which would be roughly equivalent to a web server and the database of a web application.