How they swindle $100K without blinking an eye – Forensic Analysis of a BEC (Business Email Compromise) (I)

Note 0: This series of articles is a description (hopefully entertaining) of the case study (fictional, beware) that Maite Moreno and myself presented at the c1b3rwall digital security and cyber-intelligence conference, organized by the Spanish National Police. If you want more information on CEO scams you can check the (in Spanish) slides of our talk, full of data as well as a real case that we researched.

Note 1: We emphasize that this case is fictitious. However, the techniques and procedures used are identical to those used by the attackers, with the difference that we offer evidence to study them in detail. Note that the investigation could have been done more efficiently, but we wanted to show some interesting elements and techniques to dig deep into Exchange, hence the steps taken.

Note 2: Before starting the case study… you can play it! We have set up an open-access forensic CTF you can use to practice your technical skills. Try it before reading these articles (recommended), or later to reinforce concepts. If you only want the raw evidence, you can get it here. You can also download the step-by-step guide with all the tools and evidence needed for each step of the articles, perfect to follow along with the slides.

Those of us who work in incident response and forensics would love attackers to warn us before doing their wrongdoing. We want it together with the Lamborghini, the yacht and the unicorn with a rainbow in the background, but we get the same response in almost all cases: no f****** way.

“What a pain in the ass it is to have an incident at 14:55 on a Friday,” you would think. There are worse things: a call from your boss at 15h on a Saturday while you are taking a nap: “Grab your incident suitcase, we’re going to party.”

The party consists of about 4 hours of travel from Madrid to Ponferrada, where the headquarters of the MINAF (Minerías Alcázar y Ferrán) is located. MINAF is a mining company that will not ring a bell, but which has a turnover of more than 40 million euros and operates in 12 countries.

[Read more…]

Threat hunting (IV): hunting without leaving home. Jupyter Notebooks

See previous posts: I: intro 1, II: intro 2, III: Kibana, IV: Grafiki.

Do you remember the first post when we talked about what is and what is not Threat Hunting? Well, an essential part of it is the generation of intelligence.

It’s good that we are the best at detecting abnormal behavior, but if all that acquired intelligence is not transformed into structured and repeatable information we lose one of the most valuable parts of the process.

Structured, so that anyone other than the author can use it and understand it. Repeatable in the best way possible, so that the detection teams can generate alerts with it or so that any other analyst can perform the queries in the most comfortable way possible.

In our laboratory we are going to use another part of HELK, the all-powerful Jupyter Notebook.

[Read more…]

Sandbox evasion: Identifying Blue Teams

Last March, Roberto Amado and I (Víctor Calvo) gave a talk at RootedCON 2020 titled Sandbox fingerprinting: Avoiding analysis environments. The talk consisted of two parts, the first of which dealt with classifying public sandbox environments for malware analysis, and the second with demonstrating whether it was possible to identify and even attack the person analyzing our samples. This second part is the one that will occupy this entry.

During Red Team exercises it is always important to know who you are dealing with, their security measures and who is managing them. At this point we wondered if it would be feasible to reach the Blue Team and to know if our devices had been identified and if they were still useful in the exercise.

With this approach, we focused on malware analysis websites such as VirusTotal, Hybrid Analysis… which are continually consulted by analysts to find information on samples or to analyze them. The results are displayed on the web interface of these tools, showing useful information for the analysts such as IP addresses or domains to which the samples connect, commands executed, payloads introduced and a long list dedicated to making the life of the defenders easier.

With this information in mind, our approach was to find vulnerabilities in the web interface of these services in order to identify users. Cross-site scripting (XSS) was the perfect option for this task.

[Read more…]

Threat hunting (IV): hunting without leaving home. Grafiki

See first, second and third part.

Graph Theory: Relational Analysis of Social Networks

Today’s post covers something very special to me.

In the previous entry we saw the exploitation of information with Kibana and its usefulness in seeing potential anomalies at a glance. After a lot of work with Kibana, spending many hours creating visualizations and dashboards, there was one visualization that I missed: the graphs!

In that sense, I read some time ago the sentence “Defenders think in lists. Attackers think in graphs.”

Although it can raise a lot of controversy, if that were true it would leave us, the defenders, at a clear disadvantage. In a world where threats are increasingly complex, being able to “connect the dots” makes the difference between finding our threat or not.

From this idea and an increase in my free time due to lockdown, Grafiki emerged. Let’s take a look at it.

[Read more…]

Business continuity: things to consider

Let’s continue with business continuity. Today I would like to review some points to be taken into account during the implementation of a Business Continuity Plan, which I consider essential to achieve a successful outcome:

1. The scope

2. Senior management support

3. Investment

4. Setting the objective recovery times

And with this extremely short introduction, let’s go into the matter.

1. The scope

The first aspect that we must take into account is the scope of our Business Continuity Plan (BCP), in two different areas. On the one hand, in a horizontal sense, it is necessary to clearly define which services, activities or processes are going to be included in the BCP, especially if we also intend to certify the management system against the ISO 22301 standard. Although from the point of view of the BCP’s usefulness the most logical thing is to include the entire organization, especially in small companies where the infrastructure is shared across the whole organization, it is also possible to choose a reduced scope that covers relatively independent elements (a local branch or the company’s headquarters, for example), or simply to include those processes that are known beforehand to be the most critical for the organization’s continuity, such as production or logistics in a more industrial company, or the web portal in a purely e-commerce company.

[Read more…]

Cognitive bias in Threat Hunting tasks

As any analyst knows, the very nature of Threat Hunting entails the application of generic approaches for the detection of anomalies. Unlike the reactive posture of rule-based security, proactive analysis delegates a significant percentage of detection to the analyst. This means that, as happens to a conventional intelligence analyst, errors of interpretation tend to occur, due to the large number of cases encountered on a daily basis, which the brain tends to classify as legitimate or malicious in hundredths of a second.

According to Richard Heuer’s definition in “Psychology of Intelligence Analysis”, an analyst has limits in the interpretation of information, determined by his personality, his beliefs and his cognitive biases. After the identification of the anomaly, the analyst must be able to make a prediction. That is to say, it is the interpretation of a detection and its association with a possible threat that constitutes a security alert.

And not only this, but, as defined by Steven Rieber in his “Intelligence Analysis and Judgmental Calibration”, the analyst must also be capable of weighing the criticality of an anomaly, which also remains within subjective territory in the form of subjective probability.

[Read more…]

Guidelines for putting together a good report

We live in a society that gravitates around information, so there is no doubt about the importance of communication skills and abilities today. Regardless of the type of project, service or activities, knowing how to transmit information effectively and efficiently to those responsible and interested agents is undoubtedly a critical aspect.

Communication is an essential process of any organization, capable of propelling and revaluing other strategic or primary processes. In the professional field, an important part of this communication is materialized in reports, due to their more formal nature and their role as a vehicle for transmitting information both vertically and horizontally. For this reason, they must respond to the usual principles of communication: transparency and accessibility according to the information classification model, so that they are available to all interested parties; suitability, so that their contents are relevant to the recipients; credibility, providing true, exact and appropriate information; and clarity, being understandable and avoiding all ambiguity. Beyond these variables, it should never be forgotten that reports are often used as decision support tools.

Source: Jesús Gómez

Threat hunting (III): hunting without leaving home. Kibana

See first and second part.

Hey, hunters! How’s the hunting season going?

After what we saw in previous posts, in this article we will continue to understand and improve our Threat Hunting lab.


We have already learned how to ingest our data about real attacks, and now we will learn how to exploit that data. Being able to visualize the data in a comfortable way is, along with selecting good data sources, the most important part of a laboratory. All the time we invest in an intuitive and pleasant visualization will be time saved during the analysis.

Now we are going back to the laboratory, this time we are going to learn how to handle some of the HELK functionalities that we have not seen yet.

[Read more…]

IOCs are dead, long live IOCs!

An Indicator of Compromise (IOC) is defined as a piece of information that can be used to identify the potential compromise of an environment: from a simple IP address to a set of tactics, techniques and procedures used by an attacker in a campaign. Although when we speak of IOC we always tend to think of indicators such as IP or domains, the concept goes beyond this, and depending on their granularity, we can find three types of indicators:

  • Atomic indicators: those that cannot be broken down into smaller parts without losing their usefulness, such as an IP address or domain name.
  • Calculated indicators: those derived from data involved in an incident, such as a hash of a file.
  • Behavioral indicators: those that, from the treatment of the previous ones, allow the representation of the behavior of an attacker, his tactics, techniques and procedures (TTP).

[Read more…]

Cloud: building from security

Continuing this series of posts related to the cloud, it’s time to talk about how to face the world of possibilities that the cloud offers. This article aims to shed some light on such a huge task and to show different aspects to be taken into account. It is an interesting path, with multiple options, which can bring enormous value both to the business and to our quality of life, as long as it is approached from an objective, realistic and critical point of view. We should not be reticent to change, but neither should we apply change for change’s sake.


Leaving philosophical mantras aside, saying that the cloud is the panacea makes as little sense as saying that the cloud does not bring value to the business.

As always, and sorry for the insistence, it will depend on each organization and its needs. What is fundamental, within the analysis of the business case and in calculating the return on investment of the implementation of these new technological paradigms, is that the consequences, needs and capabilities of security are considered, both in the process of migration to the cloud and in the face of any technological change.

Having said this, and getting to the point, there is no doubt that migrating to the cloud has a significant cost. Whether this cost is greater or lesser will depend on how you compare, but it can be said that it is not a “cheap” decision. If we do the simple exercise of comparing a physical server to a cloud server, the difference is fairly clear. However, putting everything into context, and above all, emphasizing security, there are many other costs to be assessed.

[Read more…]