— Javelin Networks (@JavelinNetworks) July 24, 2017
One of the rising trends in Red Team vs. Blue Team is the use of the marketing term “Distributed Deception”: offerings which are actually Honey Tokens, Honey Bread Crumbs, and Honey Pots used to detect attackers who have already breached the network and are developing a plan to compromise it or achieve their objective.
However, after reviewing some of the solutions offered by the cybersecurity community, we came to the conclusion that attackers with minimal knowledge can detect some of them, or at least try to avoid “Honey-*” artifacts that seem suspicious and/or fake.
Want to know how attackers avoid your deceptions?
Fake Sessions and Injected Memory Credentials Tokens
This LOGON_NETCREDENTIALS_ONLY fake session is a method many solutions use to spread their fake tokens. Attackers can easily detect it when reviewing these two flags:
The latest craziness, called Petya (it has also gone by other names, such as Petna, NotPetya, and Nyetya), started this week on June 27, allegedly originating from Ukraine.
Ah, Russian espionage. It reminds me of the classic James Bond movies from the 60s:
But that was a different time.
Hoodies have replaced suits. Computers have replaced pistols. Geeks have replaced spies.
And we think for the better.
Red-Team is the best simulation you can do to improve your network security against APTs.
Active Directory has existed since Windows 2000 Server edition. It was designed to give companies and their users a great UX for single sign-on and easy integration with other applications. For a normal Active Directory Domain User, it’s like having a Google search engine inside yellow pages:
This enables the attacker to gather information without raising alarms in the target environment. The hacker uses reconnaissance to learn where sensitive data is and which accounts are highly privileged so that he can formulate a plan. From Microsoft’s perspective, this is not a vulnerability or security issue, since this behaviour is by design and allows other great functionalities to work in the domain environment. From a hacker’s perspective, this “Google Search” of the company’s domain is GOLD.
1. People are still the most vulnerable asset in the organization:
a. 1 in 14 users were tricked into opening an attachment or following a link
b. 80% of hacking-related breaches leveraged either stolen and/or weak passwords
APT32 (aka Ocean Lotus), a threat actor observed by FireEye since 2014 and allegedly connected to the Vietnamese state, is targeting multinational businesses with interests in Vietnam, both from the private sector and from government-related institutes.
Among the victims, you can find technology infrastructure, network security, consulting firms, banking, media, hospitality, consumer products, government agencies, research institutes, maritime agencies, sea construction, shipping enterprises, and even journalists, activists, regime dissidents and bloggers.
It’s been a few days since the ransomware WannaCry wreaked havoc across the globe. Now, after a few nights of rest and reflection, I want to look at what this incident means for the state of cyber security.
According to an announcement from the Israel National Cyber Defense Authority, from April 19 to April 24, there was an ongoing attack on more than 120 Israeli academic, pharmaceutical, and government organizations. A total of 250 phishing emails were involved in the attack.
According to almost every cyber security vendor, the biggest trend in the last few years is the use of non-malware attacks. Scripting languages are becoming more prominent than before: a few lines of PowerShell code can serve as a full hacking toolkit, open source hacking frameworks based on PowerShell and Python are easily accessible, and the bad guys are taking advantage of the “new reality” we’re living in.