Tales from the Trenches: Assumptions & Out-of-Country Investigations

Challenging Your Assumptions

As an investigator, I’ve learned to always challenge assumptions while also being keenly aware of the natural perspective I may bring to cases, which may blind me in problem solving. The cultural influences that I grew up with in the United States and the natural optics through which I view the world could be vastly different from those of the country where I am conducting an investigation. In one case, I found myself in a country in Latin America investigating a complicated persistent business compromise being implemented through both electronic and human means. I had already been working on

Artifacts, Speculation and Compromised Secrets at the Democratic National Committee and more...

Six different artifacts had been discovered with our MalNet Maltego transforms (connected to @Proofpoint data), showing a possible six other compromises and/or artifacts related to DNC networks. The buzz around cyber compromise has been booming since the AP released some interesting points on the Hillary Clinton email compromise. This was followed up by Brian Krebs on May 16th, 2016, noting less-than-average internet security practices by the Clinton Foundation. We looked into some of the issues noted and discovered a few interesting data points relating to this compromise, described in the screenshot below. To make cyber matters worse,

MalNet Maltego Transforms with ProofPoint Data

MalNet accesses the Proofpoint ET Intelligence™ comprehensive database, which contains current and historical malicious IP addresses and domains. In this blog post we share screenshots of Maltego 4 and a quick YouTube video. In this example, we cover 15 domains related to GozNym campaigns that operated in the month of April 2016.

MalNet with GozNym

In the examples below, within the screenshots provided, we cover malware associated with the domains manualtatex.com and houndsofcullen.com, identifying related malware, IP addresses, associated domains and IDS signatures related to traffic generated by the malware.

Starting with a Hash
Get DNS Lookups
Acquire Related

Tracking GozNym Campaigns with MalNet

In 2007, Don Jackson, then at SecureWorks, wrote about the Gozi Trojan, sharing details on the modularization and monetization strategies used by this malware family. More recently (04/04/16), Limor Kessem from IBM also provided some interesting background on Gozi and Nymaim. Correlating the different indicators and samples, we observed that several recent campaigns had started on the 14th of April, with the following campaign dates of interest:

2016-04-04 (the outlier in our samples appears to be 04/04/16)
2016-04-14
2016-04-15
2016-04-16
2016-04-17
2016-04-18
2016-04-19

Looking at the sample submission dates and

Demonstration: Tracking Malware Campaigns and Domains Using MalNet

MalNet brings together the industry's most up-to-date and extensive threat information from Proofpoint with Maltego link analysis capabilities from ShadowDragon. MalNet enables threat analysts and researchers to identify and visualize malware connections in just minutes to expedite investigations and response. In this short 4-minute video we demonstrate how MalNet enables analysts to track malware campaigns and domains. By starting with just a malware artifact, we'll show you how you can identify new domains, IP addresses and additional malware all related to this original artifact.

Technical Audiences

In this example we start off with the