a bad outlook

I strongly believe in the importance of approaching security from both a proactive and a pragmatic perspective. Compliance- and policy-focused security, while it may promote the enforcement of some valuable controls, tends to stagnate and create a bloated security program that is fraught with misprioritisation. Too often it leads security teams to be so caught up in working from checklists that they overlook threats that are unique to their organisation. This raises the question: how does one go about adopting an approach that addresses these shortcomings?

Continue reading “a bad outlook”

learnings from the battlefield

The past 12 months have seen six New Zealand security professionals embark on a volunteer project focused on finding security issues that concern New Zealand businesses and our address space. This group has become known as “Threat Safari”.

A large percentage of the findings we’ve made are phishing sites and dumped credentials, but we’ve also made some significant achievements in discovering and aiding the resolution of botnet and malware infrastructure in New Zealand.

This post was originally published in May of this year, and has been updated and republished to accompany my purplecon talk: Roast Criminals, Not Marshmallows.

Continue reading “learnings from the battlefield”

building the rats nest

This short and sweet blog post will cover some recent additions to my Malware Hunting repo.

A good part of my (spare) time over the past few months has been devoted to constantly building upon my BSides Wellington talk, which – because I like to practice what I preach (and only preach what I truly believe in) – has also involved rolling out a good deal of the content of the talk to my workplace network… the defensive measures, that is, not the malware. All I can say is Bro + Critical Stack Intel Client + ELK = badass!

Continue reading “building the rats nest”

missing links

Over the past couple of months I’ve been preparing a talk entitled ‘Beer, Bacon and Blue Teaming’. It covers building a solid defence on a shoestring budget, with an outline along the lines of:

  • OSINT sources.
  • Spam traps.
  • Honeypots.
  • Automated analysis.
  • Dissecting LuminosityLink:
    • IDS.
    • Sysmon.
    • Configuration extraction.
    • Yara rule creation.

In this short blog post I’ll briefly run over a few of the items. Continue reading “missing links”

worthless protection

This is just a short post detailing a quick trick to remove VBA project protection in MS Office documents, tested with a Word 2003 document attached to a banking-themed email.

The document in question is one of a range that arrives as an email attachment, apparently from one of several Australian/NZ banks (as outlined here):

  • nab.com.au
  • anz.com.au
  • westpac.com.au
  • suncorp.com.au
  • commbank.com.au

Continue reading “worthless protection”

herding sheep

It goes without saying that Pokemon GO is a craze of a magnitude that we haven’t seen for a long time, and undoubtedly one that will be around for quite some time. If memory serves me correctly, not even Angry Birds grew in popularity this rapidly – and it didn’t have the same positive effects (e.g. getting gamers outside and socialising with others).

“prepare for trouble, and make it double”

Whilst most observers may see the primary negative effect as the game being yet another contributor to mobile phone addiction – diluting what are likely already diluted “real world” skills – those of us with a more nefarious view of the world will see this as a prime opportunity to pop some shells. Just as the Rio Olympics have spurred a wave of phishing and malware attacks, it comes as no surprise that Pokemon GO has too. So, this made me think… exactly how easy is it to weaponise Android applications?
Continue reading “herding sheep”

held to ransom

As of late I’ve been keeping fairly busy, unfortunately with not a lot that I can blog about. I’ve built a new house, planned some overseas travel for later in the year, am in the midst of planning a security conference with some of the other ISIG and OWASP blokes (more on that later) and have been incredibly excited about Battlefield 1. I could have been left for another month and probably remained quiet on the blogging front; alas, someone has prompted me to break the silence.

After a recent incident I was quizzed by this someone about how I approach handling situations where defenses fail and malware does make an impact – and they suggested I make a blog post to explain this. Well, I’m feeling pretty motivated today so let’s make that happen.

Most days I receive a couple of suspect files, emails or URLs passed my way for inspection (the thought of those that I don’t receive is what keeps me awake at night), so I’ve selected one to illustrate the basic analytical process: a pretty standard case of ransomware via email, sent to one of our helpdesk staff.
Continue reading “held to ransom”