Expert(s):
Principal Security Strategistfeature_status*/ ?>
Corelight

Comments Dotted : 22
September 03, 2020

Experts Reaction On CISA And FBI Rebut Reports About Hacked Voter Data On Russian Forum
It's not enough to install security devices that only try to stop malicious activity or create alerts on suspicious activity.
Every election network should be instrumented with a network security monitoring platform that creates an audit record of all activity on the wire. It's not enough to install security devices that only try to stop malicious activity or create alerts on suspicious activity. It's also important to have a neutral record of how the election network was used, not only for analysis at the time of the election, but as evidence to prove in the future that the elections were not subjected to tampering.
August 11, 2020

Expert On China Is Now Blocking All Encrypted HTTPS Traffic That Uses TLS 1.3 And ESNI
The Chinese Communist Party decided that level of encryption was beyond the capabilities of their Great Firewall to inspect.
Those who developed TLS 1.3 and ESNI believed that they could enable privacy by encrypting almost every aspect of a connection. The Chinese Communist Party decided that level of encryption was beyond the capabilities of their Great Firewall to inspect, so they are now blocking *all* TLS 1.3 and ESNI connectivity. This is a setback for those in China trying to access the free Internet, and probably not what the designers of TLS 1.3 and ESNI expected. I personally believe that liberal democracies .....Read More
Those who developed TLS 1.3 and ESNI believed that they could enable privacy by encrypting almost every aspect of a connection. The Chinese Communist Party decided that level of encryption was beyond the capabilities of their Great Firewall to inspect, so they are now blocking *all* TLS 1.3 and ESNI connectivity. This is a setback for those in China trying to access the free Internet, and probably not what the designers of TLS 1.3 and ESNI expected. I personally believe that liberal democracies worldwide should be working to undermine the Great Firewall. However, I also believe that cyber freedom fighters should think a step or two beyond their immediate purview when imagining how their protocols will be perceived by the very authoritarian regimes they also seek to undermine.  Read Less
June 15, 2020

Comment: US Congress Wants To Know What Commercial Spyware Other Countries Are Using
While PESTs have some benefit as resources for red teams, the cost of their use by intruders far outweighs any benefits.
While it’s useful to understand the prevalence of commercial spyware use by foreign actors, Congress would be shocked to learn that most threat actors rely on publicly available post exploitation software tools (PESTs) to compromise targets in the US and elsewhere. While PESTs have some benefit as resources for red teams, the cost of their use by intruders far outweighs any benefits.
April 16, 2020

US Issues Guidance On North Korean Hackers, Offers $5M Reward – Expert Comment
Offering a $5 mil award for information to identify and attribute DPRK hackers is a great idea.
Offering a $5 mil award for information to identify and attribute DPRK hackers is a great idea. It’s a comparatively low cost method to gain intelligence on a hard target, and plays to the economic incentives attractive to those in the criminal hacking scene.
April 08, 2020

The DarkHotel (APT-C-06) Attacked Chinese Institutions Abroad via Exploiting SangFor VPN Vulnerability
Qihoo would not be able to publish and maintain its findings without the approval of the Chinese government.
If we accept that Qihoo has correctly attributed this activity to Dark Hotel, and that Dark Hotel is a North Korean actor, this report presents a few interesting findings. First, it is surprisingly risky for a North Korean actor to target assets in an allied country, especially one that provides financial and other critical support. Second, Qihoo would not be able to publish and maintain its findings without the approval of the Chinese government, so the PRC might be signalling its disapproval.....Read More
If we accept that Qihoo has correctly attributed this activity to Dark Hotel, and that Dark Hotel is a North Korean actor, this report presents a few interesting findings. First, it is surprisingly risky for a North Korean actor to target assets in an allied country, especially one that provides financial and other critical support. Second, Qihoo would not be able to publish and maintain its findings without the approval of the Chinese government, so the PRC might be signalling its disapproval to the DPRK. Third, a combined approach that integrates server-side and client-side techniques, at the scale indicated by Qihoo, is a sign that the DPRK has improved its offensive asset management capabilities.  Read Less
March 31, 2020

Experts Insight On A Mysterious Hacker Group Is Eavesdropping On Corporate Email And FTP Traffic
There are encrypted alternatives for all of them.
The four TCP ports reported in this story are unencrypted communications channels. There are encrypted alternatives for all of them. If organizations remove these unencrypted protocols from their environment, they would mitigate the consequences of this threat actor's current mode of operation.
March 27, 2020

Chinese Hacker Group APT41 Uses Recent Exploits To Target Companies Worldwide
Intruders continue to target infrastructure, not just endpoints and servers.
Intruders continue to target infrastructure, not just endpoints and servers. Defenders cannot ignore infrastructure devices like routers, switches, and VPN concentrators, assuming they are trustworthy and safe to use. Instrument those devices using network security monitoring tools and methods to ensure that your trust is well-placed.
March 13, 2020

Experts Comments On Cyberspace Solarium Commission Report – US At Risk Of A “Catastrophic cyber-attack”
The new report integrates these recommendations, but it remains to be seen if anything changes in the federal government.
While this is yet another in a long line of reports projecting digital disaster, I was pleased to see an emphasis on incident detection and response via threat hunting as one of the more prominent recommendations. I began arguing in 2007, before 'threat hunting' was a defined term, that federal security teams should be 'projecting friendly forces' on their networks, assuming that they were already compromised. The new report integrates these recommendations, but it remains to be seen if.....Read More
While this is yet another in a long line of reports projecting digital disaster, I was pleased to see an emphasis on incident detection and response via threat hunting as one of the more prominent recommendations. I began arguing in 2007, before 'threat hunting' was a defined term, that federal security teams should be 'projecting friendly forces' on their networks, assuming that they were already compromised. The new report integrates these recommendations, but it remains to be seen if anything changes in the federal government.  Read Less
February 03, 2020

NEC Defense Contracts Info Potentially Compromised In Breach
Japanese defense contractors, and other elements of Japan's commercial sector, have been attacked for years.
In the early 2000s, defense contractors became the first non-military, non-intelligence targets of advanced persistent threats. Japanese defense contractors, and other elements of Japan's commercial sector, have been attacked for years. The company reported that the intruders enjoyed a seven month dwell time (December 2016 through June 2017), meaning they could operate at their leisure. This is far too long and methods like network security monitoring can decrease this period down to minutes if .....Read More
In the early 2000s, defense contractors became the first non-military, non-intelligence targets of advanced persistent threats. Japanese defense contractors, and other elements of Japan's commercial sector, have been attacked for years. The company reported that the intruders enjoyed a seven month dwell time (December 2016 through June 2017), meaning they could operate at their leisure. This is far too long and methods like network security monitoring can decrease this period down to minutes if implemented properly.  Read Less
January 27, 2020

U.S. Govt Agency Hit With New CARROTBALL Malware Dropper
Because some network traffic analysis and monitoring systems log and parse FTP, and can extract the files transferred.
Because of the protocols used in this campaign, network security monitoring practitioners have a chance to gather the evidence they need to detect and respond to individual attacks. The intruders used file transfer protocol to transfer files that are executed as commands on victim systems. Because some network traffic analysis and monitoring systems log and parse FTP, and can extract the files transferred, defenders can leverage network forensics to identify the scope and nature of this.....Read More
Because of the protocols used in this campaign, network security monitoring practitioners have a chance to gather the evidence they need to detect and respond to individual attacks. The intruders used file transfer protocol to transfer files that are executed as commands on victim systems. Because some network traffic analysis and monitoring systems log and parse FTP, and can extract the files transferred, defenders can leverage network forensics to identify the scope and nature of this activity.  Read Less