Richard Bejtlich
Principal Security Strategist
Corelight
September 03, 2020
It's not enough to install security devices that only try to stop malicious activity or create alerts on suspicious activity.
Every election network should be instrumented with a network security monitoring platform that creates an audit record of all activity on the wire. It's not enough to install security devices that only try to stop malicious activity or create alerts on suspicious activity. It's also important to have a neutral record of how the election network was used, not only for analysis at the time of the election, but as evidence to prove in the future that the elections were not subjected to tampering.

August 11, 2020
The Chinese Communist Party decided that level of encryption was beyond the capabilities of their Great Firewall to inspect.
Those who developed TLS 1.3 and ESNI believed that they could enable privacy by encrypting almost every aspect of a connection. The Chinese Communist Party decided that level of encryption was beyond the capabilities of their Great Firewall to inspect, so they are now blocking *all* TLS 1.3 and ESNI connectivity. This is a setback for those in China trying to access the free Internet, and probably not what the designers of TLS 1.3 and ESNI expected. I personally believe that liberal democracies ...

June 15, 2020
While PESTs have some benefit as resources for red teams, the cost of their use by intruders far outweighs any benefits.
While it’s useful to understand the prevalence of commercial spyware use by foreign actors, Congress would be shocked to learn that most threat actors rely on publicly available post-exploitation software tools (PESTs) to compromise targets in the US and elsewhere. While PESTs have some benefit as resources for red teams, the cost of their use by intruders far outweighs any benefits.

April 16, 2020
Offering a $5 mil award for information to identify and attribute DPRK hackers is a great idea.
Offering a $5 mil award for information to identify and attribute DPRK hackers is a great idea. It’s a comparatively low cost method to gain intelligence on a hard target, and plays to the economic incentives attractive to those in the criminal hacking scene.

April 08, 2020
Qihoo would not be able to publish and maintain its findings without the approval of the Chinese government.
If we accept that Qihoo has correctly attributed this activity to Dark Hotel, and that Dark Hotel is a North Korean actor, this report presents a few interesting findings. First, it is surprisingly risky for a North Korean actor to target assets in an allied country, especially one that provides financial and other critical support. Second, Qihoo would not be able to publish and maintain its findings without the approval of the Chinese government, so the PRC might be signalling its disapproval ...

March 31, 2020
There are encrypted alternatives for all of them.
The four TCP ports reported in this story are unencrypted communications channels. There are encrypted alternatives for all of them. If organizations remove these unencrypted protocols from their environment, they would mitigate the consequences of this threat actor's current mode of operation.

March 27, 2020
Intruders continue to target infrastructure, not just endpoints and servers.
Intruders continue to target infrastructure, not just endpoints and servers. Defenders cannot ignore infrastructure devices like routers, switches, and VPN concentrators, assuming they are trustworthy and safe to use. Instrument those devices using network security monitoring tools and methods to ensure that your trust is well-placed.

March 13, 2020
The new report integrates these recommendations, but it remains to be seen if anything changes in the federal government.
While this is yet another in a long line of reports projecting digital disaster, I was pleased to see an emphasis on incident detection and response via threat hunting as one of the more prominent recommendations. I began arguing in 2007, before 'threat hunting' was a defined term, that federal security teams should be 'projecting friendly forces' on their networks, assuming that they were already compromised. The new report integrates these recommendations, but it remains to be seen if ...

February 03, 2020
Japanese defense contractors, and other elements of Japan's commercial sector, have been attacked for years.
In the early 2000s, defense contractors became the first non-military, non-intelligence targets of advanced persistent threats. Japanese defense contractors, and other elements of Japan's commercial sector, have been attacked for years. The company reported that the intruders enjoyed a seven-month dwell time (December 2016 through June 2017), meaning they could operate at their leisure. This is far too long, and methods like network security monitoring can decrease this period down to minutes if ...

January 27, 2020
Because some network traffic analysis and monitoring systems log and parse FTP, and can extract the files transferred.
Because of the protocols used in this campaign, network security monitoring practitioners have a chance to gather the evidence they need to detect and respond to individual attacks. The intruders used file transfer protocol to transfer files that are executed as commands on victim systems. Because some network traffic analysis and monitoring systems log and parse FTP, and can extract the files transferred, defenders can leverage network forensics to identify the scope and nature of this ...
