This Week's Read List - 03-09 JAN 2021
This Week's Read List (TWRL) is a collection of articles, blog posts, and other content that I've discovered throughout the last week. The collection may seem eclectic at times, but my hope is that you'll find these articles just as helpful and interesting as I have.
SolarWinds Compromise
FireEye's Mandia: 'Severity-Zero Alert' Led to Discovery of SolarWinds Attack - An interesting look into the discovery of FireEye's compromise, and the discovery of the SolarWinds compromise. A great reminder that even the smallest, seemingly normal but just slightly off event can be the beginning of something much larger.
CISA Releases New Alert on Post-Compromise Threat Activity in Microsoft Cloud Environments and Tools to Help Detect This Activity - Follow on actions by the SolarWinds hackers accessing Microsoft 365/Azure environments.
Six Stages of Dealing with a Global Security Incident - A case study on the SolarWinds compromise that looks at what security teams can do to handle security incidents and compromises.
DevSecOps
Dockerfile Best Practices - A GitHub repository with a Dockerfile as well as a breakdown of some best practices for securing Docker deployments.
Top 5 'Need to Know' Coding Defects for DevSecOps - A look at the 5 most common coding defects that developers face and how they can be addressed using static code analysis.
Malware, Campaigns and TTPs
Malware uses WiFi BSSID for Victim Identification - An interesting look at how malware determines whether it has landed on the intended victim: it reads the WiFi BSSID and looks it up in an open source WiFi information aggregator to find the physical location of the host.
Cobalt Strike and Metasploit accounted for a quarter of all malware C&C servers in 2020 - Another constant reminder that being able to detect, block and respond to the most common tools used by Pentesters, amateur hackers, and even the Advanced Persistent Threats will pay dividends in the long run.
Malicious Software Infrastructure Easier to Get and Deploy Than Ever - A brief overview of some of the commonly observed open source/leaked tools being leveraged by threat actors, as well as a prediction about the up-and-coming tools to be on the lookout for this year.
Operation ‘Kremlin’ - A breakdown of Operation Kremlin by ClearSky. An analysis of the TTPs used by the threat actors and some of the indicators that can be used for detection.
Linux malware authors use Ezuri Golang crypter for zero detection - A look at the Ezuri crypter (open source on GitHub) and its use to evade anti-virus products. Given that it decrypts and runs the payload entirely in memory, it's difficult to detect.
Russian hackers selling program in darknet that bypasses spam protection - A tool that bypasses spam protection is being sold/rented on the darknet. However, the tool requires the hackers to already have access to the victim's account.
The C2 Matrix - A matrix designed to help figure out the best C2 for your threat emulation needs. A great breakdown of C2 frameworks you might encounter and need to detect or triage.
RE and Malware Analysis
Building a Custom Malware Analysis Lab Environment - A small writeup on how to build out a malware analysis lab. While it is one person's take on which tools and systems to use, it's a great starting point for beginners looking to get into the malware analysis game.
Reverse Engineering Tutorials - A lengthy writeup about how to begin reverse engineering. There is not only a GitBook site, but also an e-book (MOBI) and a PDF for download.
Malvuln - SKETCHY WEBSITE, but they do have quite a few samples of malware. The interesting part is that the website is dedicated to finding security vulnerabilities within malware itself. Hackers hacking hackers??
Tools
Panther SIEM - A SIEM written in Python which uses "rules" (Python functions), allowing you to design and implement your own alerting and detection logic. Panther already has built-in support for a lot of the major logs from cloud platforms and traditional security tools.
Introducing PcapMonkey - PcapMonkey is a hybrid Zeek-Suricata-Elasticsearch platform for analyzing PCAPs. There is also a beta for Windows Event Logs in the works.
Government & Cybersecurity
Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations - Best practice: don't use old standards. NSA's guidance on how to detect outdated protocol configurations and then replace them.
U.S. Department of State Approves New Cyberspace Security Bureau - A new bureau coming to the U.S. Government focused on cybersecurity. Certainly an interesting entity to watch in the future as it integrates with the other government entities.
OSINT
Self-Reflection Time: The OSINT Collection Risk Framework - What does Open Source Intelligence (OSINT) reveal about your company? A look at leveraging OSINT information in order to better evaluate the risk the information poses to your company, and how defenders can leverage it to better protect the company.
Miscellaneous
The Disclose.io Project Data - A GitHub repository containing information related to bug bounties in a machine-readable format. It also includes a list of Computer Emergency Response Teams (CERTs).
DevBooks - A great resource if you are looking for books related to professional development as a developer. The site lists both paid and free books. If you have a book, you can also recommend it to have it added to the site.