Detecting Rogue Svchost Processes
Posted by: Andrew Hollister
The Challenge Malware authors may attempt to hide their processes “in plain sight” by calling them the same name as some common Windows processes. Very commonly, “svchost.exe” has been used for this purpose. It is difficult to catch this by…
January 8, 2016
LogRhythm Precision Search: An Unstructured Journey
According to Wikipedia, unstructured data (or unstructured information) refers to information that either does not have a pre-defined data model or is not organized in a pre-defined manner. Unstructured information is typically text-heavy, but it may also contain data such…
January 6, 2016
Agent SmartResponse Host Checking
Posted by: Andrew Hollister
The Problem How can you find out if a SmartResponse™ plug-in using PowerShell will run on a specific System Monitor Agent host? Also, with what user context will the SmartResponse plug-ins execute? Windows PowerShell execution policies let you determine the…
January 6, 2016
A Deeper View into the Threat Landscape
The threat landscape hasn’t really changed, except for a few minor adjustments. We are still seeing nation state threat actors, financial crime groups, hacktivism (though that has been receiving less press lately), terrorist organizations and commodity threats (e.g., CryptoLocker). The…
January 4, 2016
Striking the Balance Between Machine and Human Analysis in Your SIEM Environment
As technology advances, the threat landscape is also advancing. With thousands of touch points in any given network, cyber criminals are effectively exploiting weak points on an almost daily basis. Prevention-centric strategies are no longer efficient for organizations, and they…
December 30, 2015
Detecting the Juniper Netscreen OS Backdoor
Posted by: Andrew Hollister
The Challenge Juniper issued an advisory on December 18th indicating that they had discovered unauthorized code in some versions of the ScreenOS software that powers their Netscreen firewalls. The advisory covers two issues: One was a backdoor in the VPN…
December 29, 2015