Tips & Tricks

Gathering Evidence Through Network Monitoring

In this field, we know that gathering evidence is critical to identifying the attack vector, understanding how to stop the attack quickly, and moving ongoing investigations further. One of the best ways to gather forensic evidence is through network monitoring.

Temporal Chain Normalization: The Unsung Hero of Event Correlation

When it comes to correlation capabilities, LogRhythm has you covered. With AI Engine you can perform a variety of activities, from observing a single activity to applying advanced behavior rules across multiple dimensions (entities, devices, log sources, metadata, etc.). In addition to some of the more obvious capabilities, I’m here to tell you about one not so known feature of AI Engine called Temporal Chain Normalization (TCN).

LogRhythm Challenge: Black Hat 2016

For the LogRhythm Challenge at Black Hat USA this year, we wanted to give participants the opportunity to use several different analytic skills in their attempt to beat the challenge. The goal of the challenge was to identify exfiltrated data from Swish Inc., a fictional video streaming company that was recently exposed as having data leaked to a public file sharing site. We’ll tell you how to find each of the hidden flags within the PCAP.

DPA-Powered Dashboards

With the proliferation of top-level domains, threat actors are using all sorts of DNS tricks to entice people to engage with malicious sites or to mask malicious traffic in the noise of normal traffic. So how do you sort through the noise to find abnormal top-level domains (TLDs)?

A Practical Approach to Effective Security Analytics

When discussing effective approaches to the problem of security analytics, I think it is first important to start with a clear definition of the goal of security analytics. The ultimate goal of security analytics is to deliver technology solutions that assist human security analysts in detecting, responding to and mitigating cyber threats. This simple statement hides an area of technological endeavor that is simultaneously fascinating, important and complex. While a full exploration of the many facets of security analytics is beyond the scope of this post, it is useful to discuss a high-level and general approach to security analytics to simplify the complex problem statement into more digestible pieces.

Who is Listening in on Your Network?

With the sheer volume of network traffic and the variety of applications that travel across a typical network these days, it is not surprising how easy it is to gather high-value artifacts using packet capturing software. The goal of an attacker that is using packet capturing software is to grab usernames, email addresses, passwords and other sensitive information traversing a network in plain/clear text for further exploitation.

Detecting Beaconing Malware with Network Monitor

When a computer becomes infected with malware, it will usually begin to beacon out to a command and control server. This is one of the ways that commodity malware checks in with its command and control infrastructure to await further instructions. But it can be difficult to detect this activity. The beaconing can take place at any time or frequency—from once every couple of seconds to once a week (or possibly even longer if you are dealing with an advanced adversary).

How Far Cyber Criminals Will Go to Get Your PII

Everyone who works in security deals with phishing emails to some extent—some more than others. In fact, most of us in the security industry see so many phishing attacks on a daily basis that they are not all that interesting anymore. However, every once in a while, a scammer will actually take the time to prepare and deploy more believable campaigns and target personally identifiable information (PII) in a more persistent way.

Do You Know Your Network?

Knowing what or who is on your network at work and at home is all too important. See how I detected unauthorised application communication via NetMon Freemium.

Five Steps to Defend Against Ransomware

Understanding what happens at each phase of a ransomware attack, and knowing the IOCs to look for, increases the likelihood of being able to successfully defend against—or at least mitigate the effects of—an attack.