Detecting Home Network Issues with Network Monitor
I’ve been running a test Network Monitoring (NetMon) Mini device at home for the past few weeks and, up until recently, I didn’t notice anything “unexpected” on my home network. Figure 1: Miniature NetMon Home Appliance (Click on images to…
November 8, 2016
Building Resilience in Critical Infrastructure
Disrupting Critical Infrastructure: A Potential New Form of Warfare It’s National Cyber Security Awareness Month, and the theme for the final week is “Building Resilience in Critical Infrastructure.” So why is this a focus for the National Cyber Security Alliance?…
October 27, 2016
How to Build a Miniature Network Monitor Device
Posted by: LogRhythm Labs
Collaboration between Greg Foss, Kjell Hedstrom, Dan Schatz-Miller, Michael Swisher, and Craig Cogdill. LogRhythm NetMon is a powerful forensics tool that allows organizations to capture, analyze, and alert on network data. Traditionally, NetMon is deployed on a blade server within…
October 6, 2016
LogRhythm Challenge: Black Hat 2016
Posted by: LogRhythm Labs
Collaboration between Greg Foss, Nathaniel “Q” Quist, and Michael “Swish” Swisher. For the LogRhythm Challenge at Black Hat USA this year, we wanted to give participants the opportunity to use several different analytic skills in their attempt to beat the…
September 20, 2016
Who is Listening in on Your Network?
The Threat of Data Exfiltration with Packet Capture Software With the sheer volume of network traffic and the variety of applications that travel across a typical network these days, it is not surprising how easy it is to gather high-value…
July 28, 2016
Detecting Beaconing Malware with Network Monitor
The Difficulty in Detecting Beaconing Malware When it comes to threat detection, you’re taking great measures to protect your organization. Yet threats, such as malware, keep getting in despite the network monitoring tools and enterprise threat detection solutions you have…
July 26, 2016
How Far Cyber Criminals Will Go to Get Your PII
Notice: LogRhythm always recommends using a sandbox or other “safe” method when testing or investigating known malicious sites. Phishing for Personally Identifiable Information (PII) Everyone who works in security deals with phishing emails to some extent—some more than others. In…
July 21, 2016
Five Steps to Defend Against Ransomware
Over the past three years, ransomware has jumped into the spotlight of the cyberthreat landscape. Until recently, most ransomware attacks were simply opportunistic and mostly affected individual users’ or small businesses’ computers. The ransom demands have commonly been the equivalent…
July 15, 2016
SMS Alerting Via SmartResponse
The Problem Security analysts can’t always dedicate their time to monitoring the security operations center (SOC), nor do they always check the alerts that they receive via email, due to various reasons. Also, some alerts are simply more important than…
April 21, 2016
The State of Ransomware: How to Prepare for an Attack
Posted by: LogRhythm Labs
This blog is co-authored by LogRhythm Labs Incident Response Engineer Nathaniel “Q” Quist and Threat Intelligence Engineer Matt Willems. Ransomware is currently one of the most widespread and highest-publicized threats on the Internet. Over the last few years, we’ve seen…
March 28, 2016
Harnessing Your SIEM for Cyberthreat Intelligence
Posted by: Matt Willems
In the world of cybersecurity, cyberthreat intelligence (CTI) burst onto the scene in a big way in 2015. Everyone wants useful data and analytical tools for next-gen cybersecurity in order to detect and respond to threats faster. The industry…
March 8, 2016
7 Significant Insights from the CyberEdge Cyberthreat Defense Report
Today, CyberEdge released their third installment of the Cyberthreat Defense Report in order to gain an understanding and provide awareness of how IT security teams defend against threats. The report analyzes the current state of cyber security, including the perceptions…
February 10, 2016
Monitoring Digitally Signed PowerShell
Posted by: Andrew Hollister
The Challenge Microsoft Windows PowerShell is a powerful scripting environment. The PowerShell execution policies are provided in order to let you determine the conditions under which scripts may be run. The default option is “Restricted,” which doesn’t allow any scripts…
February 3, 2016
SANS "Find Evil" Digital Forensics Use Case for Windows
Posted by: Andrew Hollister
In 2014, SANS published a Digital Forensics poster called “Know Abnormal…Find Evil.” This resource delves into the differences between normal and abnormal behavior—and what you might look for or ignore in a digital forensics investigation. The Challenge Using this reference…
January 12, 2016
Detecting Rogue Svchost Processes
Posted by: Andrew Hollister
The Challenge Malware authors may attempt to hide their processes “in plain sight” by calling them the same name as some common Windows processes. Very commonly, “svchost.exe” has been used for this purpose. It is difficult to catch this by…
January 8, 2016
Agent SmartResponse Host Checking
Posted by: Andrew Hollister
The Problem How can you find out if a SmartResponse™ plug-in using PowerShell will run on a specific System Monitor Agent host? Also, with what user context will the SmartResponse plug-ins execute? Windows PowerShell execution policies let you determine the…
January 6, 2016
A Deeper View into the Threat Landscape
The threat landscape hasn’t really changed, except for a few minor adjustments. We are still seeing nation state threat actors, financial crime groups, hacktivism (though that has been receiving less press lately), terrorist organizations and commodity threats (e.g., CryptoLocker). The…
January 4, 2016
Detecting the Juniper Netscreen OS Backdoor
Posted by: Andrew Hollister
The Challenge Juniper issued an advisory on December 18th indicating that they had discovered unauthorized code in some versions of the ScreenOS software that powers their Netscreen firewalls. The advisory covers two issues: One was a backdoor in the VPN…
December 29, 2015