Emergence of Akira Ransomware Group

May 10, 2023 12:54:20 PM / by Eric Capuano posted in Incident Response, Intel Sharing, ransomware

The Recon SOC recently worked an IR case involving the newly emerged Akira Ransomware Group. News didn't begin to break about this threat actor until May 7, 2023, but our investigation shows evidence that this crew began this particular campaign in early to mid-April.


Audit Active Directory Attack Paths with Bloodhound

Apr 18, 2023 5:15:25 PM / by Eric Capuano posted in SecOps, Security, Open Source, InfoSec, Defense

In our experience working with SMB and enterprise IT teams, they often do not know just how far and wide their Active Directory (AD) environment truly reaches or how many possible attack paths exist for a would-be threat actor. That is because sitting down and mapping these environments out in a way that makes it possible to begin hardening and mitigating attack paths is a non-trivial activity.


A Tribute to OpenSOC

Mar 8, 2023 6:19:40 AM / by Eric Capuano posted in OpenSOC

End of an Era

Recently the Recon team had to make the tough decision to take a step back from running our larger OpenSOC CTF events. It was not an easy decision as we know how much impact this project has made on the information security industry since we ran the very first public event at DakotaCon in 2018. Since then, the project grew larger and further than we ever dreamed, eventually becoming a DEF CON Black Badge contest in 2019 (on the DC site, too!) and running at multiple incredible conferences across the US.


Recon was at CactusCon 11!

Feb 9, 2023 1:37:56 PM / by Eric Capuano posted in Velociraptor, Events

We had the absolute pleasure of attending CactusCon 11 this year, which is easily one of our favorite smaller infosec events. Not only did we run a booth this year, but four of our team members gave some exciting talks on a variety of topics. In addition, we ran a DFIR CTF for participants looking to test their digital forensics skills.


Another LastPass Breach and What You Should Know

Dec 23, 2022 2:36:11 PM / by Eric Capuano posted in Security, InfoSec, Defense, Cryptography, LastPass

As you have no doubt heard, LastPass has suffered yet another breach, which makes at least 3 separate incidents this year alone. The latest incident appears to be a follow-up to the previous intrusion from back in August. Rather than recap the details of the breaches, this post will focus strictly on "how does this affect me/my organization" and "is LastPass still safe to use?"


Every Organization Needs Centralized Logging

Oct 18, 2022 6:03:30 PM / by Eric Capuano posted in DFIR, Incident Response, Open Source, Defense, Monitoring, Graylog, Logging, Compliance

Logs are on the systems, why do I need this?

Because Digital Forensics & Incident Response is expensive -- likely the highest billable rate among most IT/security practices.

Why? Because it is a very skilled, but meticulous and time-consuming activity and my team has done our fair share of it. Most often, the bulk of the time is spent collecting often volatile evidence from countless systems in hopes that enough of the attacker activity is still traceable. The best evidence sources are often the ones least available at the time of the investigation -- logs. Why? Because they roll over, or get deleted, etc.

If I walked into an organization that had centralized logging, I could probably cut the IR effort in half because a huge amount of the data I need is there ready to be queried. This allows me to perform deeper forensic analysis only on systems that exhibited noteworthy activity.

Remote Access Done Right

Oct 14, 2022 3:00:00 PM / by Whitney Champion posted in SecOps, Security, DevOps, Infrastructure, Cloud, SSO

Do you have resources on prem? In the cloud? How about in multiple clouds? How do you access them all, and how do you track all of those resources? How do you handle key management? Password management? User management? How do you maintain who or what has SSH and RDP access? How do you provide secure access to internal websites or even other data sources? How do you know your admins and analysts and end users are accessing them securely? How do you know who has keys sitting in their downloads folder? How do you track any of it? 


Business Email Compromise & Wire Transfer Fraud

Aug 3, 2022 7:57:28 AM / by Andrew Cook posted in fraud, wire transfer

If anyone in your organization handles financial transactions, invoices, or payroll changes over email, you're at risk of wire transfer fraud. Criminals direct sophisticated social engineering attacks at anyone who can authorize or redirect payments or financial transactions, including accountants, salespeople, payroll and HR staff, and executives. The core issue is this: email is never a trustworthy way to validate a person's identity. It is critical that your leadership and users understand this.


Recon InfoSec Expands Reach And Partner Program With Channel Partner Portal Launch

Jun 14, 2022 11:15:00 AM / by Kelley Wilds

Recon InfoSec, an industry-recognized leader in Managed Detection & Response, cybersecurity assessments, incident response, and training, is offering its portfolio of services and capabilities through an exclusive channel partner program.


Recon InfoSec Offers Free Cybersecurity Threat Hunting Service for Critical Infrastructure Entities

May 17, 2022 11:35:00 AM / by Kelley Wilds posted in Threat Hunting, critical infrastructure

With the ongoing conflict in Ukraine and U.S. sanctions against Russia continuing to build, the need has never been greater for American infrastructure entities to protect their operations from cyber threats and attacks.
