Emergence of Akira Ransomware Group
The Recon SOC recently worked an IR case involving the newly emerged Akira Ransomware Group. News...
Audit Active Directory Attack Paths with Bloodhound
In our experience working with SMB and enterprise IT teams, it is often unknown just how far and...
A Tribute to OpenSOC
End of an Era Recently the Recon team had to make the tough decision to take a step back from...
Recon was at CactusCon 11!
We had the absolute pleasure to attend CactusCon11 this year which is easily one of our favorite...
Another LastPass Breach and What You Should Know
As you have no doubt heard, LastPass has suffered yet another breach which makes at least 3...
Every Organization Needs Centralized Logging
Logs are on the systems, why do I need this? Because Digital Forensics & Incident Response is...
Remote Access Done Right
Do you have resources on prem? In the cloud? How about in multiple clouds? How do you access them...
Business Email Compromise & Wire Transfer Fraud
If anyone in your organization handles financial transactions, invoices, or payroll changes over...
Recon InfoSec Expands Reach And Partner Program With Channel Partner Portal Launch
Recon InfoSec, an industry-recognized leader in Managed Detection & Response, cybersecurity...
Recon InfoSec Offers Free Cybersecurity Threat Hunting Service for Critical Infrastructure Entities
With the ongoing conflict in Ukraine and U.S. sanctions against Russia continuing to build, the...
Okta + LAPSUS$ Security Incident
As many in the industry are now aware, Okta experienced a form of security breach back in January...
Recon InfoSec Receives SOC 2 Type II Certification
At Recon, we are committed to meeting the security demands of the evolving threat landscape and...
Widespread Phishing and Business Email Compromise Campaign
In this blog post we cover a widespread phishing campaign Recon recently observed targeting...
Recon's Guide to Testing for the Log4J Vulnerability using Canarytokens
This guide will walk you through using CanaryTokens.org to generate a token and how to use that...
Recon's SOAR Playbook To Detect Log4J Exploitation
The recent Log4j vulnerability (CVE-2021-44228) is unprecedented in its global scope and impact....
Scaling Enterprise Forensic Timelining
In July, Eric & Whitney gave a talk titled "Breaches Be Crazy" at the SANS DFIR Summit outlining...
OPENSOC @ DEF CON 29
It’s that time of year again - DEF CON! We were thrilled to run OpenSOC again at DEF CON this year,...
An Encounter with Ransomeware-as-a-Service: MEGAsync Analysis
Recon's SOC recently responded to an attempted ransomware and extortion attack. It had all the...
An Encounter With TA551/Shathak
The Recon incident response team recently responded to a case of business email compromise. The...
Threat Hunting - A Critical Component of High Performing SOCs
Whether your cybersecurity detection and response capabilities are in-house or managed through a...
SOC X 2021 - A Recap
We can't start a recap post without a huge THANK YOU to the community for joining us last week and...
Detecting Threats with Graylog Pipelines - Part 3
Now that we've normalized and enriched our events, let's get into the actual threat detection logic...
Detecting Threats with Graylog Pipelines - Part 2
In my previous post, I explained the fundamental purpose and use cases of pipelines in Graylog –...
Detecting Threats with Graylog Pipelines - Part 1
If you are here hoping to learn more about using Graylog for the purpose of monitoring the security...
The Training Secrets of Great Security Operations Teams
At Recon InfoSec we have the honor of working with some of the best security operations, incident...
A SecDevOps Perspective on SUNBURST
Much has already been said about the recently reported SolarWinds compromise. In this post, we are...
Endpoint Logging For The Win!
Whether you're on the Defensive or Offensive side of security, it's important to understand how...
Recon Launches SOC X
The Recon team is excited to announce the launch of SOC X™, the Professional SOC Team World...
Recon Launches Network Defense Range (NDR) Live Online
The Recon team is thrilled to announce our newest offering, NDR Live Online!
Securing Your Velociraptor Deployment
Our team are huge fans of Velociraptor. It's an incredibly powerful tool, for both DFIR and...
Mapping Adversary Emulation Plans
The Center for Threat-Informed Defense at MITRE recently released their Adversary Emulation Plans...
Integrating Thinkst Canaries with TheHive
We've been big fans of the Thinkst platform for a while now. We may have mentioned them a time or...
OpenSOC @ DEF CON 28 Safe Mode
Some of you may remember our last event, Camp COVID. That was the biggest event we had ever run....
Recon Provides Range Training for Military Cyber Protection Teams During COVID-19 Lockdown
Recently, our team was asked to provide training for an operational military Cyber Protection Team...
Visualizing Geo IP Information using Python
As part of the #OpenSOC event Recon InfoSec recently conducted, we wanted to visualize where all of...
Camp COVID - A Recap
Let me first say, on behalf of the Recon team, we cannot thank the community enough for joining us...
OpenSOC: Camp COVID
Hello OpenSOC fam! First and most importantly, we hope that you and yours are healthy and happy in...
Analysis Of Exploitation: CVE-2020-10189
The Recon incident response team recently worked an intrusion case involving a ManageEngine Desktop...
Automating Detection Coverage Analysis with ATT&CK Navigator
Staying on-top of the latest adversarial methodologies means quickly adjusting to new TTPs and...
Integrating Graylog With TheHive
If you couldn't tell by now, we love Graylog. We may have mentioned them a time or two :)
Network Defense Range (NDR) Returning to BlackHat 2020
We're thrilled to be accepted back to BlackHat to run our live-fire Network Defense Range (NDR)...
Graylog and Cylance Protect Integration
TL;DR - we needed to ingest multiple sources of Cylance logs into Graylog, and this is how we did...
Brokering Other Cloud Resources Behind AWS Services
I tweeted this the other day, and had a lot of folks reach out asking for more details/a diagram of...
The Infrastructure, II
After DEF CON last year, we posted this blog about our infrastructure, which was spread between a...
OpenSOC @ DC27 - Black Badge Edition!
We never wrote up a blog post for DC27, but this excerpt from the closing ceremonies covers most of...
Automating Graylog Pipelines
Part of our job at Recon relies on fine tuning our threat signatures that make up the bulk of our...
Analysis of Exploitation: CVE-2019-3396
The Recon incident response team recently worked an intrusion case involving a Confluence web...
Locking down ZeroTier peer-to-peer networks
In a previous post, we shared our affinity for ZeroTier:
Join us for Network Defense Range Training at Black Hat 2019!
We're very excited to announce that we'll be bringing our NDR training to Black Hat this year! Come...
A Tribute to devnull
Hello, dear friends. The past few days have been extremely hard on the OpenSOC Team. We hope this...
The Infrastructure
When I joined the OpenSOC team at the beginning of this year, everything resided on 3 Intel Skull...
Blue Team Village @ DEF CON 26
Huge thanks to @BlueTeamVillage and all of the awesome projects that make up OpenSOC Blue CTF!
Geolocation via Pipelines in Graylog
To the delight of most Graylog users, geolocation is automatically built into the platform via the...
Securing G Suite
Shortly after publishing Part 1 of my G Suite DFIR blog series, I gave a talk on the topic at...
US-CERT TA18-106A for the Rest of Us!
EXECUTIVE SUMMARY US-CERT posted a new Tactical Alert (TA18-106A) based on a combined intelligence...
Meltdown and Spectre
SUMMARY A collaboration between multiple security industry and academic researchers led to the...
Build a Free Private Mesh Network for Secure DevOps
Over time and for various reasons, I've amassed quite the catalog of cloud-hosted servers. This has...
Auditing G Suite Login Activity
Often times during incident response activities, the responder is overwhelmed with data. The need...
When Browser Extensions Go Rogue
So it's a random Wednesday night and I'm studying for my GIAC GCFE exam (which I just passed...
Slacking at Security Operations
Running a Security Operations Center requires fighting a constant battle to increase analyst...
Macro Security for Enterprise Defenders
In my experience, one of those most prevalent and common threats to today’s enterprise networks...