The Recon SOC recently worked an IR case involving the newly emerged Akira Ransomware Group. News didn't begin to break about this threat actor until May 7, 2023, but our investigation shows evidence this crew began this particular campaign in early-mid April. 

In our experience working with SMB and enterprise IT teams, it is often unknown just how far and wide their Active Directory (AD) environment truly is and how many possible attack paths exist for a would-be threat actor. This is true because it's a non-trivial activity to sit down and map these environments out in a way that makes it possible to begin hardening and mitigating attack paths. 

End of an Era

Recently the Recon team had to make the tough decision to take a step back from running our larger OpenSOC CTF events. It was not an easy decision as we know how much impact this project has made on the information security industry since we ran the very first public event at DakotaCon in 2018. Since then, the project grew larger and further than we ever dreamed, eventually becoming a DEF CON Black Badge contest in 2019 (on the DC site, too!) and running at multiple incredible conferences across the US.

We had the absolute pleasure to attend CactusCon11 this year which is easily one of our favorite smaller infosec events. Not only did we run a booth this year, but 4 of our team members gave some exciting talks on a variety of topics. In addition, we ran a DFIR CTF for participants looking to test their digital forensics skills.

As you have no doubt heard, LastPass has suffered yet another breach which makes at least 3 separate incidents this year alone. The latest incident appears to be a follow-up to the previous intrusion from back in August. Rather than recap the details of the breaches, this post will focus strictly on "how does this affect me/my organization" and "is LastPass still safe to use?"

As many in the industry are now aware, Okta experienced a form of security breach back in January which the wider industry was unaware of until screenshots obtained by the LAPSUS$ group were posted on Twitter on March 21st, at 10:15pm CDT.

At Recon, we are committed to meeting the security demands of the evolving threat landscape and exceeding the expectations of our customers. We follow best practices, up to and including closely following Google's BeyondCorp approach to "Zero Trust" for our entire infrastructure. Our security philosophy is, "we must always be the most secure part of any organization that we may ever work with." This has enabled us to be a strong, trusted advisor and service provider to our customers and channel partners.

In July, Eric & Whitney gave a talk titled "Breaches Be Crazy" at the SANS DFIR Summit outlining Recon’s unique approach at scaling enterprise forensic timelining.

Now that we've normalized and enriched our events, let's get into the actual threat detection logic that brings SIEM-like features to open source Graylog.