Analysis Of Exploitation: CVE-2020-10189

Mar 25, 2020 1:39:00 PM / by Luke Rusten posted in DFIR, Incident Response, Forensics, SecOps, InfoSec, Defense, Malware, Exploit, CVE-2020-10189, Intel Sharing, Zoho, Vulnerability, ManageEngine

The Recon incident response team recently worked an intrusion case involving a ManageEngine Desktop Central server that was affected by CVE-2020-10189.

Read More

Automating Detection Coverage Analysis with ATT&CK Navigator

Feb 13, 2020 1:52:00 PM / by Brian Greunke posted in Automation, DFIR, SecOps, Security, Threat Hunting, Defense, Graylog, Continuous Integration, MITRE ATT&CK

Staying on-top of the latest adversarial methodologies means quickly adjusting to new TTPs and requires a thorough and constant understanding of your own detection capabilities. Given a rapidly changing, dynamic environment, this level of attention can't be a manual process, it requires the magic of automation.

Read More

Integrating Graylog With TheHive

Jan 31, 2020 2:11:00 PM / by Whitney Champion posted in Automation, DFIR, Incident Response, SecOps, Security, Defense, Python, Graylog, DevOps, TheHive, Cortex, API

If you couldn't tell by now, we love Graylog. We may have mentioned them a time or two :)

Read More

Network Defense Range (NDR) Returning to BlackHat 2020

Jan 26, 2020 2:26:00 PM / by Eric Capuano posted in Incident Response, InfoSec, Training, Threat Hunting, NDR, Defense, BlackHat

We're thrilled to be accepted back to BlackHat to run our live-fire Network Defense Range (NDR) course again this year! We received overwhelmingly positive feedback from last year's attendees and we have even bigger plans this year.

Read More

Graylog and Cylance Protect Integration

Dec 23, 2019 2:37:00 PM / by Whitney Champion posted in Operations, SecOps, Security, Graylog, Logging, DevOps, API, Cylance

TL;DR - we needed to ingest multiple sources of Cylance logs into Graylog, and this is how we did it.

Read More

Brokering Other Cloud Resources Behind AWS Services

Nov 21, 2019 2:43:00 PM / by Whitney Champion posted in DFIR, Operations, SecOps, Security, ZeroTier, DevOps, AWS, Cognito, Identity Aware Proxy, Cloud

I tweeted this the other day, and had a lot of folks reach out asking for more details/a diagram of this setup.

Read More

The Infrastructure, II

Oct 17, 2019 2:48:00 PM / by Whitney Champion posted in OpenSOC, DEFCON, Events, Infrastructure

After DEF CON last year, we posted this blog about our infrastructure, which was spread between a handful of Intel NUCs, and AWS. It was epic. It was shiny and new. We loved it.

Read More

OpenSOC @ DC27 - Black Badge Edition!

Aug 31, 2019 2:53:00 PM / by Eric Capuano posted in OpenSOC, DEFCON, Events, BlackBadge, BlueTeamVillage

We never wrote up a blog post for DC27, but this excerpt from the closing ceremonies covers most of what we would've written.

Read More

Automating Graylog Pipelines

Jun 18, 2019 3:02:00 PM / by Whitney Champion posted in Automation, DFIR, SecOps, Security, Python, Graylog, Continuous Integration, DevOps, Ansible

Part of our job at Recon relies on fine tuning our threat signatures that make up the bulk of our pipeline rules in our Graylog environment.

Read More

Analysis of Exploitation: CVE-2019-3396

May 20, 2019 3:22:00 PM / by Eric Capuano posted in DFIR, Incident Response, Forensics, Security, Malware, Exploit, Intel Sharing, Vulnerability

The Recon incident response team recently worked an intrusion case involving a Confluence web application server that was affected by CVE-2019-3396.

Read More
View RSS Feed