The Recon incident response team recently responded to a case of business email compromise. The incident spanned over seven months of potential dwell time, and included the unraveling of encrypted malware hidden in an image file. Our analysis attributed the incident to a threat group known as TA551/Shathak, known for stealing banking credentials.
An Encounter With TA551/Shathak
May 18, 2021 2:00:00 PM / by Andrew Cook posted in DFIR, SecOps, Security, TA551, Shathak, Python, Malware
Integrating Thinkst Canaries with TheHive
Sep 16, 2020 11:33:00 AM / by Whitney Champion posted in Automation, DFIR, Incident Response, Forensics, SecOps, Canaries, InfoSec, Thinkst, Training, Python, TheHive, Cortex
We've been big fans of the Thinkst platform for a while now. We may have mentioned them a time or two :) Like many others, we get a lot of mileage out of their Canaries and Canary Tokens.
Visualizing Geo IP Information using Python
Apr 17, 2020 1:11:00 PM / by Brian Greunke posted in Automation, Python, BlackHat
As part of the #OpenSOC event Recon InfoSec recently conducted, we wanted to visualize where all of our participants were coming from. We had several data points to work from, and there are plenty of open tools available, so it is just a matter of cobbling those items together to create a sweet, sweet map.
Integrating Graylog With TheHive
Jan 31, 2020 2:11:00 PM / by Whitney Champion posted in Automation, DFIR, Incident Response, SecOps, Security, Defense, Python, Graylog, DevOps, TheHive, Cortex, API
If you couldn't tell by now, we love Graylog. We may have mentioned them a time or two :)
Automating Graylog Pipelines
Jun 18, 2019 3:02:00 PM / by Whitney Champion posted in Automation, DFIR, SecOps, Security, Python, Graylog, Continuous Integration, DevOps, Ansible
Part of our job at Recon relies on fine tuning our threat signatures that make up the bulk of our pipeline rules in our Graylog environment.