In our experience working with SMB and enterprise IT teams, it is often unknown just how far and wide their Active Directory (AD) environment truly is and how many possible attack paths exist for a would-be threat actor. This is true because it's a non-trivial activity to sit down and map these environments out in a way that makes it possible to begin hardening and mitigating attack paths.
Audit Active Directory Attack Paths with Bloodhound
Apr 18, 2023 5:15:25 PM / by Eric Capuano posted in SecOps, Security, Open Source, InfoSec, Defense
Another LastPass Breach and What You Should Know
Dec 23, 2022 2:36:11 PM / by Eric Capuano posted in Security, InfoSec, Defense, Cryptography, LastPass
As you have no doubt heard, LastPass has suffered yet another breach which makes at least 3 separate incidents this year alone. The latest incident appears to be a follow-up to the previous intrusion from back in August. Rather than recap the details of the breaches, this post will focus strictly on "how does this affect me/my organization" and "is LastPass still safe to use?"
Remote Access Done Right
Oct 14, 2022 3:00:00 PM / by Whitney Champion posted in SecOps, Security, DevOps, Infrastructure, Cloud, SSO
Do you have resources on prem? In the cloud? How about in multiple clouds? How do you access them all, and how do you track all of those resources? How do you handle key management? Password management? User management? How do you maintain who or what has SSH and RDP access? How do you provide secure access to internal websites or even other data sources? How do you know your admins and analysts and end users are accessing them securely? How do you know who has keys sitting in their downloads folder? How do you track any of it?
Recon's Guide to Testing for the Log4J Vulnerability using Canarytokens
Dec 14, 2021 2:10:00 PM / by Andrew Cook posted in SecOps, Security, log4j, Canaries, InfoSec, Thinkst
This guide will walk you through using CanaryTokens.org to generate a token and how to use that token to determine if an application is vulnerable to Log4j. The generated token is a string of text that you will place in various user-controlled fields of the applications (such as search boxes, forms, and password fields). If the application is vulnerable, you will receive an email from CanaryTokens.org indicating that the application is vulnerable.
Recon's SOAR Playbook To Detect Log4J Exploitation
Dec 13, 2021 2:14:00 PM / by Andrew Cook posted in SecOps, Security, log4j, Canaries, InfoSec, Thinkst
The recent Log4j vulnerability (CVE-2021-44228) is unprecedented in its global scope and impact. This open source logging framework for Apache is found buried in everything from the Mars Helicopter to Minecraft. The exploit is as simple as getting the system to log a message containing a specific string, which can be done as easily as changing your iPhone’s name, sending a chat message, or visiting a website.
Scaling Enterprise Forensic Timelining
Oct 6, 2021 2:29:00 PM / by Eric Capuano posted in Automation, DFIR, Velociraptor, Incident Response, Forensics, Operations, SecOps, Security, SOC, Open Source
In July, Eric & Whitney gave a talk titled "Breaches Be Crazy" at the SANS DFIR Summit outlining Recon’s unique approach at scaling enterprise forensic timelining.
OPENSOC @ DEF CON 29
Aug 11, 2021 1:46:00 PM / by Kelley Wilds posted in DFIR, Incident Response, Forensics, Security, InfoSec, OpenSOC, DEFCON, Events, Training, Threat Hunting, ZeroTier
It’s that time of year again - DEF CON! We were thrilled to run OpenSOC again at DEF CON this year, even if it had to be virtual (fingers crossed we’re all in person again in 2022).
An Encounter with Ransomeware-as-a-Service: MEGAsync Analysis
Jun 21, 2021 1:54:00 PM / by Andrew Cook posted in Security, MEGAsync
Recon's SOC recently responded to an attempted ransomware and extortion attack. It had all the markings of a nightmare scenario: malicious access through the VPN, an external server in the same IP block as the Colonial Pipeline incident, Cobalt Strike flying across the environment, and a system running an unauthorized copy of MEGAsync. We attributed the attack to a Ransomware-as-a-Service (RaaS) threat group, likely DarkSide, REvil, or their affiliates.
An Encounter With TA551/Shathak
May 18, 2021 2:00:00 PM / by Andrew Cook posted in DFIR, SecOps, Security, TA551, Shathak, Python, Malware
The Recon incident response team recently responded to a case of business email compromise. The incident spanned over seven months of potential dwell time, and included the unraveling of encrypted malware hidden in an image file. Our analysis attributed the incident to a threat group known as TA551/Shathak, known for stealing banking credentials.
Threat Hunting - A Critical Component of High Performing SOCs
Apr 23, 2021 2:03:00 PM / by Andrew Cook posted in Operations, Security, Threat Hunting
Whether your cybersecurity detection and response capabilities are in-house or managed through a partner, a prioritized approach to threat hunting is a key indicator of your security program’s maturity and effectiveness.