Recon's Guide to Testing for the Log4J Vulnerability using Canarytokens

Dec 14, 2021 2:10:00 PM / by Andrew Cook posted in SecOps, Security, log4j, Canaries, InfoSec, Thinkst

This guide will walk you through using CanaryTokens.org to generate a token and how to use that token to determine if an application is vulnerable to Log4j. The generated token is a string of text that you will place in various user-controlled fields of the applications (such as search boxes, forms, and password fields). If the application is vulnerable, you will receive an email from CanaryTokens.org indicating that the application is vulnerable.

Read More

Recon's SOAR Playbook To Detect Log4J Exploitation

Dec 13, 2021 2:14:00 PM / by Andrew Cook posted in SecOps, Security, log4j, Canaries, InfoSec, Thinkst

The recent Log4j vulnerability (CVE-2021-44228) is unprecedented in its global scope and impact. This open source logging framework for Apache is found buried in everything from the Mars Helicopter to Minecraft. The exploit is as simple as getting the system to log a message containing a specific string, which can be done as easily as changing your iPhone’s name, sending a chat message, or visiting a website.

Read More

Scaling Enterprise Forensic Timelining

Oct 6, 2021 2:29:00 PM / by Eric Capuano posted in Automation, DFIR, Velociraptor, Incident Response, Forensics, Operations, SecOps, Security, SOC, Open Source

In July, Eric & Whitney gave a talk titled "Breaches Be Crazy" at the SANS DFIR Summit outlining Recon’s unique approach at scaling enterprise forensic timelining.

Read More

OPENSOC @ DEF CON 29

Aug 11, 2021 1:46:00 PM / by Kelley Wilds posted in DFIR, Incident Response, Forensics, Security, InfoSec, OpenSOC, DEFCON, Events, Training, Threat Hunting, ZeroTier

It’s that time of year again - DEF CON! We were thrilled to run OpenSOC again at DEF CON this year, even if it had to be virtual (fingers crossed we’re all in person again in 2022).

Read More

An Encounter with Ransomeware-as-a-Service: MEGAsync Analysis

Jun 21, 2021 1:54:00 PM / by Andrew Cook posted in Security, MEGAsync

Recon's SOC recently responded to an attempted ransomware and extortion attack. It had all the markings of a nightmare scenario: malicious access through the VPN, an external server in the same IP block as the Colonial Pipeline incident, Cobalt Strike flying across the environment, and a system running an unauthorized copy of MEGAsync. We attributed the attack to a Ransomware-as-a-Service (RaaS) threat group, likely DarkSide, REvil, or their affiliates.

Read More

An Encounter With TA551/Shathak

May 18, 2021 2:00:00 PM / by Andrew Cook posted in DFIR, SecOps, Security, TA551, Shathak, Python, Malware

The Recon incident response team recently responded to a case of business email compromise.  The incident spanned over seven months of potential dwell time, and included the unraveling of encrypted malware hidden in an image file. Our analysis attributed the incident to a threat group known as TA551/Shathak, known for stealing banking credentials.

Read More

Threat Hunting - A Critical Component of High Performing SOCs

Apr 23, 2021 2:03:00 PM / by Andrew Cook posted in Operations, Security, Threat Hunting

Whether your cybersecurity detection and response capabilities are in-house or managed through a partner, a prioritized approach to threat hunting is a key indicator of your security program’s maturity and effectiveness.

Read More

SOC X 2021 - A Recap

Mar 8, 2021 2:08:00 PM / by Kelley Wilds posted in SOC X, Security, SOC, InfoSec, OpenSOC, Events, NDR, Defense

We can't start a recap post without a huge THANK YOU to the community for joining us last week and making SOC X such a success!

Read More

Detecting Threats with Graylog Pipelines - Part 3

Jan 15, 2021 2:14:00 PM / by Eric Capuano posted in Incident Response, Operations, SecOps, Security, SOC, InfoSec, Threat Hunting, Monitoring, Graylog

Now that we've normalized and enriched our events, let's get into the actual threat detection logic that brings SIEM-like features to open source Graylog.

Read More

Detecting Threats with Graylog Pipelines - Part 2

Jan 4, 2021 5:01:00 PM / by Eric Capuano posted in Operations, SecOps, Security, SOC, InfoSec, Monitoring, Graylog, Logging

In my previous post, I explained the fundamental purpose and use cases of pipelines in Graylog – now let's move towards some more advanced topics.

Read More