State of the Hack

State of the Hack is a show hosted by FireEye's Christopher Glyer (@cglyer) and Nick Carr (@itsreallynick) that discusses the latest in information security, digital forensics, incident response, cyber espionage, APT attack trends, and tales from the front lines of significant targeted intrusions.

Watch previous editions of State of the Hack on the FireEye YouTube channel or listen to the recordings below.

SEASON TWO

This is our APT group graduation party for APT41: Double Dragon, a group conducting both Chinese state-sponsored espionage activity and personal financially-motivated activity. You've read the report; on this episode, Christopher Glyer and Nick Carr go behind the scenes with two technical experts, Jackie O'Leary and Ray Leong, who worked for months to produce it. We answer viewer questions and discuss sifting through years of incident response data, peppered with Glyer's IR war stories and fascinating malware and techniques analyzed by our reverse engineers in FLARE.

We are kicking off a new segment on State of the Hack: an audio-only deep dive discussion with authors of popular technical blogs. On this episode, Christopher Glyer and Nick Carr spoke with FireEye's Blaine Stancill (@MalwareMechanic) and Omar Sardar (@osardar1) about their recent blog post, "Finding Evil in Windows 10 Compressed Memory."

You can read the full post here.

We interviewed one of our most tenured analysts, Barry Vengerik (@barryv), on a range of viewer-requested topics, including a FIN7 retrospective, the recent surge of Iranian threat activity, APT34 targeting organizations via LinkedIn messaging, the FSB contractor leaks, APT36 USB drop attacks, and some tales from recent investigations involving insider threats.

This episode is brought to you by Combi Security: "Creative Red Teaming with Flexible payment options"

Christopher and Nick kicked off the latest episode with recent updates to the MITRE ATT&CK framework, including several techniques that they submitted. During the episode they discuss Outlook add-in persistence, renamed binaries, and the high-level increase in execution guardrails observed, all of which were added in the May update to ATT&CK. They also spoke about CARBANAK Week, gave new details on FIN7's ongoing operations, broke down the new APT34 "leaks", and gave a threat research blog round-up.

On this episode, we got right into a bunch of new in-the-wild activity! We discussed FIN6's shift to deploying enterprise ransomware, including their recent LOCKERGOGA campaigns. The recent DAYJOB/ShadowHammer supply chain compromises prompted some discussion around this trend and several hunting techniques. We covered our newly-released blog on the techniques that the attackers used to deliver the TRITON malware framework and how to hunt for them. We wanted to learn more about attacker creativity and their mindset by inviting a real-life adversary onto our show: Alyssa Rahman (@ramen0x3f) from our Red Team.

In this latest episode, we featured FireEye Principal Threat Analyst and M-Trends contributor Regina Elwell, who took us on a deep dive into our annual M-Trends report. We discussed how key metrics from our incident response investigations changed, including dwell times, source of notification, and which industries were impacted. Additionally, we broke down some of the highlights of four threat actors we upgraded in 2018: APT37, APT38, APT39, and APT40. Finally, we discussed several takeaways from the Mandiant consulting case studies and common remediation recommendations.

We're back for season 2 and discussed reports of destructive/disruptive attacks by APT33 and DNS hijacking. We also spoke with Matthew Dunwoody and Alex Orleans about one of our favorite topics: APT29.

SEASON ONE

In their final episode of 2018, Christopher Glyer and Nick Carr brought the holiday cheer by providing a wrap-up of interesting targeted attacker activity from the past 90 days, including CNIIHM links to the TRITON ICS attacks, a suspected APT29 spearphishing campaign, and several recent DOJ indictments. They also highlighted some interesting techniques, including DNS over HTTPS and profiling victims pre-attack using both compromised websites and Office documents.

In this episode, Christopher Glyer and Nick Carr spoke with Steven Booth, Chief Security Officer at FireEye, to discuss what’s to come in 2019, including attackers and nations attempting to emulate other threat groups, increased leveraging of legitimate services for command and control, machine learning and artificial intelligence, a decreased and more selective use of PowerShell in attacks, and much more. If you want to get into the nitty gritty of cyber security in 2019, you won’t want to miss this episode.

In this segment, we sit down with two Staff Reverse Engineers on the FLARE team, Michael Bailey (@mykill) and James “Tom” Bennett (@jtbennettjr), who were at CDS this year to discuss the results of nearly 500 total hours of analysis of the Carbanak source code we acquired.

In this segment, we welcome two core contributors to the APT38 report: Nalani Fraser, Manager of the Advanced Analysis Team, and Jackie O’Leary, Senior Analyst on the Advanced Analysis Team.

In this segment, we start with the recently announced indictments charging Russian GRU officers with international hacking and related influence and disinformation operations, then bounce to APT28, and the conversation keeps going from there.

Christopher Glyer and Nick Carr spoke with FireEye Intel Analyst, Lee Foster on how FireEye identified a suspected influence operation that appears to originate from Iran aimed at audiences in the U.S., U.K., Latin America, and the Middle East.

During our chat, Sean explained how he got started in the world of Active Directory security about a decade and a half ago, when he was an Active Directory engineer. He discussed some of the challenges he faced between then and now while traversing relatively uncharted territory.

Some of the topics covered include PowerShell, Matt’s “Subverting Sysmon” Black Hat USA 2018 talk, and the things that Matt will do in the name of a good cause.

Special Guest Katie Nickels (@likethecoins) talks about how her team processes new intel as it’s made public (she said she was really excited about our latest FIN7 blog post – thanks Katie!), and about a new ATT&CK philosophy paper MITRE recently released that describes the collaborative process of incorporating new TTPs.

We open up this episode by talking about all things FIN7, including their tools, their tactics, techniques and procedures (TTPs), and some of the ways FIN7 activity changed following arrests made as far back as January.

In this episode we were joined by Dan Perez (@MrDanPerez) of FireEye's Adversary Pursuit team. We discussed our experiences from FireEye's Congressional roundtable on artificial intelligence, provided insight into the analysis leading up to our report on TEMP.Periscope targeting Cambodian election operations, and broke down several notable adversary methods observed during the past few weeks of responding to intrusions that matter.

In May we were joined by Andrew Thompson (@QW5kcmV3) of FireEye's Adversary Pursuit team. We explored the evolution and current state of cloud services OAuth abuse, how we do technical intelligence and attribution, and some war stories from the past few weeks of responding to intrusions that matter.

In episode 3, we were joined by Alex Lanstein (@alex_lanstein), one of the first employees at FireEye, who hunts through product telemetry data to identify new targeted campaigns. During the RSA conference, with so many others referencing breaches and hunting from the periphery, we thought it would be good to chat about primary source data from our ongoing APT and FIN attack investigations and how to identify anomalies the way Alex does.

“Activity Round-up”: This week, we talk about new techniques being used by Iran's "MuddyWater" (TEMP.Zagros) and Vietnam's APT32. We discuss our Mandiant response efforts into large Chinese espionage campaigns that have picked up in the past year, highlighting both APT20 targeting of service providers and some fresh TEMP.Periscope activity at many clients.

Join us as we kick off our FireEye #StateOfTheHack video series. Part podcast, part happy hour hangout, but all freeform and streaming LIVE. We explain who we are and what we’re doing with this series.