Rudolph the Redsourced Reindeer
Ho ho homepage! Christopher Glyer and Nick Carr are back for the last episode of 2019. They’re closing the year with a look at this month’s front-line espionage activity and a whole bunch of FIN intrusions! In addition to the threat round-up, they highlight some of our Mandiant consultants doing that work and a few DFIR tricks they included in a recent blog.
Shellcode. DLLy DLLy!
Christopher Glyer and Nick Carr are back with an extremely offensive episode with red teamers Evan Pena (@evan_pena2003) and Casey Erikson (@EriksocSecurity). They get right into why they use shellcode (any piece of self-contained executable code) and some of the latest shellcode execution and injection techniques that are working in the wild.
Between Two Steves
Christopher Glyer and Nick Carr spoke with Steven Stone and Steven Miller about their FireEye Cyber Defense Summit technical track, their interesting use of PDB paths and Rich header hashes for hunting at scale, recent FIN7 events, and other advanced practices topics.
from MATH import CYBERZ*
Christopher Glyer and Nick Carr interview Matt Berninger (@secbern) about his journey from Incident Responder to Data Scientist and how that has shaped his perspective on ML applications and issues in the industry today. This discussion provides a brief overview of Data Science fundamentals and how they apply to common cybersecurity problems. They also discuss how to navigate the deluge of ML marketing and what considerations to make before including ML in your security stack. Finally, they dive into some recent Data Science projects and explain how the FireEye Data Science team works with practitioners around the company to solve complex problems.
DerbyCon Edition with Dave Kennedy
Christopher Glyer and Nick Carr interview Dave Kennedy (@HackingDave) on his experience running DerbyCon over the years, what conferences he plans to attend next, and future plans to build and support DerbyCon Communities (DerbyCom). Red teaming in the last few years has started to get harder due to improvements in security visibility, improved security tools, and better SOC teams. They discussed how Dave's red team at @TrustedSec uses security tools to baseline what their own activity looks like so they can try to blend in with legitimate activity, and the trend of red teams shifting away from PowerShell to C-based tools/backdoors. Finally, they discussed both new and old (but still effective) techniques recently seen in the wild that can evade detection, including py2exe- and pyinstaller-based backdoors/tools.
DerbyCon Edition with Nate Warfield
Christopher Glyer and Nick Carr interview Nate Warfield (@n0x08) on his experience working at Microsoft's Security Response Center (MSRC). They discuss how Nate's team manages the vulnerability reporting and fix/remediation process across Microsoft's range of products and services. They also debated what makes the BlueKeep and DejaBlue vulnerabilities different from previous vulnerabilities and why this particular set of vulns took so long to have public exploit code available. Nate also shared his first-hand experience responding to the Shadow Brokers release of exploits and his thoughts on the release of the WannaCry worm.
DerbyCon Edition w/ Carlos Perez & Benjamin Delpy
In this episode, Christopher Glyer and Nick Carr interview the Darkoperator (@Carlos_Perez) and Benjamin Delpy (@gentilkiwi) on all things related to Mimikatz and Kekeo. They discuss Carlos' new class on Mimikatz, the background on why he started it, how red teamers can use the features in unique/creative ways, and how blue teamers can detect the activity. Benjamin shared the background on how he developed the tools (hint: he didn't read the Kerberos RFC), some of their lesser-known capabilities, like cloning near field communication (NFC) proximity badges, how Kerberos golden tickets got their default 10-year lifetime, why you only really need to set the expiration to 20 minutes, and his "creative" documentation (e.g. an animated GIF posted to Twitter).
APT41 - Double Dragon: The Spy Who Fragged Me
This is our APT group graduation party for APT41: Double Dragon, conducting both Chinese state-sponsored espionage activity and personal financially-motivated activity. You've read the report and on this episode, Christopher Glyer and Nick Carr go behind-the-scenes with two technical experts, Jackie O'Leary and Ray Leong, who worked for months to produce the report. We answer viewer questions and discuss sifting years of incident response data, peppered with Glyer's IR war stories, and fascinating malware and techniques analyzed by our reverse engineers in FLARE.
SotH Convos: Finding Evil in Windows 10 Compressed Memory
We are kicking-off a new segment on State of the Hack - an audio-only deep dive discussion with authors from popular technical blogs. On this episode, Christopher Glyer and Nick Carr spoke with FireEye's Blaine Stancill (@MalwareMechanic) and Omar Sardar (@osardar1) on their recent blog post, "Finding Evil in Windows 10 Compressed Memory."
Your Payment Cards Are Our Business Cards
We interviewed one of our most tenured analysts, Barry Vengerik (@barryv), on a range of viewer-requested topics including: a FIN7 retrospective, the recent surge of Iranian threat activity, APT34 targeting organizations via LinkedIn messaging, the FSB contractor leaks, APT36 USB drop attacks, and some tales from recent investigations involving insider threats.
This episode brought to you by Combi Security: "Creative Red Teaming with Flexible payment options"
Ransom Acts of Flyness
Christopher and Nick kicked off the latest episode with recent updates to the MITRE ATT&CK framework, including several techniques that they submitted. During the episode they discuss Outlook add-in persistence, renamed binaries, and the high-level increase in execution guardrails observed, all of which were added in the May update to ATT&CK. They also spoke about CARBANAK Week, gave new details on FIN7's ongoing operations, broke down the new APT34 "leaks", and gave a threat research blog round-up.
Behind the ATM Heist & Other Red Team Stories
On this episode, we got right into a bunch of new in-the-wild activity! We discussed FIN6's shift to deploying enterprise ransomware, including their recent LOCKERGOGA campaigns. The recent DAYJOB/ShadowHammer supply chain compromises prompted some discussion around this trend and several hunting techniques. We covered our newly-released blog on the techniques that the attackers used to deliver the TRITON malware framework and how to hunt for them. We wanted to learn more about attacker creativity and their mindset by inviting a real-life adversary onto our show: Alyssa Rahman (@ramen0x3f) from our Red Team.
Trending 10 Years of Breach Response (RSAC #SendUsSwag)
In this latest episode, we featured FireEye Principal Threat Analyst and M-Trends contributor Regina Elwell, who took us on a deep dive of our annual M-Trends report. We discussed how key metrics from our incident response investigations changed, including dwell times, source of notification, and which industries were impacted. Additionally, we broke down some of the highlights of four threat actors we upgraded in 2018: APT37, APT38, APT39, and APT40. Finally, we discussed several takeaways from the Mandiant consulting case studies and common remediation recommendations.
We're back for season 2 and discussed reports of destructive/disruptive attacks by APT33 and DNS hijacking. We also spoke with Matthew Dunwoody and Alex Orleans about one of our favorite topics: APT29.