Posts

Analyzing Spear Phishing Email

Phishing is a fraudulent attempt by an attacker to obtain sensitive and confidential information such as credentials, PII, credit card or bank details. It can also be a targeted attack focused on a specific organization or individual. The attacker often tailors an email to speak directly to the targeted user. There are many types of phishing; I won't explain the types here. You can read about them Here. In this article you'll learn how to analyze a sophisticated phishing email. So, let's start with the case study. Spear phishing: Spear phishing is the technique in which the attacker aims at one person and lures him/her into providing confidential data. The attacker compiles the email according to the specific user. The email would contain some of the target's details, such as email address, username and designation. Case Study: A user receives a spear phishing email containing a PDF attachment with a double extension. The email body contains the unprofessional statement "Kindly m

Cyber Threat Intel

What is Cyber Threat Intel? Threat intel is information about threats. Cyber threat intel is used to better understand, predict and adapt to the behavior of malicious actors. It plays an important role in preventing zero-day attacks. "Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes" (NIST). Threat Intel Life Cycle: The intelligence lifecycle is the process of developing raw information into finished intelligence for policymakers to use in decision making and action. CTI Life Cycle: Planning and Direction: Planning and direction helps in setting the goals for the threat intel program. Priorities and requirements are defined in this phase. Collection: Collection means gathering data to produce finished intelligence. Data includes logs (firewall, IPS/IDS, endpoints), threat feeds and OSINT (reports, social media, public forums). Collection: Types of Collectio

Practical Malware Analysis - LAB01

Basic Static Analysis: Let's jump into the labs of PMA (Practical Malware Analysis). You can revise your basic concepts of malware analysis from the blog. Outdated tools were used in the book, so I'll be using some newer tools that give us the same results. Labs can be downloaded from PMA Labs. Tools: The following tools are used throughout Lab-01: PEStudio, DIE (Detect It Easy), VirusTotal, UPX. Lab-01: Binary Name: Lab01-01.dll. Question 1: Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures? Ans: Open the file in PEStudio.exe to find the hash of the file. Figure 1 As you can see in Figure 1, the hashes are highlighted. Use any one of the hashes, or click on the URL, to find a match for any existing antivirus signatures. You can also use PEStudio.exe to collect the VirusTotal information, as shown in the following figure. 40 antivirus engines detected this file as malici

Practical Malware Analysis (Introductory)

Hi folks, I just started the series on PMA (Practical Malware Analysis). Being an analyst, I would recommend gaining expertise in malware analysis. This blog helps us quickly recap the concepts of malware as well as the analysis perspective. We'll start from the basics and proceed towards the advanced level. Introduction: Malware refers to a "malicious binary" that is instructed by threat actors (called "hackers") to achieve their motives. Motives can vary: data stealing, or damaging/destroying organization systems. Viruses, worms, trojans, spyware, adware, ransomware: the aforementioned names are the malware types, collectively called "malware". Let's jump into the main topic of this blog without going into the details. Malware Analysis: Malware analysis is the process of understanding the working flow/behavior/malicious activity of malware. The results of malware analysis help analysts detect and prevent threats.

Cyber Kill Chain

What is the Cyber Kill Chain? The CKC is the classical model developed by Lockheed Martin. The purpose of this model is to better understand the stages an attacker must go through to conduct an attack, and it also helps security teams stop an attack at each stage. It also helps identify to what extent the organization is compromised, and to understand the strategies used by cybercriminals and how to defend against them. Phases of the Kill Chain: There are seven phases of the CKC model, described below: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Action on Objective. Reconnaissance: In this phase the attacker tries to find out as much information as possible about the target, like contact information and the target's IT infrastructure. There are two types of reconnaissance: Passive: looking for publicly available information on the internet, e.g. using Google, social media, whois, nslookup, Shodan and dumpster diving. Active: gather i

RUDY Attack and it's prevention

RUDY Attack: It is a type of slow-rate attack, also known as a low and slow attack. It attempts to open relatively few connections to the target server or website over a period of time, and keeps each connection open as long as possible. How it works: It identifies an embedded form in the target site. After identification it sends an HTTP POST request with an abnormally long Content-Length header field and then starts injecting the form with data, one byte-sized packet at a time. These packets are not only sent in small chunks but at a very slow rate. So, a very long Content-Length field prevents the server from closing the connection. Ultimately the attacker exhausts the server's connection table. Prevention Mechanisms: Server resource monitoring, such as memory, CPU usage, connection tables, application threads, long-open application connections or stuck application processes. Behavior analysis compares traffic and user behavior. Or if filling the form takes so much time like hours or m

Network Security Monitoring

NSM: History: Todd Heberlein started NSM informally in 1988. It was the first NSM system that used network traffic as its source for generating alerts. The Air Force Computer Emergency Response Team (AFCERT) was the first organization to informally follow NSM principles. In 1993, AFCERT, in collaboration with Heberlein, deployed the first version of NSM as ASIM (Automated Security Incident Measurement). NSM: It is the best method to move from zero defense to some defense. By using it, an organization can keep itself from being exposed (or prevent a data breach). It is operated by a group of people known as the CIRT (Computer Incident Response Team). Benefits: Collect a rich amount of network-derived data from different devices. The CIRT analyzes this data to find compromised assets. The CIRT uses NSM data to assess the cause of an incident. Does NSM Prevent Incidents? No, it does not prevent incidents, because breaches are inevitable. Intruders use different techniques to cause incidents, but by using NSM you can frustr