Until two weeks ago, thousands of Microsoft Exchange servers were under attack unknown to anyone. Since Microsoft and other researchers uncovered this severe cyber offensive against various U.S. institutions, organizations have been scrambling to patch the vulnerabilities used in the attack, understand the extent of potential damage, and ensure protection for next time (and there will be a next time). In this blog post, we'll explain how to do exactly that.Read More
HAFNIUM Exchange attack - detecting and mitigating with ThreatSTOP TI
The Microsoft Exchange attack leveraging multiple zero-days has by some accounts been one of the most wide-spread and potentially damaging hacks in history, orchestrated by a group Microsoft has named HAFNIUM. Malicious network activity related to the attack was first detected in January but the full nature and extent of the attack was publicly disclosed only on March 2nd. Active exploitation started around February 26th, primarily targeting U.S. entities.Read More
The latest headliner in cybersecurity news is the recently disclosed compromise of FireEye, The US Government, and many others that was brought about by a backdoor discovered in a widely installed set of network tools from Solarwinds.
What we know so far reveals a sophisticated, long term, and well-funded campaign that was likely backed by a nation's resources rather than some run-of-the-mill cyber criminal enterprise.Read More
One of the key problems in threat intelligence is curating whitelists of infrastructure and domains that should never be blocked. Just recently, a government CERT distributed lists of IoCs that included private IP addresses that just are not useful for analysts and hunt teams. At best, it creates wasted time and effort. At worst, key infrastructure is blocked and there is business impact and/or loss of revenue.Read More
One of the chief problems in cybersecurity is the inherent reactivity of most forms of defense. An attack has to be observed, analyzed and reverse-engineered. THEN, protection can be developed. This means attackers are successful, and inside environments, for a period of time before the attack is noticed, before the indicators for that attack can be extracted, and before a policy can be disseminated to stop it.
There has been a wide variety of research in recent years around this problem. How to speed up the cycle to recognize attacks and to potentially get out in front of attackers to block them before the attacks start. Both my own PhD research and other researchers have noticed that one attribute that is overwhelmingly an indicator of maliciousness in DNS is “newness,” that is to say, the newer a domain is, the more likely that it is bad. More importantly, when a domain is new and otherwise benign, it is rarely in meaningful use except by the organization that’s setting up whatever will go there.Read More