
Uber Releases V1.1 of Orbit: A Python Package to Perform Bayesian Time-Series Analysis and Forecasting

Last year, the Uber team introduced Orbit, a Bayesian time series modeling user interface which is simple to use, adaptable, interoperable, and high-performing (fast computation). Orbit uses probabilistic programming languages (PPL) for posterior approximation. So far, it is the only tool that enables simple model specification and analysis without being restricted to a small number of models.

The Uber team has recently released version 1.1 of Orbit, which includes changes in the syntax for calling models, the new class design, and the KTR (Kernel Time-varying Regression) model.

Github: https://github.com/uber/orbit


What is Reddit’s tech stack to handle big data?

I know Reddit uses Cassandra and PostgreSQL to store data, what other tools does it use for processing and analytics?


IC-117968-D5B7

The complainant has requested from University Hospital Southampton NHS Foundation Trust (the Trust) information about the cost of translation services over a five year period and the total budget for other items for the organisation over the same timeframe. The Trust stated that it did not hold information regarding the first part of the request and it refused to provide information regarding the second part of the request because it considered it to be publicly available information under section 21 of the FOIA. Some months later the Trust provided information in response to the first part of the request. The Commissioner’s decision is that the Trust has breached sections 1 and 10 of the FOIA because it did not provide information to which the complainant was entitled within the legislative timeframe of 20 working days. The Commissioner does not require the Trust to take any further steps.

IC-98120-T0P1

The complainant requested from the Foreign, Commonwealth and Development Office (FCDO) information relating to the correspondence between the Secretary of State and the Prince of Wales during a specific time period. The FCDO refused to confirm or deny whether it held information within the scope of the request, citing section 12(2) (cost limits) of the FOIA. The Commissioner's decision is that the FCDO was entitled to refuse to comply with the request in accordance with section 12(2) of the FOIA. He also finds that the FCDO met its obligations under section 16(1) of the FOIA to offer advice and assistance. The Commissioner does not require the FCDO to take any steps.

How to Make the Attack Lifecycle Actionable with Intelligence

The Cyber Attack Lifecycle and Cyber Kill Chain are routinely used as the primary reference for understanding how a cyber attack unfolds from the perspective of an adversary. However, treating them only as educational reference documents misses their real value: they are guides to enabling defensive and proactive action against attackers.

When getting into cybersecurity, one of the very first things to learn is the concepts and steps associated with the lifecycle of a cyber attack. Today there are probably a million YouTube videos and thousands of blogs on every step and what it all means, but they usually point back to a couple of resources created long ago. While some of the newer lifecycle models may be compelling, if you were to ask an analyst today where to get started in understanding a cyber attack, they will likely point you towards one of two places: the Cyber Kill Chain and the Cyber Attack Lifecycle.

[Figure: Cyber Attack Kill Chain]

[Figure: Cyber Attack Lifecycle]

I'm sure there's room for a lengthy debate around which model is better at depicting how attackers operate, but at the end of the day, both do a good job of showing how cyber attacks are carried out. While these phases are important to learn and memorize, a security analyst needs to be able to monitor, detect, and investigate what the attacker is doing throughout the phases on their own network. It's one thing to learn the phases and understand how the adversary navigates all the way to "mission complete" or "actions on objectives"; it's another thing to use elements of the various phases of these models to understand collection and analysis gaps, or to hunt for indicators of attacker activity in your network.

This is where threat intelligence comes in. The kill chain and attack lifecycle models are more than just learning or reference tools. They provide security analysts with a source of truth that can be used to guide collection, proactive hunting for indicators, and monitoring and alerting on potentially malicious activity in the early phases.

When talking about threat intelligence, I'm not just talking about free threat feeds or machine-generated indicators, which are often stale; I'm talking about intelligence that combines a full-scale human and machine approach so there is actionable coverage across every phase of the lifecycle.

Let's take a deeper look at what the attacker is doing throughout these phases and how intelligence can help you detect, remediate, and report on the activity throughout the entire lifecycle. Disclaimer for all of the kill chain lovers out there: I'm sorry, but I'm going to use the cyber attack lifecycle to explain this concept. Rest assured, the same applies to the kill chain as well.

In the early phases of the attack lifecycle:

What’s the attacker doing in these phases?

  • Identifying, assessing, and selecting their target through OSINT research and analysis of low-hanging fruit versus more impactful targets
  • Identifying ways into the target network, and examining whether methods like phishing, exploitable vulnerabilities, leveraging credentials, etc. could work
  • Exploiting vulnerabilities or using credentials to gain access to the target network
  • Establishing a foothold or creating a method to maintain persistent access to the target network once inside

What does real-time and contextualized intelligence uncover in these phases?

  • Vulnerability data, including pre-NVD disclosures, proof-of-concept (PoC) code, and active exploits in the wild
  • Dark web mentions and stolen credentials
  • Third party data to understand vendor infrastructure risk
  • New domain and certificate registrations

What can analysts be doing to identify activity in these phases?

  • Setting up tailored, useful alerts that don’t just produce noise but enable action
  • Proactively monitoring threat actors and groups of interest
  • Searching indicators of known malware, malicious tools, and high priority technical threats
  • Monitoring for vulnerabilities in your tech stack

In the later phases of the attack lifecycle, all the way to completion:

What’s the attacker doing in these phases?

  • Escalating their privileges through various means such as Kerberoasting or pass-the-hash
  • Gathering and using additional credentials to perform lateral movement and privilege escalation to establish further access
  • Dropping additional tools to facilitate additional access or capabilities
  • Identifying, collecting, and exfiltrating data of interest

How can threat intelligence augment our defensive approach in these stages?

  • Tailored detection rulesets such as YARA, Sigma, and Snort
  • Network traffic analysis data providing evidence of C2 traffic from malware and malicious tools, possible data exfiltration, and more
  • Known and suspected Command & Control (C2) server feeds
  • Finished intelligence reporting on attacker TTPs and how to detect them
  • Endpoint data
  • Passive & active network scans

What can analysts be doing to identify activity in these phases?

  • Leveraging finished intelligence such as human-generated threat hunting packages with detection rulesets to proactively hunt for indicators
  • Conducting deep research on ongoing campaigns to identify new indicators and understand the severity of the threat
  • Compiling internal intelligence reports to brief leadership and cross-functional teams
  • Testing and validating security controls once detection rulesets are in place

So while understanding the attack lifecycle in depth is a good baseline, on its own it gives you little more than an education on how an attack happens. It becomes a much more valuable tool when you can use it to enable defensive and proactive action across all phases. But that raises a lot of questions: how do you get all of those data sources? Where do you start when it comes to the things you or your analysts could be doing for each phase? Once you have the intelligence, how do you make sense of it?

The good news here is that we can help with all of it. While there are other cyber threat feeds and data providers out there, Recorded Future is able to collect, process, and disseminate real-time intelligence that sheds light on all phases of the attack lifecycle. On top of the scope and quantity of machine-generated intelligence, a dedicated team of intelligence experts within the Insikt Group writes detailed reports and enables analysts to take action through tailored hunting packages with included detection rulesets. To give you an idea, here are some ways that Recorded Future's intelligence can help you across the attack lifecycle phases:

Machine Generated Intelligence:

  • Typosquat detection and alerting
  • Identifying malicious and vulnerable applications
  • Domain and certificate registration monitoring and alerting
  • Monitoring the dark web for mentions of your brand and leaked credentials
  • Recorded Future-validated technical links between indicators
  • Identification of pre-NVD vulnerabilities, proof of concept code, and active exploits in the wild
  • Third party monitoring for potentially vulnerable vendors, subsidiaries, and partners

Human Generated Intelligence & Guidance:

  • In-depth finished intelligence reports highlighting adversary & TTP trends
  • Human-generated validated links between entities in product
  • Custom Priority Intelligence Requirement (PIR) and adversary prioritization workshops through dedicated intelligence consultants
  • Tailored hunting packages with detection rulesets included
  • On-demand analyst support for ad hoc report creation, requests for information, and scheduled reporting

If you want to learn more about this concept and how Recorded Future helps, be sure to register for the two-part attack lifecycle webinar series. It will give you a better sense of the different phases of an attack lifecycle and the opportunity to learn from intelligence analysts about real-world examples of methods attackers use across the phases, so you can identify and remediate attacks.

Register for part one here and part two here.


FIN7 Uses Flash Drives to Spread Remote Access Trojan

Editor's Note: The following post is an excerpt of a full report by Gemini Advisory. To read the entire analysis, click here to view the full report.

Executive Summary

Recorded Future analysts continue to monitor the activities of the FIN7 group as they adapt and expand their cybercrime operations. Gemini conducted a more in-depth investigation into this type of attack after a Gemini source provided analysts with a file, sketch_jul31a.ino, which was linked to FIN7's BadUSB attacks. The file's .INO extension indicates that it contains the source code for an Arduino "sketch" (the Arduino term for a program). BleepingComputer also recently released a public report on FIN7's use of the "BadUSB" attack method, outlining the activity around this type of attack.

The Arduino platform provides a common set of software utilities and libraries for constructing programs to run on platform-compatible microcontrollers. The platform uses a simplified version of the C++ programming language and provides foundational libraries, an integrated development environment for constructing the sketch, a compiler, and a means of uploading the compiled sketch to a device with a compatible microcontroller. In the Arduino ecosystem, the microcontroller itself executes the compiled sketch, so the device's behavior does not depend on the host's operating system (OS); it is OS agnostic.

Hackers have leveraged the Arduino platform to create trojanized USB devices that emulate keyboards and inject keystrokes. In most cases, the sketches on these trojanized devices connect to a malicious actor’s file repository, download additional software, and install it on the victim system. In March 2020, security analysts from Trustwave SpiderLabs reported that FIN7 targeted a US company by sending one of its employees a USB device trojanized with keystroke injection malware.

Key Findings

  • FIN7 used an Arduino sketch file called “sketch_jul31a.ino” to install malware on USB devices as part of BadUSB attacks.
  • FIN7 uses the trojanized USB devices to ultimately load the IceBot Remote Access Trojan (RAT), resulting in FIN7 gaining unauthorized remote access to systems within victims’ networks.
  • We identified 9 IP addresses that host FIN7’s malicious payloads and 3 FIN7 command-and-control (C2) servers, one of which contains a control panel for managing infected systems. The control panel displayed a list of systems infected with the IceBot RAT and pertinent information about each installation.

