i've never been much for swag other than shirts and stickers but wearable blanket is a WIN
somehow @eric_capuano knew my weakness
Here is my new blog post about a cool #IntrusionAnalysis game I heard about at the #sans #ctisummit called #kc7 by @KC7cyber (the bird place). This post goes into setting up the server to generate your own data. #intrusionanalysis #threatintel #cti #securityanalysis
https://cybersheepdog.wordpress.com/2023/02/03/kc7-intrusion-analysis/
The alert tells you that one artifact of Bazar has been discovered. Your first task should be finding at least one other Bazar artifact to determine if the malware has actually infected the system.
With any alert that mentions named malware, you've got a leg up because you can leverage everything the world already knows about the malware. But, you've got to do the research work! Some Googling reveals lots of published information about Bazar. For example, check out these two articles:
1. https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/
2. https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I
From these articles, you want to look for artifacts that are easy to find given the evidence sources you have available. Ideally, those artifacts are tied to events in the timeline near the event you already know about -- the potential C2 traffic. For example, you could…
1. Look for C2 network traffic that matches the pattern in the article
2. Identify executions of new DLLs
3. Seek newly written registry RUN key entries
Among other things…
Not many folks in the replies actually did research on the malware, but a few did mention doing it. My response of the week goes to @thomaspatzke, who captured some of those ideas (https://infosec.exchange/@thomaspatzke/109788268480096606). Doing research is part of the job and a skill to develop. It involves identifying relevant info, synthesizing it, and knowing your evidence sources well enough to focus your efforts. You get better at it by doing it more and internalizing feedback on what works and doesn't. Lots of analysts feel like spending time reading about malware is distracting them from the real world of looking at the evidence. Overcome that worry -- doing that reading when alerts like this come up is a core part of the work.
By the way... if you were at the #CTISummit, I did some live forecasting for this scenario
Speaking of research… some folks focused on network artifacts while others focused on host artifacts. Where do you normally focus? In what circumstances might that limit you? That's something to think about… #InvPath #DFIR #SOCAnalyst #ThreatIntel
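The thread above describes the core move of this exercise: start from the one artifact the alert gave you (suspected C2 traffic), then pivot through the other evidence sources for corroborating artifacts of the kinds the published research suggests (new DLL executions, Run-key entries, repeated connections) that sit close to the alert on the timeline. The script below is an added example of that pivot, not code from the original post or from KC7. All event records, hostnames, paths and the remote address are constructed sample data; nothing here is a real Bazar indicator, and the "DLL loaded from outside C:\Windows" heuristic is an assumption of this example, not something the post states.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style evidence for two workstations (sample data only).
# For imageload and regset events, "detail" is the loaded path / registry key.
EVENTS = [
    {"type": "netconn", "host": "WS-07", "ts": "2023-02-01T09:14:02",
     "detail": "svchost.exe -> 203.0.113.5:443"},
    {"type": "imageload", "host": "WS-07", "ts": "2023-02-01T09:13:40",
     "detail": "C:\\Users\\Public\\xy.dll"},
    {"type": "regset", "host": "WS-07", "ts": "2023-02-01T09:13:55",
     "detail": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
    {"type": "imageload", "host": "WS-07", "ts": "2023-02-01T07:02:11",
     "detail": "C:\\Windows\\System32\\shell32.dll"},
    {"type": "regset", "host": "WS-12", "ts": "2023-02-01T09:14:10",
     "detail": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
    {"type": "netconn", "host": "WS-07", "ts": "2023-02-01T09:24:30",
     "detail": "svchost.exe -> 203.0.113.5:443"},
]

ALERT = EVENTS[0]  # the single artifact the alert handed the analyst


def parse_ts(s):
    return datetime.fromisoformat(s)


def is_run_key(path):
    """Autostart registry locations the post tells us to check (Run and RunOnce)."""
    p = path.lower()
    return "\\currentversion\\run\\" in p or "\\currentversion\\runonce\\" in p


def is_unusual_dll(path):
    """Assumed heuristic: a DLL loaded from outside the Windows install tree."""
    p = path.lower()
    return p.endswith(".dll") and not p.startswith("c:\\windows\\")


def remote_endpoint(detail):
    """'proc -> ip:port' -> 'ip:port'."""
    return detail.split("->")[-1].strip()


def pivot(events, alert, window_minutes=15):
    """Collect corroborating artifacts on the alert's host within +/- window_minutes.

    Returns a dict keyed by artifact class; the alert event itself is excluded.
    """
    t0 = parse_ts(alert["ts"])
    lo, hi = t0 - timedelta(minutes=window_minutes), t0 + timedelta(minutes=window_minutes)
    hits = {"c2_repeat": [], "new_dll": [], "run_key": []}
    for ev in events:
        if ev is alert or ev["host"] != alert["host"]:
            continue
        if not (lo <= parse_ts(ev["ts"]) <= hi):
            continue
        if ev["type"] == "netconn" and remote_endpoint(ev["detail"]) == remote_endpoint(alert["detail"]):
            hits["c2_repeat"].append(ev)
        elif ev["type"] == "imageload" and is_unusual_dll(ev["detail"]):
            hits["new_dll"].append(ev)
        elif ev["type"] == "regset" and is_run_key(ev["detail"]):
            hits["run_key"].append(ev)
    return hits


def corroborated(hits):
    """The post's first task: at least one artifact class beyond the alert itself."""
    return sum(1 for evs in hits.values() if evs) >= 1


if __name__ == "__main__":
    result = pivot(EVENTS, ALERT)
    for cat, evs in result.items():
        for ev in sorted(evs, key=lambda e: e["ts"]):
            print(f"{cat:10s} {ev['ts']} {ev['detail']}")
    print("corroborated:", corroborated(result))
```

Run as written, the pivot keeps the Run-key write and the user-profile DLL load from the minute before the alert and the repeat connection to the same endpoint ten minutes after it, while discarding the other host's Run-key event and the system DLL load from two hours earlier. The window size and the host filter are where the post's "know your evidence sources" point bites: widen the window or drop the host filter and the noise grows quickly, so the analyst's research into how the malware behaves is what justifies the bounds chosen.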
Here are TEN things you should know about us:
1. Our company is called The Vertex Project. We create technology for analytical teams to provide intelligence-driven insights to decision makers.
2. Synapse is a central intelligence system created to support analyst teams in every stage of the intelligence life cycle.
3. Synapse's data store (aka "a Cortex") is organized as a hypergraph. Its features include scalability, key/value-based node properties, and a data model which facilitates normalization. This is open source and the easiest way to get started is this QuickStart Guide: https://lnkd.in/efq8-A4Y
4. Our commercial offering, Synapse Enterprise, is an on-premises solution that includes the Synapse UI (aka "Optic") and a large suite of integrations called Power-Ups. The license includes unlimited users and does not limit the amount of data or number of instances you deploy. We take a white-glove approach to each deployment where we're with you every step of the way from planning deployment sizes to helping to train your analysts.
5. Here's a link to request a demo instance of Synapse Enterprise including the Synapse UI and many of the Power-Ups: https://lnkd.in/egqQuMsA
6. We also created an APT1 Scavenger Hunt you can do with our demo instances. This is a great exercise for those new to CTI or teams exploring Synapse! https://lnkd.in/e36pxQeh
7. If you want to read our documentation, here's the link: https://lnkd.in/e4zQPzab
8. We have a lot of good video content on YouTube that you should check out! https://lnkd.in/ev8Nj2FY
9. We have a great Slack community dedicated to Synapse. Anyone can join at https://v.vtx.lk/slack!
10. If you'd like to schedule a demo of the Synapse Enterprise (led by one of our analysts) for your team, first schedule a time to chat with Erica Peterson here: https://lnkd.in/ecUVeBJp
If you have any questions, feel free to ask! You can also email info@vertex.link for more information.
#CTISummit #CTI #threatintel #threatintelligence #threathunting #malwareanalysis #informationsecurity #cybersecurity #intelanalyst #dfir
I'm heading home from the SANS #CTISummit and I had such a great time. I want to thank Katie, Rick, Rebekah, and the rest of the summit team for inviting me to keynote. Also, shout out to Jennifer and her team at SANS, who always make me feel so welcome.
I heard many great questions and ideas come from folks after watching my presentation, but my fav came from someone who isn't working in the field yet. They said it made them feel like they understood how analysts work and that the process seemed doable...accessible.
Analyst work is damn hard. If I were to sum up a goal of my research, it's simplifying that complexity and making tacit knowledge more explicit. Our industry needs that to evolve, scale up+down, and face current and future threats.
As I said in the presentation...
Until you make the unconscious conscious, it will direct your life, and you will call it fate. What we do is far too important to be left up to fate.
I've got a lot more to share.
@chicagocyber terrific talk on Charming Kitten at SANS #ctisummit ! Many thanks! Any chance the deck will be made available? My notes need embellishing!
So this happened today. Thanks to MSTIC's KC7Cyber team for a great workshop! And thanks @likethecoins for the coin! #CTISummit
Loving day 2 of SANS #CTISummit! Storytelling and @vertexproject Synapse are like chocolate and peanut butter, two great tastes that taste great together!
Watching "Wargames" at the @sansforensics #CTISummit, in which Matthew Broderick, Aly Sheedy, and #ChatGPT almost start a global thermonuclear war.
"Why do I need malware analysis? I pay for a threat feed."
I'm dead.
Tony Lambert is telling us why.
I'm alive again.
It took until after lunch for the #PyramidOfPain to show up at the SANS #ctisummit @jfslowik wins!
You don't just disseminate threat intelligence, you YEET it out there. #ctisummit @likethecoins
TIL @likethecoins doesn't disseminate CTI outputs, she "just yeets them out there" #ctisummit
One of these days, I will meet @DavidJBianco in person and hopefully get a #PyramidOfPain button (or sticker) #LifeGoal #ctisummit #remote
Well @chrissanders88 just kicked the #CTISummit off with a bang! Meta cognition is something we don't spend nearly enough time on within #cti and really should be!
@rickhholland @likethecoins @pdxbek Kicking off the #CTISummit. Rick says he's out of practice but it doesn't show.
Just a few minutes away from the start of the @sansforensics #CTISummit, and @chrissanders88 keynote, "Deconstructing the Analyst Mindset". Can't wait!
It's #CTISummit morning! I'm giving the keynote where I'll discuss some of my research into how analysts think and work through investigations -- including some new things I haven't shared yet.
I think you can still sign up for the live stream here: https://www.sans.org/cyber-security-training-events/cyber-threat-intelligence-summit-2023/
Officially on my way to the @sansforensics #CTISummit. If you're there, say hi and pick up some #PyramidOfPain swag!