The Difficulty of Saying Nothing

Like everyone else I’ve been following the tragic war in Ukraine and mourning the loss of life and the humanitarian crisis. Professionally, as an analyst in the threat intelligence and computer network defense world, I’ve been considering what this war and its spillover mean for defending networks, especially as organizations like CISA keep putting out bulletins regarding threats from Russian-nexus adversaries. ...

March 21, 2022 · 5 min · Scott J Roberts

Crash Override Chronicles: Victim

Victim Sites & Technology. So all of those things were terms or bits about generalized grid operations. What about the actual victim in this case? What was the equipment affected? Where was it? Ukrenergo. According to Reuters: “Kovalchuk said the outage amounted to 200 megawatts of capacity, equivalent to about a fifth of the capital’s energy consumption at night.” There’s an interesting piece of data. 1/5 of night capacity means one gigawatt (1000 megawatts) of total consumption at night. This got me wondering what the usual ratio of night vs. day consumption is. A little Googling got me to eia.gov’s article “Demand for energy changes through the day.” I’m doing some loose math, but: ...

August 31, 2017 · 2 min · Scott J Roberts

The Crash Override Chronicles: Overall

[Image source: Public Domain Pictures]

In the first post of the CRASH OVERRIDE Chronicles I outlined my plan for reviewing Dragos’ CRASHOVERRIDE report in order to build an understanding of the ICS threat landscape, key technologies, and ultimately one of the major actors involved. This second installment is a run-through of the whole report, calling out areas I need to focus on learning & investigating. The first step was simple: read the report. The second step was also simple: read the report again, this time with a critical eye. The first read-through is for familiarity. The second read-through is not simply to read but to pick out key phrases, items to focus on, and to look for bias and things I want to verify or follow up on. In addition, just for you, dear reader, I took notes to call out positives and negatives I think make a difference in intelligence products. ...

August 16, 2017 · 8 min · Scott J Roberts

The Crash Override Chronicles

I’ve been lucky and had a really wide variety of experiences in information security throughout my career. Government & non-government. Vendor & practitioner. Finance & dotcom. I’ve seen a lot of stuff. It’s to the point that I get even more excited about the stuff I’ve never done. One of those moments happened a few weeks ago when the Dragos team released their Crash Override report. Full Disclosure: I know a few of the folks over at Dragos and consider them friends, but friends that value good, even critical, analysis. ...

August 8, 2017 · 3 min · Scott J Roberts

Familiarity Breeds Contempt: APT Edition

Here’s a familiar scenario: A new threat is being whispered about. Maybe your office has someone with special access of some kind and they’re being a bit more secret-squirrely than usual. The mailing lists you’re on are abuzz about a new piece of malware or vendor code name. You keep hearing about a paid-only report that tells all. APT 46: EMPEROR PENGUIN is coming! When your boss asks about EMPEROR PENGUIN you have to say you don’t know much… but you’ve heard they’re very good, very advanced, well funded, with great opsec… obviously a serious threat aimed at hard targets (which your organization obviously is). More data starts trickling out. A blog post here and a malware report there. Someone you know on Twitter or a mailing list is sharing their experience fighting off EP infections, and then a PR post disclosing an EP breach, discussing how advanced and effective they were, bragging about the high-end consultant team necessary to fight them off. ...

August 4, 2017 · 7 min · Scott J Roberts

The “What happens when you use a browser?” Question

[Image source: Screenshot]

Go into a tech interview, especially one for operations or security, and you’re more than likely going to get an interview question like this: “What happens when you put a URL in the address bar of a browser and hit enter?” I’ve been on both ends of this question, asked it and answered it. I’d like to look at what the answer is (or at least one answer), why it’s good, why it’s bad, and what could be better. ...

January 19, 2017 · 12 min · Scott J Roberts

United States Response to Grizzly Steppe

[Image: Kremlin from the River. Source: Wikipedia.]

Here it is. After weeks of wondering if and how the United States Government might respond, the United States White House, State Dept, Treasury, and US-CERT have released information on and sanctions against the Russian government’s efforts to influence the United States elections. I offer all this without too much analysis given I’ve just seen it myself and expect it will take a long time to digest. ...

December 29, 2016 · 4 min · Scott J Roberts

Waiting vs Passivity in DFIR

[Image source: From the New York Times: “Review: ‘Hamilton,’ Young Rebels Changing History and Theater”]

Give it a second, I’ll explain the Hamilton reference to DFIR, but for now let me share one of my favorite songs. Aaron Burr thinks Alexander Hamilton is a brash, aggressive brute and believes Hamilton thinks him slow and unwilling to make a decision. Burr then sings this song to explain his true goals: “Wait for It” by the cast of Hamilton. ...

December 10, 2016 · 3 min · Scott J Roberts

Python for CND

One thing I constantly harp on while talking to people beginning in the security community is the importance of learning to code. I think it is awful that we have so many security professionals who cannot write a line of code. It’s useful for automating common tasks, gathering & manipulating data, almost anything you can imagine. I think everyone should learn some coding, and Python is the best place to start. ...

November 30, 2016 · 6 min · Scott J Roberts

osquery 101 — Getting Started

I admit it… I’m a fanboy. A straight-up osquery fanboy. Oh… what is osquery, you ask? Good question there, sport. “osquery allows you to easily ask questions about your Linux and OSX infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company.” That’s how Facebook describes it. I’d say osquery is the most effective way available to monitor an OSX or Linux host for security. But that’s just me. Still not bad, no matter which definition you prefer. ...

January 26, 2016 · 4 min · Scott J Roberts