Network-Defense

Like everyone else I’ve been following the tragic war in Ukraine and mourning the loss of life and humanitarian crisis. Professionally as an analyst in the threat intelligence and computer network defense world I’ve been considering what this war and spillover means for defending networks, especially as organizations like CISA keep putting out bulletins regarding threats of Russian nexus adversaries. In situations with this level of uncertainty it’s entirely natural that our intelligence customers, whether that’s the most junior SOC analyst or executive like the CISO, keep asking what it means, what we can do, where the threats are, etc....

Victim Sites & Technology So all of those things were term or bits about generalized grid operations. What about the actual victim in this case. What was the equipment affected? Where was it? Ukrenergo According to Reuters: Kovalchuk said the outage amounted to 200 megawatts of capacity, equivalent to about a fifth of the capital’s energy consumption at night. There’s an interesting piece of data. 1/5 night capacity means one gigawatt (1000 megawatts) of total consumption at night....

Source: Public Domain Pictures In the first post of the CRASH OVERRIDE Chronicles I outlined my plan for reviewing Dragos’ CRASHOVERRIDE report in order to build an understanding of the ICS threat landscape, key technologies, and ultimately one of the major actors involved. This second installment is a run through of the whole report calling out areas I need to focus on learning & investigating. The first step was simple: Read the report....

I’ve been lucky and had a really wide variety of experiences in information security throughout my career. Government & non-government. Vendor & practitioner. Finance & dotcom. I’ve seen a lot of stuff. It’s to the point that I get even more excited about the stuff I’ve never done. One of those moments happened a few weeks ago when the Dragos team released their Crash Override report. Full Disclosure: I know a few of the folks over at Dragos and consider them friends but friends that value good, even critical, analysis....

Here’s a familiar scenario: A new threat is being whispered about. Maybe your office has someone with special access of some kind and they’re being a bit more secret squirrely than usual. The mailing lists you’re on are a buzz about a new piece of malware or vendor code name. You keep hearing about a paid only report that tells all. APT 46: EMPEROR PENGUIN is coming! When your boss asks about EMPEROR PENGUIN you have to say you don’t know much… but you’ve heard they’re very good, very advanced, well funded, with great opsec… obviously a serious threat aimed at hard targets (which your organization obviously is)....