Right Time, Right Quote

Posted Monday, 11 December 2017

Due to my Twitter profile, I was lucky enough to get on the radar of a journalist who reached out to me to ask what I knew about Troy Hunt. That ended up in the New York Times, which was sort of an amazing moment as it’s the New York Times! Now to be fair it was actually an Associated Press article which was scooped up. I’ll take it as a win. Here is the article in all Troy’s glory: https://www.nytimes.com/aponline/2017/12/05/us/ap-us-youve-been-hacked-researcher.html


The same week ended up dropping another pretty epic quote on the Doppelgänging attack for SC Magazine: https://www.scmagazineuk.com/market-leading-security-products-broken-by-doppelganging-attack/article/712522/ This “style of attack” is the early stage of file-less malware. I always write a fair amount of background and research for these requests, so here is the entire submission:


“Process memory is such a popular attack vector because traditional and even more advanced anti-malware solutions are generally focused on file-based attacks – not process “hijacks”. When I think about the attack surface it makes sense to spawn or hide in an existing process on an endpoint – that’s something very hard to see. A new binary downloaded onto an endpoint which then makes an outbound network call to some place sketchy, that is pretty easy to detect. Process hijacks, where the malicious code is inserted directly into the memory of an existing running program, are a deadly attack that can sit in memory on machines that don’t reboot very often (like servers). This is the now infamous “file-less malware” recently discussed by vendors and the InfoSec press.


Why this attack vector? Well, maybe we can blame the Australians in part. The DSD advocates that Application Whitelisting (included in modern Windows operating systems and called “AppLocker”) is the most effective security control, #1 on their list of 35. Clearly, it may be super effective in stopping unauthorised Trojans and payloads from running on endpoints, so pushing code into memory with an exploit may be a cybercriminal response to the increasing popularity of a “whitelist” anti-malware technique.”


This week also saw SolarWindsMSP dropping some more excellent content on “Onboarding clients for GDPR” https://www.solarwindsmsp.com/blog/building-gdpr-services-why-onboarding-or-re-onboarding-critical and I would be remiss in not mentioning Trianz’s efforts to get the word out on Patch Management, especially given the recent research from Fortinet: Fortinet’s findings (Q2 2017) show that 90 per cent of outfits were hacked with vulnerabilities that could have been sorted out with a patch three years ago, while 60 per cent of companies had vulnerabilities that are over a decade in the wild. Check out Trianz’s campaign here: https://goo.gl/KukqUQ and follow them on Twitter https://twitter.com/trianz


I’ve got a pretty cool, peer-reviewed article on hunting an APT group and some quotes on the cybercrime economy in the Sunday Times coming soon. Also, mad props to Eric Anthony (follow him on Twitter here: https://twitter.com/EricAnthonyMSP) for resurrecting some old video on Patch Management: https://www.youtube.com/watch?v=th8iA15xXBI That sweater was probably left to die at Bar Napoli.

Till next time then,

Phat Hobbit
