Content provided by Mandiant. All podcast content, including episodes, graphics and podcast descriptions, is uploaded and provided directly by Mandiant or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process described here: https://he.player.fm/legal.
S1E04: Illuminating the Adversary

34:15
Archived series ("Inactive feed" status)

When? This feed was archived on February 26, 2024 18:55 (2M ago). Last successful fetch was on January 22, 2023 07:30 (1+ y ago)

Why? Inactive feed status. Our servers were unable to retrieve a valid podcast feed for an extended period.

What now? You might be able to find a more up-to-date version using the search function. This series will no longer be checked for updates. If you believe this to be in error, please check if the publisher's feed link below is valid and contact support to request the feed be restored or if you have any other concerns about this.


In May we were joined by Andrew Thompson (@QW5kcmV3) of FireEye’s Adversary Pursuit team. We explore the evolution and current state of cloud services OAuth abuse, how we do technical intelligence & attribution, and some war stories from the past few weeks of responding to intrusions that matter.

“Shining a Light on OAuth Abuse”: we explore the history of OAuth abuse in-the-wild and the uptick in third-party applications with full, offline access to cloud service user data without the need for credentials and bypassing two-factor authentication for 90 days. We discuss APT28’s 2016 campaign, the May 2017 “Eugene Popov” worm, and our red team’s use of the methods – tracing the origins back to a 2014 blog post by Andrew Cantino (@tectonic). There is an interesting history of cloud service providers responding to this activity. Our own Doug Bienstock (@doughsec) released the PwnAuth tool to allow organizations to test their user awareness and ability to monitor for this activity.

-- Shining a Light on OAuth Abuse with PwnAuth: https://www.fireeye.com/blog/threat-research/2018/05/shining-a-light-on-oauth-abuse-with-pwnauth.html
-- History of OAuth social engineering attacks: https://twitter.com/ItsReallyNick/status/926086495450095617
-- OAuth Hunting Scripts: https://github.com/dmb2168/OAuthHunting

“How FireEye Tracks Threats”: we get to know Andrew Thompson and chat with him about how his team clusters, merges, and graduates threat groups. We discuss modeling in the graph database and our preference for primary source data – from Mandiant responses, Managed Defense events, and our product telemetry data – with examples like APT10 and how collections feed the intel picture. We discuss the tension between IR and intelligence team members working together on engagements. Andrew gives a few cool recent examples of illuminating adversary infrastructure. He also says “unc groups” a few times, which is new public ground for FireEye…

“Threat Activity Round-up”: We chat about #VPNfilter and the uptick in network device (and critical infrastructure) targeting. We give insight into our ongoing Community Protection Event for VPNfilter and some in-the-wild intrusions. Glyer drops some knowledge on 2016 telemetry on this activity. We chat about WMI activity – WMIEXEC being used by APT10 & APT20, WMI persistence by some targeted groups, and the downstream push of previously sophisticated methods like SystemUptime in WMI. We chat quickly about public reporting on the same threat actors behind the ICS attack framework Triton now targeting multiple safety instrumentation systems (SIS). We close with Andrew talking about how his team finds attacker infrastructure before it’s used.

-- VPNfilter techniques in-the-wild: https://twitter.com/stvemillertime/status/1001114757280256001
-- History of the WMI SystemUptime method: https://twitter.com/ItsReallyNick/status/995468901495566336
-- QUADAGENT Iranian infrastructure prior to use: https://twitter.com/QW5kcmV3/status/999809240314376192

State of the Hack is FireEye’s monthly broadcast series, hosted by Christopher Glyer (@cglyer) and Nick Carr (@itsreallynick), that discusses the latest in information security, cyber espionage, attack trends, and tales from the front lines of responding to targeted intrusions.