Introduction
Well readers, it has been three months since I wrote a top blog post, and I missed you! Our team hasn’t been lollygagging. Instead we have been writing blogs that we hope will offer you support in your role as a blue teamer. We salute your efforts; they certainly have not gone unnoticed!
In case this is your first quarterly wrap-up blog, or you need a quick reminder, this series is meant to highlight our most popular (defined by most-read) blog posts over the past quarter. This way, if you are unable to keep up with our non-stop stream of blog posts, you can navigate to these posts and quickly see which ones your peers found valuable or interesting. You can find all of these wrap-up blogs in our “Top Blogs” category on our website. This post includes a combination of research conducted by our very own Chad Anderson (aka @piffey) and various educational resources. I included a few additional resources that aren’t categorized as blogs that you might find useful:
- SANS 2021 Threat Hunting Survey
  Enjoy the most recent SANS Survey report, cosponsored by DomainTools, to better understand the impact of COVID-19 on threat hunting, the modern hunter’s toolbox, and the benefits of threat hunting. This paper covers:
  - The impact of COVID-19 on threat hunting
  - Threat hunting teams and maturity levels
  - What is included in a modern threat hunter’s toolbox
  - Benefits of threat hunting
  - Barriers to success
  - What today’s threat hunting teams look like
- DNS, Whois, and Passive DNS Cheat Sheet
  This cheat sheet summarizes key takeaways from the Valuable Datasets blog series (which is also linked below). Its content includes the record type, observation, and potential indication for a host of DNS and Whois records.
And now for the blogs themselves. For more timely and relevant threat intel, you may enjoy our Twitter handle, @SecuritySnacks, which is managed by the DomainTools Security Research Team, as well as our weekly podcast, Breaking Badness. Lastly, be sure to tune in to our monthly training series, Indicators Over Cocktails. This training not only includes fun beverages, but you’ll also walk through a timely investigation with the engaging Tim Helming.
Catch Up On Your Infosecurity Reading
- The Most Prolific Ransomware Families: A Defenders Guide
  Ransomware dominates the news cycle, but with an ever-growing number of variants and the botnets behind them it’s easy for defenders to lose track of their relationships. In this article, DomainTools researchers provide a look at the three most prolific (by victim) ransomware families and the current loaders they use.
- CovidLock Update: Deeper Analysis of Coronavirus Android Ransomware
  The DomainTools Security Research Team, in the course of monitoring newly registered Coronavirus and COVID labeled domain names, discovered a website luring users into downloading an Android application under the guise of a COVID-19 heat map. Analysis of the application showed that the APK contained ransomware. SSL certificates of the malicious domain (coronavirusapp[.]site) link the site to another domain (dating4sex[.]us) which is also serving the malicious application. The linked site has registration information pointing to an individual in Morocco.
- Valuable Datasets to Analyze Network Infrastructure | Part 1
  The purpose of this blog series is to highlight a number of datasets proven by experienced IR teams to be valuable when analyzing network infrastructure. Throughout this series, I’ll provide some context as to why the datasets exist, how they interact with your own internal threat intelligence, and their key strengths and limitations. I feel a bit like a Southwest Airlines flight attendant when I say “we know you have many choices when it comes to selecting your threat intelligence, and we thank you for choosing [enter dataset here] for your investigations!”, but in reality, many folks like yourself are juggling a multitude of internal and external intel, so I hope this blog highlights some tools that exist in your proverbial toolbox, and can help identify when they are valuable to pull off your “threat intelligence pegboard.” This way, when you look at the aforementioned scenarios, you have confidence that you didn’t miss the signal.
- Maximizing Your Defense with Windows DNS Logging
  The aim of this post is to introduce you to log collection on the Microsoft Windows platform. It starts with an illustration of a Windows source-only log deployment, followed by a collection of chosen fields from log samples and a brief description of these sources. The last part is on audit logging, as it holds an important role in ensuring infrastructure defense.
- A Brief Comparison of Reverse Image Searching Platforms
  This will be another of a hopefully long series of practical OSINT blog posts from the Security Research team here at DomainTools. This blog briefly compares the reverse image search capabilities of some major image search engines: Google, Yandex, Bing, and TinEye. Hopefully you’re familiar with these search engines already, but if not, this post is a good crash course in the kind of results you can expect from each.
- Tools To Quickly Extract Indicators of Compromise
  Back in 2009, Mike Cloppert published a series on threat intelligence and the cyber kill chain. In this piece, Mike classified three types of indicators: atomic, computed, and behavioral. A year or so later, Mandiant used the term “Indicators of Compromise” in their M-Trends report, and days later, Matt Fraizer of Mandiant published the blog Combat the APT by Sharing Indicators of Compromise. These indicators can provide helpful insight. A barrier to using IoCs, however, is grabbing relevant indicators out of external reports such as vendor research reports (which are typically PDFs) or blogs (plain text/HTML) so you and your team can take action. In this blog, brush up on indicators of compromise, their relationship to your internal threat intelligence, and tools to help you quickly extract them from PDFs and plain text.
- American Rescue Plan Act Lures in the Wild
  DomainTools researchers discovered a cluster of credential harvesting sites masquerading as American Rescue Plan Act signup sites for those looking to receive their federal aid. Through historical WHOIS information and OSINT techniques, DomainTools attributed this campaign to a Nigerian web development firm, GoldenWaves Innovations. In this article, DomainTools researchers walk through the techniques and methods used to enumerate these websites and the associated attribution with medium-high confidence.
What’s To Come
We will continue to work hard for all of you throughout the course of the quarter. Additionally, we will be sure to keep you apprised of recent security research, product enhancements, technical topics, industry news, and much more. If there are any topics you would be interested in reading about on our blog or covering in our weekly podcast, Breaking Badness, please feel free to tweet us at @DomainTools.