Threat Hunting at Scale

Threat Hunting at Scale: Techniques & Tools to Mature Your Program

Michael Haag

Performing threat hunting at scale is no simple task. Many organizations today deal with massive volumes of data, reviewing terabytes of information on a monthly, weekly, or daily basis. Looking for new behaviors and using the data to tune and enhance capabilities is a continuous process. My last organization ingested 500+Gb of Carbon Black Response data daily in Splunk. As …

Atomic Red Team Testing

Atomic Red Team Tests: Catching the Dragon by the Tail

Casey Smith, Michael Haag

Before testing your security controls, it’s extremely beneficial to understand the threat actors your organization may be facing. Nick Carr at FireEye published an excellent post a while back on how an actual adversary operates. We strongly encourage you to check it out for a solid understanding of the capabilities and behaviors exhibited by a group of attackers. We decided to …

Microsoft DDE Exploit Email

Microsoft DDE Exploit Arriving in Email Accounts

Keya Horiuchi

A new Dynamic Data Exchange (DDE) exploit recently began arriving in email boxes to unsuspecting user endpoints. It masquerades as an attached invoice and leverages a Microsoft internal usability feature that allows one application to share data with another; for example, data from an Excel spreadsheet can be shared with a Word document. The weaponized DDE functionality in an attached …

Allies

Cybersecurity Isn’t Always Easy and You’re Not Alone

Rick McElroy

Editor’s Note: This guest post was contributed by Rick McElroy, security strategist for Carbon Black. This article was first published on ITSPmagazine.com. Information security. We love this job. We have to. We fight upstream in a world where no one really cares; or, at least, no one cares enough to do the bare minimum. We peek behind the curtain and see …

Threat Detection

Lateral Movement Using WinRM and WMI

Tony Lambert

Many organizations invest millions of dollars to bolster their systems and prevent attackers from gaining entry. Much less attention is given to the concept of lateral movement within an organization. Yet we’ve seen time and time again that once an adversary breaks through the crunchy outer layer of the network, the gooey center quickly becomes trivial to move about. Stopping …

Atomic Red Team Training Session

Research in Action: How to Test Your Defenses With Atomic Red Team

Casey Smith, Michael Haag

In the weeks since we launched the Atomic Red Team testing framework, we’ve been blown away (no pun intended) by the security community’s response. Yesterday we had a hands-on training session, and it was even more exciting to hear directly from teams that are beginning to use the framework to improve their detections. We had so many great questions from attendees, …

Carbon Black and Splunk

Operationalizing Carbon Black Response with Splunk (Part 2): Advanced Data Analysis

Michael Haag

Data analysis (or as some call it, Threat Hunting) can be cumbersome and overwhelming at any scale. However, Splunk has the ability to greatly reduce this complexity. In the first part of our Carbon Black Response and Splunk series, we focused on retrieving your data from Carbon Black Response and getting it into Splunk. Now it’s time to take a …