ThreatFix

Insider Threat Overview

10/31/2018

2 Comments

Author: Adam Blake

Instead of doing a Wikipedia-esque overview of what Insider Threat is and how much it costs industry every year, I am going to assume you can infer what it is, and acknowledge that there are likely pissed-off and oblivious people in your workplace who can negatively affect the company.

Insider threat can express itself in many forms, from willfully malicious acts to poor business practices and security standards. In my experience, it is always easy to catch stupid actions, difficult to catch malicious ones, and impossible to save the company from its workers 100% of the time. This is not unique to insider threat or computers, of course; there are still people who will let their kid jump into the gorilla enclosure at the zoo. But it is our mission to make that as difficult as possible and to address the risk before the user sits on the zoo fence and pulls out the selfie stick.

More after the break...


Fun with Insider Threat: Flight Risk

3/18/2016

3 Comments

Motivations – Fantastic Insiders and How to Find Them

Welcome back to Fun with Insider Threat. Continuing our look into Insider Threat, let's venture into the world of Flight Risk. Unlike other types of Insider Threat, Flight Risk candidates rarely have ill will towards the company they are leaving. Most often, the motive is to retrieve all the data they worked on or believe will be beneficial at their next job. All companies, to varying degrees, claim that any work product produced on company assets or during work hours is the sole property of the employer, but when leaving a job the average employee does not consider this. This seems to be especially prevalent in creative roles: a graphic designer, for example, is judged on the quality of their portfolio, and extracting examples of their art is pivotal to finding a new job or iterating on current work product.
Flight Risk candidates are also generally less technical than malicious insiders, as they just want their work product out of the environment and accessible after they leave the job. This makes them very noisy exfiltrators, often repeatedly getting blocked and then modifying methods and variables to avoid the filters. This can start as a single email with multiple large attachments sent home, then get incrementally sneakier by changing the destination, subject line, file names, file size, or format. Often there will be a change in medium: from email, which is usually the first method as it is readily available, to USB storage device writes, to website or online mail uploads, ending with printing documents, which will not be blocked. This pattern varies in complexity and volume but generally results in a physical security breach such as printing, copying work onto paper, or taking pictures with a cell phone. Occasionally this can escalate to Control Avoidance, which we will cover after the break.
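The escalation pattern described above (repeated blocks, then a change of channel from email to USB to web upload to print) is something a detection team can score directly from its own DLP and endpoint telemetry. The following is an added example, not code from the original post: it runs over a small set of constructed events (user, timestamp, channel, outcome) and flags users who, inside a sliding window, accumulate several blocked attempts across more than one channel. The channel names, thresholds and event format are assumptions for the demonstration, not a description of any particular product's logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DLP/endpoint events (not real data):
# (user, timestamp, channel, outcome)
EVENTS = [
    ("jdoe",   "2016-03-14 09:05", "email",      "blocked"),
    ("jdoe",   "2016-03-14 09:20", "email",      "blocked"),
    ("jdoe",   "2016-03-14 10:02", "email",      "blocked"),
    ("jdoe",   "2016-03-15 08:40", "usb",        "blocked"),
    ("jdoe",   "2016-03-15 14:10", "web_upload", "blocked"),
    ("jdoe",   "2016-03-16 17:30", "print",      "allowed"),
    ("asmith", "2016-03-14 11:00", "email",      "allowed"),
    ("asmith", "2016-03-15 11:00", "email",      "blocked"),
]

# The escalation ladder from the post: email -> USB -> web/online mail -> print.
# Ranks are an assumption used only to test whether a user is moving "up" the ladder.
CHANNEL_RANK = {"email": 0, "usb": 1, "web_upload": 2, "print": 3}


def group_by_user(events):
    """Parse timestamps and return {user: [(datetime, channel, outcome), ...]} sorted by time."""
    by_user = defaultdict(list)
    for user, ts, channel, outcome in events:
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), channel, outcome))
    for evs in by_user.values():
        evs.sort()
    return by_user


def score_flight_risk(events, window_days=7, min_blocked=2, min_channels=2):
    """Return {user: summary} for users matching the noisy-exfiltrator pattern.

    A user is flagged when, within any window_days-long window starting at one of
    their events, at least min_blocked attempts were blocked and at least
    min_channels distinct channels were used. The summary kept for a flagged user
    is the window with the most blocked attempts.
    """
    window = timedelta(days=window_days)
    flagged = {}
    for user, evs in group_by_user(events).items():
        for i, (start, _, _) in enumerate(evs):
            span = [e for e in evs[i:] if e[0] - start <= window]
            blocked = sum(1 for _, _, outcome in span if outcome == "blocked")
            channels = [c for _, c, _ in span]
            distinct = set(channels)
            ranks = [CHANNEL_RANK.get(c, -1) for c in channels]
            # Escalating means the channel never moves back down the ladder.
            escalating = all(a <= b for a, b in zip(ranks, ranks[1:]))
            if blocked >= min_blocked and len(distinct) >= min_channels:
                summary = {
                    "blocked": blocked,
                    "channels": sorted(distinct, key=lambda c: CHANNEL_RANK.get(c, 99)),
                    "escalating": escalating,
                    # Printing is the step the post says will not be blocked.
                    "printed": "print" in distinct,
                }
                prev = flagged.get(user)
                if prev is None or summary["blocked"] > prev["blocked"]:
                    flagged[user] = summary
    return flagged


if __name__ == "__main__":
    for user, summary in score_flight_risk(EVENTS).items():
        print(user, summary)
```

The `escalating` flag is what separates the pattern in the post from a user who merely trips the email filter a few times: a non-decreasing walk up the channel ladder, finishing with a successful print, is the sequence worth an analyst's time.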


Fun With Insider Threat: We Backtracked the Call.  It’s Coming from Inside the House.

3/10/2016

0 Comments

Who is an Insider: Clear and Present Dangers

Welcome to Fun with Insider Threat. The goal of these articles is to give a periodic view into my opinions and experience in the world of Insider Threat detection. This is the introductory segment, which gives an outline of what Insider Threat is, common behavior tropes, and a glimpse into the detection methods.

Insider threats can be defined as any agent within the environment, employed or under contract with a company, exfiltrating, tampering with, or destroying assets and/or data. The vast majority of cyber security and audit products and techniques focus on keeping outside and unauthorized sources from accessing internal resources, but much less effort is dedicated to identifying the behavior patterns, motives, opportunities, and techniques that a trusted employee might use to commit the same catastrophic actions. There are three traditional ways to leave a company: quit, get fired, or die. We are going to focus on the first way, as it is the most common, unless you are the Pope, or a politician. Summarized below are the major sources and motivations of insiders, in my experience.


Review: Advanced Digital Forensics and Incident Response (SANS FOR508) Course and GCFA Certification

2/15/2016

1 Comment

 
As someone in the cyber/digital forensics community, I always looked at forensics training programs partially as a waste of time and (lots of) money (caveat: for someone already knowledgeable in the field). However, after some convincing from colleagues, I decided to give one a shot in December 2015. The class I participated in was SANS FOR508 (Advanced Digital Forensics and Incident Response) in Washington D.C. In addition, I signed up for the GCFA (Certified Forensic Analyst), taken in January 2016. Here are some of my thoughts now that I've gone through both of them.
SANS GIAC GCFA
Positives
  • Good lecture flow/structure
  • Decent content
Negatives
  • Too focused on some very specific or outdated tools (The Sleuth Kit)
  • Provided workbook was less training and more "fill-in-the-blank"
Things To Improve
  • Focus more on concepts and less on specific tool use
  • Expand on the workbook exercises to explain results to a user


Tool: Brightness Monitor

1/3/2016

0 Comments


BrightnessMonitor is a Windows application (developed in C#) built to manually or automatically adjust your monitor's brightness. The following are features of the BrightnessMonitor application:
  • Allows user to modify brightness on a scale from 1 to 100 (1 = Dimmest, 100 = Brightest).
  • Allows user to set two preset brightnesses based on time of day (I broke it up into Day and Night, but it functions as two simple presets). These presets allow the user to select the time of change, the brightness upon change, and whether to gradually shift from the current brightness to the preset brightness (over a 90-second period, making it easier on the eyes).
  • Allows user to set the application as a startup application, setting your brightness on Windows boot.
  • Allows user to keep application in the Windows tray, to prevent it from showing on your taskbar.
  • Allows user to reset to defaults.

Download:
ThreatFix: BrightnessMonitor

Github: BrightnessMonitor

Tool: ExtractIOC

12/23/2015

4 Comments


ExtractIOC is a Windows application built to assist cyber threat intelligence analysts. This application allows a user to import one or more IoC (Indicator of Compromise) reports and export a sorted list or report of user-specified IoC types. For example, if a user has a large list of IoC (IP and email addresses, domains, and MD5 hashes), they can specify which IoC type they want to export, export it as a flat text file or comma-separated (CSV) file, apply security brackets (e.g., google[.]com instead of google.com), and filter out IoC through a user-specified whitelist.
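The workflow described above (import reports, pick IoC types, whitelist, bracket, export as text or CSV) is small enough to show end to end. The code below is an added example written for this page; it is not ExtractIOC's own source and makes no claim about how that application is implemented. It runs over two constructed report snippets, re-fangs indicators that arrive already bracketed, extracts IPv4 addresses, domains, email addresses and MD5 hashes with regular expressions, drops anything matching a whitelist (domains are matched by suffix, so whitelisting google.com also drops www.google.com), and optionally applies security brackets on export. The regular expressions, the short TLD list and the sample text are assumptions made for the demonstration.

```python
import csv
import io
import re

# Patterns are deliberately simple; the TLD list is an assumption for the demo.
IOC_PATTERNS = {
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|ru|info)\b", re.I),
}

# Constructed sample reports (not real intelligence); one is already partly defanged.
SAMPLE_REPORTS = [
    "C2 beacon to 198.51.100.23 and mail[.]evil-corp[.]net; dropper md5 "
    "d41d8cd98f00b204e9800998ecf8427e. Phish sent from payroll@evil-corp.net; "
    "references to www.google.com are benign.",
    "Second report: hxxp://update.evil-corp.net/x.php contacted 198.51.100.23 again; "
    "hash D41D8CD98F00B204E9800998ECF8427E.",
]


def refang(text):
    """Undo common defanging so indicators in imported reports match the patterns."""
    return text.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def defang(ioc):
    """Apply security brackets: google.com -> google[.]com."""
    return ioc.replace(".", "[.]")


def extract_iocs(reports, types, whitelist=(), bracket=False):
    """Return {type: sorted list of unique indicators} for the requested IoC types."""
    found = {t: set() for t in types}
    wl = {w.lower() for w in whitelist}
    for text in reports:
        text = refang(text)
        # Pull emails first and blank them out so the domain part of an address
        # is not also reported as a standalone domain.
        emails = set(IOC_PATTERNS["email"].findall(text))
        without_emails = IOC_PATTERNS["email"].sub(" ", text)
        for t in types:
            if t == "email":
                hits = emails
            elif t == "domain":
                hits = set(IOC_PATTERNS["domain"].findall(without_emails))
            else:
                hits = set(IOC_PATTERNS[t].findall(text))
            for hit in hits:
                value = hit.lower()
                if value in wl:
                    continue
                if t == "domain" and any(value.endswith("." + w) for w in wl):
                    continue
                if bracket and t in ("domain", "ipv4", "email"):
                    value = defang(value)
                found[t].add(value)
    return {t: sorted(vals) for t, vals in found.items()}


def export(iocs, fmt="txt"):
    """Render the extracted indicators as flat text (one per line) or CSV."""
    buf = io.StringIO()
    if fmt == "csv":
        writer = csv.writer(buf)
        writer.writerow(["type", "value"])
        for t, vals in iocs.items():
            for v in vals:
                writer.writerow([t, v])
    else:
        for vals in iocs.values():
            for v in vals:
                buf.write(v + "\n")
    return buf.getvalue()


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_REPORTS, ["ipv4", "domain", "email", "md5"],
                          whitelist=["google.com"], bracket=True)
    print(export(result, "csv"))
```

Re-fanging on import matters more than it looks: vendor reports mix google[.]com, google(.)com and hxxp:// styles, and a list that is not normalised first will carry the same indicator in several spellings and silently miss whitelist matches.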

Download:
ThreatFix: ExtractIOC

Github: ExtractIOC

Tool: Simple Windows Keylogger

10/23/2015

0 Comments


This is the completed Simple Windows Keylogger from the tutorial I posted. This keylogger performs two main functions:
  1. Tracks user keystroke input and saves it to a local file (file path defined by the user). The local file can also be uploaded to Dropbox every X seconds.
  2. Creates a Windows registry Run key, executing the script on startup.
It's important to note that I'm not responsible for what you use this keylogger for. Use it to educate yourself on keyloggers, Python, and other things that don't involve snooping on the unsuspecting.
Download:
ThreatFix: Simple Windows Keylogger

Github: Simple Windows Keylogger

Developing A Windows Keylogger Using Python

10/14/2015

1 Comment

This post is a tutorial on how to develop a keylogger for Windows using Python. A keylogger is an application used to capture keystrokes from an unsuspecting user. I'll walk you through the steps of building your own keylogger (with the ability to store a file locally or upload it to Dropbox) and explain the steps along the way so you too can start experimenting with Python. In addition, I'll just post the script because I know that's what some of you want.

The following will be broken down into three parts:
  • Setting up your Python environment
  • Developing the Python script
  • Script execution


Tool: ThreatStego

6/7/2015

1 Comment

The ThreatStego tool is now available! This tool was developed to provide a simple example of how steganography works. ThreatStego allows a user to hide text inside an image. The image can be password protected to prevent someone from revealing your secret text, but it also works just as well without one. Along with that functionality, the tool allows a user to reveal text hidden using this application.
Check it out here!

ThreatStego


Tool Update!

4/26/2015

1 Comment

Hi. If you like Windows Prefetch tools, I think you should check out the tools section. We've recently added a Prefetch Parser that will be able to parse all the fun data out of a prefetch file.

Check it out HERE.