Sqrrl Blog

Aug 25, 2015 5:42:00 PM

Team “Blue Squirrel” Comes Out On Top At Defcon Forensics Contest

By Chris McCubbin, Director of Data Science

This month we flew out to scenic Las Vegas, Nevada to take on some of the world’s most notorious hackers (that's us!) in the annual DEFCON 23 Network Forensics Puzzle contest, organized by LMG Security. For those of you who aren’t familiar with the contest, you and your team get several encrypted files, one per round, at the start of the contest. The organizers give you the key to the first file, which typically contains pcaps or other network traces, and a simple question to answer. Your job is to use the files to answer the question. Once you are confident the team has answered the question, you text the answer to the organizers and they will text back the key to the next round if you are correct. Wild guessing is discouraged and may lead to the organizers disqualifying the team. To finish, successfully answer the question in each round.


Topics: Cyber Forensics, DefCon

Aug 13, 2015 9:18:00 AM

Cyber Incident Matrix: Insider Trading

Complexity Score: 3
Severity Score: 3
How did we get these numbers?

Incident Summary

  • What was breached: Business Wire, Marketwired and PR Newswire

  • Delivery: February 2010 - August 2015

  • The Attackers: Attackers from US, France, Cyprus, Russia, and the Ukraine

Overview:

Beginning in early 2010, a ring of hackers breached financial wire companies Business Wire, Marketwired, and PR Newswire, patiently exfiltrating press releases related to a number of Fortune 500 companies (including HP, Home Depot, and Caterpillar) before the releases were made public. After the press releases were exfiltrated, they were analyzed by traders who would buy or short stock depending on the information contained in the press releases. According to the SEC filing, the hacker-trader ring made over $100 million in insider trades over the five year period.


Topics: Data Breach, Phishing, Hacking, Insider Trading, Market Manipulation

Aug 11, 2015 8:00:00 AM

Cyber Incident Matrix: Kaspersky

Severity Score: 2
Complexity Score: 10
How did we get these numbers?

Incident Summary:

  • What was breached: Several internal R&D related Systems of Kaspersky Lab

  • Delivery: Unknown - Spring 2015

  • The Attackers: Unnamed Nation State

Overview:

On June 10th, 2015, Russia-based security firm Kaspersky Lab announced that their systems had been infiltrated by a hyper-advanced, previously undiscovered form of malware known as Duqu 2.0, the next generation of the Duqu trojan, or the “cousin” of Stuxnet. According to Kaspersky Lab, they were not the only target of the attack, as Duqu 2.0 was also deployed to spy on the 2014-2015 P5+1 talks, the new Iran Nuclear talks, and a conference commemorating the 70th Anniversary of the liberation of Auschwitz-Birkenau.


Topics: Malware, Data Breach, Duqu 2.0, Indicators of Compromise

Aug 5, 2015 8:30:00 AM

A Framework for Cyber Threat Hunting Part 2: Advanced Persistent Defense

In part 1 of this series, we discussed the six categories of Indicators of Compromise (IoC) that can be used as trailheads for structured threat hunting trips. In this post, we will focus specifically on how security organizations can build intelligence-driven hunting loops to detect the Tactics, Techniques, and Procedures (TTPs) of advanced threats.

In order to hunt threats, it is important to understand the method of the attacker. The cyber kill chain is the well known framework created by Lockheed Martin to track the steps an attacker goes through to exploit, compromise, and carry out an attack against a targeted system or organization. Disrupting this process at any point in the chain prevents (or at least seriously degrades) an attacker’s ability to accomplish their mission.


Topics: Breach Detection, Cyber Hunting, Incident Response, Threat Hunting

Aug 3, 2015 11:30:00 AM

Cyber Incident Matrix: ATM Hacks

Complexity Score: 5
Severity Score: 4
How did we get these numbers?

Incident Summary

  • What was breached: Nearly 100 Banking institutions in over 30 countries

  • Delivery: 2013 (possibly earlier) - February 2015

  • The Attackers: Allegedly Russian Hackers

Overview:

Using malware-infected email attachments sent to bank employees, hackers were able to passively collect information on banking systems across nearly 100 banks, eventually using that information to gain undetected access to critical systems. The intruders were able to mimic staff behavior in order to learn more about system operations, then open accounts and transfer money.


Topics: Cybersecurity, Cyber Incident Matrix

Jul 23, 2015 4:37:00 PM

A Framework for Cyber Threat Hunting Part 1: The Pyramid of Pain

While rule-based detection engines are a strong foundation for any security organization, cyber threat hunting is a vital capability for security organizations to have in order to detect unknown advanced threats. Hunting goes beyond rule-based detection approaches and focuses on proactively detecting and investigating threats. Cyber hunting “trips” are categorized into three types:


Topics: Cybersecurity, Breach Detection, Cyber Hunting, Linked data analysis, Threat Detection

Jul 22, 2015 8:30:00 AM

Cyber Incident Matrix: Anthem

Complexity Score: 4
Severity Score: 5
How did we get these numbers?

Incident Summary

  • What was breached: Anthem customer profile database

  • Delivery: April 2014 - February 2015

  • The Attackers: No formal incrimination, Chinese government is suspected

Overview:

On February 4th, 2015, Anthem Inc., formerly known as Wellpoint, announced that it had discovered a breach of its customer information database that resulted in the loss of 37.7 million records containing email addresses, home addresses, and Social Security numbers. After several weeks of forensic analysis, that number increased to 78.8 million affected records. While the formal FBI investigation has not concluded, it has been speculated that the Chinese government perpetrated the attack.


Topics: Cybersecurity, Data Breach, Cyber Incident Matrix, Healthcare Breach

Jul 16, 2015 9:30:00 AM

Cyber Incident Matrix: IRS Breach

Severity Score: 3
Complexity Score: 4
How did we get these numbers?

Incident Summary

  • What was breached: IRS Database of Taxpayer Information

  • Delivery: February-May, 2015

  • The Attackers: Undisclosed “sophisticated enemies” originating in Russia

Overview:

On May 26th, 2015, the United States Internal Revenue Service (IRS) announced that the personal information of over 100,000 American taxpayers was stolen from “Get Transcript,” a service provided by the IRS that allowed taxpayers to get a transcript of their past tax activities. These transcripts were then used to file fraudulent tax returns in the name of the victims. Currently, the culprit is unknown to the public, though the IRS has indicated the attackers were Russian in origin.


Topics: Cybersecurity, Breach Detection, Data Breach

Jul 14, 2015 9:45:00 AM

Cyber Incident Matrix: OPM Breach

Severity Score: 6
Complexity Score: 6
How did we get these numbers?

Incident Summary

  • What was breached: The United States Office of Personnel Management (OPM). System specific breaches were not disclosed.

  • Delivery: March 2014 (possibly earlier) - April 2015

  • The Attackers: Chinese state-sponsored hackers (alleged)

Overview:

In April of this year, the US Office of Personnel Management (OPM) became aware of an intrusion in a personnel file database while working to upgrade its security infrastructure. As investigations continued, the OPM discovered that a second breach had occurred in which a variety of sensitive data on both former and current federal employees had been compromised and exfiltrated using credentials associated with an investigative contractor, KeyPoint Government Solutions. Before being detected, the intruders had made off with personal information such as sexual history, drug use, friends, roommates, and more. The second breach was far more significant, raising the number of affected individuals to over 21 million.


Topics: Cybersecurity, OPM, Data Breach

Jul 9, 2015 8:00:00 AM

Introducing the Sqrrl Cyber Incident Matrix

A Sqrrl blog series focused on Data Breaches

Data breaches are in the news again and again these days. Between the IRS, OPM, Target, LastPass, and countless other private and public organizations, data and networks of all varieties are prime targets for both external attackers and internal infiltrators. Our newsfeeds, inboxes, and conversations are all saturated with people asking how and why these incidents occur. Over the past 12 months, cybersecurity issues have moved closer to the center of public debate than they ever have been in the past. The rate at which private data is being compromised each week is as alarming as it is impressive.

Today, we’re launching the Sqrrl Cyber Incident Matrix because we believe that there is a need for a place that collects, catalogues, and breaks down these incidents concisely, and in a manner that is easy to understand. Our goal is to take a look at data breaches in the news, rate them based on their severity and complexity, and analyze the known aspects of each breach. We’re not here to make wild theories; the purpose behind this blog is to collect the known facts about a breach and try to build a contextual narrative of how different breaches relate to each other.


Topics: Cybersecurity, Breach Detection, Outlier Detection, Data Breach, Incident Response