Sqrrl Blog

Aug 25, 2015 5:42:00 PM

Team “Blue Squirrel” Comes Out On Top At Defcon Forensics Contest

By Chris McCubbin, Director of Data Science

This month we flew out to scenic Las Vegas, Nevada to take on some of the world’s most notorious hackers (that's us!) in the annual DEFCON 23 Network Forensics Puzzle contest, organized by LMG Security. For those of you who aren’t familiar with the contest, you and your team get several encrypted files, one per round, at the start of the contest. The organizers give you the key to the first file, which typically contains pcaps or other network traces, and a simple question to answer. Your job is to use the files to answer the question. Once you are confident the team has answered the question, you text the answer to the organizers and they will text back the key to the next round if you are correct. Wild guessing is discouraged and may lead to the organizers disqualifying the team. To finish, successfully answer the question in each round.


Topics: Cyber Forensics, DefCon

Aug 13, 2015 9:18:00 AM

Cyber Incident Matrix: Insider Trading

Complexity Score: 3
Severity Score: 3
How did we get these numbers?

Incident Summary

  • What was breached: Business Wire, Marketwired and PR Newswire

  • Delivery: February 2010 - August 2015

  • The Attackers: Attackers from US, France, Cyprus, Russia, and Ukraine

Beginning in early 2010, a ring of hackers breached the financial wire companies Business Wire, Marketwired, and PR Newswire, patiently exfiltrating press releases related to a number of Fortune 500 companies (including HP, Home Depot, and Caterpillar) before the releases were made public. After the press releases were exfiltrated, they were analyzed by traders who would buy or short stock depending on the information they contained. According to the SEC filing, the hacker-trader ring made over $100 million in insider trades over the five-year period.


Topics: Data Breach, Phishing, Hacking, Insider Trading, Market Manipulation

Aug 11, 2015 8:00:00 AM

Cyber Incident Matrix: Kaspersky

Severity Score: 2
Complexity Score: 10
How did we get these numbers?

Incident Summary:

  • What was breached: Several internal R&D-related systems of Kaspersky Lab

  • Delivery: Unknown - Spring 2015

  • The Attackers: Unnamed Nation State

On June 10th, 2015, Russia-based security firm Kaspersky Lab announced that their systems had been infiltrated by a hyper-advanced, previously undiscovered form of malware known as Duqu 2.0, the next generation of the Duqu trojan, or the “cousin” of Stuxnet. According to Kaspersky Lab, they were not the only target of the attack, as Duqu 2.0 was also deployed to spy on the 2014-2015 P5+1 talks, the new Iran Nuclear talks, and a conference commemorating the 70th anniversary of the liberation of Auschwitz-Birkenau.


Topics: Malware, Data Breach, Duqu 2.0, Indicators of Compromise

Aug 5, 2015 8:30:00 AM

A Framework for Cyber Threat Hunting Part 2: Advanced Persistent Defense

In part 1 of this series, we discussed the six categories of Indicators of Compromise (IoC) that can be used as trailheads for structured threat hunting trips. In this post, we will focus specifically on how security organizations can build intelligence-driven hunting loops to detect the Tactics, Techniques, and Procedures (TTPs) of advanced threats.

In order to hunt threats, it is important to understand the method of the attacker. The cyber kill chain is the well-known framework created by Lockheed Martin to track the steps an attacker goes through to exploit, compromise, and carry out an attack against a targeted system or organization. Disrupting this process at any point in the chain prevents (or at least seriously degrades) an attacker’s ability to accomplish their mission.


Topics: Breach Detection, Cyber Hunting, Incident Response, Threat Hunting

Aug 3, 2015 11:30:00 AM

Cyber Incident Matrix: ATM Hacks

Complexity Score: 5
Severity Score: 4
How did we get these numbers?

Incident Summary

  • What was breached: Nearly 100 Banking institutions in over 30 countries

  • Delivery: 2013 (possibly earlier) - February 2015

  • The Attackers: Allegedly Russian Hackers

Using email attachments infected with malware sent to bank employees, hackers were able to passively collect information on banking systems across nearly 100 banks, eventually using that information to gain access to critical systems, undetected. The intruders were able to mimic staff behavior in order to learn more about system operations, then open accounts and transfer money.


Topics: Cybersecurity, Cyber Incident Matrix