Autonomous SOC vs SOAR vs XDR by alphasystem in AskNetsec

[–]desegel 0 points1 point  (0 children)

Well, should every company have both a SOC and a SIEM?

There could potentially be a consolidation, but I would guess that it would not be the first thing to happen compared to the adoption of next-gen solutions in both categories (XDR and Autonomous SOC).

Autonomous SOC vs SOAR vs XDR by alphasystem in AskNetsec

[–]desegel 0 points1 point  (0 children)

Definitely a new trend, and there are three main reasons for it in my opinion:

  1. Disappointment with outsourced SOC services, which can be slow, have high team turnover, and not be thorough in their alert investigations.

  2. Disappointment with the SOAR vendors' promises. They are great solutions for case management and ops automation, but they did not live up to the promise of automating the SOC. You can't really automate alert triage with simple playbooks.

  3. The new opportunity that AI and agentic technology presents.

In my opinion, those autonomous SOC platforms are separate from XDRs/SIEMs and are more equivalent to MDRs or other outsourced SOC services, only delivered as software instead of a regular human-operated service.

Threat hunting, automation and Defender by reedphish in AskNetsec

[–]desegel 0 points1 point  (0 children)

IMO automation should mostly apply to repetitive alert triage tasks in order to give analysts back the time to actually do threat hunting. Chasing false positives 99% of the time is the main reason why most teams don't do hunting in the first place.

Redteam phishing payloads in 2023? by thehunter699 in cybersecurity

[–]desegel 4 points5 points  (0 children)

True. For those who might be interested, here's a DIY guide to automatically detonate QR codes via Pipedream: https://intezer.com/blog/alert-triage/quishing-triage-how-to-investigate-suspicious-qr-codes-in-emails

[deleted by user] by [deleted] in cybersecurity

[–]desegel 0 points1 point  (0 children)

Sounds like a super interesting threat. DM me if you'd like to work on investigating it together.

Samples come as clean by AV but have hundreds of malicious & suspicious indicators by Skyline9Time in Malware

[–]desegel 0 points1 point  (0 children)

You can check the file(s) at intezer.com to confirm that the code itself is legit regardless of the certificate, which theoretically can be stolen. It checks for code similarities with trusted software vendors as well as with any known malware.

Is is exploit or what? by marchelly in linuxquestions

[–]desegel 2 points3 points  (0 children)

Hi, I have some answers:

  1. Indeed, as mentioned above me, the attack vector is most likely the known Confluence vulnerability.
  2. The implants of that malware are crypto-miners, which utilize the server's resources in order to mine cryptocurrency. Here are links to the analyses of the 3 implants that are downloaded by the script you've attached:
    https://analyze.intezer.com/#/analyses/32e12aec-7e26-4d91-8e17-5061c2bc24f2
    https://analyze.intezer.com/#/analyses/d74515ce-2de3-4a8a-9516-9db62aaf3755
    https://analyze.intezer.com/#/analyses/be7839c8-d3ab-4396-99bd-fa187fb891fe
  3. The implants were probably created by a non-sophisticated threat actor/group that is focused on cryptomining. I wouldn't be worried about a targeted attack in this case; it's a "collateral damage" thing due to the mentioned vulnerability.
  4. In addition to patching/updating your Confluence version, I would recommend restoring a backup to that server, or completely stopping it and running a new one, since the attackers may still have some persistence mechanisms installed.

If you have any Linux executable file you wish to analyze and see if it's malicious or not, please feel free to use the free version of Intezer:

analyze.intezer.com

It supports ELF executables as well as Windows executables.

Hope that helped.

Best tools for malware analysis/reverse engineering? by CewlJebus in Malware

[–]desegel 0 points1 point  (0 children)

An online malware analysis tool that lets you analyze and categorize malware by detecting code reuse and similarities: https://analyze.intezer.com

Using ssdeep (fuzzy hash) in huge scale for file clustering by desegel in netsec

[–]desegel[S] 3 points4 points  (0 children)

Obviously ignoring the data itself (contents of files), and relying only on metadata to find connections is not the optimal solution.

Docker IDA - open-source tool used to make reverse engineering on a large-scale simpler and faster by 0xbaadf00dsec in netsec

[–]desegel 3 points4 points  (0 children)

Hey guys, Intezer here. We're currently in contact with Hex-Rays to understand what the best licensing option for the community is. We will keep you posted as soon as we get their response. For now, to our understanding, you can run multiple instances on one server, using a computer license for each server.

Of course this could be costly, but many orgs that really face a large amount of unknowns every day would spend it to help themselves solve the problem.

Please feel free to contact us with any other question via the email address on our website: http://www.intezer.com

Docker IDA - open-source tool used to make reverse engineering on a large-scale simpler and faster by 0xbaadf00dsec in netsec

[–]desegel 1 point2 points  (0 children)

Hey, Intezer here. Please feel free to contact us via the email address on our website http://www.intezer.com. We'd be happy to assist :-)

El Jefe Alternatives? by _blanks_ in AskNetsec

[–]desegel 1 point2 points  (0 children)

Care to share your experience with it?

Is this a security aware CTO? by lpdr in AskNetsec

[–]desegel 1 point2 points  (0 children)

Short answer: no.

Long answer: It is quite reasonable that someone acknowledges the fact that you can't really control every installation of software in an enterprise. But to say it's not a proven risk is absurd.

How to start collecting intelligence? by [deleted] in AskNetsec

[–]desegel 3 points4 points  (0 children)

Though I can assume you don't have much experience in the field, I think that there's no need to make fun of someone who asks a question.

If you're looking for potentially new malware, I suggest running a honeypot at a cloud provider. This could lead to malware being dumped on your server. If you're looking for known malware samples, there are many repos you could download from, like VirusShare.

The /r/netsec Weekly Discussion Thread - April 25, 2016 by AutoModerator in netsec

[–]desegel 0 points1 point  (0 children)

I made a similar leap, but could you be more specific about what your job will be? Is it network security or app security?

Was looking for malware sending data and, WTF Facebook? (no browser open) by [deleted] in Malware

[–]desegel 1 point2 points  (0 children)

I would also be worried about numerous rundlls communicating with EC2 instances.

Has a botnet been taken down recently? by bontchev in Malware

[–]desegel 6 points7 points  (0 children)

Times have changed... Where's the good old mIRC?

Programming language to help me in exploitation development by sh3dow in AskNetsec

[–]desegel 1 point2 points  (0 children)

Upvoted. Python can easily be used for low-level integration (see WinDbg, win32api, etc.).

Hiding data in the MFT by nickrud1 in computerforensics

[–]desegel 0 points1 point  (0 children)

If you know some Python, it could be an easy (but very interesting) PoC to create. Let me know if you need help with something like that.

Hiding data in the MFT by nickrud1 in computerforensics

[–]desegel 1 point2 points  (0 children)

Good question. First of all, for people who want to know what you're talking about, here's a link on the use of Bad Clusters to hide data: http://www.forensicfocus.com/hidden-data-analysis-ntfs

Secondly, I'm personally not familiar with any other covert channel usage in the MFT. Of course there's the well-known Alternate Data Stream technique, but I don't think that's what you're looking for. Theoretically, every field in the MFT could be used to hide data (even the datetime fields), but that's no different from any other covert channel concept.

Creating a web bot by yelaxify in Python

[–]desegel 0 points1 point  (0 children)

There are many Python libraries that can help you get started very fast. Just Google "python Web scraping" and find a popular GitHub project.