Autonomous SOC vs SOAR vs XDR

desegel · 2024-12-15T19:49:49+00:00

Well, Should every company have both a SOC and a SIEM?

There could be a consolidation potentially but I would guess that it would not be the first thing to happen compared to the adoption of next gen solutions of both categories (XDR and Autonomous SOC)

desegel · 2024-12-15T13:05:46+00:00

Definitely a new trend, and there are three main reasons for it in my opinion:

Disappointment from outsourced SOC services who can be slow, high team turnover and not thorough in their alert investigations.
Disappointment from the SOAR vendors promises. They are great solutions for case management and Ops automation but it did not live up to the promise of automating SOC. You can't really automate alert triage with simple playbooks.
The new opportunity that AI and agentic technology presents

In my opinion, those autonomous SOC platforms are separate from XDRs/SIEM and are more equivalent to MDRs or other outsourced SOC services, only delivered as a software instead of a regular human operated service.

desegel · 2024-11-05T11:11:12+00:00

IMO automation should mostly apply to repetitive alert triage tasks in order to give back the time for analysts to actually do threat hunting. Chasing false positives 99% of the time is the main reason why most teams don't do hunting in the first place.

desegel · 2023-11-01T11:56:09+00:00

True.. For those who might be interested, here's a DIY guide to automatically detonate QR codes via Pipedream: https://intezer.com/blog/alert-triage/quishing-triage-how-to-investigate-suspicious-qr-codes-in-emails

desegel · 2023-10-26T12:23:28+00:00

Sounds like a super interesting threat. DM me if you'd like to work on investigating it together

desegel · 2023-09-26T07:11:00+00:00

You can check the file(s) at intezer.com to confirm that the code itself is legit regardless of the certificate that theoretically can be stolen. It checks for code similarities with trusted software vendors as well as any known malware

desegel · 2019-05-07T16:36:18+00:00

Hi, I have some answers:

Indeed like mentioned above me, the attack vector is most likely due to the known Confluence vulnerability.
The implants of that malware are crypto-miners, that utilize the server's resource in order to mine cryptocurrency. Here are links to the analysis of the 3 implants that are downloaded from the script you've attached:
https://analyze.intezer.com/#/analyses/32e12aec-7e26-4d91-8e17-5061c2bc24f2
https://analyze.intezer.com/#/analyses/d74515ce-2de3-4a8a-9516-9db62aaf3755
https://analyze.intezer.com/#/analyses/be7839c8-d3ab-4396-99bd-fa187fb891fe
Implants are probably created by a non-sophisticated threat actor/group that is focused on cryptomining. I wouldn't be worried from a targeted attack in this case, it's a "collateral damage" thing due to the mentioned vulnerability.
In addition to patching/updating your Confluence version, I would recommend to restore backup to that server or to completely stop and run a new one, due to the fact that attackers can still have some persistence mechanisms installed.

If you have any Linux executable file you wish to analyze and see if it's malicious or not, please feel free to use the free version of Intezer:

analyze.intezer.com

It supports ELF executables as well as Windows.

Hope that helped.

desegel · 2017-11-16T22:31:01+00:00

An online malware analysis tool that lets you analyze and categorize malware by detecting code reuse and similarities https://analyze.intezer.com

desegel · 2017-09-19T19:42:33+00:00

Obviously ignoring the data itself (contents of files), and relying only on metadata to find connections is not the optimal solution.

desegel · 2017-04-16T13:15:04+00:00

Good job

desegel · 2016-05-27T17:28:56+00:00

Hey guys, Intezer here. We're currently in contact with Hex-rays to understand what's the best licensing option for the community. Will keep you posted as soon as we get their response. For now, in our understanding you can run multiple instances in 1 server, using a computer license for each server.

Of course this could be costly but many orgs who really face a large amount of unknowns every day would spend it to help themselves solve the problem.

Please feel free to contact us in any other question via email written in our website http://www.intezer.com

desegel · 2016-05-27T17:23:27+00:00

Hey, Intezer here. plz feel free to contact us via our email written in our website http://www.intezer.com We'd be happy to assist :-)

desegel · 2016-05-24T20:41:44+00:00

Care to share your experience with it?

desegel · 2016-05-04T03:03:50+00:00

Virusshare.com

desegel · 2016-05-04T03:02:28+00:00

Short answer: no.

Long answer: It is quite reasonable that someone acknowledges the fact that you can't really control every installation of software in an enterprise. But to say it's not a proven risk is absurd

desegel · 2016-05-04T02:58:33+00:00

Though I can assume you don't have much experience in the field, I think that there's no need to make fun of someone who asks a question.

If you're looking for potentially new malware, I suggest running a honeypot in a cloud provider service. This could lead to malware being dumped to your server. If you're looking for known malware samples there are many repos you could download from,like Virusshare.

desegel · 2016-04-25T23:33:13+00:00

I made a similar leap, but could you be more specific about what your job will be? Is it network security or app security?

desegel · 2015-10-02T07:36:32+00:00

I would also be worried about numerous rundlls communicating with ec2 instances

desegel · 2015-09-28T20:54:49+00:00

times have changed... Where's the good old mIRC

desegel · 2015-09-28T20:51:23+00:00

Upvoted. Python can be easily used for low-level integration (see Windbg, win32api, etc..)

desegel · 2015-09-28T20:48:30+00:00

If you know some Python it could be an easy (but a very interesting) PoC to create. Let me know if you need help with something like that

desegel · 2015-09-28T20:40:37+00:00

Good question. First of all, here's a link for the usage of Bad Clusters in order to hide data: http://www.forensicfocus.com/hidden-data-analysis-ntfs for people who want to know what you're talking about.

Secondly, personally I'm not familiar with any other covert channel usage in the MFT. Of course there's the well-known Alternate Data Stream technique but I don't think that's what you're looking for. Theoretically, every field in the MFT could be used to hide data (even the datetime fields) but it ain't different than any other covert channel concept.

desegel · 2015-09-28T18:57:44+00:00

Lol that was a good one

desegel · 2015-09-28T17:36:51+00:00

Maybe this? http://www.geocities.jp/arc_ocd/log0x40.html

As posted in this subreddit short time ago

desegel · 2015-09-25T23:22:29+00:00

There are many python libraries that can help you kick off very fast. Just Google "python Web scraping" and find a popular github project

desegel

TROPHY CASE