In Incident Response we often get called in to customer engagements
after an incident has occurred (yeah, I know, that is why it is called
Response). Unfortunately, not all organisations we work with have
centralised log collection … or if they do, t...
To round out our series explaining how to use the indicators from ASD &
NSA's report for detecting web shells (Detect and prevent web shell
malware | Cyber.gov.au) with NetWitness, let's take a look at the
endpoint focused indicators. If you missed ...
Following on from my last post that focused on analysing web server
logs, this time we are going to look at the network-based indicators...
Introduction: The Australian Signals Directorate (ASD) & US National
Security Agency (NSA) have jointly released a useful guide for detecting
and preventing web shell malware. If you haven't seen it yet, you can
find it here: Detect and prevent web shel...
Introduction: Having recently moved into the IR team – where I now have to
actually do stuff as opposed to just talking about stuff in technical
sales – I have found that the best way to get up to speed with detecting
attacker behaviours is to run the ...
Hi Jon, we'll get in to some methods for detecting web shells using data
from NetWitness Network soon! In the meantime, the default setting for
the http_lua network parser is to register the components of the URI
(hostname, directory, filename, extrensi...
The joy of Logs! So maybe we need info from another source. If you have
DNS logs with the request and response (or even better NW Network
capture of DNS queries) from the Proxy we could tie the ip.dst (in NW
Network, the response to the DNS query woul...
Using a feed to tag sessions with extra meta for context is a great idea
overall, but I don't think it answers your initial question of how to
link the event from the firewall with the corresponding event from the
proxy server. Using the feed mechani...
There is documentation at the end of the Security Configuration guide
available here (in Appendix A): Security Configuration Guide for Version
11.2. From the field – it does work: We have created a self-signed
certificate and a key using the below, op...