Latest News From Blog

Android Malware: Infection & Spread

The Impact of Android Malware

Cybercriminals who want to get into your Android device only have to do one thing to make that happen: convince you to download a game. In mid-2017, a type of malware known as a trojan hid in plain sight in the form of a game called "Colourblock" on the Google Play Store. Unknowingly, more than 50,000 people downloaded what they thought was a game but was really malware (short for malicious software).

The trojan, called Dvmap, made it possible for cybercriminals to monitor devices on which it had been installed and even install new applications on the phone. It worked because the masterminds behind it first uploaded a clean version of the app to the Play Store before swapping in the malicious version.

You may be asking yourself, "Why isn't this lesson about both iOS and Android malware?" The answer is hidden in the example you just read. The Google Play Store ecosystem has fewer security measures in place when developers introduce their apps to the public, unlike Apple's App Store, which has more rigid controls. Add to that Android users' ability to install apps downloaded from the internet, and you have an environment ripe for cyber attacks. That's not to say malware is unheard of on Apple devices, but the focal point of this lesson is malware on Android phones.

What is Android Malware?

Android malware is really no different from the types of malware you may be familiar with on desktop or laptop computers; it is simply targeted at Android devices. Mobile malware is any malicious software or code designed to harm a user's device, such as trojans, adware, ransomware, spyware, viruses, or phishing apps.

Where does it come from? A host of places! As we've already discussed, third-party app stores, where users go to download new games, for example, hide malware inside different types of apps. An Android user, unlike an Apple user, may also do what's known as sideloading an app. This requires the device owner to change a security setting, usually labeled "unknown sources". Users can then download content directly from the internet onto their device, or via their computer, bypassing the Play Store altogether. And, of course, there are the traditional sources of malware, including malicious downloads in emails, suspicious websites, and links from unknown senders. Once malware invades your Android, it can do all types of things, from the mischievous to the downright fraudulent, including showing you ads continually or stealing and selling your sensitive data.

How Android Malware Spreads

Just a few years ago, experts believed that the majority of malware in the mobile space was targeted specifically at Android devices. Why? The looser controls on Android make it more likely that cybercriminals can gain access. Here are a few ways malware can spread on an Android device. See if you recognize any of these.

Knowledge Objects in Splunk

Knowledge objects are the sets of classifications and constructs that make up Splunk's data enrichment structure. They are how Splunk organizes meaning and stores it in a reusable form, so you can share your work and build on the ideas of others. Fields, searches, and reports are all examples of knowledge objects.

A collection of knowledge objects that addresses a particular use case is called an app. Knowledge objects that serve other apps in some way are called add-ons. You can develop apps and add-ons for your own use, and you will also find apps and add-ons created by Splunk and other users on Splunkbase, so you need not reinvent the wheel. A Splunk architect certification demonstrates a thorough understanding of Splunk deployment methodology and best practices for planning, data collection, and sizing for a distributed deployment, and the ability to manage and troubleshoot a standard distributed deployment with indexer and search head clustering. Splunk also offers full-scale solutions, which are apps and add-ons that address advanced use cases for whole business areas and industries (Splunk.com > Solutions).

Knowledge object: A user-defined block of logic that lets you leverage your data in specific ways to infer meaning from it. Knowledge objects are the units Splunk uses to interpret, classify, enrich, normalize, and model data. You can create, edit, save, and share knowledge objects.

Splunk apps: A group of knowledge objects that address specific use cases. Splunk apps run in Splunk Web, and you access them from the home page or the Apps menu. A Splunk app can include elements like a custom UI with dashboards, reports, and custom search commands. They are not software in the sense of a phone app, so don't worry, you don't need to be a coder.

Splunk add-ons: A kind of app that provides specific capabilities to other apps, like getting data in, mapping data, or providing saved searches and macros for use by one or more apps. Add-ons don't contain a full UI, and instead typically provide custom configurations or data inputs. An add-on is a reusable component that supports other apps across a variety of use cases.

Virtual Private Networks: Boosting Business Security to the Next Level

In this technologically advanced world where everything is online, safety and security cannot be overlooked. Whether you are using the latest technologies, tools, accessories, digital platforms, or social media, running an online business, using networks, or taking out an internet connection, safety has become essential in every segment. This is where many of you have come across VPNs, Virtual Private Networks.

A Virtual Private Network is a way to establish a protected network connection while using public networks. It is a kind of barrier or protection shield that disguises your online identity, making it difficult for third parties to track your activities and breach your data. It has been reported that the VPN industry is expected to reach $31.1 billion this year, as its popularity reaches its peak. VPNs help avoid cyber threats, and data breaches have been avoided to a significant degree, which is why more than 31% of all internet users rely on VPN services.

VPNs are directly tied to the internet. As we know, it is hard to imagine a world without the internet; everything around us needs internet connectivity to run. To make internet usage more secure and safe, VPNs come into play. A primary use of VPNs is by businesses that want to stay ahead of the competition and not let competitors see their weak points. Businesses across the globe make sure to keep their customer, work, and company data private, protecting it from predators. A VPN helps them secure their systems. Let's dig in to learn more about how VPNs are boosting businesses to the next level.

How Does a VPN Work?

A Virtual Private Network is a kind of network that hides your IP address by redirecting your traffic through a specially configured remote server run by a VPN host. When you browse online using a VPN, the VPN server becomes the apparent source of your traffic, which means your data passes through the server. As a result, third parties and your internet service provider cannot see the data being analyzed, browsed, or stored. The VPN becomes the source and protects your information and activity from another party who tries to hack you. The popularity of VPNs can be seen in a report stating that some 54% of all desktop VPN users and 57% of mobile VPN users use the service to protect their devices on public Wi-Fi, making this the most common use of all.

Benefits of Having a VPN Network

According to a report by Data Prot, 26% of internet users have used a VPN at least once, making it a desirable trend for the future. Now that you are aware of what a VPN network is and how it can help protect your business on another level, you should plan to adopt it for your business to stay competitive in the modern world. But if you are still pondering the thought of a VPN, here are some advantages to look out for.

Secure Encryption

Whatever data comes in, once it is encrypted you need the key to read it. Without the key, it is impossible to read the data, and it would take millions of years for a system to decipher the code in a brute-force attack. When you install a VPN, you can hide the online activities you carry out on a public network.

Nullify Your Whereabouts

VPNs come into play because they act as proxies on the internet: the geographic location that third parties would otherwise analyze can be hidden. With VPN servers on your side, your location can be disguised easily, and the servers do not store logs. Since no logs are stored, the user's behavior is not recorded, preventing it from being passed to other parties trying to find your location while you use the internet.

Access to Regional Content

Some content or information is not easily accessed from everywhere, and in that case VPN servers come into play. Such servers enable location spoofing, where you can change your apparent location. Regional web content is not always accessible from everywhere; it is reported that VPNs provide access to around 23 percent of restricted sites. Some services and websites contain content that can only be accessed from limited parts of the world, and with a VPN you can widen the regional area and access the content from anywhere at any time.

VPN and its Banning Scenario

VPNs have emerged as a progressive option for businesses boosting their security. Businesses that were not considering security within their systems have reconsidered it after the arrival of VPNs. But in the current scenario, a country like India is looking to ban VPNs. In August, a parliamentary committee in the country suggested that the home ministry should ban the use of virtual private networks (VPNs). With the banning idea, a lot of challenges and problems lie ahead for businesses, and people are not able to digest them. The business industry is likely to face challenges in the coming future, as it has benefited the most from this technology amid the pandemic; therefore, businesses do not want a ban at all.

However, there is a reason why parliament is proposing a VPN ban: it finds it less secure to transfer data through a VPN. According to them, VPN servers would likely give criminals opportunities to remain anonymous online, helping them gain important information that they will use for illegal purposes.

Can Docker containers replace VMs for bug bounty hunters and penetration testers?

I recently had the opportunity to build out a penetration testing service offering from the ground up, and I took this opportunity to question each aspect of what makes up a penetration testing engagement to find areas that could be improved or overhauled, based on my own experience and the experiences of others in the field.

Dedicating some time to this was a great experience and is a thought process that I hope every penetration tester and technical professional takes the time to go through. One of the more interesting parts of the work we do is to look introspectively at the value we offer and how we can maximize it. Refining how we go about things is a great way to provide greater value.

There were many things to consider, and we may talk about some of them in the future, but the aspect of penetration testing I want to talk about today is the infrastructure we use to conduct a penetration test.

What do we need from our infrastructure?

Penetration testers and bug bounty hunters typically use an environment separate from their business-as-usual (BAU) environment to conduct their testing. The main reasons for this include:

- The tooling we use for security testing is specialised and very different from the software we use day-to-day.
- We need to isolate the data collected throughout an engagement to protect sensitive information about our clients and targets.
- We need to run scripts and tools that we would not be comfortable running in an environment that has access to other sensitive files and resources.
- We want to allocate dedicated computing resources for testing so we are not confined to the computational power of our workstations.
- We need to allow long-running tasks and listeners to operate without interruption caused by our day-to-day movements.
- We need to allocate a static IP address or IP range from which all traffic originates, so our clients can be aware of where testing traffic is coming from and perform any allow-listing that needs to occur.

These factors largely apply to all types of security testing; however, the way we achieve these needs may differ depending on the type of test. For example, the tools we need for wireless network testing are very different from the tools we need to test a client's external network footprint. I specialize in web application security testing, so this post will focus on the infrastructure used for this type of engagement. You may have different needs and approaches if you do other forms of security testing.

What are some limitations of using VMs for our testing environment?

I am all for trying out new tools and techniques to find better ways of doing the work that we do, but before we throw out tried-and-tested approaches, we need to be aware of the strengths and limitations of existing approaches to warrant the research and upskilling that adopting a different approach requires. What I mean by this is: why don't we just use VMs?

I understand that I am not speaking for all security professionals, but my experience talking with people in infosec and watching what others do online suggests that virtualization is the most common way we achieve the requirements listed above. We spin up Kali or another Linux distribution in a VM, and we can do that locally on our workstation, on a dedicated server on-premises, in a data center, or in the cloud.

When following this approach, there are a few limitations and considerations that came to mind and made me think it was worthwhile exploring other options:

Maintaining a hardened SOE is a pain

Like any operating system we use, the operating system we use for testing needs to be hardened. One approach to hardening the OS used by each of our security testers is to maintain a single Standard Operating Environment (SOE) so that each of our testers can use a common hardened image. This is an important but time-intensive process, and every hour spent updating or rebuilding an SOE is time that could be better spent hacking, upskilling, or building out tooling.

Standard VMs make custom configuration difficult

On top of the effort that goes into updating and maintaining an SOE, there is all the effort spent by the testing team to start using the new SOE. Significantly more time is lost in this stage, as the effort is multiplied for each tester who needs to go through this process, rather than the individual or small team in charge of maintaining the SOE.

The issue here is that, while we may follow similar base methodologies, each tester has their own set of tools and configurations that they feel most comfortable using to be productive and get the job done. This means that each time a new SOE is pushed out, the tester needs to download the image, set up a new VM, then download and set up all their favorite tooling all over again. A seasoned security professional might script this process or utilize some build tooling to make it a little faster, but I know I find this a little dull and laborious.

New technologies are available that could be viable alternatives

There are a number of technologies that have become widely adopted by software developers and operations teams that may be suitable for what we need. More organizations are moving their computing into the cloud, and the pervasiveness of DevOps and web technologies in the software development space has brought Docker, Kubernetes, serverless computing, CI/CD pipelines, and many other technologies into widespread adoption. At this point, it seems sensible to reevaluate whether VMs are the optimal way to manage penetration testing infrastructure.

The Importance of Endpoint Security

To put it simply, endpoint security protects commonly used digital devices (smartphones, laptops, and desktop computers) from weaknesses within their software that could let hackers, viruses, and malware into a system's internal data storage, where sensitive information is kept, and access it for nefarious purposes.

What is an Endpoint?

Almost everybody has one, but they might not know what it is. Think about the digital devices that you use on a daily basis. A desktop computer? Probably. A tablet or laptop computer? Most likely. A smartphone or mobile device? Definitely. These devices are what the network security space refers to as endpoints. "Endpoints serve as points of access to an enterprise network and create points of entry that can be exploited by malicious actors" (Forcepoint.com). Laptops, smartphones, and desktops are widely used by consumers and businesses alike. But for businesses, having a level of protection from hackers looking to gain access to sensitive information about their customers and the company itself is a top priority.

Why Endpoint Security is Important

Effective endpoint security is a must for modern enterprises: locking all the doors on your corporate house isn't a matter of choice anymore. Data is the lifeblood of business, and protecting it is paramount to organizational success. With the shift towards mobility, security must now occur at all points within a network; centralized security systems prove ineffective in today's dispersed landscape. Jose-Miguel Maldonado, VP of Business Ops & Security at Rubica, explains, "People are outside the corporate security structure and today's attacks are extremely sophisticated. Traditional solutions like on-premise firewalls and anti-virus just aren't enough anymore". As organizations grow, so do the endpoints and the cost of protection. However, the cost of not securing your network can be far greater in terms of data loss, regulatory fines, and reputational damage.

On-premise Endpoint Security

This option is based on securing all network endpoints from a solution hosted and maintained on in-house servers. All costs fall on the user, including the space, electricity, cooling, and staff. On-premise software usually requires a large initial investment and can involve lengthy installation. For these reasons, it may not be the best choice for budget-conscious organizations seeking faster solutions.

Cloud-based Endpoint Security

This option involves securing all network endpoints from a solution hosted and maintained on cloud vendor servers. Often referred to as "endpoint protection," this solution provides a cost-effective, agile option that can be up and running in minutes. Cloud-based solutions offer numerous advantages, starting with access to vendor databases and monitoring that provides rapid threat response. Additionally, for a reasonable monthly fee, users get automatic data backups, quicker patching even for remote devices, and remote system control.

Types of Endpoint Security

Endpoint security engages specific practices to block threats and secure your network. Here are some to keep in mind:

Endpoint encryption: Involves the coding and scrambling of data, making it indecipherable without a key. Encryption is the last and possibly the most important security layer because it protects the data even if it falls into the wrong hands.

Forensic analysis: Works in conjunction with EDR (endpoint detection and response) by monitoring all endpoint activity and creating a digital footprint of all incidents. All information and evidence surrounding an attack (what happened, who's responsible, and the resulting consequences) is collected and analyzed to prevent future incidents.

IoT protection: Many IoT devices sorely lack adequate security upon installation. What can your organization do to lock down IoT devices? Start by installing an EDR system to manage, monitor, and scan for vulnerabilities. Be sure to remove outdated devices, install next-gen solutions, monitor all app and device access, encrypt communications, and segment your network to isolate problems.

Email gateways: Email is the most common way for criminals to attack networks, so email gateway software is critical today. Safe emails continue through the system, while potential threats go to quarantine. All email gateways should include virus and malware blocking, content filtering, and email archiving.

Quarantine protection: This is the practice of separating dangerous files to prevent harm to devices and networks. Rapidly isolating dangerous files is essential to endpoint security, and quarantining also allows valuable files to be cleaned rather than discarded.

As mentioned earlier, with the rise of remote work, more endpoint devices are being used to complete work tasks. While convenient to use on the go and at any time, endpoint devices present a variety of avenues for outside threats to enter a business network and compromise important data belonging to the company, its employees, and its customers.

A day as an MDR analyst

What is an MDR analyst?

Managed Detection and Response (MDR) entails outsourcing cybersecurity to a third party for the purpose of protecting an organization where time and scope would otherwise not allow. An MDR team steps in to manage the security and safety of the organization. This is often done by utilizing a mix of automated, reactive, and proactive responses to threats, including threat intelligence, 24/7 monitoring, and incident response, all carried out by a team of experienced security analysts.

Day in the life

Every MDR team manages its day-to-day operations differently, but efficient planning is key when analyzing different types of data from multiple international companies with hundreds or thousands of users and devices.

On a day-to-day basis, we utilize a mix of Extended Detection and Response (XDR) and Security Information and Event Management (SIEM). XDR's holistic, SaaS-based, vendor-specific security implementations allow for deep and narrow threat response, and SIEM's broader scale makes the two work hand-in-hand for a holistic approach to mitigation, protection, and remediation.

Our SIEM solution helps the analyst coming on shift by generating incidents based on log data and detection rules, alerting them if something worth investigating occurs. As part of daily life, we examine these incidents and the potentially malicious or suspicious activity behind them to determine whether it is benign, a false positive, a true positive, and so on.

Finding false negatives is also important, which is done through proactive threat hunting and tweaking the existing analytics rules we've developed. For me personally, this is a big part of my day-to-day, as I work closely with the detection indexes we use, letting me practice my KQL and improve my understanding of database and log management. Once one of my (or another analyst's) detection rules triggers, we open and investigate the incident, remediating and blocking the risk as needed.

If the shift leaves time for it, after customers' needs have been tended to, there is usually time to work on improving our environment via Agile Continuous Service Improvement. This is handled through planning cards, which can range from programming tasks, reviewing analytics rules, crafting detection indexes, and building logic apps or playbooks to anything else that needs doing, really. This also provides the opportunity to develop within the field of your choosing, be it forensics, red teaming, blue teaming, or a specific XDR or SIEM solution.

Relatedly, the shift often ends or begins with some banter or chatting with coworkers, where people share knowledge and help one another with potential blockers, or we discuss new CVEs and developments in different fields or technologies.

Critical Incidents

While critical incidents hopefully don't occur just as one has stepped off shift, once the alarm is rung, it's all hands on deck. People who aren't on shift hop on at least to get the updates and details regarding the situation and to hear from the incident leads. Sometimes other teams within Onevinn are pulled in to operate within their areas of expertise, such as mobile or application security, to act as incident leads, or to keep open communication with the customer.

After that, we follow a priority schema: assuming it's a cyber-attack, assets may need to be secured, or attackers need to be removed from the network. We analysts work methodically, asking for help as needed and contributing to securing the customer's infrastructure. The work itself can be challenging, but with the combined knowledge and experience of our seniors, we're able to learn at a remarkable pace without the stress of imminent failure affecting the quality of the work. In fact, despite the risk of long hours or overtime, the first time I personally joined in during a big incident in my time as a part-timer, the first thing I heard was a cheerful conversation. Maintaining focus and positivity throughout critical incidents is key, and for that, we have one of the best teams I've ever seen.
