TLP - The Digital Forensics Podcast

Clint Marsden

Get involved in the exciting world of Digital Forensics and Incident Response with Traffic Light Protocol: The Digital Forensics Podcast.
In each episode, we sit down with seasoned DFIR professionals, the blue teamers who work around the clock to investigate cyber intrusions. From data breaches to cyberattacks, they share firsthand accounts of some of the most intense investigations they've ever tackled, how they deal with burnout, and the added pressure of the cat-and-mouse game as they learn about new attack chains.

Top 10 TLP - The Digital Forensics Podcast Episodes

Goodpods has curated a list of the 10 best TLP - The Digital Forensics Podcast episodes, ranked by the number of listens and likes each episode has garnered from our listeners. If you are listening to TLP - The Digital Forensics Podcast for the first time, there's no better place to start than with one of these standout episodes. If you are a fan of the show, vote for your favorite TLP - The Digital Forensics Podcast episode by adding your comments to the episode page.


Episode Title: "Unmasking APT40: Tactics, Challenges, and Defense Strategies"
Key Takeaways:
APT40 is a sophisticated Chinese state-sponsored cyber espionage group active since 2009.
They target various sectors including academia, aerospace, defense, healthcare, and maritime industries.
APT40 uses advanced tactics such as spear phishing, watering hole attacks, and living-off-the-land binaries (LOLBins).
Digital forensics faces challenges in detecting APT40 due to their use of legitimate tools and anti-forensics techniques.
Effective defense against APT40 requires a comprehensive, layered security approach.
Engaging Quotes:
"APT40 represents a significant and evolving threat in the cyber landscape. Their sophisticated attacks, large scope targets and state sponsorship make them a formidable adversary." - Clint Marsden
"Defense against groups like APT40 is not about implementing a single solution. What matters is creating a comprehensive and layered security approach that can adapt to evolving threats." - Clint Marsden
Resources Mentioned:
MITRE ATT&CK Framework: https://attack.mitre.org/
Pyramid of Pain by David J. Bianco: https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
NIST Computer Security Incident Handling Guide: https://csrc.nist.gov/pubs/sp/800/61/r2/final
Sysmon (System Monitor): https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Action Points:
Implement robust email security measures, including secure email gateways and employee training.
Keep all systems and software up-to-date to reduce vulnerabilities.
Use multi-factor authentication to protect against credential theft.
Implement network segmentation to limit lateral movement.
Deploy advanced endpoint detection and response (EDR) tools.
Conduct regular threat hunting exercises.
Implement data loss prevention (DLP) solutions.
Develop a comprehensive cloud security strategy.

In today's episode of TLP - Traffic Light Protocol, Clint Marsden talks about Defending Against Scattered Spider: Understanding Their Tactics, Techniques, and Procedures.
Key Takeaways
Understanding Scattered Spider: Scattered Spider, also tracked as Roasted 0ktapus and Octo Tempest, relies on legitimate, commercially available tools for malicious purposes.
Common Tools and Techniques: They employ tools for reconnaissance (PingCastle, ADRecon), credential dumping (Mimikatz, LaZagne), remote access (ScreenConnect, TeamViewer), and VPN/tunnelling (Tailscale).
Social Engineering Tactics: Their methods include impersonation, MFA fatigue (MFA bombing), and SIM swapping to gain access.
Persistence Mechanisms: They maintain access through methods such as automatic account linking and registering additional MFA tokens on compromised accounts.
Defense Strategies: Implement strong identity verification, monitor for unusual activity, and educate users on social engineering and smishing.
Quotes
"By understanding their tactics, techniques, and procedures, or TTPs, you can better defend your network and improve its security posture."
"There's a lot of push on recognizing phishing emails and hovering over links and verifying the sender, but not enough focus on social engineering training for staff."
Action Points
Review Service Desk Processes: Ensure robust identity verification to prevent social engineering.
Monitor for Unusual Activity: Regularly audit and set up automated alerts for suspicious MFA changes or logins.
Educate Users: Conduct training on recognizing phishing and social engineering techniques.
Test Tools in a Lab: Use the mentioned tools to simulate attacks and improve defensive measures by analyzing security logs and infrastructure.
Mentioned Resources
Remote monitoring and management (RMM) tools:
Fleetdeck.io
Level.io
ngrok (tunnelling; MITRE ATT&CK software ref: S0508)
ScreenConnect
Splashtop
TeamViewer
Pulseway
Tactical RMM
Reconnaissance:
PingCastle - https://www.pingcastle.com/
ADRecon - https://github.com/sense-of-security/ADRecon
Advanced IP Scanner - https://www.advanced-ip-scanner.com/
Govmomi - https://github.com/vmware/govmomi
Credential dumpers:
Mimikatz - https://github.com/ParrotSec/mimikatz
Hekatomb - https://github.com/ProcessusT/HEKATOMB
LaZagne - https://github.com/AlessandroZ/LaZagne
gosecretsdump - https://github.com/C-Sto/gosecretsdump
smbpasswd.py - (as part of Impacket) - https://github.com/fortra/impacket/blob/master/examples/smbpasswd.py
LinPEAS - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS
ADFSDump - https://github.com/mandiant/ADFSDump
VPN:
Tailscale - Provides virtual private networks (VPNs) to secure network communications
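
The tool list above is most useful when it is turned into a detection. The following is an added example, written for this page and not code from the podcast or its guests: a triage pass over Sysmon Event ID 1 (process creation) records that matches image names against the tools listed, matches command-line syntax that survives a renamed binary, and suppresses the one RMM product your own help desk uses so that a second RMM on a host stands out. The events, the host and user names, and the choice of ScreenConnect as the sanctioned RMM are constructed assumptions, not real telemetry.

```python
"""Added example (not from the podcast): triage Sysmon Event ID 1 records for
Scattered Spider-style tooling. Sample events below are constructed."""
from dataclasses import dataclass
import re

# Tool names from the episode's resource list, grouped as the show notes group
# them. Matching is on the image basename, so these are deliberately short.
# (govc is govmomi's command-line client.)
RMM_TOOLS = ("screenconnect", "splashtop", "teamviewer", "pulseway",
             "tacticalrmm", "fleetdeck", "level")
RECON_TOOLS = ("pingcastle", "adrecon", "advanced_ip_scanner", "govc")
CRED_TOOLS = ("mimikatz", "hekatomb", "lazagne", "gosecretsdump",
              "secretsdump", "smbpasswd", "linpeas", "adfsdump")
TUNNEL_TOOLS = ("ngrok", "tailscale")

# Command-line signatures survive a renamed binary, which the name list does not.
CMDLINE_PATTERNS = (
    (re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I), "mimikatz module syntax"),
    (re.compile(r"\bngrok\b.*\b(tcp|http)\b\s+\d+", re.I), "ngrok tunnel exposing a local port"),
    (re.compile(r"\b(go)?secretsdump\b", re.I), "SAM/NTDS secrets dump"),
    (re.compile(r"\bpingcastle\b.*--healthcheck", re.I), "PingCastle AD health check"),
)


@dataclass
class ProcessEvent:          # the Sysmon Event ID 1 fields used here
    utc_time: str
    image: str
    command_line: str
    user: str
    parent_image: str


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower().removesuffix(".exe")


def classify(ev: ProcessEvent) -> list[str]:
    """Return labels such as 'rmm:teamviewer' or 'cmdline:<why>' for one event."""
    findings = []
    name = basename(ev.image)
    for label, names in (("rmm", RMM_TOOLS), ("recon", RECON_TOOLS),
                         ("cred_dump", CRED_TOOLS), ("tunnel", TUNNEL_TOOLS)):
        for n in names:
            if name.startswith(n):
                findings.append(f"{label}:{n}")
                break
    for pattern, why in CMDLINE_PATTERNS:
        if pattern.search(ev.command_line):
            findings.append(f"cmdline:{why}")
    return findings


def triage(events, sanctioned_rmm=frozenset()):
    """Return [(event, findings)] for events that hit, dropping hits that are
    only the organisation's own RMM tool. A second RMM on a host is the alert."""
    hits = []
    for ev in events:
        findings = [f for f in classify(ev)
                    if not (f.startswith("rmm:") and f[4:] in sanctioned_rmm)]
        if findings:
            hits.append((ev, findings))
    return hits


# Constructed sample telemetry, not real logs. CORP\jdoe and the paths are made up.
SAMPLE_EVENTS = [
    ProcessEvent("2024-07-01 02:14:05", r"C:\Users\jdoe\Downloads\ngrok.exe",
                 "ngrok.exe tcp 3389", r"CORP\jdoe", r"C:\Windows\explorer.exe"),
    ProcessEvent("2024-07-01 02:16:40", r"C:\Temp\m.exe",           # renamed mimikatz
                 '"m.exe" "privilege::debug" "sekurlsa::logonpasswords" exit',
                 r"CORP\jdoe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("2024-07-01 02:20:11", r"C:\Program Files\TeamViewer\TeamViewer.exe",
                 "TeamViewer.exe", r"CORP\jdoe",
                 r"C:\Users\jdoe\Downloads\TeamViewer_Setup.exe"),
    ProcessEvent("2024-07-01 08:00:00",
                 r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
                 "ScreenConnect.ClientService.exe", r"NT AUTHORITY\SYSTEM",
                 r"C:\Windows\System32\services.exe"),
    ProcessEvent("2024-07-01 09:30:00", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe", r"CORP\jdoe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    # Assumption for the example: ScreenConnect is the help desk's sanctioned RMM.
    for ev, findings in triage(SAMPLE_EVENTS, sanctioned_rmm={"screenconnect"}):
        print(ev.utc_time, ev.user, basename(ev.image), findings)
```

Matching only on file names sits at the bottom of Bianco's Pyramid of Pain: the renamed Mimikatz in the sample is caught by its module syntax, not its name. Pair this with your identity provider's audit log for new MFA method registrations on the same accounts, because the persistence point the episode makes (extra MFA tokens) leaves no trace on the endpoint.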


In this episode of Traffic Light Protocol, Clint Marsden is joined by Jonathan Thompson, a developer and AI enthusiast currently studying at Macquarie University.
Together, they dive into how artificial intelligence (AI) is transforming the cybersecurity landscape and discuss Jon’s insights into AI’s potential applications in digital forensics, incident response, and everyday IT operations.
The conversation touches on ethical considerations, potential job impacts, and how AI can be harnessed to streamline tasks like log analysis, bug detection, and threat identification.
Daniel Kahneman, Thinking, Fast and Slow: https://amzn.to/47Cpfjo
The pyramid of pain by David J Bianco: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html


In this episode of Traffic Light Protocol, we sit down with Myles, a cybersecurity veteran with over 15 years of cyber experience and a background as a Combat Engineer in the Army. Myles brings his unique perspective on integrating automation and cloud technologies into cybersecurity infrastructure deployment, specifically when deploying Velociraptor, an advanced open-source endpoint monitoring, digital forensic and cyber response platform.
We delve into his journey from the military to his current role deploying and managing advanced cloud infrastructure using Docker containers and Kubernetes orchestration.
Quotes from Myles:

  • "My time in the Army taught me the value of precision and strategy, which I now apply to cybersecurity."
  • "Cloud environments offer flexibility, but they also demand a new level of vigilance and control."
  • "With containerization, we’re not just deploying applications; we're creating a more secure and manageable environment."

Key takeaways:

  • Strategic Integration: Integrating automation and cloud technologies can significantly enhance both the efficiency and effectiveness of cybersecurity practices.
  • Proactive Security Measures: Shifting from reactive to proactive security strategies is essential for staying ahead of emerging threats.
  • Cloud Security Fundamentals: Understanding the fundamentals of containerization and orchestration is crucial for maintaining a secure cloud environment.
  • Efficiency Through Automation: Automation not only speeds up response times but also reduces the likelihood of human error in security processes.
  • Vigilance in Cloud Environments: While cloud technologies offer numerous benefits, they also introduce new security challenges that require continuous vigilance and adaptation.
  • Role of Military Experience: Insights gained from military experience can offer valuable perspectives on discipline, strategy, and precision in cybersecurity practices.
  • Future Trends: Keeping up with trends in automation and cloud security will be key to adapting to future cybersecurity challenges.

Links and resources:
Contact Myles
Website: MylesAgnew.com
Github: https://github.com/mylesagnew
ASD threat intel:
https://www.asd.gov.au/about/what-we-do/cyber-security
Tools:
Cuckoo Sandbox- https://github.com/cuckoosandbox
Wordfence - Available in WordPress plugins
WPScan (on Kali Linux) for scanning your own WordPress site for vulnerabilities
YARA-Signator: https://github.com/fxb-cocacoding/yara-signator

TLP - The Digital Forensics Podcast - Episode 10 - Detecting and Preventing Phishing Attacks
07/17/24 • 19 min

Quotes:
"Phishing targets the human element, the 'wetware,' often the weakest link in any security chain." - Clint Marsden
"Phishing isn't just about poorly spelled emails anymore; it's about sophisticated campaigns that even cyber-aware individuals can fall victim to." - Clint Marsden
"Effective defense against phishing involves not just technology but ongoing education and a culture of security awareness." - Clint Marsden
Key Takeaways:

  • Phishing attacks continue to evolve and remain a significant cybersecurity threat despite advances in technology.
  • Attackers leverage sophisticated techniques including AI and social engineering to exploit human psychology.
  • Effective defense strategies involve a multi-layered approach including user education, advanced email gateway technologies, and stringent access controls.

Action Points:

  1. Implement ongoing and evolving user education programs to enhance awareness of phishing tactics.
  2. Ensure SPF, DKIM and DMARC are published for your sending domains and enforced at the secure email gateway (SEG), and tune the SEG to filter out malicious email.
  3. Follow the ASD Essential Eight, focusing on restricting Microsoft Office macros and restricting administrative privileges. If you've got the capacity, go straight to application control.
  4. Implement multi-factor authentication (MFA) across all public-facing and internal systems to add an additional layer of security against phishing attempts.
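
Action point 2 is easy to state and easy to get half right. The following is an added example (mine, not the podcast's) that grades a domain's SPF and DMARC TXT records the way a phishing actor reads them: a ?all or +all SPF, a DMARC p=none, a partial pct, or more than ten lookup terms each leave spoofed mail deliverable. The records and domains are constructed strings and no DNS is queried; in practice you fetch them with dig TXT example.com and dig TXT _dmarc.example.com. DKIM is not graded here because it needs the selector names your sending systems use.

```python
"""Added example (not from the podcast): grade a domain's SPF and DMARC TXT
records for the weaknesses phishing relies on. Records below are constructed."""
import re

# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
SPF_LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr$|ptr:|exists:)|^redirect=", re.I)


def parse_spf(txt: str) -> dict:
    """Return {'present', 'all' qualifier or None, 'lookups'} for an SPF record."""
    out = {"present": False, "all": None, "lookups": 0}
    if not txt or txt.split()[0].lower() != "v=spf1":
        return out
    out["present"] = True
    for term in txt.split()[1:]:
        if SPF_LOOKUP_TERM.match(term):
            out["lookups"] += 1
        m = re.fullmatch(r"([+\-~?])?all", term, re.I)
        if m:
            out["all"] = m.group(1) or "+"      # bare 'all' means +all (pass)
    return out


def parse_dmarc(txt: str) -> dict:
    """Return the DMARC tag/value pairs, or {} if the record is absent or invalid."""
    tags = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def grade(spf_txt: str, dmarc_txt: str) -> list[str]:
    """List the weaknesses a spoofer could exploit; an empty list is a pass."""
    findings = []
    spf = parse_spf(spf_txt)
    if not spf["present"]:
        findings.append("SPF: no record; receivers cannot reject spoofed envelope senders")
    else:
        if spf["all"] in (None, "?", "+"):
            shown = spf["all"] or "absent (implicit neutral)"
            findings.append(f"SPF: weak 'all' qualifier {shown}; use ~all or -all")
        if spf["lookups"] > 10:
            findings.append(f"SPF: {spf['lookups']} lookup terms exceed the limit of 10; "
                            "receivers return permerror and ignore the record")
    dmarc = parse_dmarc(dmarc_txt)
    if not dmarc:
        findings.append("DMARC: no record; SPF/DKIM results are never enforced")
    else:
        p = dmarc.get("p")
        if p is None:
            findings.append("DMARC: required p= tag missing; record is invalid")
        elif p.lower() == "none":
            findings.append("DMARC: p=none only monitors; move to quarantine, then reject")
        if dmarc.get("sp", p or "").lower() == "none" and (p or "").lower() != "none":
            findings.append("DMARC: sp=none leaves subdomains spoofable")
        if int(dmarc.get("pct", "100")) < 100:
            findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of the mail")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so no aggregate reports reach you")
    return findings


# Constructed records for made-up domains; not real DNS data.
SAMPLES = {
    "weak.example":   ("v=spf1 include:_spf.mail.example ?all",
                       "v=DMARC1; p=none; pct=50"),
    "strong.example": ("v=spf1 mx include:_spf.mail.example -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"),
    "nodns.example":  ("", ""),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        print(domain, grade(spf, dmarc) or ["OK"])
```

Run it against every domain you send from, including the ones you do not send from: a parked domain with no SPF and no DMARC is exactly what a phishing campaign impersonating your brand will use, and the fix there is simply "v=spf1 -all" plus p=reject.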

Links and references:
Mitre ATT&CK - Phishing
https://attack.mitre.org/techniques/T1566/
ASD Essential Eight:
https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
IDN Homograph attacks:
https://shahjerry33.medium.com/idn-homograph-attack-reborn-of-the-rare-case-99fa1e342352
Phishing Landscape 2023 by Interisle Consulting and APWG:
https://www.interisle.net/PhishingLandscape2023.pdf
Anti Phishing Working Group:
https://apwg.org/trendsreports/
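
The IDN homograph link above is worth making concrete. The following is an added example (mine, not the podcast's or the linked article's) that decodes punycode labels, flags labels that mix Unicode scripts, and maps a handful of Cyrillic look-alikes onto their Latin counterparts so a domain can be compared with the ones you own. The sample domains, the owned-domain set and the confusables subset are constructed; the real Unicode confusables table is far larger, so treat the mapping as illustrative.

```python
"""Added example (not from the podcast): flag IDN homograph look-alikes of
domains you own. Samples are constructed; the confusable map is a small
illustrative subset of the Unicode confusables table."""
import unicodedata

# A few Cyrillic/Latin pairs that render identically in common fonts. The real
# confusables.txt has thousands of entries; this subset is an assumption.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0501": "d", "\u04cf": "l",
}


def decode_label(label: str) -> str:
    """Turn an xn-- (punycode) label back into Unicode; others pass through."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def scripts(label: str) -> set[str]:
    """Approximate script set of a label from the first word of each letter's
    Unicode name (LATIN, CYRILLIC, GREEK, ...). Digits and hyphens are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Map confusable characters to their Latin look-alike so that two labels
    that look the same compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))


def analyse(domain: str, owned: set[str]) -> tuple[str, list[str]]:
    """Return (decoded domain, findings). Two independent checks are applied,
    because each misses what the other catches: a whole-script Cyrillic label is
    not mixed-script, and a mixed-script label need not resemble anything owned."""
    decoded = ".".join(decode_label(l) for l in domain.split("."))
    findings = []
    for label in decoded.split("."):
        s = scripts(label)
        if len(s) > 1:
            findings.append(f"mixed scripts in '{label}': {sorted(s)}")
    skel = ".".join(skeleton(l) for l in decoded.split("."))
    if skel != decoded and skel in owned:
        findings.append(f"looks like owned domain {skel}")
    return decoded, findings


# Constructed samples. OWNED is an assumption standing in for your own domain list.
OWNED = {"paypal.example"}
MIXED = "\u0440aypal.example"                        # Cyrillic er + Latin 'aypal'
MIXED_PUNY = MIXED.encode("idna").decode("ascii")    # the xn-- form seen on the wire
ALL_CYRILLIC = "\u0440\u0430\u0443\u0440\u0430\u04cf.example"  # every letter Cyrillic
SAMPLES = ["paypal.example", MIXED, MIXED_PUNY, ALL_CYRILLIC, "b\u00fccher.example"]

if __name__ == "__main__":
    for d in SAMPLES:
        print(repr(d), analyse(d, OWNED))
```

The two checks are deliberately independent: the all-Cyrillic sample is a single script and passes the mixed-script test, and only the skeleton comparison catches it, which is why mixed-script detection on its own is not enough. The legitimate German IDN passes both, as it should; a homograph check that blocks every non-ASCII domain just trains users to click through warnings.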


In this episode, we speak with Phil Ngo, a Primary Investigator in Accenture's global cyber response team.
As a primary investigator, he is responsible for helping clients recover from major incidents as well as delivering proactive cyber services, such as threat hunting and tabletop exercises. Philip started his career as a high school teacher, before moving into IT support and eventually into cyber security six years ago. Philip has worked across multiple industries and, through that experience, has built up a solid cyber forensics and response skillset.
Get some tactical assistance from Phil's real-life, high-pressure incident experience. In this episode we cover:
Challenges in Digital Forensics:
Obstacles in digital forensics and incident response when working with people and systems
Frequent vulnerabilities exploited in breaches
The potential impact of AI on digital forensics and incident response
Essential qualities and resources for aspiring cybersecurity professionals
Connect with Phil on LinkedIn here:
https://www.linkedin.com/in/phil-ngo1337/
YouTube channels for additional learning:
13Cubed: www.youtube.com/@13Cubed
NetworkChuck: http://www.youtube.com/@NetworkChuck
SANS Digital Forensics and Incident Response: http://www.youtube.com/@SANSForensics

TLP - The Digital Forensics Podcast - Episode 3 - NIST SP 800-61 Computer Security Incident Handling Guide (Detection)
05/28/24 • 46 min

In this 45-minute episode Clint covers a lot of ground based on the Detection phase of NIST SP 800-61:
Attack vectors for security incidents, including insider threats and weaponised USB devices.
Incident response and detection, including the NIST guidelines and augmenting Windows logging with Sysmon.
The importance of following temporal linearity in forensic investigations: expand analysis to the 5-10 minutes before and after an event, particularly in internet history and memory dumps.
Building a baseline of normal activity through network pcaps and log analysis.
Why synchronised clocks are important.
How detailed notes help in your investigations.
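
The points about temporal linearity and synchronised clocks are the ones investigators most often get wrong in practice, so here is an added example (mine, not the podcast's) that merges constructed events from a workstation (Sysmon, UTC with no zone marker), a proxy (local time with a +10:00 offset) and a domain controller into one UTC timeline, removes a measured clock skew, and cuts the 5-minute window either side of a pivot event. The events and the 4-minute skew are constructed; measure real skew by comparing one event both clocks recorded, as measure_skew does.

```python
"""Added example (not from the podcast): merge events from several sources
into one UTC timeline, correct for measured clock skew, and cut the window
around a pivot event. Events and skew values are constructed."""
from datetime import datetime, timedelta, timezone


def parse_ts(ts: str) -> datetime:
    """Accept ISO 8601 with an offset, a trailing Z, or no zone at all; a naive
    timestamp is assumed to be UTC (Sysmon's UtcTime and EVTX SystemTime are)."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def measure_skew(host_ts: str, reference_ts: str) -> timedelta:
    """Clock skew of a host = host time minus reference time for one event that
    both clocks recorded (e.g. a network logon seen on the workstation and on
    the domain controller)."""
    return parse_ts(host_ts) - parse_ts(reference_ts)


# Measured skew per source (constructed): WS01's clock runs 4 minutes slow.
SKEW = {
    "WS01": measure_skew("2024-05-20 03:16:05", "2024-05-20T03:20:05Z"),
    "PROXY": timedelta(0),
    "DC01": timedelta(0),
}


def to_utc(ts: str, source: str) -> datetime:
    """Source timestamp -> true UTC, by removing that source's measured skew."""
    return parse_ts(ts) - SKEW.get(source, timedelta(0))


# (source, timestamp as written in its log, description). Constructed sample.
RAW_EVENTS = [
    ("WS01",  "2024-05-20 03:12:10", "Sysmon 1: powershell.exe -enc ... parent WINWORD.EXE"),
    ("WS01",  "2024-05-20 03:11:42", "Sysmon 11: Invoice.docm written to Downloads"),
    ("PROXY", "2024-05-20T13:15:31+10:00", "GET http://files.example/Invoice.docm from 10.0.0.21"),
    ("DC01",  "2024-05-20T03:20:05Z", "4624 logon type 3 from WS01 as svc_backup"),
    ("PROXY", "2024-05-20T13:40:00+10:00", "GET https://update.example/ from 10.0.0.21"),
    ("PROXY", "2024-05-20T12:50:00+10:00", "GET https://mail.example/ from 10.0.0.21"),
]


def timeline(raw, correct_skew=True):
    """Sorted list of (utc_time, source, description)."""
    rows = []
    for source, ts, desc in raw:
        t = to_utc(ts, source) if correct_skew else parse_ts(ts)
        rows.append((t, source, desc))
    return sorted(rows, key=lambda r: r[0])


def window(events, pivot_substring, before=timedelta(minutes=5), after=timedelta(minutes=5)):
    """Events within [pivot-before, pivot+after] around the first event whose
    description contains pivot_substring; the episode's 5-10 minute rule."""
    pivot = next(e for e in events if pivot_substring in e[2])
    return [e for e in events if pivot[0] - before <= e[0] <= pivot[0] + after]


if __name__ == "__main__":
    for t, src, desc in window(timeline(RAW_EVENTS), "powershell.exe"):
        print(t.isoformat(), src, desc)
```

With the skew left in, the sample shows the macro document being written four minutes before the proxy saw it downloaded, which is impossible; once corrected the order is download, file write, child process, lateral logon. Establish the skew before building the timeline, and record how it was measured in your notes.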


Episode 13 is another giant episode with a focus on what it's like to be in the mud working on real-life forensic investigations. Jacob and Clint talk about an ELK-based EDR built on Sysmon.
Sandbox Environments: Jacob discusses the creation of a sandbox environment using an ELK stack combined with Sysmon, enabling in-depth malware analysis by capturing and analyzing detailed system activity.

Automation in Investigations: Jacob emphasizes the importance of automating repetitive tasks, such as business email compromise investigations, to streamline processes and improve efficiency.
Pen Testing and Red Teaming: Jacob shares insights into the importance of understanding both offensive (red teaming) and defensive (blue teaming) techniques to better anticipate and mitigate threats.

Practical Learning: Jacob advocates for hands-on experience in digital forensics, highlighting the limitations of theoretical knowledge and the value of real-world application.
Resources Mentioned:

  • ELK Stack: Used for creating a detailed sandbox environment for malware analysis.
  • Sysmon: Essential tool for capturing detailed logs on Windows systems.
  • Axiom: A commercial digital forensics tool praised for its comprehensive and reliable results.
  • Cellebrite: A tool used for mobile device forensics, particularly for logical acquisitions.
  • Splunk: Utilized for automating the investigation process by analyzing large datasets quickly.

Jacob Wilson's LinkedIn: https://www.linkedin.com/in/jacob--wilson/?originalSubdomain=au


In this episode, Clint Marsden goes straight into 4 practical strategies that enable better forensics and stop data exfiltration, no matter the size of your budget.
Clint covers deploying Sysmon for enhanced monitoring, and using Group Policy to tighten print and USB security.

Event log cleared: Security Event ID 1102
ACSC Windows event logging and Sysmon guidance: https://github.com/AustralianCyberSecurityCentre/windows_event_logging
SwiftOnSecurity Sysmon config: https://github.com/SwiftOnSecurity/sysmon-config
Printer forensics: https://eventlogxp.com/blog/how-to-track-printer-usage-with-event-logs/
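
Event ID 1102 and the printer events come out of the same XML shape, so this added example (mine, not the podcast's) pulls both out of Windows event XML of the kind Get-WinEvent's ToXml() or wevtutil qe Security /f:xml produces: who cleared the Security log and when, and which documents were printed, by whom and how large. The records are constructed; the 307 Param1..Param8 layout follows that event's message template (job id, document, user, client, printer, port, bytes, pages).

```python
"""Added example (not from the podcast): extract Security Event ID 1102 (audit
log cleared) and PrintService Event ID 307 (document printed) from Windows
event XML. The records are constructed; the field layout follows the events'
schemas."""
import xml.etree.ElementTree as ET


def local(tag: str) -> str:
    """Strip the XML namespace so the parser works on any channel's export."""
    return tag.rsplit("}", 1)[-1]


def fields(elem) -> dict:
    """Flatten descendants into {name: text}; EventData <Data Name=".."> elements
    are keyed by Name, UserData elements by their local tag name."""
    return {(c.get("Name") or local(c.tag)): (c.text or "").strip()
            for c in elem.iter() if c is not elem}


def parse_events(xml_text: str) -> list[dict]:
    """One flat dict per <Event>: provider, event_id, time, channel, computer,
    plus every EventData/UserData leaf."""
    events = []
    for ev in ET.fromstring(xml_text).iter():
        if local(ev.tag) != "Event":
            continue
        system = {local(c.tag): c for c in next(c for c in ev if local(c.tag) == "System")}
        row = {
            "provider": system["Provider"].get("Name"),
            "event_id": int(system["EventID"].text),
            "time": system["TimeCreated"].get("SystemTime"),
            "channel": system["Channel"].text,
            "computer": system["Computer"].text,
        }
        for c in ev:
            if local(c.tag) in ("UserData", "EventData"):
                row.update(fields(c))
        events.append(row)
    return events


def log_cleared(events):
    """1102 is written by the Event Log service itself as the first record of the
    freshly cleared Security log, so it names the account that cleared it."""
    return [{"time": e["time"], "computer": e["computer"],
             "user": f'{e.get("SubjectDomainName", "")}\\{e.get("SubjectUserName", "")}',
             "logon_id": e.get("SubjectLogonId")}
            for e in events if e["event_id"] == 1102 and e["channel"] == "Security"]


def documents_printed(events, min_pages=20):
    """307 Param1..Param8 = job id, document, user, client, printer, port,
    bytes, pages. Returns jobs of at least min_pages, largest first."""
    jobs = [{"time": e["time"], "document": e["Param2"], "user": e["Param3"],
             "client": e["Param4"], "printer": e["Param5"],
             "bytes": int(e["Param7"]), "pages": int(e["Param8"])}
            for e in events
            if e["event_id"] == 307 and e["provider"] == "Microsoft-Windows-PrintService"]
    return sorted((j for j in jobs if j["pages"] >= min_pages),
                  key=lambda j: j["bytes"], reverse=True)


# Constructed records (host, user and document names are made up).
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID>
    <TimeCreated SystemTime="2024-07-01T02:30:00.000Z"/><Channel>Security</Channel>
    <Computer>WS01.corp.example</Computer></System>
  <UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
    <SubjectUserSid>S-1-5-21-1-2-3-1001</SubjectUserSid><SubjectUserName>jdoe</SubjectUserName>
    <SubjectDomainName>CORP</SubjectDomainName><SubjectLogonId>0x3e7a1</SubjectLogonId>
  </LogFileCleared></UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-PrintService"/><EventID>307</EventID>
    <TimeCreated SystemTime="2024-07-01T01:55:12.000Z"/>
    <Channel>Microsoft-Windows-PrintService/Operational</Channel>
    <Computer>WS01.corp.example</Computer></System>
  <UserData><DocumentPrinted>
    <Param1>12</Param1><Param2>customer_list.xlsx</Param2><Param3>jdoe</Param3>
    <Param4>\\\\WS01</Param4><Param5>Microsoft Print to PDF</Param5><Param6>PORTPROMPT:</Param6>
    <Param7>2048576</Param7><Param8>41</Param8>
  </DocumentPrinted></UserData>
</Event>
</Events>"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    print(log_cleared(evs))
    print(documents_printed(evs))
```

An actor who clears the Security log cannot avoid 1102; it is the first record in the new log. What they can do is clear it before it is collected, which is the argument for forwarding Sysmon and Security events off the host as the episode recommends. Clearing any other log writes Event ID 104 to the System log with a similar LogFileCleared structure, so widen the channel filter if you want both. Note that the PrintService/Operational channel is disabled by default and has to be enabled (by Group Policy, as the episode describes) before 307 events exist to collect.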


This is the biggest episode from a content perspective so far. I'm excited to share it with you.
Episode Highlights:

  • How to run post-incident debriefs and post-mortems.
  • Involving external teams
  • Using lessons learned to form actionable insights.
  • Key questions to address in incident analysis.
  • Effective report writing strategies, including timelines and executive summaries.
  • Evaluating and improving incident response procedures and tools preparation.
  • Engaging broader teams in the debrief process for better cooperation.
  • Tracking and documenting incident response efforts for continuous improvement.

Key Takeaways:

  • Post-incident debriefs and post-mortems offer the most value for learning, improving incident response and preventing recurrence.
  • Structured frameworks and guidelines, such as NIST SP 800-61, provide valuable direction for how to run your debrief and post-mortem meeting.
  • Effective communication, documentation, and cooperation across teams enhance incident handling and future preparedness.

FAQ

How many episodes does TLP - The Digital Forensics Podcast have?

TLP - The Digital Forensics Podcast currently has 16 episodes available.

What topics does TLP - The Digital Forensics Podcast cover?

The podcast is about Hacking, Windows, Podcasts, Technology and Cyber.

What is the most popular episode on TLP - The Digital Forensics Podcast?

The episode title 'Episode 11 - Velociraptor, Containerisation and Infrastructure Deployed as Code with Myles Agnew' is the most popular.

What is the average episode length on TLP - The Digital Forensics Podcast?

The average episode length on TLP - The Digital Forensics Podcast is 30 minutes.

How often are episodes of TLP - The Digital Forensics Podcast released?

Episodes of TLP - The Digital Forensics Podcast are typically released every 7 days.

When was the first episode of TLP - The Digital Forensics Podcast?

The first episode of TLP - The Digital Forensics Podcast was released on May 16, 2024.
