March 13, 2012 | Jaime Blasco

Targeted attacks against Tibet organizations

We recently detected several targeted attacks against Tibetan activist organizations including the Central Tibet Administration and International Campaign for Tibet, among others. We believe these attacks originate from the same group of Chinese hackers that launched the ‘Nitro’ attacks against chemical and defense companies late last year and are aimed at both spying on and stealing sensitive information about these…

February 25, 2012 | Conrad Constantine

Got a Question for the labs guys? Come Heckle us at RSA Booth 717 and Bsides

So once again, the time to drink from the firehose is upon us: RSA Conference 2012 and BSides San Francisco are a few short days away. This year is looking like it will be an event of monstrous proportions: 2011 was an exceptionally busy year for things of significance in the Infosec world and there’s no shortage of hot topics to…


February 25, 2012 | Conrad Constantine

If It's Stupid and it works, It's not Stupid!

One of my favorite ways to explain threat-modelling to people outside the field starts with a little humor: A martial arts instructor is teaching a new class; wanting to impress them with his flashy techniques, he picks on the frailest-looking new student and instructs them to attack him… the student, who has never been in an actual fight before, comes…

February 22, 2012 | Dominique Karg

AlienVault Open Threat Exchange (AV-OTX) released!

We’re proud to announce the immediate availability of the first phase of our threat exchange platform. You can check the marketing text on the AlienVault main site. We’ll be releasing more detail on the inner workings as we go on, or if you can’t wait, just upgrade your OSSIM installation and have a look…

February 22, 2012 | Dominique Karg

Introducing the Alienvault Labs

We’re proud to present the new Alienvault Labs. This portal should unify research and development efforts made around the Alienvault SIEM and other security areas. For the launch we’ve reposted Jaime Blasco’s and DK’s complete blogs, along with some presentations and open source code. There’s more code to come and we’ve got some special…

February 14, 2012 | Jaime Blasco

Some APT C&C traffic Snort rules

Commandfive did a great job and published a research document (http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf) that describes some APT C&C communication protocols used in the SK Communications hack and other recent attacks. We have written some Snort rules to detect the protocols described in the analysis. We have tested some of them with…

February 1, 2012 | Alberto Ortega

Detecting malware domains by syntax heuristics

An important challenge we face when feeding our Open Source IP Reputation System is to differentiate between real threats and false positives. However, nothing in the universe is black or white. Each IP in the database has a reliability value from 1 to 10. That’s because in some special scenarios, an IP can be good and bad at the same…

January 19, 2012 | Conrad Constantine

New Garage Tool: ClearCutter

I’ve just finished committing the first alpha release of ClearCutter to the Alienvault-Garage repository on GoogleCode. It’s a tool born of necessity, for anyone who’s spent a good amount of time on those ‘SIEM pre-processing’ tasks, neck-deep in sed, grep, awk, uniq. ClearCutter (because it ‘clears a forest of logs’) is my work-in-progress combination tool for all those…

January 12, 2012 | Jaime Blasco

Sykipot variant hijacks DOD and Windows smart cards

Defenses of any sort, virtual or physical, are a means of forcing your attacker to attack you on your terms, not theirs. As we build more elaborate defenses within information security, we force our attacker’s hand. For instance, in many cases, implementing multi-factor authentication systems just forces the attacker to go after that system directly to achieve their…

December 20, 2011 | Jaime Blasco

Are the Sykipot’s authors obsessed with next generation US drones?

For several weeks there has been a great deal of talk about the “undeclared global cyber war”. There have been accusations that China is stealing almost anything they choose and that they have a “shopping list” that gives priority to key industries like: clean energy industry, biotechnology, semiconductors, information technology, aerospace technology, medical technology. This month, Lockheed Martin raised the…

December 12, 2011 | Jaime Blasco

Another Sykipot sample likely targeting US federal agencies

Last week Adobe issued an advisory on a zero-day vulnerability (CVE-2011-2462) that has been being used in targeted attacks, probably defense contractors. The payload used is Sykipot, a known malware that has connections with several targeted attacks/0days in the past. During the analysis of this attack, I’ve found a new sample with a fresh command and control…

December 6, 2011 | Conrad Constantine

Easy entry to SIEM Correlation Rules with Policy Validation

“We’d love to do log correlation, but we just don’t know where to start!” If I had a dollar for every time I’ve heard this expressed, I’d ... have enough to buy everyone in the company a round of drinks. Start with what you know. For most organizations, the amount of…
