Cyber Security Services
Matt Sherman | 04 Dec 2014 | 0 comments

Ransomware threats such as CryptoLocker or CryptoWall are becoming more prevalent in enterprises. The purpose of these threats is quite simple; they are attempting to extort money from their victims with promises of restoring encrypted data.

We have seen a sharp rise in requests from customers with respect to ransomware, and it is important to understand these risks, what to do, what not to do, and how best to prevent yourself from becoming a victim.

  • My data’s been encrypted by Ransomware, what now?

    • Do not pay the ransom!

      • Paying the ransom may seem like a realistic response, but it is only encouraging and funding these attackers. Even if the ransom were paid, what guarantees do you have that you will actually regain access to your files? Remember that these are the same aggressors that are holding your files hostage in the first place.

      • Remove the impacted system from the network...

Vince Kornacki | 19 Nov 2014 | 0 comments

If you're familiar with web application penetration testing and SQL injection then the classic SQL injection exploit string should ring a bell:


This exploit string is utilized by attackers to modify the structure of a dynamic SQL query executed by the target web application. For example, consider the following Java code snippet that executes a SQL query against a backend MySQL database in order to search for albums by a specified artist. The code constructs a dynamic SQL query including unvalidated user input:


This query will match all database table rows where the artist name matches the unvalidated "artist" parameter supplied by the user. A typical search would result in a SQL query that looks something like this (user input is displayed in red):


Vince Kornacki | 05 Nov 2014 | 0 comments

Like big brother Apache, default Tomcat logging leaves a little something to be desired, especially in regard to forensics. And you know what they say: When Tomcat forensic logging is away, the hackers will play! Well fine, maybe nobody ever said that, but you get the point. In any case, let's play cat and mouse with those wily hackers and bolster default Tomcat logging! For this blog post we'll be working with Tomcat 7.0.56 running on Debian Linux:

root@debian $ /usr/share/tomcat7/bin/ | grep "Server version"
Server version: Apache Tomcat/7.0.56 (Debian)...

Bob Burls | 13 Oct 2014 | 0 comments

Welcome to the second in our series of blog posts on malware evolution and its impact on Incident Response. In our first installment we focused on how modern malware has evolved and why it is essential for us as Incident Responders to be prepared for what our adversaries are operating with. We considered some examples and discussed attackers’ motivations behind malware payloads and the impact on victims.

Today’s topic is dedicated entirely to bot-related matters, where we will examine botnet infrastructure. Botnets are considered by some to be the Internet offender’s weapon of choice. Before we delve directly into the computer criminal’s cyber-arsenal, it is important to understand what bots and botnets are and how they work. The subject of bots opens up a whole new glossary of terms and abbreviations, which we will describe and demystify.

A bot is, in simple terms, an...

Samir_Kapuria | 26 Sep 2014 | 1 comment

Last month, I had the privilege of visiting Sydney, Australia to open our newly expanded office and Security Operations Center (SOC). I arrived in Sydney early in the morning and as I approached the hotel, I got my first glimpse of Sydney Harbor and was happily surprised to see a skyscraper boasting the Symantec logo high above other buildings. The “Symantec House” is home to our expanded office and Security Operations Center (SOC) and is located right in the heart of the beautiful and bustling harbour town of Sydney near the popular centre, “The Rocks”.

After enjoying morning tea, the Parliamentary Secretary to the Minister of Communications, Paul Fletcher, alongside Symantec’s Adrian Jones, unveiled our new Kent Street office where the SOC is the...

Bob Burls | 24 Sep 2014 | 0 comments

In order to optimise the success and operation of a franchising model, which could be an organization with affiliate or agent offices, we recommend there should be IT security standards set that the franchisee adheres to. Whilst generic standards and criteria are usually set out as contractual obligations, for example, livery and uniforms, operating hours, employees’ terms and conditions, codes of conduct and business interaction between franchise and the parent organisation, some standards are not so apparent or perhaps never even specified.

Take, for example, the computer infrastructure used to operate a franchise’s Point of Sale (POS) systems. It is often the case that we see a franchise model that is succeeding in profits but putting the parent company at risk due to a shortfall in the management and security of the franchise’s IT infrastructure. Sometimes systems are not standardised, centrally managed, kept up to date with end-point protection, or even utilising...

Jamie Porter | 11 Sep 2014 | 6 comments

The examination of prefetch files is commonly done during live response.  They are easy to grab, quick to analyze and can provide useful information when investigating malicious activity.

Here is what information we can glean from the prefetch:

  • When a malicious file was executed

  • Where it was launched from

  • How many times it has been run

  • What DLLs were used by the malicious code

  • Name and location of the malicious file (even if deleted)

  • Timeline of attack activity

  • General suspicious activity

Let’s start with an overview of prefetch.

Prefetching was first seen in Windows XP and is used to speed up the operating system and application startup.  Here is how Microsoft defines it: “Each time you turn on your computer, Windows keeps track of the way your computer starts and which programs you commonly open. Windows saves this...

Clint M. Sand | 05 Aug 2014 | 1 comment

The term incident response means a lot of things to a lot of people. Historically, words like “unpleasant” or “chaotic” come to mind when thinking about the last time many organizations responded to the suspicion of a compromise by external attackers. Today, for most organizations incident response is a part of their security program but is still primarily a reactive premise centered on a plan or policy document that describes how they should handle such an event.

How do you ensure your incident response plan is optimized to handle the demands of an escalating threat landscape? Is a plan enough?

I recently spent some time talking with the Incident Response experts on my team, our partners, and about 80 customers in CISO roundtable events over the past few months. A clear answer surfaced.

An incident response plan is...

Matt Sherman | 04 Aug 2014 | 4 comments

I have a calendar alert that goes off at 9:30 AM to “Reach out to Layer 8”, which is a little project I devised for myself. When the reminder fires, I open a file called “Friends.txt” that contains several people’s names, departments and phone numbers. I select a name from the list and give them a call. This is usually a quick chat. I try to keep the conversation below 15 minutes, and we generally discuss overlap in our roles, projects that we have in common, or new projects that the other might not have visibility into. I end the call by saying something to the effect of “If you see anything weird, let me know”. This is how I know the status of my Layer 8 sensor array.

I am willing to say that you have these types of contacts in most of the departments in your organization and that you have worked security events with these contacts in the past. I would also say 15 minutes of chat...

Vince Kornacki | 04 Aug 2014 | 0 comments

In the previous installment we examined default Apache logging. Now let's pump up the default Apache combined log format in order to supercharge forensic capability! We'll utilize the mod_log_config "LogFormat" directive in order to define the "enhanced" log format within the /etc/apache2/apache2.conf configuration file:

LogFormat "%{%a %m/%d/%Y @ %I:%M:%S.}t%{msec_frac}t %{%p %Z}t %h (%{X-Forwarded-For}i) > %v:%p \"%r\" %I %D %>s %b %k %L \"%{Referer}i\" \"%{User-Agent}i\" %u %{User}C %{SessionTracker}C" enhanced

Note that mod_log_config is statically compiled into Apache. A sample Apache enhanced log format entry looks a little something...