Cyber Security Services
Jamie Porter | 04 Aug 2014 | 8 comments


The term live response is being heard more and more frequently, but what exactly is it, and how does it differ from traditional forensics?

Live response and traditional forensics have a lot in common in that they both look for similar artifacts on a system. The differentiator with live response is that the artifacts are being discovered on a live, running system against an active adversary. With traditional forensics, images are taken of volatile memory and disks before being analyzed. Imaging alone can take hours, and then the images need to be processed and indexed to allow for keyword searches. Obtaining and processing the image can easily take a day or longer with large-capacity disks. With live response there is no imaging or processing that has to occur; everything is real time. This dramatically improves the response time in identifying and...

Trent Healy | 04 Aug 2014 | 7 comments


Yara is a tool that Symantec uses on incident response engagements in order to help us respond quickly and triage hosts while our security team is prepping signature updates for our affected clients. Yara is a very popular tool among security researchers, as it is a flexible tool for classifying and discovering malware through hunting and gathering techniques.

In a live response situation the malware we find is usually only running in memory, with little to no disk artifacts. Yara is perfect for deploying across an enterprise and scanning processes running in memory or files residing on disk. As an incident responder, time is of the essence: customers are worried about losing intellectual property, the customer's security team and/or IT team is walking on eggshells, and the need to find evil fast is of the utmost importance.

The idea is to create a yara rule based on...

Robert Shaker | 04 Aug 2014 | 0 comments


When the kids at the schools where I speak ask me what I do for a living I don't tell them I postulate about quantifying the loss of opportunities when we delay a response to an incident or malicious cyber-attack. I tell them I help the world fight cyber attackers. It just happens that this work gets me thinking about how to make us better at battling back. That's where this blog series started: with a really bad couple of weeks of Friday afternoon calls from customers who had run out of options and now needed someone else to come in and help them.

In my last two posts in the series I postulated that there was a quantifiable loss of opportunities when we delay a fast reaction to an incident caused by a malicious attacker. I even came up with an equation for it: TID – TCA = ∆T = LO, Time of Incident Detected – Time to Call for Assistance = Delta Time = Lost...

Bob Burls | 04 Aug 2014 | 0 comments


Welcome to the first of a series of blog posts on Malware Evolution. Through the series we’ll be covering modern malware types including bots, denial of service attacks, Ransomware and banking Trojans. We will look at the tactics and trends that have utilised new techniques. In addition, we’ll examine the reuse of existing methodology in new ways, which attempt to thwart detection and increase malicious efficiency. The series will highlight why it is essential for us as Incident Responders to be prepared for what our adversaries are operating with.

As everyone knows, it is essential to defend against and respond readily to the inevitable network attack. Part of our structured defence regime must be to understand the nature of a threat, its delivery mechanisms and its operational and evasion techniques.

The evolution of malware species has taken a drastically alternative...

Vince Kornacki | 04 Aug 2014 | 0 comments


Like an unsightly beer belly, default Apache logging functionality leaves a little something to be desired, especially with regard to forensic capability. So let's pump up the default Apache logging functionality and carve out a forensic six pack! For this blog post we'll be working with Apache 2.4 running on Debian Linux:

root@debian $ apache2 -v
Server version: Apache/2.4.9 (Debian)
Server built:   Jun  8 2014 10:01:34

The default Apache HTTP log format is defined within the /etc/apache2/sites-available/000-default.conf configuration file (which is symbolically linked from /etc/apache2/sites-enabled/000-default.conf), and the default Apache SSL log format is defined within the /etc/apache2/sites-available/default-ssl.conf configuration file (which is symbolically...

Robert Shaker | 04 Aug 2014 | 0 comments


In my last post in this series I introduced Time of Incident Detected (TID) – Time to Call for Assistance (TCA) = Delta Time (DT) = Lost Opportunity (LO) and defined what TID and TCA meant in this equation. In today’s post I’d like to explain Delta Time (DT).

Delta time is highly critical in determining success against an adversary. But what is the right amount of delta time? How much time can pass before the loss of opportunity is too great? As I defined, TID is when you determine that a response is needed. That doesn't mean the same as when you know you need an incident response team; that was TCA. I didn't feel as though this was something that I solely could opine on. I needed experts in Incident Response who could share with me their point of view on how long DT could be and how that equates to LO. Considering that it takes roughly 24 hours for an external...

Jeannie Warner | 03 Aug 2014 | 0 comments

We have decided to combine two of the blogs populated by the security analysts from various disciplines within Symantec's Cyber Security portfolio to create a single location, with the intent to make it easy for readers to keep in touch with interesting ideas and topics. Prior to this re-organization, we had separate blogs for our Managed Security Services analysts and Cyber Readiness researchers, as well as individual Symantec analyst blogs in other locations and various product-specific blogs within our Symantec Connect communities. This made for too many places to check to stay on top of relevant information coming out of the Cyber Security group. It's time for some streamlining.

So who is the Cyber Security Group? We’re a collection of security professionals that support the following security challenges:


Our objective for this change is to both introduce...

Robert Shaker | 01 Aug 2014 | 0 comments

I've been involved in incident response for a long time, whether as a client, consultant or working for Symantec, and have seen something that has been pretty consistent over these many years: the time between a customer experiencing an incident and when they finally call for assistance. When I talk to our Global Partners and our Symantec Incident Response Services team, they find the same thing; they usually get a call on Friday, late afternoon, local time zone, and the client has been working the case for anywhere between a week and months. When I ask my peers about this, the thing that bothers me is that we all chuckle about it: "Oh yeah, Friday, at 3PM, that phone is going to ring." I hear it from all of them. But it's not funny.

When I went from owning my own IT consulting business to leading the IT department for a consulting company I was no different from my current peers. I would spend hours, days, and weeks, working an incident with my team, and, whether it was...

Tim G. | 29 Jul 2014 | 1 comment

Symantec's Cyber Security Group has updated the intelligence available in the DeepSight Global Incidents widget on the MSS and DeepSight portal. We have added a completely interactive environment that will allow you to search for events by city or by threat name; this will allow you to see at a glance hotspots in the threat landscape, as well as search for global distributions of specific threats.

Additionally, you can expand this widget to full screen and more completely interact with the information. There is an information button on the widget, and updates to the documentation have been made.

This feature goes live on July 30th at 6:30AM EDT.

Attached is an FAQ which should help answer any questions regarding this new feature.

Linda Smith Munyan | 23 Jul 2014 | 1 comment

The number of data breaches rose 62 percent in 2013, according to the Symantec Internet Security Threat Report, and the tactics and techniques of cybercriminals exponentially exploded. Motives of these cyber intruders vary: financial gain, network infiltration, "hacktivism", cyber espionage/sabotage, or just simple harassment. As this underground economy grows, so does our awareness, as more and more businesses become targets.

Symantec dives deeper into the underground economy, with a series of blogs that will shed light on the darkest mysteries of this online world. Check out Part 1 of this series ...