Blog

Microsoft Office Vulnerability Lets Attackers Install Malware Without User Interaction

A new vulnerability in Microsoft Office has surfaced. The vulnerability is a memory corruption issue that resides in all versions of Microsoft...

Posted on November 15, 2017
Oct 12

Bridging the Cyber Security Culture Clash

Why Derbycon is So Good for the Security Community

I had a chance to go to DerbyCon for the first time this year. I was amazed at how great it was and a lot of fun of course, but there was more to it than that. I’ve been to many regional conferences, as well as Def Con, Black Hat, RSA and even Gartner security conferences, but DerbyCon was altogether different and felt like there was a higher benefit that I couldn’t put my finger on.

May 12

WannaCry: Mass Ransomware Worm Capabilities Campaign - What to do.

UPDATE 5/18/2017 10:40AM ET: A new tool was released by Adrien Guinet that can decrypt WannaCry-impacted systems. It only works on Windows XP because of how that platform's cryptography libraries behave: the prime numbers used to generate the key are not erased from memory, so they can be recovered by searching the wcry.exe process memory.
Oct 12

Reliably Detecting Pass the Hash Through Event Log Analysis

At BDS we have the unique ability to pull large subsets of data in order to identify abnormal patterns in environments. With our BDS Vision product, the endpoint is one of the easiest ways for us to identify compromises within an organization and we continue to add better detection capabilities every day. One of the many features we have within Vision is the ability to detect Pass the Hash (PtH) through multiple methods. I recently presented one of the methods we use for Pass the Hash detection at this year’s GrrCon. The point of this detection is not to focus on a tool, but rather the behavior of a specific indicator within a network and patterns that are abnormal.

Jan 21

New Tool Release: GoatRider - OTX, Artillery, and Alexa lookups

During incident response, you may need to look up abnormal activity very quickly. While using feeds such as Artillery and OTX is far from a bulletproof method, these feeds can quickly help identify known C2 or malicious IPs or hostnames. The purpose of GoatRider is to make it simple to look through multiple sources quickly and determine if there's anything abnormal in a hostname or IP address list.
Dec 14

Tool Update: Auto-OSSEC + MSI Builder
Oct 05

Tool Release: Auto-OSSEC - automated OSSEC deployment

We often get customers that prefer to use OSSEC as an endpoint detection and file integrity monitoring (FIM) agent. Regardless of what SIEM is in place, a lot of them have OSSEC integration. AlienVault in particular also has the ability to fully integrate and control OSSEC agents. Regardless of whether you are using OSSEC with a SIEM, standalone, or some other way, the biggest pain point for mass deployment across an organization is automatically provisioning agents. OSSEC works by first installing OSSEC as a server, then deploying the agents. Each agent requires a key from the server in order to pair with it and transmit logs.
May 12

Mick Douglas joins the BDS Family!

Binary Defense Systems (BDS) is happy to announce that Mick Douglas (@bettersafetynet) is joining the team. Mick is coming in as the Practice Lead for the Incident Response (DFIR) team. Mick currently teaches the SANS SEC504 and SEC550 courses and brings additional capabilities to the BDS team. Mick is going to be closely helping with DFIR as well as improving detection of attackers across BDS customers and product lines. Additionally, Mick will be responsible for special projects and general defensive ninja stuff.
Feb 10

Anthem Phishing Schemes - Beware

BDS has been actively monitoring multiple phishing campaigns using the Anthem breach as a pretext for attack. The fraudsters' primary goal is to obtain Social Security numbers and credit card information from victims who enter that information on the website. When investigating the website, no malicious software, exploits, or downloaders were identified; the site exists solely to steal personal information.
Feb 10

Artillery 1.4 Released - New major features

Binary Defense Systems (BDS) is proud to announce the release of Artillery version 1.4. This version adds several new features. The first is the ability to hook into multiple threat intelligence feeds and incorporate them into Artillery's normal banlist threat intelligence feeds. The inspiration came from Deep Impact (@DeepImpactIO) and a blog post written here: http://www.deepimpact.io/blog/splunkandfreeopen-sourcethreatintelligencefeeds. Artillery now has new configuration options that allow you to specify multiple source feeds outside of Artillery's own threat intelligence feeds. To enable these feeds, edit the Artillery config and change the option to ON (which is now the default).
Feb 09

Active Phishing Campaign with PowerShell Injection

Sending phishing emails with attachments is nothing new; however, there has been a significant decline in attacks that focus on attachment exploitation, due to heavy SMTP content filtering. Most of the attacks have shifted to malicious links and websites. A common phishing campaign uses delayed or returned packages from USPS/FedEx/UPS in order to entice victims to click a link (a very old campaign). We've seen some pretty horrible attempts in the past, for example sending zip files containing EXEs and PDF downloaders.