INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Increased Number of Configuration File Scans
Published: 2023-05-03
Last Updated: 2023-05-03 06:37:52 UTC
by Xavier Mertens (Version: 1)
Today, automation is crucial for many organizations. In cloud environments and in containers, many apps are deployed automatically, for example, to face a sudden peak of activity or to reduce costs. Automation means that everything must be pre-configured: the specifications of the applications, but also the critical information needed to interact with the hosting platform (credentials, API keys, secret keys, ...).
Such information is often stored in environment files. The best example is probably the ".env" file used by Docker. Such files contain credentials for services in key-value format. They should be stored locally and not be uploaded to code repositories. The verb "should" is the problem: many developers include .env files in online repositories and, when the application is deployed, they become publicly available!
Of course, bots are looking for such files. I detected a recent peak of activity in my logs:
Read the full entry:
https://isc.sans.edu/diary/Increased+Number+of+Configuration+File+Scans/29806/
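The scans described above are easy to spot in web server logs. As an added example (not code from the diary), the following Python snippet parses combined-format access log lines, counts requests for .env and similar configuration paths per source address, and flags any such request the server answered with 200, meaning the file was actually served. The sample log lines and the list of probed paths are constructed assumptions.

```python
import re
from collections import Counter

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Paths a legitimate client never requests; this list is an assumption and can be extended.
CONFIG_PATH_RE = re.compile(r'(^|/)\.env(\.[\w.-]+)?$|(^|/)\.git/|/wp-config\.php$', re.I)

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [03/May/2023:06:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [03/May/2023:06:01:03 +0000] "GET /.env.bak HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [03/May/2023:06:01:04 +0000] "GET /config/.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [03/May/2023:06:02:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.7 - - [03/May/2023:06:02:11 +0000] "GET /.git/config HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.5 - - [03/May/2023:06:03:00 +0000] "GET /.env?x=1 HTTP/1.1" 200 512 "-" "python-requests/2.28"
"""


def parse_line(line):
    """Return (ip, method, path, status) for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, method, path, status = m.groups()
    return ip, method, path.split("?", 1)[0], int(status)  # drop the query string


def analyze(log_text, threshold=2):
    """Count config-file probes per source IP; 'exposures' lists probes answered with 200."""
    probes = Counter()
    exposures = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ip, _method, path, status = parsed
        if not CONFIG_PATH_RE.search(path):
            continue
        probes[ip] += 1
        if status == 200:
            # The server served the file: treat any secret in it as already leaked.
            exposures.append((ip, path))
    scanners = {ip: n for ip, n in probes.items() if n >= threshold}
    return {"scanners": scanners, "exposures": exposures}
```

An exposure entry is the one to act on first: rotate the credentials the file contained, then block the file from being served.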
Quick IOC Scan With Docker
Published: 2023-04-28
Last Updated: 2023-04-28 10:27:38 UTC
by Xavier Mertens (Version: 1)
When investigating an incident, you must perform the initial tasks quickly. There is one tool in my arsenal that I use to quickly scan for interesting IOCs ("Indicators of Compromise"). This tool is called Loki, the free version of the Thor scanner. I like this tool because you can scan a whole computer (processes & files) or a specific directory (files only) for suspicious content. The tool ships with many interesting YARA rules, but you can always add your own to increase its detection capabilities.
Loki is delivered as a package with an executable for the Windows environment, but it is developed in Python. Therefore, why not create a Docker image ready to scan your pieces of evidence?
Read the full entry:
https://isc.sans.edu/diary/Quick+IOC+Scan+With+Docker/29788/
SANS.edu Research Journal: Volume 3
Published: 2023-04-27
Last Updated: 2023-04-27 15:39:04 UTC
by Johannes Ullrich (Version: 1)
One of my privileges as dean of research for the SANS.edu college is the ability to work with some of our graduate students as they complete their research projects. More recently, I have also been lucky to advise many of our undergraduate students as they participate in our Internet Storm Center internship. You may have seen me highlight some of the work done by our students in diaries or in the daily podcast. At times, I have also interviewed some of our students for podcast episodes.
Yesterday, SANS.edu released the third volume of our research journal, summarizing the best papers completed by students over the last year. Each student is assigned a member of our research committee to assist them as they conduct the research. Thanks to this research committee, our writing center, and all the other resources assisting our students in creating this fantastic work. To be included in the journal, papers must be graded with an "A."
When selecting research topics, students are asked to investigate solutions to current, relevant problems. Papers not only present the solution but also prove that the solution works. Our students are asked to conduct experiments to test solutions and to show how they apply to the problem they are supposed to address.
In line with our "SANS promise," the research papers, just like any SANS class, should provide you with information you can apply "the next day at work." This year, we are also highlighting some of the work of our undergraduate interns.
The SANS.edu college research journal is available for download here: https://www.sans.edu/cyber-security-research.
Read the full entry:
https://isc.sans.edu/diary/SANSedu+Research+Journal+Volume+3/29784/