Posts

The next gen future of EDR: XDR (Extended detection and response)

Image
What is XDR (Extended detection and response) We all know the prominence of EDR solutions. However the latest technology to enter the space is now: extended detection and response (XDR) which is the result of evolution from endpoint detection and response (EDR). XDR can be considered as the upgraded EDR but with further unified capabilities with other security tools as well to provide combined security analysis visibility, highly efficient detection, and a vastly improved correlation, investigation, and response.   Background and reason for developing XDR: EDR served as the baby steps towards the journey of XDR. In every way, EDR solutions did help to provide effective endpoint detection and response integrating a number of threat detection solutions. However, on the bigger picture, the question still remained about the security team’s challenges around the best possible way to leverage combined capabilities around analytics platforms, security information, and event management (SIEM)

Dark side ransomware on colonial pipeline network

Image
We all know about the recent ransomware attack on Colonial pipeline. With regard to this, let us try to understand what happened exactly: About the firm: The largest refined products pipeline in the US, it is involved in transporting over 100 million gallons of fuel across their corridors. The recent ransomware attack against colonial pipeline's networks led to an emergency declaration in 17 states and the district of Columbia across 5,500 miles of fuel pipeline Let’s understand about Darkside ransomware Darkside is a relatively new ransomware strain that made its first appearance in August 2020. It follows RaaS (ransomware-as-a-service) model. It follows a double extortion trend like: 1.       Threat actors encrypt the user’s data 2.       Exfiltrate the data and threaten to make it public if the ransom demand is not paid. Their ransom demand ranges between $200,000 to $2,000,000. Let’s now understand how the attack vector of this: 1.       Downloading the rans

A leaf out of Digital Forensics adventures- Part 1

Image
What is digital forensics? A specialized branch of forensic science that works to recover and investigate digital devices in the world of cybercrime. The aim of this work is to identify, preserve, analyze, and document digital evidence in order to present it to the relevant law authorities as and when required. Who is a Digital forensics investigator?  A person who has a mindset to discover evidence and trace back the storyline to solve the case. It can range from discovering:  • How attackers gained access to the network- or the point of breach • Lateral movement on the network- or affected systems discovery • Information stolen or backdoors planted- Corporate Espionage  • Recover data that were attempted for deletion, damage as well as manipulation. Let’s now analyze the different phases across a digital forensics investigation: Phases: 1. First-line incident response The focal point right after a suspected breach /security incident is known as the first response. These ini

Incident response handling for ransomware

Image
Welcome readers back to my blog. Today we will have a run-through in terms of performing incident response on ransomware breaches. Ransomware as we all know is becoming an increasing menace the world over, many firms keep getting compromised one way or another due to this specialized attack. The most critical factor in handling incident response would range around how effective firms do tackle such incidents. TL; DR: Validate the attack Gather the incident response team Analyze the incident and perform a thorough investigation  Contain the incident Eradicate the malware and its traces Perform post-incident analysis and monitoring Perform a post mortem analysis and prepare the lessons learned  In this part, let’s focus majorly on validation, analysis, containment phases.  Let’s take a look as a refresher for how best to handle such incidents (and also others similar in nature)  1.    Initial Triaging a.      Start with the aim to limit the infection, measures include such as: switching

Digital twins technology with IoT

Image
  What is digital twin? Digital twin is increasingly becoming popular since 2018, as the virtual replicas of physical assets. Simply said, this buzz word refers to a technology that helps carry out features like device simulation during development, ingestion of real-world data about a physical object or system as inputs and producing the outputs or simulations based on those inputs helping scientists and IT professionals run simulations before actual devices are built and deployed. Digital twin technology has now moved to multiple industries and vastly merging in the Internet of Things, artificial intelligence and data analytics helping augment deployments for peak efficiency and create other what-if scenarios. Via simulation of real object and its interactions with its surroundings, this technology helps provide a more accurate representation of the shape an object than a physical replica. The power of digital twins can be extended to virtually any technology such as cloud co

Researching the difference between SIEM and SOAR

Image
A great matter of debate and confusion I have always seen is the line of difference between SOAR and SIEM along with fact that if you have one, do you still need the other or in conjunction. In order to understand the clarity, let us analyze the details and the concept behind both one by one: 1.       Understanding SIEM SIEM is the abbreviation for the technology platforms which stands for security information and event management used to collect and store security data. This can be related to simple examples including firewalls, intrusion detection systems/ prevention systems etc. This technically helps to aggregate and correlate all of this gathered data by help in analyze date wth focused analytics and machine learning software. 2.       Understanding SOAR SOAR on the other hand is the collective technology involving Security orchestration, automation and response (SOAR), that is intended to help imbibe security operations with the pillars of efficiency and consisten

Demystifying Zero trust architecture

Image
1.     Introduction to zero trust: A more and more raging buzz word in the world of information security, Zero Trust Architecture refers to the “defense in depth” approach of implementing security concepts removing the process of automatically trusting actors and devices integrated in network. Zero trust architecture provides a thorough end to end approach to enterprise resource and data security controls interwoven around identity (person and nonperson entities), credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure. Zero trust leads to ultimately verifying every single component trying to connect to the system before granting access. Relying on fine grained methods such as micro-segmentation and granular perimeter enforcement based on users, zero trust helps to control security over controls such as trusting a user, machine or application for gaining access to a part of the enterprise network. Zero Trust leverage