You are viewing 'toolkit'

ELMO for Incident Response

Find out how ELMO can assist with a live incident response situation

John Moran

February 02, 2017 - Posted by John Moran to Security Insight

In most incident response situations, it is necessary to collect some form of volatile data. While disk forensics continue to play a role in incident response, we know that the tactics of today’s adversaries require different methods from incident responders. One of those tactics is live forensics to capture volatile data.

Much like traditional “dead box” forensics, most investigators will agree that no single tool can meet the needs of every investigation. Instead, investigators commonly use multiple tools to gather information based on the needs of the investigation. Some examples are memory acquisition, running processes, network connections and open file handles.

Running these tools in a Windows environment is most often achieved by scripting multiple tools through the use of a batch file. This achieves several goals. First, it allows the investigator to execute a single file, which will run multiple tools. Second, it ensures that all tools are... read more >

Incident Response Tools

You are only as good as your toolset!

David Biser

August 31, 2016 - Posted by David Biser to Security Insight

In my last blog I asked the question, “Have you ever tried to chop down a tree with a fork?” and told you about an incident response process that was made difficult by the lack of adequate tools. This is a common problem in the field of incident response and security as a whole, and shouldn’t exist. Unfortunately, however, many system administrators, network administrators and help desk personnel assume they can handle an incident, when in reality it is far more complex than they are aware.

A basic introduction to incident response is beyond the scope of this blog, but I do want to introduce the reader to the “Order of Volatility.” This is a common methodology that is taught across the security spectrum. It provides the responder with the ability to gather evidence from the more volatile to the less. This is extremely important when responding to breaches or malware infections. So, let us review the... read more >

Black Energy Malware is Back...and Still Evolving

Danika Blessman

January 18, 2016 - Posted by Danika Blessman to Threat Intelligence

Industrial Control Systems

Black Energy (BE) malware is back in the news as of early January 2016. This time it is being blamed for contributing to a power outage on December 23, 2015 in Ukraine, which left nearly half the populace in the Ivano-Frankivsk region without power for several hours.

Discovered in 2007, BE was originally designed as a distributed-denial-of-service (DDoS) toolkit but has since evolved to its current state, supporting a multitude of plug-ins. The newest features of the BE malware include:

  • KillDisk, a destructive data-wiping utility capable of destroying an estimated 4000 file types, including registry files. This function could render the host unbootable, and depending on the infected host, could have dire consequences. Based on the malware’s typical target set of Industrial Control Systems (ICS), an infected host could prove to be disastrous, not to mention expensive.
  • Researchers also identified a previously unknown Secure Shell (SSH) backdoor...
read more >

The XcodeGhost in the Machine

Hacked Apple toolset delivers thousands of infected apps

Bob Bybee

September 28, 2015 - Posted by Bob Bybee to Security Insight

Xcode Files

“Trust no one,” goes the mantra of a great 1990s TV show, The X-Files.

Some things, however, we nearly always trust. A carpenter trusts that his hammer will drive a nail, and if it doesn’t, the reason is usually obvious. All craftsmen have to trust their tools, because we don’t have the time to build our own hammers and ladders. Yet for software developers, this means trusting very complex tools we can’t easily validate.

The most important software tool is a compiler, often part of an integrated development environment (IDE) with a debugger and other tools. These tools are like a genie, translating a programmer’s wishes (source code) into something that does his bidding (binary machine code). But sometimes the genie is a bit of a devil. I’ve personally found compiler bugs, cases where it didn’t translate my source code accurately. My own... read more >

Physical Security Assessment

Traditional and Nontraditional Tools and Techniques

Brent White

December 23, 2014 - Posted by Brent White to Security Insight

physical security

This blog was co-written by Solutionary Security Consulting Services consultants Brent White and Tim Roberts.

So, you’ve gotten past the front door by piggybacking, were granted access to the elevator by the receptionist, and then find yourself standing in front of another restricted area. The next step is to find a way to trigger the motion sensor from the other side of the door so that it will open for you. What would you do?

Physical Security Assessments are an essential part of a security program. If an attacker is able to gain physical access to your building and equipment, they essentially have “the keys to the kingdom.”

This blog was written to provide an overview of some tactics that assessors... read more >

Voted one of the Best Computer Security Blogs 2016
NTT Security (US), Inc. (formerly Solutionary) is a security consulting and managed security services provider. The NTT Security blog is a place for IT professionals to both learn and talk about the latest in IT security and compliance.

Get the NTT Security Blog delivered to your inbox!

Enter your Email:

(We will not share your email or use it for anything else.)