State of the Hack

40 episodes - English - Latest episode: about 2 years ago - ★★★★★ - 28 ratings

State of the Hack discusses the latest in information security, digital forensics, incident response, cyber espionage, APT attack trends, and tales from the front lines of significant targeted intrusions.

Episodes

The Defender's Advantage Podcast

March 30, 2022 20:00 - 1 minute - 804 KB

If you are here looking for State of the Hack, we invite you to visit the feed of Mandiant’s new podcast, The Defender’s Advantage Podcast: https://www.buzzsprout.com/1762840   The new show launches this week with the same great content you've come to expect from us and even more. Host Luke McNamara anchors our Threat Trends series, chatting with Mandiant intel analysts, consultants, and researchers, as well as external practitioners and leaders in cyber security, all through a threat-focus...

S4E07: IIV Drippin: Overcoming Your Zero Day Hangover

May 20, 2021 18:00 - 35 minutes - 28.5 MB

Zero days got you down? There sure have been a lot of high-impact zero days affecting edge appliances in 2021, in Microsoft Exchange, Pulse Secure, and SonicWall. In this episode, we're joined by Josh Fleischer, the Managed Defense investigator who uncovered three zero days in SonicWall Email Security, to discuss detection and investigation of a zero day, as well as what vendors and customers can do to better prepare for zero day attacks.

S4E06: Extortion, Ransoms & the Wonderful Life of Red Teams

March 19, 2021 14:58 - 37 minutes - 26.7 MB

In today's threat landscape, data theft and extortion go hand in hand with ransomware. In this episode of State of the Hack, we'll talk about how data theft plays a role in modern day ransomware incidents, how attackers carry out data theft, and how we simulate data theft during our Red Team assessments so clients can test their detective capabilities.

S4E05: The Wonderful World of Web Shells

February 18, 2021 18:23 - 32 minutes - 23.5 MB

An oft-undiscussed tactic, web shells are a popular way for threat actors of all flavors to gain an initial foothold, move laterally, and maintain persistence in a stealthy manner. Austin and Doug discuss a popular exploit that has been observed in the wild leading to web shells and what infosec practitioners can do to protect against this class of malware.

S4E04: Apex Predators: Inside OpSec Strategy

January 21, 2021 20:54 - 35 minutes - 25.2 MB

This episode discusses the idea of operational security ("OPSEC") from an attacker's perspective. OPSEC relates to how an attacker or red team might try to make their activities stealthier to avoid detection. During this episode, Evan Pena and Julian Pileggi talk about the various ways the Mandiant Red Team maintains operational security during an adversary simulation exercise, and interesting techniques they see attackers using that have a high level of operational security.

S4E03: Azure Got Run Over by a Refresh Token

December 18, 2020 14:32 - 40 minutes - 29.3 MB

Join us for our holiday episode as we search for silver bells and silver linings in our move to The Cloud! The cast sits down with Dirk-Jan Mollema to talk Azure AD and Primary Refresh Tokens, and what savvy defenders can do to secure their own cloud credentials.

S4E02: Weaponizing Office Documents with VBA Purging

November 19, 2020 20:35 - 56 minutes - 42.9 MB

Malicious Office documents whose module streams contain source code but no P-code are more likely to evade YARA rules and AV detection. This evasion technique is called VBA purging, which is different from the previously observed VBA stomping technique. In this episode we will discuss what VBA purging is, the difference between purging and stomping, the consequences of this technique, and a new tool created by Mandiant's Red Team called OfficePurge.

S4E01: KEGTAP-ing Out: Don't be a One Trickbot Pony

October 29, 2020 19:22 - 49 minutes - 37.5 MB

State of the Hack is back! Featuring new hosts Doug Bienstock (@doughsec), Austin Baker (@bakedsec), Julian Pileggi (@x64_Julian), and Evan Pena (@evan_pena2003) and new content. Doug and Austin kick things off and dive into a recent flood of phishing campaigns associated with KEGTAP, aka BazarLoader. They discuss some interesting toolmarks of the KEGTAP attack chain and why it is so dangerous.

S3E2: Hacking Tracking Pix & Macro Stomping Tricks

February 10, 2020 18:00 - 42 minutes - 29.6 MB

On today's show, Nick Carr and Christopher Glyer break down the anatomy of a really cool pre-attack technique - tracking pixels - and how it can inform more restrictive and evasive payloads in the next stage of an intrusion. We're joined by Rick Cole (@a_tweeter_user) to explore one such evasive method seen in the wild: Macro Stomping. And we close the show by deep-diving with Matt Bromiley (@_bromiley) on the critical vulnerability we've been responding to most in 2020 - and what we've seen sever...

S3E1: Spotlight Iran - from Cain & Abel to full SANDSPY

January 17, 2020 18:00 - 53 minutes - 37.1 MB

In response to increased U.S.-Iran tensions stemming from the recent death of Quds Force leader Qasem Soleimani by U.S. forces and concerns of potential retaliatory cyber attacks, we're bringing the latest from our front-line experts on all things Iran. Christopher Glyer and Nick Carr are joined by Sarah Jones (@sj94356) and Andrew Thompson (@QW5kcmV3) to provide a glimpse into Iran-nexus threat groups - including APT33, APT34, APT35, APT39, and TEMP.Zagros - as well as the freshest actionab...

S2E13: Rudolph the Redsourced Reindeer

December 11, 2019 14:10 - 37 minutes - 26 MB

Ho ho homepage! Christopher Glyer and Nick Carr are back for the last episode of 2019. They're closing the year with a look at this month's front-line espionage activity and a whole bunch of FIN intrusions! In addition to the threat round-up, they highlight some of our Mandiant consultants doing that work and a few DFIR tricks they included in a recent blog: https://www.fireeye.com/blog/threat-research/2019/12/tips-and-tricks-to-analyze-data-with-microsoft-excel.html. As a special bonus, Sa...

S2E12: Shellcode. DLLy DLLy!

October 17, 2019 14:43 - 20 minutes - 13.8 MB

Christopher Glyer and Nick Carr are back with an extremely offensive episode with red teamers Evan Pena (@evan_pena2003) and Casey Erikson (@EriksocSecurity). They get right into why they use shellcode (any piece of self-contained executable code) and some of the latest shellcode execution and injection techniques that are working in the wild. In previous episodes, the gang has discussed attackers' - both authorized and unauthorized - shift away from PowerShell and scripting-based tooling to C...

S2E11: Between Two Steves

October 11, 2019 15:48 - 26 minutes - 18.1 MB

Christopher Glyer and Nick Carr sit down with the top two Steves from Advanced Practices: Steve Stone (@stonepwn3000) and Steve Miller (@stvemillertime) to talk about the front-line technical stories and research presented at the 2019 #FireEyeSummit. With team members embedded on every investigation, they dissect the key takeaways from the past year’s responses and trends in tracking the groups and techniques that matter. They cover the behind-the-scenes of recent FIN7 events* and put that ...

S2E10: from MATH import CYBERZ*

October 03, 2019 14:08 - 42 minutes - 29.1 MB

Christopher Glyer and Nick Carr interview Matt Berninger (@secbern) about his journey from Incident Responder to Data Scientist and how that has shaped his perspective on ML applications and issues in the industry today. This discussion provides a brief overview of Data Science fundamentals and how they apply to common cybersecurity problems. They also discuss how to navigate the deluge of ML marketing and what considerations to make before including ML in your security stack. Finally, they...

S2E09: DerbyCon Edition with Dave Kennedy

September 18, 2019 05:00 - 19 minutes - 13.2 MB

Christopher Glyer and Nick Carr interview Dave Kennedy (@HackingDave) on his experience running DerbyCon over the years, what conferences he plans to attend next, and future plans to build and support DerbyCon Communities (DerbyCom). Red teaming in the last few years has started to get harder due to improvements in security visibility, improved security tools, and better SOC teams. They discussed how Dave's red team at @TrustedSec uses security tools to baseline what their activity looks like ...

S2E08: DerbyCon Edition with Nate Warfield

September 16, 2019 15:01 - 25 minutes - 17.6 MB

Christopher Glyer and Nick Carr interview Nate Warfield (@n0x08) on his experience working at Microsoft's Security Response Center (MSRC). They discuss how Nate's team manages the vulnerability reporting and fix/remediation process across Microsoft's range of products and services. They also debated what makes the BlueKeep and DejaBlue vulnerabilities different from previous vulnerabilities and why this particular set of vulns took so long to have public exploit code available. Nate also shared his fi...

S2E07: DerbyCon Edition w/ Carlos Perez & Benjamin Delpy

September 12, 2019 13:14 - 30 minutes - 20.8 MB

In this episode, Christopher Glyer and Nick Carr interview the Darkoperator (@Carlos_Perez) and Benjamin Delpy (@gentilkiwi) on all things related to Mimikatz and Kekeo. They discuss Carlos' new class on Mimikatz, the background on why he started it, how red teamers can use the features in unique and creative ways, and how blue teamers can detect the activity. Benjamin shared the background on how he developed the tools (hint - he didn't read the Kerberos RFC), some of its lesser known capabilit...

S2E06: APT41 - Double Dragon: The Spy Who Fragged Me

August 14, 2019 17:46 - 31 minutes - 21.5 MB

This is our APT group graduation party for APT41: Double Dragon, conducting both Chinese state-sponsored espionage activity and personal financially-motivated activity. You've read the report* and on this episode, Christopher Glyer and Nick Carr go behind-the-scenes with two technical experts, Jackie O'Leary and Ray Leong, who worked for months to produce the report. We answer viewer questions and discuss sifting years of incident response data, peppered with Glyer's IR war stories, and fasc...

SotH Convos: Finding Evil in Windows 10 Compressed Memory

August 07, 2019 14:35 - 17 minutes - 12.2 MB

We are kicking off a new segment on State of the Hack - an audio-only deep dive discussion with authors of popular technical blogs. On this episode, Christopher Glyer and Nick Carr spoke with FireEye's Blaine Stancill (@MalwareMechanic) and Omar Sardar (@osardar1) on their recent blog post, "Finding Evil in Windows 10 Compressed Memory." You can read the full post here: https://feye.io/33dzIQD

S2E05: Your Payment Cards Are Our Business Cards

July 25, 2019 17:32 - 31 minutes - 22 MB

We interviewed one of our most tenured analysts, Barry Vengerik (@barryv), on a range of viewer-requested topics including: a FIN7 retrospective, the recent surge of Iranian threat activity, APT34 targeting organizations via LinkedIn messaging, the FSB contractor leaks, APT36 USB drop attacks, and some tales of recent investigations involving insider threats. This episode brought to you by Combi Security: "Creative Red Teaming with Flexible payment options"

S2E04: Ransom Acts of Flyness

June 04, 2019 10:47 - 44 minutes - 30.6 MB

Christopher and Nick kicked off the latest episode with recent updates to the MITRE ATT&CK framework, including several techniques that they submitted. During the episode they discuss Outlook add-in persistence, renamed binaries, and the high-level increase in execution guardrails observed - all of which were added in the May update to ATT&CK. They then spoke about CARBANAK Week, including how FireEye found the CARBANAK source code and the process behind releasing it. They also give a few ne...

S2E03: Behind the ATM Heist & Other Red Team Stories

April 16, 2019 17:21 - 45 minutes - 31 MB

On this episode, we got right into a bunch of new in-the-wild activity! We discussed FIN6's shift to deploying enterprise ransomware, including their recent LOCKERGOGA campaigns. The recent DAYJOB/ShadowHammer supply chain compromises prompted some discussion around this trend and several hunting techniques. We covered our newly released blog on the techniques that the attackers used to deliver the TRITON malware framework and how to hunt for them - as well as some background on our ongoing...

S2E02: Trending 10 Years of Breach Response (RSAC #SendUsSwag)

March 12, 2019 15:51 - 30 minutes - 20.8 MB

In this latest episode, we featured FireEye Principal Threat Analyst and M-Trends contributor Regina Elwell, who took us on a deep dive of our annual M-Trends report. We discussed how key metrics from our incident response investigations changed, including dwell times, source of notification, and which industries were impacted. Additionally, we broke down some of the highlights of four threat actors we upgraded in 2018: APT37, APT38, APT39, and APT40. Finally we discussed the M-trends...

S2E01: #NoEasyBreach REVISITED

January 31, 2019 19:46 - 47 minutes - 32.9 MB

We're back for season 2 and discussed reports of destructive/disruptive attacks by APT33 and DNS hijacking. We also spoke with Matthew Dunwoody and Alex Orleans about one of our favorite topics: APT29.

S1E09: Holiday APT Spectacular

December 11, 2018 13:22 - 36 minutes - 24.8 MB

In their final episode of 2018, Christopher Glyer and Nick Carr brought the holiday cheer by providing a wrap-up on interesting targeted attacker activity from the past 90 days, including CNIIHM links to the TRITON ICS attacks, a suspected APT29 spearphishing campaign, and several recent DOJ indictments. They also highlighted some interesting techniques, including DNS over HTTPS and profiling victims pre-attack using both compromised websites and Office documents.

S1E08: Facing Forward: Cyber Security in 2019 and Beyond

November 14, 2018 22:19 - 36 minutes - 24.9 MB

In this episode, Christopher Glyer and Nick Carr spoke with Steven Booth, Chief Security Officer at FireEye, to discuss what’s to come in 2019, including attackers and nations attempting to emulate other threat groups, increased leveraging of legitimate services for command and control, machine learning and artificial intelligence, a decreased and more selective use of PowerShell in attacks, and much more. If you want to get into the nitty gritty of cyber security in 2019, you won’t want to ...

S1E07.3: Special Edition: FLARE vs. Carbanak

October 15, 2018 18:03 - 22 minutes - 15.6 MB

In this segment, we sit down with two Staff Reverse Engineers on the FLARE team, Michael Bailey (@mykill) and James “Tom” Bennett (@jtbennettjr), who were at CDS this year to discuss the results of nearly 500 total hours of analysis of the Carbanak source code we acquired. This included 100,000 lines of Carbanak source code and dozens of binaries. We deep dive into how FLARE conducts that kind of analysis and what it’s taught us about FIN7 and the other groups that use Carbanak. Among other ...

S1E07.2: Special Edition: Upgrading to APT38

October 15, 2018 17:53 - 17 minutes - 11.9 MB

FireEye recently released details on a particularly aggressive threat group that we believe is responsible for conducting financial crime on behalf of the North Korean regime, stealing millions of dollars from banks worldwide. We refer to this group as APT38. In this segment, we welcome two core contributors to the APT38 report: Nalani Fraser, Manager of the Advanced Analysis Team, and Jackie O’Leary, Senior Analyst on the Advanced Analysis Team. As soon as Nalani and Jackie joined us, we wa...

S1E07.1: Special Edition: Understanding the GRU Indictments

October 15, 2018 17:50 - 13 minutes - 9.45 MB

We had the chance to pick the brains of John Hultquist (@JohnHultquist), Director of Threat Intelligence, and Ben Read (@bread08), Senior Manager of Cyber-espionage Analysis. John and Ben provide a lot of media color and discuss geopolitical ramifications of complex technical reports by translating the news into lay terms. In this segment, we start with the recently announced indictments charging Russian GRU officers with international hacking and related influence and disinformation operati...

S1E07: Iranian Influence Operation

August 27, 2018 14:23 - 15 minutes - 10.3 MB

Christopher Glyer and Nick Carr spoke with FireEye Intel Analyst, Lee Foster on how FireEye identified a suspected influence operation that appears to originate from Iran aimed at audiences in the U.S., U.K., Latin America, and the Middle East. During their conversation they spoke about how the operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests. ...

S1E06.3: Special Black Hat Edition: Sean Metcalf

August 20, 2018 20:00 - 21 minutes - 15 MB

“Special Guest Sean Metcalf (@Pyrotek)”: Sean Metcalf is a trailblazer in the InfoSec field who is most well-known for his expertise in Active Directory security. He’s given talks on the topic at several security conferences, including Black Hat USA, DEF CON, DerbyCon and BSides. Fun fact about Sean: he is one of roughly 100 Microsoft Certified Masters (MCMs) in Directory Services in the world. Active Directory security plays a huge part in his current role as Founder and Chief Technology Of...

S1E06.2: Special Black Hat Edition: Matt Graeber

August 20, 2018 20:00 - 24 minutes - 16.7 MB

“Special Guest Matt Graeber (@mattifestation)”: Early in Matt Graeber’s professional life he was a rock climbing instructor, but then he joined the Navy and that decision kicked off his journey into the wonderful world of InfoSec. Matt is now a Security Researcher at SpecterOps, a company that provides adversary-focused solutions to help organizations better defend themselves against the types of attacks we see every day. At SpecterOps, Matt specializes in reverse engineering and advancement...

S1E06.1: Special Black Hat Edition: Katie Nickels

August 20, 2018 19:58 - 13 minutes - 9.13 MB

“Special Guest Katie Nickels (@likethecoins)”: Katie Nickels attended a liberal arts school and intended to get into journalism, but instead she took on a researcher role and the rest is history. Now Katie is the Lead Cyber Security Engineer at MITRE. MITRE is a not-for-profit that operates federally funded research and development centers (FFRDC) responsible for R&D that helps the U.S. government. Katie specializes in cyber threat intelligence and how it can improve network defenses. Part o...

S1E06: Black Hat USA 2018 Edition

August 20, 2018 19:48 - 1 hour - 48.5 MB

“FIN7”: It’s a matter of “when, not if” for organizations and breaches, and the same goes for criminals and getting caught. The U.S. District Attorney’s Office for the Western District of Washington recently unsealed indictments and announced the arrests of three leaders in a criminal organization we have tracked since 2015 as FIN7. Referred to by many vendors as “Carbanak Group” (although we don’t attribute all usage of the CARBANAK backdoor with the group), FIN7 is well-known for the techn...

S1E05: Down Periscope

July 12, 2018 15:31 - 33 minutes - 23.3 MB

In this episode we were joined by Dan Perez (@MrDanPerez) of FireEye’s Adversary Pursuit team. We discussed our experiences from FireEye's Congressional roundtable on artificial intelligence, provided insight into the analysis leading up to our report on TEMP.Periscope targeting Cambodian election operations, and broke down several notable adversary methods observed during the past few weeks of responding to intrusions that matter.

S1E04: Illuminating the Adversary

June 11, 2018 20:51 - 34 minutes - 23.5 MB

In May we were joined by Andrew Thompson (@QW5kcmV3) of FireEye’s Adversary Pursuit team. We explore the evolution and current state of cloud services OAuth abuse, how we do technical intelligence & attribution, and some war stories from the past few weeks of responding to intrusions that matter. “Shining a Light on OAuth Abuse”: we explore the history of OAuth abuse in-the-wild and the uptick in third-party applications with full, offline access to cloud service user data without the need ...

S1E03: Hunting Targeted Attackers @ Scale, Live-ish from RSA

April 26, 2018 12:40 - 31 minutes - 21.7 MB

In episode 3, we were joined by Alex Lanstein (@alex_lanstein) - one of the first employees at FireEye, who hunts through product telemetry data to identify new targeted campaigns. During the RSA conference, and with so many others referencing breaches and hunting from the periphery, we thought it would be good to chat about primary source data from our ongoing APT and FIN attack investigations and how to identify anomalies the way Alex does. We live streamed this episode from the RSA Confe...

S1E02: Cafe Bohannon

March 16, 2018 21:04 - 32 minutes - 22.7 MB

“Activity Round-up”: This week, we talk about new techniques being used by Iran's "MuddyWater" (TEMP.Zagros) and Vietnam's APT32. We discuss our Mandiant response efforts into large Chinese espionage campaigns that have picked up in the past year, highlighting both APT20 targeting of service providers and some fresh TEMP.Periscope activity at many clients. “What to Expect When You’re Resetting”: We describe several approaches and challenges with mid-breach enterprise password resets - and t...

S1E01: State of the FIRST

March 05, 2018 21:01 - 36 minutes - 25.4 MB

FireEye Chief Security Architect Christopher Glyer and Senior Manager of Security Consulting and Incident Response Nick Carr share their thoughts on the Olympics, APT37, and FireEye's latest freeware offerings. You can catch the web series live each month on @FireEye: https://twitter.com/fireeye