S2E13: Rudolph the Redsourced Reindeer

Ho ho homepage! Christopher Glyer and Nick Carr are back for the last
episode of 2019. They’re closing the year with a look at this month’s
front-line espionage activity and a whole bunch of FIN intrusions! In
addition to the threat round-up, they highlight some of our Mandiant
consultants doing that work and a few DFIR tricks they included in a
recent blog:
https://www.fireeye.com/blog/threat-research/2019/12/tips-and-tricks-t
o-analyze-data-with-microsoft-excel.html. As a special bonus, Santa
dropped off a slide clicker for the show so Nick and Christopher
decide to go deep on their recent presentation at #CYBERWARCON on “red
sourcing.” An episode sure to make them friends on infosec twitter for
sure! The presentation was a 10 minute #threatintel lightning talk,
but embracing the Christmas spirit, the gang tries to navigate a
sensitive area of current debate by spending more time on red sourcing
& providing some evidence and observations on APT groups moving to
publicly released post-compromise tooling; some potential motivations;
and then question whether any tool can ever be fully controlled (e.g.
Delpy/MIMIKATZ evil maid scenario, recent Turla coopting APT34 access
& tools). Because RULER.HOMEPAGE was touched on in the talk, they
expand a bit further on this and highlight the recent blog that Nick
co-authored on how attackers (like UNC1194) can conduct intrusions
from just a single registry key. They also question whether the
technique’s usage via Outlook installed Office 365’s Click-to-Run is
technically CVE-2017-11774 or not. I guess we need another episode
with MSRC! They end the year with some spicy predictions for 2020.
You’ll see. Thanks for watching and listening this year!

This episode was sponsored by bad decisions and office holiday parties
- and especially both.