Your Enemy Can Be Your Best Teacher

Blog | Threat Intelligence Brief

This quote, attributed to the Dalai Lama, inspired our analysts to take a thoughtful approach to monitoring our external nodes. We wanted to answer one question: what are the top 20 ports that the top 3 cyber threat actor countries are hitting? Could the targeting from countries such as China, Russia, and Iran give us some insight into what they are trying to exploit? So we analyzed traffic from these countries from 1 May 2020 to 30 June 2020, evaluating over 7 million sessions to identify the top targeted ports for each country.

Key Findings

Our analysis of this data found the following trends:

  1. Russian traffic tends to focus on exploiting remote computing. Port 3389 and the ports near it, along with VNC, were heavily targeted.
  2. Chinese traffic is focused on databases and their infrastructure. MSSQL (1433) was by far the most targeted port, though other database services such as Redis also appeared.
  3. Iranian traffic had components of both Russian and Chinese targeting, but also showed significant interest in IoT devices.

Analysis

We realize that not all traffic from these countries is bad, but it is fair to acknowledge these countries do host a significant amount of cyber threats. We hope that by monitoring and observing trends from these locations, we can start to discern potential interests in targeting, as well as assess what services may be at higher risk.

Russia

During this period, the #1 targeted port for Russian traffic was clearly 445, the port notoriously associated with SMB and the EternalBlue vulnerability. Anecdotally, pen tester friends we consulted confirmed that EternalBlue is still quite prevalent in the wild. A Shodan search reveals 1.5 million hits for port 445, with the US and Russia being the two countries showing the most occurrences of this port being open.

The next most targeted port is Telnet (23), followed by Remote Desktop Protocol (3389). As we look at the rest of the top 20, however, a clear pattern emerges: several ports surrounding 3389 are also being targeted. Based on these findings and the knowledge gained from our incident response practice, it appears Russian traffic may be attempting to identify cases where clever systems administrators have tried to hide RDP on non-standard ports.
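As an added illustration of the counting behind these per-country rankings and the "ports near 3389" pattern, here is a small Python script; it is not PacketWatch code and does not touch the dataset described above. It assumes an exported session record format of one line per session ("timestamp country src_ip dst_port") and uses a handful of constructed records in documentation IP ranges. It ranks destination ports per source country with each port's share of that country's sessions, and separately counts hits on ports within a window around 3389 so that a cluster of neighbouring ports stands out in a defender's own sensor logs.

```python
"""Rank destination ports per source country from sensor session records.

Added example, not PacketWatch code. The record format is an assumption:
one session per line, "timestamp country src_ip dst_port".
"""
from collections import Counter, defaultdict

# Constructed sample sessions (documentation IP ranges, not real traffic).
SAMPLE_SESSIONS = """\
2020-05-01T00:00:01Z RU 203.0.113.10 445
2020-05-01T00:00:02Z RU 203.0.113.11 445
2020-05-01T00:00:03Z RU 203.0.113.12 445
2020-05-01T00:00:04Z RU 203.0.113.13 445
2020-05-01T00:00:05Z RU 203.0.113.10 23
2020-05-01T00:00:06Z RU 203.0.113.14 23
2020-05-01T00:00:07Z RU 203.0.113.10 3389
2020-05-01T00:00:08Z RU 203.0.113.15 3389
2020-05-01T00:00:09Z RU 203.0.113.15 3388
2020-05-01T00:00:10Z RU 203.0.113.15 3390
2020-05-01T00:00:11Z RU 203.0.113.16 5900
2020-05-01T00:00:12Z CN 198.51.100.20 1433
2020-05-01T00:00:13Z CN 198.51.100.21 1433
2020-05-01T00:00:14Z CN 198.51.100.22 1433
2020-05-01T00:00:15Z CN 198.51.100.23 1433
2020-05-01T00:00:16Z CN 198.51.100.20 6379
2020-05-01T00:00:17Z CN 198.51.100.24 3306
2020-05-01T00:00:18Z CN 198.51.100.25 445
2020-05-01T00:00:19Z CN 198.51.100.25 3389
2020-05-01T00:00:20Z CN 198.51.100.26 7001
2020-05-01T00:00:21Z CN 198.51.100.27 22
2020-05-01T00:00:22Z IR 192.0.2.30 445
2020-05-01T00:00:23Z IR 192.0.2.31 445
2020-05-01T00:00:24Z IR 192.0.2.35 445
2020-05-01T00:00:25Z IR 192.0.2.30 1433
2020-05-01T00:00:26Z IR 192.0.2.32 9530
2020-05-01T00:00:27Z IR 192.0.2.33 9530
2020-05-01T00:00:28Z IR 192.0.2.34 23
malformed line that should be skipped
"""


def parse_sessions(text):
    """Yield (country, dst_port) for each well-formed record; skip the rest."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # tolerate junk in exported logs
        yield fields[1], int(fields[3])


def top_ports(sessions, n=20):
    """Per country: list of (port, hits, share_pct) for the n most-hit ports,
    where share_pct is the port's share of that country's sessions."""
    per_country = defaultdict(Counter)
    for country, port in sessions:
        per_country[country][port] += 1
    ranked = {}
    for country, counter in per_country.items():
        total = sum(counter.values())
        ranked[country] = [
            (port, hits, round(100.0 * hits / total, 1))
            for port, hits in counter.most_common(n)
        ]
    return ranked


def hits_near_port(sessions, country, center=3389, radius=10):
    """Hits from one country on ports within +/- radius of `center`, excluding
    `center` itself. A cluster here is the 'RDP moved to a nearby port'
    probing pattern described in the brief."""
    near = Counter()
    for c, port in sessions:
        if c == country and port != center and abs(port - center) <= radius:
            near[port] += 1
    return dict(near)


if __name__ == "__main__":
    sessions = list(parse_sessions(SAMPLE_SESSIONS))
    for country, rows in sorted(top_ports(sessions, n=5).items()):
        print(country, rows)
    print("RU hits near 3389:", hits_near_port(sessions, "RU"))
```

Run against a real export, the share column is what lets a port's weight be tracked week over week (as the brief does for 1433), while the neighbourhood count isolates the non-standard-RDP probing from the noise of the plain 3389 scans.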

We also see port 5900 in the top 20. This port is associated with VNC (Virtual Network Computing), a well-known remote access tool that, like RDP, can obviously be repurposed for malicious purposes.

China

When we first started watching Chinese traffic, we were surprised to see its interest in 1433 (MSSQL). While that port has always held the #1 spot, its share of total traffic has varied between 30-40% over recent weeks. Other database-related ports in the top 20 include Redis (6378-6381), MySQL (3306), and the AFS-3 protocol (7001, 7002).

We also witnessed some of the same interests that Russian activity exhibited with targeting on ports like 445 and 3389.

Everything considered, Chinese activity for this period was largely focused on databases. When we consider the breaches that Chinese actors have been indicted for over the last several years (Equifax, OPM), we start to realize their strategic interest in big data can certainly be considered a sustained trend.

Iran

Iranian activity appeared to focus on a combination of the targets we saw in Russian and Chinese activity, including 445 and 1433. Surprisingly, we noticed a newcomer to the top 10: port 9530. This port is unassigned according to the Internet Assigned Numbers Authority (IANA); however, open source research indicates that a large number of Chinese IoT components, such as devices running Xiongmai firmware, can be accessed via backdoors after hitting port 9530, a tactic sometimes referred to as "port knocking."

On a weekly basis, we provide our clients with intelligence on active targeting campaigns that we observe in the wild. During the week of 29 June 2020, we noticed Iranian activity targeting ports 5977 and 4876. Port 4876 is associated with the Tritium CAN Bus Bridge Service, a component associated with vehicles, which typically requires physical access to exploit vulnerabilities.

Conclusion

We found this exercise to be quite eye-opening. While we hypothesized that RDP would be of interest, we were surprised by the variety of ports that Russian traffic was targeting. We also did not expect to find Iranian activity so interested in IoT devices. Chinese activity demonstrated ongoing and unwavering attention to databases.

About PacketWatch

We are threat hunters, investigators, intelligence analysts, and cybersecurity experts with experience in federal law enforcement, national security, and enterprise IT. Leveraging our expertise and our innovative use of technology, we help our clients find security risks that others may miss.

Please visit us at https://packetwatch.com/

Senior Software Engineer
Company Overview

PacketWatch is a privately-owned boutique cybersecurity consulting firm that delivers enterprise-class security services to identify, detect, and respond to cyber-threats that have circumvented traditional information security controls. Our experienced consultants, threat hunters, forensic experts, and cyber security analysts help organizations gain confidence in their security posture with assessment, managed security, and incident response services. The team uses a proprietary full-packet-capture network monitoring, analysis, and investigation platform to improve the visibility of network anomalies, enrich cases with intelligence, and resolve complex incidents quickly. 

Responsibilities

As a member of the Product Development Team, the Senior Software Engineer:

  • Work with a small team of engineers & developers, to ensure timely delivery of features and enhancements against a product roadmap while adhering to best coding practices.
  • Regularly assess current dashboard functionality, modules, and data visualizations and suggest improvements and new ways to engage with collected data.
  • Lead and engage in architectural reviews, documentation, code reviews, and peer feedback on design, integrated tools, code modules, and code efficiency.
  • Be available to provide high-level response and insight into customer issues and customer integration strategies for Sales Team and other direct customer-facing team members.
  • Contribute to technical design documents and communication of the architectural impact across functional areas, from customer-facing product to internal only facing processes/tools.
  • Develop code, contribute to product design, provide guidance regarding efficiency opportunities.
  • Comply with coding standards, application security, IP protections and assist other team members on compliance.

Requirements / Profile

The successful candidate will possess the following characteristics:

  • Strong analytical, problem solving skills, excellent verbal and written communication skills
  • Self-starter with excellent interpersonal, motivational, and facilitation skills
  • Excellent communication skills, both verbal and written. Loves to explain the technology and has a gift for concisely explaining complex topics.
  • Committed to a culture of continuous improvement.
  • Exceptional customer service skills, in addition to extensive experience working in a team-oriented, collaborative environment.
  • Ability to effectively prioritize and execute tasks on time.
  • Passionate about technology.

In addition, the successful candidate will possess the following technical skills:

  • Strong and demonstrable knowledge of multi-tenant web application development with an emphasis on the presentation and visualization of data from large-scale sources, with a minimum of 5 years of development experience.
  • Strong and demonstrable experience with 3 or more of the following languages and toolsets:
    • Web development using Flutter, React, NodeJS, or Angular JS;
    • Database experience using MariaDB, PostgreSQL, Cassandra, Cockroach DB or other;
    • Experience with IDS tools such as Zeek, Suricata and/or SNORT;
    • Experience developing and deploying large scale ElasticSearch systems including experience with Kibana, Logstash, Kafka, and Beats;
    • Development experience with Java, Go, Python and Redis;
    • Familiarity with Jira/Atlassian;
    • REST API development experience;
    • Strong GIT version control skills; and/or
    • Strong Linux, Bash, Automation skills.
  • Strong and demonstrable knowledge of networking concepts including TCP/IP and TLS.
  • Familiarity with Test Driven Development practices in an agile environment.
  • Experience working with and refactoring existing code.
  • Solid understanding of application vulnerabilities and security.
  • Must be able to work in the US without sponsorship.

Location

Scottsdale, Arizona, United States

Apply

Send your resume and cover letter for this Senior Software Engineer position to careers@packetwatch.com

Cyber Security Analyst III
Responsibilities

As a senior member of the Service Delivery Team, the Cyber Security Analyst III is an expert in hunting, triaging, analyzing, and investigating potential security incidents and threats across our diverse client base. Major duties include:

  • Leading complex security incidents and investigations, and client onboarding activities;
  • Conducting host forensics, network forensics, log analysis, and malware triage in support of incident response investigations;
  • Utilizing PacketWatch and 3rd-party endpoint detection and response technologies to conduct large-scale investigations and examine endpoint and network-based sources of evidence;
  • Recognizing and codifying attacker TTPs (tools, tactics, and procedures) and IOCs (indicators of compromise) for application to concurrent or future investigations;
  • Building scripts, queries, or methodologies to facilitate incident investigation processes;
  • Developing and presenting readable yet comprehensive and accurate reports and presentations for both technical and executive audiences; and
  • Working with clients’ security and IT operations teams to implement remediation plans in response to incidents.

The Cyber Security Analyst (III) works closely with other less experienced analysts to investigate complex or advanced incidents proactively and identify threats, vulnerabilities, and exploits (threat analysis, threat hunting, intrusion analysis).

Requirements / Profile

The ideal candidate will:

  • Be passionate about cyber security, finding threats, identifying new detection techniques, and providing excellent client support and satisfaction;
  • Enjoy the details of day-to-day tactical execution of threat hunting, intrusion analysis, and incident response;
  • Be a self-driven, team-oriented, and highly motivated technology professional familiar with appropriate experience in endpoint security analysis, network security monitoring (NSM), Security Incident and Event Management (SIEM) systems, next-generation security devices, forensics, and incident response;
  • Possess deep technical knowledge and a sense of urgency, and be able to interact extensively with clients and partners using a confident tone and professional etiquette;
  • Be able to see the big picture, understand evolving attacker behavior and motivations, participate in and manage multiple client-facing projects, and help to train/mentor other security consultants;
  • Possess sound business acumen, strong consulting skills, current technical skills and be adept in leading multiple projects under tight deadlines;
  • Take responsibility for customer satisfaction and overall success of IR/MDR services;
  • Be available, ready, and able to accept incoming calls, respond in a timely manner to client requests and security events, adhere to policies, procedures, and security best practices;
  • Document actions and effectively communicate information internally and to customers; and
  • Develop improvements for operational playbooks, tools, detection capabilities, workflows, and train and mentor fellow security engineers and security analysts.

Qualifications for Success

  • Bachelor’s Degree (or equivalent experience) with 5 or more years technical experience
  • Experience with at least three of the following:
    • Windows disk and memory forensics;
    • Network security monitoring, network traffic analysis, and log analysis;
    • OSX or Linux disk and memory forensics;
    • Static and dynamic malware analysis;
    • Thorough understanding of enterprise security controls in Active Directory/Windows environments;
    • Cloud (AWS, Azure, M365) security controls, logs, tools, and forensics; or
    • Experience building scripts, tools, or methodologies to enhance investigation processes
  • Additional Qualifications:
    • Effectively solving problems, communicating investigative findings and strategies to technical staff, executive leadership, legal counsel, and internal and external clients;
    • Effectively develop documentation and explain technical details in a concise, understandable manner;
    • Strong time management skills to balance time among multiple tasks, and lead junior staff when required; and
    • Must be able to work in the US without sponsorship

Location

Scottsdale, Arizona, United States

Apply

Send your resume and cover letter for this Cyber Security Analyst III position to careers@packetwatch.com

Cyber Security Analyst I (Specialist)
Responsibilities

As a customer-facing member of the Service Delivery Team, the Cyber Security Analyst I (Specialist) will perform initial triage, investigation and escalations; investigate alerts and alarms to provide details for the incident response team; serve as an initial point of contact for investigation and remediation; assess vulnerability and threat data from a variety of sources to provide actionable intelligence to internal consumers; implement countermeasures and maintain and enhance the defenses for internal information systems and resources; and act as the front line of defense for internal and clients’ assets with clear vision and situational awareness in a persistent, dynamic, and highly complex threat environment.

In addition, the Cyber Security Analyst I (Specialist) will:

  • Utilize PacketWatch and third-party endpoint detection and response technologies to investigate, assess and remediate endpoint and network-based threats;
  • Utilize related security automation and orchestration tools to communicate security events and incidents to the applicable Incident Response Team personnel and/or management, and recommend security actions according to daily checklists;
  • Perform initial investigations on mixed Linux, Mac and Microsoft Windows environments, including network devices, databases, web services, and enterprise applications;
  • Coordinate with internal infrastructure support teams to maintain/troubleshoot security tools and monitoring integrity;
  • Provide front-line support for PacketWatch MDR and IR clients as required;
  • Work as part of a larger dynamic team in a contributive, supportive and respectful manner; and
  • Document actions taken, observed IOCs, maintain metrics and proper reporting of observations.

Requirements / Profile

The ideal candidate will be passionate about cyber security, assessing threats, detecting adversary tactics and techniques, and providing excellent client support and satisfaction. He or she will enjoy the details of day-to-day tactical execution of monitoring, intrusion analysis and incident response. He or she must be a self-driven, team oriented, and highly motivated technology professional familiar with some experience in endpoint security analysis, network security monitoring (NSM), Security Incident and Event Management (SIEM) systems, next generation security devices, forensics, and/or incident response.

The successful candidate will possess the following required skills/attributes:

  • Possess a core understanding of security concepts and techniques, with demonstrated knowledge of networking (TCP/IP, topology, and security), operating systems (Windows/Mac/Linux), and web technologies (IIS, Apache);
  • Demonstrated ability to collect, read and interpret system data, including, but not limited to, security event logs, system logs, and firewall logs;
  • Grasps and applies new information quickly and handles complex assignments; communicates well; demonstrates initiative on assignments, demonstrating problem solving skills; exercises independent judgment and professionally executes projects with little direction; and
  • Ability to work weekends, holidays, or non-traditional schedules as needed. Must be able to work in the US without sponsorship.

Qualifications for Success

  • Hands-on administrative experience with major operating systems (Windows, OSX, Linux);
  • Traditional network monitoring experience (packet/protocol analysis);
  • Foundational experience in any of the following areas including: hardware, networking, authentication, architecture, protocols, file systems and operating systems, Intrusion Detection/Intrusion Prevention Systems (IDS/IPS), network security monitoring (NSM), SIEM, endpoint detection and response systems, vulnerability management, incident response, and investigations and remediation;
  • Relevant industry certifications (e.g. CISSP, GSEC, GCIH or Sec+, MCSE, CCNA, CWNA and/or Net+);
  • Knowledge of trouble isolation, log analysis, data and event correlation and analysis;
  • Competence with scripting languages and technologies (PowerShell, Python, Ruby, Java);
  • Effectively develop documentation and explain technical details in a concise, understandable manner; and
  • Strong time management skills to balance time among multiple tasks.

Location

Scottsdale, Arizona, United States

Apply

Send your resume and cover letter for this Cyber Security Analyst I (Specialist) position to careers@packetwatch.com