This report offers research on analysis and lifecycle of an attack on critical infrastructure. It discusses command and control, internal reconnaissance, lateral movement, and targeting the ICS and SCADA infrastructure.

The Black Hat Edition of the Vectra® Attacker Behavior Industry Report provides a first-hand analysis of active and persistent attacker behaviors inside cloud, data center and enterprise environments of Vectra customers from January through June 2018.

The 2018 RSA Conference Edition of the Vectra Attacker Behavior Industry Report provides a first-hand analysis of active and persistent attacker behaviors inside cloud, data center and enterprise environments of Vectra customers from August 2017 through January 2018.

This report takes an inside look at the Cyber Security challenge for healthcare today and more specifically looks at the medical device security challenge.

This report offers deep insight into the threat actor known as Oilrig.

From the one page report, “From trade secrets to client information, legal services and law firms have an ethical and legal obligation to protect privileged data. To help you understand the common attack types and trends facing the legal industry, we’ve compiled the following observations based on real data from across our client base.”

In this research report, they uncover the Dark Side of Asia to provide you with an inside look into key trends, laws, motivations and threat actors of the increasingly threatening Asian Internet community.

This report discusses a key issue in a Malware-centric defense approach; it will leave you vulnerable to attacks that don’t leverage malware. Read on to learn more.

This report takes a look at a new global campaign targeting nuclear, defense, energy, and financial companies.

Fidelis Threat Research analysts have discovered a new version of ThreadKit, malware notorious for it’s use by the cybercrime organization known as Cobalt Group. This report will provide analysis of a recent campaign, seen October 30th , utilizing the Cobalt Group malware frameworks. Cobalt Group was believed to have suffered a hit earlier this year[1] with the reported arrest of one of its members. After the arrest, the campaigns appear to have slowed significantly however despite this, there has been continued development concerning the groups malware framework.

This report provides a summary of OverWatch’s findings from intrusion hunting during the first half (January through June) of 2018. It reviews intrusion trends during that time frame, provides insights into the current landscape of adversary tactics and delivers highlights of notable intrusions OverWatch identified. OverWatch specifically hunts for targeted adversaries. Therefore, this report’s findings cover state-sponsored and targeted eCrime intrusion activity, not all forms of attacks.

During our monitoring of activities around the APT28 threat group, McAfee Advanced Threat Research analysts identified a malicious Word document that appears to leverage the Microsoft Office Dynamic Data Exchange (DDE) technique that has been previously reported by Advanced Threat Research. This document likely marks the first observed use of this technique by APT28. The use of DDE with PowerShell allows an attacker to execute arbitrary code on a victim’s system regardless whether macros are enabled. (McAfee product detection is covered in the Indicators of Compromise section at the end of the document.)

This blog post offers insight into the New ICS Attack Framework “Triton”

“The Turla espionage group has been targeting various institutions for many years. Recently, we found several new versions of Carbon, a second stage backdoor in the Turla group arsenal. Last year, a technical analysis of this component was made by Swiss GovCERT.ch as part of their report detailing the attack that a defense firm owned by the Swiss government, RUAG, suffered in the past. This blog post highlights the technical innovations that we found in the latest versions of Carbon we have discovered.”

CyberX has discovered a new, large-scale cyber-reconnaissance operation targeting a broad range of targets in the Ukraine. Because it eavesdrops on sensitive conversations by remotely controlling PC microphones – in order to surreptitiously “bug” its targets – and uses Dropbox to store exfiltrated data, CyberX has named it “Operation BugDrop.”

This report reveals a campaign of reconnaissance, phishing, and malware operations that use content and domains made to mimic Chinese language news websites

APT28 sent out a document disguising itself as a flyer relating to the Cyber Conflict U.S. conference. The document contains a VBA macro that executes a new variant of Seduploader. This article analyzes the document and the reconnaissance malware inside.

Multiple Polish banks have fallen victim to malware. This post contains what information was public about the attack at the time.

Read about the threat outlook for aerospace and defense sectors as threat groups seek to gain military and economic advantages.

This report looks at China’s evolving approach to integrated strategic deterrence. Drawing on a variety of Chinese military writings, this report explores the origins of this concept, how it relates to Chinese development of counter-intervention capabilities, and how Beijing’s assessment of its external security environment influences its requirements.

From the Report, “This year’s GTIR utilizes the Center for Internet Security’s Critical Security Controls to identify controls that can be effective at each stage of the Lockheed Martin Cyber Kill Chain® (CKC) . By ensuring that controls exists for each stage of the CKC, organizations can increase their ability to disrupt attacks . We’ve dedicated an entire section and case study to a Practical Application of Security Controls to the Cyber Kill Chain.”