How to Understand Your Attacker’s Mindset

In this post we’ll try to develop an understanding of a typical attacker’s mindset and then show you how companies like yours can use this knowledge to enhance their security posture. Before we dive in, however, let’s ask a basic question: What is a cyber attacker?

A cyber attacker can be any entity — an individual, a group of individuals, a company, etc. — that tries to harm another entity via their cyber infrastructure. Attackers are often portrayed as ruthless entities that go to great lengths and use elaborate resources to attack state-of-the-art company defenses. Defending companies and individuals frequently view these entities as advanced attackers that challenge themselves by trying to break through fortified security controls by attacking them head on. That may be true in a few cases, but most attackers — especially the most seasoned (i.e., the smartest and most successful) — will try to find the path of least resistance and will also try to use the smallest number of resources when attacking. In other words, they use brains rather than brute force to achieve the biggest gain with the least effort. Let’s explore this in more detail below.
Read more “How to Understand Your Attacker’s Mindset”

Detecting Unsafe Data Deserialization With Threat Stack

UPDATED — January 22, 2019
The Threat Stack SOC is aware of the recent disclosure of a breach of the PHP Extension and Application Repository (PEAR). Details of the breach have not been disclosed publicly, and we have no special knowledge of the breach. However, attacks against code repositories and injection of malicious code into third-party application dependencies help to underscore the importance of behavioral detection methods to identify and mitigate the exploitation of insecure PHP deployments. We will update this blog as appropriate pending additional public information on the PEAR breach.

UPDATED — February 1, 2019
Several weeks after the original publication of this blog, the PHP Extension and Application Repository (PEAR) disclosed a breach of its website, which led to the compromise of go-pear.phar. While Threat Stack has no inside or special knowledge of the breach at PEAR, based on publicly available information, we have confirmed that the Threat Stack Cloud Security Platform and Cloud SecOps Program can detect and mitigate an attack leveraging this injected PHP code.

It appears the attackers in this incident leveraged the research Sam Thomas presented at Black Hat 2018, which we discussed in this blog post. Based on publicly available information, the attackers appeared to be performing the first step in the attack chain by attempting to deliver injected phar files into a target environment. It is possible this attack was part of a poison well tactic targeting a specific or multiple organizations known to use PEAR and this file.

Insecure data deserialization first made its way into OWASP’s 2017 Top 10 list by way of community feedback. In the history of application security, that makes it a relatively new vulnerability that can be harder to detect due to the way it uses popular code libraries that are commonly used in web development.

The Threat Stack Cloud SecOps Program℠ exists not only to monitor customer environments and investigate alerts, but also to work with customers to help them improve their security postures. Occasionally, here in the SecOps Program’s security operations center (SOC), we get questions about the detection capability of the Threat Stack Cloud Security Platform®, and whether it is capable of detecting new and advanced attack vectors. (Our system uses behavioral detection, which is an extremely robust methodology for detecting new and old attack techniques.)

In this post, I’ll walk through how my colleagues and I in the SOC addressed an inquiry regarding a specific insecure deserialization exploit seen in the wild. Read more “Detecting Unsafe Data Deserialization With Threat Stack”