Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.

Executive summary

AT&T Alien Labs does a tremendous job of developing and maintaining a database of observed Indicators of Compromise (IOC) that have been involved with at least one customer through the Open Threat Exchange (OTX). Containing over 70 million reference points that cover an array of attack types, techniques, and industries, OTX provides an additional resource for the AT&T Security Operations Center (SOC) analysts to utilize in the event that an unrecognized event takes place on a customer’s network. Not only can an analyst browse external Open Source Intelligence (OSINT), but there is also a repository of previously identified IOCs that can be referenced to point out any sort of pattern or commonality. SOC analysts also have the ability to add newly observed IOCs or remove ‘out of date’ indicators that are no longer a threat to the customers we serve. 

The AT&T Managed Threat Detection and Response (MTDR) SOC detected a successful connection made between a customer asset and an IOC with a known reputation via OSINT as well as OTX. Signatures provided by the OTX reveal the potential IOC associated with the ‘Cobalt Strike’ Malware Family, which could be in relation to C2 Beaconing activity involving a customer asset. Upon further investigation, it was determined that the activity was indeed malicious, however due to the location of the subnet it proved to be benign in this specific case.

Initial alarm review

Indicators of Compromise (IOC)

From the initial breakdown of the alarm, the analysts knew that a connection was ‘Allowed’ from a customer owned IP to a specific domain ‘tomatoreach[.]com’ and external IP ‘192.243.59[.]12’. The known OTX reputation of the URL and IP is what caused the alarm to trigger. The external OSINT on the two observed IOCs confirmed the suspicious reputation.

Expanded investigation

Events search

Event logs of the actual alarm do not reveal any additional IOCs or supporting information as it pertains to the activity.

Event deep dive

Upon further investigation into the involved user around the time of the event, it was determined that the user was associated with browsing an additional 20+ suspicious IOCs. Subject of these newly identified domains varies from content streaming to blog posts. Each new IOC was presented with the investigation in hopes of correlating any unrecognized activity occurring.

Response

Building the investigation

Due to the fact that the observed IOCs contain a reputation both on the OTX as well as externally, this alarm looks to be a legitimate concern for the customer. Originally, it was received with a ‘High’ severity. After additional review, the investigation was opened with a ‘Medium’ severity because there were no obvious malicious actions taking place with the involved user other than the browsing of suspicious web sites, which may not be authorized under company policy. All supporting evidence was included in the investigation, and a recommendation for remediation was also provided.

Customer interaction

Per the customer’s Incident Response Plan (IRP) a phone call was not required when this investigation was opened. Once addressed, the customer was able to confirm that what occurred was not in the scope of normal business activity. However, identifying the user and the host involved, the customer was able to establish the subnet being a “Guest” network that is authorized for personal use. MTDR’s full breakdown of user involved web traffic was valued and aided in the effortless closing of this investigation.

Read More

This directory includes laws, regulations and industry guidelines with significant security and privacy impact and requirements. Each entry includes a link to the full text of the law or regulation as well as information about what and who is covered.

CSO updates this directory, originally published on January 28, 2021, frequently as new laws and regulations are put in place.

Click on a link to skip to information and resources on that law:

Broadly applicable laws and regulations

Sarbanes-Oxley Act (SOX)
Payment Card Industry Data Security Standard (PCI DSS)
Payment Service Directive, revised (PSD2)
Gramm-Leach-Bliley Act (GLBA)
Customs-Trade Partnership Against Terrorism (C-TPAT)
Free and Secure Trade Program (FAST)
Children’s Online Privacy Protection Act (COPPA)
Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule
Federal Rules of Civil Procedure (FRCP)

Industry-specific guidelines and requirements

Federal Information Security Management Act (FISMA)
North American Electric Reliability Corp. (NERC) standards
Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records
Health Insurance Portability and Accountability Act (HIPAA)
The Health Information Technology for Economic and Clinical Health Act (HITECH)
Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule)
H.R. 2868: The Chemical Facility Anti-Terrorism Standards Regulation

US state laws

California Consumer Privacy Act (CCPA)
California Privacy Rights Act (CPRA)
Colorado Privacy Act
Connecticut Data Privacy Act (CTDPA)
Maine Act to Protect the Privacy of Online Consumer Information
Maryland Personal Information Protection Act – Security Breach Notification Requirements – Modifications (House Bill 1154)
Massachusetts 201 CMR 17 (aka Mass Data Protection Law)
Massachusetts Bill H.4806 — An Act relative to consumer protection from security breaches
Nevada Personal Information Data Privacy Encryption Law NRS 603A
New Jersey — An ACT concerning disclosure of breaches of security and amending P.L.2005, c.226 (S. 51)
New York State Department of Financial Services, Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)
New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act
Oregon Consumer Information Protection Act (OCIPA) SB 684
Texas – An Act relating to the privacy of personal identifying information and the creation of the Texas Privacy Protection Advisory Council
Utah Consumer Privacy Act
Virginia — Consumer Data Protection Act (CDPA)
Washington – An Act Relating to breach of security systems protecting personal information (SHB 1071)

International laws

Personal Information Protection and Electronic Documents Act (PIPED Act, or PIPEDA) — Canada
Personal Information Protection Law (PIPL) — China
Law on the Protection of Personal Data Held by Private Parties — Mexico
General Data Protection Regulation (GDPR)

Broadly applicable laws and regulations

To read this article in full, please click here

Read More

If you are as old as I am, you remember when you first had to deal with domains and Active Directory (AD). Even if you aren’t as old as I am, you still probably must deal with domains and Active Directory. If you are just starting out at a new firm, you probably know only Azure Active Directory as your building block. The reality for the rest of us is that we must patch and maintain AD. 

Active Directory has been in the security news again for yet another vulnerability that may need more actions than merely patching to properly protect your network from future attacks. The May 10, 2022, security updates include several patches relating to certificates. 

To read this article in full, please click here

Read More