As attackers continually evolve their tactics, the arsenal of tools at hand for defenders needs to respond to attacker complexity while still enabling day-to-day business to happen.

When it comes to detecting malware, the arms race between attackers and defenders is certainly nothing new. The once seemingly simple battle between nuisance script kiddie worms and simple anti-virus software evolved over time into a much more complex and layered approach towards stopping powerful weapons against organizations to extort, incur damages, and steal intellectual property. For a long time now, malware-detection technologies have become more sophisticated as malware works harder than ever to gain access to a target machine and then conceal its presence as it runs.

The Uptycs Threat Intelligence team is responsible for providing a high quality, curated, and current Threat Intelligence feed to the Uptycs product. In order to deliver the threat feed, the team evaluates every single alert that is seen by our customers, and investigates the alert as feedback into the threat feed curation process. Recently we observed a malicious domain alert from a customer. The out-of-the-box alert description indicated that it belonged to the OSX/Shlayer malware family. We were quickly able to query Uptycs threat intelligence to find that the domain first appeared on February, 2019 and was reported by multiple threat intel sources. Once the threat was validated, we dove into deeper investigation to understand the threat surface and risk. This post walks through the steps and techniques we performed to analyze data that had been collected via osquery, and aggregated in Uptycs.

Threats to cyber security have been around for decades, but the sophistication and motivations of attackers have evolved. In the early days, they carried out relatively simple, insignificant attacks in an attempt to show off their programming abilities; now, sophisticated cybercriminals (sometimes sponsored by governments and companies) launch serious attacks to steal products and ideas, or other data, from digital infrastructure.

There's a big disconnect between best practice frameworks and the real-life nitty gritty. Many of these frameworks broadly approach the overarching principles that a robust security program should encompass and why these principles are important; however, they don't usually say specifically what kind of attacker behavior a defender should anticipate when building their security programs, nor do they detail how an attacker would work to thwart those vaulted best practices. Often, that's left up to the security practitioner to suss out themselves in their copious spare time.