The ICEBRG Blog

Network Forensic Analysis in an Encrypted World

  • Tags:
  • bsides
  • network security
  • research
  • talks

ICEBRG attended a set of information security conferences in Las Vegas, including Black Hat USA, BSidesLV and DEFCON. At BSidesLV, one of our founders (William Peteroy) and principal security engineers (Justin Warner) presented research and methodologies for performing network forensic analysis of encrypted communications streams. Thanks to everyone who attended the talk and special thanks to the folks who stayed and asked questions or were part of the hallway conversations that followed! For those of you who couldn’t make it, please feel free to view the talk in its entirety via the link above or check out the brief summary below.

Footprints of FIN7: Tracking Actor Patterns (IOCs)

August 9, 2017

By: Spencer Walden, Alex Sirr, Dan Caselden
  • Tags:
  • FIN7
  • network security

In our initial two-part blog series on FIN7 we covered network activity patterns, payloads, and defensive best practices. FIN7 is a financially-motivated threat actor targeting large organizations that process payment card data or have a significant point of sale environment. In part 1, we documented FIN7 command and control and lateral movement behaviors that historically contained detectable patterns for which defenders should deploy detections. In part 2, we covered specific operational tools and tactics. In this blog, we are sharing additional ongoing research into this actor group, their initial access methods, targeting, and infrastructure for the purposes of providing an extensive indicator set to network defenders. We have collected and analyzed over 60 initial access payloads since early 2017. ICEBRG hopes these IOCs will aid defenders by enabling detection and prevention of known bad phishing lures. More importantly, ICEBRG hopes that this indicator set will empower intel teams and researchers to continue tracking the group as their TTPs evolve to stay ahead of detection capabilities.

Footprints of FIN7: Tracking Actor Patterns (Part 2)

July 20, 2017

By: Justin Warner, Stephen Hinck
  • Tags:
  • FIN7
  • Threat Research

This is part two of a blog series detailing ICEBRG’s engagements with FIN7 throughout early 2017. Part one of this series focused on the network communications and tradecraft involved with FIN7, specifically addressing how patterns in the C2 protocol allowed ICEBRG to gain a deeper understanding of adversary TTPs. In this post, we will break out one of the ways in which FIN7 profits from their victims: compromise of point-of-sale (POS) environments and theft of cardholder data.

Footprints of FIN7: Tracking Actor Patterns (Part 1)

July 25, 2017

By: Justin Warner, Stephen Hinck
  • Tags:
  • FIN7
  • Threat Research

The 2017 Verizon DBIR Report states that 73% of breaches in 2016 were financially motivated and spanned a number of different industries and financial targets. Since 2015, a financially motivated threat group known as FIN7 (also referred to as the Carbanak Group) has emerged from the shadows and has been highlighted in a number of different incidents. This group is a moderately sophisticated and persistent adversary that has targeted various industries.

We are ICEBRG

July 11, 2017

By: William Peteroy
  • Tags:
  • about icebrg

Welcome to the ICEBRG blog, where you can find the latest news and information on what we’re working on and what we’re excited about. To start things off, we wanted to provide a brief introduction of who we are and why we do what we do.