"The adversary is 10 steps ahead of the industry because we look for solutions in the past. All the intelligence in the world won't help you if you keep your head buried in the sand and can't act on it. A different paradigm for understanding new and emerging threats is needed to stay ahead of the bad guys. Solving this problem is what keeps us up at night. It's our passion and our driving force at Cylance Labs." Ryan Permeh, CTO and Founder
Technical Blog
Uncommon Handle Analysis in IR and Forensics
May 23, 2013 | By Gary Golomb
We have all seen malware reports talking about malware creating a specific mutex you can use to identify the malware. From a higher level, how can we use attributes of mutexes and their relatives (other handles) in Incident Response and Forensic analysis?
WordPress Under Attack
May 21, 2013 | By Aaron Bryson, Brian Wallace
In the last few weeks, Internet hacking attacks have increased and thousands of sites have already been compromised. Many security observers have seen millions of scans of their WordPress installation on a single day in April, as noted by the Sucuri Blog on April 11, 2013.
C2 Malware Targets Battle.Net Accounts
May 16, 2013 | By Jon Gross
I recently came across an interesting sample being spread through Java exploits in the wild which appeared to do nothing more than download some additional credential stealing/account harvesting malware and delete a victim's Battle.net account information.
How to Prevent/Detect Security Breaches with the Help of Regulators
May 13, 2013 | By Dr. Shane Shook
As security professionals we struggle with several challenges. Defining standards or meeting regulatory compliance can be one, and preventing security breaches can be another.
Google's Buildings Hackable
May 6, 2013 | By Billy Rios
At Cylance, we have an ongoing project to identify vulnerable Internet-facing Industrial Control Systems (ICS) at scale. Our project is far from complete, but we wanted to share a story which we think our readers might be interested in. While looking through our scan results, we came across an interesting Tridium Niagara device on the Internet.
When Advanced Persistent Threats Aren't
May 1, 2013 | By Dr. Shane Shook
"We've been hacked." We hear that a lot from customers. But what does it really mean? Many times, it's not what you think. Most compromises today are not intentional "hacks" but rather are the result of users' normal activities - browsing the Internet, responding to emails, or using hardware devices (USB, mouse, keyboard, etc.) that have not been checked for malware. Even targeted attacks are not quite what they seem. Web server and services hacking via SQL injection, cross-site scripting, or "metasploits" are the methods today thanks to point-and-shoot or fire-and-forget compromise toolkits.
Uncommon Event Log Analysis for Incident Response and Forensic Investigations
April 24, 2013 | By Gary Golomb
This is Part 1 in a series about a topic I refer to as Consequential Artifact Analysis. In this series, we'll examine artifacts created after a compromise, yet not directly related to the malware itself.
ICS Dos and Don'ts
March 15, 2013 | By Billy Rios
Many organizations don't realize that they have ICS somewhere on their networks. The truth is, virtually every datacenter, modern building, and corporate campus around the world plays host to environmental controls, building entry systems, safety systems, and many other automation systems that are considered ICS.
Japan Targeted, Perhaps over Senkaku/Diaoyu Island Dispute
February 13, 2013 | By Jon Gross
Recent tensions between China and Japan over disputed islands may have involved cyber attacks against Japanese targets. Cylance Labs has been tracking a series of malicious files that have been discovered in the wild. China has often denied any involvement in cyber attacks against Japan; however, their tussles have long been known. We have decided to share our findings in hopes of empowering defenders to protect their systems.
Inside the Exploit: Philips XPER Vulnerability
February 5, 2013 | By Billy Rios
Terry and I had a chance to speak at the S4 SCADA Security Scientific Symposium in Miami. S4 has traditionally been one of the more technical ICS/SCADA security conferences and we're always honored to speak at such prestigious events. This year, Terry and I chose to speak on the (in)security of medical devices and software. Our talk outlined some of the similarities between the ICS/SCADA market and the medical industry, with a focus on the likeness in the poor security practices employed by both industries. We culminated the talk with a live demonstration of a remote, unauthenticated 0-day exploit against the Philips XPER medical device.