Tag Archives: Threat Intelligence

Book Review: Hacked Again

Scott N. Schober’s Hacked Again has emblazoned across its cover ‘It can happen to anyone, even a cybersecurity expert.’ And so it begins: Scott is a cybersecurity expert and CEO of a hi-tech firm, and in Hacked Again he takes us through his journey of being the victim of cyber crime, while along the way providing a plethora of expert and common sense advice on how to avoid finding yourself at the wrong end of cyber fraudsters.

Scott opens the book with an anecdote from his youth, opening his first bank account in a friendly local bank where people were on a first name basis. He describes the evolution of this bank and how, through a series of mergers, acquisitions and takeovers, it has become a modern day banking machine, impersonal and globalised. As the anecdote goes on, Scott subtly drops little hints that will become relevant later.

This leads the reader seamlessly into how Scott first realised he had been hacked. One morning Scott noticed a number of suspicious transactions on his business account, and after a little investigating it dawned on him: his account had been compromised. And so the motto on the cover proves true: ‘It can happen to anyone, even a cybersecurity expert.’

As Scott looks into the compromise it begins to dawn on him that perhaps it’s not a case of ‘it can happen to anyone, even a cybersecurity expert’ and more a case of ‘it can happen to anyone, especially a cybersecurity expert.’ While his business account was being investigated, Scott switched to his personal account, only to realise that it was also being targeted. It was then that Scott began to suspect he was being specifically targeted: that his bank credentials had been compromised and were being traded on the dark web by criminals who wanted to make an example of the cybersecurity experts who make their life harder.

From here Scott describes yet another fraud of which his company was nearly the victim. After receiving an order for high priced items to be sent by special delivery as soon as possible to an address in Indonesia, Scott’s company dispatched the items, only to receive a call from an angry lawn mower repair company demanding to know why it had been charged for the aforementioned items, which were at that moment winging their way to Southeast Asia.

Thanks to the timely phone call, Scott was able to put a halt to the order and recover the items. The lessons Scott learned? Well, amongst other things, timely incident response is critical, and if something seems too good to be true, it usually is.

Hacked Again then goes on to detail other cyber crimes involving identity theft, credit card fraud and social engineering, as well as the tactics deployed by the attackers and the strategies to protect yourself from them. Many themes emerge as the book goes on, such as who to trust, how to trust, defence in depth, password hygiene, internet browsing habits and the jarring reality of the gap between feeling secure and actually being secure.

This book takes the reader on a whirlwind tour of all manner of cyber crime; it covers malware from spyware to ransomware. Scott provides advice on how to avoid being compromised via spear phishing emails, which have gone from being very easy to spot, with their broken English and low-res pictures, to very convincing emails that look and feel the part. One of the golden nuggets buried in Hacked Again is that it not only tells you how to avoid being compromised but what to do if and when you are compromised.

The book continues this blend of storytelling that is part anecdote, part ‘how to’ and part ‘how not to’. It moves swiftly and logically from one subject to the next. It is a book that does not linger on a subject long enough for it to become boring or uninteresting. Instead the book flows and is very easy to read; I was shocked when I first sat down to read Hacked Again only to realise two hours had passed in what seemed like the blink of an eye. Much of this is due to the graceful manner in which the author moves from one subject to the next.

The question I found myself asking when reading Hacked Again was ‘who is this aimed at?’ My conclusion was that this book is a must read for C-level management and small to medium business owners, as well as ICT managers across the world. It gives an overview of the risks businesses face in today’s connected world, while providing tangible and relatable real world examples of these risks becoming real life problems.

But they are not the only people who should read this book; anyone with any kind of online presence could benefit from reading Hacked Again, and that includes everyone from your grandparents to your computer science graduate buddies and, yes, even cybersecurity experts. Another group who will find this book of interest, and perhaps not its obvious audience, is anyone who fancies themselves an expert in a particular field. In the latter stages of the book Scott discusses his experience as a media go-to expert on cybersecurity; this is one part of the book I found surprisingly insightful, if not entirely relevant.

This book fits a niche. It is not a focused investigation into a specific topic like Brian Krebs’s Spam Nation, Misha Glenny’s DarkMarket or Kim Zetter’s Countdown to Zero Day, nor is it a technical tour de force like that found in a Bruce Schneier book. Hacked Again just touches on those subjects, giving the reader awareness of them as examples of the darkness that is lurking out there. What this book is, is an exquisitely written warning, but not only a warning: it is a manual on what you can do to keep yourself and your business safe, and this is where its true value lies.

Hacked Again is a veritable 101 on the risks of cybercrime and cyber security, an impeccable overview of the whos, the whats and the hows of information security, and it gives this overview without ever slipping into hyperbolic hysteria in order to get its point across.

Scott’s manner of storytelling is seamless: he starts off on a thread and leads you down a path to its conclusion, all the while dropping breadcrumbs of advice and the lessons he has learned along the way. It’s an effective blend of storytelling and educating; at no point do you ever feel condescended to by the advice being dispensed. As a security researcher myself I know how easy it is to feel patronised when receiving security advice.

In the foreword to Hacked Again, radio host Jon Leiberman describes how Scott can translate complex technical details and tech talk into understandable information. This is true: Scott does know how to effectively demystify tech talk into non-intimidating, flowing and compelling storytelling. Hacked Again is the work of a man who knows his subject and the work of a man who has learned the lessons of what can happen when you are the victim of cybercrime; it is the work of a man who wants to pass on those lessons to the reader, and this is why it is a must read.

You can find Scott on Twitter @ScottBVS, as well as following the Hacked Again Twitter account at @HackedAgainBook.

IPv4 Threat Intelligence – PowerShell Script

Following on from my previous post about gathering IPv4 threat intelligence automatically with Python scripts, I thought I would follow it up with a PowerShell script I wrote that does something similar.

This script works on Windows without the need for any extra installs, so it is perfect for users who only have access to Windows in the workplace.

It is often the case that security analysts and sys-admins need to grab bulk lists of IPv4 addresses from a data source, which can be logs, websites or intelligence feeds. Data sources such as these can contain lots of redundant data, such as domain names, timestamps and so on. In general, removing this data can be done simply with a script, and this is exactly what this script does.

I have seen a few scripts kicking about that do something similar to this, but they generally contain far more lines of code than is needed (although this does have some ASCII art of cats and dogs that really doesn’t need to be there) as well as requiring some kind of user input. This script keeps the code very tight, and the only user input required is dragging the input file over to the script’s directory.

This script allows you to take the data source in the form of a file and automatically convert it to a .csv of IPv4 addresses, fully de-duplicated and with all redundant data removed, ready to be used for whatever purpose you have in mind for it.

The script is quite raw at the moment, so you will need to make a couple of edits to tailor it to your environment. See below for the bits that you may wish to edit:

  • Put the script in your Documents folder, i.e. $home\Documents\ipv4\
  • The file you want to run the script on will need to be dumped in the same folder
  • The ipv4_* wildcard is used to detect the input file
  • Follow this guide if you want to run the PowerShell script with a simple double click of a batch script

I have a script very similar to this that does the same thing but grabs the input data from the web (similar to the Python scripts, but in PowerShell); I will post this in the next few days.

Find the script here on GitHub

Automatically gather IPv4 Threat Intelligence

To paraphrase Sun Tzu, “Know your enemy as you know yourself”. Yes, I know this is used in security ad nauseam and I profusely apologise for rolling out this tired old cliché, but as is often true, within the cliché lies the truth, and Sun Tzu’s famous quote is no different.

Collecting threat intelligence on the enemy (or possible enemy) and feeding it into your tool set can help you watch and protect against interactions with online addresses that could pose a threat to your environment.

There are a number of online resources that provide this intelligence for free, but collecting it and formatting it into a .CSV file ready for direct import into your tools can be cumbersome if it is not automated.

Tools such as SIEMs can take lists of IPv4 addresses directly from a .CSV file and use them to test rules against or to build reports on.

Example use cases include, amongst others: IP reputation lists to flag whenever your environment attempts to interact with IPs that have a poor reputation, IPs known to host malware, known C2 servers, or any interaction with a Tor exit node.

To this end I have written a Python script that will automatically grab the latest threat intel from a few sites. The script is pretty straightforward and can be easily edited to grab lists of IPv4 addresses from whatever site you want.

The Tor exit node list updates quite often, so it is probably better to schedule a cron job to update that list automatically. I will post a dedicated script for this and any other use cases that spring to mind in the future, as well as PowerShell scripts for Windows users who do not want to install Python.
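As an added illustration of the approach described in this post and in the PowerShell post above (my own example, not the scripts linked on GitHub), the following Python 3 code extracts only valid dotted quads from mixed source text, de-duplicates them keeping first-seen order, renders the one-column CSV a SIEM can import, and locates input files with the same ipv4_* wildcard. The sample sources are constructed, and fetching from the web is left to the caller, so it runs offline and takes no interactive input.

```python
import csv
import glob
import io
import os
import re

# One octet (0-255); the lookarounds reject partial matches inside longer
# dotted strings such as "10.0.0.1.5", so only whole dotted quads are kept.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_RE = re.compile(r"(?<![\d.])" + r"\.".join([_OCTET] * 4) + r"(?![\d.])")


def extract_ipv4(text):
    """Unique IPv4 addresses in text, in order of first appearance.
    Domain names, timestamps and bad octets never match (the 'redundant data')."""
    seen, result = set(), []
    for match in IPV4_RE.finditer(text):
        ip = match.group(0)
        if ip not in seen:
            seen.add(ip)
            result.append(ip)
    return result


def collect(sources):
    """Merge several source texts (feeds, logs, web pages) into one de-duped list."""
    return extract_ipv4("\n".join(sources))


def to_csv(ips):
    """Render the list as a one-column CSV with a header, ready for SIEM import."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["ip"])
    for ip in ips:
        writer.writerow([ip])
    return buf.getvalue()


def input_files(folder, pattern="ipv4_*"):
    """Locate input files by the ipv4_* wildcard, as the PowerShell post does."""
    return sorted(glob.glob(os.path.join(folder, pattern)))


# Constructed sample sources (not real feed data): a firewall log line and a
# feed with a comment, a duplicate, a five-part dotted string and a bad octet.
SAMPLE_SOURCES = [
    "2016-05-01 12:00:00 DENY src=203.0.113.7 dst=198.51.100.20",
    "198.51.100.20 # exit node\n203.0.113.7\n10.0.0.1.5\nbad.example.net 999.1.1.1",
]

if __name__ == "__main__":
    print(to_csv(collect(SAMPLE_SOURCES)), end="")
```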

A couple of notes on these scripts:

  • The Linux script runs on Python 2.7, as this is the version most commonly pre-installed on Linux distros.
  • The Linux script uses raw_input instead of input, because in Python 2.7 input evaluates whatever the user types as a Python expression (it is effectively eval applied to raw_input), which can lead to code injection vulnerabilities.
  • The Windows script uses Python 3, as most Windows users will need to install Python manually and it makes sense for them to use the most recent version.
  • The Windows script uses input, as Python 3 does not have the same code injection vulnerability risk.

Linux, Python 2.7 script. GitHub.

Windows, Python 3 script. GitHub.