Monthly Archives: April 2018

Be a Conscientious Risk Manager

Whether you are a CIO or CISO in the Federal, State or Local, Education, or Commercial Business areas, you are all faced the with same challenge, whether you accept it or not. In the security risk management world, if the malicious actor wants into your network, they will figure out a way to get in. You of course still need to build a comprehensive risk governance and management plan, but that plan must be built on the premise of how you will respond, when the breach occurs.

Having spent 38 years in Information Security, the one constant that I see, is that the individuals who make it their business to steal or disrupt your data, are better funded, better trained, and have unlimited hours to execute their trade. What we hope to achieve is being a half-step behind them at worst case. There is no way to stay in step, and a step ahead is out of the question.

So what does this really mean to the conscientious risk manager. Create a strategy whereby you frequently identify the threat, and measure the risk against that threat in your as-built infrastructure. Test frequently, outside and inside, using he same tools and techniques the malicious actors use. Test user security awareness, as we know it only takes one click of a phishing email malicious link, to potentially bring down and entire enterprise. Measure, document, prioritize, and build a risk roadmap strategy to keep risk mitigation focus on those most critical exploitable areas.

Three Top Security Imperatives
Keep in mind that your top three security imperatives are: Reducing your threat exposure, enhancing your response and recovery times, and increasing security visibility. What does security visibility mean, implementing the people, process, and technology in key security areas, to give you a fighting chance to detect, and react to malicious and advanced persistent threats.

Let’s talk people, process, and technology. We all know users are the weakest link in any security chain. Not because they have sinister intent, although sometimes they do, but primarily because in today’s high-powered technical, mobile, and social world, it is commonplace for a lapse in judgment to occur. We live in a rapid–fire, high-availability, high-output world, and mistakes can and will be made. So make is less commonplace, train and educate often, and monitor closely for when that lapse in judgment occurs.

Process: Again our high-powered technical, mobile, and social world often demands we run at warp speed.  Who has time to document? Well — make the time.  Good documentation to include process, policies and standards, as well as a documented and managed configuration control process, will help keep you more secure. Every process, policy and standard document has to have an assigned owner, has to have a designated review date, and has to have an oversight or governance process. All roles and responsibilities need to be included in the documentation, and the expected outcome needs to be defined. Make the time to prepare and socialize your critical information security program documentation.

Technology: Many risk owners fall prey to purchasing every piece of security technology available, at what I like to call the security “choke points”, end-point, network, edge, gateway, etc. This is just what everyone does. However, why not use the process we discussed above — measure, document, prioritize, and build a risk roadmap strategy — as your guideline for what you purchase and deploy for technology. Ask yourself — what is so wrong with selecting and implementing a product, only after you validate how it will help you manage your documented security risk? Of course the answer to that is — nothing.

Focus on Seamless Collaboration
You have documented your risk, you have prioritized your risk roadmap, and as a result you know the very specific technology, or set of technologies, you need to implement first. Most importantly, your technology selections should focus on products that collaborate in a seamless way. In other words, your end-point, edge, network, gateway, sandbox, etc., security technologies all talk to each other. We call this approach to complete security visibility across the whole landscape, Unified Security Stack. And, don’t forget that all technology must have a people and process component as well.

Good information security risk management and risk governance does not come by accident.  It takes planning and execution. In the end, although you may not keep the bad guy out, you will be better prepared for when.

The post Be a Conscientious Risk Manager appeared first on Connected.


KWA UFUPI: Wakuu wa vitengo vya TEHAMA wamekutana kujadili changamoto na namna nzuri ya kuzitatua changamoto hizo katika vikao vilivyo kamilika Nchini Kenya.

Watunga sera na sheria mbali mbali wamekua wakifanya maamuzi ya TEHAMA bila kushirikisha wadau wa TEHAMA – Hii imekua moja ya changamoto inayo leta mkinzano wa utendaji wenye manufaa kwa wana TEHAMA maeneo mengi barani Afrika.

Mjadala ulioangazia umuhimu wa udhibiti na uangalizi wa watendaji katika sekta ya TEHAMA umeonekana kua mzuri ila umegubikwa na changamoto kadhaa kutokana na ushirikishwaji mdogo wa wadau ili kuweza kuleta mabadiliko kwenye sekta husika.

Mjadala huu umejadiliwa kufuatia kuwepo kwa sera mpya nchini Kenya itakayo rasimisha Wana TEHAMA na kuwataka watambulike kabla ya kuweza kuhudumu maeneo mbali mbali. Hili litafanana na tulicho nacho nchini Tanzania kwa wanasheria pamoja na wataalam wa maeneo mengine kadhaa.

Kinachotegemewa katika urasimishaji wa sekta ya TEHAMA na kumfanya mwana TEHAMA atambulike na kuhudumia katika sekta ya TEHAMA ni pamoja na  kupitia hatua kuu tatu ambazo ni, Kusomea – Usaili – Kupatiwa leseni ya kutoa huduma katika sekta husika.

Changamoto iliyo onekana ni pamoja na uwezekano wa kuua vipaji vya wabunifu wa TEHAMA ambao wamekua wakija na ubunifu wenye manufaa pasi na kua na ujuzi rasmi katika sekta husika.

Tumeshudia kuwepo kwa vijana walio somea fani nyingine tofauti na TEHAMA ila baadae kuja na Mifumo mizuri ya Kitehama iliyoweza kutatua changamoto mbali mbali katika maeneo yetu tofauti na wengine waliosomea fani husika na kushindwa kuwa wabunifu wa kuleta mabadiliko katika jamii zetu.

Kuna baadhi ya Mifumo tuko nayo maeneo mengi ambayo wabunifu wake hawakua na elimu ramsi katika sekta ya TEHAMA. Aidha, Swali kuu matumizi ya TEHAMA ya mekua kuna ulazima mhusika kua na elimu rasmi? Ilhali kila sekta inategemea TEHAMA na kuna uwezekano kila mwenye ujuzi wa fani yoyote akawa na uwezo wa kufanya vizuri kwenye mifumo ya TEHAMA.

GDPR (General Data Protection Regulations) Nchi za umoja wa ulaya wana mategemeo ya kuanza rasmi matumizi ya GDPR mwishoni mwa mwezi wa tano mwaka huu wa 2018 – Lengo kuu ni kulinda faragha za raia wake.

Hatua hii inaweza kuathiri maeneo mengi duniani Afrika ikiwemo kwani tumeendelea kufanya biashara na kuhudumia mataifa ya umoja wa ulaya ambapo inahusisha taarifa za wana jumuia ya ulaya kupatikana kwetu.

Mjadala mzito wa nini tutegemee pale umoja wa Ulaya watakapo anza rasmi matumizi ya GDPR katika taasisi zetu hususan za kifedha. Namna bora ya kuweza kulinda (faragha) za watumiaji mifumo ya kitehama katika taasisi zetu ili kuondokana na tunachoweza kukabiliana nacho baada ya kuanza rasmi matumizi ya GDPR barani ulaya.

CSIRT (Computer Security Incidence Response Team) – Tumekua na changamoto ya uwepo wa vitengo mahususi vya kukabiliana na matukio ya kihalifu mtandao katika taasisi na kampuni mbali mbali. Hili linatokana na uelewa mdogo juu ya umuhimu wa vitengo hivi mahsusi vyenye jukumu la kukabiliana na uhalifu mtandao.

Umuhimu wa CSIRT, namna ya kuanzisha na majukumu yake katika kila kampuni na taasisi ni mjadala nilio uongoza kuhakiki kila mmoja anafahamu hili.

Matukio ya kihalifu mtandao katika mataifa yetu yanayopelekea upotevu wa Fedha, upotevu wa taarifa, udukuzi wa mifumo na kadhalika yamekua yakijitokeza mara kwa mara yanayo acha athari kubwa kwa taasisi za serikali na binafsi maeneo mengi duniani.

Ni wajibu wa kila taasisi na kampuni kujua ina jukumu la kujilinda dhidi ya uhalifu mtandao na namna pekee ya kufikia hapo ni pamoja na kua na kitengo wahususi chenye jukumu la ulinzi mtandao pekee ambapo kitengo husika kitaweza kuhakiki usalama mtandao unakuwepo.

Aidha, kumekua na mijadala mingine mingi sana ambayo yote ilikua na lengo la kuhakiki tuna tambua namna sahihi ya kukabiliana na changamoto nyingi zinazotokana na uwepo matumizi makubwa ya mifumo ya TEHAMA yanayo rahisisha utendaji kazi katika taasisi na kampuni mbali mbali.


IN BREAF: Morocco will be hosting this year CyFy Africa where experts and practitioners from around the globe expected to discuss the future the technology holds for the Continent. CyFy Africa comes at a time when the world’s attention is centered on Africa’s rise towards becoming the next digital superpower.

Cyber Security and Global Stability, Data Security ,Securing the Future of Africa’s Mobile Market, A Normative Framework for African Cyberspace: Lessons from the AU Convention on Cybersecurity and Personal Data Protection (AUCC) are among the key agenda that will be discussed during this year event.

Other agenda are Human Rights in the Digital Age, The Future of Entertainment, Online youth investment: Successes, opportunities and challenges and Internet CapacityBuilding for Development 

I expect to join other cybersecurity expert and practitioners to address delegates during CyFy Africa 2018 event.
NEWS UPDATES: The JUTA Cyber Crime and Cyber Security Bill Pocket Book will be launched during the Lex-Informatica Annual SA Cyber Law & ICT conference 2018 in Johannesburg south Africa – The theme of the event is “Cyber Law in ICT Review”.
I’ll be joining other experts to discuss and enlightening delegates on keys issues people are facing in the world through topics like Cyber Crime, Cyber Security, Digital Forensics, Data Breach, Data Protection, Social Media Law, POPIA to mention a few.

In a few short years, African nations have already made the leap from responsive adaptation of imported technology to pioneering innovation across a host of digital service sectors such as finance, agriculture, education, and health.

The ascent of the ‘Silicon Savannah’ is evident from the emergence of hundreds of innovation hubs, technology related enterprises, and the heavy infusion of venture capital across the continent.

As the experience with the African Union Convention on Cybersecurity and Data Protection shows, the African Union (AU) allows the continent to put forth an African proposition on the digital space. Additionally, the continent has made great strides towards digital integration with the advent of the One Area Network initiative. The massive rollout of fibreoptic cables across the length and breadth of the region has catalysed the creation of scores of young tech entrepreneurs, who are eager to reap digital dividends.

Indeed, it is only a matter of time before the world’s most important innovations flow out of Africa. Structured around the broad themes of connectivity, digital inclusion, security, innovation and trade.


KWA UFUPI: TaskRabbit imekua muhanga wa uhalifu mtandao – IKEA, Imethibitisha. Hii ni katika muendelezo wa Programu tumishi (Applications) na huduma zingine za kimtandao kuingiliwa na wahalifu mtandao ambapo taarifa za watu zimejikuta katika mikono isiyo salama.
TaskRabbit iliyo anzishwa mwaka 2008 na Bi. Leah Busque iliyokua na madhumuni ya kutoa ajira zisizo rasmi kwa watu ambapo ilinunuliwa na IKEA mwaka 2017. Imekua ikitoa huduma zake kwa kujitegemea ndani ya mjumuiko wa makampuni ya nayo milikiwa na IKEA.

Program tumishi hiyo imekua ikitumiwa Zaidi na Raia wa Uingereza na maeneo mengine kujitafutia ajira zizizo rasmi kama kazi za ndani, kazi za bustani na nyinginezo ambapo wateja wa program tumishi hiyo na huduma za kimtandao zinazo shabiana na program tumishi hiyo imekua ikikusanya taarifa za watafuta ajira na wanao tafuta wakuwafanyia kazi hizo.

Mjadala wa wanausalama mtandao umeeleza taarifa binafsi nyingi za wateja zimekua zikikusanywa na sasa zimeingia mikononi mwa wahalifu mtandao. Prorgram tumishi pamoja na tovuti zimefungwa kwa muda kufuatia tukio hili.

Kamishna wa mawasiliano wa uingereza aamekiri kua na taarifa juu ya tukio hilo na ameeleza wanalifatilia kwa karibu. Aidha, TaskRabbit hadi sasa imekaidi kutoa ufafanuzi wa uhalisia wa tukio husika huku ikikadiriwa udukuzi umeathiri kwa kiasi kikubwa na huwenda umedumu kwa muda.

Kampuni imeeleza inafanya uchunguzi wa kina kufuatia tukio hilo huku ikewataka wateja wake kubadili maneno siri (Nywila) na kuahidi kutoa taarifa zaidi baada ya uchunguzi kukamilika juu ya athari Zaidi sanjari na kuwahakikishia wateja wake walioshindwa kufanya kazi zao kutokana na hitlafu zilizopelekea kufungwa kwa muda kwa huduma watapatiwa fidia.


WAMILIKI WA PROGRAM TUMISHI: Kumekua na msisitizo mkubwa kwa wanaotoa huduma za mitandao ikiwa ni pamoja na program tumishi kutakiwa kuhaki wanajipanga kulinda taarifa za wateja wao kabla ya kuanza kutoa huduma.

Aidha, Kutokana na wimbi kubwa la wahalifu mtandao kuingiza tarikishi zisizo salama kwenye program tumishi bila ya wamiliki kua na ufahamu – Tumetoa muongozo mpya wa kuhakiki wamiliki wanalinda wateja/ watumiaji na endapo itatokea wahalifu mtandao wakadhuru wakuwajibishwa awe ni mmiliki.

Itakumbukwa tukio la Uber ambapo mamilioni ya taarifa za watumiaji wa program tumishi hiyo maarufu kwa kutafutia watu usafiri ilijikuta matatani baada ya kutoa mwanya wa wahalifu mtandao kuingiza tarikishi zisizo salama zilizo pelekea mamilioni ya Taarifa kuingia mikononi mwa wahalifu mtandao.

WATUMIAJI WA PROGRAM TUMISHI: Awali ya yote kila mtumiaji wa program tumishi yoyote anatakiwa kutambua anajukumu la kutambua faragha yake inalindwa vipi na program tumishi husika.

Kumekua na nahatua mbali mbali ambazo tumekua tukizichukua kuhaki taarifa binafsi za watu zinakua salama lakini pia ni jukumu la mtumiaji kufuata maelekezo tunayo yatoa.

-         Kabla ya kupakua na kuijumuisha program tumishi katika simu yako, mahitaji yanakuwepo? Na ulazima wakua nayo unakuwepo?
-         Unaifahamu vizuri progam tumishi uitumiayo? Hususan inachochukua kutoka kwako kabla ya kukupatia huduma?
-         Unatoa ruhusa wa taarifa chache pekee kuenda kwenye program tumishi au unaipatia taarifa nyingi zaidi zinazo hatarisha faragha yako?
-         Unatumia Nyila madhubuti na kibadilisha mara kwa mara kujilinda binafsi?

Pamoja na jitihada kubwa ambazo tumeendelea kuzichukua – Changamoto kubwa imekua watumiaji wamekua na uelewa mdogo wa namna ya kujilinda binafsi inayo pelekea matukio ya faragha za watu kuingia mashakani kutokana na kuendelea kukua kwa uhalifu mtandao maeneo mengi duniani.

Solving Ad-hoc Problems with Hex-Rays API


IDA Pro is the de facto standard when it comes to binary reverse engineering. Besides being a great disassembler and debugger, it is possible to extend it and include a powerful decompiler by purchasing an additional license from Hex-Rays. The ability to switch between disassembled and decompiled code can greatly reduce the analysis time.

The decompiler (from now on referred to as Hex-Rays) has been around for a long time and has achieved a good level of maturity. However, there seems to be a lack of a concise and complete resources regarding this topic (tutorials or otherwise). In this blog, we aim to close that gap by showcasing examples where scripting Hex-Rays goes a long way.

Overview of a Decompiler

In order to understand how the decompiler works, it’s helpful to first review the normal compilation process.

Compilation and decompilation center around the concept of an Abstract Syntax Tree (AST). In essence, a compiler takes the source code, splits it into tokens according to a grammar, then these tokens are grouped into logical expressions. In this phase of the compilation process, referred to as parsing, the code structure is represented as a complex object, the AST. From the AST, the compiler will produce assembly code for the specified platform.

A decompiler takes the opposite route. From the given assembly code, it works back to produce an AST, and from this to produce pseudocode.

From all the intermediate steps between code and assembly, we are stressing the AST so much because most of the time you will spend using the Hex-Rays API, you will actually be reading and/or modifying the Abstract Syntax Tree (or ctree in Hex-Rays terminology).

Items, Expressions and Statements

Now we know that Hex-Rays’s ctree is a tree-like data structure. The nodes of this tree are either of type cinsn_t or cexpr_t. We will define these in a moment, but for now it is important to know that both derive from a very basic type, namely the citem_t type, as seen in the following code snippet:

Therefore, all nodes in the ctree will have the op property, which indicates the node type (variable, number, logical expression, etc.).

The type of op (ctype_t) is an enumeration where all constants are named either cit_<xyz> (for statements) or cot_<xyz> (for expressions). Keep this in mind, as it will be very important. A quick way to inspect all ctype_t constants and their values is to execute the following code snippet:

This produces the following output:

Let’s dive a bit deeper and explain the two types of nodes: expressions and statements.

It is useful to think about expressions as the “the little logical elements” of your code. They range from simple types such as variables, strings or numerical constants, to small code constructs (assignments, comparisons, additions, logical operations, array indexing, etc.).

These are of type cexpr_t, a large structure containing several members. The members that can be accessed depend on its op value. For example, the member n to obtain the numeric value only makes sense when dealing with constants.

On the other side, we have statements. These correlate roughly to language keywords (if, for, do, while, return, etc.) Most of them are related to control flow and can be thought as “the big picture elements” of your code.

Recapitulating, we have seen how the decompiler exposes this tree-like structure (the ctree), which consists of two types of nodes: expressions and statements. In order to extract information from or modify the decompiled code, we have to interact with the ctree nodes via methods dependent on the node type. However, the following question arises: “How do we reach the nodes?”

This is done via a class exposed by Hex-Rays: the tree visitor (ctree_visitor_t). This class has two virtual methods, visit_insn and visit_expr, that are executed when a statement or expression is found while traversing the ctree. We can create our own visitor classes by inheriting from this one and overloading the corresponding methods.

Example Scripts

In this section, we will use the Hex-Rays API to solve two real-world problems:

  • Identify calls to GetProcAddress to dynamically resolve Windows APIs, assigning the resulting address to a global variable.
  • Display assignments related to stack strings as characters instead of numbers, for easier readability.


The first example we will walk through is how to automatically handle renaming global variables that have been dynamically resolved at run time. This is a common technique malware uses to hide its capabilities from static analysis tools. An example of dynamically resolving global variables using GetProcAddress is shown in Figure 1.

Figure 1: Dynamic API resolution using GetProcAddress

There are several ways to rename the global variables, with the simplest being manual copy and paste. However, this task is very repetitive and can be scripted using the Hex-Rays API.

In order to write any Hex-Rays script, it is important to first visualize the ctree. The Hex-Rays SDK includes a sample, sample5, which can be used to view the current function’s ctree. The amount of data shown in a ctree for a function can be overwhelming. A modified version of the sample was used to produce a picture of a sub-ctree for the function shown in Figure 1. The sub-ctree for the single expression: 'dword_1000B2D8 = (int)GetProcAdress(v0, "CreateThread");' is shown in Figure 2.

Figure 2: Sub-ctree for GetProcAddress assignment

With knowledge of the sub-ctree in use, we can write a script to automatically rename all the global variables that are being assigned using this method.

The code to automatically rename all the local variables is shown in Figure 3. The code works by traversing the ctree looking for calls to the GetProcAddress function. Once found, the code takes the name of the function being resolved and finds the global variable that is being set. The code then uses the IDA MakeName API to rename the address to the correct function.

Figure 3: Function renaming global variables

After the script has been executed, we can see in Figure 4 that all the global variables have been renamed to the appropriate function name.

Figure 4: Global variables renamed

Stack Strings

Our next example is a typical issue when dealing with malware: stack strings. This is a technique aimed to make the analysis harder by using arrays of characters instead of strings in the code. An example can be seen in Figure 5; the malware stores each character’s ASCII value in the stack and then references it in the call to sprintf. At a first glance, it’s very difficult to say what is the meaning of this string (unless of course, you know the ASCII table by heart).

Figure 5: Hex-Rays decompiler output. Stack strings are difficult to read.

Our script will modify these assignments to something more readable. The important part of our code is the ctree visitor mentioned earlier, which is shown in Figure 6.

Figure 6: Custom ctree visitor

The logic implemented here is pretty straightforward. We define our subclass of a ctree visitor (line 1) and override its visit_expr method. This will only kick in when an assignment is found (line 9). Another condition to be met is that the left side of the assignment is a variable and the right side a number (line 15). Moreover, the numeric value must be in the readable ASCII range (lines 20 and 21).

Once this kind of expression is found, we will change the type of the right side from a number to a string (lines 26 to 31), and replace its numerical value by the corresponding ASCII character (line 32).

The modified pseudocode after running this script is shown in Figure 7.

Figure 7: Assigned values shown as characters

You can find the complete scripts in our FLARE GitHub repository under decompiler scripts


These two admittedly simple examples should be able to give you an idea of the power of IDA’s decompiler API. In this post we have covered the foundations of all decompiler scripts: the ctree object, a structure composed by expressions and statements representing every element of the code as well the relationships between them. By creating a custom visitor we have shown how to traverse the tree and read or modify the code elements, therefore analyzing or modifying the pseudocode.

Hopefully, this post will motivate you to start writing your own scripts. This is only the beginning!

Do you want to learn more about these tools and techniques from FLARE? Then you should take one of our Black Hat classes in Las Vegas this summer! Our offerings include Malware Analysis Crash Course, macOS Malware for Reverse Engineers, and Malware Analysis Master Class.


Although written in 2009, one of the best references is still the original article on the Hex-Rays blog.

M-Trends 2018

What have incident responders observed and learned from cyber attacks in 2017? Just as in prior years, we have continued to see the cyber security threat landscape evolve. Over the past twelve months we have observed a number of new trends and changes to attacks, but we have also seen how certain trends and predictions from the past have been confirmed or even reconfirmed.

Our 9th edition of M-Trends draws upon the findings of one year of incident response investigations across the globe. This data provides us with insights into the evolution of nation-state sponsored threat actors, new threat groups, and new trends and attacker techniques we have observed during our investigations. We also compare this data to past observations from prior M-Trends reports and continue our tradition of reporting on key metrics and their development over time.

Some of the topics we cover in the 2018 M-Trends report include:

  • How the global median time from compromise to internal discovery has dropped from 80 days in 2016 to 57.5 in 2017.
  • The increase of attacks originating from threat actors sponsored by Iran.
  • Metrics about attacks that have retargeted or even recompromised prior victim organizations, a topic we previously discussed in our 2013 edition of M-Trends.
  • The widening cyber security skills gap and the rising demand for skilled personnel capable of meeting the challenges posed by today’s more sophisticated threat actors.
  • Frequently observed areas of weaknesses in security programs and their relation to security incidents.
  • Observations and lessons we have learned from our red teaming exercises about the effectiveness and gaps of common security controls.

By sharing this report with the security community, we continue our tradition of providing security professionals with insights and knowledge gained from recent breaches. We hope that you find this report useful in your work to strengthen your security posture and defend against the ever evolving threats.