Research
Hacking Firm I-Soon Data Leak Reveals Chinese Government Hacking Capabilities
On February 16, 2024, an unidentified person/group published a significant amount of data on GitHub. The treasure trove of confidential information resulted from a breach of the China-based company iSoon, also known as Anxun, a contracted entity associated with the Chinese Ministry of Public Security (MPS). The incident is reportedly linked to Chengdu 404, a structure under the control of Chinese cyber intelligence, famously recognized as APT41.
AT&T Cybersecurity Extended Detection & Response (XDR) Validation Report
SecureIQLab tested the ability of AT&T’s Cybersecurity Extended Detection and Response (XDR) solution to manage the Threat Detection and Incident Response (TDIR) lifecycle comprehensively. Validation was completed to ensure the unification of threat data across endpoints, networks, and cloud environments. The evaluation, based on SecureIQLab’s XDR v1.0 Validation Framework, focused on the solution’s efficiency in detecting and responding to threats, reducing alert overload, and enhancing incident prioritization using analytics, machine learning, and integrated threat intelligence. The real-world performance of the XDR solution was demonstrated through deployment in a controlled, segmented environment that contained varied user permissions, aiding in the assessment of the solution’s effectiveness and its ability to minimize false positives.
Command & Control Prevention: SecureIQLab CyberRisk Comparative Security Vendor Report
SecureIQLab tested the ability of nine popular cybersecurity solutions to protect against command-and-control attacks. Testing was executed from Q3 through Q4 of 2022. Six of these solutions were Next-Generation Firewall (NGFW), on-prem & virtual appliance. These include solutions from Checkpoint, Cisco, Fortinet, and Palo Alto Networks. The remaining three solutions tested were Security Service Edge (SSE) based cloud solutions from Cisco, Palo Alto Networks, and Zscaler. All products were tested to block the command-and-control capabilities of the Cobalt Strike attack suite. The test methodology measured the block rate of the tested NGFW & SSE solutions against Cobalt Strike in multiple attack scenarios.
Understanding Prime Numbers in the Context of PKI
Secure communication and the exchange of sensitive information are essential in the current digital era. The basis for securing privacy and authenticity in online transactions, data exchange, and communication for the most part relies upon public key infrastructure (PKI).
Security Service Edge Command & Control Prevention Comparative Report
TEST PERIOD: DECEMBER 2022—DECEMBER 2022
LAST REVISION: 9 March 2023
COMMISSIONED BY: PALO ALTO NETWORKS
SecureIQLab tested the ability of Security Service Edge (SSE) products to block the command-and-control capabilities of the Cobalt Strike attack suite. Three products were tested: Palo Alto Networks Prisma Access, Cisco Umbrella, and Zscaler ZIA.
The test measured the block rate of the tested SSE solutions against Cobalt Strike in 5 attack scenarios.
Next-Generation Firewall Command & Control Prevention Comparative Report
TEST PERIOD: JULY 2022—SEPTEMBER 2022
LAST REVISION: 11/30/2022
COMMISSIONED BY: PALO ALTO NETWORKS
SecureIQLab tested the ability of next-generation firewalls to block the command-and-control capabilities of the
Cobalt Strike attack suite. Six firewalls were tested: The Checkpoint SG5100, Cisco Firepower 4110, Fortinet FG301E, Fortinet FG-VM04V, Palo Alto Networks PA-460, and Palo Alto Networks PA-VM-Flex.
The test measured the block rate of the tested firewalls against Cobalt Strike in six attack scenarios.
Reversing Sunburst’s C&C Server Implementation
The world learned about Sunburst, the backdoor implanted into SolarWinds’ Orion product via a supply chain compromise. Both high-level and low-level details on Sunburst can be found all over the internet, including in a previous post. In this paper, SecureIQLab will reverse enough details of Sunburst’s Command & Control (C&C) to construct a rough C&C server implementation. The technical reader will be able to use this information to supplement their own threat research and improve their organization’s security posture.
Publications
SecureIQLab works with enterprises, experts, and security vendors to create relevant security validation methodologies. Results from public testing are available as a complimentary service to the public.
Blog
Introduction to SecureIQLab and thoughts on the cloud security industry.
Podcast
Reining in the Cloud, is hosted by SecureIQLab and focuses on cloud security. We discuss all things cybersecurity related, with a spin in the cloud. Each month, we invite cyber security experts to engage in a wide range of cloud security topics that will leave listeners with a bit more know-how about their own cloud security knowledge. Bridging the cloud security gap one listener at a time. >>