Skip navigation
All Places > Products > RSA NetWitness Platform > Blog > Author: Efd0HAvoOzrPDvO0L1h7YFs5Xi88YvsudWcJsVUmQAQ=

So it's that time of year again when all of IT,  or at least the lucky ones, desend on Vegas and learn all about the best in Big Data, Storage, and Cloud.  Next week the RSA team will be there onsite.  As well as discussions and demos around the latest in security, will be the highlights around the EMC Federation.  This combination of EMC, VMware, RSA, and Pivotal will show solutions and ideas on how the EMC family works together.

There are also special activities for community members.  There will be a special EMC Community Network pod near the Social Lounge along with some games and prizes for those who are good hunters.  A Community Party as well, so Check out the EMC World vPass for more information.

See you there.


Come back here for a review and leave your own thoughts around the highlights of the conference...

Another great find.  As pointed out by Rui.A too!

The RSA Incident Response (RSA IR) team has developed an in-depth report called Emerging
Threat Profile: Shell_Crew
, where they detail the TTPs used by an adversary
that we have dubbed “Shell_Crew.” The Shell_Crew report is based on RSA IR’s
multiple incident response engagements involving a group of advanced threat
actors whose objective is to gain access, stay entrenched and ultimately steal
as much data and intellectual property as possible. 


It appears that Shell_Crew has persisted in enterprises of
varying sizes for years without being detected – updating or replacing existing
malicious backdoors and continuing to map the enterprise while installing Web
shells and poisoning existing web pages. These tenacious approaches make it
difficult for an under resourced internal security team to detect and remediate
the actions of this adversary.


The report is now live at,
and a blog detailing the threat is also now live on Speaking of Security


A few of the highlights include:

  • Prevalent use of Web shells to maintain low level
    persistence in spite of determined remediation efforts;
  • Altering or poisoning existing legitimate web pages
    maintained by an organization;
  • Occasional use of Web application framework exploits to
    achieve initial entry versus standard spearfishing attacks;
  • Lateral movement and compromise of Digital Code Signing
    Certificate infrastructure;
  • Abuse of Code Signing infrastructure to validly sign custom
    backdoor malware;
  • Exploiting systems using different SETHC.exe methods
    accessible via Remote Desktop Protocol (RDP);
  • Long history of IP/DNS telemetry allowing for historical
    research and link analysis;
  • Placement of malicious proxy tools introduced into the
    environment on Windows server based proxies to bypass proxy logging;
  • Extensive use of time/date stomping of malicious files to
    hinder forensic analysis; and
  • Malware leveraging compromised credentials to bypass
    authentication NTLM proxies (proxy aware).


Check out the full report.  Feel free to add thoughts and comments!

A new version of RSA Security Analytics has been released
and is now available to customers.
Version 10.3, follows on the heels of the 10.2 version released earlier
this year, and includes a number of significant enhancements.


The most significant change was the addition of two
additional modules.  Added to the lineup
is the new Security Analytics Archiver, and the Security Analytics Event Stream
Analysis module.


The ARCHIVER provides long term storage, Indexes, and
compresses log data. It is available in different sized increments based on
amount of device data and length of time.
The archiving storage is optimized for long term data retention through
compression and supports forensic analysis, and compliance reporting.


EVENT STREAM ANALYSIS module processes large volumes of
disparate event data along with network packet metadata.  It brings meaning through correlation and
real time alerting of security and packet data flowing through your enterprise.


Additional updates to the 10.3 release include:



  • Support for SNMPv3
  • Improved performance on reporting and
  • Enhanced MS Windows collection
  • User configurable event filtering
  • New Rule Builder to enable customer defined
    correlation rules
  • …and more!


Congratulations to the product team for continuing to evolve
and improve RSA Security Analytics with a great list of updates!  For more details on this new release, see the
RSA Security Analytics Website.

Filter Blog

By date: By tag: