Vulnerabilities: Everybody’s Got One!

In this post, Leigh Metcalf describes how she pulled data from the malvuln project to explore recent vulnerabilities in both malware and non-malware to study the differences.

Read More

June 16, 2021 • By Leigh Metcalf

In CERT/CC Vulnerabilities

CERT/CC Comments on Standards and Guidelines to Enhance Software Supply Chain Security

Art Manion, Eric Hatleback, Allen Householder, Jonathan Spring, and Laurie Tyzenhaus, recently submitted comments to the National Institute of Standards and Technology (NIST), which is seeking positions related to executive …

Read More

June 1, 2021 • By Jonathan Spring

In CERT/CC Vulnerabilities

Cat and Mouse in the Age of .NET

Penetration testers have long exploited the PowerShell scripting language to gain a foothold in systems and execute an attack. Eventually, changes in the PowerShell landscape caused the toolsets to shift …

Read More

November 19, 2020 • By Brandon Marzik

In CERT/CC Vulnerabilities

Adversarial ML Threat Matrix: Adversarial Tactics, Techniques, and Common Knowledge of Machine Learning

My colleagues, Nathan VanHoudnos, April Galyardt, Allen Householder, and I would like you to know that today Microsoft and MITRE are releasing their Adversarial Machine Learning Threat Matrix. This is …

Read More

October 22, 2020 • By Jonathan Spring

In CERT/CC Vulnerabilities

Three Places to Start in Defending Against Ransomware

This blog post, the second of three dealing with ransomware and defending against it, covers three initial efforts that will make it more difficult for attackers and less costly to …

Read More

October 12, 2020 • By Tim Shimeall

In CERT/CC Vulnerabilities

Ransomware as a Service (RaaS) Threats

This blog post explores the economics behind why ransomware remains a top tool for cybercrime and presents the current active ransomware variants that utilize ransomware as a service (RaaS), a …

Read More

October 5, 2020 • By Marisa Midler

In CERT/CC Vulnerabilities

Snake Ransomware Analysis Updates

In January 2020, Sentinel Labs published two reports on Snake (also known as Ekans) ransomware.[1][2] The Snake ransomware gained attention due to its ability to terminate specific industrial control system …

Read More

March 23, 2020 • By Kyle O'Meara

In CERT/CC Vulnerabilities

Bridging the Gap Between Research and Practice

A fundamental goal for a federally funded research and development center (FFRDC) is to bridge the gap between research and practice for government customers....

Read More

March 23, 2020 • By Leigh Metcalf

In CERT/CC Vulnerabilities

Security Automation Begins at the Source Code

Hi, this is Vijay Sarvepalli, Information Security Architect in the CERT Division. On what seemed like a normal day at our vulnerability coordination center, one of my colleagues asked me....

Read More

March 11, 2020 • By Vijay Sarvepalli

In CERT/CC Vulnerabilities

Comments on NIST IR 8269: A Taxonomy and Terminology of Adversarial Machine Learning

The U.S. National Institute of Standards and Technology (NIST) recently held a public comment period on their draft report on proposed taxonomy and terminology of Adversarial Machine Learning (AML)....

Read More

February 13, 2020 • By Jonathan Spring

In CERT/CC Vulnerabilities