Illusive Labs Blog

Covering cybersecurity from a technical perspective, focusing on deceptions,
threat trends, incident response, advanced attacks and new technologies.

For open source tools published by the Illusive Labs team, visit our GitHub page.

Improving Cyber Investigation Outcomes through Better Visualization of Historic Process Execution Events

Posted by Tom Kahana on Jan 30, 2018 10:07:07 AM

Incident response investigation usually involves the collection and analysis of a vast amount of evidence, including analysis of processes being executed. Looking at their timing and their ancestors provides researchers an initial understanding of what happened on the machine being investigated.
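As an added illustration of the timing-and-ancestry analysis described above (this is example code written for this page, not code from the Illusive Labs post or its tool), the script below rebuilds a process tree from historic process-creation events, walks a process's ancestors, and applies one simple rule over the result. The event records and their field names (ts, pid, ppid, image) are constructed for the example and are an assumption, not any particular product's schema. It also handles one caveat that bites in real investigations: Windows reuses PIDs, so a parent must be resolved as the most recent process with that PID created no later than the child, not simply "the event with pid == ppid".

```python
"""Rebuild a process tree from historic process-creation events.

Added example for this page, not the post's own code. Field names and the
sample events are constructed assumptions, not a specific telemetry schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events. Note that pid 1344 is reused at 10:05:00 by a
# different process, after the powershell.exe instance with that PID has gone.
EVENTS = [
    {"ts": "2018-01-30T10:00:01", "pid": 400,  "ppid": 1,    "image": "explorer.exe"},
    {"ts": "2018-01-30T10:02:15", "pid": 1200, "ppid": 400,  "image": "winword.exe"},
    {"ts": "2018-01-30T10:02:40", "pid": 1344, "ppid": 1200, "image": "powershell.exe"},
    {"ts": "2018-01-30T10:02:41", "pid": 1380, "ppid": 1344, "image": "certutil.exe"},
    {"ts": "2018-01-30T10:01:00", "pid": 900,  "ppid": 400,  "image": "chrome.exe"},
    {"ts": "2018-01-30T10:05:00", "pid": 1344, "ppid": 400,  "image": "notepad.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def index_by_pid(events):
    """Group creation events by PID in time order so PID reuse can be resolved."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_pid[ev["pid"]].append(ev)
    return by_pid


def find_parent(by_pid, child):
    """Creation event of the child's parent: the most recent process with
    pid == child['ppid'] that was created no later than the child itself.
    Returns None when the parent started before the collection window."""
    candidates = [ev for ev in by_pid.get(child["ppid"], []) if _ts(ev) <= _ts(child)]
    return candidates[-1] if candidates else None


def ancestry(events, pid):
    """Image names from the latest process with this PID up to its oldest known ancestor."""
    by_pid = index_by_pid(events)
    node = by_pid[pid][-1] if pid in by_pid else None
    chain, seen = [], set()
    while node is not None and id(node) not in seen:  # guard against bad data (ppid == pid)
        seen.add(id(node))
        chain.append(node["image"])
        node = find_parent(by_pid, node)
    return chain


def build_tree(events):
    """Return (roots, children) where children maps id(parent event) -> child events in time order."""
    by_pid = index_by_pid(events)
    roots, children = [], defaultdict(list)
    for ev in sorted(events, key=_ts):
        parent = find_parent(by_pid, ev)
        if parent is None or parent is ev:
            roots.append(ev)
        else:
            children[id(parent)].append(ev)
    return roots, children


def render(events):
    """Indented, chronologically ordered tree: one line per process-creation event."""
    roots, children = build_tree(events)
    lines = []

    def walk(ev, depth):
        lines.append(f"{ev['ts']} {'  ' * depth}{ev['image']} (pid {ev['pid']})")
        for child in children[id(ev)]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


def office_spawned_script_hosts(events):
    """Simple triage rule: script hosts whose resolved parent is an Office application."""
    by_pid = index_by_pid(events)
    hits = []
    for ev in sorted(events, key=_ts):
        if ev["image"].lower() in SCRIPT_HOSTS:
            parent = find_parent(by_pid, ev)
            if parent is not None and parent["image"].lower() in OFFICE_APPS:
                hits.append((parent["image"], ev["image"], ev["pid"]))
    return hits


if __name__ == "__main__":
    print(render(EVENTS))
    print("ancestry of pid 1380:", " <- ".join(ancestry(EVENTS, 1380)))
    print("office -> script host:", office_spawned_script_hosts(EVENTS))
```

With the sample data, certutil.exe (pid 1380) resolves to powershell.exe as its parent even though pid 1344 later belongs to notepad.exe, because the lookup is bounded by the child's creation time; a naive pid == ppid join would attach it to whichever event happened to come last.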



Windows Console Command History: Valuable Evidence for Live Response Investigation

Posted by Tom Sela on Jan 11, 2018 8:01:49 AM

Note:  This blog is an updated version of a piece originally published in the March 2017 edition of eForensics Magazine

As a security researcher and part-time Incident Response (IR) analyst, I know that fine details are of paramount importance. The role requires ongoing research to understand an attacker’s actions on compromised machines. A typical research process requires examining hundreds, or even thousands, of artifacts to find the needle in the haystack.



Phishing the Phishers: Using Attackers’ Own Tools to Combat APT-style attacks

Posted by Dolev Ben Shushan on Dec 28, 2017 6:49:04 AM

As a deceptions researcher, part of my job is to design deceptions against attackers by manipulating or reverse-engineering the common toolkits attackers use. Deceptions are pieces of false information that are planted across the organization and appear as real, relevant information to the attacker. For example, browser deceptions — pieces of information specifically planted in browser history, saved forms, etc. — can be created to lure malicious hackers and insiders to deceptive web servers. In this article, we will show how phishing can be used to catch attackers and how phishing kits can be used for defensive purposes.



A Deception Researcher’s Take-Aways from the 2017 Black Hat Arsenal

Posted by Dolev Ben Shushan on Aug 23, 2017 7:00:00 AM

Most people in cybersecurity are familiar with the Black Hat conference. But whether you know about Black Hat Arsenal depends on how involved you are in the bits and bytes of information security. Some regard Arsenal as one of the best features of the conference. According to the web site, Arsenal allows “independent researchers and the open source community [to] showcase their latest open-source tools and products” in a relaxed, demo-style setting.


