News
Cyber News Today
Another day in the life o’cyber! There’s probably new exploits, new vulnerabilities, new updates and industry changes galore but here’s some highlights from the day!
Read more “Cyber News Today”
Threat Intel
Breaking news: Royal Mail's international tracking services are down and have been for > 24 hours:
The ICO have been contacted! The NCSC and NCA have been contacted! What should you do?
Read more “Royal Mail Cyber Attack! What should you do?” →
Education
Clearly this is for penetration testing, not for evil! So if you have to pentest Office 365 you might want to be attacking the authentication services. This will be aligned to the tenant you are testing; as always, make sure you have authorisation.
Deploy to your favourite Linux instance or WSL etc.
Read more “Password Spraying Office 365” →
Hacking
I’m not going to talk about these… yet… and there are duplicates because I think it’s useful to see where they can be used in different scenarios. Expect this list to grow!
Read more “Office 365/Azure Pentest Tools” →
Guides
Penetration testing, adversary simulation, red teaming, purple teaming, rainbow teaming, call it what you like, the security outcome we are working towards is:
This is to support the organisation’s mission, vision, goals, and objectives. Cyber security is to support and enable the organisation’s capability to execute digital services in a safe manner.
Read more “Practical Security Assurance” →
Defense
Whilst conducting security testing and assurance activities, I went looking to show logon events in Office 365. My first query was on IdentityEvents; this led to a view of a multi-month attack by a threat actor/s against a tenant, followed by exploring the rabbit hole of logs and computer systems. This blog summarises some of the methods and findings when considering threat hunting and authentication defences for Office 365. (Bear with me, I am tired so this might need a bit of a tune up later!)
Read more “Defending Against Direct Authentication Attacks in Microsoft Office 365” →
Leadership
I’ve been working with all kinds of different organisations over the years, and I keep running into similar scenarios. The current state of the majority of organisations’ security postures is simply (as a broad-brush statement) far riskier than it needs to be.
Conversely there are a range of common challenges I find in almost every org:
Read more “The Cyber Acid Test” →
Leadership
Can you lose maybe 25 million people’s vaults and still claim to be a secure secret management company? Does that even fly? Does it matter that you lose all the metadata (IP access logs), URLs and vast amounts of other metadata but don’t worry ~5 fields are encrypted so as long as your master password is never cracked… yawn…
Threat Intel
When an organisation suffers a data breach it’s usually bad. When it’s an organisation that stores 25 million people’s passwords, that’s really bad.
There are multiple risks here at play.
Firstly, when we give people our data, it’s our risk and our choice. I’m ok with that, I chose to give LastPass my data.
My vault data might be gone, but I have a strong master password, how we interpreted the theft of the basically cryptographic materials is a bit like when we full disk encrypt a drive.
If you lose a laptop that’s got FDE do you report this as a data loss to the ICO? Or do you say, it’s encrypted so actually I haven’t lost the data per se, I’ve just lost a random (ish) bunch of 0s and 1s so I don’t count that as an incident? I’m not here to be judge or jury.
Read more “LastPass Breach – The danger of metadata” →
Defence
Everyone has a plan until they are cyber punched in the face! Or something like that!
People seem to have this misconception that you need to “do a pentest” or some other project based activity to do “security testing” or response planning.
Let’s be real here, you really don’t. But what you do need is a few things: