Whilst conducting security testing and assurance activities, I went looking to show logon events in Office 365. My first query was on IdentityEvents, this led to a view of a multi month attack by a threat actor/s against a tenent, followed by exploring the rabbit hole of logs and computer systems. This blog summarises some of the methods and findings when considering threat hunting and authentication defences for Office 365. (bear with me I am tired so this might need a bit of a tune up later!)Read more “Defending Against Direct Authentication Attacks in Microsoft Office 365”
When it comes to digital technology, we have to consider many things.
Availability, Confidentiality, and Integrity are good building blocks for considerations. We can probably split this into two major views to start with:
- What does a typical consumer care about?
- What security and privacy considerations could be made?
A typical consumer may be about:
- WIFI Coverage
- Ease of Use
- Ease of Support/Troubleshooting
- What happens if it breaks?
- Can I stop my kids messing with it? (Probably not so why bother)
|MITRE||CVE – CVE-2022-26809 (mitre.org)|
|Impact||Remote Code Execution (RCE)|
|Exploit in the wild||Currently not observed|
|Difficulty to Exploit (if PoC available)||Very Low|
|Network Position||TCP/IP Routable or Network Adjacent|
|Authentication Required to Exploit||No|
|Affected||Windows Client/Server OS|
|Typical Service Ports||TCP 135,139,445|
|Vendor Patch Available||Yes|
|Exploitable in Default OOB (out of the box) configuration||Unknown|
|Exploitable Client/Server||Believed to be client and server side exploitable|
Ok this is not a small subject areas and it’s not a HOW TO guide but it should at least give you some ideas for tools to deploy and areas to check that are abused by Ransomware gangs and ATPs etc. Thanks to people who contributed!
This is not everything but it’s some common low hanging weaknesses:Read more “Rapid Active Directory Hardening Checklist”
Go and run this on the connection servers:
It’s crude so also look for the modified timestamps, recent unexpected blast service restarts and if you have process logging go and check for suspicious child processes over the period. Once you have checked, run a backup, then if they aren’t patched, patch the servers! (i know patching isn’t as simple as just patch!)Read more “Log4Shell exploitation and hunting on VMware Horizon (CVE-2021-44228)”
If you have a business email compromise incident and you haven’t deteced it in a timely manner your fist notification might be a bad experiance, the threat actors may have commited fraud, attemped fraud or simply launched a phishing If you have a business email compromise incident and you haven’t detected it in a timely manner your fist notification might be a bad experience, the threat actors may have committed fraud, attempted fraud, or simply launched a phishing campaign from your environment. If you are in this position, there are some steps you can take from a technical point of view to limit impact and reduce risk of a re-occurrence. This blog is a high-level view at some of the tactical and longer-term activities you can conduct.Read more “Post Business Email Compromise actions for Office 365 Users”
This is part of a series I’m writing which is focusing on some of the core fundamentals of why cyber security is a business issue, why business leadership should care and invest in a good security posture and I’m looking at common security threats and ways you can combat these. Read more “I’m the CEO why do I care about phishing threats?”
First and foremost, I’m going to start by saying if I include any cliché quotes it’s probably in an ironic context or used to show how they aren’t practically useful. Why are we here? Well, based on the title, it’s because you are either a CEO/MD or you are in a leadership position and want to learn a little more about cyber security.
I’m sure you have read the news, I’m sure you have seen vendor adverts explaining something like:
- Zero Trust
- The Security Skills Gap
- How phishing can be solved through security awareness training (pro tip: it can’t)
And I’m sure someone on your LinkedIn feed you have seen people exclaim all kinds of crazy things like:
- TLS Weaknesses Lead to Ransomware
- Security is Simple (it, I’m afraid, is not)
- Managed Security Service Providers ensure security
“Security education and awareness darling, it’s all the rage! It’s simply to hot right now.” Ok stop, let’s take a minute to get some context. It’s the year 2021, organisations are taking a battering round the globe from cyber criminals who are deploying ransomware, extortion, and fraud via a range of methods but one you can’t not have heard of is phishing.
In this post today, I’m going to look at realities of initial access, phishing and some questions I think people should be asking themselves about the idea of phishing their own userbase. I try and look at this from multiple perspectives because I think it’s a complex subject. Let’s start with initial access methods!
Common Patterns of Access
If we look at the world of technology and cyber security, you will see logs of references to frameworks and language that is enough to send even the committed to sleep! However, let’s abstract from our TTPs, our MITRE ATT&CK frameworks and our “threat actors” and let’s talk in normal English. Read more “Phishing your own people – path to eroding trust or a useful tool?”