blue team – Page 6

Hunting for New Group Policies Where Scheduled Tasks are…

A common way to deploy an encryption routine used in Ransomware scenarios is to create a scheduled task to launch a cyptor exe. This is commonly deployed via a Group Policy Object (GPO).

So I wanted to look at how with Microsoft Defender for Endpoint (MDE) we could detect this both on domain controllers but also on CLIENT devices (MEMBER SERVERS/PCs)

Strategy

When forming a strategy you must realise for starts that people view the word strategy differently. However, the general view is STRATEGY AS A PLAN. Without a PLAN a strategy is a DREAM.

The plan must be supported by a rang of factors, it must also be managed. It should be something which helps you go from where you are (CURRENT STATE) to where you want to be (FUTURE STATE) and should have a roadmap (TRANSITION PLAN/ROADMP) of how you will get there.

When we talk about can I see your strategy, you will need to have it documented, a strategy without a document isn’t a strategy that can be shared and communicated. As to what “THE STRATEGY” document must be… well there is no such thing as a MUST, but there’s some component that are largely and widely recognised to be useful.

News

Royal Mail Cyber Incident

According to the Belfast Telegraph:

Royal Mail operations hub in Mallusk hit by ‘cyber attack’ as printer spurts out ransom demands – BelfastTelegraph.co.uk

The Incident is reported by them as “RANSOMWARE” and features Lockbit (Lockbit is RaaS, they recently (end of 2022 lost their ransomware payload builder) so the use of Lockbit software and the fact Lockbit is RaaS means this doesn’t prove attribution). (Attribution is hard, for most people what matters is their own network security posture, rather than who pwn3d royal mail)

Threat Intel

Royal Mail Cyber Attack! What should you do?

breaking news: Royal mails international tracking services are down and have been for > 24 hours:

The ICO have been contacted! The NCSC and NCA have been contacted! What should you do?

Defense

Defending Against Direct Authentication Attacks in Microsoft Office 365

Whilst conducting security testing and assurance activities, I went looking to show logon events in Office 365. My first query was on IdentityEvents, this led to a view of a multi month attack by a threat actor/s against a tenent, followed by exploring the rabbit hole of logs and computer systems. This blog summarises some of the methods and findings when considering threat hunting and authentication defences for Office 365. (bear with me I am tired so this might need a bit of a tune up later!)

Leadership

The Cyber Acid Test

I’ve been working with all kinds of different organisations over the years, and I keep running into similar scenarios. The current state of the majority of organisations security postures are simply (as a broad-brush statement) far riskier than they need to be.

Conversely there are a range of common challenges I find in almost every org:

Threat Intel

LastPass Breach – The danger of metadata

When an organisation suffers a data breach it’s usually bad. When an organisation that stores 25 million people’s passwords that’s really bad.

There are multiple risks here at play.

Firstly, when we give people our data, it’s our risk and our choice. I’m ok with that, I chose to give lastPass my data.

My vault data might be gone, but I have a strong master password, how we interpreted the theft of the basically cryptographic materials is a bit like when we full disk encrypt a drive.

If you lose a laptop that’s got FDE do you report this as a data loss to the ICO? Or do you say, it’s encrypted so actually I haven’t lost the data per say, I’ve just lost a random (ish) bunch of 0s an 1s so I don’t count that as an incident? I’m not here to be judge or jury.

Defence

Planning to defend and respond to cyber threats

Everyone has a plan until they are cyber punched in the face! Or something like that!

People seem to have this misconception that you need to “do a pentest” or some other project based activity to do “security testing” or response planning.

Let’s be real here, you really don’t. But what you do need is a few things:

Authorisation
Time
Some ideas for cyber incidents to plan for

Education

Enterprise Technology Generalisations

I’ve waked around one of two organisations, across a load of verticals and well I see people post things online about common technology generalisations and frankly it sometimes leaves me wondering what networks they have been in, but also am I just on another planet? So, I thought I would jot down some notes on common tech I see in orgs during my business travels but also on in the ciberz! It’s not a list of everything I see, it’s just what appears in my head as quite bloody common.

Leadership

How to not lose your job as a CISO

A mRr3b00t Adventure

Join me on an adventure of rambling and exploring the idea that you can in fact not lose the security leadership game! This blog is WIP, it’s just my brain wondering around the question of: can we win the in the face of a seemingly insurmountable force? What do we do as a security leader to protect ourselves and the organisation? How do we start?