blue team – Page 6

Ransomware + Mega = Mega Cyber Pain

Did you ever read about ransomware actors? They often use mega upload to exfiltrate data! So I figured, why would we not detect this with MDE?

I mean sure we should probably block this with a custom indicator using Web Content Filtering and sure it would probably get blocked by Protective DNS but let’s say for whatever reason you don’t have those in place, let’s look at a really simple query to find mega connections in MDE:

Defence

Threat hunting with some funny results!

You never know what you will find when you go hunting! So here’s a quick tale of an explore I did using Advanced Hunting!

I went hunting here in Advanced Hunting:

Threat Intel

Simulating Human Operated Discovery

Did you want to check out some of your detections? This isn’t everything of course but it’s a simple batch file to simulate a range of enumeration techniques used by actors like CONTI or LOCKBIT affiliates/operators:

Uncategorized

Hunting for New Group Policies Where Scheduled Tasks are…

A common way to deploy an encryption routine used in Ransomware scenarios is to create a scheduled task to launch a cyptor exe. This is commonly deployed via a Group Policy Object (GPO).

So I wanted to look at how with Microsoft Defender for Endpoint (MDE) we could detect this both on domain controllers but also on CLIENT devices (MEMBER SERVERS/PCs)

Strategy

When forming a strategy you must realise for starts that people view the word strategy differently. However, the general view is STRATEGY AS A PLAN. Without a PLAN a strategy is a DREAM.

The plan must be supported by a rang of factors, it must also be managed. It should be something which helps you go from where you are (CURRENT STATE) to where you want to be (FUTURE STATE) and should have a roadmap (TRANSITION PLAN/ROADMP) of how you will get there.

When we talk about can I see your strategy, you will need to have it documented, a strategy without a document isn’t a strategy that can be shared and communicated. As to what “THE STRATEGY” document must be… well there is no such thing as a MUST, but there’s some component that are largely and widely recognised to be useful.

News

Royal Mail Cyber Incident

According to the Belfast Telegraph:

Royal Mail operations hub in Mallusk hit by ‘cyber attack’ as printer spurts out ransom demands – BelfastTelegraph.co.uk

The Incident is reported by them as “RANSOMWARE” and features Lockbit (Lockbit is RaaS, they recently (end of 2022 lost their ransomware payload builder) so the use of Lockbit software and the fact Lockbit is RaaS means this doesn’t prove attribution). (Attribution is hard, for most people what matters is their own network security posture, rather than who pwn3d royal mail)

Threat Intel

Royal Mail Cyber Attack! What should you do?

breaking news: Royal mails international tracking services are down and have been for > 24 hours:

The ICO have been contacted! The NCSC and NCA have been contacted! What should you do?

Defense

Defending Against Direct Authentication Attacks in Microsoft Office 365

Whilst conducting security testing and assurance activities, I went looking to show logon events in Office 365. My first query was on IdentityEvents, this led to a view of a multi month attack by a threat actor/s against a tenent, followed by exploring the rabbit hole of logs and computer systems. This blog summarises some of the methods and findings when considering threat hunting and authentication defences for Office 365. (bear with me I am tired so this might need a bit of a tune up later!)

Leadership

The Cyber Acid Test

I’ve been working with all kinds of different organisations over the years, and I keep running into similar scenarios. The current state of the majority of organisations security postures are simply (as a broad-brush statement) far riskier than they need to be.

Conversely there are a range of common challenges I find in almost every org:

Threat Intel

LastPass Breach – The danger of metadata

When an organisation suffers a data breach it’s usually bad. When an organisation that stores 25 million people’s passwords that’s really bad.

There are multiple risks here at play.

Firstly, when we give people our data, it’s our risk and our choice. I’m ok with that, I chose to give lastPass my data.

My vault data might be gone, but I have a strong master password, how we interpreted the theft of the basically cryptographic materials is a bit like when we full disk encrypt a drive.

If you lose a laptop that’s got FDE do you report this as a data loss to the ICO? Or do you say, it’s encrypted so actually I haven’t lost the data per say, I’ve just lost a random (ish) bunch of 0s an 1s so I don’t count that as an incident? I’m not here to be judge or jury.