Tag: cyber

Defense

Changing a security posture requires changing your own behaviours

I’m sure you will have had a marketing firm or some random sales person on Linkedin tell you that security should be simple and that their product will save you from all the ATPs and nation state hax0rs under the sun. However let’s get real, thats almost certainly not true and also security isnt simple or we’d all be out of jobs and everyon woulndn’t be getting owned all the time.

Getting real
I think there’s a huge honestly part that needs to occur if you are going to actually improve a companies security posture.

Leading and acting in a manner which doesn’t contradict the message

Don’t be unrealistic – absolute security doesn’t exist, if someone is talking in those terms they are probably bullshitting and are highly unlikely to be an actual practitioner

Sort out the commmon vectors, phishing and exposed insecure configurations are clearly areas to focus on but also you should assume breach and harden the inside of your networks! (too many people don’t do this)

People like efficiencies, improvements when they don’t have to be the change, chaning behaviours is really hard.

Technology costs money, I hate to break it to people but if your approach to technology management is solely on the bottom line that is going to have a significant impact not only on your business operational capabilities but from a security point of view you are likely going to be in a weak posture. Don’t get me wrong you don’t need to buy ALL the things but expertise, logging, monitoring and management tools/technical tools cost money. Don’t shoot the messenger but don’t expect the moon on the stick either (it’s just not realistic).

Cyber Criminals operate in all time zones, your staff likely use company computing assets across a range of hours and probably sometimes in the evenings and weekends. Your security operations capability needs to be able to cover this (accepting the risk entirely is a bonkers idea, at least put people on call, oh and that means paying them too!)

The biggest improvement step to me is the cultural one, it’s the change from ignoring, assuming it ‘won’t happen to me’ and when people who are in leadership and management positions stop using bad practises. Being honest and recognising security is a challenge, it’s not a project, it’s a way or running and managing technology services.

By having a strong security posture you will need far deeper knowledge of your business, it’s assets and it’s customers. This sounds like a massive business advantage to me!

Defense

Ransomware Defence: Part 2a – Persistence, Privilege Escalation and…

Recap

In Part 1 (Initial Access Defence and Checklist) we looked at ways of hardening your attack surface to defend against initial access. When it comes to ransomware there is a range of elements and variables in the kill chain that need to be successful for the outcomes to be achieved by the criminals. Here we are going to move further into the kill chain to look at further defences. Remember you need to have an “Assume Breach” mindset if you are going to be able to defend against ransomware, that being said, there is a hell of a lot of things you can do for 0 to low investment costs that provide a great ROI. Now some of this is going to be repeated guidance from part 1, that’s ok repetition is good (make sure you are covered from multiple perspectives). Ok let us get to it! Read more “Ransomware Defence: Part 2a – Persistence, Privilege Escalation and Lateral Movement”

Defense

Ransomware Defence Checklist – Part 1 : Initial Access

Defending the Realm

We keep seeing organization get hit, in some kind of a sick way I think me and some of my friends in the industry are bored with the over dramatic responses of “sophisticated” “advanced” and “unpreventable” because most times the kill chains simply are not like this. But still the onslaught keeps coming. Well I know this much, whilst I would love to deploy with the team and harden everyone’s networks that simply isn’t possible. So what we thought we would do is write something to try and spread the knowledge a bit further and hopefully have some positive impact.

Ransomware 101

It’s not just that your data will be encrypted, it will likely be exfiltrated and sold. You will likely have access sold, data sold and be extorted. The Ransomware business model is adapting to defender responses. Even if you can restore from backup they will likely try and attempt to extort. This brings a key point in this equation, the best position is to NOT get pwn3d to start with. Ok that might sound silly to say but when we look at these kill chains you might start to see the world from my perspective a little. Read more “Ransomware Defence Checklist – Part 1 : Initial Access”

Defense

Cyber Security Assesments for Normal People

Ok so you might think I’m mad with the title but bear with me!

So, the world is in an interesting place, we’ve got a pandemic, we’ve got prolific cyber crime and we have all kinds of different views on how we should tackle this problem.

Now I love a framework and there’s ton’s of them. But the truth is they are complex, detailed, nuanced and generally require a level of nerd that a lot of organistaions do not have.

In 2020 during the pandemic I decided to try and write something to simplify this position, whilst I didn’t want to be too narrow, I wanted to try and capture the breadth of cyber security that is relevent to the general purpose organistaion. I came up with a set of 140 questions which I believe are a good take on things to consider and ask when conducting a security review at a high level. (yes 140 questions is a high level view, this stuff is complex as hell at the detailed end of things, and the devil is in the detail).

Read more “Cyber Security Assesments for Normal People”
Guides

Secure Service Design: Practical Solution Architecture

The truth shall set you free

I’ve worked in technology a long time now (relatively for me). It’s now over 20 years professionally and when I was a kid, I used to remove malware from small business’s etc. I’ve travelled to some funky places and done some cool things, but I learn new things every day. I do however come across some repeating patterns in my adventures as a consultant. There is a hidden truth that many are scared to admit…

Most organisations are not very good at service design, let alone secure service design!

Ok so there it is, I hope that this blog doesn’t age very well, but I’m 20 years in and I chat with my dad about his past life in the corporate world and we both see the same things being repeated. So, what can we do about it? Well sharing is caring, so here’s some things to think about when planning and designing a new service. I’m going to focus on the technology and security aspects, clearly, I am not saying ignore the business and value alignment but for the purposes of this post I’m assuming that the functional service capabilities and alignment are in effect. I’m also assuming that business case is solid because you know, without £ it’s a bit hard to create an operate a service (that’s a whole new post!). Read more “Secure Service Design: Practical Solution Architecture”

CTF

mRr3b00t Learns to play HTB again!

I rarely get a chance to play HTB these days 🙁 but today I thought i’d get back on it.. then I had a three hour battle with a graphics driver and Vmware Workstation so that basically ruined that idea…. but I thouht I’d try and remember how to CTF again.. and boy do you get slow fast! Well to try and help people and myself I’ve started to write down some notes to get my mind back into the CTF world of HTB!

Setup & Scope

Ok this is the setup phase. Let’s grab the details

  • Take note of the machine name
    • Remember most boxes are called .htb or .htb.local
    • There’s not an “internet” dns inside the arena so you need to update hosts files
  • Take note of the box author
    • This is useful for OSINT
  • Take note of the IP
    • This is your scope
  • Take note of the OS version
  • Get you digital notebook ready
Read more “mRr3b00t Learns to play HTB again!”
Defense

Cyber Defence is Hard

Introduction

If you read a book about management theory or specifically cyber security management you will find lots of frameworks, methods, formulas, models etc. None of them really let you know how insanely hard it can be to defend a moving target where regardless of how many controls you have, all it takes it someone doing something which may seem bonkers to you but perfectly reasonable for them. Their objective is to do business in an efficient manner, your objective is to protect the business in an efficient manner. Fundamentally these two things are not at odds, but there are a lot of human factors that come into play on top of some serious technical challenges. Read more “Cyber Defence is Hard”

Defense

Modern Workspace: PowerShell OAuth Error

Create PowerShell Session is failed using OAuth

When connecting to Exchange online (there was a reason I needed to do this) I had the following error:

I did some googling that luckily someone has already posted how to fix this:

https://www.vansurksum.com/2021/03/11/create-powershell-session-is-failed-using-oauth-when-using-the-exchange-online-v2-powershell-module/

It turns out WINRM’s ability to use BASIC client authentication is disabled as part of the standard Windows 10 hardening baseline deployed via Intune.

To fix these we need to re-enable BASIC client side WINRM authentication. Read more “Modern Workspace: PowerShell OAuth Error”

Guides

Becoming a Cyber Criminal (Pro) – Basic External Attacks

This is an experiment to combine a near real time thread on twitter and a blog… I have no idea if this will work. The premise is, we are conducting a adversary simulation against a target and want to see how this translates into a ‘plain language’ blog/story about how these things work. (I’ve also not included sales/scoping/documentaiton and clearly not all of this is in real time) but it is real!

The Fundamental Steps

Ok so first thing is first – the criminal part is a joke! We are here to help people. What we are going to do however is consider the general cyber threat landscape, look at the organisation from an ‘external threat actor’ perspective and then see what we can map out from an attack surface point of view.

Read more “Becoming a Cyber Criminal (Pro) – Basic External Attacks”