- It requires being thorough.
- It required documenting things.
- It requires conducting training and drills.
- It adds what can be viewed as additional effort/cost to the primary goals (sell widgets/services/time)
- It involves weird and wonderful ways of abusing functionality that is not always apparent or expected, thus to the typical consumers/user of a service, the idea that it might be abused actually seems very unlikely (to a criminal or security pro, the idea it will be abused seems far more likely based on threat intelligence etc.)
Whilst every marketing person will talk about the latest and greatest tech innovation and product, how much does that reflect the reality of technology deployed in the world? Everyone is running Windows 11 and Windows Server 2022 right?! They also don’t use computers, because everything is cloud and mobile first right! and security, well everyone has that down as well! Great… let’s just go and check those statements out… oh wait…. no maybe err.. let’s take a look with our friends at shodan.ioRead more “Technology in the Wild”
You never know what you will find when you go hunting! So here’s a quick tale of an explore I did using Advanced Hunting!
I went hunting here in Advanced Hunting:Read more “Threat hunting with some funny results!”
Did you want to check out some of your detections? This isn’t everything of course but it’s a simple batch file to simulate a range of enumeration techniques used by actors like CONTI or LOCKBIT affiliates/operators:Read more “Simulating Human Operated Discovery”
A common way to deploy an encryption routine used in Ransomware scenarios is to create a scheduled task to launch a cyptor exe. This is commonly deployed via a Group Policy Object (GPO).
So I wanted to look at how with Microsoft Defender for Endpoint (MDE) we could detect this both on domain controllers but also on CLIENT devices (MEMBER SERVERS/PCs)Read more “Hunting for New Group Policies Where Scheduled Tasks are used”
If you are having fun today with Defender ASR deleting lnk files then you will see the MS Script has a v1.1 which looks to VSS to see if it can restore shortcuts from shadow copies, so whilst here I thought I’d note down a few different ways to list the Volume Shadow Copies.
You will need admin rights for these to work:Read more “Volume Shadow Copy”
If you work in marketing you are probably walking around telling everyone that we all live in a ZERO trust era, that PASSWORDS are DEAD! Ransomware is DEAD and AI is the FUTURE and we should be doing that NOW!
Meanwhile back on CYBER PLANET EARTH, most organisation do NOT have or need AI, they use passwords and well they passwords they use are shockingly bad! Howe do I know this? I do password audits and security testing, but I also look at breach data! (and we have other people publish password audit reports etc.)Read more “It’s 2023 and people’s passwords are still really really bad!”
Anyone that knows me, knows I love maturity assessments and tools (I’ve built a few, and run LOADS more) so this morning when I saw this on LinkedIn I had to start to get some understanding! I’ve not even had a cup of tea, but let’s see what this looks like!Read more “Cloud Adoption Security Review”
Currently I’d list some of the major challenges we face as a civilisation as the following (clearly not exhaustive etc.)
- The general population largely don’t understand cyber
- Lots of people think there is nothing they can really do
- People have shockingly bad personal cyber security
- A large number of organisations have shockingly poor cyber security postures
- People’s passwords are often ridiculously weak
- People re-use passwords all the time
- People seem to believe we have “magic nation state cyber shields”
- Organisation’s largely do not invest adequately in cyber security
According to the Belfast Telegraph:
The Incident is reported by them as “RANSOMWARE” and features Lockbit (Lockbit is RaaS, they recently (end of 2022 lost their ransomware payload builder) so the use of Lockbit software and the fact Lockbit is RaaS means this doesn’t prove attribution). (Attribution is hard, for most people what matters is their own network security posture, rather than who pwn3d royal mail)Read more “Royal Mail Cyber Incident”