DFIR – PwnDefend

Business Email Compromise Check List

As part of my Cyber SOC GitHub repo I’ve put together lots of resources to try and help people with some common cyber security tasks, applicable to CISOs through to SOC analysts.

I also want to highlight one of the most common incident types if you are an Office 365 customer is a business email compromise scenario, so I’ve put together a high level view of the steps you might want to take after a BEC event is discovered:

Defence

Business Email Compromise: Impact Assessment

If you are are a victim of unauthorised mailbox access and/or attempted fraud via mailbox compromise (BEC) then you know that one of the tasks outside of understanding how the compromise has occurred, what configurations have been tampered with, removing devices and resetting usernames/passwords (and tokens/MFA) etc. is to start to understand the data breach impact.

If someone has logged into a mailbox it’s very very unlikely that zero data has been accessed!

Leadership

What if breach communications were honest?

Armed with my trusty sidekick, this morning I thought I would see what an LLM would make if I asked it to create public comms for common cyber incidents…. for basically every scenario… it really wanted to tell everyone no data was accessed! Which is amazing, because in almost every incident I’ve seen: Data is accessed!

In a business email compromise (BEC) scenario…. the clue is in the name, it’s already a compromise of confidentiality!

Defense

Minimum Data Requirements for Investigating Email Mailbox Compromise

When a suspected email mailbox compromise is reported, initiating an investigation promptly is critical. However, to ensure the investigation is effective, certain minimum intelligence requirements must be met. This blog outlines the bare minimum data needed to start investigating a suspected email mailbox compromise, whether the intelligence comes from an internal team or a third-party source.

Education

Avoiding an infinite incident response cycle!

Incidents are a part of life, but so is understanding the scope and bounds of an incident. One subject that comes up form time to time is how to define what is and is not ‘part of the incident’. Not everyone uses the same terms, language or definitions (which is true of many things in life). But when it comes to cyber incidents on the ground, details matter, but so do decisions!

Is the role of incident response to solve all security challenges and gaps in an enterprise? Should the recovery phase mitigate all threats? should the entire business be changed due to an incident and is that the role of the response team? When do you define what is and what is not part of the response vs what is a business change project?

Hacking

Mobile Device Malware Analysis

Mobile devices present interesting challenges when it comes to:

Incident Response
Malware Analysis
Digital Forensics

Education

Some TOX Clients Leak Egress IP addresses

Some friends and I did some testing this evening with TOX clients. We wanted to take a look at PERSEC/OPSEC considerations for using TOX. I also had a sneaky suspicion that it might out of the box leak more than people would appreciate (just a hunch and you don’t know until you test right!).

So, we setup a test. In the test we had:

Uncategorized

Malicious Scheduled Tasks

A very common technique in ransomware scenarios is the deployment of Scheduled Tasks via Group Policy object.

So I thought I’d start to post some content around this. To start with I was looking locally to enable the following:

“Show me all the command lines used in scheduled tasks on Windows with PowerShell”

So I knocked up this really simple proof of concept (there are other ways to write this obvs)

Defence

Planning to defend and respond to cyber threats

Everyone has a plan until they are cyber punched in the face! Or something like that!

People seem to have this misconception that you need to “do a pentest” or some other project based activity to do “security testing” or response planning.

Let’s be real here, you really don’t. But what you do need is a few things:

Authorisation
Time
Some ideas for cyber incidents to plan for

CTF

Using CTFs for offensive and defensive training – Purple…

Pwning a legacy server on Hack the Box is good for a training exercise however what about if we want to think about how to use resrouces for red and blue. Looking at both sides of the coin when thinking about offense really should help people undesrand how to defend better. In the end of the day outside of a tiny tiny fraction of deployment types, you are going to need to be able to explain how to defend regardless of engagement type (vulnerability assessment, penetration test, purple team, red team etc.)

Getting access

I’m not going to talk through every step but here’s the commands you would need to run: