education – PwnDefend

Analysing 1 Million Honeypot events with Defused Cyber Deception

A common perimeter firewall in organisations is the CISCO ASA. Back when I started in the industry we used to have CISCO PIX firewalls, the ASA was the next generation of these! Why is this important? Well its important to understand how common threat actors work, you will see from a while ago I wrote a review of the manual 2.0 by Bassterlord (a known cybercriminal), this is to help understand how attackers work, what real world cybercrime looks like so that we can enable people to help defend against these threats.

Guides

Suspected Zero Day – What to do if you…

What do you do if someone says, there might be a zero day being used against your make/model of internet facing device (such as a VPN server)?

There’s always a challenge subject to the level of intelligence available about the specific scenario, the device and the way they function and the telemetry/capabilities you have.

Education

Detecting ‘Dark Tunnels’ with Microsoft Defender using KQL

Detecting ‘Dark Tunnels’ is an important element to corporate security, much like detecting unauthorised RMM usage. But what is a dark tunnel?

according to GROK:

A dark tunnel (sometimes called a “dark pool tunnel” or simply a secure reverse tunnel in networking contexts) refers to a type of secure, outbound-only tunneling technology that allows private access to internal services, devices, or networks without exposing them to the public internet. The “dark” aspect emphasizes that the tunnel is hidden or invisible from external scanners—there’s no inbound port forwarding, firewall holes, or public IP exposure required. Instead, it relies on encrypted outbound connections from the internal resource to a cloud-based relay or peer-to-peer mesh, enabling zero-trust access (e.g., via authentication tokens or keys).
This approach is popular in DevOps, IoT, remote work, and cybersecurity for bridging on-premises or edge devices to the cloud securely, often bypassing NAT traversal issues or legacy VPN complexities.

Education

Windows Defender at my tunnel

I was doing some testing with Cloudflare tunnels this weekend and I woke up this morning to see if funny honeypot messages I had, I quickly checked if the site was online and found a cloudflare error message. This is a just an IIS instance running on a windows 11 PC (with no WIFI or Bluetooth) plugged into a test network (so if it gets pwn3d, it’s not going to impact anything important).

Breach

Ransomware kill chains are boring.. will we ever learn?

Are we stuck in a cyber world that never learns? are we doomed to suffer the same fate over and over again? Well, not if you take action, you can totally prevent events like this!

This is a fast post using an LLM to analyse the Capita redacted ICO report. Hopefully it will help people think about things and take the lessons and apply them in their own organisations.

Education

A threat to sanity – Cyber Myth: Juice Jacking

“Juice jacking” has become a modern cybersecurity myth — a catchy scare story built on a long-patched Android debugging issue and fueled by viral fear rather than facts. Despite years of warnings, there are no confirmed cases of real-world juice jacking attacks; the cost, effort, and low reward make it an impractical method for criminals. Yet the myth persists because it’s vivid, simple, and scary — everything our brains latch onto. The real danger is not the USB port at the airport, but the distraction such myths create. When people focus on imaginary threats, they waste precious attention that should go toward genuine risks like weak passwords, missing MFA, unpatched systems, and poor backups. So let’s take a bit of a deeper dive into this subject, because by it’s important to understand what to, and what not to focus on in my experience!

Leadership

Cybercrime and data theft

During an incident it’s one of the first questions people ask, what did the attacker do? Did they steal any data? How did they do it?

All of which are typically rather difficult to answer in the first, probably week of an incident (incidents vary, sometimes it’s very obvious, other times you can’t be 100% sure on some details!)

But recently I’ve been talking lots about the way organisations communicate during incidents to their customers and the public etc. I’ve been explaining that the day 0 comms of ‘no data was stolen’ followed by a ‘lots of data was stolen’ in say day zero plus five… well it doesn’t help with my my trust in the victim organisation. Which to me, seems like an odd strategy for organisations to take. They have options:

Threat Intel

The Com, 764, and Associated Groups

In evaluating capabilities for LLMs (AI) recently, I’m looking at the viability of creating more content with them. I’m explicitly calling out where I do, aside from my writing style, I’m also keen to show the pros and cons. Do LLMs replace humans? Not from my experience so far. I’ve been looking at combined physical + digital attacks recently and the associated threat classes… I’m trying to avoid the word group or gang, because collectives are slightly different and are dynamic, almost mission focused if you will.

Fiction

Getting to the coffee shop like a SPY

Chances are, no one’s actually watching you — but in a world full of cameras, phones, and digital breadcrumbs, it’s smart to know how to move with a little more privacy. Whether you’re heading to your favorite coffee shop or just want to practice slipping through the city unnoticed, this guide will help you stay low-profile without going full secret agent. It’s about blending in, being unpredictable, and keeping your personal movements personal — all without looking over your shoulder every five seconds. Staying aware doesn’t mean being paranoid — it just means being prepared (and maybe a little cooler than the average pedestrian).

Threat Intel

Defending Against Scattered Spider

Defending against different skilled threat classes is an important thing to consider when you are planning, designing and operating a business. I’ve used GROK (AI) to create an html page which has both information on the kill chains, but also looks at countermeasures. I’m experimenting lots with VIBE coding and LLM assisted content generation so hopefully this proves useful. I do feel it needs a more human touch added as well… but let’s see! life without experimentation would be dull would it not!