This morning before I got on with some more dull affairs of business, I saw the following:
How we (humanity) and people (including governments etc.) respond to the changing digital landscape and cyber threats that affect society and humanity as a whole is really important. It’s great to see the Australian government using an advisory board and panel structure as they look to review/renew their national cyber security strategy. I’m posting this to raise awareness as I think these things are ever so important that people in the community, industry, academia etc. give their inputs, help and support to the people charged with the incredibly complex task of developing and implementing cyber strategies at country scale! A task not so simple, hence they are calling for inputs as part of a general consultation request from people and organizations.Read more “Australia National Cyber Strategy Consultation”
A very common technique in ransomware scenarios is the deployment of Scheduled Tasks via Group Policy object.
So I thought I’d start to post some content around this. To start with I was looking locally to enable the following:
“Show me all the command lines used in scheduled tasks on Windows with PowerShell”
So I knocked up this really simple proof of concept (there are other ways to write this obvs)Read more “Malicious Scheduled Tasks”
Penetration testing, adversary simulation, red teaming, purple teaming, rainbow teaming, call if what you like, the security outcome we are working towards is:
- Improved Security Posture
- Assurance of security investments and controls
- Enablement of information sharing
- Collaboration and Understanding
- Identification of strengths and weaknesses
- Optimization and Improvement Opportunities
This is to support the organisations mission, vision, goals, and objectives. Cyber security is to support and enable the organisation’s capability to execute digital services in a safe manner.Read more “Practical Security Assurance”
Everyone has a plan until they are cyber punched in the face! Or something like that!
People seem to have this misconception that you need to “do a pentest” or some other project based activity to do “security testing” or response planning.
Let’s be real here, you really don’t. But what you do need is a few things:
- Some ideas for cyber incidents to plan for
There are tons of “products” for security awarenss training, however you might find that sitting and watching canned CBT videos isn’t your organisations thing or perhaps you want to see what other options there are available. Well for starts the UK NCSC has some free online security awarenss training (see further down the post), or you may want to actually spend time with your staff to make the learning a collaboarive experiance that drives engagement and communication. If the last one if your desired approach there are lots of ways to do this. One of which can be supported by a question based assessment, other ways include tabletop scenarios and incident simulations (i honestly would go with a blended appraoch if it was me!).
So to help people get thinking about this I’ve put together some example questions to drive the message about incident reporting, collaboration and education vs blame. So here we go, here’s some ideas for communication and some questions to get staff thinking about cyber security, sure they aren’t rocket science, but then it doesn’t need to be!Read more “Security Awareness Training Example”
Pwning a legacy server on Hack the Box is good for a training exercise however what about if we want to think about how to use resrouces for red and blue. Looking at both sides of the coin when thinking about offense really should help people undesrand how to defend better. In the end of the day outside of a tiny tiny fraction of deployment types, you are going to need to be able to explain how to defend regardless of engagement type (vulnerability assessment, penetration test, purple team, red team etc.)
I’m not going to talk through every step but here’s the commands you would need to run:Read more “Using CTFs for offensive and defensive training – Purple Teaming”
If you have a business email compromise incident and you haven’t deteced it in a timely manner your fist notification might be a bad experiance, the threat actors may have commited fraud, attemped fraud or simply launched a phishing If you have a business email compromise incident and you haven’t detected it in a timely manner your fist notification might be a bad experience, the threat actors may have committed fraud, attempted fraud, or simply launched a phishing campaign from your environment. If you are in this position, there are some steps you can take from a technical point of view to limit impact and reduce risk of a re-occurrence. This blog is a high-level view at some of the tactical and longer-term activities you can conduct.Read more “Post Business Email Compromise actions for Office 365 Users”
Nuke it from orbit, it’s the only way to be sure!
Ok, in an ideal world you can re-deploy your entire environment from scratch, but back in the most people’s real world’s that’s not that simple. So, what do we do if we can’t nuke from orbit in a post compromise situation? Well, we need to clean up! This isn’t an exhaustive list, not a total guide. it’s a quick list to make you think about some key common areas and actions that might need to be taken! after all if someone got r00t, who knows what they did! (trust me, most orgs monitoring is a bit naff!)Read more “Post Compromise Active Directory Checklist”