Defense
This weeks been an interesting one, I’ve been doing quite a bit of research recently with my friend Simo from Defused defusedcyber.com. Simo has built a new emulated honeypot platform, and anyone that know’s me knows I love honeypots, deception and intel sharing to help defenders and to impose cost on the baddies! (technical terms here ok!)
Read more “Suspected Fortinet Zero Day Exploited in the Wild”
Guides
What do you do if someone says, there might be a zero day being used against your make/model of internet facing device (such as a VPN server)?
There’s always a challenge subject to the level of intelligence available about the specific scenario, the device and the way they function and the telemetry/capabilities you have.
Read more “Suspected Zero Day – What to do if you have a device that may be in scope for exploitation?”
Education
As part of my Cyber SOC GitHub repo I’ve put together lots of resources to try and help people with some common cyber security tasks, applicable to CISOs through to SOC analysts.
I also want to highlight one of the most common incident types if you are an Office 365 customer is a business email compromise scenario, so I’ve put together a high level view of the steps you might want to take after a BEC event is discovered:
Read more “Business Email Compromise Check List”
Defence
If you are are a victim of unauthorised mailbox access and/or attempted fraud via mailbox compromise (BEC) then you know that one of the tasks outside of understanding how the compromise has occurred, what configurations have been tampered with, removing devices and resetting usernames/passwords (and tokens/MFA) etc. is to start to understand the data breach impact.
If someone has logged into a mailbox it’s very very unlikely that zero data has been accessed!
Threat Intel
Motivation and a diverse network of people and capabilities can go a long way, then add in digital skills and winning steak… and you have: scattered spider!
There’s a big difference between zero day spraying the internet and planting webshells or copying someone’s open S3 bucket and say…. doxing staff, their families and attacking them and their assets in the real and digital worlds.
I think people won’t broadly grasp the effects that can be achieved (harm) when the adversary is motivated, dedicated, capable, resourced and has very little moral qualms.
There is no magic bullet to defend against an adversary like this, you need a whole of organisation defence (and to pursue even more than that!).
Read more “An evolution of threat actor”
Defense
When a suspected email mailbox compromise is reported, initiating an investigation promptly is critical. However, to ensure the investigation is effective, certain minimum intelligence requirements must be met. This blog outlines the bare minimum data needed to start investigating a suspected email mailbox compromise, whether the intelligence comes from an internal team or a third-party source.
Read more “Minimum Data Requirements for Investigating Email Mailbox Compromise”
Hacking
Mobile devices present interesting challenges when it comes to:
Defence
Everyone has a plan until they are cyber punched in the face! Or something like that!
People seem to have this misconception that you need to “do a pentest” or some other project based activity to do “security testing” or response planning.
Let’s be real here, you really don’t. But what you do need is a few things:
Defense
Nuke it from orbit, it’s the only way to be sure!
Ok, in an ideal world you can re-deploy your entire environment from scratch, but back in the most people’s real world’s that’s not that simple. So, what do we do if we can’t nuke from orbit in a post compromise situation? Well, we need to clean up! This isn’t an exhaustive list, not a total guide. it’s a quick list to make you think about some key common areas and actions that might need to be taken! after all if someone got r00t, who knows what they did! (trust me, most orgs monitoring is a bit naff!)
Read more “Post Compromise Active Directory Checklist”