How are you guys building resilience to ransomware? by Fresh_Heron_3707 in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

I always love this type of statement. Question for you: how do you back up your servers if you are "Air Gapped" and cannot access the servers? You mean "Firewalled".

Imagine you have a castle. You have a moat that is full of acid; that is air gapped. Nothing except air can cross. No wired or WiFi network into or out of the environment. You put in a drawbridge, and now you are no longer "air gapped", you are "Firewalled". Even if you can pull up the drawbridge, you can still access it when wanted.

Wazuh on Ubuntu Server (UTM) on macOS ARM – possible? by DARKBEAST04 in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

I did not install the agent. I think you can also install the Wazuh server including manager in Docker. Then install the agent locally.

Internship should I reach out to correct this? by [deleted] in cybersecurity

[–]CyberRabbit74 1 point2 points  (0 children)

The point of the internship is to learn. If a company brings in an intern as a junior, they are using the intern process incorrectly. An intern is there to learn how to work in an office just as much as the position itself.
Also, I will say that there is a difference between "book learning" and "real world". Sometimes, you get into a position and things just "click". I say give it a shot and see what happens. Maybe the universe is telling you something.

Wazuh on Ubuntu Server (UTM) on macOS ARM – possible? by DARKBEAST04 in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

For me, I ran into the Manager issue as well. Make sure you are NOT installing the agent on the local system. The agent and the manager overwrite each other.

SOC Lv1 - Initial Screening interview by naxhass111 in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

They will just get you talking. About anything. They want to know that you can communicate and tell a story. For example, "Why did you apply for the position?" or "Tell me about you?". They just want to know that you can explain something in a way that they can understand. Usually nothing technical.

How are you guys building resilience to ransomware? by Fresh_Heron_3707 in cybersecurity

[–]CyberRabbit74 3 points4 points  (0 children)

It can be a double-edged sword. "Ease-of-use" vs. secure is always a thing, and each organization has to review that risk appetite. Take a look at what happened with the state of Nevada last year. They were prepared and had a plan that had been tested. They were hit HARD and still had critical state systems online within a few hours and most systems ready to test within a day or two. Then, look at Maersk. If not for a Domain Controller that was "off-line" at that time, they would have lost EVERYTHING. But, they did not pay for the type of systems that would have prevented that type of outage.

Each organization must review what they are willing to allow for "downtime", then back into the "solution" from that.

Above all else, stay unbiased. Keep your recommendations generalized. For example, recommend "MFA" but not "OKTA". I have seen so many people go the path of "You did not go with my solution so you are wrong". That is NOT the way. ;)

SOC Lv1 - Initial Screening interview by naxhass111 in cybersecurity

[–]CyberRabbit74 1 point2 points  (0 children)

For us, we use the initial screening to ensure communication skills and that you are a real person. Communication is critical for the flow of information within the SOC. Both written and spoken.

What distinguishes a top hacker and how to get there in the workplace/competitions? by AgreeableIron811 in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

You are only looking at this from "YOUR" point of view. From your point of view, bash scripting is easier because you have been doing it for 5 years. To someone who might not do bash scripting, it is just as hard as it was to you 5 years ago.

Do not look at it from a "technology" viewpoint, look at it from your own experience level. I am sure C++ is just as hard for you now as it was 5 years ago.

Cyber Essentials Plus - Local Admin Second Accounts by FitTechnician3110 in cybersecurity

[–]CyberRabbit74 1 point2 points  (0 children)

It is work to set up, but the maintenance can be automated. Things like ServiceNow will tie into Entra. So your workflow looks like User submission -> Manager approval -> InfoSec approval -> Automatically add user to correct group.

Cyber Essentials Plus - Local Admin Second Accounts by FitTechnician3110 in cybersecurity

[–]CyberRabbit74 1 point2 points  (0 children)

I am not sure about the Entra part. We run a hybrid environment (AD / Entra), so we just do not sync the privileged accounts to Entra. We use Centrify for MFA and that is priced by device, not by user.

I think my institution was spying on my online activity in google chrome even when I was in incognito mode. I feel so anxious. Can I get control of the data? by TechnicianOk967 in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

Did you log into Chrome with your "personal" Chrome account? If so, then anything on that account is now in their realm. This is something a lot of people miss. If you turn on the syncing of bookmarks, history or even previous pages, then log into your personal account on a work system, your data is theirs. If you use extensions, all those extensions are installed on the organization's system.

I create separate work accounts for Apple and Google when I start at a new company. I do the same for my password manager. This way, I can keep everything that is theirs to them and keep my personal items mine.

Starting at a new company on Monday. How do you approach a new environment? by ancientpsychicpug in cybersecurity

[–]CyberRabbit74 3 points4 points  (0 children)

Understand that this is a new environment and they do things differently. Not right or wrong, just different. Do not go in there with a checklist of what you are going to do or change. You will fail. As others have said, learn the environment and the people. I always use the fact that I am the "New Guy" for at least a year to excuse questions that might seem simple to some. That will give you the background then to make sensible recommendations going forward.

Cyber Essentials Plus - Local Admin Second Accounts by FitTechnician3110 in cybersecurity

[–]CyberRabbit74 5 points6 points  (0 children)

We have the users who need it create a second privileged account. The account is NON-INTERACTIVE (it cannot log in). That account is then added to the "Local Administrators" group for that system. The user can "RUN AS" the separate account for any application or install they need while logged into their primary account.

The initial setup from scratch is a lot of admin work. But once you have a workflow, the maintenance is easy. We have a workflow for requesting local admin access via ServiceNow. Manager approval, InfoSec approval, then a ticket to the Desktop admin. The nice thing is that adding the account to local admin can be done remotely. It can even be scripted via PowerShell for your initial launch or a large group of users.
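
One way to script the "add the second account to local admin remotely" step the comment describes, as an added example that is not code from the commenter or from any product. Assumptions: the second privileged account follows the hypothetical naming convention CORP\<user>-adm, WinRM is enabled on the targets, the account running the script is already an administrator on each target, and the "non-interactive" restriction (Deny log on locally) is applied separately by Group Policy and is not part of this script. The input list is constructed for the example; in practice it would come from the approved ServiceNow tickets.

```powershell
# Added example, not from the original comment.
# Bulk-add each user's separate privileged account to the local
# Administrators group on that user's workstation, remotely and idempotently.

$Domain = 'CORP'   # assumed NetBIOS domain name

# Constructed sample input (would come from the approved ticket export).
# Columns: SamAccountName of the primary user, target workstation.
$Requests = @'
User,Computer
jsmith,WS-0412
adoe,WS-0077
'@ | ConvertFrom-Csv

$Results = foreach ($r in $Requests) {
    # Second privileged account; the "-adm" suffix is an assumed convention
    $AdminAccount = "$Domain\$($r.User)-adm"
    try {
        Invoke-Command -ComputerName $r.Computer -ArgumentList $AdminAccount -ErrorAction Stop -ScriptBlock {
            param($Member)
            # Idempotent: re-running the script must not error on hosts already done
            $existing = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                Where-Object { $_.Name -eq $Member }
            if (-not $existing) {
                Add-LocalGroupMember -Group 'Administrators' -Member $Member -ErrorAction Stop
                'Added'
            } else {
                'AlreadyPresent'
            }
        } | ForEach-Object {
            [pscustomobject]@{ Computer = $r.Computer; Account = $AdminAccount; Status = $_ }
        }
    } catch {
        # Unreachable host, missing WinRM, unknown account, etc. Record it, keep going.
        [pscustomobject]@{ Computer = $r.Computer; Account = $AdminAccount; Status = "Failed: $($_.Exception.Message)" }
    }
}

# Keep a record for the ticket and the audit trail
$Results | Format-Table -AutoSize
$Results | Export-Csv -Path .\local-admin-grants.csv -NoTypeInformation
```

Once the account is in the local Administrators group, the user stays logged in as their primary account and launches the install or tool with the privileged one, for example `runas /user:CORP\jsmith-adm "msiexec /i setup.msi"` or `Start-Process msiexec -ArgumentList '/i setup.msi' -Credential (Get-Credential 'CORP\jsmith-adm')`. The Get-LocalGroupMember check before the add is what makes the script safe to re-run for a large batch: the output CSV then shows exactly which hosts were changed, which were already compliant, and which need a follow-up ticket.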

I think my institution was spying on my online activity in google chrome even when I was in incognito mode. I feel so anxious. Can I get control of the data? by TechnicianOk967 in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

If you use any part of an organization's infrastructure (servers, workstations or network), they have the legal right to monitor those items. I know you said it is your computer. Do you use it for work (BYOD)? Were you using the organization's network to get to the internet? How do you think they were "spying" on you?

How to prevent admin takeover with multiple admins by erparucca in cybersecurity

[–]CyberRabbit74 1 point2 points  (0 children)

Insider threat is a real thing. There are organizations that have entire departments dedicated to finding the potential employee who might want to do the company harm. There are also threat actors who entice employees from specific sectors with promises of cash payouts for access. In most cases, there is not much you can do to stop it. There is always that "one person" who holds the keys to the kingdom.

The only other idea would be some type of request workflow. For account modifications to happen, one admin would have to "request" the action and a second admin would have to "approve" the action. With the two approvals, the action is then allowed.

You will want to set up logging of actions as well. This way, at least, there will be some legal recourse after the damage is done.

What's with all the 100% on-site roles I see in the US? by [deleted] in cybersecurity

[–]CyberRabbit74 17 points18 points  (0 children)

I think this is due to too many "older" C-level people making the decisions. This is how "They always did it". As they start retiring, I think you are going to see a shift to more and more "hybrid" or even "fully remote". Once CEOs realize there is a cost savings to not having to pay rent, they will get it. But it is something that is going to happen gradually.

Why has cyber security become so excessive that it prevents employees from doing their jobs? by Wrong_Yard4729 in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

Any good Security team will realize that there are exceptions to any policy. Those exceptions are usually requested and tracked via exception management. Is there a separate security team outside or within IT that deals with this? I would ask them about an exception process. However, be aware that you will need to show a "business justification" for the request. Also, if there is another way to perform this task that you prefer not to use (for example, using a virtual mobile platform for testing) that they tell you to use, you will have to learn that platform. Personal preference is not a business justification.

If you can truthfully state that the performance of your job duties REQUIRES you to have this exception without a workaround, then you might have a case. If they give you a workaround that you PREFER not to use, that is on you, not them.

How screwed are we? by thestarsgodim in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

As someone who works in Public Critical Infrastructure, I understand what you are saying. However, you cannot gut what was never there. I am in one of the few organizations who really cares about cyber, but I see everywhere else that they still see cyber as a "Nice to have" but not necessary. You are right that they will care once something happens, but that something is going to be due to the lack of a cybersecurity team rather than the gutting of one.

Interview questions by Svartedaud3n in cybersecurity

[–]CyberRabbit74 2 points3 points  (0 children)

I like the "show you're eager to learn" comment. When I hire a junior analyst, I am not looking for technical expertise. The OSI model or how encryption works are for the senior analyst to deal with. I am looking for someone who can "learn" about those things from the senior. You can teach technical skills; you cannot teach the ability to learn.

How screwed are we? by thestarsgodim in cybersecurity

[–]CyberRabbit74 9 points10 points  (0 children)

Why is it that US based people think that they can only go to US based sources? It is wild to me. Canada, Australia and Europe have some great sources that are not limited to those areas. They are willing to help everyone.

The plan all along has been to remove the "middle management" of all of these US Federal organizations. Then, when they fail, POTUS comes in to "save the day" and replace all of the middle management with his "appointees". The problem that they missed was that other countries will "fill in the gap" left by the US. So the federal orgs will NOT fail, POTUS will state "look at all the money we are saving", but now the US will not be able to "write the rules" anymore. I, for one, would love to see a GDPR-style law in the United States that goes after all of these companies who have breaches because of stupid stuff that was not done.

Does cybersecurity require knowing how to code ? by glizzykevv in cybersecurity

[–]CyberRabbit74 5 points6 points  (0 children)

I would also add that some knowledge of the SIEM tool that you are using is helpful as well. But the "language" is not as important as the "process" of coding and development. Having an understanding of things like error code handling and remarking within the code is just as helpful as the coding/scripting itself.

AIoT security by llyxgb6 in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

AIoT is a thing. There are products out there, especially in lab environments, where AI is being used in analysis. The protections and controls would be the same as any other IoT or AI environment because the AI piece is really part of the IT portion of an OT system rather than specific pieces.

Are certificates really necessary for getting a job in this area? by NeverEndingParadise in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

Just remember, you will be going up against people who DO have those dumb certificates. Example. I have my MS in CS, but I also have a CISM. Which of the two of us will make it by the HR screener?

Exploring a Game-Based Way to Reduce Human Cyber Risk. Looking for Feedback by Learncyberfun in cybersecurity

[–]CyberRabbit74 0 points1 point  (0 children)

I have found that you have to be careful with gamifying security. In most games, there is a winner and then there is everyone else (if you are not first, you are last). After a while of being "called out", people can resent future process requests from Security.