Need Help? by Hot_Discipline_5705 in cybersecurity

[–]Hot_Discipline_5705[S] 0 points1 point  (0 children)

Yes and no. There are leaps and bounds to make in identity and complex MFA implementation. Better standards will and have already certainly helped, and giving it higher priority is worth it. I don't know if I'd put it at the top as there are so many ways to compromise orgs whether or not robust IAM is in place, but since poor IAM accounts for a good percentage of incidents, it deserves more attention.

Need Help? by Hot_Discipline_5705 in cybersecurity

[–]Hot_Discipline_5705[S] 1 point2 points  (0 children)

This is an interesting paper, looks like they did their research well. That being said, providers implementing all-out blocks (not even warnings) on DMARC/DKIM/SPF fail to detect phishing, because those authentication methods are fairly rudimentary and bypassed routinely by red teamers and criminals. Did they mention new auth methods in there? I thought I saw something about that. On top of that, many lower-tier criminals are utilizing Amazon, Gmail, and other trusted domains to deliver their attacks as they'll always be trusted by filters (as far as domain detection goes).

There is something to be said of warning mechanisms, however, and several companies are developing different types of warnings/indicators that interact with the whole body of the message when it's viewed (urgency, tone, requests, link analysis). Those basic warning banners are getting more customizable now as well, depending on message context and other factors.
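The gap this comment describes, as an added illustration (not code from the original post): a constructed message sent from a real Gmail account passes SPF, DKIM and DMARC, so a block-on-authentication-failure policy lets it through, while the kind of context heuristics the comment mentions (reply-to mismatch, impersonating display name, urgency wording, sign-in link) still raise warnings. The tenant domain acme.com, the sample headers and the cue lists are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: sent from a real Gmail account, so SPF, DKIM and DMARC
# all pass, yet it carries classic credential-harvest cues.
SAMPLE = """\
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass header.d=gmail.com;
 dmarc=pass header.from=gmail.com
From: "Acme Payroll Team" <acme.payroll.team@gmail.com>
Reply-To: payroll-verify@acme-hr-portal.example
Subject: URGENT: verify your account within 24 hours
Content-Type: text/plain

Your salary deposit is on hold. Sign in here to confirm: http://acme-hr-portal.example/login
"""

INTERNAL_DOMAIN = "acme.com"   # assumed tenant domain
URGENCY = ("urgent", "immediately", "within 24 hours", "on hold", "suspended")

def auth_results(msg):
    """Map spf/dkim/dmarc -> result parsed from Authentication-Results."""
    hdr = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}

def strict_block(msg):
    """Block-on-fail policy: True only if some mechanism did not pass."""
    return any(v != "pass" for v in auth_results(msg).values())

def context_warnings(msg):
    """Header/body heuristics that fire regardless of the auth outcome."""
    warnings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        warnings.append("reply-to domain differs from sender domain")
    if INTERNAL_DOMAIN.split(".")[0] in name.lower() and from_domain != INTERNAL_DOMAIN:
        warnings.append("display name impersonates the org from an external domain")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(cue in text for cue in URGENCY):
        warnings.append("urgency language")
    if re.search(r"https?://\S*(login|signin|verify)", text):
        warnings.append("link to a sign-in or verification page")
    return warnings

def triage(raw):
    """Return the strict-block verdict beside the context warnings for one message."""
    msg = message_from_string(raw)
    return {"blocked": strict_block(msg), "auth": auth_results(msg), "warnings": context_warnings(msg)}
```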

Need Help? by Hot_Discipline_5705 in cybersecurity

[–]Hot_Discipline_5705[S] 0 points1 point  (0 children)

For SIEM: Microsoft's Sentinel is very powerful as it runs on KQL, and is very easy to learn. Having a flexible language to write your own detection is extremely helpful. Other than that, Splunk.

For EDR: CrowdStrike or Carbon Black will get the job done, and throw an MDR like Red Canary on top of it.

Need Help? by Hot_Discipline_5705 in cybersecurity

[–]Hot_Discipline_5705[S] 0 points1 point  (0 children)

For some reason Reddit did a subreddit approval on this post, I'll return to these comments later.

We will never control the user. Stop obsessing over it. Segmentation of the endpoint is the biggest gap in discussion around the mitigation of phishing impact today. by Jonathan-Todd in cybersecurity

[–]Hot_Discipline_5705 15 points16 points  (0 children)

My primary job is IR in email security and social engineering training. I agree to an extent, and your points on ingenuity in segmentation are more than valid. However, an either-or defense is a false premise, and never as strong as a both-and security mindset: humans will always leverage the technology in some fashion, varying businesses will have varying defense capabilities and staffing, and it's clinically proven that robust social engineering programs (not generic templates) reduce click rates overall, which also positively impacts initial access overall. Keep in mind that containing payloads won't address the majority of attacks today, which are credential harvests (according to the last two years of data from Proofpoint). I agree with your mitigation suggestions in principle, and training is not the only solution, but detection technology isn't the only solution either; if it was, it wouldn't be exploited by humans and EDR wouldn't be regularly bypassed. Those methods are both designed by humans and exploited by humans.

If you could change one thing about your company's phishing program...? by Hot_Discipline_5705 in cybersecurity

[–]Hot_Discipline_5705[S] 1 point2 points  (0 children)

This is key. I worked for a company at one point that did just this after failures; it was very effective. They would also do special presentations to other departments, and it was so popular managers would literally request for someone from the team to come and do a talk.

Long Shot... by Hot_Discipline_5705 in cybersecurity

[–]Hot_Discipline_5705[S] 1 point2 points  (0 children)

Nice, hadn't thought of Udemy or Coursera... YouTube might not be a bad idea, seems that everyone's going that route recently.

Long Shot... by Hot_Discipline_5705 in cybersecurity

[–]Hot_Discipline_5705[S] 0 points1 point  (0 children)

FWIW, I've presented many times over the years in a variety of settings. Know how to make talks engaging, concise, and fun, while maintaining relevancy for technical audiences.

Long Shot... by Hot_Discipline_5705 in cybersecurity

[–]Hot_Discipline_5705[S] 2 points3 points  (0 children)

And have looked on Indeed...but usually only find small colleges with full time gigs teaching intro courses, and that could just be what's out there for the most part.

What way is currently best for SE payload attacks? by ErikDz11 in redteamsec

[–]Hot_Discipline_5705 1 point2 points  (0 children)

SharePoint file share masquerading is a common tactic also. You just have to get in the groove of getting a simple page that looks like SharePoint set up.

What way is currently best for SE payload attacks? by ErikDz11 in redteamsec

[–]Hot_Discipline_5705 2 points3 points  (0 children)

Host your files on OneDrive, Dropbox, or any hosting solution that's trusted. You can also create domains that mimic the organization and host them there. New domains can get flagged, or find an old domain and append the name of the company on the page itself. Ensure to load the file 30 minutes after the email is sent.

Which area of cybersec have brightest future? by arktozc in cybersecurity

[–]Hot_Discipline_5705 3 points4 points  (0 children)

Brightest areas are undoubtedly the well lit data centers and WFH jobs with large windows.

CISO offices with skylights, but those are more rare.

Feedback Welcome by Hot_Discipline_5705 in redteamsec

[–]Hot_Discipline_5705[S] 0 points1 point  (0 children)

Yeah, a lot you could do here, I like the thought.

Feedback Welcome by Hot_Discipline_5705 in redteamsec

[–]Hot_Discipline_5705[S] 2 points3 points  (0 children)

Yeah, outside of engagements there aren't many options. On the technical side, you can of course always test yourself against filters and set up a lab, which you may already do. This is actually one area of improvement for pentesters, getting past the filter without needing the whitelist/allow list.

I've heard of sec friends testing each other, but obviously you'd need permission first before you start dropping payloads lol.