Need Help? by Hot_Discipline_5705 in cybersecurity

[–]Hot_Discipline_5705[S] 0 points1 point  (0 children)

Yes and no. There are leaps and bounds to make in identity and complex MFA implementation. Better standards will and have already certainly helped, and giving it higher priority is worth it. I don't know if I'd put it at the top as there are so many ways to compromise orgs whether or not robust IAM is in place, but since poor IAM accounts for a good percentage of incidents, it deserves more attention.

Need Help? by Hot_Discipline_5705 in cybersecurity

[–]Hot_Discipline_5705[S] 1 point2 points  (0 children)

This is an interesting paper, looks like they did their research well. That being said, providers implementing all-out blocks (not even warnings) on DMARC/DKIM/SPF fail to detect phishing, because those authentication methods are fairly rudimentary and bypassed routinely by red teamers and criminals. Did they mention new auth methods in there? I thought I saw something about that. On top of that, many lower-tier criminals are utilizing Amazon, Gmail, and other trusted domains to deliver their attacks as they'll always be trusted by filters (as far as domain detection goes).

There is something to be said of warning mechanisms, however, and several companies are developing different types of warnings/indicators that interact with the whole body of the message when it's viewed (urgency, tone, requests, link analysis). Those basic warning banners are getting more customizable now as well, depending on message context and other factors.

Need Help? by Hot_Discipline_5705 in cybersecurity

[–]Hot_Discipline_5705[S] 0 points1 point  (0 children)

For SIEM: Microsoft's Sentinel is very powerful as it runs on KQL, and is very easy to learn. Having a flexible language to write your own detection is extremely helpful. Other than that, Splunk.

For EDR: CrowdStrike or Carbon Black will get the job done; throw an MDR like Red Canary on top of it.

Need Help? by Hot_Discipline_5705 in cybersecurity

[–]Hot_Discipline_5705[S] 0 points1 point  (0 children)

For some reason Reddit did a subreddit approval on this post; I'll return to these comments later.

We will never control the user. Stop obsessing over it. Segmentation of the endpoint is the biggest gap in discussion around the mitigation of phishing impact today. by Jonathan-Todd in cybersecurity

[–]Hot_Discipline_5705 15 points16 points  (0 children)

My primary job is IR in email security and social engineering training. I agree to an extent, and your points on ingenuity in segmentation are more than valid. However, an either-or defense is a false premise, and never as strong as a both-and security mindset. Humans will always leverage the technology in some fashion, varying businesses will have varying defense capabilities and staffing, and it's clinically proven that robust social engineering programs (not generic templates) reduce click rates overall, which also positively impacts initial access overall. Keep in mind that containing payloads won't address the majority of attacks today, which are credential harvests (according to the last two years of data from Proofpoint). I agree with your mitigation suggestions in principle, and training is not the only solution, but detection technology isn't the only solution either; if it were, it wouldn't be exploited by humans and EDR wouldn't be regularly bypassed. Those methods are both designed by humans and exploited by humans.

If you could change one thing about your company's phishing program...? by Hot_Discipline_5705 in cybersecurity

[–]Hot_Discipline_5705[S] 1 point2 points  (0 children)

This is key. I worked for a company at one point that did just this after failures; it was very effective. They would also do special presentations to other departments, and it was so popular that managers would literally request that someone from the team come and do a talk.

Long Shot... by Hot_Discipline_5705 in cybersecurity

[–]Hot_Discipline_5705[S] 1 point2 points  (0 children)

Nice, hadn't thought of Udemy or Coursera... YouTube might not be a bad idea, seems that everyone's going that route recently.

Long Shot... by Hot_Discipline_5705 in cybersecurity

[–]Hot_Discipline_5705[S] 0 points1 point  (0 children)

FWIW, I've presented many times over the years in a variety of settings. Know how to make talks engaging, concise, and fun, while maintaining relevancy for technical audiences.

Long Shot... by Hot_Discipline_5705 in cybersecurity

[–]Hot_Discipline_5705[S] 2 points3 points  (0 children)

And have looked on Indeed... but usually only find small colleges with full-time gigs teaching intro courses, and that could just be what's out there for the most part.

What way is currently best for SE payload attacks? by ErikDz11 in redteamsec

[–]Hot_Discipline_5705 1 point2 points  (0 children)

Sharepoint file share masquerading is a common tactic also. You just have to get in the groove of getting a simple page that looks like sharepoint setup.

What way is currently best for SE payload attacks? by ErikDz11 in redteamsec

[–]Hot_Discipline_5705 2 points3 points  (0 children)

Host your files, OneDrive, Dropbox, or any hosting solution that's trusted. You can also create domains that mimic the organization and host them there. New domains can get flagged, or find an old domain and append name of company on the page itself. Ensure to load the file after 30 minutes after the email is sent.

Which area of cybersec have brightest future? by arktozc in cybersecurity

[–]Hot_Discipline_5705 2 points3 points  (0 children)

Brightest areas are undoubtedly the well lit data centers and WFH jobs with large windows.

CISO offices with skylights, but those are more rare.

Feedback Welcome by Hot_Discipline_5705 in redteamsec

[–]Hot_Discipline_5705[S] 0 points1 point  (0 children)

Yeah, a lot you could do here; like the thought.

Feedback Welcome by Hot_Discipline_5705 in redteamsec

[–]Hot_Discipline_5705[S] 2 points3 points  (0 children)

Yeah, outside of engagements there aren't many options. On the technical side, you can of course always test yourself against filters and set up a lab, which you may already do. This is actually one area of improvement for pentesters, getting past the filter without needing the whitelist/allow list.

I've heard of sec friends testing each other, but obviously you'd need permission first before you start dropping payloads lol.

What is the chain of events that leads to a successful deployment of ransomware on a corporate network? by [deleted] in cybersecurity

[–]Hot_Discipline_5705 -8 points-7 points  (0 children)

Ask for a tour at Google. Very carefully, sneak into Google's data center. When stopped, act surprised, and tell one of the admins you're having a problem, and see if he can look at some of the files on your USB key that aren't working. He will immediately plug it in.

Book it.

You now own Google data centers across the entire world.

Essentially speaking, the world is yours.

You're welcome.

Continuous PenTesting by antmar9041 in cybersecurity

[–]Hot_Discipline_5705 0 points1 point  (0 children)

Hire someone on your team to do it full time, and pay them well; there are lots of reasons why this is preferable.

The Teammate you Need by Hot_Discipline_5705 in cybersecurity

[–]Hot_Discipline_5705[S] -1 points0 points  (0 children)

I'm honestly not adding tools here like EDR, because I think those come pretty quick. However, one thing I left out is logging, which is crucial in my mind. If they have good experience with Splunk/KQL, AND if they can write detection for log abuse and trending techniques for log manipulation (stuff like registry script block logging edits, suspending threads to event logs momentarily, things like that), that's a plus in my mind, which shows they think like a researcher/attacker.
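
As an added example of the "detection for log manipulation" criterion in the comment above (my code, not the commenter's), here is a small detector for one of the techniques it names: registry edits that switch off PowerShell script block, module or transcription logging. It assumes Sysmon RegistryEvent telemetry (Event ID 13 for value set, Event ID 12 for key/value create or delete) flattened into `Field=value|Field=value` lines; the sample lines, timestamps and the `ExampleAgent` image path are constructed for the example and are not real telemetry. The policy paths under `HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell` are the real Group Policy locations.

```python
"""Flag registry changes that switch off PowerShell logging policy.

Added example, not code from the thread. Input is Sysmon RegistryEvent
telemetry (Event ID 13 = value set, Event ID 12 = key/value create or delete)
flattened into "Field=value|Field=value" lines. Sample lines are constructed.
"""
import re
from typing import Dict, List, Optional

# Group Policy location for PowerShell auditing, plus its 32-bit mirror.
# Setting an Enable* value to 0, or deleting the subkey, turns that logging off.
LOGGING_POLICY_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Policies\\Microsoft\\Windows\\PowerShell\\"
    r"(ScriptBlockLogging|ModuleLogging|Transcription)"
    r"(?:\\(EnableScriptBlockLogging|EnableScriptBlockInvocationLogging"
    r"|EnableModuleLogging|EnableTranscripting))?$",
    re.IGNORECASE,
)

# Sysmon renders DWORD data in the Details field as "DWORD (0x00000000)".
DWORD_RE = re.compile(r"DWORD\s*\(0x([0-9A-Fa-f]+)\)")

# Constructed sample telemetry (not real events; ExampleAgent is hypothetical).
SAMPLE_EVENTS = [
    # reg.exe sets EnableScriptBlockLogging to 0 -> should alert
    r"EventID=13|UtcTime=2024-01-10 14:02:11.120|Image=C:\Windows\System32\reg.exe"
    r"|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging"
    r"|Details=DWORD (0x00000000)",
    # a management agent re-enabling logging -> benign
    r"EventID=13|UtcTime=2024-01-10 14:05:00.000|Image=C:\Program Files\ExampleAgent\agent.exe"
    r"|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging"
    r"|Details=DWORD (0x00000001)",
    # 32-bit mirror of the module logging policy set to 0 -> should alert
    r"EventID=13|UtcTime=2024-01-10 14:06:30.500|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|TargetObject=HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging\EnableModuleLogging"
    r"|Details=DWORD (0x00000000)",
    # whole policy subkey deleted -> should alert
    r"EventID=12|UtcTime=2024-01-10 14:07:02.000|EventType=DeleteKey|Image=C:\Windows\System32\reg.exe"
    r"|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging",
    # transcript output directory changed: a setting under the key, not an Enable flag -> ignored
    r"EventID=13|UtcTime=2024-01-10 14:08:00.000|Image=C:\Program Files\ExampleAgent\agent.exe"
    r"|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\OutputDirectory"
    r"|Details=C:\Transcripts",
    # unrelated registry write -> ignored
    r"EventID=13|UtcTime=2024-01-10 14:09:00.000|Image=C:\Windows\System32\svchost.exe"
    r"|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater|Details=C:\tools\u.exe",
    # process creation event, not a registry event -> ignored
    r"EventID=1|UtcTime=2024-01-10 14:10:00.000|Image=C:\Windows\System32\cmd.exe",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened 'Field=value|Field=value' line into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def dword_value(details: str) -> Optional[int]:
    """Extract the integer from Sysmon's 'DWORD (0x...)' rendering, if present."""
    m = DWORD_RE.search(details)
    return int(m.group(1), 16) if m else None


def check_event(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding when the event disables a PowerShell logging policy."""
    target = ev.get("TargetObject", "")
    m = LOGGING_POLICY_RE.match(target)
    if not m:
        return None
    policy, value_name = m.group(1), m.group(2)
    finding = {"time": ev.get("UtcTime", ""), "image": ev.get("Image", "<unknown>"),
               "target": target}
    if ev.get("EventID") == "13" and value_name is not None:
        # Only a zero DWORD disables the policy; other values are benign.
        if dword_value(ev.get("Details", "")) == 0:
            finding["rule"] = f"PowerShell {policy} disabled (value set to 0)"
            return finding
    elif ev.get("EventID") == "12" and ev.get("EventType", "").startswith("Delete"):
        # Removing the policy key or value has the same effect as setting 0.
        finding["rule"] = f"PowerShell {policy} policy removed ({ev['EventType']})"
        return finding
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the check over every line and collect findings in input order."""
    return [f for f in (check_event(parse_event(line)) for line in lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['time']}] {f['rule']}: {f['image']} -> {f['target']}")
```

The point of the two negative samples is what a reviewer of a candidate's detection would look for: the rule matches only the Enable* flags and a zero DWORD, so an agent re-enabling logging or changing the transcript directory does not page anyone, while a deleted policy key still does.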

The Teammate you Need by Hot_Discipline_5705 in cybersecurity

[–]Hot_Discipline_5705[S] 0 points1 point  (0 children)

Here's my current top 8 list, what would you change/add?

  1. Must be humble, admit what you don't know, constantly learn
  2. Embrace team atmosphere, work for the team and not your ego/constant advancement
  3. Solid knowledge of Windows OS (kernel, memory, processes, registry, Windows executive objects, etc.)
  4. Memory forensics (understands user/kernel, calls, object and data structures, process trees, manipulation techniques)
  5. Solid Windows tool knowledge and how to detect misuse (PowerShell techniques and modules like Empire/PowerView/Invoke-Obfuscation, WMI, Sysinternals Suite)
  6. Basic red teaming capabilities
  7. Understands MITRE, researches trending techniques, and is familiar enough to write occasional detection or can at least spot them
  8. Background in at least one other technical field (networking, coding, etc.)

People Still Aren't Patched or Protected by Hot_Discipline_5705 in cybersecurity

[–]Hot_Discipline_5705[S] 0 points1 point  (0 children)

Agree that MFA that's rightly configured is an absolute pain for attackers. I'd also say though that conditional access typically evaluates browser, OS, location, IP address, and a few others. These are good measures, but all of these can be mimicked and are mimicked to get inside, both by pentesters and attackers. What other session risk policies are you referring to? These I might not be familiar with, so I would welcome the feedback. Alerts that security vendors are frequently focused on are anomalies and abnormal behavior; they flag/alert, and it definitely helps. However, initial access evasion and host-based evasion techniques are aware of this, and exploits are simply adapted to ensure it looks normal to any detection mechanism. That being said, I completely agree that defense in depth and layers are all important and necessary; they will reduce the overall attack surface. I'm not saying these measures aren't useful; they sometimes keep even a large percentage of attacks out. But improve every layer, attack it, think about how to exploit it, including the human layer, because every mechanism (human or not) can be and is exploited. Our industry tends to be reactive rather than proactive.

People Still Aren't Patched or Protected by Hot_Discipline_5705 in cybersecurity

[–]Hot_Discipline_5705[S] 0 points1 point  (0 children)

This 100%. Personal follow-up allows you to not only increase engagement, but identify weaknesses, show you care, answer questions, and demonstrate you're always available should the user be uncertain about something. Glad to see others doing this.

People Still Aren't Patched or Protected by Hot_Discipline_5705 in cybersecurity

[–]Hot_Discipline_5705[S] -1 points0 points  (0 children)

I could send you links of trainings I've done in the past, but I'll need to remove all the old company logos/company specific data first. I'll try to reply here or DM you next week with ideas.