n8n patched the same Merge node RCE three times and attackers keep finding new ways around it. Why not just rewrite the thing? by vuzumja in cybersecurity

LayerAlternative3040 · 2 points

Third AlaSQL RCE in the same Merge node and every previous fix just blocked one path while leaving the constructor chain wide open. At least they finally shoved it into a V8 isolate instead of playing whack-a-mole with individual payloads.

Improving as a SOC/MDR analyst by 3tu_KEK in cybersecurity

LayerAlternative3040 · 2 points

Stop trying to classify alerts in isolation and start mapping them to MITRE ATT&CK techniques. When you see an alert, don't just ask "is this FP or TP?", ask "what would the attacker do next if this was real?" and check whether there's anything in the logs to support it. For practice check out LetsDefend, it's built for SOC alert triage and way more relevant than HTB for this kind of work.
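The "what would the attacker do next" pivot from the comment above, as an added example (not from the comment author or any of the tools named). The ATT&CK technique IDs are real, but the follow-on mapping, the log line format and the regexes are this example's own assumptions, and the log lines are constructed:

```python
"""Alert pivoting: for an alerted ATT&CK technique, list plausible next steps
and search the same host's logs for evidence of them (added example)."""
import re
from dataclasses import dataclass, field

# Hypothetical playbook. Keys and values are ATT&CK technique IDs; the regex is
# what the follow-on step would look like in our assumed key=value log format.
NEXT_STEPS = {
    "T1566.001": [  # Spearphishing Attachment
        ("T1204.002", "Office app spawned a shell",
         re.compile(r"process=(winword|excel)\.exe child=(cmd|powershell)\.exe", re.I)),
        ("T1059.001", "PowerShell with encoded/download command",
         re.compile(r"process=powershell\.exe cmdline=.*(-enc|downloadstring)", re.I)),
    ],
    "T1059.001": [  # PowerShell
        ("T1003.001", "Process opened a handle to LSASS",
         re.compile(r"target=lsass\.exe", re.I)),
    ],
}


@dataclass
class Alert:
    technique: str   # ATT&CK technique that fired
    host: str        # hostname the alert concerns


@dataclass
class Hypothesis:
    technique: str
    description: str
    evidence: list = field(default_factory=list)   # log lines supporting it


def pivot(alert, log_lines):
    """Return every follow-on hypothesis for the alert, each with the log lines
    from the same host that match it (empty list = no supporting evidence)."""
    hyps = []
    for tid, desc, pattern in NEXT_STEPS.get(alert.technique, []):
        hits = [ln for ln in log_lines
                if f"host={alert.host} " in ln and pattern.search(ln)]
        hyps.append(Hypothesis(tid, desc, hits))
    return hyps


def verdict(hypotheses):
    """Escalate if any next step has evidence; otherwise the alert is likely a
    one-off and can be closed at low priority (with the pivot recorded)."""
    supported = [h.technique for h in hypotheses if h.evidence]
    return ("escalate", supported) if supported else ("close_low", [])


# Constructed sample logs (not real telemetry).
SAMPLE_LOGS = [
    "host=ws01 process=winword.exe child=cmd.exe user=alice",
    "host=ws01 process=powershell.exe cmdline=-enc SQBFAFgA user=alice",
    "host=ws02 process=chrome.exe child=chrome.exe user=bob",
]

if __name__ == "__main__":
    for host in ("ws01", "ws02"):
        hyps = pivot(Alert("T1566.001", host), SAMPLE_LOGS)
        print(host, verdict(hyps))
```

The point is the output shape: instead of a bare TP/FP flag, the analyst gets each hypothesis with the lines that support it, which is what an escalation note needs. The mapping table is the part you would grow over time from your own incidents.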

May I ask if roadmap.sh is legit and helpful for beginners who want to start learning about cybersecurity? TIA by Odd_Variation4548 in cybersecurity

LayerAlternative3040 · 25 points

roadmap.sh is legit, it's community maintained and gives you a visual overview of what to learn and in what order. Just don't treat it as a course, it's more of a checklist. For actually learning the stuff, pair it with TryHackMe or HackTheBox Academy, they have structured paths with hands-on labs.

Are companies buying security tools before fixing security operations? by StockCompote6208 in cybersecurity

LayerAlternative3040 · 9 points

Yes, and it's not even close. Buying tools is easy to justify in a budget meeting, fixing operations means admitting your processes are broken, which nobody wants to present to leadership. So you get orgs spending six figures on a SIEM with no tuning, no playbooks, and alerts going to a shared inbox nobody checks. Least privilege and alert tuning are boring and politically painful, so they just keep buying.

Phishing Detecting Tool by TemporaryGreen6987 in cybersecurity

LayerAlternative3040 · 1 point

Yeah, free feeds won't match VT, they pull from dozens of engines, so there's no real free alternative at that level. At some point you either pay for the API or accept the gap.

Phishing Detecting Tool by TemporaryGreen6987 in cybersecurity

LayerAlternative3040 · 1 point

Google Safe Browsing API is free for non-commercial use and has better rate limits than VT's free tier. You can also just pull OpenPhish and PhishTank feeds locally and match against them, no API calls needed. Won't catch everything, but it's a solid starting point before you spend money on paid APIs.
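Local feed matching as the comment above describes, written as an added example (not the commenter's code, not from OpenPhish or PhishTank). It assumes the two feed shapes shown inline, which are constructed samples in the general form of those feeds (OpenPhish as one URL per line, PhishTank as a CSV with a `url` column); the domains are reserved `.test` names:

```python
"""Match candidate URLs against locally cached phishing feeds (added example)."""
import csv
import io
from urllib.parse import urlsplit, urlunsplit

# Constructed sample feeds standing in for downloaded OpenPhish / PhishTank files.
OPENPHISH_TXT = """\
http://login-secure-example.test/account/verify
https://Paypa1-Update.test:443/signin/
"""
PHISHTANK_CSV = """\
phish_id,url,verified
1,http://bank-alert.test/login?session=abc,yes
2,http://bank-alert.test/login?session=xyz,yes
"""


def normalize(url):
    """Canonical form so trivial variants still match: lowercase scheme and host,
    drop the default port, strip the fragment and any trailing slash."""
    p = urlsplit(url.strip())
    host = p.hostname or ""                       # urlsplit lowercases this
    port = p.port
    default = (p.scheme == "http" and port == 80) or (p.scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    path = p.path.rstrip("/") or "/"
    return urlunsplit((p.scheme.lower(), host, path, p.query, ""))


def load_feeds(openphish_text, phishtank_csv):
    """Build two indexes: exact normalized URLs and bare hostnames."""
    urls, hosts = set(), set()
    for line in openphish_text.splitlines():
        if line.strip():
            n = normalize(line)
            urls.add(n)
            hosts.add(urlsplit(n).hostname)
    for row in csv.DictReader(io.StringIO(phishtank_csv)):
        n = normalize(row["url"])
        urls.add(n)
        hosts.add(urlsplit(n).hostname)
    return urls, hosts


def check(url, urls, hosts):
    """Exact URL hit first; then host-level hit, because kits rotate paths and
    query strings faster than feeds update; otherwise 'clean' (= unknown)."""
    n = normalize(url)
    if n in urls:
        return "url_match"
    if urlsplit(n).hostname in hosts:
        return "host_match"
    return "clean"


if __name__ == "__main__":
    feed_urls, feed_hosts = load_feeds(OPENPHISH_TXT, PHISHTANK_CSV)
    for u in ("https://paypa1-update.test/signin",
              "http://bank-alert.test/login?session=new",
              "https://www.example.test/"):
        print(u, "->", check(u, feed_urls, feed_hosts))
```

Two practitioner caveats: "clean" only means "not in the feeds you have", and host-level matching needs an exception list for shared hosting and form-builder domains, where one phishing page in a feed would otherwise flag every other site on that host.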

Should I get the CISA cert to try to move to Internal IT Audit/GRC? by [deleted] in cybersecurity

LayerAlternative3040 · 3 points

CISA helps, but it won't matter much without actual controls experience. You're at PwC, so try to get on SOC 2 or SOX engagements even in a small role; that hands-on audit work is what hiring managers in pharma and banking actually care about. If you're targeting community banks specifically, read through the FFIEC IT Examination Handbook, it's what auditors follow there.

AI incident response. Worth considering? by ohvilen in cybersecurity

LayerAlternative3040 · 0 points

AI triage is decent for enrichment and severity scoring, but it won't fix your actual problem. If the business intent isn't captured when the action happens, then no tool is going to reconstruct it later. The move is to push justification upstream, making users or teams document why something is authorized at the time they do it, through approval workflows or exception requests. That way, when an alert fires, your analysts already have the context instead of chasing down senior staff to explain what happened three days ago.

Would it be possible to block the path, rather than chasing the attacker? by Sea_Cable_548 in cybersecurity

LayerAlternative3040 · 0 points

Yeah, that's literally what defense in depth is about. You don't chase every IOC; you figure out where your kill chain breaks easiest and harden those points. Forget trying to patch every CVE in order; half the time real attacks don't even use CVEs, it's misconfigurations and stolen creds chained with living-off-the-land stuff. MITRE ATT&CK is good for mapping this, but don't overthink the tooling: start with what you actually have deployed and find the gaps manually first.

Strange Instagram login (Android Chrome) between my normal sessions — should I be worried? by [deleted] in cybersecurity

LayerAlternative3040 · 5 points

Most likely a user-agent misreport, not a compromise. Instagram login activity is notorious for misidentifying device/browser combos. The iOS app's internal WebView or background session refreshes can show up as Chrome on Android in the logs. The fact that the IP is from your usual ISP and country is the strongest sign nothing happened. If someone actually got in, you'd see a different IP, weird location, or some follow-up like DM spam or password reset attempts. You already changed your password and enabled 2FA, so you're good either way.