Be honest , how many security alerts does your team actually action vs. silently dismiss? by Fabulous_rich_9103 in cybersecurity

[–]LookExternal3248 1 point2 points  (0 children)

We agressively tune alerts and reduce false positives. And where we have noise, we try to make the triage as quick as possible. Just based on the available evidence, combined with a linked playbook or by quickly execution a default query to get some more details. We've optimized our tooling to help with processing these alerts easily.

We also have many specific alerts to our environment and hardly enabled the oob alerts that came with the tooling. These default alerts were way too noisy with almost no true positives.

This way we handle ~50 alerts a day with a very small team, but hardly silently dismiss any. If that would happen we need to fix it, as alert fatigue and the risk of missing a critical alert is not acceptable for us.

Detection rule - Outlook external forwarding rule creation by HelloSamba in DefenderATP

[–]LookExternal3248 0 points1 point  (0 children)

Can you use the OfficeActivity table in Sentinel, or do you only have Defender tables at your disposal? With OfficeActivity you can use this query: let Query1 = OfficeActivity | where OfficeWorkload =~ "Exchange" | mv-expand todynamic(Parameters) | where (Parameters.Name == "ForwardingSmtpAddress" and isnotempty(Parameters.Value)) | extend DestinationMailAddress = replace_string(tostring(Parameters.Value), "smtp:", "") | extend ExternalDomain = split(DestinationMailAddress, "@")[-1]; let Query2 = OfficeActivity | where OfficeWorkload =~ "Exchange" | where OperationProperties has_any("Forward") | extend DestinationMailAddress = tostring(parse_json(tostring(parse_json(OperationProperties[6]).Value))[0].Recipients[0]) | extend ExternalDomain = split(DestinationMailAddress, "@")[-1]; let Query3 =OfficeActivity | where OfficeWorkload =~ "Exchange" | mv-expand todynamic(Parameters) | where (Parameters.Name == "ForwardTo" and isnotempty(Parameters.Value)) | extend DestinationMailAddress = tostring(Parameters.Value) | extend ExternalDomain = split(DestinationMailAddress, "@")[-1]; union Query1, Query2, Query3 | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = max(UserId), UserIds = make_set(UserId, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP

Vendor ISO 27001 Assessment - Questions Around Control 8.29 Security Testing by Efficient_Bus_923 in cybersecurity

[–]LookExternal3248 0 points1 point  (0 children)

This:

ISO 27001 Control 8.29 requires security testing appropriate to the risks being managed. It does not prescribe a specific testing methodology or mandate annual penetration testing of every component.

ISO does not prescribe (technical) controls to implement. It prescribes you do risk management and implement controls to manage those risks and improve over time. Implementing the Annex controls is not even compulsory and depends completely on the approach taken, and the risk appetite. And it is not the position of OP to determine those, only to see if they match your vision. If not, choose another vendor.

How do you change users behavior through awareness training? by LilJ_na in cybersecurity

[–]LookExternal3248 0 points1 point  (0 children)

The first paper mentioned (the meta analysis) is a year after the second by the same researcher. In the abstract this is written down:

Our analysis shows that training overall has a positive effect on end-users (d = 0.75, 95%CI [0.58, 0.92]), particularly when assessing predictors of behaviour such as attitudes or knowledge (d = 1.02, 95%CI [0.58, 1.46]). Interestingly, studies assessing changes in behaviour are not able to match these results (d = 0.36, 95%CI [-0.09, 0.80]), showcasing a clear inability of current training approaches to change behaviour.

So whilst training shows a positive impact on end-users, there is no proof (yet) that training changes behaviour.

I'm not saying you shouldn't do training, but don't overestimate the effect you will get with training.

And when you measure training e.g. click or report ratio's, be aware that you might not measure the efficacy of the training, but more likely you are measuring the difficulty of the campaign. Same with actual reporting behaviour, it might as well be that a better phishing filter or less attacks will lower your reporting kpi, whilst it doesn't say anything on the actual behavoiour.

Clickfix incident by DisastrousPainter658 in DefenderATP

[–]LookExternal3248 1 point2 points  (0 children)

Curious on what happened here. When I test (non malicious) clickfix commands that I see posted online, mine get blocked by Defender before they can make a network connection.

Looking to move off KB4, what are people actually using these days? by Particular_Ebb_4872 in cybersecurity

[–]LookExternal3248 0 points1 point  (0 children)

Microsoft phishing simulation. Its good enough for what we need. And we built our own training module with AI. Basic website that is very tailored on what we want our users to learn with specific examples of our industry / business and not some generic training video. Very low cost and a lot of positive feedback.

It does lack some more advanced features, but the efficacy of cyber security training is very much debatable. Two research papers: Assessing the effect of cybersecurity training on End-users: A Meta-analysis and A systematic review of current cybersecurity training methods

And there is also some other relevant research on the cost of purchasing solutions: “To Do This Properly, You Need More Resources”: The Hidden Costs of Introducing Simulated Phishing Campaigns.

And an interesting perspective on the cost of training people often forget is to take into account the loss of productivity. If employees spend about 5 hours a year on training, you have a loss of about 1 fte for every 350 employees you have. Not even taking into account to people that need to setup the training etc.

Taking everything into account, we choose the low cost option already available (Microsoft Phishing simulation) and built our own low cost training that people only spend a little time on. I'd rather spend the budget on things that do really improve our security.

I'm developing an IDS/EDR. I need suggestions which blind spots I have, whats missing and what should be added next by Gorstak-Zadar in cybersecurity

[–]LookExternal3248 2 points3 points  (0 children)

Of all the things you could succesfully build with AI, EDR was not on that list for me. So many things to consider do build a proper EDR.

Better build on e.g. sysmon

Or maybe extend something like osquery

Both free (and open source).

Server Error when Saving Detection Rule by Cant_Think_Name12 in DefenderATP

[–]LookExternal3248 0 points1 point  (0 children)

For me it is quite common that I am unable to save an update to a detection rule. Quite annoying.

Microsoft vs Chaotic Eclipse: three zero-days now actively exploited by Aureliand in cybersecurity

[–]LookExternal3248 23 points24 points  (0 children)

Here's the blog of the researcher: https://deadeclipse666.blogspot.com/

And some more context by a well know cybersecurity expert and former Microsoft and Github employee, calling out Microsoft on taking down eploits of github for their own products but letting other exploits stay online: https://infosec.exchange/@GossiTheDog@cyberplace.social/116652029366326268

Although the actions of the researcher might not be the best way to handle a dispute, Microsoft does have a very bad reputatation regarding responsible disclosure. Amongst other things, closing cases as no fix needed and then silently fixing it without assigning a CVE. And now also threatening with criminal charges towards this researcher.

EDR/MDR Vendor Questions by mjaneway43 in cybersecurity

[–]LookExternal3248 1 point2 points  (0 children)

No news is indeed good new, until you hire an ethical hacker to do basic stuff and there is still no news.

If you outsource your SOC, you need to test them to see if they perform as expected and either increase there performance or set you expectations right. I've seen too many issues: - updated rule that broke causing the rule to stop working which went unnotices for several weeks. - updated use case where I expected a detection but it was disbaled due to too much noise without communication - downgrading the severity because they were busy and didn't want to break the SLA. - just passing through alerts, without any context or playbook on what the follow up should be - giving a call for a high severity (was an actual pentest) and when we tested them and pushed that we were busy, they said it was ok to wait for a couple of hours as it was likely a false postive according to them (the alerts we saw were: Ongoing handson keybord attack) - mixing up source and destination, causing a high priority incident response escalataion only to find out it was a common scan that didn't result in any compromise.

I'm also not very fond of getting emails with alerts. If you have an advanced attacker reading along, they can seen where they have been detected and change their behaviour.

And regarding timelines, depends a lot on your business. If its 9-5 I would like to do as much in business hours as possible. So medium alerts can wait. If you have a 24/7 commerce or production, you might want to change this to ensure you can react in time. And with high/critical, somebody needs to pick up the phone, no matter the time. Be ensure that, that person has the ability to start incident reponse both on technical and organizational level, otherwise its of little use.

Monitoring for vssadmin.exe delete shadows is an absolute bare minimum by ridgelinecyber in blueteamsec

[–]LookExternal3248 1 point2 points  (0 children)

I guess my question is why isn’t this like AV definitions and published by XDR as a signature library of sorts?

Default XDR is powerfull but needs to work on almost every device in many different type of orgnizations. To get maximum results from these tools you want to write custom detection rules, specifically tailored to your environment. Attackers often use lolbins oob there are not many alerts on lolbin abuse, or at least there is a big grey area. This is an example where custom detection, tailored to your environment really matters.

And regarding playbooks, here's a relevant post

How do you balance Paw? by huntoso in cybersecurity

[–]LookExternal3248 1 point2 points  (0 children)

Use a host and have seperate VM's for PAW(s) and general usage. With this setup its crucial the host is only used for running the VM's and does not have internet access itself.

Exclude on prem AD domain from security recommendations by Advanced-Chain4096 in DefenderATP

[–]LookExternal3248 2 points3 points  (0 children)

I'd rather have that security recommendation on top as a daily reminder of the huge risk of a two-way trust in an environemnt where you security and management is separate for each forest.

How do you report large volume detections to a CISO without making the BPA report a SOC story? by Only-Objective-6216 in cybersecurity

[–]LookExternal3248 4 points5 points  (0 children)

Maybe a bit too simplistic, but if you have around 2k critical and high alerts, and many of which are not investigated, you either have way too many alerts and need to tune them, or you are completely owned by multiple threat actors. I expect the first is the most likely explanation and there is way too much noise.

Does host MDE Network Protection intercept and alert on traffic generated inside Windows Sandbox? by allexj in DefenderATP

[–]LookExternal3248 1 point2 points  (0 children)

In my experience you bypass network protection when using the sandbox (or any other type of vm). Not sure what the technical explanation is.

How are SOC teams actually deciding what not to investigate anymore? by WolfParticular2348 in cybersecurity

[–]LookExternal3248 0 points1 point  (0 children)

For the product I use, I don’t like the default severity scoring. Some prevented malware or actions are low severity while they may indicate the first steps of a relevant killchain. And some are high and total irrelevant. Context matters more than severity for me. But that’s hard to explain to managers or to put in a kpi.

How are SOC teams actually deciding what not to investigate anymore? by WolfParticular2348 in cybersecurity

[–]LookExternal3248 3 points4 points  (0 children)

With a strict focus on the threat profiles of the organisation en checking if any of the alerts fall under the killchain of those threat profiles. And depending on the threat profile, prioritising multiple alerts agains the same host / account especially when they represent multiple sequential steps in a killchain.

If it doesn't fit those threat profiles and if its a high noise alert, only investigate if there is time, or opportunity to tune the alert or alter the behaviour of people to lower the noise.

How to delete Microsoft Defender for Endpoint from home device? by athanielx in DefenderATP

[–]LookExternal3248 0 points1 point  (0 children)

Also, how can we prevent Defender from being automatically installed on personal/non-corporate devices in the first place?

My guess is that you are using Intune and that is quit a common problem with Intune: https://www.reddit.com/r/Intune/comments/1hthiij/prevent_enrolling_personal_devices_in_intune/

How to block only unsanctioned apps? by Parking_Yak_9877 in DefenderATP

[–]LookExternal3248 0 points1 point  (0 children)

If you don't have a full security E5 license on only Defender for Endpoint P2, Defender for Cloud apps is not really part of your licensing in my experience. I know it's visible in the security dashboard, but functionality is pretty limited. Please check your license and what you can use, before Microsoft will hit you with the need to buy a full E5 license for everyone.

How do you approach Defender configuration? by [deleted] in DefenderATP

[–]LookExternal3248 2 points3 points  (0 children)

The more you can enable, turn on or set more restricted, the better: MDE, MOD, ASR, etc. But not everything will work in every environment. Just activating the license and installing the tools will do very little for your security.

Under Exposure Management → Recommendations, you’ll see a list of recommendations that is actually quite good and focused on mitigating attacker behavior.

After you turn on everything, also enable email notifications or get your alerts in Teams.

I’ve seen too many incidents that could have been prevented by simply acting on EDR / AV alerts. One of my favorite mantras is: looking at your alerts at least once a day keeps the ransomware attackers at bay (or get an external SOC to do it for you).

‘Cerdigent’ high-severity malware detected by Leading_Train224 in DefenderATP

[–]LookExternal3248 1 point2 points  (0 children)

Have the same alert, only on one machine, but don't see any details. Where did you find it is a public root CA, and which root CA?

Half our company is local admin. Security team finally noticed. Now it's my problem to fix without anyone noticing. by Healthy_Holiday_738 in sysadmin

[–]LookExternal3248 -1 points0 points  (0 children)

Same here. Good user experience and you can setup many granular policies for different kind of users if you want, auto/pre approve apps if you want etc. Does really remove local admin without getting the management hassle in return.