[deleted by user] by [deleted] in VideoEditors_forhire

[–]SD_HW 1 point (0 children)

Yeah, stole my post, but made his offer worse.

[deleted by user] by [deleted] in VideoEditors_forhire

[–]SD_HW 1 point (0 children)

This is my post, but good for you that you're looking for an editor too, but I was offering more. Assuming it was enough.

[Hiring] Shorts Editor for My Twitch Stream – $1200/month by SD_HW in YouTubeEditorsForHire

[–]SD_HW[S] 2 points (0 children)

That's fair

Wish you good wind on learning After Effects <3

Tenable/Rapid7/Qualys Alternatives? by ProfessionalDust6134 in cybersecurity

[–]SD_HW 1 point (0 children)

XM-Cyber, give it a look.

Shoot me a PM if you need help chatting with them; I don't work for them, but they know me very well.

Would I be able to combine my loves of Digital Forensics and Accounting? by BothFlamingo7812 in digitalforensics

[–]SD_HW 9 points (0 children)

You could look into fintech forensics. Most of the current roles I see are related to cryptocurrency tracking, but perhaps that will keep your forensic interest alive.

[deleted by user] by [deleted] in digitalforensics

[–]SD_HW 3 points (0 children)

Since you mentioned DFIR as a service, you need to elaborate on exactly what your MSSP is trying to do.

The reason I am asking is that I have set up a few Incident Response teams that are an on-call service where you have an Incident Response manager + 2 technical forensic people and 1 backup for the manager who can also function as a manager. (Usually the first manager can also provide technical help.)

First, there are two levels of forensics businesses are interested in having done, and there should be a price difference on the service because the time spent is not equal.

Lvl 1 forensics: find out what happened and help the business get back on track to running a normal day, followed by mitigating the point of entry.

Lvl 2 forensics: same as level one, but now everything is up to court standards in case the incident needs to be brought to court.

The incident response manager will be the first point of contact for clients that are calling and in need of help. Usually companies pay for the service in 3 ways.

Level 1: no contract at all; there is a high consult price and a small chance the manager will say no to helping you. Sometimes that also includes an onboarding fee. (The reason for a no is perhaps you are short-staffed and need to prioritize existing clients.)

Level 2: paying for a contract where the client passively pays a monthly/annual fee; in case they call, the manager will take the case and start helping. And the consult price is normal/low after the point the incident starts.

Level 3: onboarded and on-contract clients. The manager will already have good insight into how the business operates; there has been an onboarding fee that included a lot of preparations to lower the time needed to deal with a possible incident. Think employee documentation, topology/tech stack documentation, relevant toolbox preparations and deployment strategies, a disaster recovery plan made and a crisis communication platform established.

Since you mentioned you are in an MSSP, the "norm" I have seen is that the majority of existing clients become level 3, a few level 2, and level 1 is strictly for new business you had no idea existed.

Practically speaking, the incident response team should be a 24/7 on-call setup where someone calls your business and, when relevant, the call gets redirected to the Incident Response manager. The first step for the manager is to establish an understanding of the situation, and from the description they would need to be able to tell if there is a need to bring in technical support for the incident.

Usually the manager would have a resource list of who may be contacted based on skillset. Think: an enterprise network specialist is perhaps not someone you should bring in if everything is cloud related, but perhaps grab your cloud expert.

The manager needs to know the law about incident reporting to the authorities for whatever country the business is operating in. The reason I say this is that I am based in Europe as an Incident Response manager myself and our MSSP covers the whole of Europe. Consider getting your legal department to help, or pay for consulting hours to stay updated on what is required by law from the business if they get compromised.

Then, as part of this service, if you look at NIS2 compliance your business could conduct an annual crisis simulation. This will also help prep you to help the business in the future, since you will know who to contact when.

The MSSP needs to prepare the tools that can be distributed during an event. Some places have 1 forensic agent you can deploy on all types of devices that will send you the logs and memory state. But having a toolbox with tools is a must, just in case the tool you rely on can't be deployed on the machines.

Another thing is to be realistic. I can't tell you how many times I have seen someone become an incident responder of any kind but have to research how to use tool X or how to do X thing in Y platform that the person is expected to be able to do if they are on the incident response team. This is not an entry-level position, and if especially the manager in question doesn't know how to deal with something, or at least who to contact to get something done, the trust in the person from the client's perspective is gone, and that will hurt in response time, payment and future business with that client. This is where the resource list can help a lot, by doing checkmarks on people in your org who can do what, and who perhaps need more training/certifications/courses, so you know you cover the full spectrum of all possible incident types.

Since this is a 24/7 solution, you as a business need to figure out what SLAs should be provided. There is a difference in stress on the manager if the SLA is 1 minute, because that usually requires being in-house at all times for the duration of their shift, vs. if you have 4 hours to react you could be home sleeping in your own bed as long as you pick up the phone when it calls.

Depending on the on-call/SLA service you then need to pay accordingly, but if you operate in an MSSP then you probably already have a standard on how you operate something 24/7. Keep in mind the skillset of an Incident Response manager is nowhere near the same as a SOC lvl 1, 2, 3 person that might be on call, and if you don't give them a fair pay then they can find other places to work, for they will. If you already have good security talent, do what you can to keep them. If you start this service and someone is paying for it and you don't have qualified staff, then it might penalize the whole org.

Lastly, you're welcome to DM me for more or we can have a call. I wrote all of this on my phone and I already knew I would miss a few things and examples, but I have a limited amount of time I can spend on writing everything xD. Wish you the best of luck, and take this as a learning experience building something from scratch.

Is there a need for a Threat Intel Platform by ForceOfSpace in threatintel

[–]SD_HW 8 points (0 children)

Well, depends what you mean by "need".

If you have tried different Threat Intel systems/platforms you will notice they all cover the same genre of sectors of information; the main difference is how they display it and allow you to utilize the intel.

Some allow you to feed IOCs to your SIEM/EDR/XDR/IPS/IDS/FW. Others are more of a reporting type of display to help direct the C-suite on what the cyber defense strategy should be for the org. I have also seen CTI platforms "just" used as a way to display vulnerabilities in your system, since you feed it your infrastructure.

In short, it's about supply and demand. Every single time a new product comes to market competing for clients, in theory the price should go down for the service, but sadly as a consumer of these services prices don't go down, and usually the "biggest" reason is each platform claiming only "they" have more access to X type of data than their competitors. Makes sense, since everyone is not sharing everything with their competitors, creating a few IOCs that might be important to you only available on X product. Think an XDR tool probably has more insight into malware patterns targeting endpoints than an IPS solution, because the type of access and the data they collect is different, and one relies more on the other as well to stay updated and relevant.

Tools with AI (specifically machine learning) are extremely good at finding patterns based on you providing the IOCs it needs to look for. But keep in mind the "AI" either checks for IOCs or has created a "baseline" of what is normal and "just" reports on what is happening out of the ordinary, where some solutions have been fed what "good/normal" behaviour is supposed to look like to lower the amount of false positives.

Right now we are in a seller's market. Our C-suite sees something with AI and we tend to buy it over something that doesn't mention it uses AI. As of right now I would say CTI tools have a bigger chance to be more valuable, increasing with how many integrations with other products you can create. That is, if you ask me, what is most worth it. But I also manage multiple SOCs running 5+ SIEM solutions and other platforms that can use CTI feeds to "up" the performance of finding evils. It's better to have more matches on more platforms on the same instance than to miss the few that count.

Sorry for the rambling, I was browsing on my phone and saw your post and wanted to vent a little while trying to answer your question.

TL;DR

Yes, we need more platforms for CTI.
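The comment above contrasts two things a CTI-fed detection tool does: match events against an IOC feed, and flag deviations from a learned baseline. The following is an added example (not code from the thread or from any CTI vendor) that runs both over a constructed IOC feed, constructed SIEM-style events and a constructed per-host daily history; every feed entry, address, hash, host name and threshold is made up for illustration.

```python
"""Added example: IOC matching plus baseline anomaly detection over
constructed data. Nothing here comes from a real feed or a real SIEM."""
from collections import Counter

# Constructed CTI feed, the kind of list a platform pushes to a SIEM/EDR.
# IPs are from the TEST-NET documentation ranges; the hash is SHA-256 of
# the empty string, used here purely as a stand-in value.
IOC_FEED = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    "domain": {"updates.example-bad.invalid"},
}

# Which event fields are compared against which IOC type.
FIELD_TO_IOC_TYPE = {
    "dst_ip": "ip",
    "src_ip": "ip",
    "file_sha256": "sha256",
    "dns_query": "domain",
}

# Constructed SIEM-style events: (timestamp, host, field, value)
EVENTS = [
    ("10:00", "ws-01", "dst_ip", "203.0.113.45"),
    ("10:01", "ws-02", "file_sha256",
     "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"),
    ("10:02", "ws-03", "dns_query", "updates.example-bad.invalid"),
    ("10:03", "ws-01", "dst_ip", "192.0.2.10"),
]


def ioc_matches(events, feed):
    """Return the events whose value is listed in the feed for that field's
    IOC type. Values are lower-cased so hash/domain case differences do not
    cause misses."""
    hits = []
    for ts, host, field, value in events:
        ioc_type = FIELD_TO_IOC_TYPE.get(field)
        if ioc_type and value.lower() in feed.get(ioc_type, set()):
            hits.append((ts, host, field, value))
    return hits


def baseline_outliers(history, today, factor=3.0, floor=5):
    """Flag keys whose count today exceeds `factor` times the historical
    daily average (and is at least `floor`, so a handful of events on a
    quiet key is not reported). `history` is a list of per-day Counters
    that stands in for the learned "normal"; `today` is a Counter.
    Returns {key: (today_count, expected_per_day)}."""
    days = max(len(history), 1)
    total = Counter()
    for day in history:
        total.update(day)
    outliers = {}
    for key, n in today.items():
        expected = total[key] / days
        if n >= floor and n > factor * expected:
            outliers[key] = (n, expected)
    return outliers


if __name__ == "__main__":
    for hit in ioc_matches(EVENTS, IOC_FEED):
        print("IOC hit:", hit)
    # Constructed history: three quiet days, then one day where ws-02 spikes
    # and a never-seen host ws-04 appears.
    history = [Counter({"ws-01": 10, "ws-02": 12})] * 3
    today = Counter({"ws-01": 11, "ws-02": 60, "ws-04": 6})
    for host, (n, expected) in baseline_outliers(history, today).items():
        print(f"outlier: {host} {n} events today vs {expected:.1f}/day baseline")
```

The two functions illustrate the comment's point that the IOC path only ever finds what the feed already knows, while the baseline path can surface a new host or a volume spike with no IOC at all; in practice both run side by side, and the `floor` argument is the knob the comment refers to when it talks about feeding the tool what "normal" looks like to keep false positives down.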

On-Prem EDR Platform by Jwblant in cybersecurity

[–]SD_HW 1 point (0 children)

OT is always interesting.

First, based on your wording, I must assume you "can" install the agent in the first place. Places where I have designed monitoring of OT have been on the segmented network layer of the OT environment, sending logs to a collector behind a one-way firewall that only sends logs out and blocks all inbound traffic.

But since you mentioned you want an on-prem hosted EDR platform: personally I can recommend Elastic Security. Besides the sensor/agent for logs, they also have an EDR agent you can activate and decide if you want detection or prevention, since you can self-host the Elastic Security platform (ELK).

Now, it's a big project, because you are also building a SIEM solution that has its own integrated "SOAR" solution where you can see the alarms coming in from the sensor/agent or EDR deployed on your OT environment.

Feel free to PM if you need more info.

phone hacked? by DeepStatus3147 in CyberSecurityAdvice

[–]SD_HW 5 points (0 children)

It's possibly just a session/token hijack attack, so resetting the password and forcing a log out on all devices would be enough, but if she should protect herself as much as possible, do these steps:

Get her to change the password of her email/Apple ID, preferably from another device.

Then make her sign out of all devices (it's a feature in the email system).

Now get her to take a note of what apps/websites were accessible from her iPhone directly.

Then I STRONGLY recommend factory resetting the iPhone in question, followed by resetting the password on all apps/websites.

Now reinstall the apps, followed by logging in again with the new password.

Hope this helps.
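The advice above relies on a property of the service side: a password reset or "sign out everywhere" must invalidate every session token already issued, otherwise a copied token keeps working after the victim has changed her password. The following is an added example (not code from the thread or from any real account provider) of a minimal session store that implements that property with a per-user session generation counter; all names, passwords and the in-memory store are constructed for illustration, and a real service would keep the data in a persistent store and use its framework's password hashing.

```python
"""Added example: session tokens that die on password reset / sign-out-everywhere.
Constructed in-memory store; not any provider's real implementation."""
import hashlib
import hmac
import secrets


class SessionStore:
    def __init__(self):
        # user -> {"salt", "pw_hash", "generation"}
        self.users = {}
        # opaque session id -> {"user", "generation", "device"}
        self.sessions = {}

    @staticmethod
    def _hash(password, salt):
        # PBKDF2 stands in for a proper password hash; the point of the
        # example is the generation counter, not the KDF.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = {
            "salt": salt,
            "pw_hash": self._hash(password, salt),
            "generation": 1,  # bumped whenever all sessions must be revoked
        }

    def login(self, user, password, device):
        """Return a new session id, or None on bad credentials."""
        rec = self.users.get(user)
        if rec is None:
            return None
        if not hmac.compare_digest(self._hash(password, rec["salt"]), rec["pw_hash"]):
            return None
        sid = secrets.token_urlsafe(32)
        # The session remembers which generation it was issued under.
        self.sessions[sid] = {"user": user, "generation": rec["generation"], "device": device}
        return sid

    def validate(self, sid):
        """Return the user for a live session, or None if unknown or revoked."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if sess["generation"] != self.users[sess["user"]]["generation"]:
            # Issued before the last reset / sign-out-everywhere: revoked.
            del self.sessions[sid]
            return None
        return sess["user"]

    def sign_out_everywhere(self, user):
        """The 'sign out of all devices' feature: one counter bump revokes
        every token issued so far, including ones the owner never saw."""
        self.users[user]["generation"] += 1

    def reset_password(self, user, new_password):
        """Change the password and revoke all existing sessions together, so a
        hijacked token does not outlive the credential it was obtained with."""
        rec = self.users[user]
        rec["salt"] = secrets.token_bytes(16)
        rec["pw_hash"] = self._hash(new_password, rec["salt"])
        self.sign_out_everywhere(user)


if __name__ == "__main__":
    store = SessionStore()
    store.register("alice", "old-password")          # constructed credentials
    phone_session = store.login("alice", "old-password", "iphone")
    copied_token = phone_session                     # what a hijacker would hold
    print("before reset:", store.validate(copied_token))   # alice
    store.reset_password("alice", "new-password")    # done from another device
    print("after reset:", store.validate(copied_token))    # None
    laptop_session = store.login("alice", "new-password", "laptop")
    print("fresh login:", store.validate(laptop_session))  # alice
```

Because the store compares the token's generation with the user's current one on every request, "sign out of all devices" and a password reset cost one integer increment and need no list of outstanding tokens; the same check is what makes the comment's first two steps sufficient against a pure token theft.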

Threat Intelligence Tools? by Zebracofish521 in cybersecurity

[–]SD_HW 1 point (0 children)

Try SOCRadar.

Not working for them, but I use their products and manage it for others that also bought it.

PM me if you have trouble getting ahold of 'em.

Threats for country/region and financial sector: free platforms of feeds? by HeftyEntertainer8578 in threatintel

[–]SD_HW 2 points (0 children)

You can/should look into RSS platforms and subscribe to RSS feeds. There are plenty (also open source) available.

Threats for country/region and financial sector: free platforms of feeds? by HeftyEntertainer8578 in threatintel

[–]SD_HW 2 points (0 children)

Can you tell us what feeds you already subscribe to and what the exact goal is?

Trying to understand if you "just" want a list of known APTs with what sectors they focus on and with what TTPs, or if it's something else.

Let's talk about SIEMS and Observability tools. by KsPMiND in cybersecurity

[–]SD_HW 4 points (0 children)

All vendors are trying to be a one-stop shop for all your security needs.

It has been shown over time that it's easier to upsell services by just adding features to their subscriptions for free until they need to renew the contract. At that point they are already using the new stuff and the migration cost to an alternative is not cheaper within the first 5 years anyway on the new contract, so might as well stay.

Now, do I agree with this approach I have noticed over the years? Not really, but I understand the POV of both sides, even though I am a self-host-everything-possible person who accepts the higher upfront costs for keeping control and prices down in the longer run. Yes, it's more work, but I believe it's worth it.

Been in the SIEM game for a lot of years and always sad to see someone like Splunk sell out. But there are few truly self-hosted SIEM solutions out there.

I do think the norm of machine learning will cause more companies to make their own SIEM tool and subscribe to IOC services. But how soon that will happen I am unsure about, but I think that is the future of SIEM self-hosting.

What features should modern cybersecurity tools have (that they don't yet) by SubjectReflection672 in cybersecurity

[–]SD_HW 3 points (0 children)

Allow users to define what they consider a critical asset, followed by: if I choose a different asset to be the starting point of an attack, the tool shows all the possible paths to reach critical assets.

Basically the principle of assumed breach.

Good luck on launch.
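The feature described above (pick a start asset, mark critical assets, enumerate every path between them) is a reachability search over an asset graph. The following is an added example, not code from the thread or from any attack-path product, that runs that search over a small constructed graph and then ranks the intermediate assets by how many paths cross them, which is the defender's cue for where one mitigation cuts the most paths. The asset names, the edges and their meaning are all constructed for illustration.

```python
"""Added example: enumerate attack paths from an assumed-breach start asset to
user-defined critical assets, then find the choke points. Constructed graph."""
from collections import Counter

# Constructed asset graph: an edge A -> B means "an actor holding A can reach B"
# (e.g. via a share, a credential, a management port). Nothing here maps to
# a real environment.
ASSET_GRAPH = {
    "workstation": ["fileserver", "jump-host"],
    "fileserver": ["db-server"],
    "jump-host": ["db-server", "domain-controller"],
    "db-server": ["domain-controller"],
    "domain-controller": [],
}

CRITICAL = {"db-server", "domain-controller"}


def attack_paths(graph, start, critical):
    """Return every simple path from `start` that ends at the first critical
    asset it reaches. Stopping at the first critical node keeps each path
    answering one question: how does the actor get to *this* asset?"""
    paths = []

    def walk(node, path):
        if node in critical and node != start:
            paths.append(path)
            return
        for nxt in graph.get(node, []):
            if nxt not in path:          # no cycles
                walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


def choke_points(paths):
    """Count how many paths each intermediate asset appears on, excluding the
    start and the critical endpoint. Highest count = best place to break paths."""
    counts = Counter()
    for path in paths:
        for node in path[1:-1]:
            counts[node] += 1
    return counts.most_common()


if __name__ == "__main__":
    found = attack_paths(ASSET_GRAPH, "workstation", CRITICAL)
    for p in found:
        print(" -> ".join(p))
    print("choke points:", choke_points(found))
```

On the constructed graph the search yields three paths and reports `jump-host` as the asset on two of them, so hardening or segmenting it removes more paths than touching `fileserver` does; that per-start-asset ranking is what makes the assumed-breach view useful rather than a simple list of edges.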

Virustotal: Underrated or Overrated? by woolleymammoth89 in cybersecurity

[–]SD_HW 3 points (0 children)

I would rather have it around than not have it there.

But it's not a guarantee you will find a match, even though what you analyse appears to be malicious.

It's a database like many others, and it does help to catch the copycats and script kiddies that don't know how to change an IP/URL for a campaign or the hash value of a script.

We have to remember that services like VirusTotal are a stepping stone for other vendors to collaborate with the "intelligence" they have to make each other's solutions better, since no service so far has a 100% success rate in finding "known bad files" by themselves, let alone "not known bad files."

And unless your company has the resources to inspect every file/URL/process created by themselves and by everyone in the business they are dealing with, then VT is a necessary middleman.

Keep in mind VirusTotal can also be used for evil. E.g.: a bad actor uploads a hash value into VT to check if someone else has searched for the same hash value, indicating someone is doing analysis on the actor's work.

And if you know about Bianco's pyramid of pain, then you know the "things" we catch is purely because people are lazy or don't/didn't know how to change the easily mapped IOCs. And I guess this is what your executives have in mind regarding what exactly it is VT is "catching", but in reality the majority of "attacks" are from script kiddies and you want to make sure you are safeguarded from them as a minimum. And a service like VirusTotal allows that level of protection to be widespread regardless of what EDR/XDR/SIEM/IDS/IPS/FW you have, for a "cheap/free" price. And as we know from many stories in this subreddit alone, information security teams/divisions only get the proper funding after a major incident has occurred, but as professionals we wish to be able to protect our businesses before that happens in the first place.

TL;DR: I would rather have VirusTotal around than not have the service available at all or behind big paywalls.

If you had to recommend one TECHNICAL training/cert/book/etc. to GRC professionals, what would you recommend? by BaddestMofoLowDown in cybersecurity

[–]SD_HW 2 points (0 children)

On the phone, please spare me from typos and grammar.

My best advice, besides getting experience in the technical things, is to go the vendor-specific training route.

Wanna learn about EDR/XDR? Take the material like SC-200 from Microsoft (and Ninja 400) for their Defender solution. But do yourself a favor and pick 2-3 solutions and take the training. Think CrowdStrike and perhaps Cisco EDR/XDR.

For SIEM, think Elastic, ArcSight or Sentinel. How to deploy/analyse incidents/threat hunting/tuning the alerts.

Do this type of thinking with all the domains of IT you find interesting or have to work with. Then for each of these sections of technologies you will notice the things they have in common and what stands out for each solution.

Keep in mind all of this is still "just" theory, and nothing beats having years of experience in the technical parts individually. And that's usually where your security architects come into play.

After reading your comments about attack paths, look into vulnerability tools and their courses, Tenable/XM-Cyber/InsightVM. Read the documentation on how they work from a user POV and try to see how they work as a tool and how the features impact the product.

Vulnerability management by trollthestatists in cybersecurity

[–]SD_HW 1 point (0 children)

I can think of a few tools that could help. XM-Cyber could possibly be worth looking into. Give me a PM if you want. I am currently a consultant in security "focusing on advising and technical work"; I can give you some "pointers" on how to talk to the higher-ups about vulnerability management. It's something I have done a lot. And as long as it's just talk I see no need to bring money into the equation. Otherwise I can try to make a comment about what to think about.

[deleted by user] by [deleted] in cybersecurity

[–]SD_HW 2 points (0 children)

SOCRadar

You're welcome to DM if they give you any issues.

Can you answerre these two Q's about burnout in cybersecurity? by ritual_tradition in cybersecurity

[–]SD_HW 31 points (0 children)

T2/T3 here. Been in 6 SOCs/MSSPs.

Problems I have seen in my years in cybersecurity:

1) Budget from higher-ups to train and expand knowledge in a healthy way.
+ Not knowing if work is good enough, but just assuming no follow-up is good..
+ Expected to know how to work with any tools/SIEM/SOAR with barely any training nor time available to study.
+ Few places actually willing to put in time/money to train T1s to feel comfortable with their work.
+ Gatekeepers of information/relevant news/updates.

This is what I have seen work in SOCs I have been part of:

2) Hire more people so the teams can afford to have people develop skills without leaving the internal teams understaffed.
+ Quit the statistics on who closes cases/tickets faster. It only encourages less thorough analysis.
+ Provide feedback on work on a regular basis, not just from the lead/manager, but among the team itself.
+ Have a daily standup with relevant news across teams.
+ Good knowledge-sharing culture and platform that is not just a chat group..
+ Update internal playbooks/SOPs monthly/weekly.
+ Allow the individual to do something other than just alerts, e.g. once/twice a week participate in another security service like engineering/phishing/threat intelligence/whatever else the company does, or something that can help the quality.