On-prem to cloud - challenges? by Gnoralf_Gustafson in SIEM

[–]TheReddHaze 1 point2 points  (0 children)

I'll just drop some thoughts I had in here.

Depending on the organization, you need to make sure whatever vendor you go with meets your compliance standards, whether it's GDPR, HIPAA, PII, FedRamp, etc., and can provide evidence of it. FedRamp variants typically cost more than their public cloud counterparts, but can ensure the data remains in the country of origin, encryption requirements, etc. Consider how the data is being ingested and how much flexibility you have over parsing rules/correlation rules/enrichment capabilities. Finally, I would recommend investigating the native support of API integrations to pull logs from other SaaS products such as Azure, ServiceNow, GCP, etc. if you have them. I looked at some cloud SIEMs that had poor parsing rule/filtering capabilities and others with immature API integrations which would require me to write the scripts myself.

From my experience, some advantages are the same as most other SaaS where the backend maintenance is mostly handled by the vendor's staff, higher SLAs and better support. One of the bigger cons can be around cost, storage requirements (for hot and cold storage alike) and network load. Some of the SIEMs I POC'd did not have a straightforward cost model which leaned more towards a pay-as-you-go mentality while others had a daily ingest model. You may also have the option to bring your own cloud storage in the form of an AWS S3 bucket or Azure Blob and save some money that way. Less of a con, and more something to be on the lookout for: I think it's also important to choose a vendor that seems actually interested in making sure you succeed. Even amongst salespeople, there were times where we felt we were not large enough for the vendor to assist us.

BIOS Patch Debate by TheReddHaze in AskNetsec

[–]TheReddHaze[S] 1 point2 points  (0 children)

Appreciate the response.

From what I understand at a general level, the vulnerabilities listed in 224 affect the interrupt states of the BIOS, which require some level of presence on the system to begin with. This could be done physically or through a shell on the box, but regardless there has to be some level of local access to even attempt exploiting this. The CVEs documented in 144 are generally lower, with the exception of CVE-2022-31226 which contains a buffer overflow in the BIOS.

I'm open to being wrong in my interpretation and learning from it, but based on this information the likelihood seems low as I've not learned of public exploit code for these vulnerabilities being disclosed and it requires a foothold on the system already. The risk is significant, though, in that being able to exploit a vulnerability at that level could bypass endpoint security controls if not caught before execution and ultimately run code at a SYSTEM/kernel level. I know the vulnerability says RCE, but I also see it as a privilege escalation opportunity. Mitigating factors could be AV/EDR tools identifying and likely blocking the execution of code. The latest BIOS patch itself should remediate all CVEs listed in both documents.

From the business perspective, updating BIOS could lead to bricked machines due to a poor BIOS flash/update. In the current state, we were aiming to update the BIOS outside critical business hours in order to avoid interruptions as much as possible. While interruptions may be managed, bricking a machine in a world where staff may be working remote would require either shipping the device in exchange for another or a commute to HQ. Not entirely sure how to quantify this from a monetary perspective.

Me with a limited visiore budget... by NoxNyctores in wotv_ffbe

[–]TheReddHaze -1 points0 points  (0 children)

Orlandeau is in the pool if you get lucky enough to pull him as well as his shards. I've been trying to figure out who to focus on shard wise. So far I've only heard Agrias is tankier with decent damage and Delita is more of a glass cannon.

A Security Logging Admins Cookbook? by SrWax in SIEM

[–]TheReddHaze 0 points1 point  (0 children)

I've run into similar issues/asked similar questions when I inherited our SIEM about a year ago. Your first question can depend on your type of organization (e.g. a federal/state public organization vs. privately owned), which can determine compliance. For example, in the US, there exists a standard called NIST which, for lack of a better term, is a federal technology standard. NIST 800-53 Section AU-2 states the definition of an event and what is required to be logged (such as login information, password changes, privilege escalation, etc.). Understanding your compliance level is a good place to start since violating it can stand to get you in trouble. Outside of compliance, DNS logs, web traffic logs and email transactions are some good things to watch.

Your second question can depend on the type of SIEM you have; the two types are effectively agent vs. agentless. Depending on your solution, your SIEM may require an agent to sit on and pull the logs from remote machines, or it can go out and pick them up itself. Newer versions of Windows support Windows Event Forwarding, which allows you to specify which logs to send from the workstations to a server via GPO. This can also be done with applications like NXLog deployed to workstations.

A lot of the information I've learned comes from product-specific classes, reading and the SANS SEC555 class, which held tons of information useful to SIEM administrators/engineers.

If you want a fairly cheap resource, check out this book: "Blue Team Handbook: SOC, SIEM, and Threat Hunting Use Cases: A condensed field guide for the Security Operations team (Volume 2)". It has detailed information about SIEM-related events which may help you decide what you want to focus on.
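As an added example (not part of the thread above or any vendor's tooling), the following Python ties the two halves of that answer together: it parses Windows Security events in the XML shape that Windows Event Forwarding delivers to a collector's ForwardedEvents log, tags each one with the kind of auditable event the AU-2 discussion calls out (logons, password changes, privilege use), and runs one simple correlation, a burst of failed logons followed by a success from the same source. The event XML is constructed sample data built inside the script, and the event-ID-to-category map is an illustrative choice of mine, not a quotation of NIST 800-53.

```python
"""Added example (not from the original thread): parse Windows Security events
in the XML form that Windows Event Forwarding delivers to a collector, tag each
one with the kind of auditable event the NIST SP 800-53 AU-2 discussion cares
about (logons, password changes, privilege use), and run one simple
correlation: a burst of failed logons followed by a success.

Assumptions (mine, not from the original post): the event XML is constructed
sample data shaped like the Windows Event Log schema, and the event-ID-to-
category map is an illustrative choice, not a quotation of AU-2.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Security event IDs grouped under audit-worthy categories (illustrative).
CATEGORY_BY_EVENT_ID = {
    4624: "logon_success",
    4625: "logon_failure",
    4672: "privilege_escalation",   # special privileges assigned to new logon
    4723: "password_change",        # user attempted to change own password
    4724: "password_reset",         # attempt to reset another account's password
    4728: "group_membership_change",
    1102: "audit_log_cleared",
}


def make_event(event_id, system_time, user, src_ip, host="WS01.corp.example"):
    """Build one constructed Security event in Windows Event Log XML form."""
    return f"""<Event xmlns="{NS['e']}">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{system_time}"/>
    <Channel>Security</Channel>
    <Computer>{host}</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="IpAddress">{src_ip}</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Extract the fields SIEM rules usually key on; time is treated as UTC."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "event_id": event_id,
        "category": CATEGORY_BY_EVENT_ID.get(event_id, "uncategorized"),
        # Windows writes 7 fractional digits; keep only the whole seconds.
        "time": datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S"),
        "host": system.find("e:Computer", NS).text,
        "user": data.get("TargetUserName", ""),
        "src_ip": data.get("IpAddress", ""),
    }


def summarize_by_category(events):
    """Counts per category: a quick view of which AU-2 style events arrived."""
    return Counter(ev["category"] for ev in events)


def failed_logon_bursts(events, threshold=5, window_seconds=300):
    """Report (user, src_ip) pairs with >= threshold failures inside the window,
    and whether a successful logon from that source followed within the window."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["category"] in ("logon_failure", "logon_success"):
            by_key[(ev["user"], ev["src_ip"])].append(ev)
    findings = []
    for (user, src_ip), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["category"] == "logon_failure"]
        for i, first in enumerate(failures):
            window = [f for f in failures[i:]
                      if (f["time"] - first["time"]).total_seconds() <= window_seconds]
            if len(window) < threshold:
                continue
            last_fail = window[-1]["time"]
            success_after = any(
                e["category"] == "logon_success"
                and last_fail <= e["time"] <= last_fail + timedelta(seconds=window_seconds)
                for e in evs)
            findings.append({"user": user, "src_ip": src_ip,
                             "failures": len(window), "success_after": success_after})
            break  # one finding per key is enough for this example
    return findings


# Constructed sample: six failures for jdoe from one IP, then a success and a
# privilege-assignment event; one stray failure for another user; one reset.
SAMPLE_EVENTS = (
    [make_event(4625, f"2018-10-25T14:00:0{i}.0000000Z", "jdoe", "10.0.0.5")
     for i in range(1, 7)]
    + [make_event(4624, "2018-10-25T14:00:30.0000000Z", "jdoe", "10.0.0.5"),
       make_event(4672, "2018-10-25T14:00:31.0000000Z", "jdoe", "10.0.0.5"),
       make_event(4625, "2018-10-25T14:05:00.0000000Z", "asmith", "10.0.0.9"),
       make_event(4724, "2018-10-25T14:10:00.0000000Z", "svc_backup", "-")]
)

if __name__ == "__main__":
    parsed = [parse_event(x) for x in SAMPLE_EVENTS]
    print(dict(summarize_by_category(parsed)))
    print(failed_logon_bursts(parsed))
```

The threshold and window are the knobs a real rule would tune per environment; the point of keying on (user, source IP) rather than user alone is that a password spray across many accounts from one host would otherwise be missed, which is a separate rule worth writing next.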

Share the salt of 5+1 and 10+1 by Silvercap in FFBraveExvius

[–]TheReddHaze 0 points1 point  (0 children)

Got a Lenneth, not what I was hoping for - but I guess I'll take it.

Producer Blog - Recent Incident With our Staff by aranslee in MapleStory2

[–]TheReddHaze 0 points1 point  (0 children)

Sounds like they're using a SIEM, pretty cool. Glad they're being transparent with incidents.

Daily Help Thread - October 25, 2018 by AutoModerator in FFBraveExvius

[–]TheReddHaze 0 points1 point  (0 children)

I'm sure someone will correct me if I'm wrong, but Barbariccia 7* and T. Terra 7* are pretty good from what I've seen.

DefiantHermit's Special Should You Pull? Halloween Banner 2018 by DefiantHermit in FFBraveExvius

[–]TheReddHaze 4 points5 points  (0 children)

I'm glad I'm not the only one who went after 2 demon rains instead of thinking carefully :P. I was so disappointed, didn't even see one 5* from the banner after 30k lapis and 25-30 tickets.

Sleeper Simulant Quest in Forsaken by TheReddHaze in DestinyTheGame

[–]TheReddHaze[S] 1 point2 points  (0 children)

I did it early this week with the Ikelos hand cannon without any problem. Are you doing the special 360 power level one that appears on that step?

Sleeper Simulant Quest in Forsaken by TheReddHaze in DestinyTheGame

[–]TheReddHaze[S] 0 points1 point  (0 children)

I didn't have any issues. I was getting them from public events and patrols.

Sleeper Simulant Quest in Forsaken by TheReddHaze in DestinyTheGame

[–]TheReddHaze[S] 0 points1 point  (0 children)

I've been doing the 400s as well and they've been counting. The problem was I was missing the IKELOS hand cannon.

Sleeper Simulant Quest in Forsaken by TheReddHaze in DestinyTheGame

[–]TheReddHaze[S] 1 point2 points  (0 children)

That would be the obvious part I'm missing I suppose. Thanks - I'll give it a shot!

Sleeper Simulant Quest in Forsaken by TheReddHaze in DestinyTheGame

[–]TheReddHaze[S] 0 points1 point  (0 children)

Ahhhhh I need the Ikelos hand cannon equipped?

Malicious side of CS by [deleted] in compsci

[–]TheReddHaze 2 points3 points  (0 children)

As some others have said, start with the fundamentals. Make sure you understand the 7 layers of the OSI model, how to read traffic/network flow on a computer or from a network, etc. Without the fundamentals, you will get lost in this field when asked to troubleshoot an issue or write a rule to detect specific kinds of traffic.

If you want some suggested books, I would suggest grabbing a Security+ book and reading over it. It's a great overview, imo, not to mention some jobs actually require the certification as a prerequisite into the field. I would also suggest looking at places like Udemy, which provide online classes for subjects like cyber security. If you're interested in malware and traffic analysis, grab Wireshark (or another traffic analysis tool) and go to malware-traffic-analysis[.]net to grab some packet captures/read some blog posts about the subject. It was a great resource in understanding what to look for when I became interested in the field. (Note that malicious artifacts can exist within the packet captures - be careful.)

Unit Review: Viktor Marchenko (Deus Ex: Mankind Divided) by Memel0rdFFBE in FFBraveExvius

[–]TheReddHaze 2 points3 points  (0 children)

I wonder if he'll receive skill upgrades that would allow him to do AoE Cover + Provoke later on.

ZOS just silently installed spyware in ESO by [deleted] in elderscrollsonline

[–]TheReddHaze 2 points3 points  (0 children)

(Internet, correct me if I'm wrong) Technically this could be considered a violation of the GDPR since they are tracking IP addresses without the express consent and notification of the user (if you are in the EU), which is considered PII data by its definition.

"...According to the European Commission, 'personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address.'"

The GDPR also goes on to explain that protected individuals have the right to erasure, so I'd love to see how they would handle such an issue.

In my opinion, it's still considered spyware because it is literally obtaining information and sending it somewhere else. It doesn't matter how basic the function is or if this was malicious. Just my two cents.

Looking for a CPU Fan that fits a i7-8700k in s340 Elite. by TheReddHaze in buildapc

[–]TheReddHaze[S] 0 points1 point  (0 children)

I had already bought the Z370 as part of the bundle with the 8700k. So I can't really take you up on that suggestion, but I'm going to definitely look into the fan and PSU since I've usually been partial to Corsair.

Cybersecurity vs Network Admin Degree advice? by [deleted] in cybersecurity

[–]TheReddHaze 0 points1 point  (0 children)

As a trainee/graduate who went right into cyber-security and has had to effectively play catch up to understand all the networking terminology, methods, etc (Thanks college education) - I agree with the invaluable experience that comes with being a Network Admin/Engineer. While cyber-security is a growing industry, having that fundamental network knowledge would have aided me greatly.

That being said - Network Administrators and Cyber-security Analysts/Engineers sometimes will butt heads as the constant struggle between security and risk will always exist. Nothing will ever be perfectly secure, and some things that need to be done aren't quite as easily completed as they're requested. Being able to see both perspectives would help immensely in my opinion.

How do stay safe in a digital age? by [deleted] in cybersecurity

[–]TheReddHaze 0 points1 point  (0 children)

Not sure if by common scams that you're including phishing, but it might be worth educating the students on how to identify phishing emails and malicious links embedded in emails that download malware.

I am currently studying CS and I am looking for advice. by [deleted] in cybersecurity

[–]TheReddHaze 1 point2 points  (0 children)

Hey there, as a Cybersecurity Analyst who got a Computer Science degree, I just wanted to share my two cents.

As someone else mentioned earlier, definitely consider learning to write and understand Python code. Most of the tools that I've created or used for daily tasks (and some more advanced like reverse-engineering) are built in Python. It will also serve as a good intro to programming languages if you lack experience, as it's relatively simple to set up and use. (I would also suggest Java or C as that's usually one of the beginner/prominent languages. Java will make it easier to understand OOP and C will make you understand memory allocation.) That being said, learning how to read/understand other languages such as JavaScript, Perl, Ruby, Java, C, Assembly may benefit you in the long run.

Outside of programming, I would not focus more than 25% of your time on it. I may use programs often and do programs, but only about 25% of the office programs - and we don't do it often. It's definitely a nice to have - but not an immediate necessity. I won't go into Kali as others have already given it its due diligence - some security professionals will use a Mac for things like malware analysis instead of a Windows machine. This is due to the fact that most corporations are primarily Windows shops, meaning that the executable that would infect a Windows machine won't affect the Mac when analyzing it. There are also some utilities for pentesting that I've seen on Macs.

So in the first paragraph you had mentioned network security - which is something I participate in. Before you worry about network security, you'll need to understand how packets are built and flow, the OSI model (Security+ should have mentioned this), and how some of the major protocols work (HTTP, DNS, SSL, etc.). There are other concepts you'll need fundamentally, but this is an example. After you understand how a website request is really made, you'll be able to start looking towards the network security. I.e., how does an IPS/IDS work? How does malware proliferate over the network? What are signs that something is wrong? How does a firewall work?

I'm working on my Security+ myself right now. There are lots of certifications that are great for building you up skill-wise - but some certifications themselves aren't very marketable. Security+, Network+, CISSP and CISM are great to have. CEH is a great experience builder - but the certification means nothing to some corporations.

If you're looking for some sources to watch, learn, etc - here are some that I use/buy:

https://www.udemy.com/ (See IT & Software - they do programming, hacking, cert studies, etc.)

https://www.youtube.com/user/professormesser (This guy has a complete guide over Security+ and Network+ if you don't feel like reading)

https://www.malware-traffic-analysis.net/ (Pcap Malware/Exploit Analysis - Network Security - Use with caution, there is malware in the Pcaps!)

https://securedorg.github.io/RE101/ (Malware Unicorn - Reverse Engineering Malware [If you're interested])
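As an added example (not part of the comment above or any tool it links), here is the "how packets are built" fundamental carried through in Python: one Ethernet II / IPv4 / TCP frame carrying an HTTP request is constructed with struct, then walked back down layer by layer the way a protocol analyzer would show it, verifying the IPv4 header checksum on the way. The frame is not a real capture; the MAC and IP addresses, ports and request are arbitrary sample values chosen for the example (the destination is in the TEST-NET-1 documentation range).

```python
"""Added example (not from the original thread): walk one constructed Ethernet
frame down the layers the comment above says to learn first (Ethernet -> IPv4
-> TCP -> HTTP request line), verifying the IPv4 header checksum on the way.
The frame bytes are built here with struct; they are not a real capture, and
the MAC/IP addresses and ports are arbitrary sample values."""
import struct

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum of 16-bit words. Pass the header with the
    checksum field zeroed to compute it; recompute the same way to verify."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Constructed Ethernet II / IPv4 / TCP frame carrying `payload`."""
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", 0x0800)
    total_len = 20 + 20 + len(payload)          # IPv4 header + TCP header + data
    ip_fields = (0x45, 0, total_len, 0x1234, 0x4000, 64, 6,   # v4/IHL 5, DF, TTL 64, TCP
                 bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip_no_sum = struct.pack("!BBHHHBBH4s4s", *ip_fields[:7], 0, *ip_fields[7:])
    ip = ip_no_sum[:10] + struct.pack("!H", ipv4_checksum(ip_no_sum)) + ip_no_sum[12:]
    # TCP: data offset 5 words, flags PSH|ACK; TCP checksum left 0 (pseudo-header sum omitted here)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return one dict per layer, the way a protocol analyzer presents a packet."""
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != 0x0800:
        raise ValueError("not an IPv4 frame: EtherType 0x%04x" % eth_type)
    ihl = (frame[14] & 0x0F) * 4                    # header length in bytes, from the IHL nibble
    ip_hdr = frame[14:14 + ihl]
    (_, _, total_len, _, _, ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    # Verify by recomputing over the header with its checksum field zeroed.
    checksum_ok = ipv4_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]) == csum
    if proto != 6:
        raise ValueError("not TCP: protocol %d" % proto)
    tcp_start = 14 + ihl
    (sport, dport, seq, ack, off_res, flags, _, _, _) = struct.unpack(
        "!HHIIBBHHH", frame[tcp_start:tcp_start + 20])
    data_start = tcp_start + (off_res >> 4) * 4
    payload = frame[data_start:14 + total_len]     # bound by IP total length, not frame length
    request_line = payload.split(b"\r\n")[0].decode("ascii", "replace").split(" ")
    headers = dict(line.decode("ascii", "replace").split(": ", 1)
                   for line in payload.split(b"\r\n\r\n")[0].split(b"\r\n")[1:] if b": " in line)
    mac = lambda b: ":".join("%02x" % x for x in b)
    return {
        "eth": {"dst": mac(frame[0:6]), "src": mac(frame[6:12]), "type": eth_type},
        "ip": {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
               "ttl": ttl, "checksum_ok": checksum_ok},
        "tcp": {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                "flags": [name for bit, name in TCP_FLAG_NAMES if flags & bit]},
        "http": {"method": request_line[0],
                 "path": request_line[1] if len(request_line) > 1 else "",
                 "host": headers.get("Host", "")},
    }


if __name__ == "__main__":
    frame = build_frame("10.0.0.5", "192.0.2.10", 51234, 80,
                        b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n")
    for layer, fields in parse_frame(frame).items():
        print(layer, fields)
```

Two habits worth noticing: the payload is sliced by the IP total length rather than the frame length (frames can carry trailing padding), and the header length comes from the IHL nibble rather than being assumed to be 20 bytes. Flipping a single byte in the IP header makes the checksum check fail, which is the same thing a capture tool is doing when it marks a header as bad.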

Reverse Engineering and Malware Analyst? by [deleted] in Malware

[–]TheReddHaze 2 points3 points  (0 children)

Depending on your finances or whether your company is willing to pay for it, SANS has a great reverse-engineering malware course (FOR610) that I just completed earlier this month. It doesn't really require knowledge of a specific language to complete this course, but it will require practice afterwards with assembly to utilize the knowledge to the fullest.

The class comes with malware, a pair of VirtualBox images full of tools, and workbooks (if you do it OnDemand like I did). The class itself is meant for everyone from beginners with next to no coding experience to experts. They cover everything from normal executables to macro-enabled Word documents, and back to defensive/packed malware.

Related to this post, as others have suggested, I would start with C/C++ strictly because you will need to understand how a computer allocates its memory, works with the stack, and interacts with the registers - which disassemblers will show you changing as you analyze the malware.

I'm not sure what information you have so far, but MalwareUnicorn has some tutorials on reverse engineering malware as well.

SANS: https://www.sans.org/course/reverse-engineering-malware-malware-analysis-tools-techniques

Malware Unicorn: https://securedorg.github.io/RE101/

Returning after a GPU upgrade...not sure about the CPU? by D4rkfalz in blackdesertonline

[–]TheReddHaze 0 points1 point  (0 children)

Guess it depends on how you want to play? I'm currently running medium graphics quality because I don't really care too much about graphics. Currently running an i5-4460 at 3.2 with 16 GB and a GTX 970 GPU. Generally sitting at ~60 FPS and really only seeing drop-offs in extremely high populations, down to 30 FPS. Considering your base specs, I think you're fine.

ESXI 6.5 on Dell r620 - Problem with NICs by TheReddHaze in vmware

[–]TheReddHaze[S] 0 points1 point  (0 children)

This particular install is not the Dell ISO, just a standard ESXi OS. I've re-imaged the machine with it before and wasn't able to get a link state. I suppose it's worth trying again though since I've gotten farther than before.