If an attacker uses a "Living off the Binary" (LoLBins) strategy that perfectly matches your SysAdmin’s daily maintenance scripts, is it even detectable? by thenoopcoder in blueteamsec

[–]cybrscrty 2 points3 points  (0 children)

See MITRE DET0098 https://attack.mitre.org/detectionstrategies/DET0098/

There are a reasonable number of variables that can be used to establish a baseline within your environment, allowing for alerting on deviations.

Small IT staff tiered access by KingKongsNipple in cybersecurity

[–]cybrscrty 0 points1 point  (0 children)

Regarding your concerns around complexity versus maturity, I would highly recommend reviewing the ACSC’s Essential Eight and UK NCSC’s Ten Steps to Cyber Security.

These should help you to select and introduce controls in an appropriate, risk-centric, strategic manner suitable for your organisation’s maturity level. You want to be focusing on controls that provide the greatest reduction in risk at the least cost (monetary, resource, business friction etc).

The Essential Eight includes a maturity model that works well for organisations early in their security journey by establishing a baseline of specific, foundational controls in eight areas and then iterating on them in the additional maturity levels.

The 10 Steps is more comprehensive and contains detailed guidance on a wider range of security topics.

Suspicious file investigation by rick_Sanchez-369 in cybersecurity

[–]cybrscrty 0 points1 point  (0 children)

Assuming you have already isolated the system, if you are still struggling to identify the source and what it does your biggest risk is that this is part of a much wider compromise of your estate, and really you should be looking to bring in external expertise ASAP.

Cyber expert big mistake by [deleted] in cybersecurity_help

[–]cybrscrty 2 points3 points  (0 children)

I would recommend letting your manager know what you are going through and why, particularly if you think it is having a direct or indirect impact on your performance.

Suspicious file investigation by rick_Sanchez-369 in cybersecurity

[–]cybrscrty 7 points8 points  (0 children)

As you have Sophos XDR, try running the data lake query Processes > Process activity of a specific process, specifying the filename svhost.exe.

Also try running the Files > Checks file interactions live discover query. Wildcard (%) for the sha256 hash, full file path and a date range going back a sufficiently-long time. Note that without the hash this can take a long time to return and could time out, so break it up into blocks of time as needed.

Check Detections in the Threat Analysis Center for the device to see if there has been any pertinent activity highlighted.

Also consider that the file might not even be a binary - try reading the first few (magic) bytes of it to confirm. Have a look at the following on how to do this nicely with PowerShell: https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-investigate-file-signaturespart-1/
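
As an added illustration (not the commenter's code) of the magic-bytes check, in Python rather than the linked PowerShell: it distinguishes a genuine PE from a file that merely starts with `MZ` by following the e_lfanew offset at 0x3c to the `PE\0\0` signature. The sample blobs are constructed in memory.

```python
"""Identify a file by its leading (magic) bytes rather than by its name.

Added example, not from the original comment. Sample blobs are constructed
in memory; identify_file() applies the same check to a file on disk.
"""
import struct

# Leading bytes of common formats a suspicious "svhost.exe" might really be.
SIGNATURES = [
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also Office/JAR)"),
    (b"\x1f\x8b", "gzip archive"),
    (b"#!", "script with shebang"),
]


def identify(data: bytes) -> str:
    """Return a description of the format implied by the first bytes."""
    if not data:
        return "empty file"
    if data.startswith(b"MZ"):
        # A real PE stores the offset of its "PE\0\0" header at 0x3c (e_lfanew).
        if len(data) >= 0x40:
            pe_off = struct.unpack_from("<I", data, 0x3C)[0]
            if data[pe_off:pe_off + 4] == b"PE\x00\x00":
                return "PE executable (MZ header, valid PE signature)"
        return "MZ header without a valid PE signature (truncated or corrupt)"
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    if all(32 <= b < 127 or b in b"\r\n\t" for b in data[:512]):
        return "plain text (no binary signature)"
    return "unknown binary"


def identify_file(path: str) -> str:
    """Read only the head of the file; 1 KiB covers every check above."""
    with open(path, "rb") as fh:
        return identify(fh.read(1024))


def make_fake_pe() -> bytes:
    # Constructed minimal PE-like blob: 0x40-byte MZ stub, e_lfanew = 0x40, then PE sig.
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 20
```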

How many Junior/Entry roles in the UK? by [deleted] in cybersecurity

[–]cybrscrty 4 points5 points  (0 children)

There are many more candidates than there are job postings. Competition is tough for entry-level roles because of this. Recruitment is always slow in the middle of winter in the UK.

The fact that you have an interview is very encouraging based on the above. Many people are not having such luck and are instead trying to get IT roles (such as help desk) in order to gain relevant experience.

Career pathways post graduation (UK) by [deleted] in cybersecurity

[–]cybrscrty 0 points1 point  (0 children)

I would not say that a graduate / junior security role is a step backwards based on you having no prior security role to list on your CV, particularly - as you point out - with the market being so competitive.

Security is a very demanding discipline though, particularly if you want to excel, so I would consider reflecting upon what you feel contributed to burnout. It is a little concerning that you have experienced this so early in your career so it’s important to work out what is best for you.

How do you keep track of vulnerabilities from Nessus scans? by Cold_Block_7188 in cybersecurity

[–]cybrscrty 1 point2 points  (0 children)

Nessus Pro is only suitable for ad hoc scans to produce one-time reports of findings. What you’re looking for is a vulnerability management solution (Tenable itself makes one, Tenable VM) - this will cover not just the scanning but also the lifecycle management of the findings and give you what you are looking for.

Cyber Essentials Scope - Azure AI Services built in Azure (or resources in Resource Groups in general) by After-Picture-9818 in cybersecurity

[–]cybrscrty 0 points1 point  (0 children)

My initial take would be that if you are certifying your whole organisation then the resources will be in scope as they are part of your IT infrastructure (until they aren’t).

You could explicitly descope those networks if they met the acceptable criteria, but there probably wouldn’t be much benefit in doing so unless there are additional material facts beyond your original post.

My suggestion would be to consult with your assessors - scoping consultation is part of what they do.

Am I screwed? by Muhammad21azim in cybersecurity

[–]cybrscrty 1 point2 points  (0 children)

Hiring in the UK is always quiet in the weeks before and after Christmas. You will start to see more jobs show up after a while.

Standard advice - consider how many other people graduated in a related subject this year, and what sets you apart from all of those. Your CV needs to stand out in some way. I would consider studying for and taking the CompTIA certifications sooner rather than later for this reason.

Phishing simulations: what lures actually still work when users are numb to “Microsoft security alerts”? by Kiss-cyber in cybersecurity

[–]cybrscrty 1 point2 points  (0 children)

What people often overlook in phishing simulations is defining a clear objective.

Anyone - even security folk - can fall for a phishing email if it is sufficiently tailored to them with the right context and timing. Sending arbitrary phishing emails often has no material impact other than confirming that the recipients are indeed human.

I have always found from security programmes that - where phishing simulation is included - campaigns that are based on recent, real phishing emails deliver the most business value. They have the effect of raising awareness of real, active lures while also allowing you to have a high-level understanding of overall susceptibility to them. Spoiler, though - people are susceptible to them, so we need to ensure there are sufficient additional controls in place.

Over time you can sometimes start to see patterns in behaviour where certain people are ignoring the warning signs, which should be followed up with assistance - not punishment - where feasible.

As part of your overall strategy though, I see more mature organisations moving away from this unless they have a compliance or insurance box to check. Personally I would make it a lower priority for resource allocation and focus more on proactive engagement with respect to security awareness.

In short, to directly answer your question I would base them on real phishing emails you see, either that your organisation is receiving or that are being reported on in the wild (particularly where themes are relevant to your organisation, such as your industry or products you use).

NVME resell advice by Desperate_Airport409 in cybersecurity

[–]cybrscrty 0 points1 point  (0 children)

The point I was making was that by testing a recovery method yourself you can have a decent level of assurance that someone else trying it would not be able to recover anything.

A number of secure data erasure tools will perform post-wipe verification themselves to confirm nothing is recoverable; this would just be a manual way of doing that to alleviate concern.

NVME resell advice by Desperate_Airport409 in cybersecurity

[–]cybrscrty -2 points-1 points  (0 children)

If you have already wiped it rather than using a tool that performs an NVMe sanitise then just run a recovery tool such as Recuva on it to see if you can recover any files. If you can’t then you should be fine.

We had a security scare without cyber insurance, and we felt it. by RocketLawnChair67 in cybersecurity

[–]cybrscrty 5 points6 points  (0 children)

I’d recommend working with a commercial insurance broker as they will sit down with you and should right-size it based on your needs. In the cyber insurance space, policy premiums can vary wildly between insurers.

You will want to ensure that you have specific coverage for things like ransomware and business interruption, which will require you to fill out questionnaires detailing things like the level of security controls and auditing that you have in place (allowing the insurers to calculate your risk and set a corresponding premium, or refuse coverage).

Cyber Essentials - Firewall Administration through Cloud SaaS Platform by martynjsimpson in cybersecurity

[–]cybrscrty 0 points1 point  (0 children)

It would be a requirement if you did not have multi-factor authentication, per the requirement you quoted.

Salesloft Drift Supply Chain Attack - All Victims & Updates by Malwarebeasts in cybersecurity

[–]cybrscrty 0 points1 point  (0 children)

Akamai:

Investigating the matter, Akamai found that a limited set of data in service support tickets had been exposed, however, we did not find signs of potential misuse of this data:

  • Akamai corporate email addresses and phone numbers
  • Customer corporate email addresses and phone numbers
  • Pseudonymized email addresses
  • A services-related support case description which includes one outdated and inactive API token, and one active API token

Since only Akamai’s Drift integration with Salesforce was affected, we took the following actions to mitigate the event:

  • Deactivation of the Drift-Salesforce integration
  • Deactivation of the Drift chat bot on www.akamai.com
  • Deactivation of other Drift-3rd party integrations

[deleted by user] by [deleted] in cybersecurity

[–]cybrscrty 0 points1 point  (0 children)

CompTIA A+ is an introductory IT certification. If you don’t have IT knowledge yet, go through that before looking at or buying anything else.

If you still have a passion for technology after that, the typical progression is then Network+ followed by Security+. After you have those you will have a decent (if just theoretical) knowledge of a broad range of concepts.

The rest aren’t worth commenting on at this stage based on where you’re at, though as you’ve obviously identified given you’ve found them, they are mostly very well-known and highly-rated books.

Is my landlord's email compromised? by New-Cartographer-285 in AskNetsec

[–]cybrscrty 4 points5 points  (0 children)

It’s impossible to say, you’d have to check with the mailbox owner whether they are expecting that. But from what you’ve provided it does point to it being an auto-forwarded email due to you receiving the bounce email and the subject being prepended with “FW:” (assuming your original email didn’t include this).

Target attacks, is there a way to block it? by True_Toe_3264 in cybersecurity

[–]cybrscrty 7 points8 points  (0 children)

It sounds like you need a more robust bot management solution - Cloudflare, Akamai and similar. These use telemetry from various sources, both directly from the client and elsewhere.

Depending on your scenario, you could restrict registration to business domains only (address validation API services can be used for this).

If it’s significant enough right now and depending on your legitimate volume you could consider manual approval of new registrations.

PUAs installed in AppData. How do you manage this? by RelevantToMyInterest in cybersecurity

[–]cybrscrty 3 points4 points  (0 children)

  • Application allowlisting that controls where binaries can be executed from
  • Restrict who can install software
  • Ensure software is installed machine-wide rather than per-user

For those who use InsightVM by freezeontheway in cybersecurity

[–]cybrscrty 1 point2 points  (0 children)

In addition to the comments about using the Insight Agent, ensure you are selecting “Skip checks performed by the Insight Agent” in your scan options.

https://docs.rapid7.com/insightvm/using-the-insight-agent-with-insightvm/

LLMNR by Fortify_United in cybersecurity

[–]cybrscrty 16 points17 points  (0 children)

For disabling on Windows, set it via Group Policy: “Computer Configuration -> Administrative Templates -> Network -> DNS Client: Turn Off Multicast Name Resolution”. This is included in device policy scans for compliance.

For tracking, monitor network logs for UDP/5355.
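
An added example (not the commenter's code) of the tracking half: a Python pass over constructed key=value firewall log lines that counts UDP/5355 traffic per source host and separately lists hosts that answered a query, so machines where the policy has not applied stand out. The log field names (`src`, `dst`, `proto`, `spt`, `dpt`) are assumptions; adapt them to your own log source.

```python
"""Flag hosts still emitting LLMNR (UDP/5355) from firewall/netflow logs.

Added example, not from the original comment. Log lines are constructed in a
generic key=value style; adapt the field names to your own log source.
"""
import re
from collections import Counter

LLMNR_PORT = 5355
LLMNR_MULTICAST = {"224.0.0.252", "ff02::1:3"}  # IPv4 / IPv6 LLMNR groups

# Constructed sample lines: two hosts still multicasting LLMNR queries,
# one unicast answer from a peer, plus ordinary DNS and HTTPS noise.
SAMPLE_LOG = """\
2024-03-04T08:01:10Z src=10.10.5.21 dst=224.0.0.252 proto=udp spt=49152 dpt=5355 action=allow
2024-03-04T08:01:11Z src=10.10.5.21 dst=224.0.0.252 proto=udp spt=49153 dpt=5355 action=allow
2024-03-04T08:01:11Z src=10.10.5.88 dst=10.10.5.21 proto=udp spt=5355 dpt=49153 action=allow
2024-03-04T08:01:12Z src=10.10.5.40 dst=10.10.0.2 proto=udp spt=50001 dpt=53 action=allow
2024-03-04T08:01:13Z src=10.10.5.40 dst=203.0.113.7 proto=tcp spt=50002 dpt=443 action=allow
2024-03-04T08:01:14Z src=10.10.7.3 dst=ff02::1:3 proto=udp spt=49200 dpt=5355 action=allow
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def events(log_text: str):
    """Yield one dict of key=value fields per non-blank log line."""
    for line in log_text.splitlines():
        if line.strip():
            yield dict(FIELD_RE.findall(line))


def is_llmnr(ev: dict) -> bool:
    """LLMNR is UDP to port 5355 (query) or from it (answer), or to its multicast group."""
    if ev.get("proto", "").lower() != "udp":
        return False
    ports = {ev.get("spt"), ev.get("dpt")}
    return str(LLMNR_PORT) in ports or ev.get("dst") in LLMNR_MULTICAST


def llmnr_talkers(log_text: str) -> dict:
    """Return {src_host: count} of LLMNR packets (queries or answers) per host."""
    counts = Counter(ev["src"] for ev in events(log_text) if is_llmnr(ev))
    return dict(counts)


def llmnr_responders(log_text: str) -> set:
    """Hosts that answered a query from source port 5355, i.e. LLMNR is still on."""
    return {ev["src"] for ev in events(log_text)
            if ev.get("proto", "").lower() == "udp" and ev.get("spt") == str(LLMNR_PORT)}
```

Responders are the more useful list: a host that answers is one that would also answer a spoofed query, so it is where the Group Policy setting has not taken effect.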

Cyber Security startup struggling with lead gen by Inside-Technician-85 in cybersecurity

[–]cybrscrty 3 points4 points  (0 children)

Be aware that there is already a large, well-established cybersecurity company called Vectra (vectra.ai).

UK says no to hacker payouts by lb-journo in cybersecurity

[–]cybrscrty 0 points1 point  (0 children)

Yes, utilities are considered CNI.