Detecting Recon and Scanning Activity in AWS: A Crash Course

With the increasing transitions of various infrastructures into the cloud, blue teams can be left with a huge blind spot when it comes to finding various nefarious activities within cloud environments. Combine this with the rapid and instant deployment of services or instances, and things can get sticky fairly quick. In this post, I will go over four AWS-specific detections you can use to monitor potentially malicious activity within your AWS environment using Splunk, and our risk-based ShadowHawk platform.

Read More
Automating FireDrill AdSim Configuration with InfernoAuger

In this post, we will be looking at a tool we have developed to automate many of the components of the popular adversary simulation tool, FireDrill. FireDrill is an application that is designed and developed by the company AttackIQ; more information can be found here. FireDrill provides a library of configurable attacks to help determine if your controls can either stop or detect them. These configured “scenarios” are placed into “assessments” which are simply a collection of configured tests. There are times where an assessment may need to be re-created, which was the main reason for the creation of our tool. It has since, however, evolved into so much more.

Read More
Risk Gifts, An Early Present

Earlier this year we gave a talk on an effort we call ShadowHawk. It is, at the core, an abstracted layer between detections and alerts and is using a risk score and risk objects to communicate between the two. This post covers some of the macros under the hood.

Read More
Curing Alert Fatigue Through Suppression and Fidelity

A few of us at my organization were luckily enough to attend DerbyCon last week. This was my first time at the conference and it was amazing. I was able to meet some fellow infosec community members including @HackingDave as well as attend some great talks. One of the talks we attended was by @subtee and @kwm called "Blue Team Keeping Tempo with Offense". This talk really hit home for me. In our organization, our team has both red teamers as well as blue teamers who partner to improve our security posture. This was a fundamental aspect of their talk and something we value as a security threat team.

In order to "keep up with offense", Casey and Keith spoke heavily on where blue teams tend to break down. This captured my ear as a blue teamer trying to gain an advantage. One of their main discussion points was that we as blue teamers tend to end up with too many alerts, too much noise, and too many false positives. It got me thinking about how we have tackled this problem in our organization and I thought it would be useful to share our strategy with others.

Read More

In this post we will touch upon automated scoring for Dark Falcon. A big part of the Dark Falcon effort as we previously discussed is centered around the MITRE ATT&CK framework. We have identified the fact that ATT&CK utilizes tactics that an adversary may use in their desire to compromise a network. Thinking about this logically, we understood that we need to be able to perform realistic tests against our infrastructure and in turn we would be able to determine our readiness to detect and defend against these tests. Lastly, we asked ourselves how can we do this in a fully automated way so humans can keep doing human things and not waste time doing something a computer can easily do.

Read More
Eric GroceComment
Knowing Your Battle Space - Part 4

This post in the series starts looking at an extended view of the rich data you have available in Dark Falcon. We are constantly finding new ways of interacting with the ATT&CK tactic and there ratings in our environment. What we cover in this article is just a beginning to what is possible and we are excited to hear from others on what they are doing. As always this code is in the DarkFalcon GitHub repo,

Read More