Risk Gifts, An Early Present

Earlier this year we gave a talk on an effort we call ShadowHawk. At its core it is an abstraction layer between detections and alerts: detections contribute risk scores to risk objects (a user, a host), and alerts are raised from the accumulated risk rather than from any single detection. This post covers some of the macros under the hood.
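To make the "layer between detections and alerts" concrete, here is an added, self-contained example of that pattern. It is not ShadowHawk's code and not the macros the post discusses; the risk object format, the fidelity weight, the 24-hour window, the 100-point threshold, the "two distinct detections" rule and the allowlist are all hypothetical choices for illustration, and the detections fed into it are constructed.

```python
"""Added example: a risk-object layer between detections and alerts.

Not ShadowHawk's own code. Each detection names a risk object, carries a
base score set by the detection author and a fidelity weight (0..1).
Risk accumulates per object inside a sliding window; an alert is raised
only when the windowed score crosses a threshold AND at least two
distinct detections contributed. All numbers are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Detection:
    ts: datetime
    risk_object: str        # e.g. "user:alice" or "host:ws-01" (assumed format)
    name: str               # detection / search name
    score: int              # base risk score chosen by the detection author
    fidelity: float = 1.0   # confidence weight; noisy searches contribute less


@dataclass
class RiskAlert:
    risk_object: str
    score: float
    contributing: List[str]


class RiskLayer:
    """Accumulates detections per risk object and emits alerts on threshold."""

    def __init__(self, threshold: float = 100.0,
                 window: timedelta = timedelta(hours=24),
                 allowlist=()):
        self.threshold = threshold
        self.window = window
        self.allowlist = set(allowlist)      # detections suppressed outright
        self._events: Dict[str, List[Detection]] = defaultdict(list)

    def ingest(self, det: Detection) -> Optional[RiskAlert]:
        # Suppression 1: a detection known to be noise adds no risk.
        if det.name in self.allowlist:
            return None
        events = self._events[det.risk_object]
        # Expire contributions that fell out of the window.
        cutoff = det.ts - self.window
        events[:] = [e for e in events if e.ts >= cutoff]
        # Suppression 2: the same detection on the same object counts once
        # per window, so a search that fires every 5 minutes cannot alert alone.
        if any(e.name == det.name for e in events):
            return None
        events.append(det)
        total = sum(e.score * e.fidelity for e in events)
        distinct = sorted({e.name for e in events})
        if total >= self.threshold and len(distinct) >= 2:
            # Reset after alerting so the same evidence is not re-alerted
            # on the next low-value detection (hypothetical policy).
            events.clear()
            return RiskAlert(det.risk_object, total, distinct)
        return None


def run_sample() -> List[RiskAlert]:
    """Feed constructed detections through the layer; returns raised alerts."""
    t0 = datetime(2019, 10, 1, 9, 0)
    layer = RiskLayer(allowlist={"noisy_search"})
    sample = [  # constructed, not real telemetry
        Detection(t0, "user:alice", "mimikatz_cmdline", 60, 0.9),
        Detection(t0 + timedelta(minutes=10), "user:alice", "mimikatz_cmdline", 60, 0.9),
        Detection(t0 + timedelta(minutes=20), "user:alice", "failed_logon_burst", 30, 0.5),
        Detection(t0 + timedelta(minutes=30), "host:ws-01", "new_service_install", 40, 0.8),
        Detection(t0 + timedelta(minutes=40), "user:alice", "lateral_psexec", 50, 1.0),
        Detection(t0 + timedelta(minutes=50), "user:bob", "noisy_search", 80, 1.0),
        Detection(t0 + timedelta(hours=2), "user:alice", "failed_logon_burst", 30, 0.5),
    ]
    return [a for a in (layer.ingest(d) for d in sample) if a is not None]


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only one alert comes out of the seven detections: the repeated mimikatz hit is counted once, the allowlisted search adds nothing, the host object never reaches the threshold, and alice alerts at 54 + 15 + 50 = 119 with three distinct contributing detections. The point of the layer is exactly that the analyst sees one risk alert with its evidence attached instead of five separate notables.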

Curing Alert Fatigue Through Suppression and Fidelity

A few of us at my organization were lucky enough to attend DerbyCon last week. This was my first time at the conference and it was amazing. I was able to meet some fellow infosec community members including @HackingDave as well as attend some great talks. One of the talks we attended was by @subtee and @kwm, called "Blue Team Keeping Tempo with Offense". This talk really hit home for me. In our organization, our team has both red teamers and blue teamers who partner to improve our security posture. This was a fundamental aspect of their talk and something we value as a security threat team.

In order to "keep up with offense", Casey and Keith spoke at length about where blue teams tend to break down. This captured my ear as a blue teamer trying to gain an advantage. One of their main discussion points was that we as blue teamers tend to end up with too many alerts, too much noise, and too many false positives. It got me thinking about how we have tackled this problem in our organization, and I thought it would be useful to share our strategy with others.


In this post we will touch upon automated scoring for Dark Falcon. A big part of the Dark Falcon effort, as we previously discussed, is centered around the MITRE ATT&CK framework. ATT&CK catalogs the tactics and techniques an adversary may use to compromise a network. Thinking about this logically, we need to be able to run realistic tests of those techniques against our infrastructure and, in turn, determine our readiness to detect and defend against them. Lastly, we asked ourselves how we can do this in a fully automated way, so humans can keep doing human things and not waste time on something a computer can easily do.
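As an added illustration of what "automated scoring" against ATT&CK can look like, the following example turns per-technique test outcomes into per-tactic readiness ratings. This is not Dark Falcon's scoring code and not taken from its repository; the outcome weights (detected and prevented scores highest, detected-only next, prevented-but-unseen lower because it leaves no visibility), the "latest run wins" rule and the test results themselves are constructed for this example. The technique IDs are real ATT&CK identifiers used only as labels.

```python
"""Added example: rate ATT&CK tactic readiness from automated test results.

Not Dark Falcon's own scoring. Each test run records, per technique,
whether a detection fired and whether a control prevented the test.
The latest run for a technique wins; a tactic's rating is the mean
outcome score of its techniques, 0..100. Weights are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class TestResult:
    run_id: int
    tactic: str        # ATT&CK tactic name
    technique: str     # ATT&CK technique ID
    detected: bool     # a detection fired for this test
    prevented: bool    # a control blocked the test


def outcome_points(r: TestResult) -> float:
    """Hypothetical weighting of a single test outcome."""
    if r.prevented and r.detected:
        return 1.0       # blocked and we saw it
    if r.detected:
        return 0.75      # not blocked, but visible to the blue team
    if r.prevented:
        return 0.5       # blocked silently: no visibility if the control fails
    return 0.0           # neither: a gap


def score_tactics(results: List[TestResult]) -> dict:
    """Returns per-tactic ratings, overall rating and the list of gaps."""
    latest: Dict[str, TestResult] = {}
    for r in results:                     # latest run per technique wins
        cur = latest.get(r.technique)
        if cur is None or r.run_id > cur.run_id:
            latest[r.technique] = r

    by_tactic: Dict[str, List[float]] = defaultdict(list)
    gaps: List[str] = []
    for r in latest.values():
        pts = outcome_points(r)
        by_tactic[r.tactic].append(pts)
        if pts == 0.0:
            gaps.append(r.technique)

    tactics = {t: round(100 * sum(p) / len(p)) for t, p in by_tactic.items()}
    all_pts = [p for ps in by_tactic.values() for p in ps]
    overall = round(100 * sum(all_pts) / len(all_pts)) if all_pts else 0
    return {"tactics": tactics, "overall": overall, "gaps": sorted(gaps)}


def run_sample() -> dict:
    """Constructed results from two hypothetical automated test runs."""
    results = [
        TestResult(1, "Execution", "T1059.001", detected=True, prevented=False),
        TestResult(1, "Execution", "T1047", detected=False, prevented=False),
        TestResult(2, "Execution", "T1047", detected=True, prevented=False),
        TestResult(1, "Credential Access", "T1003.001", detected=True, prevented=True),
        TestResult(1, "Credential Access", "T1110", detected=False, prevented=True),
        TestResult(1, "Lateral Movement", "T1021.002", detected=False, prevented=False),
    ]
    return score_tactics(results)


if __name__ == "__main__":
    print(run_sample())
```

The run-2 result for T1047 supersedes the run-1 miss, so Execution rates 75 rather than 38; Credential Access also rates 75 because the brute-force test was blocked without any detection firing; and Lateral Movement rates 0 and surfaces T1021.002 as the gap to work on next. Re-running the tests on a schedule and diffing these ratings over time is the automation the post is after.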

Eric Groce
Knowing Your Battle Space - Part 4

This post in the series starts looking at an extended view of the rich data you have available in Dark Falcon. We are constantly finding new ways of interacting with the ATT&CK tactics and their ratings in our environment. What we cover in this article is just a beginning of what is possible, and we are excited to hear from others about what they are doing. As always, this code is in the DarkFalcon GitHub repo, https://github.com/security-storm/DarkFalcon

Knowing Your Battle Space - Part 1

As defenders, many times our priorities are determined by forces outside of our control. We are guided by urgent projects, never-ending vulnerabilities, sensational headlines, and over-promised technologies. Meanwhile, real attackers continue to try to exploit our IT infrastructure and our end users. The sophistication of the average attack on an enterprise environment is increasing by the day, and the burnout of the average defender is increasing by the minute. At some point, you start asking yourself: are we always just supposed to lose?
