With the increasing transition of various infrastructures into the cloud, blue teams can be left with a huge blind spot when it comes to finding nefarious activity within cloud environments. Combine this with the rapid and instant deployment of services or instances, and things can get sticky fairly quickly. In this post, I will go over four AWS-specific detections you can use to monitor potentially malicious activity within your AWS environment using Splunk and our risk-based ShadowHawk platform.
In this post, we will be looking at a tool we have developed to automate many of the components of the popular adversary simulation tool FireDrill. FireDrill is an application designed and developed by the company AttackIQ; more information can be found here. FireDrill provides a library of configurable attacks to help determine whether your controls can either stop or detect them. These configured “scenarios” are placed into “assessments”, which are simply collections of configured tests. There are times when an assessment may need to be re-created, which was the main reason for creating our tool. It has since, however, evolved into so much more.
Earlier this year we gave a talk on an effort we call ShadowHawk. It is, at its core, an abstraction layer between detections and alerts, using a risk score and risk objects to communicate between the two. This post covers some of the macros under the hood.
In this brief Splunk search review, we wanted to cover how to leverage web proxy logs to break down what users are searching for.
One of the growing attacks we have seen has been Remote Desktop brute forcing, MITRE ATT&CK technique T1076 (https://attack.mitre.org/wiki/Technique/T1076), especially if you have laptops that connect directly to the internet when not at your office. We know what you are thinking… people still connect without a network firewall? ...YES.
In this brief Splunk tip for defenders, we are going to talk about web proxy logs and analyzing user agent strings. We will identify some common ones and show a search you can modify to fit your needs.
A few of us at my organization were lucky enough to attend DerbyCon last week. This was my first time at the conference and it was amazing. I was able to meet some fellow infosec community members, including @HackingDave, as well as attend some great talks. One of the talks we attended was by @subtee and @kwm, called "Blue Team Keeping Tempo with Offense". This talk really hit home for me. In our organization, our team has both red teamers and blue teamers who partner to improve our security posture. This was a fundamental aspect of their talk and something we value as a security threat team.
In order to "keep up with offense", Casey and Keith spoke at length about where blue teams tend to break down. This caught my ear as a blue teamer trying to gain an advantage. One of their main discussion points was that we as blue teamers tend to end up with too many alerts, too much noise, and too many false positives. It got me thinking about how we have tackled this problem in our organization, and I thought it would be useful to share our strategy with others.
In this post we will touch upon automated scoring for Dark Falcon. A big part of the Dark Falcon effort, as we previously discussed, is centered around the MITRE ATT&CK framework. ATT&CK catalogs the tactics an adversary may use in their attempts to compromise a network. Thinking about this logically, we understood that we need to be able to perform realistic tests against our infrastructure, and in turn we would be able to determine our readiness to detect and defend against these tests. Lastly, we asked ourselves how we can do this in a fully automated way, so humans can keep doing human things and not waste time on something a computer can easily do.
In the final post of this series we wanted to explore two extensions in DarkFalcon that have really helped leadership with planning; our goal is to make it easier to prioritize and fund controls within the limitations we all face.
This post in the series starts looking at an extended view of the rich data you have available in Dark Falcon. We are constantly finding new ways of interacting with the ATT&CK tactics and their ratings in our environment. What we cover in this article is just a beginning of what is possible, and we are excited to hear from others about what they are doing. As always, this code is in the DarkFalcon GitHub repo: https://github.com/security-storm/DarkFalcon