The Storm

Searching the Searches

In this brief Splunk search review we wanted to cover how to leverage web proxy logs to break down what users are searching.

Situational AwarenessContra_BlueTeamApril 5, 2018Comment

Potential Malicious User Agents

In this brief Splunk tip for defenders we are going to talk web proxy logs and analyzing user agent strings. We will identify some common ones and show a search you can modify to fit your needs.

Situational Awareness, Threat HuntingContra_BlueTeamOctober 2, 2017Comment

Knowing Your Battle Space - Part 4

This post in the series starts looking at an extended view of the rich data you have available in Dark Falcon. We are constantly finding new ways of interacting with the ATT&CK tactic and there ratings in our environment. What we cover in this article is just a beginning to what is possible and we are excited to hear from others on what they are doing. As always this code is in the DarkFalcon GitHub repo, https://github.com/security-storm/DarkFalcon

Situational AwarenessContra_BlueTeamSeptember 21, 2017Comment

Knowing Your Battle Space - Part 2

In this post we will cover a lot of the connections between the MITRE ATT&CK framework to how we created a maturity model from it and help visualize our environment. Our topics for this discussion:

Scoring based on multiple decision points
Mapping Specific Security Controls to Tactics
Visualizing results for decision makers

Situational AwarenessContra_BlueTeamSeptember 15, 2017 Comment

Knowing Your Battle Space - Part 1

As defenders, there are many times our priorities are being determined by forces outside of our control. We are being guided by urgent projects, never ending vulnerabilities, sensational headlines, and over promised technologies. Meanwhile, real attackers continue to try to exploit our IT infrastructure and our End Users. The sophistication level of an average attack on the enterprise environment is increasing by the day and the average burnout of a defender is increasing by the minute. At some point, you start asking yourself are we always just suppose to lose?

Threat Hunting, Situational AwarenessEric GroceSeptember 14, 2017 Comment

BLASTIN AND CASTIN - PART 4

This last post in our phishing series walks through a real phishing campaign to really show the power behind this solution both in the ability to identify and remediate malicious emails quickly and efficiently.

Situational Awareness, Threat Response, Threat HuntingCupcakeNinja007September 6, 2017Comment

Blastin and Castin - Part 1

Over a 4 part series of posts we hope to outline what worked for us in reducing our infections as a result of phishing from 40% to less than 5% without any end user interaction. We know this sounds ridiculous but hang in there and you will see how a bit of creativity and grit can get similar results for you.

Part 1 is all about making email logs useful to enable our hunting efforts.

Situational AwarenessContra_BlueTeamAugust 1, 2017Comment