‘Motive – Opportunity – Impunity’ cycle shapes the cybersecurity threat landscape for years
Motive – Opportunity – Impunity: without breaking this cycle in the global private and public sectors cooperation, thereβll be no end to cybercrime nor to politically motivated hacks. Motive Money. Thatβs whatβs directly behind the majority of cyber attacks today. Another much less frequent but very dangerous motive is politics with state actors seeking influenceContinue reading “‘Motive – Opportunity – Impunity’ cycle shapes the cybersecurity threat landscape for years”
Super timeline initial triage with Jupyter and Pandas
While Pandas may not care much about time then incident responders should. Timeline creation and analysis are the core activities of many deep dive digital forensics investigations. Run log2timeline/plaso on logs and other common evidence data and you’ll get a nice csv file with parsed events together with their associated time. This allows to correlateContinue reading “Super timeline initial triage with Jupyter and Pandas”
Analyzing binaries in place with Velociraptor and CAPA
Velociraptor aims to provide the “last step” in the process of digital forensic investigations, security monitoring and threat hunting.Β CAPA detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is aContinue reading “Analyzing binaries in place with Velociraptor and CAPA”
Threat hunting with Microsoft Defender β Valid Accounts
In the previous post I explained how to hunt for exact same scenario using CrowdStrike. I thought it’d be fun to see how would it look like with Microsoft Defender for Endpoint using its Advanced Hunting module and the Kusto query language.
Threat hunting with CrowdStrike β Valid Accounts
Techniques of interest: https://attack.mitre.org/techniques/T1078/ https://attack.mitre.org/techniques/T1021/ |_ Remote Services: Remote Desktop Protocol |_ Remote Services: SMB/Windows Admin Shares Hypothesis: If a Threat Actor (TA) would successfully employ the above-mentioned sub-techniques of T1021 then in Windows Active Directory environment it should demonstrate itself by Windows logon events with types 3 and 10 being generated on target machines. If we were able to identify any single userContinue reading “Threat hunting with CrowdStrike β Valid Accounts”
How to make smart investments in cybersecurity
Developing and prioritizing investment needs is not an easy task for most of the CISOs out there. Most of them face strong budgeting constraints and need to extensively justify every penny they request. Some will only get significant spending approved after their organization experienced a significant breach. This article aims to provide a noninclusive listContinue reading “How to make smart investments in cybersecurity”
Loading…
Something went wrong. Please refresh the page and/or try again.
About Me
Expert, manager, engineer, consultant, architect, traveler. Trying to keep up π₯
Nowadays in security monitoring, incident response, threat hunting, EDR and more. Always willing to learn. Opinions are my own.
Cybersecurity is a race between awareness and a breach.
That would be me
Network location does not imply trust.
NIST SP 800-207
