May 3: The Conti Leaks emphasize the need for detection based on threat behaviors
How threat actors reuse techniques, and how behavioral threat detections help. To understand and help identify specific security activities of interest, single indicators of compromise (IOCs) are vital. However, since each is only one part of a larger narrative, they fall short of providing organizations with reliable, scalable and maintainable defense…
Tag: Conti

Apr 21, 2021: Reduce Log Ingestion SOC Fatigue: A Detection-First Approach
Assessment and prioritization of your SOC feeds can help reduce cost and ensure quality. Effective breach detection and threat hunting in the SOC depends on collecting many logs and alerts from a wide variety of infrastructure and applications, including clients and servers, networks, email and clouds, and the wide variety…
Tag: SOC

Mar 18, 2021: Detect APTs, like HAFNIUM, on Day 0
In recent weeks security professionals have been scouring their infrastructures, and the internet, for any HAFNIUM-related indicator of compromise, but this is all very retroactive work and tends to lead to more tedious effort when you don’t have the right detection framework in place. Let’s recap the sequence of…
Tag: Hafnium

Mar 9, 2021: Fast-breaking attacks wearing you down … Sunburst, RansomExx, Hafnium, and whatever is next? Agility in your detection engineering process will be your savior.
SOC practitioners know that the threat landscape is as complex and fast-breaking as it has ever been, and that attackers are better funded than ever, so the best thing we, as protectors, have going for us is agility in our processes. Specifically, what that means is…
Tag: Cybersecurity

Feb 18, 2021: Detecting Dependency Confusion: Supply-Chain Compromise Vector
The recent exposure of SolarWinds showed us how a determined adversary could leverage a trusted source in order to gain access to an organization. While there is still much to learn from SolarWinds, we should not ignore how other areas of trust could be used against an organization. …
Tag: SolarWinds

Feb 5, 2021: Detecting the Exploitation of “Baron SamEdit” (CVE-2021-3156)
A recent heap-based buffer overflow vulnerability (CVE-2021-3156) in sudo, dubbed “Baron SamEdit”, was discovered with a high CVSS score of 7.8. Successful exploitation allows any unprivileged local user to escalate immediately to root without additional authentication; it affects the following sudo versions: Legacy versions of…
Tag: Cybersecurity

Jan 8, 2021: SolarWinds Supply Chain Compromise — Is it possible to detect?
The cybersecurity world has been spinning with reports suggesting that APT29, Russia’s elite hacking intelligence arm, successfully infiltrated the software development lifecycle (SDLC) of SolarWinds, an IT management company, to distribute a malicious backdoor to over 18,000 of its customers. Impacted organizations include both public…
Tag: SolarWinds

Dec 7, 2020: The Pervasive Problem of Inferior Detection in your SOC!
Enterprise security operations centers (SOCs) have existed for the sole purpose of detecting and responding to threats to the enterprise — external or insider. In the cybersecurity realm, the protectors have never been ahead of the adversaries, and more often than not have fallen significantly behind and have struggled to…
Tag: Cybersecurity

Oct 20, 2020: No-code in the SOC!
The traditional SOC is, in most cases, essentially controlled by a SIEM, e.g., Splunk. The language and inner workings of the SIEM are of paramount importance to the SOC team, and hiring decisions are often made based on proficiency with the existing SIEM and other SOC tools. …
Tag: Cybersecurity

Sep 7, 2020: The Emergence of Security-Oriented Silos: A Perspective on Gartner’s 2020 Security & Risk Trends — Part 2 (of 2)
As a follow-up to part 1 of this topic, and the XDR topic posted by our CTO, let’s discuss how we must deal with the decentralization of security operations while still needing a unified view of the state of security and ways to secure the enterprise. …
Tag: Cybersecurity