Then they are sysadmins first and infosec people second. I do sysadmin work and I am the most infosec minded person on my team, but I do not consider myself an infosec person. You've basically just described how we have handled infosec as an industry for the past.. well ever.

Internet Explorer fucked around with this message at 18:48 on Oct 20, 2020
Oct 20, 2020 18:45

apseudonym posted: If the point is to build trustworthy systems "having the power to do whatever you want" is not compatible. We shouldn't just not have admin to everything, we shouldn't want it. There is a point where an infosec team has so much access there is no longer separation of duty, and there are infosec teams with so little access they aren't effective.

RFC2324 posted: Security shouldn't be adminning anything. Y'all should be identifying issues and setting policies, then kicking down tickets to the admins to make what changes you need (or engage about why the change breaks things)

I don't agree with this completely. If your security team doesn't have some level of secops functionality, you are severely hamstringing so many things. This is also how you get the wrong kind of do-nothing, clueless security personnel that this thread complains about. You want security folks with operational expertise. You want security deploying and administrating their own tools and resources where it makes sense. Talented people want to press buttons and have some level of autonomy in the infosec space.
Oct 20, 2020 18:53

Internet Explorer posted: Then they are sysadmins first and infosec people second. I do sysadmin work and I am the most infosec minded person on my team, but I do not consider myself an infosec person. You've basically just described how we have handled infosec as an industry for the past.. well ever.

So in your opinion, is the actual difference in practice between an "info sec person" and a "sys-admin that just does a bunch of info sec stuff" not violating a separation of duties concept?
Oct 20, 2020 18:57

Defenestrategy posted: Ah! But what if your info-sec guys are your regular admins because your company cheap AF!? What then?

Nobody gets admin access!
Oct 20, 2020 19:01

RFC2324 posted: Security shouldn't be adminning anything. Y'all should be identifying issues and setting policies, then kicking down tickets to the admins to make what changes you need (or engage about why the change breaks things)
Oct 20, 2020 19:32

Defenestrategy posted: So in your opinion is the actual difference in practice between an "info sec person" and a "sys-admin that just does a bunch of info sec stuff", is not violating a separation of duties concept?

Sorry, I might be misunderstanding what you're asking. I'm not arguing against a separation of duties. It's a good thing and that's why the industry has evolved in that direction. I guess my point is that not all places are there yet and I am not surprised when small or medium businesses don't have that. There are a lot of places where security is still an afterthought and no one is really responsible for security and only security. Just like the blending of Ops / help desk / projects happens in small or medium businesses. It's not good, but it is still the reality in a lot of places.
Oct 20, 2020 19:43

RFC2324 posted: Security shouldn't be adminning anything. Y'all should be identifying issues and setting policies, then kicking down tickets to the admins to make what changes you need (or engage about why the change breaks things)

It's this. Most of security isn't glamorous, it's lots of auditing and policy setting/enforcement.
Oct 21, 2020 07:19

It's great for when you're tired of being boots on the ground. Personally I love it. The only bad thing about transitioning into security governance is it becomes harder to keep your skill/knowledge up. As is the case for any paperwork-centric job.
Oct 21, 2020 12:56

Every now and then you get to work fun stuff. We had a website that had a library in it that got exploited and was being used to host illicit streaming. That was a fun one to fix, because we had to work with the app team to implement engineering changes to prevent reinfection. I live for that stuff. The rest of the time, it's writing governance, reviewing audits, helping write security programs and implementing security policy. Even when I do red team, you get to do some fun stuff, and then you gotta write reports...
Oct 21, 2020 23:57

CommieGIR posted: Even when I do red team, you get to do some fun stuff, and then you gotta write reports...

Maybe I'm weird, but I work for a company that does external pentests/red teaming as the lead and I sometimes have a lot of fun writing the reports. Especially when I break in and just completely demolish everything. It's less fun if you don't get very far. Everyone that doesn't do pentesting/red teaming thinks it's always a blast, and sometimes there can definitely be a rush when you pop a shell, but nobody ever tells you about the time they spent 3 hours enumerating file shares looking for juicy information and coming up empty handed.
Oct 22, 2020 20:39

siggy2021 posted: Maybe I'm weird, but I work for a company that does external pentests/red teaming as the lead and I sometimes have a lot of fun writing the reports. Especially when I break in and just completely demolish everything. It's less fun if you don't get very far.

I know this is probably a constantly asked question but how did you break into that world professionally? I'm currently not super technical but in the process of learning and it seems like everyone takes a very different path.
Oct 22, 2020 22:29

siggy2021 posted: Maybe I'm weird, but I work for a company that does external pentests/red teaming as the lead and I sometimes have a lot of fun writing the reports. Especially when I break in and just completely demolish everything. It's less fun if you don't get very far.

Story of my life. It's more fun to write the report if you get a good compromise.
Oct 22, 2020 23:22

What's the go-to enterprise secrets management solution these days? Infosec team needs a place to store secrets that isn't a shared keepass on a fileshare. I'm thinking of solutioning something like a Hashi Vault instance but I'm not sure if that's just trying to plug a square peg into a round hole.
Oct 22, 2020 23:48

Not Thycotic
Oct 22, 2020 23:55

AWS, Azure, and GCP have good solutions if you use their stuff. My team really likes Hashi's stuff though, so I'd explore that first.
Oct 23, 2020 00:31

I've set up Passbolt for clients in the past that couldn't/wouldn't spend: https://www.passbolt.com/
Oct 23, 2020 00:55

SpaceSDoorGunner posted: I know this is probably a constantly asked question but how did you break into that world professionally?

You didn't ask me, but I started touching computers because academic jobs had no security and I wasn't likely to go tenure-track without eating poo poo for a while. So I was a web dev, until I kept owning the company's app with an SRE buddy. We asked them to pay for our OSCP and they did. Then they asked us to start the security team, so we did. I don't do red team stuff professionally any more, but that was a big part of that first infosec job because nobody would fix anything without a gnarly PoC. I'd been doing hacker kid poo poo and CTFs and stuff since like high school, though.
Oct 23, 2020 01:09

Martytoof posted: What's the go-to enterprise secrets management solution these days? Infosec team needs a place to store secrets that isn't a shared keepass on a fileshare. I'm thinking of solutioning something like a Hashi Vault instance but I'm not sure if that's just trying to plug a square peg into a round hole.

Pleasant Solutions makes an enterprise-friendly multi-user front end for Keepass that has an API. It works and isn't terrible. I've never used Vault, though, so I can't speak to it.
Oct 23, 2020 01:28

SpaceSDoorGunner posted: I know this is probably a constantly asked question but how did you break into that world professionally? I'm currently not super technical but in the process of learning and it seems like everyone takes a very different path.

To be 100% honest, I fell into it through connections. I had been working jack of all trades IT for a while, was going down a networking path, got interested in security and started messing around with Hack The Box and what not. I applied for a networking engineer consulting position with a recruiter, and it turned out that position was taken. The recruiter had another job, and it turned out to be with a consulting company that the company I worked with had done business with, so I already knew one of the owners. I got connected with their guy who did the security side of things, and he invited me to do some CTFs with them. I was apparently pretty good at it, and we started hanging out at security conferences together. He eventually left the company, not because he didn't like the place, but because he had a really good opportunity. He suggested me as his replacement, and it all just kind of worked itself out. I dealt with some major imposter syndrome, but it's been a year and while it still crops up I've made it this far, led several pentests, and have had a generally good response from clients. It also helps that I have at least some technical expertise, can actually write fairly well, and can be put in front of clients and lead meetings with them.

tl;dr I got real lucky and stumbled into it. Networking is the only reason I'm here.

Edit: oh, I was also pursuing the OSCP before I officially started, but ramped it into full gear once I found out it might be a possibility. I nailed it first try after going from basically no knowledge to passing in about 6 months. It was an absurd amount of work.
Oct 23, 2020 02:32

I've had a few interviews for IT security roles now and one of the things that has come up a few times is MITRE and writing reports based on MITRE. I've been honest every time that I've never done any formal incident write-ups based on any sort of framework. Every place I've worked has been more of a panic and wildly speculate while foaming at the mouth sort of employer. So I am trying to train myself in this area now. Does anyone have any recommendations on reading, YouTube, etc. that do a good job going over formal incident response? So far I've just been reading up whatever I can find online and trying to find some decent videos on it. Also is MITRE attack that widely used?
Oct 28, 2020 18:47

BaseballPCHiker posted: Also is MITRE attack that widely used?

MITRE isn't an attack, it's a knowledge base and framework for analyzing attacks. https://attack.mitre.org/

[Edit: My day... there are RED things on this REPORT this is CRITICAL]
Oct 28, 2020 18:54

Internet Explorer posted: MITRE isn't an attack, it's a knowledge base and framework for analyzing attacks. https://attack.mitre.org/

Sorry, should've been more specific: MITRE ATT&CK. I guess how widely used is it? Is this a widespread standard or did I just happen to interview at the two places that use it?
Oct 28, 2020 18:59

Internet Explorer posted: MITRE isn't an attack, it's a knowledge base and framework for analyzing attacks. https://attack.mitre.org/

From the context I think it's clear he knows what it is, even if he didn't spell it att&ck™
Oct 28, 2020 19:02

BaseballPCHiker posted: Sorry should've been more specific MITRE ATT&CK.

My bad. Your post wasn't unclear, I just misread it. I don't work in infosec but my feeling is that it's fairly widespread. Microsoft Ignite has had some interesting presentations on incident response. Check this year and last. If I find them I'll edit them in here.

[edit: boy, they've really made it difficult to find old Ignite content]

Internet Explorer fucked around with this message at 19:08 on Oct 28, 2020
Oct 28, 2020 19:03

BaseballPCHiker posted: Sorry should've been more specific MITRE ATT&CK.

It's gaining more and more traction in the industry and honestly it's not bad as far as using it to classify attacker behavior.
Oct 28, 2020 21:42

https://twitter.com/briankrebs/status/1321554013226209287
Oct 28, 2020 22:19

BaseballPCHiker posted:

This is quickly becoming The Way to communicate with your security/devops/c suite. It's a great way to concretely qualify attack chains / vulns, and it's not too hard for non-security people to pick it up as readers/consumers pretty quick. idk why my impression about att&ck is so much more enthusiastically positive -- I do work with ABCs a bit, so I guess that just means that the world where "security" is pronounced "cyber" has adopted this quite rapidly

Potato Salad fucked around with this message at 23:23 on Oct 28, 2020
Oct 28, 2020 23:21

Thanks for the info. Watching some YouTube presentations on it now and I like what I see to my untrained eyes so far. Seems like a really good way to show we identified X issue, detected with Y, and will mitigate with Z.
Oct 29, 2020 00:06

So what does MITRE ATT&CK actually entail? I went on the website and it just looks like an easier to comprehend vulnerability wiki?
Oct 29, 2020 03:06

As a beginner it's super useful since it lays out a modular process. Processes are frequently the thing that nobody actually teaches in easily accessible ways.
Oct 29, 2020 03:30

On a related note: Therapy patients blackmailed for cash after clinic data breach

quote: Many patients of a large psychotherapy clinic in Finland have been contacted individually by a blackmailer, after their data was stolen.
Oct 29, 2020 03:50

Kerning Chameleon posted: On a related note:

This is going to happen much, much more
Oct 29, 2020 14:47

An unnumbered center-justified list should be punished with etherjacking.
Oct 29, 2020 14:58

Brought to you by Brian Krebs! https://twitter.com/GossiTheDog/status/1321666478979096576?s=20

CommieGIR fucked around with this message at 15:03 on Oct 29, 2020
Oct 29, 2020 15:01

CommieGIR posted: Brought to you by Brian Krebs!
Oct 29, 2020 18:09

Krebs is a dick and has doxxed people for disagreeing with him
Oct 29, 2020 18:12

wyoak posted: is being brought to me by Brian Krebs bad?

Considering he "broke protocol" and announced this to the world while relevant parties were trying to get a handle on it without giving away to the threat actor that they knew? Yea. And the doxxing, as mentioned.
Oct 29, 2020 18:16

wyoak posted: is being brought to me by Brian Krebs bad?

Brian Krebs is an ex Windows Admin who plays security and regularly says poo poo that is based on little evidence. He's a pariah in the Infosec community, especially because he doesn't take criticism well. Kinda like Kevin Mitnick, but Kevin does actually know a lot of things, even though he sold his soul.

The Fool posted: Krebs is a dick and has doxxed people for disagreeing with him

This. AND in this case, he's trying to exploit fear to make himself a bunch of money selling a product that might not actually help.

CommieGIR fucked around with this message at 18:23 on Oct 29, 2020
Oct 29, 2020 18:21

BaseballPCHiker posted: So I am trying to train myself in this area now. Does anyone have any recommendations on reading, YouTube, etc that do a good job going over formal incident response? So far I've just been reading up whatever I can find online and trying to find some decent videos on it.

BaseballPCHiker posted: Also is MITRE attack that widely used?

There are a ton of ways it can be used, it just depends on what you're trying to accomplish. So for example if you're working in a SOC and someone asks you to do some threat hunting, you can pick tactics and look at what indicates those tactics, then search for that across your environment with whatever tools you have. We rely on it a lot during incident response as well, simply to help us inform our understanding of what may have happened and what artifacts we should look for (or steps to take to contain the threat, all that IR poo poo).
Oct 29, 2020 18:27

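As an added example (not from any poster in this thread) of the hunt the reply above describes and of the earlier "identified X, detected with Y, mitigate with Z" framing: a small Python hunt that picks one ATT&CK tactic, runs indicator checks for two of its techniques over constructed sample log lines, and returns findings tagged with tactic, technique, detection and mitigation. The key=value log format, the detector thresholds and the mitigation wording are assumptions; the tactic and technique IDs are real ATT&CK identifiers.

```python
import re
from collections import Counter
# Constructed sample log lines; the key=value format is an assumption, not any product's output.
SAMPLE_LOGS = [
    "2020-10-29T18:00:01 host=srv1 event=logon_failed user=admin src=10.0.0.7",
    "2020-10-29T18:00:02 host=srv1 event=logon_failed user=admin src=10.0.0.7",
    "2020-10-29T18:00:03 host=srv1 event=logon_failed user=admin src=10.0.0.7",
    "2020-10-29T18:00:04 host=srv1 event=logon_failed user=admin src=10.0.0.7",
    "2020-10-29T18:00:05 host=srv1 event=logon_failed user=admin src=10.0.0.7",
    "2020-10-29T18:00:06 host=srv1 event=logon_ok user=admin src=10.0.0.7",
    "2020-10-29T18:01:10 host=srv1 event=process_access target=lsass.exe proc=procdump.exe",
    "2020-10-29T18:02:00 host=srv2 event=logon_failed user=bob src=10.0.0.9",
]
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    # One key=value log line -> dict of fields.
    return dict(KV_RE.findall(line))

def brute_force(events, threshold=5):
    # T1110 indicator: repeated failed logons for one user from one source.
    failed = Counter((e["host"], e["user"], e["src"])
                     for e in events if e.get("event") == "logon_failed")
    return [f"{n} failed logons for {u} on {h} from {s}"
            for (h, u, s), n in failed.items() if n >= threshold]

def lsass_access(events):
    # T1003 indicator: a process opening a handle to lsass.exe.
    return [f"{e['proc']} opened lsass.exe on {e['host']}" for e in events
            if e.get("event") == "process_access" and e.get("target") == "lsass.exe"]

# Hunt plan for one tactic: (technique, detector, mitigation); IDs are real ATT&CK IDs, rules simplified.
HUNT_PLAN = {
    "TA0006 Credential Access": [
        ("T1110 Brute Force", brute_force, "account lockout policy and MFA"),
        ("T1003 OS Credential Dumping", lsass_access, "LSA protection / Credential Guard"),
    ],
}

def hunt(lines, plan=HUNT_PLAN):
    # Run every detector; each hit is a report-ready finding (identified / detected with / mitigate).
    events = [parse(line) for line in lines]
    findings = []
    for tactic, techniques in plan.items():
        for technique, detector, mitigation in techniques:
            for evidence in detector(events):
                findings.append({"tactic": tactic, "technique": technique,
                                 "detected_with": evidence, "mitigate": mitigation})
    return findings
```

Adding a tactic means adding a key to HUNT_PLAN with its own (technique, detector, mitigation) tuples; the detectors are the part you would replace with real SIEM queries.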