Oct
Jul 19, 2007

BaseballPCHiker posted:

So I am trying to train myself in this area now. Does anyone have any recommendations on reading, YouTube, etc that do a good job going over formal incident response? So far I've just been reading up whatever I can find online and trying to find some decent videos on it.
For free content, I would typically point someone here: https://www.dfir.training/. A lot of the really good training is still paid, unfortunately. SANS is kind of the 900-pound gorilla for training, especially for forensics and incident response. The site I linked is pretty much driven by the DFIR community, so there are a lot of decent resources to dig into.

BaseballPCHiker posted:

Also is MITRE attack that widely used?
ATT&CK is definitely becoming something of a standard for modeling threat intelligence - on the DFIR side it's pretty much essential to understand what it is and how it can be used. It's mostly designed for enterprise-level attacks carried out by advanced threats rather than script kiddies, though it can be used for that. I typically work it into interview questions when I am screening candidates.

There are a ton of ways it can be used, it just depends on what you're trying to accomplish. So for example if you're working in a SOC and someone asks you to do some threat hunting, you can pick tactics and look at what indicates those tactics, then search for that across your environment with whatever tools you have. We rely on it a lot during incident response as well simply to help us inform our understanding of what may have happened and what artifacts we should look for (or steps to take to contain the threat, all that IR poo poo).


Oct
Jul 19, 2007

Well poo poo, I can write a half-assed effortpost on threat hunting to distract myself from politics.

A bunch of people have hit on a lot of the basics for what threat hunting is and all that - basically proactively going out and looking through your security telemetry for indicators of malicious activity. It's kind of the inverse of typical secops where you're playing whack-a-mole with alerts. Hunting can be a really formal thing, where you'd have a dedicated team attached to your SOC, or something informal like one person getting inquisitive on a Friday afternoon for shits and grins.

Most security teams are so strapped for resources and have other fundamental problems that hunting is not really a thing. But it's a loving fantastic buzzword, so everyone thinks it's right for them and vendors love to talk about how they can help you do it. In bigger enterprise SOC environments where you've got a reasonably mature security program, you may see a division carved off as a formal hunt team. If you contract out your front line security monitoring to an MSSP then they may claim to do some of this too.

The academic idea is basically that you'd take a hypothesis for what a bad guy would do on your network, and then using whatever tools are at your disposal you'd look for indicators of malicious activity consistent with your hypothesis. If you go back to the MITRE ATT&CK discussion from a few pages back, that's a pretty common point of reference for this and this is one of the more common applied uses of the framework. So it's kind of meant to be a bit of a scientific process, which is cool as a concept and it's way more engaging than waiting for alerts to roll in passively. It also pairs up with some of the concepts laid out in David Bianco's Pyramid of Pain model which is worth a read.

Anyway, with how all of this works there's an unspoken expectation that you'd have access to legit threat intel too. Not ephemeral poo poo like IP and hash lists (the bottom of the pyramid model!) but more of the ATT&CK-like stuff. If you have reliable threat intel (and let's be clear: few do), then they can say "hey we have high confidence that criminal actors are targeting companies like ours to collect trade secrets, and these are the tactics that have been observed that are consistent with these actors". So the idea would be that your hunters could take that intel and then start looking for all of those tactics - for example, maybe this is rudimentary poo poo like looking for evidence of passing the hash in windows event logs. And if they find something malicious then your incident response processes (basically everything after the alert) would kick in to deal with the threat. I'm oversimplifying a bunch.

Realistically you can hunt using pretty much anything, from looking at your AV logs to running WMI queries across the network and analyzing the output. I'm a shithead consultant so I see a bit of everything; most of the time the most common approach I see combines an EDR product (Carbon Black or Crowdstrike, Defender ATP, etc.) and a decent SIEM. The SIEM part is still sometimes a bitch because log sources are pretty inconsistent - not collecting logs from user workstations results in a massive visibility gap, which is not great when the bad guys target users first. SysMon events fed into an ELK stack is also a really great one. I've also seen some really awesome stuff being done with tools like OSquery and Kolide too.
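The "look for evidence of passing the hash in Windows event logs" hypothesis from the post above, worked through as an added example (not code from the thread or any poster): a small hunt over constructed Security 4624 logon records, using two commonly published pass-the-hash heuristics. Field names follow the 4624 event schema; the sample records and account names are made up.

```python
"""Hunt for pass-the-hash-consistent logons in Windows Security 4624 events.

Added example; the event records below are constructed, not real telemetry.
Heuristics (both are well-known published patterns, ATT&CK T1550.002):
  1. LogonType 9 + LogonProcessName "seclogo" + AuthPackage "Negotiate":
     a new local logon session created with injected credentials.
  2. LogonType 3 + AuthPackage "NTLM" + KeyLength 0 for a user account:
     NTLM network logon with no session key negotiated.
Both have benign causes (runas /netonly, legacy apps), so the result is a
triage list for an analyst, not a verdict.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Logon:
    record_id: int
    logon_type: int
    logon_process: str
    auth_package: str
    key_length: int
    account: str
    src_ip: str


def pth_indicators(ev: Logon) -> list[str]:
    """Return the names of the pass-the-hash heuristics this event matches."""
    hits = []
    if (ev.logon_type == 9 and ev.logon_process.lower() == "seclogo"
            and ev.auth_package.lower() == "negotiate"):
        hits.append("seclogo_type9")
    if (ev.logon_type == 3 and ev.auth_package.upper() == "NTLM"
            and ev.key_length == 0 and not ev.account.endswith("$")):
        hits.append("ntlm_type3_keylen0")  # machine accounts ($) excluded
    return hits


def hunt(events):
    """Map record_id -> matched heuristics for every suspicious event."""
    return {ev.record_id: hits for ev in events if (hits := pth_indicators(ev))}


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    Logon(1001, 2, "User32", "Negotiate", 0, "alice", "-"),            # console logon
    Logon(1002, 3, "Kerberos", "Kerberos", 0, "alice", "10.0.0.5"),    # normal Kerberos SMB
    Logon(1003, 9, "seclogo", "Negotiate", 0, "alice", "::1"),         # injected credentials
    Logon(1004, 3, "NtLmSsp", "NTLM", 0, "svc_backup", "10.0.0.77"),   # NTLM, no session key
    Logon(1005, 3, "NtLmSsp", "NTLM", 128, "bob", "10.0.0.9"),         # NTLM with session key
    Logon(1006, 3, "NtLmSsp", "NTLM", 0, "WS01$", "10.0.0.12"),        # machine account
]

if __name__ == "__main__":
    for rid, hits in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"record {rid}: {', '.join(hits)}")
```

Against the sample set this flags records 1003 and 1004 only; in a real environment the same logic would run over SIEM or ELK-exported 4624 events and the hits would be pivoted on by source IP and account.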

Oct
Jul 19, 2007

Defenestrategy posted:

My follow-up question: what's the path so you can get paid to do that look like, because that sounds fun
Like always, there's a few different ways. Luck is probably a factor but that's not helpful.

I'd say that it is part of the progression that comes with working in a really big enterprise SOC (where they don't care about skill so much as your ability to close alerts quickly) or working for an MSSP as an analyst in their SOC, sucking the correct amount of management butthole, and proving you're competent. Typically hunters are the people in the SOC who have shown they are good at using the available tools and just generally know their poo poo. Getting past the automated HR keyword screening is probably the biggest hurdle for getting started. You can also start doing this poo poo independently wherever you currently are and start to build a solid resume that way by playing up how you built your employer's threat hunting program from scratch. Recruiters love that poo poo.

Outside of that, networking helps a lot. Black Hills Information Security runs a pretty sizable Discord and is a great resource for career development. If you follow them on LinkedIn they sometimes post the link to join (and then delete it later on). The community there is really helpful when you're getting started and there are tons of discussions around building a career and getting further into it.

Oct
Jul 19, 2007

CommieGIR posted:

Not paying the ransom is basically the "Too big to fail" problem all over again, are you really willing to let a major company collapse? Not likely in the US despite DOJ claims.

Yeah I will agree as well, there is no silver bullet. I tend to argue based on my experience that not-paying is a major component of the solution but it is not that simple. Cyber liability insurers are more problematic, as they have turned into the "solution" by reimbursing ransom payments. This incentivizes the attackers of course, since they're getting paid and they know insurers have deep pockets, and I've had clients straight up say their plan for ransomware is to just pay and let insurance deal with it. Insurance claims aren't necessarily just the cost of the ransom itself either. Some policies may cover lost revenues due to downtime, incident response fees, legal fees, data breach related fees, etc.

Some insurers are making changes here, so maybe we will see trends start to shift a bit. But a lot of this seems to boil down to "paying the insurance premium is cheaper than investing in security". The OFAC sanctions from last year matter a little as well, as insurers aren't fans of reimbursing payments to sanctioned entities.

Beyond that, the other thing I notice is that while the big "whale" victims get headlines and have massive ransoms, there is still a lot more of this impacting very small organizations. Many may not have any insurance, but also have no meaningful security budget (such as the one-person IT/Infosec team). Even if the ransom demanded of them is a fraction of what you saw with Garmin or whoever else, they're incredibly soft targets and there are a lot of them to hit, so it adds up to a lot of money. These people have no budget for security, and even if you have the best access to open-source tools there's nobody watching controls 24/7. Even with the big human-operated ransomware attacks the sophistication is kind of middling. Frequently there are tons of alerts firing on various controls, but nobody's paying attention or responding promptly... who gives a poo poo if you've got some poo poo-hot market leading product when it's not even deployed correctly or monitored.

Oct
Jul 19, 2007

The real target seems to be the OTP code. The caller claimed to represent Wells Fargo for the sake of the social engineering narrative, but that doesn't mean they couldn't have been targeting another account altogether. Sounds like they found some historic personal information that was likely valid and pivoted from there.

What they wanted was for you to get that SMS message and read them the code so that they could access whatever they were trying to access, to do whatever they wanted to do. I'm usually of the opinion that attackers aren't obligated to be transparent as to their objectives, they're just gonna say or do whatever they think will work.


Oct
Jul 19, 2007

Hughmoris posted:

Any recommendations on DFIR practice labs or exercises? I'm willing to shell out a little (company) money if there are reputable blue team sites similar to TryHackMe. I'm mainly looking to learn more about digital forensics and threat hunting by actually working scenarios or simulations.
I haven't vetted these myself but the folks behind the DFIR Report have started offering a few hands-on labs which might be good:
https://the-dfir-report-store.myshopify.com/collections/dfir-labs

Considering the quality of their writeups, I'd wager they will be pretty good.
