Amateur Security Archaeologists, trying not to break things.

Category: Security (Page 12 of 14)

Spooked out about Threats? Model with STRIDE and DREAD

As you can see in the previous post, the “know yourself” side of the Threat Modeling process is extensive and covers all but one of the steps. While some may be tempted to deal only in knowing the adversary, you must grasp on your organization’s own policies, capabilities, and design to model most effectively. These efforts also feed related activities, such as project planning and roadmap development, business strategy, risk management, and procurement & staffing. Several externally focused frameworks and methodologies map adversary behaviors and their impacts to the environment and should be selected to compliment the skills and capabilities of your organization. Each offers different areas of focus, fidelity, and processes that can be adapted to your organization’s needs.

Continue reading

What is Threat Modeling?

As Sun Tzu might advise, “If know the enemy and know yourself, you need not fear the result of a hundred battles.” Let’s focus on “knowing yourself” first. We introduced this as an important step to Threat Hunting in a prior post. All organizations should start by identifying and scoping the environment’s key assets, data types, and security controls (both technical and process related). What are you trying to protect? Why are they important? Who needs or uses those things? Threat Modeling is the proactive process that helps you understand and address security risks before they can be exploited by attackers. This requires an understanding of both the environment to be protected and the way threats might overcome those defenses.

Continue reading

On the topic of Threat Hunting

All of us encounter the use (and misuse) of terms like threat hunting, threat modeling, threat intelligence, and threat picture.

  • Threat hunting is about leveraging knowledge of adversaries and the target system to proactively identify (and hopefully eradicate) threats before damage is incurred.
  • Threat Modeling is a structured approach used to identify, assess, and mitigate potential threats and vulnerabilities in a system, application, or environment – outlining the hypothetical ways that a threat might attack us.
  • Threat Intelligence (often called Cyber Threat Intelligence or CTI) characterizes the potential adversaries or troublesome events that might exploit those weaknesses, the organization’s most likely adversaries, attack vectors, and dependencies must be evaluated against that context.
  • The likely adversaries portion of threat modeling is often called the Threat Picture – an externally-focused view of the most likely attacks your organization will face. 
Continue reading

Adventures in Zeek – Background and Setup

A revelation during my studies with SANS revealed a lot of open source tools that I find amazing. One of those is the tool Zeek (formerly Bro) IDS. While I have enjoyed and been enriched by my studies of SiLK, Snort, Suricata, Tshark and TCPDump, Zeek is the tool that jumps out to me as that offering greatest potential to learn about and explore networks.

In this blog entry, we’re going to create a single-node Zeek sensor on our virtual host and turn it loose monitoring the network tap we have between our Core switch and the ESXi host. I am starting with Ubuntu 20.04 again, a minimal install, so we can get up and running and have some consistency with the ELK host we are also running. I know lots of distributions run these applications on CentOS/RedHat as well, and there are plenty of good blogs on installing it for yum/RPM based distributions, but we’ll stick with my feeble limitations for now😉

Continue reading

The Struggle is Real! Balancing Platform Simplicity and Complexity

I know this seems like a pretty weak byline, but bear with me. In studying for the GCIH exam I have been finding myself pondering some of the wisdom I have been given by John Strand, the VoD’s recorded instructor. In the course-ware, he stresses the need for an organization to truly understand their environment and patch efficiently, and that the best way to facilitate that might be to standardize on as few platforms as possible.The homogeneity of the environment will both simplify the  patching and vulnerability management AND make the environment easier to understand and thus protect.  This gets back to a fundamental concept in securing anything: you can’t protect what you aren’t aware of. Continue reading

« Older posts Newer posts »
Verified by MonsterInsights