Raiders of the Lost ARP

Amateur Security Archaeologists, trying not to break things.


Target Recon Phase: Don’t make it too easy!

Most adversaries have a plan. Those plans vary greatly – in both complexity and rigor – from actor to actor, target to target. As we’ve discussed in prior posts, adversary plans are usually built from repeatable procedures – techniques and sub-techniques. The power of MITRE’s ATT&CK, CAPEC, or LMCO Kill Chain is that they help us track behaviors. Most of the time, I see organizations rush to address techniques through either detection & visibility or through protection. I think we all could use a dash of prevention – not just policy, but waaaay out front. We need to make even the selection of the plan difficult, and to reveal so little that the bad guys struggle to select the right plans. So let’s talk about making the recon phase hard for the adversary!


What’s causing Mike’s Indigestion now? Taking patients hostage (1 Mar 2024)

Whoa, what a week! We’re seeing a lot of the organizations I have the privilege to talk to battling a confluence of ransomware events. All the while, the battle between law enforcement and those threat actors is playing out in the open. If you prefer your news to be steadily bad, there are stories for you there as well. So let’s get right into the top news, where threat actors are taking patients hostage.


What’s causing Mike’s Indigestion now? Malice in Chains (15 Feb 2024)

Good evening, folks! Sorry for the delay in getting back to normal cadence. The last couple of weeks have been a blur. Cisco Live EMEA was busy yet rewarding, but I managed to get sick on the way back. Perhaps most importantly, it was a rough week for some colleagues I deeply respect. If you need help I can offer, please let me know folks! For now, let’s round up some threat and vuln updates with supply chains, VPN devices, and AI taking center stage.


Membership has its benefits: Using ATT&CK for Insider Threats

Happy Monday folks! I’m super excited to be getting back to it and blogging about some cybersecurity goodness. I’ve picked up a ton of cool ideas after a long but fantastic week in Amsterdam for Cisco Live Europe. Once again, my buddy Mark Stephens and I presented an Interactive Breakout called “Empty Threats – Building Your Own Cyber Threat Picture”. Offered at the last 4 Cisco Live US and Amsterdam events, each is a goldmine. What I love about these sessions is that our customers teach us so much about how they tackle security problems. Last week’s iteration did not disappoint. We had a fantastic discussion around using ATT&CK for insider threats. An attendee named Tommy brought up the question of how we factor them in, weigh their TTPs, etc. As with so many of these interactions, I am now thinking a lot about how to carry that forward. Let’s see how we might tackle this thorny topic!


This is the Way: Beginning my Cyber Threat Intelligence Journey

As I have gotten older, I find I’m less eager to learn the depths of every technical solution, and I have been searching for my happy place. Since my SANS studies, I have gravitated towards an area that is – from what I can see – fun as heck. That area? Cyber Threat Intelligence (CTI). My rookie impression is that this vast world is understaffed and under-supported, and this might be because organizations are so busy looking for operators that they don’t classify this role as mission critical. Fast forward to today: I spent a good part of the day listening in to the SANS CTI Conference virtually, and I took away two things. First, there are some wicked sharp folks who have a passion for this area. Second, while I am not likely to become a full-fledged CTI professional, I sure want to learn more and incorporate what I can to help organizations see CTI’s value. This post launches my cyber threat intelligence journey.
