Practice simplicity

Seek to be proactive, rather than reactive

Think creatively, but adhere to standards

Employ best practices

Sandfly Security

toolsmith #151: Agentless Linux security with unmatched speed and reliability

Sandfly Security, headquartered in New Zealand (where they know sandflies all to well), refers to itself as such because they’re like sandflies: they relentlessly bug and discourage intruders, deploying like a swarm onto endpoints, then disappear only to return again and again. Theses swarms of checks make life miserable for hackers on Linux hosts while minimizing system impact. I’ve been following Sandfly’s Craig Rowland on Twitter for awhile with the intent of giving Sandlfy a look for toolsmith, and in the time I’ve kept watch, the offering has grown into a comprehensive and robust platform for Linux security.

[Read More]

EDA with CISSM

toolsmith #150: Exploratory Data Analysis with University of Maryland's Center for International and Security Studies Cyber Attacks Database

Introduction

Exploratory data analysis (EDA) is a mission critical task underpinning the predominance of detection development and preparation for cybersecurity-centric machine learning. There are a number of actions that analysts can take to better understand a particular data set and ready it for more robust utilization. In the spirit of toolsmith, and celebration of this being the 150th issue since toolsmith’s inception in late 2006, consider what follows a collection of tools for your security data analytics tool kit.

[Read More]

Prowler v3 - AWS & Azure security assessments

As a current Google Cloud Platform defender, and former Microsoft Azure defender, I appreciate any tool or capability intended to provide multi-cloud protection. As noted via LinkedIn, Toni announced the release of Prowler v3 just before Christmas. Prowler v3 is a complete overhaul of Prowler, fully rewritten it in Python. Prowler is an open source security tool to perform AWS and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. [Read More]
cloud  Azure  AWS  GCP  OCI 

Chainsaw

toolsmith #148: Hunt, search, and extract event log records

/post/chainsaw/logo-thumb.PNG
I first spotted Chainsaw courtesy of Florian Roth’s Twitter feed given that Chainsaw favors using Sigma as one of its rule engines. Chainsaw is a standalone tools that provides a simple and fast method to triage Windows event logs and identify interesting elements within the logs while applying detection logic (Sigma and Chainsaw) to detect malicious activity. Chainsaw’s powerful ‘first-response’ capability offers a generic and fast method of searching through event logs for keywords (Kornitzer & D, 2022).

[Read More]

EPSScall - An Exploit Prediction Scoring System App

toolsmith #147: EPSScall - Shiny app for the EPSS API

If you follow Cyentia Institute’s Jay Jacobs via social media you may FIRST ;-) have learned about the Exploit Prediction Scoring System (EPSS) from him, as I did. I quickly learned that FIRST offers an API for the EPSS Model, which immediately piqued my interest. Per FIRST, EPSS provides a fundamentally new capability for efficient, data-driven vulnerability management. While EPSS predicts the probability (threat) of a specific vulnerability being exploited, it can scale to estimate the threat for multiple vulnerabilities on a server, a subnet, mobile device, or at an enterprise level (Jacobs, 2022).
“The (EPSS) is a community-driven effort to combine descriptive information about vulnerabilities (CVEs) with evidence of actual exploitation in-the-wild. By collecting and analyzing these data, EPSS seeks to improve vulnerability prioritization by estimating the likelihood that a vulnerability will be exploited. The EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that a vulnerability will be exploited (in the next 30 days)” (Jacobs, 2022).
As of February 2022, EPSS version 2 is available; give Jay’s write-up a good read before proceeding. EPSS v2 is preceded by EPSS v1 and CVSS v3. Note the significant increase in model coverage and efficiency per Figure 1.

/post/147/Figure1-thumb.JPG
Figure 1: EPSS Comparison by Effort

[Read More]

LotL Classifier tests for shells, exfil, and miners

toolsmith #146: A supervised learning approach to Living off the Land attack classification from Adobe SI

Happy Holidays, readers!
First, a relevant quote from a preeminent author in the realm of intelligence analysis, Richards J. Heuer, Jr.:
“When inferring the causes of behavior, too much weight is accorded to personal qualities and dispositions of the actor and not enough to situational determinants of the actor’s behavior.”
Please consider Mr. Heuer’s Psychology of Intelligence Analysis required reading.
The security intelligence team from Adobe’s Security Coordination Center (SCC) have sought to apply deeper analysis of situational determinants per adversary behaviors as they pertain to living-off-the-land (LotL) techniques. As the authors indicate, “bad actors have been using legitimate software and functions to target systems and carry out malicious attacks for many years…LotL is still one of the preferred approaches even for highly skilled attackers.” While we, as security analysts, are party to adversary and actor group qualities and dispositions, the use of LotL techniques (situational determinants) proffer challenges for us. Given that classic LotL detection is rife with false positives, Adobe’s SI team used open source and representative incident data to develop a dynamic and high-confidence LotL Classifier, and open-sourced it. Please treat their Medium post, Living off the Land (LotL) Classifier Open-Source Project and related GitHub repo as mandatory reading before proceeding here. I’ll not repeat what they’ve quite capably already documented.

[Read More]

Zircolite vs Defense Evasion & Nobellium FoggyWeb

toolsmith #145: a standalone SIGMA-based detection tool for EVTX and JSON

I’m pleased to be back sharing outstanding tools for security practitioners with you after an extended time out to finish my Ph.D.
Here now, in our 145th installment of toolsmith, we discuss Zircolite, a standalone and fast SIGMA-based detection tool for EVTX or JSON, a fine tool brought to us courtesy of @waggabat. Zircolite’s GitHub repo tells you absolutely everything you need to know, and the documentation is more than adequate, so I’ll repeat only this:

  • Zircolite is a standalone tool written in Python 3 allowing to use SIGMA rules on Windows event logs
  • Zircolite can be used directly on the investigated endpoint or in your favorite forensic/detection lab
  • Zircolite is fast and can parse large datasets in just seconds
  • Zircolite can handle EVTX files and JSON files as long as they are in JSONL/NDJSON format
  • Zircolite can be used directly in Python or you can use the binaries provided in releases
[Read More]

Abstract: Improved Security Detection & Response Via Optimized Alert Output - A Usability Study

Cut the noise, hone the signal

Once in a while, you get shown the light in the strangest of places if you look at it right ~Garcia/Hunter

I’ve been absent here for many months, but it has been with purpose. My dissertation, Improved Security Detection & Response via Optimized Alert Output: A Usability Study, is complete, and I’ve successfully defended it; pursuit of my PhD is complete, a new journey begins. I’ll begin with posting the abstract here. I’m in the midst of the dissertation publishing process, but once ready, it will be available in a fully open source capacity, no paywalls or subscription required. I’ll also share all the data (fully anonymized) as well as statistical routines and analysis in R. I’ll continue to post the related artifacts, including to full dissertation in via the R bookdown and thesisdown packages. I look forward to sharing this research with you while discussing it in a variety of forums and extending it to additional research opportunities. Stay tuned here for more.

[Read More]

toolsmith snapshot: Adversary Simulation with Sim

Emulate user actions on a system

/post/sim/adversary-thumb.JPG
Art by Juan Casini

I spotted Sim via Twitter and was immediately intrigued as I advocate strongly for any tools and features that enable configurable adversary emulation. Adversary emulation enables blue teams to validate and optimize their detection portfolio and thus determine the true efficacy of their detective capabilities. I do not consider any detection that has not been tested via direct purple or red team engagement, or via automated adversary emulation, as production ready. Per her GitHub repo, Hope Walker’s Sim is a C# application, configured via an XML file, that performs tasks based on the configuration to resemble user actions on a system in order to facilitate training and education. As a long time SOC and DFIR manager, training for me includes “training” detection and models to ensure optimal performance. IceMoonHSV’s projects appear to be fairly recent contributions to our community, I applaud Hope’s work here and offer a hearty welcome.

[Read More]

Security Detection and Response Alert Output Usability Survey

Scenario-based Research for Cybersecurity Analysts and Managers

As a PhD candidate at Capitol Technology University I’m conducting a scenario-based security detection & response alert output usability survey for cybersecurity analysts and managers in Security Operation Center (SOC), Digital Forensic and Incident Response (DFIR), Detection and Response Team (DART) & Threat Intelligence (TI) roles. These roles often make use of output from detection methods including machine learning & data science. Individual contributors & managers alike are welcome.
The purpose of the research is to determine if there is a statistically significant difference in security analysts’ preference and acceptance between text alert output (TAO) and visual alert output (VAO) derived by these methods.
The survey should take 20 minutes.
https://www.surveymonkey.com/r/TAOvsVAO

[Read More]
SOC  Blue Team  DFIR  DART  Survey  TI