I am the man in the lighthouse for my org. Full #DFIR owner - IR, TH, TI, FOR. Alerting. Vuln mgmt. Threat mgmt. Brush up against policy. Teaching governance that Availability is part of security. Finally got my Masters. #Sho'nuff
Just because you are in the midst of a pen test // red team exercise doesn’t mean the malicious behavior belongs to the red team. Physical penetration attempts, phishes, and other means of entry are still being used by adversaries while testing is occurring. The real adversaries don’t care about your calendar. #infosec #blueteam
Reacher Season 1 on Amazon Prime Video is actually shockingly good? No joke. Go check it out. It knows exactly what it is and that is joyous. It’s a show entirely about how all your problems are solved by being tall.
That's the point. We dig in and see everything digital, and realize what goes wrong. So we work and invest to the point when we don't need to do anything digital ever again.
When it comes to logging, it's always better to know. Even when it's a VIP with a questionable search history or password.xls file (no I did not misspell the extension).
I spend time IRL helping people understand what getting into the industry looks like, what entry level really means, and helping people understand hard choices as the career advances.
I've been #infosec for over 16 years. Feel free to reach out.
I was watching a Jacque Pepin video on his take on an easy at home croque monsieur. While making it he started talking about the croque madame variation. Nowadays a croque madame is usually a croque monsieur with a fried egg on top. He was saying when he began his career the difference between the two was that a croque madame, at least in Paris, was made with turkey instead of ham. Interesting food history tidbit. #FoodHistory #food #history #cooking #FrenchFood
#infosec #blueteam
I have a weird issue and I need some help. I am dealing with an adversary who is impersonating our brand, but has now hidden the impersonation behind a login page as a way to stop takedown efforts. In order to register, they don't want an e-mail, they want a phone number in their country code to which a verification text message is sent.
Is there an app or service like the google phone service that can let me send or receive text messages from a number in another country?
Reminder. For #infosec cyber defenders, there’s only one thing you can find where you are required by law to notify the feds immediately, before even your employer.
I am extremely fortunate I’ve never run into it, but I know #blueteam and #dfir people who have.
Always be the good guys. And leave these bad guys to the professionals. The amateur ‘catch a predator’ people have fubar’ed cases by not following legal procedure. Don’t give the villains an out.
Remember to conduct yourself internally assuming you will have a public audience. Because someday you might.
Was recently discussing a legal retention requirement in company chat. Made sure to be completely forthright and formal about responsibilities. Can’t play with that stuff.
@jerry yes. The people forcing everyone back are thinking back to the 07-08 housing crisis and what that did to their 401k investments. The logic behind that crisis that allowed such risky investments was “who doesn’t pay their mortgage?” Before March 2020 it was “who doesn’t go into the office?”
Commercial real estate (CRE) isn’t about paid off properties, it’s about cash flow, construction costs of build to suit, and selling when credit requirements and cash on hand require it. It’s like an NFL team. The banks aren’t paid off until the teams are sold, because their value never goes down. Even if some CRE values went down, no one imagined it would collapse like housing.
Please review your threat actor naming policies. Having to explain to senior leadership that entities with names akin to APT Spunking Platypus are not names I generated is not a pleasant experience. You undersexed perverts.
I have a series of rules I live by, that apply equally to life as well as my career in #infosec.
Rule #1: Give your adversary every opportunity to make a mistake.
From an Incident Response standpoint, we look at the kill chain. Until the adversary has reached Actions on the Objectives (and even then) the game is still ongoing. Snake oil peddlers will trot out the line "the bad guy only has to be right once to get in." Getting in isn't the end of the game. All getting in means is the play is in motion. A properly prepared home field means there should be plenty of hurdles and detection opportunities to discover, and take action on, the adversary.
In life, sometimes there are defined win conditions, and there aren't. Your goal should be to understand your win conditions and work toward that. If an adversary's win conditions don't conflict with yours, there's no reason to get in the way. You need to know what you're working towards, so you can recognize behavior that isn't getting in the way, and you don't spend cycles on it. This is the skier's process of focus on where you want to go, not the tree.
When adversaries are trying to interrupt your win condition, your best opportunity is to figure out theirs, and let that guide your response to get them out of the way of yours.
A classic example is that one person at work with just enough power to gum up the project. Maybe they aren't getting resources for what they need. Perhaps they are heading to irrelevance and are using what power they have for its own sake. Maybe they just don't feel heard. Find out their pain points and steer them towards solutions. It's not as gratifying as going to their manager and launching a nuke, but you can make incremental progress towards your win conditions, rather than scorch alternate paths to victory.
The goal isn't to stop them, it's to achieve your win conditions. Sometimes by offering to help, they use their attitude and self-righteousness to flex and end up isolating themselves, clearing a path for you. Sometimes you turn an adversary into an ally with longer-term benefits.
Force an adversary to make choices, and eventually they make a wrong one. Use it.