With all of the great detective technology we have today we have a number of ways to track adversary activity. If the threat you're tracking is a human adversary within your enterprise, any gap provides an opportunity for them to reestablish persistence using a different type of malware and a different command and control channel. … Continue reading Tracking Command and Control Communication
For Ignite 2020, Tali and I put together a video covering some demos showing how you can use the Advanced Hunting feature of Microsoft 365 Defender to correlate activity between the various Defender capabilities. Among other things you'll see an example of how to use Defender for Identity and Defender for Endpoint to track down … Continue reading Ignite 2020: Best Practices for Hunting Across Domains in Microsoft 365 Defender
As a former incident responder, anomaly detection was part of my day-to-day job. When an attacker persists on an endpoint or within identity there is typically something that deviates from the norm - whether that be a misspelling, obscure launch string, odd configuration, or just general strange behavior. Because of this, many of the queries … Continue reading Anomaly Detection in Microsoft 365 Defender
If you're new to advanced hunting in Microsoft 365 Defender, be sure to check out the four-part series Tali Ash and I presented in July of 2020. We start with the very basics of Kusto Query Language (KQL) and take you all the way to performing visualizations, performing anomaly detection, and track malicious activity purely … Continue reading Tracking the Adversary with M365 Defender Advanced Hunting
Authenticating to remote services with only a password is a thing of the past. Modern attack techniques make theft and reuse of passwords simple, yet we continue to use them to secure pretty much everything. In this post, we will review the various risks associated with password authentication and discuss what can be done to improve our security posture.
Recently, the Internet has been overrun with ransomware - software designed to take advantage of users by encrypting their data and holding the keys for ransom. In this post, we will use the concepts of access and authorization to assess this malware and better understand why it was so successful.
Think Like a Hacker is designed for systems administrators interested in the cybersecurity field as well as information security professionals interested in secure systems design.
Think Like a Hacker is designed to take an IT professional with an interest in cybersecurity on a journey through how an attacker thinks about a network, while posing new theoretical models on how to analyze their network through the lens of a targeted attacker. This book is not be your typical security book that focuses … Continue reading Prologue – Think Like a Hacker
Determined human adversaries, or DHA for short, have changed the information security game for everyone. Many customers take actions in attempt to evict an emplaced attacker – actions that result in alerting the attacker to the organization’s knowledge of their presence, but don’t truly evict the attacker from the network. In this blog, we will … Continue reading “But I Reset the Password” – Remediating an Enterprise After a Targeted Attack
WannaCrypt has been all over the news lately, discussing its impact and repeating details from cybersecurity analysts. In this post, we look at ransomware and its origins to gain a better understanding of WannaCrypt.