
Latest News From Blog


Red Team vs. Blue Team: What’s the Difference?

The software industry often borrows names and processes from the US Army. One example is when the army splits its team into blue and red. The blue one is defending a target, and the red one is attacking. Some software companies adopted the same approach. The blue team consists of experienced experts responsible for keeping company assets secure. In turn, the red team specializes in finding a way to bypass security measures. Find out why you should have a dedicated red team that constantly tests your cybersecurity and how your organization can benefit from creating its own red and blue teams.

The blue team is responsible for maintaining an IT infrastructure. They are defensive security professionals. Areas of their specialization include:
- network,
- identity management,
- cloud,
- user devices,
- and many more.

The required skillset depends on the company's infrastructure. Together they ensure that all solutions are properly configured and maintained so that all company assets are secure. Their skillset consists of understanding the company security strategy, analytical skills to identify threats, and hardening skills. That means they know how to reduce the attack surface and eventually spread security awareness in the organization.

Examples of blue team exercises

The blue team implements a set of exercises to verify security. The first (and key) step is ensuring that all security devices and tools deployed in the organization are properly configured and up-to-date. That means checking the firewall, IDS/IPS and antivirus configuration hardening, and update management. The blue team needs to ensure that access to assets in the company is limited. They do it by reviewing permissions to networks and assets in general, using the least-privilege access concept. That means the user should not have access to something they do not need.

The best way to grow in a blue team is to monitor new public security tools and verify if they are correctly detected or blocked. It is a great way to ensure that the team is aware of the newest threats and whether current tools and processes are sufficient to handle them properly. The results from such exercises are:
- improved knowledge of the blue team members,
- new detection rules in detection and prevention systems,
- configuration improvements,
- and scheduling urgent software updates.

Another exercise the blue team can do is to look for publicly available servers under the company DNS address. They do that to ensure that all of them are monitored and properly managed.

What is the red team?

A red team can simulate attacks on company assets. They consist of security professionals qualified in:
- network,
- application,
- operating system security vulnerabilities,
- malware development,
- social engineering,
- and sometimes hardware and physical security.

Their skillset is similar to what malware operators or hacking groups like LAPSUS$ have, but they use it only ethically. They develop TTPs (Tactics, Techniques, and Procedures) to simulate already known and new attacks. As many companies use different software and have various infrastructure approaches, it requires a great effort to ensure that the team can deliver satisfying results for the exercises. For example, there can be a massive difference between attacks on on-premises infrastructure and attacks on cloud-based infrastructure.

Examples of red team exercises

Depending on the team structure, red teams may work to break security controls to achieve target access. They can learn how to execute sophisticated attack techniques using training, research, and publicly available articles and tools. Sometimes these security teams arrange access to widespread business tools. They do that to see how they work, and to find security vulnerabilities or common misconfigurations that they can use for attacks. For learning purposes, the IT security community provides applications and virtual machines that are deliberately broken. That way, they want to show typical vulnerabilities for specific cases.

With all that knowledge, red team members can provide attack simulations to test the security controls of an organization. Typically there is a specific target. It can be, for example, Domain Admin in Active Directory services, high-value data in the database, or proof of getting access to a restricted area. Another thing to clarify before the test is to confirm the scope. A team needs to agree on what to attack, what is prohibited, and who to contact in case of any issues. A good example is a letter stating that this is a test, with contact info for the person responsible for the test on the company side. After the tests, the team delivers a report with the scope, findings, and recommendations. It may contain all of the executed steps so that blue team members can review them, find blind spots and remove them.

Security systems are getting more complex each day. More and more processes are being automated and moved to the company infrastructure. Companies are using new web and mobile applications, appliances, and even Internet of Things devices. In the age of digital acceleration, it is the only way to keep up with the market.

Benefits of the red team vs. blue team approach

Unfortunately, each of these elements is a potential security risk if not properly assessed and verified in the whole environment. Blue teams can do their best given limited budgets, headcount, experience, and priorities to ensure the company is safe. But even then, there is a risk that they missed something or prioritized wrongly. And then the breach can happen. That is why red team exercises on company assets are crucial to assess a security posture. By doing such exercises regularly, it is possible to limit how long a vulnerability is present in the system and how severe the damage it can introduce is. It is also a good idea to retest fixes as soon as they are published. That way the team can be sure that they are sufficient to resolve the vulnerability. It is also worth noting that even if no vulnerabilities were detected in a recent test, the threat landscape is still evolving. New approaches and techniques to break into systems are invented every day. Finally, it is a good way of elevating awareness about social engineering attacks in the whole organization.

Purple teaming

Quite a new approach for collaboration between the blue team and the red team is a security methodology called purple teaming. That means closer cooperation between the teams to improve spreading awareness and boost the performance of all team members. For a red team member, it is valuable to see how defenders usually work with the services they need to protect. In turn, a blue team member can learn new attack techniques and tools with initial research delivered by a red team member. Purple teaming can improve the security posture of an organization. Keep in mind, though, that if there is no red team present in the organization, such exercises can be arranged together with penetration testing as a form of a workshop.


What is Cybersecurity and Why It is Important?

Cybersecurity is the practice of defending internet-connected devices and services from malicious attacks by hackers, spammers, and cybercriminals. The practice is used by companies to protect against phishing schemes, ransomware attacks, identity theft, data breaches, and financial losses.

Look around today's world, and you'll see that daily life is more dependent on technology than ever before. The benefits of this trend range from near-instant access to information on the Internet to the modern conveniences provided by smart home automation technology and concepts like the Internet of Things. With so much good coming from technology, it can be hard to believe that potential threats lurk behind every device and platform. Yet, despite society's rosy perception of modern advances, the cyber security threats presented by modern tech are a real danger. A steady rise in cybercrime highlights the flaws in the devices and services we've come to depend on. This concern forces us to ask what cyber security is, why it's essential, and what to learn about it.

What is Cyber Security?

Cyber security is a discipline that covers how to defend devices and services from electronic attacks by nefarious actors such as hackers, spammers, and cybercriminals. While some components of cyber security are designed to strike first, most of today's professionals focus more on determining the best way to defend all assets, from computers and smartphones to networks and databases, from attacks.

Cyber security has been used as a catch-all term in the media to describe the process of protection against every form of cybercrime, from identity theft to international digital weapons. These labels are valid, but they fail to capture the true nature of cyber security for those without a computer science degree or experience in the digital industry.

Cisco Systems, the tech conglomerate specializing in networking, the cloud, and security, defines cyber security as “…the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.”

How Does Cyber Security Work? The Challenges of Cyber Security

Cyber security encompasses technologies, processes, and methods to defend computer systems, data, and networks from attacks. To best answer the question “what is cyber security” and how cyber security works, we must divide it into a series of subdomains:

Application Security

Application security covers the implementation of different defenses in an organization’s software and services against a diverse range of threats. This subdomain requires cyber security experts to write secure code, design secure application architectures, implement robust data input validation, and more, to minimize the chance of unauthorized access to or modification of application resources.

Cloud Security

Cloud security relates to creating secure cloud architectures and applications for companies that use cloud service providers like Amazon Web Services, Google, Azure, Rackspace, etc.

Identity Management and Data Security

This subdomain covers the activities, frameworks, and processes that enable the authorization and authentication of legitimate individuals to an organization’s information systems. These measures involve implementing strong information storage mechanisms that secure the data, whether in transit or residing on a server or computer. In addition, this subdomain makes greater use of authentication protocols, whether two-factor or multi-factor.

Mobile Security

Mobile security is a big deal today as more people rely on mobile devices. This subdomain protects organizational and personal information stored on mobile devices like tablets, cell phones, and laptops from different threats like unauthorized access, device loss or theft, malware, viruses, etc. In addition, mobile security employs authentication and education to help amplify security.

Network Security

Network security covers the hardware and software mechanisms that protect the network and infrastructure from disruptions, unauthorized access, and other abuses. Effective network security protects organizational assets against a wide range of threats from within or outside the organization.

Disaster Recovery and Business Continuity Planning

Not all threats are human-based. The DR/BC subdomain covers the processes, alerts, monitoring, and plans designed to help organizations prepare for keeping their business-critical systems running during and after any sort of incident (massive power outages, fires, natural disasters), and for resuming and recovering lost operations and systems in the incident’s aftermath.

User Education

Knowledge is power, and staff awareness of cyber threats is a valuable piece of the cyber security puzzle. Giving business staff training on the fundamentals of computer security is critical in raising awareness about industry best practices, organizational procedures and policies, and monitoring and reporting suspicious or malicious activities. This subdomain covers cybersecurity-related classes, programs, and certifications.


Cybersecurity career mistakes

I have personally made many mistakes during my career. Does that qualify me to give advice? I am not sure. Nevertheless, as a cautionary tale, I can list some mistakes that you potentially want to avoid if you can recognize them.

Mistake 1: Going against the flow

If you can identify themes and ride them, it will take you farther than fighting them. For example, when terms like APT, Zero Trust, etc., become popular, you will fare better by discussing what they are, their impact, or how any industry, country, or population can be affected. You can’t go wrong with “The impact of APTs in bakery shops led by Latinos in Canada”, for example.

Mistake 2: Not understanding your strengths

There are many personal qualities that can make you more successful in particular roles. Understand what your soft skills, hard skills, communication, empathy, technical capability, etc., are, and play to them. There are so many different roles, technical and managerial, that for sure there is something where you are a great fit.

Mistake 3: Not taking care of your network

As your career advances, what you know is less important, and who you know becomes more important. It does not matter if you are looking for your next position, selling products or services, or finding providers. Contacts normally will take you farther faster than going solo. A nice way to gain contacts is by participating in professional associations.

Mistake 5: Losing a feel for the job market

Giving up opportunities out of comfort is a short-term win, a long-term loss. Avoiding change because you don’t want to move to another country, or because your current position is too cozy, may lead to missing opportunities that may not come back. Yes, there are other things in life than your career. Your mileage may vary.

Mistake 6: Not learning things that are not technical

While it is possible to spend your whole career doing only one thing, you probably would prefer to move to higher, better-paid positions. This implies learning about project management, business management, marketing, etc. Remember, cybersecurity is a business. Rather than getting many certificates on the same subject, it is better to go for a variety, including outside of cybersecurity.

Mistake 7: Not getting professional certifications

Going back to mistake No. 1, it does not matter if you agree with what they teach or not. Most companies don’t have people qualified enough in cybersecurity, even in the IT department, to evaluate if YOU are qualified, so they use certifications to filter candidates. Get at least a couple of relevant certificates to make sure you make it to the interview phase.

Mistake 8: Waiting for someone to promote you

Getting promoted while in the same company happens less frequently than moving up when changing jobs, in my experience. Also, a promotion is not something someone grants to you by saying: “Hey, now you are Senior CyberWhatever.” YOU make yourself Senior/Chief/VP et al. by doing the deeds of the position before you are named. When someone “promotes” you, most of the time they are just catching up with the reality of your current responsibilities and duties.


A day as an MDR analyst

What is an MDR analyst?

Managed Detection and Response (MDR) entails the outsourcing of cybersecurity to a third party for the purpose of protecting an organization where time and scope would otherwise not allow. An MDR team would step in to manage the security and safety of the organization. This is often done by utilizing a mix of automated, reactive, and proactive responses to threats, including threat intelligence, 24/7 monitoring, and incident response, all carried out by a team of experienced security analysts.

Day in the life

Every MDR team manages its day-to-day operations differently, but efficient planning is key when analyzing different types of data from multiple international companies with hundreds or thousands of users and devices.

On a day-to-day basis, we utilize a mix of Extended Detection and Response (XDR) and Security Information and Event Management (SIEM). XDR's holistic, SaaS-based, vendor-specific security implementations allow for deep and narrow threat response, and SIEM's broader scale makes the two work hand-in-hand for a holistic approach to mitigation, protection, and remediation.

Our SIEM solution helps the analyst coming on shift by generating incidents based on log data and detection rules, alerting them if something worth investigating occurs. As part of daily life, we examine these incidents and the potentially malicious or suspicious activity behind them to determine if it’s benign, a false positive, a true positive, and so on.

Finding false negatives is also important, which is done through proactive threat hunting and tweaking the existing analytics rules we’ve developed. For me personally, this is a big part of my day-to-day as I work closely with the detection indexes we use, letting me practice my KQL and improve my understanding of database and log management. Once one of my (or another analyst’s) detection rules triggers, we open and investigate the incident, remediating and blocking the risk as needed.

If the shift leaves time for it, after customers' needs have been tended to, there’s usually time to work on improving our environment via Agile Continuous Service Improvement. This is more specifically handled through planning cards, which can range from programming tasks, reviewing analytics rules, crafting detection indexes, building logic applications or playbooks, or anything that needs doing, really. This also enables the opportunity to develop within the field of your choosing, be it forensics, red teaming, blue teaming, or some specific XDR or SIEM solution.

Relatedly, the shift often ends or begins with some banter or chatting with coworkers, where people share knowledge and help one another with potential blockers, or we discuss new CVEs and developments in different fields or tech.

Critical Incidents

While critical incidents hopefully don’t occur just as one has stepped off shift, once the alarm is raised, it’s all hands on deck. People who aren’t on shift hop on at least to get the updates and details regarding the situation and to hear from the incident leads. Sometimes other teams within Onevinn are pulled in to operate within their areas of expertise, such as mobile or application security, act as incident leads, or keep open communication with the customer.

After that, we follow a priority schema: assuming it’s a cyber-attack, assets may need to be secured, or attackers need to be removed from the network. We analysts work methodically, asking for help as needed and contributing to the securing of the customer’s infrastructure. The work itself can be challenging, but with the combined knowledge and experience of our seniors, we’re able to learn at a remarkable pace without the stress of imminent failure affecting the quality of the work. In fact, despite the risk of long hours or overtime work, the first time I personally joined in during a big incident in my time as a part-timer, the first thing I heard was a cheerful conversation. Maintaining focus and positivity throughout critical incidents is key, and for that, we have one of the best teams I’ve ever seen.


Can Docker containers replace VMs for bug bounty hunters and penetration testers?

I recently had the opportunity to build out a penetration testing service offering from the ground up, and I took this opportunity to question each aspect of what makes up a penetration testing engagement to find areas that could be improved or overhauled based on my own experience and the experiences of others in the field.

Dedicating some time to this was a great experience and is a thought process that I hope every penetration tester and technical professional takes the time to go through. One of the more interesting parts of the work we do is to look introspectively into the value that we offer, and how we can maximize our value. Refining how we go about things is a great way to provide greater value.

There were many things to consider, and we may talk about some of those things in the future, but the aspect of penetration testing I want to talk about today is the infrastructure we use to conduct a penetration test.

What do we need from our infrastructure?

Penetration testers and bug bounty hunters typically use an environment separate from their BAU environment to conduct their testing. The main reasons for this include:
- The tooling we use for security testing is specialised and very different from the software we use day-to-day.
- We need to isolate the data collected throughout an engagement to protect sensitive information about our clients and targets.
- We need to run scripts and tools that we would not be comfortable running in an environment that has access to other sensitive files and resources.
- We want to allocate dedicated computing resources for testing so we are not confined to the computational power of our workstations.
- We need to allow long-running tasks and listeners to operate without interruption caused by our day-to-day movements.
- We need to allocate a static IP address or IP range from which all traffic originates, so our clients can be aware of where testing traffic is coming from and perform any allow-listing that needs to occur.

These factors largely apply to all types of security testing; however, the way we achieve these needs may differ depending on the type of test. For example, the tools we need for wireless network testing are very different from the tools we need to test a client’s external network footprint. I specialize in web application security testing, so this post will focus on the infrastructure used for this type of engagement. You may have different needs and approaches if you do other forms of security testing.

What are some limitations of using VMs for our testing environment?

I am all for trying out new tools and techniques to find better ways of doing the work that we do, but before we throw out tried-and-tested approaches, we need to be aware of the strengths and limitations of existing approaches to warrant the research and upskilling that is necessitated by adopting a different approach. What I mean by this is: why don’t we just use VMs?

I understand that I am not speaking for all security professionals, but my experience talking with people in infosec and watching what others do online suggests that virtualization is the most common way we achieve the requirements listed above. We spin up Kali or another Linux distribution in a VM, and we can either do that locally on our workstation, on a dedicated server on-premises, in a data center, or in the cloud.

When following this approach, there are a few limitations and considerations that came to mind that made me think it was worthwhile exploring other options:

Maintaining a hardened SOE is a pain

Like any operating system we use, the operating system we use for testing needs to be hardened. One approach to hardening the OS used by each of our security testers is to maintain a single Standard Operating Environment (SOE) so that each of our testers can use a common hardened image. This is an important but time-intensive process, and every hour spent updating or rebuilding an SOE is time that could be better spent hacking, upskilling or building out tooling.

Standard VMs make custom configuration difficult

On top of the effort that goes into updating and maintaining an SOE, there is all the effort that is spent by the testing team to start using the new SOE. There is significantly more time lost in this stage, as the effort is multiplied for each tester that needs to go through this process, rather than the individual or small team of people in charge of maintaining the SOE. The issue here is that, while we may follow similar base methodologies, each tester has their own set of tools and configurations that they feel most comfortable using to be productive and get the job done. This means that each time a new SOE is pushed out, the tester needs to download the image, set up a new VM, then download and set up all their favorite tooling all over again. A seasoned security professional might script this process or utilize some build tooling to make it a little faster, but I know I find this a little dull and laborious.

New technologies are available that could be viable alternatives

There are a number of technologies that have become widely adopted by software developers and operations teams that may be suitable for what we need. More organizations are moving their computing into the cloud, and the pervasiveness of DevOps and web technologies in the software development space has brought Docker, Kubernetes, serverless computing, CI/CD pipelines, and many other technologies into widespread adoption. At this point, it seems sensible to reevaluate whether VMs are the optimal way to manage penetration testing infrastructure.


Knowledge Objects in Splunk.

Knowledge objects are various sets of classifications and constructs that make up Splunk's data enrichment structure. They are how Splunk organizes meaning and stores it in a reusable form, so you can share efforts and build on the ideas of others. Fields, searches, and reports are all examples of knowledge objects.

A collection of knowledge objects that address a particular use case is called an app. Knowledge objects that service other apps in some way are called add-ons. You can develop apps and add-ons for your own use, and you can also find apps and add-ons created by Splunk and other users on Splunkbase, so you need not reinvent the wheel. A Splunk-certified architect has a thorough understanding of the Splunk Deployment Methodology and best practices for planning, data collection, and sizing for a distributed deployment, and is able to manage and troubleshoot a standard distributed deployment with indexer and search head clustering. Splunk also offers full-scale solutions, which are apps and add-ons that address advanced use cases for whole business areas and industries: Splunk.com > Solutions.

Knowledge object: a user-defined block of logic that permits you to leverage your data in specific ways to infer meaning from it. Knowledge objects are the units Splunk uses to interpret, classify, enrich, normalize, and model data. You can create, edit, save and share knowledge objects.

Splunk apps: a group of knowledge objects that address specific use cases. Splunk apps run in Splunk Web, and you access them from the home page or the Apps menu. A Splunk app can include elements like a custom UI with dashboards, reports, and custom search commands. They are not compiled software like a phone app, so don't worry, you need not be a coder.

Splunk add-ons: a kind of app that provides specific capabilities to other apps, like getting data in, mapping data, or providing saved searches and macros for use by one or more apps. Add-ons don't contain a full UI, and often provide some custom configurations or data inputs. An add-on is a reusable component that supports other apps across a variety of use cases.
