7MS #551: Interview with Matt Warner of Blumira

Today we welcome our pal Matthew Warner (CTO and co-founder of Blumira) back to the show for a third time (his first appearance was #507 and second was #529).

I complained to Matt about how so many SIEM/SOC solutions don't catch early warning signs of evil things lurking in customer networks. Specifically, I whined about 7 specific, oft-missed attacks like port scanning, Kerberoasting, ASREPRoasting, password spraying and more. (Shameless self-promotion opportunity: I will be discussing these attacks on an upcoming livestream on December 29).

Matt dives into each of these attacks and shares some fantastic insights into what they look like from a defensive perspective, and also offers practical strategies and tools for detecting them!

Note: during the discussion, Matt points out a lot of important Active Directory groups to keep an eye on from a membership point of view. Those groups include:

• ASAAdmins
• Account Operators
• Administrators
• Administrators
• Backup Operators
• Cert Publishers
• Certificate Service DCOM
• DHCP Administrators
• Debugger Users
• DnsAdmins
• Domain Admins
• Enterprise Admins
• Enterprise Admins
• Event Log Readers
• ExchangeAdmins
• Group Policy Creator Owners
• Hyper-V Administrators
• IIS_IUSRS
• IT Compliance and Security Admins
• Incoming Forest Trust Builders
• MacAdmins
• Network Configuration Operators
• Schema Admins
• Server Operators
• ServerAdmins
• SourceFireAdmins
• WinRMRemoteWMIUsers
• WorkstationAdmins
• vCenterAdmins