7MS #462: Pentesting with the Hak5 Key Croc

This is part 2 of a series focusing on public speaking - specifically for the ILTACON conference happening in Vegas this week. In this episode I share a high-level walkthrough of my talk and the 10 "Blue Team on a Budget" tips that the talk will focus on. These tips include: Turning up Windows auditing and PowerShell logging Installing Sysmon Installing Security Onion Don't put too much faith in endpoint protection Keep an eye on Active Directory Install RITA Deploy a Canary Use strong passwords Install LAPS Scan and patch all your things

17 Aug 201711min

Seems like every business I meet with needs some sort of help in the patching department. Maybe they've got the Microsoft OS side of the house under control, but the third-party stuff is lacking. Or vice-versa. Either way, the team I work with is excited to kick the tires of some popular patching solutions over the next few weeks, and we'll audibly barf up what we learn into this mini-series! Solutions we'll poke around with include: Ninite ManageEngine PDQ Deploy PS: None of these solutions are sponsoring 7MS. They're just popular patching solutions we're trying out to learn more about 'em and give you the pros/cons we discover! In today's episode I dive a bit into... Ninite Pros Cheap Does one thing, and does it well Been around for a long time Cloud-based - doesn't rely on LAN-side server Cons Only cloud-based...no LAN-side option Requires an agent Agent's only purpose is patching - no extra bells/whistles like remote control or inventorying capability

10 Aug 201710min

I spent a bunch of time with Security Onion the last couple week's and have been lovin' it! I ran the install, took all the defaults, ran the updates, and pretty much just let it burn in on my prod (home) environment. After a few days, I went back to check the Security Onion dashboard to check the alerts. There was a bunch of benign stuff (computers pinging each other, Dropbox broadcasting to the network) but also a couple interesting finds - SO caught one of my VMs downloading (intentionally) Invoke-Mimikatz. The dashboard allows you to see transcripts of file downloads like this, as well as a tool called Network Miner to extract a copy of the downloaded file for further analysis. One thing the SO didn't pick up on was the DNS-based C2 tunnel I setup on a test victim client. However, it turns out RITA works great for exactly this type of analysis - it reported the huge number of DNS requests from my victim client to the C2 server. Very helpful info for an incident response situation!

3 Aug 201712min

Documentation is super boring, right? Yet it's critical to getting your client/audience excited about making their security better! In this episode I talk about my mixed feelings towards the "big" standards like ISO/NIST/etc. and how a more tactical, down-to-earth documentation approach might be more effective in some cases. And I think we need our documentation to be much more focused on consultation/remediation and not just "Hey, your security sucks...and these next 100+ pages will tell you exactly why!" We can do better! Yes, this episode is like 18 minutes because, well, I guess I'm really passionate about documentation. :-)

27 Jul 201713min

Been having a blast working with the beta branch of the Sweet Security project and it anxious to try the latest fixes of the beta branch. Give it a look! I also spent a lot of time the last few nights playing with Security Onion and love it. After zipping through the install wizard and hitting reboot a few times you're pretty much good to go. A few recommendations I'd make after those initial reboots though: Run the soup command to update Security Onion with all the latest packages Use ufw to adjust the internal firewall to allow management from ports other than SSH (which is already preconfigured) On a side note, I think you might have to have your vnic in VMWare set to promiscuous mode in order to allow proper network sniffing. Do a wget http://testmyids.com to ensure Security Onion alerts are coming in the squil dashboard security alerts are pouring in. Also, check out this article for some handy tips on threat hunting with Bro. Next up on my "test this out list" is to setup DNS tunneling to a Digital Ocean droplet I setup, and see if the onion picks up on that, or if I can at least get warned somehow about a high amount of DNS traffic.

19 Jul 201712min

Today's episode is a horror story about how I recently lost 5+ years of CrashPlan backups due to what I'm calling a...small clerical error. Yes, this oopsie was 100% my fault, but I think backup providers can do a better job of warning us (via text or automated call rather than just email) before blowing away our life's work.

18 Jul 201711min

This week I've continued to play with the awesome Sweet Security IDS solution you can throw on a Raspberry Pi 3. A big update to share is that there is a beta branch which has some cool new features, such as the ability to break the Bro + ELK stack across multiple machines. I also lost a lot of sleep these last few days playing with Security Onion and will do a future episode focusing only on that!

13 Jul 201710min

I've been wanting to get a Bro IDS installed for a long time now - and for several reasons: It looks fun! My customers have expressed interest It will be part of my upcoming ILTACON session. So this weekend I started getting the hardware portion ready, which includes: Ubiquiti Edge Router X (~$99) TP-Link TL-SG105E (~$35) CanaKit Raspberry Pi 3 Complete Starter Kit (~$70) If you need additional information such as screenshots/configs etc to get the VLANs passing properly from the Edge Router X to TP-LINK switch, let me know. Otherwise for now I'm just focusing on crafting content for part 2, where we'll dive into actually turning the Pi into a Bro sensor using Sweet Security.

5 Jul 201710min