7MS #467: How to Succeed in Business Without Really Crying - Part 9

Hey friends! Today I've got some exciting personal/professional news to share: our Light Pentest eBook - which is a practical, step-by-step playbook for internal network penetration testing - is now available for purchase! Note: this eBook and the Light Pentest LITE training are two separate things, but do cover some of the same topics. The Light Pentest eBook covers: Grabbing and analyzing packet captures Abusing insecure network protocols Exploiting (the lack of) SMB signing Capturing, cracking and passing hashes Locating high-value targets with DNS zone transfers Exploiting vulnerable Group Policy Objects Scraping screenshots of Web interfaces with WitnessMe Finding and cracking "Kerberoastable" and "ASREPRoastable" Active Directory accounts Dumping, passing and cracking hashes from domain controllers The Light Pentest eBook is available now for $7.77, and by purchasing it you are entitled to all future editions/revisions going forward.

28 Sep 20217min

Today our good buddy Joe Skeen and I virtually sit down with Matt Quammen of Blue Team Alpha to talk about all things incident response! Topics covered include: Top 5 things to do and not do during ransomware event Challenges when responding to ransomware events Opportunities to break into infosec/IR The value of tabletop exercises, and some great ideas for conducting your own Incident response stress and success stories Cyber insurance - worth it or not?

22 Sep 202139min

Today our friend Christopher Fielder from Arctic Wolf is back for an interview four-peat! We had a great chat about making sense of vendor alphabet soup terms (like SIEM, SOC, EDR/MDR/XDR, ML, AI and more!), optimizing your SOC to "see" as much as possible, tackling vendor/customer communication problems, and simplifying security product pricing to make purchases less stressful for customers! And don't forget to check out Christopher's first, second and third interviews with 7MS.

15 Sep 202152min

Today we're continuing our series called Desperately Seeking a Super SIEM for SMBs - this time with a focus on a new contender in our bake-off: Perch Security! It might help you to go back and take in part 1 and part 2, but today we're focusing on the first experience I had chatting with the sales/technical folks at Perch. TLDL: I really liked a lot of things I was hearing and seeing. Pros (perceived) include: Simple pricing model Easy to use dashboard Cool "marketplace" of integrations you can add to your instance and start getting alerts for Nice API integration that seemed pretty simple to use - and that covers a lot of different cloud products and services Ticket dashboard looked straightfoward to use and interpret Can quickly add IPs/subnets that you don't want to monitor, if appropriate

8 Sep 202146min

Today we continue our series we started recently (part 1 is here about finding a super SIEM for SMBs. Specifically I have some updates on (and frustrations with) Arctic Wolf, Elastic, Milton Security and Perch Security. Here's the TLDL version: Arctic Wolf They remain a strong contender in my bake-offs. They also could tick several boxes for an org as they offer continuous internal/external vulnerability scanning as well as a managed SOC. (And yes, I'm probably a tiny bit biased because I know a bunch of AWN's engineers and like the product) Elastic I've loved my interactions with the sales folks and engineers at Elastic. My initial trial had some technical speed bumps (which Elastic helped me remedy). I eventually did get some Elastic agents enrolled on endpoints in my lab. However, now that I'm up and running (and admittedly I should go through the Webinars and online training), I'm feeling overwhelmed. There's a jillion menus and submenus to explore. I feel like I've been given a high-performance sports car but completely lack the knowledge on how to make the most of it. I'll keep Elastic in my back pocket, but I don't think I can feel comfortable handing this dashboard over to a SMB IT/security staff and have them run with it. Milton Security A few weeks ago I had my first ever sales call with this group, and liked a lot of what I heard. They're up front about being a threat-hunt-as-a-service organization and they're not looking to partner with just any customer. The way they bundle sources of data (for the sake of pricing) makes sense to me, and although I haven't seen a formal quote from them yet, I think they will be reasonably priced when compared to some of the "big box" solutions. Perch Security After part 1 of this series, several of you pinged me and said to check out Perch Security. I'm very excited to connect with them but had a tough time getting someone to respond to my inquires (two weeks to be exact). Good news is I've got a call scheduled with them this week and am anxious to share what I learn about Perch on our next episode in this series.

1 Sep 202144min

Today we're continuing our discussion on phishing campaigns - including a technical "gotcha" that might redirect your phishing emails into a digital black hole if you're not careful! As I mentioned last week, I've been heavy into spinning up and tearing down phishing campaigns, so I finally got around to documenting everything in episode 481. This week I ran into a bizarre issue where test phishes to myself suddenly disappeared from my Outlook altogether! After chatting with some folks on Slack I did a message trace in the Exchange Admin Center under: Mail flow > Message Trace > Start a trace then make the Sender field be the user you're sending phishing emails from. That showed me that my phishes were being quarantined! To get around the quarantine, I went into Mail flow > Rules and then created a new rule with the following properties: Apply this rule if > The sender's domain is > yourphishingdomain.com Then under Do the following: Set the spam confidence level (SCL) to...Bypass spam filtering Under And, click the drop-down and choose: Modify the message properties...set a message header...X-MS-Exchange-Organization-BypassClutter Then click where it says Enter text and change header value to True and click OK.

26 Aug 202113min

Today we're revisiting how to make a kick-butt cred-capturing phishing campaign with Gophish, Amazon Lightsail, LetsEncrypt, ExpiredDomains.net and a special little extra something that makes creating phishing landing pages waaaaaaayyyyyyyyyy easier! For some quicker review, you can check out part 1 and also the complementary YouTube video, but I wanted to revisit this kick-butt process and update a few items: First, this SingleFile extension is amaaaaaaaazing for making phishing landing pages with ease! The process to get GApps to let you generate an app-specific password for using with GoPhish is kinda annoying. The steps below should get you going: After domain registration, log into admin.google.com or click Manage Workspace button at checkout. At the next screen click Workspace Admin Console. Sign in with the person you’ll be spoofing from, and the temporary password emailed to your backup email account during checkout. In the search bar search for Less Secure Apps, choose Allow users to manage their access to less secure apps. Now, in the upper right, hit Manage Your Google Account. Under Security, click Protect your account and click Add phone number. Finish that process, then click Continue to your Google account. Back at the main admin page, under Less secure app access, click Turn on access (not recommended). At the next screen click Allow less secure apps: ON Back at the main screen, click 2-Step Verification and set it to On. Back at the main screen again, a new option called App passwords should be there. Click it. Choose to generate a custom name like LOL and then then an app password will appear. Write it down as it only appears once! Finally, a quick reference for getting your LetsEncrypt cert to work with GoPhish. Get your LetsEncrypt cert generated, and then forge a .crt and .key file to use with GoPhish: cp /etc/letsencrypt/live/YOUR-DOMAIN/fullchain.pem ./domain.crt cp /etc/letsencrypt/live/YOUR-DOMAIN/privkey.pem ./domain.key Now go into the GoPhish .json config file and change the cert_path and key_path to the ones you just generated, and change use_tls to TRUE on both places in the config as well.

19 Aug 202127min

Today we're talking about the SIEM bake-off for SMBs that we've recently embarked on. We're currently evaluating several solutions - either for customer-facing purposes, internal kick-the-tires fun, or both. Candiates include: Arctic Wolf Elastic Milton Security Protocol46 Sumo Logic First we're starting by running each vendor through a series of questions, then likely following up with a demo where we'll run some technical tests and simulated hacking to see which vendor or vendors reign supreme!

12 Aug 202149min