7MS #430: Interview with Dan DeCloss

I ran out of time in episode #272 to tell you about why preparing to be a speaker for ILTACON was way more stressful that preparing for Secure360 a few months ago. The main points of difference/stress were: ILTA wanted to see PowerPoint deck progress weekly, whereas with Secure360 it was pretty much "Your talk is accepted - see you at the conference!" ILTA is going to show a "speaker slide" with bio a few minutes before the sessions starts. That way the session is focused on content (and probably avoids people who like to talk about themselves too much :-) ILTA requested my PowerPoint and handouts a few weeks before the session so they could put on their Web site for attendees to see. Although that put some pressure on me to get content done early, I think it's great because presumably some people at the talk will have screened the content and therefore be more tuned in.

17 Aug 20179min

This is part 2 of a series focusing on public speaking - specifically for the ILTACON conference happening in Vegas this week. In this episode I share a high-level walkthrough of my talk and the 10 "Blue Team on a Budget" tips that the talk will focus on. These tips include: Turning up Windows auditing and PowerShell logging Installing Sysmon Installing Security Onion Don't put too much faith in endpoint protection Keep an eye on Active Directory Install RITA Deploy a Canary Use strong passwords Install LAPS Scan and patch all your things

17 Aug 201711min

Seems like every business I meet with needs some sort of help in the patching department. Maybe they've got the Microsoft OS side of the house under control, but the third-party stuff is lacking. Or vice-versa. Either way, the team I work with is excited to kick the tires of some popular patching solutions over the next few weeks, and we'll audibly barf up what we learn into this mini-series! Solutions we'll poke around with include: Ninite ManageEngine PDQ Deploy PS: None of these solutions are sponsoring 7MS. They're just popular patching solutions we're trying out to learn more about 'em and give you the pros/cons we discover! In today's episode I dive a bit into... Ninite Pros Cheap Does one thing, and does it well Been around for a long time Cloud-based - doesn't rely on LAN-side server Cons Only cloud-based...no LAN-side option Requires an agent Agent's only purpose is patching - no extra bells/whistles like remote control or inventorying capability

10 Aug 201710min

I spent a bunch of time with Security Onion the last couple week's and have been lovin' it! I ran the install, took all the defaults, ran the updates, and pretty much just let it burn in on my prod (home) environment. After a few days, I went back to check the Security Onion dashboard to check the alerts. There was a bunch of benign stuff (computers pinging each other, Dropbox broadcasting to the network) but also a couple interesting finds - SO caught one of my VMs downloading (intentionally) Invoke-Mimikatz. The dashboard allows you to see transcripts of file downloads like this, as well as a tool called Network Miner to extract a copy of the downloaded file for further analysis. One thing the SO didn't pick up on was the DNS-based C2 tunnel I setup on a test victim client. However, it turns out RITA works great for exactly this type of analysis - it reported the huge number of DNS requests from my victim client to the C2 server. Very helpful info for an incident response situation!

3 Aug 201712min

Documentation is super boring, right? Yet it's critical to getting your client/audience excited about making their security better! In this episode I talk about my mixed feelings towards the "big" standards like ISO/NIST/etc. and how a more tactical, down-to-earth documentation approach might be more effective in some cases. And I think we need our documentation to be much more focused on consultation/remediation and not just "Hey, your security sucks...and these next 100+ pages will tell you exactly why!" We can do better! Yes, this episode is like 18 minutes because, well, I guess I'm really passionate about documentation. :-)

27 Juli 201713min

Been having a blast working with the beta branch of the Sweet Security project and it anxious to try the latest fixes of the beta branch. Give it a look! I also spent a lot of time the last few nights playing with Security Onion and love it. After zipping through the install wizard and hitting reboot a few times you're pretty much good to go. A few recommendations I'd make after those initial reboots though: Run the soup command to update Security Onion with all the latest packages Use ufw to adjust the internal firewall to allow management from ports other than SSH (which is already preconfigured) On a side note, I think you might have to have your vnic in VMWare set to promiscuous mode in order to allow proper network sniffing. Do a wget http://testmyids.com to ensure Security Onion alerts are coming in the squil dashboard security alerts are pouring in. Also, check out this article for some handy tips on threat hunting with Bro. Next up on my "test this out list" is to setup DNS tunneling to a Digital Ocean droplet I setup, and see if the onion picks up on that, or if I can at least get warned somehow about a high amount of DNS traffic.

19 Juli 201712min

Today's episode is a horror story about how I recently lost 5+ years of CrashPlan backups due to what I'm calling a...small clerical error. Yes, this oopsie was 100% my fault, but I think backup providers can do a better job of warning us (via text or automated call rather than just email) before blowing away our life's work.

18 Juli 201711min

This week I've continued to play with the awesome Sweet Security IDS solution you can throw on a Raspberry Pi 3. A big update to share is that there is a beta branch which has some cool new features, such as the ability to break the Bro + ELK stack across multiple machines. I also lost a lot of sleep these last few days playing with Security Onion and will do a future episode focusing only on that!

13 Juli 201710min