Connecting our Security Processes
by Martin Connarty
5M ago
Part 1 — The Functions. What I want to discuss in this blog post is my take on the breakdown of Security Functions, their inputs, outputs and core internal processes. In Part 1 I will talk about these functions, and then in Part 2 I plan to write about my personal goal and where I'm at in the journey to actually join it all up with the bits and pieces of DevOps knowledge I've picked up (and likely misunderstood!) such as Azure DevOps and making everything code/a work item. Security Functions Overview. The Functions. Within Cyber Security, there are a variety of complementary functions, all w ..read more
Sheep in Wolves’ Clothing : How our IP based authentication rules need to change
by Martin Connarty
7M ago
This is a quick post on some thoughts on this problem and some ideas of how we may need to change. It is biased a bit towards Azure, but I think the challenge and the solutions are universal. As always, I would love your thoughts on this! IP-based detection rules vs commercial VPN providers (train meme). How IP-based rules currently work and the problem. Phishing remains a large threat to organisations, and traditional methods such as MFA are now being defeated with relative ease. AITM — Adver ..read more
Adversary In the Middle — Part 1: Walkthrough
by Martin Connarty
7M ago
Adversary in the Middle is growing as a phishing threat; with its ability to steal MFA tokens, it is fast becoming the only method to phish. This is a two-part post: Part 1 is a walkthrough of me using my Honey Tenant to get phished, and Part 2 covers some of the detection opportunities this offers. Part 2: https://medium.com/@martinconnarty/adversary-in-the-middle-detection-44dca2f79943 The Initial Email Link. Often there will be a redirect chain — very often starting with a 'legit' site. I've seen places like LinkedIn, Bing, Microsoft, Google, Baidu and more all being used to obfuscate the i ..read more
Adversary In the Middle Detection
by Martin Connarty
7M ago
Adversary in the Middle is growing as a phishing threat; with its ability to steal MFA tokens, it is fast becoming the only method to phish. Here are a few ideas I've developed. As always, this will change as I learn more. Your Tenant Image. Many of the Adversary in the Middle pages that I've observed utilise a feature which loads the background image of the victim's tenant. As defenders, given we have access to the right type of logs (web proxy logs with URLs and Referrers), we can do some detections! An AiTM page will often pull in the image directly from authcdn (https://aadcdn.msauth ..read more
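A worked version of that proxy-log detection, added here as an example and not taken from the post: it parses constructed proxy records and flags fetches of the tenant's sign-in branding image whose Referer is not a Microsoft sign-in host, which is exactly the signature of a third-party page embedding our tenant's branding. The CDN host names, the `logintenantbranding` path segment, the allow-list of sign-in hosts, the `.example` phishing domains and the tab-separated log format are all assumptions.

```python
"""AiTM detection over web-proxy logs: who is loading our tenant's sign-in image?

Added example written for this listing; it is not code from the original post.
Assumptions: the proxy writes tab-separated records of
timestamp, client IP, method, full URL, Referer ("-" when absent); tenant
branding assets are served from the aadcdn hosts below under a path containing
"logintenantbranding"; and the Referer allow-list covers the legitimate
Microsoft sign-in hosts for this tenant.
"""
from collections import Counter
from urllib.parse import urlparse

# CDN hosts that serve tenant branding assets (assumed; the post names aadcdn.msauth).
BRANDING_CDN_HOSTS = {"aadcdn.msauth.net", "aadcdn.msftauth.net"}

# Path segment that marks a per-tenant branding asset (assumed layout).
BRANDING_PATH_MARKER = "logintenantbranding"

# Referer hosts from which a branding-image fetch is expected (assumed allow-list;
# extend it for any federation or proxy hosts your tenant legitimately uses).
LEGIT_REFERER_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}


def parse_proxy_line(line: str) -> dict:
    """Split one proxy record into fields; a Referer of '-' means none was sent."""
    ts, client_ip, method, url, referer = line.rstrip("\n").split("\t")
    return {
        "ts": ts,
        "client_ip": client_ip,
        "method": method,
        "url": url,
        "referer": None if referer == "-" else referer,
    }


def is_branding_request(url: str) -> bool:
    """True when the URL is a per-tenant branding asset on the sign-in CDN."""
    u = urlparse(url)
    return u.hostname in BRANDING_CDN_HOSTS and BRANDING_PATH_MARKER in u.path.lower()


def classify(record: dict) -> str:
    """Classify one record as 'ignore', 'legit', 'no_referer' or 'suspect'.

    A branding image fetched with a Referer outside the Microsoft sign-in hosts
    means some other page embedded our tenant's sign-in branding: the AiTM pattern.
    """
    if not is_branding_request(record["url"]):
        return "ignore"
    if record["referer"] is None:
        # A kit can strip Referer; keep these as a lower-confidence bucket.
        return "no_referer"
    ref_host = (urlparse(record["referer"]).hostname or "").lower()
    return "legit" if ref_host in LEGIT_REFERER_HOSTS else "suspect"


def detect_aitm(lines) -> list:
    """Return one alert per branding fetch whose Referer is not a legitimate sign-in host."""
    alerts = []
    for line in lines:
        rec = parse_proxy_line(line)
        if classify(rec) == "suspect":
            alerts.append({
                "ts": rec["ts"],
                "client_ip": rec["client_ip"],
                "referer_host": (urlparse(rec["referer"]).hostname or "").lower(),
                "url": rec["url"],
            })
    return alerts


def suspect_hosts(alerts) -> Counter:
    """Count alerts per Referer host: the phishing domain shows up once per victim."""
    return Counter(a["referer_host"] for a in alerts)


# Constructed sample log; the hosts under .example are stand-ins for phishing domains.
TENANT = "00000000-0000-0000-0000-000000000001"
BRANDING_URL = f"https://aadcdn.msauth.net/{TENANT}/logintenantbranding/0/illustration?ts=1714555923"
SAMPLE_PROXY_LOG = [
    f"2024-05-01T09:12:03Z\t10.0.0.21\tGET\t{BRANDING_URL}\thttps://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=4765445b",
    f"2024-05-01T09:14:41Z\t10.0.0.35\tGET\t{BRANDING_URL}\thttps://login.micros0ft-secure.example/common/oauth2/v2.0/authorize",
    f"2024-05-01T09:15:02Z\t10.0.0.35\tGET\thttps://aadcdn.msauth.net/shared/1.0/content/images/favicon.ico\thttps://login.micros0ft-secure.example/common/oauth2/v2.0/authorize",
    f"2024-05-01T09:20:17Z\t10.0.0.52\tGET\t{BRANDING_URL}\thttps://login.micros0ft-secure.example/common/oauth2/v2.0/authorize",
    f"2024-05-01T09:31:55Z\t10.0.0.77\tGET\t{BRANDING_URL}\thttps://sso-verify.example/login",
    f"2024-05-01T09:40:08Z\t10.0.0.90\tGET\t{BRANDING_URL}\t-",
]

if __name__ == "__main__":
    found = detect_aitm(SAMPLE_PROXY_LOG)
    for a in found:
        print(f"{a['ts']} {a['client_ip']} loaded tenant branding from {a['referer_host']}")
    print("suspect referer hosts:", dict(suspect_hosts(found)))
```

Run against the sample, it raises three alerts and the per-host count is the pivot worth keeping: a phishing domain appears once per victim, whereas a legitimate referer never appears in the suspect bucket at all. Two caveats a practitioner will hit: the proxy only records full URLs and Referer headers for HTTPS if it terminates TLS, and a kit that strips Referer lands in the `no_referer` bucket, so review that bucket at lower severity rather than dropping it.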
Collaboration in Infosec
by Martin Connarty
2y ago
First draft — would love comments, feedback and suggested reading! In my blog post "Threat Intelligence lead content creation — Part 1" I wrote about how Threat Intelligence and hunting are the root of how we design our later detection content, which leads to the production of various machine-readable objects, such as the rule itself, threat dossiers, playbooks (and their response actions), and ties to the data source components we need to detect them. I've also discussed in another blog post (Security Value Pyramid) that the true value of security teams should be utilised in looking for t ..read more
Know your perimeter/attack surface
by Martin Connarty
2y ago
Note — This was originally posted on my site infosecamateur.com in July 2020. Follow me on Twitter @mconnarty! There is a cornucopia of products and methods that organisations use to attempt to be "secure". This includes our device logs to monitor, pentest services, endpoint protection tools, vulnerability scanners, and the list goes on. However, a bit like the frustrating saying when you lose something, "It's in the last place you look", the breach is going to be in the thing you least secured — often the place you had no idea about. In this post I would like to talk about what I consider ..read more
The SOC Formula
by Martin Connarty
2y ago
Note — This was originally posted on my site infosecamateur.com in September 2020. Follow me on Twitter @mconnarty! Thoughts on this as of Jan 2022: I'm changing my thinking around this blog post — if Risk-Based Alerting is implemented, then a formula similar to this may be used to determine the eventual risk score of a rule instead of deciding whether or not to enable it. Another consideration I've had is that, with some variation, a formula such as this could perhaps be applied to the data sources themselves to prioritise them, especially if ingestion costs are high. Essentially, if th ..read more
Threat Intelligence lead content creation
by Martin Connarty
2y ago
The below was originally posted on my site — infosecamateur.com — in July 2021. Follow me on Twitter! @mconnarty Note, Jan 2022: Since I initially wrote this, MITRE have continued to develop the data source relationships that are used in the MITRE ATT&CK framework. They are now structured in STIX format, which allows the mappings to be machine readable. To understand coverage against it, the challenge now becomes mapping the fields that you have available to you in the raw logs to a common language (e.g. CIM in Splunk), which then maps to the higher-level abstract MITRE Data Source ..read more
The VilNE Project
by Martin Connarty
2y ago
Note: This originally appeared on my site — infosecamateur.com — on Jan 18 2022. Mid last year I followed a thread of thinking which took me into an interesting area, which I would still say is possibly not fully appreciated — although Log4Shell has since opened people's eyes somewhat! This is what became VilNE (Victim Initiated Local Network Exploiter/Exploitation). I've decided to write this up: what I learned and where I think we're still at in the industry. Background. Around mid last year I read an interesting blog post about DNS Rebinding (https://medium.com/@brannondorsey/attacking-pr ..read more
Security Value Pyramid
by Martin Connarty
2y ago
Security Pyramid. This security value pyramid was something I put together after being a bit frustrated during Log4Shell, much like everyone else! It seemed there was a huge emphasis on patching this one, albeit high-risk, threat, whereas some of the basic and arguably cheaper design steps could have had a far wider impact on security, not just for this one threat but for many others. I believe there are a variety of reasons for this, some of which spring to mind: Organisational growth and assimilation — as organisations have grown and sometimes acquired others, the network adds more bolt-ons ..read more
