cyberhakon

joined 1 year ago
 

I tested using Google's Gemini as a helping hand in Linux log-based threat hunting, and it is actually helpful, although not ready to take the security analyst's job (yet).

 

A blog post I made based on discussions at a conference last week: we need to teach smart things like self-driving cars and ships to defend themselves against cyber attacks. It outlines how we should approach it.

 

I did a dive into what you can get out of the Edge (and probably Chrome(ium)) History SQLite database. It logs quite detailed data, which is useful for forensics!

 

The hacktivist group Anonymous Sudan claims to have breached Microsoft and stolen credentials from 30 million customers. Microsoft says they are lying. The group has done a lot of DDoS attacks and claimed a much bigger impact than they have really had. Exaggerated claims may lead to an increased "panic state" at the top of the corporate food chain. How do you communicate about threat groups making bold statements like this to your higher-ups or customers?

[–] cyberhakon@infosec.pub 7 points 1 year ago* (last edited 1 year ago)

The controls themselves are not hard to understand. Writing policies describing these controls is also not that hard. But changing the way an organization is working, in terms of habits, documentation, information management, and how we collaborate, can be really, really hard. So even if the requirements in ISO 27001 and the controls guidance in ISO 27002 look straightforward from a technical point of view, it is not easy to change the way of working for a whole organization! It requires leadership, it requires resources, and it requires enough competent people with internal social capital to help support and drive the change. This is why an ISO 27001 journey is usually not just smooth sailing.

 

I have found Excel to be quite useful for collecting data, doing summary analysis of logs, etc. I also liked this blog post from Mandiant about using Excel to timeline artefacts with very different structures. It takes a bit of work using FIND, LEFT, MID, RIGHT, CONCAT, etc., but then it is quite useful! Another good thing is that a lot of people are better at creating Excel sheets than at writing XPath queries.

Anyone else using Excel for DFIR, and how do you use it?

[–] cyberhakon@infosec.pub 2 points 1 year ago

Thank you for an excellent perspective! I really like the narrative story approach. Often I find reports too dry to provide the necessary context; the storytelling approach can provide a good antidote to that!

 

If we are going to build a good community, we need some content! Here's a new feature in Kusto I have found useful in Sentinel, making it easier to do geolocation lookups in queries: geo_info_from_ip_address.

If we all share a little trick or something we have recently learned now and then, this will be a useful community!

 

Whether you are a buyer of security services or a provider of them, what metrics, visuals, and information are actually important to customers? What is the preferred way to consume reports: emails, dashboards, PDF reports, chat bots, smoke signals? Any thoughts and input much appreciated!

[–] cyberhakon@infosec.pub 2 points 1 year ago

Hi! Security consultant and service developer focusing on OT and DFIR, working for an international consulting firm based in Europe. Originally a chemical engineer. Big fan of knowledge sharing!