Posts

Endpoint on Adrenaline: One

Introduction. This blog series will capture how to maximise the protection of an endpoint using the various technologies in the Defender suite. Each control outlined in the series needs its own considerations for a given environment, but hopefully at a minimum it will be clear just how powerful Microsoft's offering is. Unfortunately, because the controls Microsoft offers are highly modular and diverse, things are often overlooked or misconfigured, and this shows up when tests are conducted. With this in mind, the shortest route to a solution is to use the recommendations, CSPM and Secure Score technology contained within Defender 365 and Defender for Cloud, as they automatically conduct posture assessments and tell you what you have missed and may want to turn on (i.e. don't take these recommendations lightly). Lastly, I would recommend reading the book "Defender for Endpoint in Depth" from Packt, as it showcases the co...

Standardized Note Taking Format For Analysts

Introduction. This post outlines a note-taking format designed to aid analysts and ensure the knowledge they acquire over time is kept so that it can easily be consumed later. The format is technology agnostic, so it can be applied in whatever note-taking tool or platform the analyst chooses. I designed this format because analysts often receive what you could call unplanned information: at any given moment during their day they could learn something highly impactful to their role via any medium. This heightens the need for good note-taking practices for analysts. The wireframe illustrated in the post is what analysts can implement in their note-taking platforms. Each section contains sub-sections that keep different kinds of knowledge segregated and more searchable. Meeting Notes. Within any given week analysts can have countless meetings, so it is important to note down items from meetings for future review. Not every meeting needs to be ...

Writing detections when stuck with EDR

Introduction. Making the leap to purchasing and maintaining an EDR solution can be huge for organisations, so huge in fact that they never really progress from there when it comes to visibility on assets. This matters because organisations should aim to achieve some level of detection engineering but will likely never get to explore the associated complexities. So how can organisations effectively and easily write detections that actually help to protect them when they are only able to leverage an EDR tool? Understanding your tool's limitations. To most people EDR tools are incredibly verbose in the telemetry they capture from any given asset, but relative to the overall telemetry available they actually only capture what the vendors think is most pertinent. The reason is obvious: ingesting telemetry at the scale vendors do comes at a significant cost, so they implement "cost-saving measures" like limiting the amount of any one given...

Securing your estate: The First Step

Introduction. A commonly forgotten fact within the cybersecurity industry is that most organizations are not equipped to run a security program and have not started to form one. There are many reasons for this: most organizations are SMBs, so they don't and likely never will have the funds to hire people and purchase technology, and the cybersecurity industry is incredibly toxic for low-expertise or low-capability teams, as the well of knowledge we all rely on has been poisoned by vendors and 'thought leaders'. With this in mind, I have created a small resource that will guide you through what you need to do to make a start. This resource won't reference vendors, and I will try to avoid specific jargon. Enumerate. The saying 'You can't secure what you don't know' stands strong even to this day and should be your primary focus before you do anything else. Understanding what assets you have, both physically (computer hardware) and logically (applicati...

Year in Review

Introduction. I've put together some general observations and trends I've seen over the last year below. Overall I think the industry as a whole is in a transient or potentially post-shock stage where we are seeing some improvements but also a lot of firefighting against poor practice. 'Identity is the new endpoint' is echoed across all major teams and vendors. Cloud identity-related attacks now overshadow endpoint incidents, and vendors have followed suit with varying products and feature updates that include identity-related protection. At present, detecting identity-related attacks is still poorly understood and the technology put out by vendors needs a lot of work, but lack of coverage has been an issue for a long time, so it's good to see movement in this area. Buy Buy Buy. Most of the largest security vendors have bought at least one organization this year. This trend makes more capabilities available to customers at a faster rate, but questions still exist about how much the ca...

Attack Simulations for your SOC

Introduction. SOC analysts spend 99 percent of their time looking at the same data and patterns over and over again. They develop muscle memory that helps them use their platforms without much effort, but it also ingrains in them potentially poor practices. Most analysts are new to the industry and are taking certifications like CompTIA CySA+ and Microsoft SC-200, but none of these certifications teach them what genuine malicious actions look like. So how do you train a team of people to detect malicious activity and respond in the ever-morphing threat landscape? You throw them through the ring of fire. You make them triage real (or as close to real as possible) incidents and monitor their behaviour and progress so that you can tune the processes perpetually. Analysts are arguably the single most important role within a SOC: they carry the burden of triaging alerts and correctly identifying whether malicious activity is occurring. They are the first, middle and last line of defense. However, despi...

Shadow IT: Your Bible

Introduction. If you have worked in IT for long enough, you will have stumbled across a handful of things that you know the user definitely shouldn't have. Well, that was likely "shadow IT". I describe shadow IT as "anything technology related within a constituency that is not authorized by the service provider". This description is as broad as possible because that is the reality of shadow IT: it exists in basically any form, and as an IT service provider, the instructions and objectives given to you by executives are likely equally broad ("if it runs on electricity, it's your problem"). Below I've listed some key points that everyone should consider when thinking about shadow IT. Tackling shadow IT is a never-ending battle; you need to be vigilant and always looking for improvements. It's a human problem: if your company hires humans, you have shadow IT. Decreasing friction and improving the relationship between the service provider...

Threat Hunting: Get Started

Introduction. Threat hunting (detecting and finding things that you weren't previously aware of) has been around for a long time, and most 'medium maturity' organizations will attempt to set up some form of threat-hunting activity or program, but they find themselves stuck thinking about all the super cool advanced stuff and end up not actually doing anything at all. So I've created this blog post to help get people on track to actually develop something for their organization. Why bother? You and your organization should be doing threat hunting because at its heart it is just an application of a foundational concept within cybersecurity: understanding what is going on in your constituency. Because of this, it's virtually impossible not to receive a return on investment. Start a hunt and find you haven't been collecting logs for the last 6 months? Great, that's a positive output from threat hunting! Start a hunt and find more shadow IT than you can ...
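The "you haven't been collecting logs for six months" outcome above is itself a hunt you can run on day one. The following is an added example, not code from the post: it takes a constructed set of log records (host, ISO-8601 timestamp) and a constructed asset inventory, then reports hosts that have gone silent for longer than a threshold and hosts in the inventory that have never logged at all. The host names, timestamps and the seven-day threshold are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log records (host, timestamp); not real telemetry.
SAMPLE_LOGS = [
    ("ws-01", "2024-01-01T08:00:00"),
    ("ws-01", "2024-03-15T09:30:00"),
    ("srv-db", "2023-09-01T00:00:00"),
    ("ws-02", "2024-03-14T12:00:00"),
]

# Constructed asset inventory; "srv-web" is known to exist but never logs.
INVENTORY = ["ws-01", "ws-02", "srv-db", "srv-web"]


def last_seen(logs):
    """Return {host: latest timestamp} across all records for that host."""
    seen = {}
    for host, ts in logs:
        t = datetime.fromisoformat(ts)
        if host not in seen or t > seen[host]:
            seen[host] = t
    return seen


def find_collection_gaps(logs, inventory, now, max_silence=timedelta(days=7)):
    """Hunt for log-collection gaps.

    Returns (silent, never_seen):
      silent     - {host: how long since its last record} for hosts whose
                   last record is older than max_silence
      never_seen - sorted inventory hosts with no records at all
    """
    seen = last_seen(logs)
    silent = {h: now - t for h, t in seen.items() if now - t > max_silence}
    never_seen = sorted(set(inventory) - set(seen))
    return silent, never_seen


def report(logs=SAMPLE_LOGS, inventory=INVENTORY, now=datetime(2024, 3, 16)):
    """Run the hunt over the constructed data and return a summary dict."""
    silent, never_seen = find_collection_gaps(logs, inventory, now)
    return {
        "silent_days": {h: d.days for h, d in silent.items()},
        "never_seen": never_seen,
    }


if __name__ == "__main__":
    for host, days in report()["silent_days"].items():
        print(f"{host}: no logs for {days} days")
    for host in report()["never_seen"]:
        print(f"{host}: in inventory but has never logged")
```

Run against real data, replace the constructed lists with an export from your log platform and your CMDB; the interesting findings are usually in `never_seen`, because those are the assets nobody wired up in the first place.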

The first blog

Hi, I do a lot of research into threat hunting, detection engineering and security architecture. This place will be to store my loot (things I find interesting). Feel free to do whatever you like! I will try to keep the format of this blog as formal as possible, so if you want random insane ramblings about my loot you can stare at my Twitter.