ESW #284 – Ryan Fried & Joseph Carson
1. Modern Threat Hunting with your SIEM on a $0 Budget – Ryan Fried – ESW #284
Security analysts can move past traditional Indicators of Compromise from threat intel, such as domains, hashes, URLs, and IP addresses; these indicators typically are no longer valid shortly after the incidents happen. Modern threat hunting means doing things like reading recent and relevant security articles, pulling out the behaviors attackers are exhibiting, such as commands like net group "domain admins" or RDPing from workstation to workstation, and translating those into threat hunting queries. I will talk about how to start small and will give a few examples where we proactively found evil in our environment.
Segment Resources:
- https://www.scythe.io/library/operationalizing-red-canarys-2022-threat-detection-report
- https://www.itbrew.com/stories/2022/05/09/quantum-ransomware-can-now-move-from-entry-to-encryption-in-under-four-hours?utmcampaign=itb&utmmedium=newsletter&utmsource=morningbrew&mid=1e3360a49c0b72a4c0e4550356ffee54
- https://www.cisa.gov/uscert/ncas/alerts/aa22-181a
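The segment's two sample behaviors, enumeration of Domain Admins with net.exe and workstation-to-workstation RDP, translated into hunt logic and run over constructed events. This is an added example, not the guest's or the show's code; the event field names (event, cmdline, logon_type, host, src_host) and the "WS-" workstation naming convention are assumptions.

```python
import re
from typing import Iterable

# Behavior 1: enumeration of the Domain Admins group via net.exe or net1.exe
# (quotes and case vary between articles, so the pattern tolerates both).
NET_GROUP_DA = re.compile(r'\bnet1?(?:\.exe)?\s+group\s+"?domain admins"?', re.IGNORECASE)

# Behavior 2: RDP (Windows logon type 10, RemoteInteractive) between two hosts
# that are both workstations. "WS-" prefix is an assumed naming convention.
WORKSTATION = re.compile(r"^WS-", re.IGNORECASE)

def hunt_net_group(events: Iterable[dict]) -> list[dict]:
    """Process-creation events whose command line enumerates Domain Admins."""
    return [e for e in events
            if e.get("event") == "process_create"
            and NET_GROUP_DA.search(e.get("cmdline", ""))]

def hunt_lateral_rdp(events: Iterable[dict]) -> list[dict]:
    """Type-10 logons where source and target are both workstations."""
    return [e for e in events
            if e.get("event") == "logon" and e.get("logon_type") == 10
            and WORKSTATION.match(e.get("src_host", ""))
            and WORKSTATION.match(e.get("host", ""))]

# Constructed sample events; shapes are simplified, not a real SIEM schema.
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "WS-042", "user": "jdoe",
     "cmdline": 'net group "domain admins" /domain'},
    {"event": "process_create", "host": "WS-042", "user": "jdoe",
     "cmdline": "net use Z: \\\\files\\share"},
    {"event": "process_create", "host": "DC01", "user": "svc_backup",
     "cmdline": 'C:\\Windows\\System32\\net1.exe group "Domain Admins"'},
    {"event": "logon", "logon_type": 10, "host": "WS-017", "src_host": "WS-042", "user": "jdoe"},
    {"event": "logon", "logon_type": 10, "host": "WS-017", "src_host": "JUMP01", "user": "admin"},
    {"event": "logon", "logon_type": 3, "host": "WS-017", "src_host": "WS-042", "user": "jdoe"},
]

def run_hunts(events: Iterable[dict] = SAMPLE_EVENTS) -> dict[str, list[dict]]:
    """Run every hunt and return hits keyed by hunt name."""
    events = list(events)
    return {"net_group_domain_admins": hunt_net_group(events),
            "workstation_to_workstation_rdp": hunt_lateral_rdp(events)}

if __name__ == "__main__":
    for name, hits in run_hunts().items():
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

The RDP hunt deliberately ignores the jump host logon, which is the expected admin path; the tuning decision of what counts as a workstation is where most of the real work in a hunt like this goes.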
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Guest
Ryan has 10+ years of experience in IT security, in roles ranging from compliance, analyst and engineer to CISO and consultant. He has also taught cyber security at the community college level for the last 8 years. Ryan has most recently been leading initiatives such as SOAR, purple teaming, network segmentation, DevSecOps and cloud security posture management.
2. Zero to Full Domain Admin: The Real-World Story of a Ransomware Attack – Joseph Carson – ESW #284
Following in the footsteps of an attacker and uncovering their digital footprints, this episode will walk through the techniques the attacker used and how they went from zero to full domain admin compromise, which resulted in a nasty ransomware incident. It will also cover general lessons learned from ransomware incident response.
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Guest
Joseph Carson is a cybersecurity professional with 25+ years’ experience in enterprise security, an InfoSec Award winner, and author of Privileged Access Management for Dummies and Cybersecurity for Dummies. He is a CISSP and an active member of the cyber community, speaking at conferences globally. He is an advisor to several governments, as well as to the critical infrastructure, financial and maritime industries. Joseph is the host of the award-winning podcast 401 Access Denied, where he interviews cybersecurity thought leaders on educational topics.
3. Normalyze, Axio, Flashpoint, Medical Records With Amazon, & Dial-Up Service Returns! – ESW #284
Finally, in the enterprise security news, Normalyze and Flow Security raise money to protect data, Axio and Lumu raise money to assess risk, Bitsight intends to acquire ThirdPartyTrust, Flashpoint acquires Echosec Systems, ZeroFox goes public, Rumble rebrands as runZero, Trusting Amazon with medical records, Taking cryptocurrency off the (payment) menu, AWS’s CISO tells us why AWS is so much better than their competitors, and an ancient dial-up Internet service returns!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
- 1. FUNDING: Axio lands $23M to help companies quantify cyber risk – TechCrunch
- 2. FUNDING: Normalyze Announces $22 Million for DSPM Technology
- 3. FUNDING: LIAN Group invests eight-digit amount in Alkira, a top disruptor in the cloud industry, backed by Sequoia, Kleiner Perkins, Google Ventures, and Koch Disruptive Technologies
- 4. FUNDING: Flow Security Is Protecting Data At Rest and In Motion with $10M In Seed Funding – Grit Daily News
- 5. FUNDING: Cybersecurity Company Lumu Raises $8M, Signs Partnership with KnowBe4, the World’s Largest Integrated Platform for Security Awareness Training
- 6. FUNDING: Footprint – one-click KYC & PII vault. $6M seed round led by Index Ventures
- 7. FUNDING: Mesh Security emerges from stealth with $4.5 million Seed round to improve Zero Trust in the cloud
- 8. ACQUISITIONS: BitSight Announces Intent to Acquire ThirdPartyTrust to Simplify and Modernize Third-Party Risk Management Throughout the Entire Vendor Lifecycle
- 9. ACQUISITIONS: Flashpoint Acquires Open Source Intelligence Leader Echosec Systems. Flashpoint is busy building quite the security intelligence platform these days. The company is historically a threat intel vendor, going deep on researching and understanding threat actors, not just gathering and distributing IoCs. This Echosec acquisition adds the ability to monitor risks and events in real time across social media, forums, news, dark web, and other sources. No deal terms disclosed. We missed the announcement of Flashpoint Automate last month, the rebrand of a SOAR tool Flashpoint acquired back in 2020, called CRFT. The company also picked up Risk-Based Security back in January, making Echosec its third. It's also worth mentioning that Flashpoint got picked up by a private equity firm, Audax Private Equity, about a year ago, and acquire/mashup/sell is a PE strategy we see often.
- 10. IPOs: ZeroFox Begins Trading on Nasdaq Under Symbol “ZFOX”. Originally announced back in December 2021, the $1.4B transaction closed last week and ZeroFox has gone public on the NYSE under ZFOX. This was achieved through a SPAC named L&F Acquisition Corp (NYSE:LNFA) and, as part of the deal, ZeroFox will acquire IDX, a privacy and identity protection platform.
- 11. REBRANDING: runZero 3.0: Check out our new name, and sync assets, software, and vulnerability data from Qualys
- 12. NEW PRODUCTS: Canonic Security’s AppTotal. A novel approach to SaaS security, AppTotal gives some deep background on 3rd party apps and integrations. It even evaluates whether the permissions requested are actually necessary or not!
- 13. TRENDS: Do You Trust Amazon With Your Medical Records?
- 14. TRENDS: Accepting Crypto: A Vendor Perspective. An interesting piece by Shodan's founder, he details the company's experiences accepting cryptocurrency as payment for memberships. This reminds me of a time I tried to give the TOR network the benefit of the doubt, but in the end, decided to block it, after realizing we had never received a single legitimate customer login from TOR, while the number of attacks we received from it was massive. TOR evangelists didn't like it, but no one was paying their mortgages via TOR, so there was little reason to endure the amount of abuse we received from TOR when we could simply block it all by checking a box in our Palo Alto Firewalls. (https://twitter.com/sawaba/status/637454396201267204) Similarly, Matherly offers some very logical reasoning in choosing not to accept cryptocurrency: few people use it and it attracts a lot of scams. It simply isn't worth the trouble it generates. He might take some flak for it, but it's the right choice.
- 15. TOOLS: A defender’s MITRE ATT&CK cheat sheet for Google Cloud Platform (GCP)
- 16. HOT TAKE: AWS CISO On Why Its Security Strategy Tops Microsoft, Google. "We’re Not Playing Checkers, We’re Playing Chess", says CJ Moses. Ooooh, what now, Google? Need some cream for that burn, Microsoft?
- 17. SQUIRREL: Prodigy Reloaded. Yup, a group of reverse-engineering techno-necromancers reanimated Prodigy. Why? Because our silly brains reward nostalgia (https://www.neurologylive.com/view/brain-and-nostalgia).