De-Coder’s Ring

Software doesn’t have to be hard

Category: cybersecurity (page 1 of 4)

Spilling the beans…

Today I’m at ILTA’s LegalSec Summit 2017, giving a talk later about Threat Automation.


I’m excited about sharing some information about Threat Intelligence, automation and application on a network sensor.  That’s all good stuff.

What I’m really happy about is that I can be totally open with the technology. My goal is to educate folks on how they can do what my company does on a daily basis. As an open source advocate, and a giant fan of a lot of the technology that I use every day (duh!), it’s good to show others how to do it. We don’t provide anything that qualifies as super cool intellectual property... we have some, but anyone can build the basics to run in their shop. The challenge comes with the human capital needed to build and run this stuff. That’s a big part of the challenge.

WannaCry over WannaCry :(

Information is developing faster than we can keep up, but the UK health system was hit by a huge wave of ransomware today. The WannaCry campaign has devastated hospitals and trauma centers. Patients are being refused. Records are inaccessible. The only work being done is high-level emergency work to save life and limb.

Ongoing information can be found here:

Hospitals across England hit by large-scale cyber-attack (r/worldnews)

Some language, some frustration, but this is real life. There is every expectation that life will be lost due to this ridiculous cyber attack.

If it turns out to be a pissed off kid who couldn’t get some vicodin from his doctor, heaven help him.

This is a good time to point out that the Emerging Threats Pro rule set apparently will trigger on the traffic that caused the exploit:

ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response

I won’t make any money if you buy an ET Pro license, but I recommend it.

Patch your systems! Below is Microsoft’s information about the Windows vulnerability this exploit uses; it was fixed a few weeks back. Hospitals are notorious for having old and unpatched devices.

https://support.microsoft.com/en-us/help/4013389/title


I Spy on You

I spy on you, it’s my job.  

I build tools that monitor your computer network.  

They will get installed at your employer, and because of that we have 100% visibility into what you’re doing on your network... and you should be glad!

Cybersecurity is a hard ‘thing’. It’s a constant arms race: new exploits, new tool kits to take advantage of those exploits, and new defenses to stop those exploits. It’s not a new game, and the game will never go away. The rules are pretty simple. There are people out there who want to impact your computer network. Then there are people who try to defend your network. Pretty straightforward, eh?

The attackers have various reasons they want to attack.

  1. Personal education, figuring out how to break things
  2. Bragging rights, so they can seem cool in their dark circles
  3. Theft, stealing your personal/customer/employee data
  4. Reward, getting paid to attack, corrupt, encrypt, etc

Why I need to Spy on You

In order to understand what’s going on, we need 100% visibility into a network. We need to see how data flows, how address lookup (DNS) works, which web sites are visited, and which URLs and files are loaded. Is your computer talking to a known bad web site? Did a known exploited file get downloaded? We need to log everything. It’s like CSI, but network forensics.

... just remember, I don’t care how much time you spend on Facebook. I don’t care about your, eh, OTHER online browsing habits, as long as they don’t infect your computer!
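The "is your computer talking to a known bad web site, or did a known bad file get downloaded" question above is exactly what a sensor answers by matching its logs against a threat-intelligence feed. The following is an added example, not the blog author's or Perch Security's code: the indicator list and the tab-separated log lines are constructed for illustration, and the log format is a simplified stand-in for what a real sensor's DNS, HTTP, connection and file logs carry.

```python
"""Match sensor logs against a threat-intelligence indicator list.

Added example, not the blog author's or Perch Security's code. The log lines
and the indicator list below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

BAD_HASH = "deadbeef" * 8  # constructed 64-hex-char SHA-256 stand-in

# Constructed indicators keyed by type. Commercial and open feeds carry the
# same shapes: domains, IPs and file hashes, each with a description.
INDICATORS: Dict[str, Dict[str, str]] = {
    "domain": {"bad-updates.example.net": "known malware C2 (constructed)"},
    "ip": {"203.0.113.45": "known scanner (constructed, TEST-NET-3 address)"},
    "sha256": {BAD_HASH: "known exploit document (constructed hash)"},
}

# Constructed log lines: type, unix time, client IP, then key=value fields.
SAMPLE_LOGS = "\n".join([
    "dns\t1494598800\t10.0.0.12\tquery=www.example.com",
    "dns\t1494598801\t10.0.0.12\tquery=mail.bad-updates.example.net",
    "http\t1494598802\t10.0.0.14\thost=intranet.example.org\turi=/index.html",
    "conn\t1494598803\t10.0.0.14\tdst=203.0.113.45\tdport=445",
    "files\t1494598804\t10.0.0.15\tsha256=" + BAD_HASH.upper(),
])


@dataclass
class Hit:
    ts: int
    client: str
    kind: str    # indicator type that matched
    value: str   # the matching indicator
    reason: str  # description from the feed


def parse_line(line: str) -> Tuple[str, int, str, Dict[str, str]]:
    """Split one log line into (type, timestamp, client, fields)."""
    log_type, ts, client, *fields = line.split("\t")
    kv = dict(f.split("=", 1) for f in fields)
    return log_type, int(ts), client, kv


def domain_candidates(name: str) -> Iterator[str]:
    """Yield the name and each parent domain (but not the bare TLD), so a
    subdomain of a listed domain still matches."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def indicator_candidates(log_type: str, kv: Dict[str, str]) -> List[Tuple[str, str]]:
    """Map one log line to the (kind, value) pairs worth looking up."""
    if log_type == "dns":
        return [("domain", c) for c in domain_candidates(kv["query"])]
    if log_type == "http":
        return [("domain", c) for c in domain_candidates(kv["host"])]
    if log_type == "conn":
        return [("ip", kv["dst"])]
    if log_type == "files":
        return [("sha256", kv["sha256"].lower())]  # feeds are lowercase hex
    return []


def scan_logs(text: str) -> List[Hit]:
    """Return one Hit per log line that matches an indicator."""
    hits: List[Hit] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        log_type, ts, client, kv = parse_line(line)
        for kind, value in indicator_candidates(log_type, kv):
            reason = INDICATORS[kind].get(value)
            if reason:
                hits.append(Hit(ts, client, kind, value, reason))
                break  # one hit per log line is enough for an alert
    return hits


def summarize(hits: List[Hit]) -> List[str]:
    return [f"{h.ts} {h.client} -> {h.kind}:{h.value} ({h.reason})" for h in hits]


if __name__ == "__main__":
    for line in summarize(scan_logs(SAMPLE_LOGS)):
        print(line)
```

Two details matter more than the loop itself: domains are matched on every parent label so `mail.bad-updates.example.net` still hits the listed `bad-updates.example.net`, and hashes are normalised to lowercase before lookup, since sensors and feeds do not agree on case.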


Slow Down: Wrong Cables

I made a boneheaded move this week. I went onsite to a new customer, who we love, to install a new network sensor. It’s been a crazy hectic few weeks with the growth we’re having at Perch Security, but that’s not really a valid excuse. I’m owning up to my mistake, and reflecting on it. Thankfully, our customers are super cool and they get it.

Normally, I label our sensors for easy installation.

Dang, look at that sticker

That way, our customers know which port to plug into their management network, and which port is going to be watching their mirror/span/tap. The installation went well. The sensor was talking to my cloud. The problem was, the sensor was only seeing broadcast data. No typical network traffic (HTTP, SMTP, etc.; see my earlier post). Obviously it was a mirror configuration problem. After all, if the sensor has an IP address and can talk out, the management port CAN’T be plugged into the mirror port. It’s not my problem, it’s the switch! (Uh oh, bad assumption right there, it turns out.) I would have known that if I had plugged the right sensor ports into the right ports on the switch. Ugh.
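The "only broadcast data" symptom is the one check that would have caught this at install time: a port that is really a mirror/SPAN destination sees unicast traffic between other hosts, while a plain access port sees little more than ARP, mDNS and IPv6 neighbour discovery. The script below is an added example, not the blog author's or Perch Security's code; it parses tcpdump-style `-e` frame summaries (the two captures are constructed) and reports whether the monitoring port looks like a real mirror feed.

```python
"""Sanity-check a sensor's monitoring port from a short capture.

Added example, not the blog author's or Perch Security's code. It reads
tcpdump-style "-e" frame summaries (constructed below) and reports whether
the port sees a real mirror/SPAN feed or only broadcast/multicast chatter.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Source MAC, " > ", destination MAC, then the ethertype, as tcpdump -e prints.
FRAME_RE = re.compile(
    r"^\S+\s+(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), ethertype (?P<proto>\S+)",
    re.IGNORECASE,
)
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed: the misconfigured install, where only ARP, mDNS and IPv6 ND show up.
ONLY_BROADCAST = [
    "12:00:01.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.1 tell 10.0.0.2",
    "12:00:01.000002 00:11:22:33:44:55 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 100: 10.0.0.2.5353 > 224.0.0.251.5353: UDP, length 58",
    "12:00:01.000003 00:11:22:33:44:66 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 86: fe80::1 > ff02::1: ICMP6, router advertisement",
    "12:00:01.000004 00:11:22:33:44:66 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.9 tell 10.0.0.3",
]

# Constructed: a healthy mirror feed, mostly unicast between other hosts.
MIRRORED = [
    "12:00:02.000001 00:11:22:33:44:55 > aa:bb:cc:dd:ee:01, ethertype IPv4 (0x0800), length 74: 10.0.0.2.51000 > 93.184.216.34.80: Flags [S]",
    "12:00:02.000002 00:11:22:33:44:66 > aa:bb:cc:dd:ee:01, ethertype IPv4 (0x0800), length 90: 10.0.0.3.51001 > 198.51.100.25.25: Flags [P.]",
    "12:00:02.000003 aa:bb:cc:dd:ee:02 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 120: 10.0.0.53.53 > 10.0.0.2.40000: 12345 1/0/0 A 93.184.216.34",
    "12:00:02.000004 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.1 tell 10.0.0.2",
]


def is_multicast(mac: str) -> bool:
    """Group bit: the least significant bit of the first octet is set for
    every multicast address (and for broadcast, which is checked first)."""
    return int(mac.split(":")[0], 16) & 1 == 1


def classify_frames(lines: List[str], own_mac: str = "") -> Dict[str, int]:
    """Count frames by destination class. Frames addressed to the sensor's
    own MAC (if given) are counted separately: the port receiving them does
    not prove it is a mirror destination."""
    counts: Counter = Counter()
    for line in lines:
        m = FRAME_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        dst = m.group("dst").lower()
        if dst == BROADCAST:
            counts["broadcast"] += 1
        elif is_multicast(dst):
            counts["multicast"] += 1
        elif own_mac and dst == own_mac.lower():
            counts["to_self"] += 1
        else:
            counts["unicast"] += 1
    return dict(counts)


def mirror_check(lines: List[str], own_mac: str = "",
                 min_unicast_ratio: float = 0.5) -> Tuple[bool, str]:
    """Return (healthy, explanation) for a capture from the monitoring port."""
    counts = classify_frames(lines, own_mac)
    seen = sum(v for k, v in counts.items() if k != "unparsed")
    if seen == 0:
        return False, "no Ethernet frames parsed: is the monitoring interface up?"
    ratio = counts.get("unicast", 0) / seen
    if ratio < min_unicast_ratio:
        return False, (f"only {ratio:.0%} of {seen} frames are unicast between other "
                       "hosts: this looks like a plain access port, not a mirror/SPAN "
                       "destination (check cabling and the switch mirror session)")
    return True, f"{ratio:.0%} of {seen} frames are unicast: mirror feed looks healthy"


if __name__ == "__main__":
    for name, capture in (("only broadcast", ONLY_BROADCAST), ("mirrored", MIRRORED)):
        ok, why = mirror_check(capture)
        print(f"{name}: {'OK' if ok else 'PROBLEM'} - {why}")
```

On a real install the `lines` would come from a minute of `tcpdump -e -i <monitor-interface>` output; passing the sensor's own management MAC as `own_mac` keeps traffic addressed to the box itself from being mistaken for mirrored traffic if the cables are swapped the other way round.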

Of course, this time we had a lot of new things

  • New hardware build, so I was unfamiliar with the layout of the back
  • No stickers (because they fell off in transit, argh!)
  • No indicator on the back of the sensor showing which port is which

All of these things were in place because I was rushing around like a dying chicken.  That’s a thing, right?

Now it’s time to reflect. How do I set us up for success going forward? I have instructions. I have labels. I have the know-how to do it all.

I just need to slow down.  Slow down.  Slow down.

(( Thank you for reading my self-reflection for the week. If you don’t hire me some day because of this post, that’s OK.. I ain’t perfect ))


© 2017 De-Coder’s Ring
