De-Coder’s Ring

Software doesn’t have to be hard

Category: Uncategorized (page 1 of 6)

500k per year

I recently had a conversation with an old friend of mine. There were some awesome things about his job. He loved the day to day, hands on field work.
He didn’t love the office politics, lack of career growth, etc.

I asked him: “how can you make 500k / year in your field?”

What do you think? Is that a valid question? Is that a valid goal for everyone?

My intention was to inspire thought beyond the traditional career path in his field. Not to imply his field or career was bad/wrong.

Can you earn 500k a year using the skills and passions you have? Are you stuck at 35k/year? 100k/year?

Do you need to earn more to feel fulfilled?

Amazon Linux – Java 1.8.0 for Elasticsearch 5.3

Quick note, and it’s not too hard, but took a few minutes to remember.

Amazon Linux comes with Java 1.7.0 installed. I wanted to upgrade to 1.8.0 for Elasticsearch 5.3.




Not Awesome

Just yank out 1.7.0

If you need both installed (say an old piece of code needs 1.7.0 and all your other stuff can deal with a global default of 1.8.0), update your legacy apps to set the JAVA_HOME environment variable to the real location of java-1.7.0, and update the global system like this:

Had I not removed Java 1.7 already, I’d have 1.7 and 1.8 in that list to choose from.
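The upgrade steps the post describes, as an added example (not code from the original post). It assumes Amazon Linux's yum package names (java-1.8.0-openjdk, java-1.7.0-openjdk) and the `alternatives` tool managing the system `java` link; the version check at the end is the part that actually matters, since Elasticsearch 5.x requires Java 8.

```shell
#!/bin/sh
# Added example, not from the original post: move an Amazon Linux host from
# Java 1.7.0 to 1.8.0 for Elasticsearch 5.3 and verify the result.
# Assumptions: Amazon Linux yum package names (java-1.8.0-openjdk,
# java-1.7.0-openjdk) and the `alternatives` tool managing the java link.

# Pull the major version ("1.7.0", "1.8.0") out of `java -version` text,
# which looks like: openjdk version "1.8.0_141" (and is printed on stderr).
java_major() {
    printf '%s\n' "$1" \
        | sed -n 's/^[a-z]* version "\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p' \
        | head -n 1
}

# Elasticsearch 5.x requires Java 8, so anything else means the upgrade did
# not take, or PATH / the alternatives link still points at 1.7.0.
java_ok_for_es5() {
    [ "$(java_major "$1")" = "1.8.0" ]
}

# JAVA_HOME is two directories above the real (symlink-resolved) java binary,
# e.g. /usr/lib/jvm/jre-1.8.0-openjdk.x86_64/bin/java -> /usr/lib/jvm/jre-1.8.0-openjdk.x86_64
java_home_from_bin() {
    dirname "$(dirname "$1")"
}

# The upgrade itself; only runs when the script is invoked with --apply.
upgrade_java() {
    sudo yum install -y java-1.8.0-openjdk
    # Option A: just yank out 1.7.0.
    #   sudo yum remove -y java-1.7.0-openjdk
    # Option B: keep both and pick 1.8.0 as the global default from the list
    # (with 1.7.0 still installed, both versions show up here).
    sudo alternatives --config java
    if java_ok_for_es5 "$(java -version 2>&1)"; then
        echo "JAVA_HOME=$(java_home_from_bin "$(readlink -f "$(command -v java)")")"
    else
        echo "java is still not 1.8.0; check: alternatives --display java" >&2
        return 1
    fi
}

if [ "${1:-}" = "--apply" ]; then
    upgrade_java
fi
```

Legacy apps that must stay on 1.7.0 get their own JAVA_HOME pointing at the java-1.7.0 directory, computed the same way from that binary's path.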



Cybersecurity Arms Race: The Nuclear Option

I see you

Sandboxing files and detecting unexpected system behaviors is one of the best approaches to finding exploits. FireEye did it really well when they first came out with their network monitoring products. Watch a network, extract files, shove them into a sandbox, explode, see what happens. They were credited with finding a ton of 0-day type events. Now, we can do the same with open source software.

Then you hear about malware that can detect it’s in a sandbox or a Virtual Machine. If it detects the virtual environment, it doesn’t explode, doesn’t infect, doesn’t do the bad things. Then we invest money into figuring out how to hide the virtual host or sandbox from the malware. Arms race! Who can do it better? I hide, you detect; you hide, I detect. It’s one example of the cybersecurity arms race.

In traditional warfare, the winner of the arms race has a bigger gun. Well, a bigger stick, then a bigger rock, then a bigger bow, gun, missile, etc. There’s an end game there: the nukes. Whoever has the nukes is on top. Even when the foe has a nuke, the arms race can’t continue. We’re at a stalemate: mutually assured destruction if we all use our nuclear arms. When we all have the biggest gun, none of us can use it. (Another blog post later about moving traditional warfare to the cybers, but that’s for later.)

What’s the nuclear option for cyber warfare?

The closest thing I can think of to mutually assured destruction would be taking down the Internet as a whole. It may not even be possible. Can someone wipe out all the core routers, heck, all the routers in the world? Is that the end? It makes me think of my favorite definition of envy (vs. jealousy). Jealousy is “I want what you have”: not totally bad, it can help motivate someone, etc. Envy is “I want what you have, but since I don’t, you can’t have it either”. Going nuclear on the Internet would drastically affect every life on the planet (ok, maybe not every life, but anyone who’s in a ‘civilized’ place). If it’s even possible…

Good Intel Is Hard

“Good Intel Is Hard”

– Perch SOC Lead, Patrick S

Today, Patrick and I were discussing some intelligence that we’re sensing on. This intel comes straight from a private intelligence source that’s supposed to have highly accurate and targeted intel. Our focus is on private sharing communities, e.g. ISACs, ISAOs, etc. In our experience, these sources of intel are supposed to be highly relevant and vetted, to make sure members of said communities are watching out for the most significant threats to their industry or community.

Contrast that to a threat feed like the open source Emerging Threats data. It’s excellent data that everyone needs to be detecting against. It’s just not specialized. It’s valid data that’s publicly available, and you should detect on it. (I’m trying to be super clear here: I’m not knocking ET at all. Use ET data, pay for ET Pro, you need it; but it’s table stakes, and getting the data from that source is key.)

There are a few issues in the state of cyber intel that I see so far:

  1. Even targeted, industry-specific intelligence ingests ‘other’ intel, thereby making it not very targeted. (One-stop shop for intel vs. highly focused and relevant.)
  2. Intel is shared before it’s vetted, leading to a lot of garbage (BUT I tend to prefer this, compared to ….)
  3. Intel is researched, vetted, and analyzed before it’s shared, slowing down the release of information.

TIPs and Private Communities

TIP = Threat Intelligence Platform: a content management system that specializes in the creation, collaboration, ingest and export of cybersecurity intelligence data in standardized formats, for human and machine consumption.

ISACs (Information Sharing and Analysis Centers) and ISAOs (Information Sharing and Analysis Organizations) offer communities a fantastic resource, when they’re run well. They provide a common center for analysis, research, and communication with other groups (FBI/DOJ, three-letter agencies, etc.), and are chartered to disseminate intelligence to their members. The issue that I’m currently running into while automating intelligence into detection is that these highly focused groups are ingesting data from other organizations or intelligence sources. They’re ingesting some commercial and public feeds. This dilutes their value, in my opinion. Any tool that’s worth its salt (what a weird saying) already pulls in open source intelligence and even popular closed source intelligence. Continue to add value by focusing on and sharing highly relevant data.
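One way to put a number on the dilution described above (and on issue 1 in the list earlier): compare a community feed against the open-source feed your tooling already pulls in and see what is actually unique to it. This is an added example, not code from the original post or from any TIP; both feeds are constructed sample data, and the refanging rules cover only the `[.]` and `hxxp` forms.

```shell
#!/bin/sh
# Added example, not code from the original post: measure how much of a
# "targeted" community feed is really re-shared open-source intel.
# Both feeds are constructed sample data, not real indicators.

# Normalize a feed read from stdin: drop comments and blank lines, refang the
# common defanged forms (example[.]com, hxxp://), lowercase, sort unique.
normalize_feed() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' \
        | sed -e 's/\[\.\]/./g' -e 's/^[Hh][Xx][Xx][Pp]/http/' \
        | tr 'A-Z' 'a-z' | sort -u
}

# Indicators only the community feed ($1) has, versus a public feed ($2):
# after concatenating community once and public twice, a line that occurs
# exactly once can only have come from the community feed.
unique_to_community() {
    { normalize_feed < "$1"; normalize_feed < "$2"; normalize_feed < "$2"; } \
        | sort | uniq -u
}

# Indicators present in both feeds (the part any decent tool already has).
already_public() {
    { normalize_feed < "$1"; normalize_feed < "$2"; } | sort | uniq -d
}

# Percentage of the community feed that is already public.
dilution_percent() {
    total=$(normalize_feed < "$1" | wc -l | tr -d ' ')
    shared=$(already_public "$1" "$2" | wc -l | tr -d ' ')
    [ "$total" -gt 0 ] && echo $((shared * 100 / total)) || echo 0
}

# Constructed sample feeds (not real indicators).
WORK=$(mktemp -d)
cat > "$WORK/community.txt" <<'EOF'
# ISAC weekly share
bad-cdn[.]example[.]net
203.0.113[.]7
invoice-portal.example.com
HXXP://login-update.example.org/
EOF
cat > "$WORK/public.txt" <<'EOF'
bad-cdn.example.net
203.0.113.7
http://login-update.example.org/
EOF

echo "unique to community:"; unique_to_community "$WORK/community.txt" "$WORK/public.txt"
echo "dilution: $(dilution_percent "$WORK/community.txt" "$WORK/public.txt")%"
```

For the sample feeds three of the four community indicators are already in the public feed, so the community share adds one new indicator and is 75% diluted.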

Vetting of data

There’s a balance between sitting on data too long and being paralyzed by analysis, vs. sharing data too early that turns out to be wrong. I’d lean toward sharing too early rather than too late, though. It’s very easy to tell if[.]com is a False Positive. I don’t mind an analyst taking 5 minutes to figure that out. I tend toward that, compared to holding valuable intelligence too long “just to make sure it’s super bad”. By then, my systems may be “super dead” (to quote A. Hamilton, or at least the musical, Hamilton).

If you’re pretty sure it’s bad, push it out. Let the boots on the ground figure it out for sure. Worst case scenario, we spend 5-10 minutes investigating alerts because of it. Best case scenario, I was alerted to some outbound traffic to new C&C infrastructure and was able to squash it REALLY quickly.





© 2017 De-Coder’s Ring
