|
To expand on the Practical Malware Analysis front, this popped up on github the other day: https://github.com/RPISEC/Malware (see the "About the Course" section). Might be a worthwhile place to start if you have some interest in reversing.
|
# ¿ Jan 14, 2016 17:28 |
|
|
Rufus Ping posted: If you're running linux without grsec (which renders this unexploitable) you're a bit of a mug imo

I worked with spender, he is a cool and smart guy. Run grsec.
|
# ¿ Jan 20, 2016 06:54 |
|
ReagaNOMNOMicks posted: I have never ever posted ITT or anywhere in SH/SC I think because I'm a mere user but I think I found something you guys might like!

Drupal, Joomla, Wordpress... any time I do a "hacked" web server investigation, it's a 99% chance that it's one of those. Not surprised at all.
|
# ¿ Apr 6, 2016 19:18 |
|
OSI bean dip posted: We've been using it in a DFIR setting as of late

God yes, Splunk is awesome for log comparison.
|
# ¿ Apr 28, 2016 13:12 |
|
Twerk from Home posted: You really shouldn't be running any sort of Antivirus product in 2016.

I would qualify this by saying "you shouldn't be running antivirus as a primary line of defense in 2016". There are some use cases for it, but it's better supplemented with additional tools (on endpoints at least).

I can point to a real world example with a customer I just finished working with that had no security software on approximately 1000 endpoints in a healthcare environment, even though they had a standing contract with a major AV vendor. They didn't replace AV with anything, they just didn't have anything on their systems. When they got hit by a 7-year-old worm and came screaming to us, we pointed out that the exact hashes they had would have been picked up by their AV solution and they really had no excuse as to why it hadn't been deployed.

Traditional AV is on life support, but as a last line of defense (e.g. if AV detects something you're already hosed but maybe it might save you a little bit) it's worth having.

EDIT: I should note that there were a lot of internal politics that led to that decision (due to acquisitions and such) but people are literally taking the saying "AV is dead" at face value and running with nothing, in the real world, in 2016. The security industry needs to be careful about what they soapbox.

co199 fucked around with this message at 22:55 on Apr 29, 2016
|
# ¿ Apr 29, 2016 22:52 |
|
Wiggly Wayne DDS posted: The current use cases for AV are checking a box on audits and providing an entrypoint for everyone else.

The circumstances around this engagement were more complicated than just "oh they weren't running AV lol it would have fixed them". I think we're all aware of the travesty that is the healthcare IT environment, especially concerning legacy applications and operating systems. You're absolutely correct that they weren't keeping systems securely up-to-date and again, it's more than just a case of AV solving the problem - I was simply using it as an example where actually having an AV product deployed would have helped with one aspect of the issue.

There are other, better answers (including tools like Carbon Black) for getting visibility into endpoints, and I'm certainly not hopping on the AV dick to say everyone "needs" AV. I agree completely that there are better tools out there - again, not saying AV is a necessity - in this case it would have been better than the nothing they had, even if not the optimal (multiple layer) solution. You obviously have to balance hardware, software and personnel solutions along with actual effective policies internally.

We were deployed in an IR capability, predominantly to identify just what the gently caress was happening as the customer had no visibility and no idea what the gently caress was going on. Our initial reaction was "burn the whole thing to the ground and start again", but unfortunately that wasn't realistic so we actually engaged other teams that had standing relationships with the customer (and SMEs on the tools in their environment) to help with remediation.
|
# ¿ Apr 30, 2016 00:01 |
|
Subjunctive posted: It's also possible that wearing a seatbelt can kill you by trapping you in a car, but the seatbelt soapbox is still exactly the right one to stand on. You can have a fatal reaction to a vaccine, but you should still get them. The most likely outcome of having AV installed is worse than the most likely outcome of skipping it.

I'm not trying to be an rear end in a top hat here, but can you give me a real-world example of securing an environment of say, 10,000 endpoints (we'll softball it with a mix of XP, 7 and 10, Server2k3, 2k8r2 and 2k12) without using AV and without getting laughed out of a boardroom for presenting a cost of $texas?
|
# ¿ Apr 30, 2016 00:15 |
|
Subjunctive posted: My company has > 10K end-user machines and we don't run AV.

I wouldn't replace AV, that's the point - I'd use it in conjunction with other tools. You didn't answer the question, you just asked another one.
|
# ¿ Apr 30, 2016 00:19 |
|
|
apseudonym posted: Why do you think using AV makes it cheaper?

Ok, I'm not saying AV makes it cheaper, my question was specifically around securing a large enterprise, without AV, for a "reasonable" price. That's probably too broad of a specification, realistically, but for the sake of conversation we'll let it stand.
|
# ¿ Apr 30, 2016 00:22 |