Jowj
Dec 25, 2010

My favourite player and idol. His battles with his wrists mirror my own battles with the constant disgust I feel towards my zerg bugs.
I've got questions regarding powershell use as a company that has to pay a great deal of attention to potential attacks. I work in sysops. Our infosec team is trying to get powershell (as an interactive console) blocked via our AV in order to reduce risk if we get attacked.

1) My understanding is: this is stupid. If we get to a point where someone has gained shell access then we have hosed up somewhere else. Is my understanding wrong?

2) This hinders some ad hoc troubleshooting. I've explained this to our infosec team but they aren't swayed.

3) I've explained that blocking powershell but allowing custom .net/c# execution is: hilarious but still no change. This isn't really an argument against blocking powershell so much as an argument against their current policy set, but still.

Am I on the wrong side here? I know bits and pieces about security but obviously it isn't my field professionally so I'm trying to find more information. Is there existing literature on this that I should trust? If I'm right, and blocking powershell console access on servers is silly, how should I approach the infosec team to get them to change their minds and policy?

Jowj
Dec 25, 2010

Here's some data that was useful for me to discover, that wasn't immediately clear to me based on reading the three MS patch pages:

1) Microsoft released a patch for certain builds of Windows, but not all. List here:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

2) Microsoft is only making that patch available to Windows clients using particular AVs. Turns out that a bunch of AVs were making unsupported calls to kernel memory that don't play nice with the patch, and can cause a BSOD if the patch is installed on a machine with a naughty AV.

article: https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released

But it gets sliiiiiightly more murky. As it turns out, if you're running two AVs (lol i know) then you can get this patch pushed to you and be made vulnerable to BSODs. For a real life example, Defender comes installed by default on Win10 builds, and even if it's disabled / stopped / set to manual, the "this is a good AV" reg key appears to persist. Thus, even when running only 1 AV (that's 3rd party) that ISN'T supported, you can still get the patch and put yourself into dangerous situations.

3) Even once you get the patch installed it is ineffective for both vulnerabilities without a microcode update. As far as I can tell, Dell, for instance, has yet to release anything, but it's so frustratingly difficult to tell if that's true or if it's just buried somewhere.

There, I hope any of that is useful to other people whose week is similarly cratered. If anyone has corrections or experience to share I'd love to hear it.

Jowj
Dec 25, 2010

incoherent posted:

Windows 10 will let you run defender and your preferred AV simultaneously and I think it yields to the 3rd party for major cleanup but it gives a "hey buddy" notice.

Hm. If it's *intended* to run that way then maybe I'm interpreting the article wrong, but it seems like this opens you up to BSODs per the articles linked previously. Cylance, for example, absolutely does not add the reg key and this has been confirmed by their reps. Verified that Cylance does not add the reg key in Win8.1. But in Win10 Defender comes by default and does add it, and I've been able to pull the 1/3 update down no problem. I've done it again and will let you know if I run into any BSODs.

Jowj
Dec 25, 2010

BangersInMyKnickers posted:

The conflict is in the kernel hooks for the real-time scanning engine. When defender sees 3rd party AV, it disables its realtime protection and only does on-demand scanning. It's probably a non-issue unless you have two 3rd party engines with real-time scanning enabled at once.

Good info. If that's the case then it looks like it would be problematic due to this:
https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windows-security-updates-released

microsoft posted:

The compatibility issue is caused when anti-virus applications make unsupported calls into Windows kernel memory. These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot. To help prevent stop errors caused by incompatible anti-virus applications, Microsoft is only offering the Windows security updates released on January 3, 2018 to devices running anti-virus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update.

Since Cylance doesn't add the reg key it is likely it *does* currently make unsupported calls into Windows kernel memory.

Jowj
Dec 25, 2010

Diva Cupcake posted:

Cylance and Carbon Black have announced compatibility with Microsoft patches but wont be setting the required registry key just in case clients are using multiple endpoint platforms that could be incompatible.

If you're using those you'll have to push out reg keys yourself.

Discovered that today. Good news for us, though, is that if you're using SCCM you don't have to push the reg key beforehand: just install, add the 2 reg keys after, reboot, and then it seems to be good.

Jowj
Dec 25, 2010

CLAM DOWN posted:

Have any of you done OSWE or eWPT for web app pentesting certs? Thoughts?

Are you asking for more info on the certs themselves? Because I'd like to know more as well. My boss wants to move two of us into more purple teaming type roles and I don't have *any* knowledge of webapp security stuff beyond OWASP.

Jowj
Dec 25, 2010

I really extremely like Splunk (and to lesser extents, ELK / Graylog). But whatever you do, do not loving get the Cloud offering. Do not let finance shout you down about capex vs opex. Get on prem if you value sanity, and quick turnarounds on support tickets.

It absolutely has its cons, but I'll take it over the other two things I've used:
McAfee (was powerful, just an absolute pain in the rear end to do anything.)
InsightIDR (not even a SIEM, just marketed as one. It was much better as UserInsight if you had a completely different SIEM system)

Jowj
Dec 25, 2010

Softcox posted:

I’m currently tearing my hair out dealing with Splunk cloud support, the one saving grace of Cloud is hybrid search. Having an on-prem search head at least gives you some additional flexibility :argh:

Yeah, it's _infuriating_.

I don't know about hybrid search with cloud; what did having the second search head give you? I'm trying to figure out what it would gain me and can't think of anything but I'm guessing that could easily be explained with a "scale" thing.
Lain Iwakura posted:

Cloud support's SLA is absolute garbage. The amount of time it takes me now to install an app in contrast to how long it took when they managed it for me is absolutely asinine.

You migrated to on prem? Were you able to retain the logs from cloud instance? Did they move over to your new cluster or stay in the cloud, accessible but apart from your new cluster?

In about...8 months when we hit the end of the contract with Splunk Cloud I'm gonna be pushing hard for on prem and am curious about road blocks.

Jowj
Dec 25, 2010

Lain Iwakura posted:

Yes, yes, and to answer your last question: we hired a contractor to create a hybrid search and then once the new indexers were in place we had the pre-existing data migrated to an S3 bucket and then restored via that. It took us about two months to get it down right but minus some hitches with our local forwarders, everything went flawlessly. What made it not suck so much was the fact that we were still going to have it all in AWS but 100% in our control otherwise.

Dope. That process doesn't seem like murder, and my env would only have like 6-8 TB to move around.

Lain Iwakura posted:

If I ever get it cleared by my director, I'll probably blog about it.
If it ever gets cleared I'd def read it, that'd be hella useful. Splunk turned into an "I own it" but I lack the background so it's a lot of figuring poo poo out from scratch.

Jowj
Dec 25, 2010

CLAM DOWN posted:

I'm trying tenable.io for the first time, it's really slick. Big step up from the older version of Security Centre that I've used for years at my last job.

welp that's my monday infosec thoughts, cheers

What are the things that you like about tenable.io?

I have heard absolutely terrible things about Tenable from a friend running TVM at another company (mixed SecCenter and tenable.io). I have mild complaints and irritations with Nexpose but nothing major, and I'd def recommend you check them out if tenable.io isn't suiting your needs.

Monday Infosec Thoughts:
Trying to wrestle Splunk Universal Forwarders to take PowerShell input appears to be a pain in the rear end and I really wish I had proserv for some questions like this.

Jowj
Dec 25, 2010

BangersInMyKnickers posted:

I'm doing some test work for the Splunk guy to get away from running the UF on all the endpoint and instead do event log subscriptions out to a collector box and then drop the UF on just that, similar to how we're doing our syslog ingest. Seems easier to propagate and the permissions model is much nicer since it will run with Event Log Readers perm instead of local admin or [shudder] DA.

Oh please talk about this! Two big things I want to implement are:
- WEF to a collector box (you can't get rid of the bullshit at the end of windows events unless you are handling log ingestion to the indexing cluster from a heavy forwarder) which will end up saving us a few 10s of gigs on our license
- Getting everyone on at least WMF5 for powershell OTS and scriptblock logging

It seems like to do WEF right the company needs a PKI, which we do not have, and the PS logging seems to require some new shares set up to get it done right. How are you going about it?
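As an added example (not code from the thread or any poster), this PowerShell script turns on the WMF 5 script block, module and transcription logging the post above wants to roll out, using the same policy registry keys Group Policy writes, and then confirms a 4104 event actually lands. The transcript share path and the `Set-PolicyValue` helper are assumptions for illustration.

```powershell
# Added example (not from the thread): enable PowerShell script block, module
# and transcription logging via the policy registry keys Group Policy sets,
# then verify that 4104 events are being written.
# Assumption: \\FILESERVER\PSTranscripts$ is a placeholder for a write-only share.
#Requires -RunAsAdministrator

$TranscriptShare = '\\FILESERVER\PSTranscripts$'   # placeholder, not a real path

# 1) Script block logging needs WMF 5 / PowerShell 5.0+ on the host.
if ($PSVersionTable.PSVersion.Major -lt 5) {
    throw "PowerShell $($PSVersionTable.PSVersion) found; WMF 5+ is required for script block logging."
}

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Helper (assumed, not a built-in): create the policy subkey if needed and set one value.
function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = Join-Path $policyRoot $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 2) Script block logging: every block PowerShell compiles is written as event 4104
#    (after de-obfuscation) to Microsoft-Windows-PowerShell/Operational.
Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

# 3) Module logging (event 4103): '*' records pipeline execution for every module.
Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
$modPath = Join-Path $policyRoot 'ModuleLogging\ModuleNames'
if (-not (Test-Path $modPath)) { New-Item -Path $modPath -Force | Out-Null }
New-ItemProperty -Path $modPath -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# 4) Over-the-shoulder transcription to a central share (the "new shares" part of the post).
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value $TranscriptShare -Type String

# 5) Verify: a fresh process compiles a script block, so a 4104 event carrying
#    our marker should appear in the Operational log.
$marker = "sbl-check-$(Get-Random)"
powershell.exe -NoProfile -Command "Write-Output '$marker'" | Out-Null
Start-Sleep -Seconds 2
$hit = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$marker*" }

if ($hit) {
    "Script block logging confirmed: event 4104 at $($hit[0].TimeCreated)"
} else {
    "No 4104 event containing the marker yet; check that the Operational log is enabled."
}
```

The policy values are read when a PowerShell process starts, which is why the check spawns a new powershell.exe rather than testing in the current session.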

Jowj
Dec 25, 2010

BangersInMyKnickers posted:

The documentation says you only need PKI if you don't have kerberos for system authentication (or go noauth yolo and rely on the firewall). Hopefully that's true, since I'm banking on it. Test environment is still locked up in a zone while I wait for firewall rules to get opened so I can get it pulling logs.

Interesting. I didn't catch that at all. Well, that's nice :).

RE: test environment, I literally cannot get anything stood up because our pipeline is terrible, so I am forced to write my own local one. I'm using https://github.com/VirtualEngine/Lability to manage my free trial media for this project. So far I've only got 2 VMs and a private switch auto building because I've never used DSC before, but it seems like this'll work for me, at least to PoC before I ask for small changes in existing environments.

Jowj
Dec 25, 2010

Boris Galerkin posted:

It's pretty good I think. It's not really an app like macOS/Windows but a plugin for Chrome and Firefox. It autoupdates versions just fine and the hotkey is a bit different (can't set win+\ or alt+\ for some reason) but it's not an issue. I never use the actual app on my MBP anyway so I don't know if I'm missing anything without the native app. I just do all my password janitoring on the 1password.com website.

But 1Password on Linux works as expected. Multi page logins like Google works. Hitting the hotkey on 2FA forms pastes the 6 digit code.

They've also got a CLI version if you're into that.

Will also add that the 1pass client for Linux only exists if you're using the loving 1passX poo poo with a 1pass sub. This may have been mentioned already but I am Quite Upset about it :(((.

If you have a self-hosted vault through whatever, Dropbox, you can't open it on Linux.

Jowj
Dec 25, 2010

Maneki Neko posted:

Apple turned off Group FaceTime at a server level, guess it wasn’t quite ready to leave beta

TBH I like the response. Like that's a good zing and everything but respect to whoever created the "what happens if FaceTime gets super hosed" document.

Jowj
Dec 25, 2010

Proteus Jones posted:

Oh, I forgot another one

@tqbf - Thomas Ptacek (founder of Matasano Security) Super smart, met him when he brought on as consultant at $International_Bank. Be aware, he puts his foot in his mouth sometimes and digs in when he should walk away. Still a good guy who know his poo poo.

Seconded.

He tweets a lot more than I would really like (so that the signal/noise ratio is reasonable) but he's a good follow. He knows his poo poo but also won't stop reading hackernews, so

Also, I'd recommend following the people whose work you really like via RSS subscription to Twitter lists. It means you're not on Twitter all day.

Jowj
Dec 25, 2010

LtCol J. Krusinski posted:

I know the first rule of Infosec fight club is don’t roll your own crypto. I totally get that. I’m looking to understand cryptography a lot more than this is a good protocol and this is a deprecated protocol level. I’d like to maybe understand cryptographic primitives, and modern cryptographic engineering. So with that said: Books? YouTube’s? White papers you think are a must? All is appreciated. Thanks!

I will nth cryptopals - it's really good. Here's some other stuff that might not be covered in the typical responses to the question. This is stuff from my backlog of poo poo recommended from Twitter / some poo poo I've actually read and liked:

Colm MacCárthaigh is an incredible resource. A lot of his tweets are about his singer-songwriter stuff but he's been involved in crypto for ages. Here's some collections I made (sorry for collections, it's the only way to link tweets sanely):
- How to learn crypto: https://twitter.com/Jowjoso/timelines/1037328324006240256
- (this is just a cool link rather than practical learning:) Colm was working for AWS when heartbleed dropped, here's a story about it: https://twitter.com/Jowjoso/timelines/1115082981121691653

LVH is a cloud security and cryptography guy for Latacora (a great company to follow if you are into security and crypto in particular: tqbf is the founder and he's rad)

- lvh wrote a crypto 101 guide. Talk + a github book: https://www.youtube.com/watch?v=3rmCGsCYJF8 https://www.crypto101.io/
- This is a collection of recommendations that Latacora published for different crypto use-cases. Putting it here even though it's all Latacora people: https://latacora.singles/2018/04/03/cryptographic-right-answers.html

Schneier stuff:

- if you're curious about crypto history he recommends: "The Codebreakers" by David Kahn. I tried to read this and got BORED in the first chapter. I should really read it eventually.

- Applied Cryptography is a deep dive. It's also old. I believe this is superseded by Cryptography Engineering, but I haven't read CE. Someone else in the thread?

- Practical Cryptography is supposed to be akin to a c-level summary of AC. Haven't read it

Books I can't speak to personally but have come up in threads before:
- Handbook of Applied Cryptography by Menezes, van Oorschot, and Vanstone

- Security Engineering by Ross Anderson

Oh, EDIT:
For context I am not a crypto man, I'm just into it. I believe there are a few people in the sec threads who are actually knowledgeable about crypto who can hopefully chime in and correct any bad recommendations I made.

Jowj
Dec 25, 2010

Arsenic Lupin posted:

My dad was big into crypto and crypto history, with a well-stocked set of bookshelves, and I agree that The Codebreakers is just too drat big unless you're seriously, seriously into it. (Tried rereading it when I was there for his funeral. :( For a lightweight intro, try Simon Singh's "The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography".

Kahn himself wrote a fun biography of Herbert O. Yardley, "The Reader of Gentlemen's Mail". Yardley is notorious for (A) using his skills to break the Japanese diplomatic code in WWI (B) writing a book about it. The second part was not well-received. I haven't reread "The American Black Chamber" in years; it's self-aggrandizing, but a gripping yarn. "Cryptography" is a big subject; the part of it that interests me, and that I read about, is all the premodern stuff, up to say Venona. If anybody knows a good nonfictional overview of what's happened since computer cryptography became dominant, I'd love to hear about.

This is rad as poo poo. Thank you for the recommendations, I'll pick up those books!

Jowj
Dec 25, 2010

fyallm posted:

LoL. Now imagine trying to get people into vulnerability management consulting.

ayy I do vuln management (and automation and IDR and and and and, whatup small teams). I'd love for you to expound on what vuln management consulting is like.

I'm imagining either:
A) "no really you should be scanning a lot and build out a program where stakeholders own the risk their department generates and yes definitely patching"

B) "I will build configure and run TVM for you for 3 months and then hand it off peace"

my next steps after my current job are pretty limited if I'm looking for continued growth; either a Very Small company where I own more poo poo, a very large company where I own one thing and get to dig in, or consulting to grab even more breadth, pay, and lose my social life. Any deets you wanna pass on wrt consulting I'd love to hear.

Jowj
Dec 25, 2010

apropos man posted:

Haha. Alright, then. A recommendation for a package that will do basic network monitoring and I'll configure alerts by email myself.

I think Zeek is the software you are looking for here then. It used to be known as "Bro".

Jowj
Dec 25, 2010

evil_bunnY posted:

It is if your infra team keeps letting a basic scan find legit issues, and your CISO has literally zero weight I guess.

yeah. I'm still learning how to sort through companies like this in the interview period, so my current job is pretty poo poo (but it does pay well)!

Defenestrategy posted:

I've kinda always wanted to get a job in the cybersec part of corporate IT, but my recent experience with it, at least at $currentcompany, is that it's effectively running Nessus and making note of the poo poo Nessus finds, while me and my compatriots in the infrastructure department are the ones who handle poo poo like firewalls, VPNs, user education, patching, site access control, most of the policy stuff, and a lot of other stuff that I would think would fall in the cybersecurity division's lap. Is this a common thing?

ime small shop infosec seems to be at least some, maybe all, of:
- run everything scan related: scan infra > triage > project manage the remediation process
- run everything SIEM related: admin the SIEM, tweak rules, do terrible IDR
- do user education / yell about phishing
- run the probably corp mandated AV

there’s also a lot of straight up infra work that is needed in security roles, which i particularly enjoy. writing playbooks to automate new collector / scan engine build outs, gluing a bunch of messaging services into your actual company-used messaging service, automating reports from services that don’t have a real reporting engine, creation of tooling in python and powershell, etc etc.

I am very surprised your infra folks are doing policy creation lol.

Jowj
Dec 25, 2010

SAVE-LISP-AND-DIE posted:

I'm investigating a move from developing line of business apps in finance to infosec. I've got ~5 years experience as a software engineer, following a 2 year stint in customer success at a software company. Over the last 2 years it's become my job to "do security" :allears: on my projects. Yeah, it's distressing from an organisational perspective, and I've been trying to learn as much as I possibly can but I've discovered that I enjoy applying the practices to our code base and infrastructure. In my experience that seems out of the ordinary for a dev, so why not get paid (more?) to do it full time? I understand infosec is a massive sector, I suppose I'd see myself specialising in defensive application security, but I'm still early on in my research.

Anyway, I'm looking for general opinions about this kind of move. Has anyone done it themselves or witnessed it? Good/bad idea? What does a typical job look like: full time, consultant, one or many clients? Am I going to kneecap my earning potential (UK based)? Do I need qualifications to get work? Coming from the software eng world qualifications are almost a foreign concept :v:

I think doing AppSec is a good way forward for you, yeah. There are other roles that may also be good fits once you have your foot in the door, officially.

I can't speak to a few of your questions, but I can provide some general experiences I have:

- smaller shops probably won’t have a dedicated appsec person; they may have a role that does that in addition to other things, not have one at all, or outsource it completely. this may limit your job opportunities to contracting or larger orgs in general. This likely is locale specific!

- qualifications are a sore point in the community; you may run into some people who swear by them or people who hate them. Look at job listings in your area and see what they request; in the US, at least, it's common for people to ask for things like CEH, Sec+, and CISSP even when none of those apply to the job you are interviewing for. You can get by without them sometimes, but it makes it harder to get through the HR screen.

This thread is mostly not appsec folks (though there may be some around!). It may be useful to you to check out a local security meetup and get some resources there (OWASP has a Slack channel dedicated to mentoring, for instance, that might be useful to you).

Jowj
Dec 25, 2010

CLAM DOWN posted:

Curious, do you all use hard tokens or phone apps for 2FA? We got rid of our RSA fobs in favour of the Microsoft Authenticator app.

Personally, both (NFC yubikeys are cool!). At work, only soft tokens because of budget.

Jowj
Dec 25, 2010

Defenestrategy posted:

Good play, if he's a cop now he has to tell us.

yeah, if you ask a cop his favorite movie he has to tell you it’s entrapment (1999)

Jowj
Dec 25, 2010

Esran posted:

2.16.0 should have deleted the lookup-placeholders-in-log-strings code, and also have disabled JNDI by default. Is it still vulnerable in some way? Google doesn't turn up anything for me about 2.16 still being vulnerable, just the 2.15 released last week.

I saw people on Twitter posting about it but the only thing I could find was some PR about how all the docs are bad and don't tell people that untrusted input is dangerous. which like, fine, they probably are bad! but that's not really what I care about in this context.

did anyone find other reasons for 2.16 to be considered bad?

Jowj
Dec 25, 2010

alright. The 2.15 DoS has been upgraded to RCE.
https://logging.apache.org/log4j/2.x/security.html

2.16 now has a DoS found in it.

Jowj
Dec 25, 2010

Rooney McNibnug posted:

Apologies, for I am tired

I told my lady the other day that I haven't been this tired since I was a teen staying up 3 days to play Quake; I am beaaaaat

I hope your poo poo is almost done and you get to nap soon ✨

Jowj
Dec 25, 2010

Defenestrategy posted:

Can yall give me some insight into how yall triage/remediate your pentest/scan tickets.

Currently we're a small department responsible for both infrastructure and product security. When we run scans we're taking note of the who, what, when, where, why and how to fix whatever problem and kicking them over the wall to either side of the house. The product side is fine with this because they have a ton of devs so they generally fix stuff fairly quick, the IT side is very slow with this because theyre an equally small department with other priorities. Our manager wants to somehow lower their mean time to remediation, but I dont see how beyond either doing as much of the infra tickets as we can before kicking over stuff that we absolutely cant do with our permission set or getting the company to increase IT headcount.

In cases like this it's really important to look into systemic themes behind individual vulnerabilities found in a scan.

Is there a regular patching cycle or not? If not, push for that rather than individual vulnerability remediation, and move to using aggregated metrics over time to measure the efficacy of the program.

Are you finding vulns in containers? Is there a system that ensures folks are following latest major lts versions? If not, that's a good place to spend time and human capital.

Are folks using a myriad of OSes and images? Probably worth looking into building a blessed image factory for a few supported OSes and trying to get people onto the same standard. Building out an image factory will also allow certain kinds of workloads to be run ephemerally, which can address a whole swathe of patching issues.

Basically, if they can't improve mean time to remediation under the current system, evaluate if the current system is any good and then make changes to it (with their partnership).

Everyone's MTTR looks great if every time they deploy they get the latest system patches :)
