Blue Team

573 readers
1 users here now

Blue Teamers are the first (and sometimes last) line of defense in the ongoing cyber war. This place is to chat out detection strategies, complain about SIEMs, compare SOAR playbooks, or post mean memes about the Red Team.

founded 1 year ago
MODERATORS
1
 
 

Hey everyone! Since we're creating a new community here, I'd love to hear who's here.

I've been doing security for a bit over 30 years now. Made it up to a divisional CISO, then climbed back down the ladder to find a good work/life balance. Currently part of the security leadership team at a large US bank. I run a couple of teams right now, including a firewall policy engineering team and a production support center of excellence. I'm looking forward to seeing what type of community we can build here.

2
 
 

I'm not a vendor, I'm just curious what experience people have with implementing security control frameworks?

DOD uses DISA STIGs. Else uses CIS benchmarks, or self developed based of NIST CSF?

To what degree is your organization using any of these?

Are they enforced? Monitored?

Using any vendor solutions that don't suck?

Does anyone care except you (hopefully ๐Ÿ˜‰)

3
 
 

I'm curious what tools, SaaS, or other solutions are being used for vulnerability assessments?

DOD calls it ACAS, which is just an acronym for required assessment program of record they currently fullfil with Nessus scanner and related vender solutions.

Anyone have Nessus experience that can compare to another vendor? Good, bad, etc?

4
 
 

I did a dive into what you can get out of the Edge (and probably Chrome(ium)) History sqlite database. It logs quite detailed data - useful for forensics!

5
 
 

Automated Audit Log Forensic Analysis (ALFA) for Google Workspace is a tool to acquire all Google Workspace audit logs and perform automated forensic analysis on the audit logs using statistics and the MITRE ATT&CK Cloud Framework.

By Greg Charitonos and BertJanCyber

6
 
 

The hacktivist group Anonymous Sudan claims to have breached Microsoft and stolen credentials from 30 million customers. Microsoft says they are lying. The group has done a lot of DDoS attacks, and claimed much bigger impact than they really have had. Exaggerated claims may lead to increased "panic state" at the top of the corporate food chain. How do you communicate about threat groups making bold statements like this to your higher ups or customers?

7
3
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]
 
 

TL;DR: Is ISO27001 easy or am I just too dumb to see the complexity?

Hi!

Just wanted to start some conversation on a standard that's sorta kinda infamous where I'm currently at, the ISO27001 standard.

I got tasked with "polishing up an ISMS" for a company and while I can't go into details, I got basically a control name (from 27002:2022) and a description of "what we need it to do." Now that I got into it, I feel that I may be missing something. Most of their controls are "Limit access to server room" or "Make sure access is logged and not permanent."

Like, the standard is not difficult reading, but if they can explain to ME how the controls should look in the end, what am I missing? Is there some extremely difficult part? Or can I just say "Just make the creds timeout after a month. Source: dude trust me?"

If you were tasked with implementing ISO27001, did you encounter any specific hurdles that I may not see from where I'm standing? The only thing I can see after I got through all the controls was a feeling that this will be more expensive on time for the security teams.

Thank you for coming to my TED(x) talk.

8
 
 

I have found Excel to be quite useful for collecting data, doing summary analysis of logs, etc. I also liked this blog post from Mandiant, about using Excel to timeline artefacts with very different structure. It takes a bit of work using find, left, mid, right, concat, etc, but then it is quite useful! Another good thing is that a lot of people are better at creating Excel sheets than doing XPath queries.

Anyone else using Excel for DFIR, and how do you use it?

9
10
 
 

cross-posted from: https://infosec.pub/post/86834

This is an excellent series on container security fundamentals by Rory McCune who is a bit of an authority in this field:

11
12
 
 

If we are going to build a good community, we need some content! Here's a new feature in Kusto I have found useful in Sentinel, making it easier to do geolocation lookups in queries: geo_in_from_ip_address.

If we all share a little trick or something we have recently learned now and then, this will be a useful community!

13
 
 

Whether you are a buyer of security services, or a provider of them, what metrics, visuals, information is actually important to customers? What is the preferred way to consume reports - emails, dashboards, PDF reports, chat bots, smoke signals? Any thoughts and inputs much appreciated!

14
15
 
 

Some more context around the .zip domains.

16
17
 
 

๐Ÿ‘‹ Hello all! So, how big is your security organization and how are responsibilities split across teams?

I've been through I don't know how many reorgs and seen quite a few place, and while some patterns emerge it's always interesting to see how Security is split up.

In my current company we evolved from:

  • 6ppl: one security team
  • ~12ppl: one security team, distributed between two locations
  • ~12ppl: infrasec team, appsec team
  • ~30ppl: infrasec team, dir team, appsec team, risk/audit team
  • ~60ppl: infrasec team, dir team, corpsec team, appsec tooling team, appsec consulting team, risk/audit team, compliance team
18
 
 

But instead of pissing on them... Bravo for enlisting the help of @huntress to do a code review. This vuln is NOT being actively exploited... yet.

https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability