June 28, 2024
The volume and quality of Threat Intelligence for Linux attacks have traditionally lagged behind that for Windows, despite Linux's significant cloud presence. Most reports have focused on reverse engineering Linux-based malware and attack tools. While valuable, this approach is difficult to translate into actionable detection due to the limited data available to detection engineers and security analysts.
June 22, 2024
The Cybersecurity Kill Chain is a widely taught framework in the field. Early in my career, I didn't realize it could be used as a practical investigative aid for defenders, not just an academic concept. I believe this is partly because it's written from an attacker's perspective, which doesn't always translate well for defense. Additionally, its vague language makes it awkward to apply: not every phase is relevant to many attacks (this is more than an edge case), and there are frequent overlaps between phases.
June 19, 2024
If you work in cybersecurity or tech, you’re likely familiar with hashing. A cryptographic hash function generates a fixed-size hash value from any given input data. This is a one-way process, making it computationally infeasible to reverse-engineer the original data from the hash value. Hashing is excellent for identifying specific files or binaries, such as a particular malware sample. However, its effectiveness in detection diminishes quickly because even a single change in the input (like altering one character) will result in a completely different hash value. Changing a binary's hash is incredibly easy; malware authors might inject random words, or a binary might be compiled with specific information for a targeted organization, resulting in a different hash for each impacted organization.
June 15, 2024
This blog post stems from a recent conversation with my former colleague, David Bianco, on the "Defender's Dilemma." The Defender's Dilemma is often cited by those without firsthand experience in investigating cybersecurity incidents. The premise is that hackers only need to succeed once, while defenders must be successful every time. This notion is flawed and reveals a fundamental misunderstanding of a typical cybersecurity attack.
May 15, 2024
A common trope among cybersecurity practitioners is gatekeeping entry-level positions like junior Security Operations Center (SOC) analysts with statements like, "How are you supposed to secure something if you've never managed it?" This is a concept that I **highly** disagree with.
July 17, 2023
Over the past few weeks, I have done a deep dive into the public research available on Linux ransomware, seeking to understand the broader landscape, as there is an overemphasis on the Mirai botnet. I discovered that although there is an abundance of *outstanding* whitepapers and research pieces, they are distributed across various blogs, making them challenging to assemble. Adding to the complexity, most samples are typically only accessible via a paid service like VirusTotal.
April 19, 2023
As someone who primarily does Linux security research, I was frustrated that there wasn't an equivalent of an imphash for Linux ELF binaries. So, I decided to make one myself. Introducing ImpELF.
March 17, 2023
Working as a detection engineer, I'm constantly researching and trying to come up with innovative and new ways to detect adversary tradecraft. With all of the new hype around ChatGPT and its capabilities, I figured I'd give it a try and put it to a test to see how well it performed at detecting common and well-known modern attacks versus a benign process.
October 29, 2022
This is a blog dedicated to those like myself who may have an "alternative" background when it comes to getting into cybersecurity.
April 17, 2022
Snort rules are considered the gold standard of Network Intrusion Detection signatures, and because of that it is important for new analysts to learn how to read and understand their logic. These days, there are a ton of great blogs already on understanding them, such as this one by Rapid7: https://www.rapid7.com/blog/post/2016/12/09/understanding-and-configuring-snort-rules/
April 14, 2022
Have you heard of Adversary Emulation platforms, but aren't really sure what they are or how they work? Or perhaps you think they are security tools reserved for only the most advanced teams with huge budgets? Let's take a look at what an Adversary Emulation platform is, go over some sample use cases, and see how you can get started for free using MITRE's open-source tool, Caldera.
March 2, 2022
Recently I came across a great GitHub page entitled Big-Data-Broker-Opt-Out-List, which contains a list of companies that collect your personal data, likely without your knowledge, and explains how to opt out of said services.
February 19, 2022
An introduction to the Mitre ATT&CK framework, the Mitre ATT&CK Navigator, and some example processes to get you started.
February 9, 2022
The trouble with modern Linux security monitoring and an easy to use tool that aims to fix it.
January 30, 2022
This is a guide to setting up a minimal and secure Python development environment for Ubuntu.
May 17, 2019
Security operations and monitoring teams face a variety of challenges: the rapid evolution of adversarial tradecraft, poor detector documentation, lack of detector version control, poor detection methodology, lack of testing procedures, and change control processes that are slow and time consuming. These issues plague security teams of all sizes, often leading to missed malicious activity, increased dwell time, and a lower return on investment (ROI) for the overall security program. As a managed detection and response vendor, Soteria recognized that our business would require us to develop new strategies to address these problems in order to provide high-quality, actionable detectors that scale.