#coding #Monitor #myopinionnotyours
During my day today I was asked about how coding is relevant on a cyber detection team. This is a good question and pondered on a few of the applications that I have in my own. Then I decided that the first thing that I usually would do is watch for myself. When you are on a cyber detection team you hopefully have full access to authentication logs and they are stored in a tool that allows for API access. If you have that capability then the question is "what do I want to monitor but not send to an analyst or detection tool? ... my own authentications. Why? The short answer is that I am paranoid. I feel that nothing is worse for a cyber defense team than to be part of an incident.
Allow me to frame up a scenario, there is a penetration in your company and the team decides to leverage internal credentials from known sources. One of those credentials happens to be yours and they decide to use them to auth to server/infrastructure. Now imagine that you didn't even notice. That in my eyes is sort of egg in my face.
The scenerio's can range from internal credential loss or compromise to people trying to leverage your information to gain access. Pick you scenerio but in the end I feel that if you are a victim and are not aware that just plain isn't good. At my company I have written many scripts and one of them leverages ELK. Using the power of scripting (python) and data (ELK) with an API you would fairly quickly be able to cron out something to watch for authentication for yourself coupled with your own assets adding to a high fidelity alert. Extend that capability using twilio to send alerts and you now have your own alerting framework for yourself that you can extend.
In the the end this is just my option on the matter and just because I am paranoid doesn't mean it's right for you.
Some ideas of leveraging Twilio to extend alerting https://github.com/bl4ck0ut/scripts/blob/master/gmail_twilio_watch_and_text.py
Subscribe to:
Post Comments (Atom)
Installing Older Versions of VeraCrypt on Linux: A Step-by-Step Guide
Introduction: During some house cleaning I had an old external drive that was encrypted with an old version of truecrypt. I wanted to mount...
-
Introduction: During some house cleaning I had an old external drive that was encrypted with an old version of truecrypt. I wanted to mount...
-
Live Linux forensics in a KVM based environment (part 1) Most of this blog will be based on a image that I created that I will be walking...
-
I worked with Micah Kays over the past couple weeks on building a full-interaction honeypot. I bought a Dell desktop off Craigslist (80gb ha...
No comments:
Post a Comment