URL: https://holisticinfosec.io/

HOLISTICINFOSEC

--------------------------------------------------------------------------------

Information security and assurance for all, as one.


Practice simplicity

Seek to be proactive, rather than reactive

Think creatively, but adhere to standards

Employ best practices


LOTL CLASSIFIER TESTS FOR SHELLS, EXFIL, AND MINERS


TOOLSMITH #146: A SUPERVISED LEARNING APPROACH TO LIVING OFF THE LAND ATTACK
CLASSIFICATION FROM ADOBE SI

Posted on December 24, 2021 | 6 minutes | Russ McRee, Ph.D.

Happy Holidays, readers!
First, a relevant quote from a preeminent author in the realm of intelligence
analysis, Richards J. Heuer, Jr.:
“When inferring the causes of behavior, too much weight is accorded to personal
qualities and dispositions of the actor and not enough to situational
determinants of the actor’s behavior.”
Please consider Mr. Heuer’s Psychology of Intelligence Analysis required
reading.
The security intelligence team from Adobe’s Security Coordination Center (SCC)
have sought to apply deeper analysis of situational determinants per adversary
behaviors as they pertain to living-off-the-land (LotL) techniques. As the
authors indicate, “bad actors have been using legitimate software and functions
to target systems and carry out malicious attacks for many years…LotL is still
one of the preferred approaches even for highly skilled attackers.” While we, as
security analysts, are party to adversary and actor group qualities and
dispositions, the use of LotL techniques (situational determinants) proffers
challenges for us. Given that classic LotL detection is rife with false
positives, Adobe’s SI team used open source and representative incident data to
develop a dynamic and high-confidence LotL Classifier, and open-sourced it.
Please treat their Medium post, Living off the Land (LotL) Classifier
Open-Source Project and related GitHub repo as mandatory reading before
proceeding here. I’ll not repeat what they’ve quite capably already documented.

Tags: SOC, data science, blue team, Adobe, DFIR, DART, TI, detection, LotL, classifier, machine learning


ZIRCOLITE VS DEFENSE EVASION & NOBELLIUM FOGGYWEB


TOOLSMITH #145: A STANDALONE SIGMA-BASED DETECTION TOOL FOR EVTX AND JSON

Posted on September 28, 2021 | 4 minutes | Russ McRee, Ph.D.

I’m pleased to be back sharing outstanding tools for security practitioners with
you after an extended time out to finish my Ph.D.
Here now, in our 145th installment of toolsmith, we discuss Zircolite, a
standalone and fast SIGMA-based detection tool for EVTX or JSON, a fine tool
brought to us courtesy of @waggabat. Zircolite’s GitHub repo tells you
absolutely everything you need to know, and the documentation is more than
adequate, so I’ll repeat only this:

 * Zircolite is a standalone tool written in Python 3 that allows the use of
   SIGMA rules on Windows event logs
 * Zircolite can be used directly on the investigated endpoint or in your
   favorite forensic/detection lab
 * Zircolite is fast and can parse large datasets in just seconds
 * Zircolite can handle EVTX files and JSON files as long as they are in
   JSONL/NDJSON format
 * Zircolite can be used directly in Python or you can use the binaries provided
   in releases

Tags: SOC, Blue Team, DFIR, DART, TI, detection, Zircolite, SIGMA


ABSTRACT: IMPROVED SECURITY DETECTION & RESPONSE VIA OPTIMIZED ALERT OUTPUT - A
USABILITY STUDY


CUT THE NOISE, HONE THE SIGNAL

Posted on August 20, 2021 | 3 minutes | Russ McRee, Ph.D.

Once in a while, you get shown the light in the strangest of places if you look
at it right ~Garcia/Hunter

I’ve been absent here for many months, but it has been with purpose. My
dissertation, Improved Security Detection & Response via Optimized Alert Output:
A Usability Study, is complete, and I’ve successfully defended it; pursuit of my
PhD is complete, a new journey begins. I’ll begin with posting the abstract
here. I’m in the midst of the dissertation publishing process, but once ready,
it will be available in a fully open source capacity, no paywalls or
subscription required. I’ll also share all the data (fully anonymized) as well
as statistical routines and analysis in R. I’ll continue to post the related
artifacts, including the full dissertation, via the R bookdown and thesisdown
packages. I look forward to sharing this research with you while discussing it
in a variety of forums and extending it to additional research opportunities.
Stay tuned here for more.

Tags: SOC, Blue Team, DFIR, DART, TI, user acceptance, user experience, security alert, detection, data science, visualization, visual alert output, text alert output


TOOLSMITH SNAPSHOT: ADVERSARY SIMULATION WITH SIM


EMULATE USER ACTIONS ON A SYSTEM

Posted on February 21, 2021 | 4 minutes | Russ McRee, Ph.D.


Art by Juan Casini



I spotted Sim via Twitter and was immediately intrigued as I advocate strongly
for any tools and features that enable configurable adversary emulation.
Adversary emulation enables blue teams to validate and optimize their detection
portfolio and thus determine the true efficacy of their detective capabilities.
I do not consider any detection that has not been tested via direct purple or
red team engagement, or via automated adversary emulation, as production ready.
Per her GitHub repo, Hope Walker’s Sim is a C# application, configured via an
XML file, that performs tasks based on the configuration to resemble user
actions on a system in order to facilitate training and education. As a long
time SOC and DFIR manager, training for me includes “training” detection and
models to ensure optimal performance. IceMoonHSV’s projects appear to be fairly
recent contributions to our community; I applaud Hope’s work here and offer a
hearty welcome.

Tags: SOC, Blue Team, DFIR, Sim, Adversary Emulation, user behavior


SECURITY DETECTION AND RESPONSE ALERT OUTPUT USABILITY SURVEY


SCENARIO-BASED RESEARCH FOR CYBERSECURITY ANALYSTS AND MANAGERS

Posted on January 18, 2021 | 2 minutes | Russ McRee, Ph.D.

As a PhD candidate at Capitol Technology University I’m conducting a
scenario-based security detection & response alert output usability survey for
cybersecurity analysts and managers in Security Operation Center (SOC), Digital
Forensic and Incident Response (DFIR), Detection and Response Team (DART) &
Threat Intelligence (TI) roles. These roles often make use of output from
detection methods including machine learning & data science. Individual
contributors & managers alike are welcome.
The purpose of the research is to determine if there is a statistically
significant difference in security analysts' preference and acceptance between
text alert output (TAO) and visual alert output (VAO) derived by these methods.
The survey should take 20 minutes.
https://www.surveymonkey.com/r/TAOvsVAO

Tags: SOC, Blue Team, DFIR, DART, Survey, TI


TOOLSMITH SNAPSHOT: GORDON - CYBER REPUTATION CHECKS


QUICKLY PROVIDES THREAT & RISK INFORMATION ABOUT OBSERVABLES

Posted on January 4, 2021 | 2 minutes | Russ McRee, Ph.D.

Happy New Year! Here’s to 2021 being less of a dumpster fire than 2020. I’ve
been really lagging in between posts, apologies for that. Between working on my
dissertation, and current events courtesy of brown bears and SolarWinds, I’ve
been a bit busy. ;-) That said, even if they’re just quick snapshots like this
one, I’ll resume posting with more regularity.

Gordon is a great website for security analysis and threat intelligence
practitioners courtesy of Marc-Henry Geay of France.
It’s a fine offering that quickly provides threat and risk information about
observables such as IPv4 addresses, URLs, Domains/FQDNs, MD5, SHA-1, SHA-256
hashes, or email addresses.

Tags: SOC, Blue Team, DFIR, Gordon, SolarWinds, SUNBURST


TOOLSMITH SNAPSHOT: SOOTY - SOC ANALYST'S ALL-IN-ONE TOOL


SPEED UP SOC WORKFLOW

Posted on October 13, 2020 | 3 minutes | Russ McRee, Ph.D.



It’s been a bit longer than I like between posts, it’s definitely been busy here
in the Pacific Northwest. I like to keep a running list of possible toolsmith
topics, and I spotted Sooty back in December 2019, back in the good old days
before our current pandemic and political mayhem. Sooty was developed with the
intent of helping SOC analysts automate parts of their work flow. Sooty serves
to perform the more mundane and routine checks SOC analysts typically undertake
with the hope of freeing the analyst to conduct deeper analysis in a more
efficient and timely manner.



Tags: SOC, Blue Team, DFIR, Sooty


TO THE BRIM AT THE GATES OF MORDOR


TOOLSMITH #144: SEARCH & ANALYZE MORDOR APT29 PCAPS WITH BRIM

Posted on August 3, 2020 | 8 minutes | Russ McRee, Ph.D.

Herein lies an opportunity to explore the dark in the name of light.
“Some believe that it is only great power that can hold evil in check. But that
is not what I’ve found. I found it is the small things. Every day deeds by
ordinary folk that keeps the darkness at bay.” ~Gandalf
These words ring ever true in the everyday fight we face combatting cyber crime
and Internet malfeasance. Two offerings come forth to join this fight and
converge here to create ample learning opportunities.
Brim offers a new way to browse, store, and archive logs with their free and
open source Brim Desktop app, as well as the ZQ command line execution engine
and query language.
The Mordor project provides pre-recorded security events generated by simulated
adversarial techniques, categorized by platforms, adversary groups, tactics and
techniques defined by the MITRE ATT&CK Framework, Evaluations, and Arsenal.
MITRE really is the third protagonist in our epic; we owe them much as defenders
of the realm.

Tags: Brim, ZQ, Blue Team, DFIR, MITRE, ATT&CK


TOOLSMITH SNAPSHOT: SPECTX IP HITCOUNT QUERY


DETECT POSSIBLE BOTS & AUTOMATED QUERIES

Posted on June 10, 2020 | 2 minutes | Russ McRee, Ph.D.

Apologies for the lag between posts, dear reader. I’m in the midst of a doctoral
dissertation, having almost finished my second chapter, and it doesn’t leave a
lot of room for additional writing. Treat this entry as a stopgap, courtesy of Raido,
from SpectX, the subject of our last toolsmith #143 on SpectX4DFIR. Herein,
Raido provides us with a SpectX query to count hits from IPs during different
time intervals.

Tags: Blue Team, DFIR, SpectX, SpectX4DFIR


SPECTX: LOG PARSER FOR DFIR


TOOLSMITH #143

Posted on April 10, 2020 | 6 minutes | Russ McRee, Ph.D.

Welcome to the first COVID edition of toolsmith; I do hope this finds you all
safe, healthy, and sheltered to the best of your ability.
In February I received a DM via Twitter from Liisa at SpectX regarding my
interest in checking out SpectX. Never one to shy away from a tool review offer,
I accepted. SpectX, available in a free, community desktop version, is a log
parser and query engine that enables you to investigate incidents via log files
from multiple sources such as log servers, AWS, Azure, Google Storage, Hadoop,
ELK, and SQL databases. Actions include:

 * Large-scale log review
 * Root cause analysis (RCA) during incidents
 * Historical log analysis
 * Virtual SQL joins across multiple sources of raw data
 * Ad hoc queries on data dumps

SpectX architecture differs from other log analyzers in that it queries raw data
without indexing directly from storage. SpectX runs on Windows, Linux or OSX, in
the cloud, or an offline on-prem server.

Tags: Blue Team, DFIR, SpectX, SpectX4DFIR

Russ McRee, Ph.D.  • © 2021  •  HolisticInfoSec
