Lets Automate It

from Josh Rickard

Automating Attck Testing With Soar and Atomic Red Team

2020-07-24 swimlane Josh Rickard
MITRE ATT&CK is the defacto framework for organizations to measure their defense posture. ATT&CK provides categorical verticals in the form of tactics, which align to the common methodologies attackers use. Within these verticals are a set (and subsets) of common ways in which attackers accomplish a tactic (vertical). These are known as techniques. Some techniques may be common across multiple operating systems. This usually equates to a broad definition of a technique. Continue reading

Making MITRE ATT&CK Actionable

2020-07-16 swimlane Josh Rickard
The Swimlane Deep Dive team is excited to announce the release of pyattck 2.0 and an equivalent PowerShell version called PSAttck. These open-source tools provide security operations centers (SOCs), defenders and offensive security teams with external data points that enrich MITRE ATT&CK by providing potential commands, queries and even detections for specific techniques. Additionally, these data points enable context related to specific attacker actors or groups, as well as details about different tools used by malicious actors. Continue reading

Responding to Insider Threats With Soar

2020-04-24 swimlane Josh Rickard
Insider threats occur when an individual with ties to an organization misuses their access for malicious intent, such as stealing intellectual property or other data. Detecting insider threats can be difficult. But by using a security information and event management (SIEM) system or data loss prevention (DLP) products, you can create alerts to detect the exfiltration of data leaving your organization that is unauthorized or unexpected. Once you have detected these events, your security operations center (SOC) needs to investigate rapidly. Continue reading

Identify Malicious Domains Using Soar

2020-03-25 swimlane Josh Rickard
Domain Squatting, typosquatting and IDN homograph attacks are commonplace when it comes to phishing and other forms of social engineering. Attackers use domain squatting and typosquatting of domains to trick users into providing their credentials, distribute malware, harm an organization’s reputation, or otherwise maliciously impersonate a legitimate domain. We’ve discussed this topic before and have developed a unique use case with Swimlane to detect this malicious activity automatically. Recently, we began to monitor domains related to coronavirus (COVID-19), knowing there would be an increase in traffic to research the outbreak, which could be exploited by bad actors. Continue reading

You Dont Have Windows 7 in Your Environment Do You

2020-01-14 swimlane Josh Rickard
Today is the day. Microsoft Windows 7 is officially end-of-life (EOL). The Windows 7 operating system was released on October 22, 2009. For 10 years now, IT and system administrators around the globe have relied on their trusty old Windows 7 OS. I mean, it was a step beyond Windows XP for sure. With EOL here, have you migrated all of your systems to Windows 10? If you have not migrated, you definitely should. Continue reading

Every Security Team Is a Software Team Now

2019-08-01 swimlane Josh Rickard
Building and facilitating a culture with continuous collaboration between engineers and security forces is becoming the new philosophy in security, which is why I am stoked for this year’s Black Hat USA keynote speaker: Dino Dai Zovi, staff security engineer at Square. “Every Security Team is a Software Team Now” promises to dive into the latest iteration of security operations as current security teams morph into in-house security software teams, delivering multi-vertical value through self-service platforms and tools. Continue reading

Microsoft Defender Advanced Threat Detection Queries

2019-07-18 swimlane Josh Rickard
Recently, I shared on Twitter how you could run a query to detect if a user has clicked on a link within their Outlook using Microsoft Defender Advanced Threat Protection (MDATP). If you are not familiar, MDATP is available within your Microsoft 365 E5 license and is an enhancement to the traditional Windows Defender you might be used to. What is Microsoft Defender Advanced Threat Protection? Microsoft says that “Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Continue reading
Older posts