Posts

Hiring and growth for security research and response teams

Hiring #


Hire for Curiosity #

Expand your candidate list from experienced researchers to experienced engineers who have strong curiosity. Software engineers often have a background that the most experienced researchers do not: how applications are deployed at scale and how systems communicate.

These engineers know that critical credentials end up in Terraform state files, and they know the nuances: for example, an instance in your private subnet may still be able to reach a C2 server over IPv6 without a NAT gateway, because IPv6 addresses are globally routable and do not depend on NAT. Pairing software engineers with experienced researchers produces findings that are both interesting and grounded in day-to-day operational reality. Joining forces is the way.

...

Threat intel databases, part two

This post continues from “Threat intel databases, part one”. For simplicity, mentions of threat intel can be considered to include geolocation data.

Threat Intel Acquisition #

Day 0

Flat files versus the world. On day 0, focus on flat files; streaming and API-based feeds can wait. Flat files provide the most lift for the effort applied. This assumes that well-known sources such as abuse.ch, PaaS mappings[1], and customer-submitted threat intel and trusted entities are the important inputs. With flat files, every customer can contribute a CSV of trusted IPs or malicious entities.
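The day-0 ingest path described above, as an added example that is not code from the original post: a customer-submitted CSV of indicators is validated, normalized (IPs to CIDR form, domains lowercased with the trailing dot removed, hashes lowercased) and upserted into a SQLite table keyed on indicator and source, then looked up by exact match. The CSV content, the column names and the source label "customer-a" are constructed for the example.

```python
import csv
import io
import ipaddress
import re
import sqlite3
from datetime import datetime, timezone

# Constructed sample: what a customer-submitted flat file might look like.
# Columns: indicator, verdict (malicious|trusted), note. Not real intel.
SAMPLE_CSV = """indicator,verdict,note
198.51.100.23,malicious,"seen in phishing campaign"
203.0.113.0/24,trusted,"partner scanner range"
Example.COM.,malicious,"typosquat landing page"
44d88612fea8a8f36de82e1278abb02f,malicious,"eicar test file md5"
not an indicator,malicious,"should be rejected"
198.51.100.23,malicious,"duplicate row"
"""

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify(raw):
    """Return (type, normalized_value), or None if the value is not a usable indicator."""
    value = raw.strip().lower()
    try:
        # Single IPs become /32 or /128 so storage and lookups are uniform.
        net = ipaddress.ip_network(value, strict=False)
        return ("ip", str(net))
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-f]+", value) and len(value) in HASH_LENGTHS:
        return (HASH_LENGTHS[len(value)], value)
    value = value.rstrip(".")  # drop FQDN trailing dot before matching
    if DOMAIN_RE.match(value):
        return ("domain", value)
    return None


def load_flat_file(conn, source, text):
    """Parse a CSV feed and upsert its rows; returns (accepted, rejected) counts."""
    conn.execute(
        """CREATE TABLE IF NOT EXISTS intel (
               indicator TEXT NOT NULL, type TEXT NOT NULL, verdict TEXT NOT NULL,
               source TEXT NOT NULL, note TEXT, first_seen TEXT NOT NULL,
               PRIMARY KEY (indicator, source))"""
    )
    accepted = rejected = 0
    now = datetime.now(timezone.utc).isoformat()
    for row in csv.DictReader(io.StringIO(text)):
        parsed = classify(row.get("indicator", ""))
        verdict = row.get("verdict", "").strip().lower()
        if parsed is None or verdict not in ("malicious", "trusted"):
            rejected += 1  # never let an unparseable row poison the table
            continue
        ind_type, indicator = parsed
        conn.execute(
            """INSERT INTO intel VALUES (?, ?, ?, ?, ?, ?)
               ON CONFLICT(indicator, source)
               DO UPDATE SET verdict = excluded.verdict, note = excluded.note""",
            (indicator, ind_type, verdict, source, row.get("note"), now),
        )
        accepted += 1
    conn.commit()
    return accepted, rejected


def lookup(conn, raw):
    """Exact-match lookup after the same normalization used at ingest."""
    parsed = classify(raw)
    if parsed is None:
        return []
    return conn.execute(
        "SELECT verdict, source FROM intel WHERE indicator = ? ORDER BY source",
        (parsed[1],),
    ).fetchall()


def demo():
    """Load the constructed CSV into an in-memory DB and run a few lookups."""
    conn = sqlite3.connect(":memory:")
    counts = load_flat_file(conn, "customer-a", SAMPLE_CSV)
    return (
        counts,
        lookup(conn, "198.51.100.23"),
        lookup(conn, "EXAMPLE.com"),
        lookup(conn, "198.51.100.99"),
    )


if __name__ == "__main__":
    print(demo())
```

The duplicate row is accepted but collapses into the existing primary key, so the table ends with four distinct rows. Note that the lookup is an exact match: a CIDR row such as the trusted /24 will not answer a query for one address inside it, which is a containment query and a different access pattern.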

...

Threat intel databases, part one

Intro #

Three types of content I manage are threat intel, geolocation, and honeypot observations.

Threat Intel is an opinion on an entity. Often that entity is a file hash, IP address, or domain that is associated with malware.

Geolocation is location information associated with an IP address: for example, that an IP belongs to a cloud provider such as AWS or Alibaba, to an ASN, or to a country, state or city. The main differentiator between geolocation data and threat intel is how the data is queried.
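As an added illustration of that query difference (this is editor-written example code, not the original post's code or database): geolocation feeds are normally distributed as IP ranges with attributes, so a lookup asks "which range contains this address", while threat intel is an opinion on one exact entity, so a lookup is an exact key match. The index below does longest-prefix matching by masking the address at each prefix length present in the table. All ranges, ASNs, organizations and verdicts are constructed for the example.

```python
import ipaddress

# Constructed geolocation rows: (cidr, attributes). Real feeds are shaped
# like this, but every value here is made up for the example.
GEO_ROWS = [
    ("203.0.113.0/24", {"asn": 64500, "org": "ExampleCloud", "country": "US"}),
    ("203.0.113.64/26", {"asn": 64500, "org": "ExampleCloud", "country": "US", "region": "us-west"}),
    ("198.51.100.0/24", {"asn": 64501, "org": "ExampleISP", "country": "DE"}),
    ("2001:db8::/32", {"asn": 64502, "org": "ExampleV6", "country": "JP"}),
]

# Constructed threat intel rows keyed on the exact entity.
TI_ROWS = {
    "203.0.113.77": {"verdict": "malicious", "source": "feed-a"},
    "malicious.example": {"verdict": "malicious", "source": "feed-b"},
}


class GeoIndex:
    """Longest-prefix-match index over CIDR ranges, one hash table per prefix length."""

    def __init__(self, rows):
        self.tables = {}  # (ip_version, prefixlen) -> {network_address_int: attrs}
        for cidr, attrs in rows:
            net = ipaddress.ip_network(cidr)
            self.tables.setdefault((net.version, net.prefixlen), {})[int(net.network_address)] = attrs
        # Probe the most specific (longest) prefixes first.
        self.lengths = {
            v: sorted({p for (ver, p) in self.tables if ver == v}, reverse=True)
            for v in (4, 6)
        }

    def lookup(self, ip):
        """Return (prefixlen, attrs) of the most specific range containing ip, or None."""
        addr = ipaddress.ip_address(ip)
        bits = addr.max_prefixlen
        n = int(addr)
        for plen in self.lengths[addr.version]:
            mask = (~0 << (bits - plen)) & ((1 << bits) - 1)
            hit = self.tables[(addr.version, plen)].get(n & mask)
            if hit is not None:
                return plen, hit
        return None


def enrich(ip, geo, ti):
    """Threat intel is an exact match on the entity; geolocation is a containment match."""
    key = str(ipaddress.ip_address(ip))  # normalize before the exact lookup
    return {"ip": key, "intel": ti.get(key), "geo": geo.lookup(key)}


if __name__ == "__main__":
    index = GeoIndex(GEO_ROWS)
    for ip in ("203.0.113.77", "203.0.113.10", "2001:db8::1", "192.0.2.1"):
        print(enrich(ip, index, TI_ROWS))
```

203.0.113.77 falls inside both the /24 and the more specific /26, and the index returns the /26 with its region attribute; 203.0.113.10 only matches the /24. The same address has a threat intel opinion only if it is literally present as a key, which is why the two data sets want different storage and query shapes.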

...

Data brokers, spam messages, voicemail and Stan

My cell phone receives what I consider to be an excessive amount of unsolicited text messages. Between January 1 and August 10, 2022, it received 76 unsolicited messages or 1 message every 2.9 days.

Figure: Number of unsolicited text messages per day since Jan 1, 2022

Types of messages and how I respond #

Banking fraud #

When I receive a text message with a URL that is likely banking fraud, I do the following:

...