There’s a flawed logic that exists within many tech and cyber teams. High-performing individual contributors are offered leadership opportunities, because there’s an assumption their technical expertise translates to leadership expertise. The truth is: being a great leader requires a specialized skill set. Below is a list of books every leader needs to read, digest, and […]
Author Archives: user
Insider Threat Training & Program Development
Building an Insider Threat Program: Essential Resources
Insider threats are often downplayed, but they pose a significant risk to organizations, as employees, contractors, and business partners often have access to sensitive systems and data. Unlike external cyber threats, insider threats originate from individuals with legitimate credentials, making them harder to detect and mitigate. These threats […]
Insider Threat Hunting PRECEED Framework
As I reflect on my early days learning about digital forensics and incident response, I recall a particularly challenging experience that had an impact on my approach to threat hunting. It was during a SANS FOR500 course where we were presented with a case involving a missing person’s laptop hard drive. The capstone task was: […]
Threat Hunting: Hypothesis Chaining
Hypothesis chaining is a method that enables threat hunters to narrow down search results during a hunt by appending or branching off of their original hypothesis. This technique helps threat hunters take an overwhelming output from a hunt and continue their investigation without being hindered by a large volume of results. For example, a threat […]
Hunting Punycode IDNs Using Carbon Black EDR
Running an “ipport:53” process search in Carbon Black has helped to locate hosts and/or processes performing an abnormal number of DNS queries. However, recently I wanted to hunt processes generating punycode IDN DNS queries on a client network. Alerts were triggered by their SIEM, which was ingesting Microsoft Server DNS logs. The Sumo Logic alert […]
Acquiring a Triage Image Using KAPE and Carbon Black Go Live
Before starting, big shout out to Eric Zimmerman (https://github.com/EricZimmerman/) for creating so many great free DFIR tools. KAPE can be downloaded here: https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape KAPE is a standalone program that does not need to be installed. Decompress the zip file to a directory of your choosing and you are ready to go. KAPE requires administrator rights […]
InfoSec Reading List
I often get asked which books are worth reading for an aspiring InfoSec pro. While there are many great books out there, each serving a unique purpose, here are my general recommendations. The Basics: Wireshark 101: Essential Skills for Network Analysis – Second Edition: Wireshark Solution Series Practical Packet Analysis, 3E: Using Wireshark to Solve […]
Intuit Lacerte Vulnerability and Data Exposure CVE-2018-11338 & CVE-2018-14833
NOTE: This vulnerability was discovered in early April of 2018. I immediately contacted Intuit support and their security team to responsibly disclose the vulnerability. I offered suggestions and help in finding a solution to protect the public at no cost. As of 12/25/2018 the software remains vulnerable and I am disclosing my findings in hopes […]
UltraTax CS Data Exposure Vulnerability CVE-2018-14608 & CVE-2018-14607
NOTE: This vulnerability was discovered in late July of 2018. I immediately contacted Thomson Reuters support, their sales team, and tweeted to them to responsibly disclose the vulnerability. I offered suggestions and help in finding a solution to protect the public at no cost.
CVE-2018-14608
CVE-2018-14607
After recent discoveries of the Intuit Lacerte data exposure […]