Security on a Budget: Turning a Raspberry Pi 4 into a Low-Budget, Zeek based Network Monitoring Sensor
What is a Raspberry Pi? A Raspberry Pi is a small form-factor, single-board computer developed by the Raspberry Pi Foundation. To date, there have been five different product families produced. This post uses the newest generation, termed the Raspberry Pi 4 B. The 4 B family consists of three models with varying levels of RAM …
Overcoming Cognitive Biases During Threat Hunts and Incident Response
The most potent tool for threat hunting and incident response arguably can't easily be entirely captured into code or automated away into a playbook or security orchestration, automation, and response (SOAR) platform. This is not to diminish the fantastic progress of the artificial intelligence research community since 1956 or rule out the role Skynet could …
Threat Hunting vs Incident Response: Getting Proactive Instead of Staying Reactive
Over the past few years, threat hunting has grown in popularity from an isolated practice to mainstream industry acceptance. Despite the rise in conference talks, vendor pitches selling threat hunting products and services, and excellent open source tools, there are still a lot of organizations that haven't reaped the rewards of threat hunting. SANS Institute …
Securing Linux Full Disk Encryption with A Multi-Factor Hardware Token
Linux Unified Key Setup (LUKS) is a powerful disk encryption specification that pairs with the Logical Volume Manager (LVM) to provide full disk encryption on most modern versions of Linux. LUKS-based encryption can be secured even further with the addition of a hardware-based two-factor authentication device. This post will cover how to associate Yubico's …
Weekend Project: Network Security Monitoring for the Modern Smart Home
(Disclosure up front: I wasn't asked to or compensated in any way by any product or company mentioned in this blog.) I figured I'd branch out a bit and start a weekend projects blog every now and then to both share exciting things learned and also hopefully help anyone else out there looking to do …
Why Your Last Threat Hunt Wasn’t Successful
Threat hunting has continued to grow as a hot topic in the security community. Despite the volume of discussion, I often still see a few fundamental mistakes that lead to less than successful threat hunts. This week I will cover five mistake areas I commonly see in threat hunting programs that lead to less than …
Threat Hunting With Python Part 4: Examining Microsoft SQL Based Historian Traffic
This is the fourth part of a series I originally posted on the Dragos Blog. Working in the ICS information security space affords the opportunity to visit some cool critical infrastructure sites. From massive refineries that turn raw crude into diesel and gas to wind farms that harness the power of nature to generate electricity, it …
Threat Hunting with Python and Bro IDS Part 3: Taming SMB
This is the third part of a series I originally posted on the Dragos Blog. 2017 was a busy year for attackers. Between the WannaCry/Petya/Bad Rabbit ransomware, GOP hacks, Game of Thrones/HBO hacks, Equifax breach and the TRISIS malware that targeted industrial control safety systems in the Middle East, many new proven attack scenarios developed that …
Simplifying Bro IDS Log Parsing with ParseBroLogs
This week I pushed a Python package to pip to simplify parsing logs from the Bro Intrusion Detection System. This package works on both Python 2 and Python 3. You can use the following command to install the utility in your environment: pip install parsebrologs Additional examples and the source code are available on GitHub. Motivation: …
Threat Hunting with Python Part 2: Detecting Nmap Behavior with Bro HTTP Logs
This is the second part of a series I originally posted on the Dragos Blog. Prologue: Begin the Hunt In the last edition of this series, we detected Nmap scans by looking for URI indicators associated with Nmap. This week we are going to move away from URI based indicators and focus on Nmap's behavior …