Microsoft’s Copilot for Security has both positive and negative reviews, but using AI for log analysis is enticing. An insecure Linux server is set up, vulnerable to brute-force attacks and p…
I tested using Google's Gemini as a helping hand in Linux log based threat hunting - and it is actually helpful, although not ready to take the security analyst's job (yet).
We build self-driving cars and ships, but we don’t teach them to defend against cyber adversaries. Here’s what needs to change about that!
A blog post I made based on discussions at a conference last week - we need to teach smart things like self driving cars and ships to defend themselves against cyber attacks. This outlines how we should approach it.
What can the History database of Edge reveal about downloads and searches?
I did a dive into what you can get out of the Edge (and probably Chrome(ium)) History sqlite database. It logs quite detailed data - useful for forensics!
Hacktivists with exaggerated claims again?
Microsoft has denied the claims of the so-called hacktivists "Anonymous Sudan" that they breached the company's servers and stole credentials for 30 million customer accounts.
The hacktivist group Anonymous Sudan claims to have breached Microsoft and stolen credentials from 30 million customers. Microsoft says they are lying. The group has done a lot of DDoS attacks, and claimed much bigger impact than they really have had. Exaggerated claims may lead to increased "panic state" at the top of the corporate food chain. How do you communicate about threat groups making bold statements like this to your higher ups or customers?
The controls themselves are not hard to understand. Writing policies describing these controls is also not that hard. But: changing the way an organization is working, in terms of habits, documentation, information management, how we collaborate - that can be really, really hard. So even if the requirements in ISO 27001 and the controls guidance in ISO 27002 look straight forward from a technical point of view, it is not easy to change the way of working for a whole organization! It requires leadership, it requires resources, and enough competent people with internal social capital to help support and drive the change. This is why an ISO 27001 journey is usually not just smooth sailing.
Excel as log analysis tool?
I have found Excel to be quite useful for collecting data, doing summary analysis of logs, etc. I also liked this blog post from Mandiant, about using Excel to timeline artefacts with very different structure. It takes a bit of work using find, left, mid, right, concat, etc, but then it is quite useful! Another good thing is that a lot of people are better at creating Excel sheets than doing XPath queries.
Anyone else using Excel for DFIR, and how do you use it?
Thank you for an excellent perspective! I really like the narrative story approach. Often I find reports too dry to provide the necessary context, the storytelling approach can provide a good antidote against that!
Learn how to use the geo_info_from_ip_address() function to retrieve geolocation information about IPv4 or IPv6 addresses.
If we are going to build a good community, we need some content! Here's a new feature in Kusto I have found useful in Sentinel, making it easier to do geolocation lookups in queries: geo_in_from_ip_address.
If we all share a little trick or something we have recently learned now and then, this will be a useful community!
Reports from MSSP's - what do people actually care about?
Whether you are a buyer of security services, or a provider of them, what metrics, visuals, information is actually important to customers? What is the preferred way to consume reports - emails, dashboards, PDF reports, chat bots, smoke signals? Any thoughts and inputs much appreciated!
Hi, security consultant and service developer focusing on OT and DFIR. Working for an international consulting firm, based in Europe. Originally a chemical engineer. Big fan of knowledge sharing!