J P

2.6K posts

@JPoForenso

Threat Detection / Incident Response in the Cloud. Livin' on the *nix command line. I've got a fever, and the only prescription is more #DFIR.

Remote · Joined May 2014
217 Following · 1.7K Followers
J P (@JPoForenso):
@ImposeCost But, it's specifically written as an "also" statement to, by design/definition, imply no priority. Still trying to figure out the animosity here... hard to imagine we're not actually on the same page, given our shared tenure in the industry.
Andrew Thompson (@ImposeCost):
@JPoForenso A little of all of the above. It implies a degree of prioritizing victim blame over going after offenders.
Andrew Thompson (@ImposeCost):
Now if we can just drop some of that hate on the heads of some ransomware operators that hit hospitals, that'd be great.
J P (@JPoForenso):
@ImposeCost Saying that posting anything on X is a priority in my life would certainly make a lot of people laugh 😀 But, to answer your question, likely for the same reason(s) you posted yours? Just guessing, though. I apologize, I can't tell if this is hostile/rhetorical or genuine.
J P (@JPoForenso):
@usetraceix Huh? Not sure what you are asking.
Traceix (@usetraceix):
@JPoForenso Never gotten a like on LinkedIn before, have you?
J P (@JPoForenso):
Interestingly enough, this is one big reason I went out on my own. So many people need the tenured expertise, but think it's too much $$$$. Ironically, it ends up being very similar in cost. Charge 4x a junior, but do it in .25x of the time = same cost, BUT deliver 10x value.
Quoted post from solst/ICE of Astarte (@IceSolst):

Why are consultants young? I’d rather consult a white haired wizard that’s lived a thousand years and only appears in the ghastly Tower when lightning hits it on a full moon (you’ll have to solve three riddles to enter). Instead I get a hungover 23 yo from coalfire.
J P (@JPoForenso):
@DirectoryRanger This looks eerily like a paraphrased and copy/pasted version of one of my blog posts from way back in 2018 (with some typos - 1179 is not the correct Event ID). 🧐 Full version below (or just Google "Windows RDP Investigation" - it's the first result): ponderthebits.com/2018/02/window…
J P (@JPoForenso):
@georgemporter If it's the second time and it remains a largely impactful issue, I'd definitely recommend researching and implementing the variety of relatively easy mechanisms that exist to both prevent and reactively detect such situations with your account(s). Pay now or pay later (again).
J P (@JPoForenso):
#DFIR public speakers/presenters: Is it acceptable to you, as a speaker, to receive no travel or accommodation assistance for a paid attendance speaking event? If yes/no, please share your thoughts/experiences.
J P (@JPoForenso):
@OpenAI relies on models (vast amounts of SME) for #AI and @MsftSecIntel (i.e., Security CoPilot) relies on models (again, SME skills/experience). Common denominator is deep/wide SME knowledge. Where are we getting this with our current dearth of #DFIR talent/expertise? 🤔
Rami McCarthy (@ramimacisabird):
🪣"practical guidance for your AWS security program": ramimac.me/s3-logging 🪣 This time, we're tackling S3 Logging! As one of the foundational services, I expected "best practices for s3 logging" to be well established. I was disappointed ...
J P (@JPoForenso):
@hashishrajan @CloudSecPod Important clarification here. CloudTrail Event History maintains 90 days of management events ONLY. You will NOT have any data events like you will if you create a dedicated Trail. This is incredibly important to understand if you decide against creating a Trail.
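The distinction in the post above (Event History = 90 days of management events only; data events exist only if a Trail is configured to capture them) is easy to check mechanically. The following is an added example, not code from the original poster: it audits trail configurations in the shape returned by boto3's describe_trails() and get_event_selectors() and flags trails that would leave S3 object-level activity unlogged. The trail names, bucket ARN and selector contents are constructed sample data, and the issue codes are defined here for the example; in a live account the two inputs would come from describe_trails()["trailList"] and get_event_selectors(TrailName=...).

```python
"""Audit CloudTrail trails for S3 data-event coverage (offline, constructed input)."""

S3_OBJECT = "AWS::S3::Object"


def captures_s3_data_events(selectors):
    """True if a trail's get_event_selectors() response logs S3 object-level events.

    A trail carries either classic EventSelectors or AdvancedEventSelectors,
    so both shapes have to be inspected.
    """
    for sel in selectors.get("EventSelectors", []):
        for res in sel.get("DataResources", []):
            if res.get("Type") == S3_OBJECT and res.get("Values"):
                return True
    for adv in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in adv.get("FieldSelectors", [])}
        categories = fields.get("eventCategory", {}).get("Equals", [])
        resource_types = fields.get("resources.type", {}).get("Equals", [])
        if "Data" in categories and S3_OBJECT in resource_types:
            return True
    return False


def audit_trails(trails, selectors_by_trail):
    """Return a list of (trail_name, issue) findings; issue codes are local to this example."""
    findings = []
    if not trails:
        # No trail at all: Event History gives 90 days of management events and no data events.
        findings.append(("<none>", "no-trail-event-history-only"))
        return findings
    for trail in trails:
        name = trail["Name"]
        if not trail.get("IsMultiRegionTrail", False):
            findings.append((name, "single-region"))
        if not trail.get("LogFileValidationEnabled", False):
            findings.append((name, "log-file-validation-off"))
        if not captures_s3_data_events(selectors_by_trail.get(name, {})):
            findings.append((name, "no-s3-data-events"))
    return findings


# Constructed sample data (not from a real account), mirroring the boto3 response shapes.
SAMPLE_TRAILS = [
    {"Name": "mgmt-only", "IsMultiRegionTrail": False, "LogFileValidationEnabled": True},
    {"Name": "with-s3-data", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True},
]
SAMPLE_SELECTORS = {
    # Classic selectors with an empty DataResources list: management events only.
    "mgmt-only": {"EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []},
    ]},
    # Advanced selectors: management events plus S3 object events for one bucket.
    "with-s3-data": {"AdvancedEventSelectors": [
        {"Name": "Management events",
         "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]},
        {"Name": "S3 object events for the evidence bucket",
         "FieldSelectors": [
             {"Field": "eventCategory", "Equals": ["Data"]},
             {"Field": "resources.type", "Equals": [S3_OBJECT]},
             {"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::example-evidence-bucket/"]},
         ]},
    ]},
}


if __name__ == "__main__":
    for trail, issue in audit_trails(SAMPLE_TRAILS, SAMPLE_SELECTORS):
        print(f"{trail}: {issue}")
```

The "no-s3-data-events" finding is the one that matters for the point in the post: a trail that exists but only has management selectors gives you the same object-level blind spot as having no trail at all, just with longer retention.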
J P (@JPoForenso):
My customized more granular IR lifecycle didn't make it in, but many other things did. 🙃 This is the result of a lot of work from smart folks passionate about creating more prescriptive and informative #DFIR guidance for folks operating in #AWS. Feedback always welcome!
Quoted post from AWS Security (@AWSSecurityInfo):

💪We've updated the #AWS Security Incident Response Guide to more clearly explain what you should do before, during, and after a security event. Below are highlights of some of the changes and instructions on how to use the updated guide 👇 #cybersecurity #incidentresponse
J P (@JPoForenso):
@jhencinski Man, I wonder how this works out in practice. Wondering if an effective "detection + immediate notification + response requirement" mechanism is a better balance of flexibility with security. Just thinking out loud. Any insights from your experience?
Jon Hencinski (@jhencinski):
Detection:
- Alert when new MFA device added from unusual location (you’ll need IP enrichment here)
Prevention:
- Require MFA registration from a trusted location. Create a conditional access policy to require MFA registration from a location marked as a trusted network.
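The detection idea in the post above ("new MFA device added from unusual location", with IP enrichment) in runnable form, as an added example that is not the poster's own code. The event dictionaries follow the field names of Microsoft Entra ID audit-log records (activityDisplayName, result, initiatedBy.user.ipAddress), but every record, the trusted CIDR list (RFC 5737 documentation ranges standing in for corporate egress), the GeoIP table and the per-user sign-in baseline are constructed for this example.

```python
"""Flag successful MFA-method registrations from untrusted or unusual locations."""
import ipaddress

# Assumed corporate egress ranges (RFC 5737 documentation space used as stand-ins).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed enrichment table; a real pipeline would query a GeoIP database here.
GEO_COUNTRY = {"203.0.113.10": "US", "198.51.100.5": "US", "192.0.2.77": "NG", "192.0.2.130": "US"}

# Audit-log activities that mean a new authentication method was added to the account.
MFA_REGISTRATION_ACTIVITIES = {
    "User registered security info",
    "User registered all required security info",
}


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def detect_unusual_mfa_registrations(audit_events, signin_baseline):
    """Return alerts for successful MFA registrations outside trusted networks.

    signin_baseline maps UPN -> set of countries seen in that user's recent
    sign-ins. Untrusted IP in a known country -> medium; unknown country -> high.
    """
    alerts = []
    for ev in audit_events:
        if ev.get("activityDisplayName") not in MFA_REGISTRATION_ACTIVITIES:
            continue
        if ev.get("result") != "success":      # failed registrations are noise for this rule
            continue
        user = ev.get("initiatedBy", {}).get("user", {})
        ip, upn = user.get("ipAddress"), user.get("userPrincipalName")
        if not ip or is_trusted(ip):
            continue
        country = GEO_COUNTRY.get(ip, "unknown")
        severity = "medium" if country in signin_baseline.get(upn, set()) else "high"
        alerts.append({
            "user": upn, "ip": ip, "country": country, "severity": severity,
            "time": ev.get("activityDateTime"), "detail": ev.get("resultReason"),
        })
    return alerts


# Constructed sample audit records (not real log data).
SAMPLE_AUDIT_EVENTS = [
    {"activityDateTime": "2023-06-01T08:02:11Z", "activityDisplayName": "User registered security info",
     "result": "success", "resultReason": "User registered Authenticator App with Notification and Code",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10"}}},
    {"activityDateTime": "2023-06-01T09:14:52Z", "activityDisplayName": "User registered security info",
     "result": "success", "resultReason": "User registered Authenticator App with Notification and Code",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.77"}}},
    {"activityDateTime": "2023-06-01T10:30:00Z", "activityDisplayName": "User registered security info",
     "result": "success", "resultReason": "User registered Mobile Phone SMS",
     "initiatedBy": {"user": {"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.130"}}},
    {"activityDateTime": "2023-06-01T11:00:00Z", "activityDisplayName": "User registered security info",
     "result": "failure", "resultReason": "",
     "initiatedBy": {"user": {"userPrincipalName": "dave@example.com", "ipAddress": "192.0.2.77"}}},
]
SAMPLE_BASELINE = {"alice@example.com": {"US"}, "bob@example.com": {"US"}, "carol@example.com": {"US", "CA"}}


if __name__ == "__main__":
    for a in detect_unusual_mfa_registrations(SAMPLE_AUDIT_EVENTS, SAMPLE_BASELINE):
        print(f'[{a["severity"]}] {a["time"]} {a["user"]} from {a["ip"]} ({a["country"]}): {a["detail"]}')
```

Alice's registration from a trusted range is suppressed, Bob's from an IP in a country absent from his sign-in history is rated high, and Carol's from an untrusted IP in a country she normally signs in from is rated medium. The rule deliberately ignores failed registrations; whether to alert on those is a separate tuning decision.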
Jon Hencinski (@jhencinski):
Recent #BEC in O365 tactics:
- Initial access via phishing
- Phish contains link to attacker controlled proxy site
- AiTM to steal session cookie to auth & bypass MFA
- Query inbox for phishing email
- Moves phishing email to deleted items
- Register new MFA device to persist
J P (@JPoForenso):
@cyb3rops Perhaps the most clear and overarching highlight here is that the USN Journal $J is a great mechanism for identifying system/file activity, especially for non-resident files (paired with $Secure for identifying ownership/permissions), so long as it's still in the buffer.
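To make the $J point above concrete, here is an added example (not code from the original poster) that parses USN_RECORD_V2 entries out of a raw $UsnJrnl:$J extract. The header layout is the documented Windows USN_RECORD_V2 structure; the journal bytes are constructed in make_sample_journal() with the file names, MFT entry numbers, SecurityId value and timestamps chosen for the example, so the parser runs offline. The SecurityId field is the index you would take to $Secure to recover ownership/permissions, and the zero-skipping handles the sparse head of $J.

```python
"""Parse USN_RECORD_V2 entries from a raw $UsnJrnl:$J extract (constructed sample input)."""
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header, little-endian: RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp (FILETIME),
# Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
_HDR = struct.Struct("<IHHQQqQIIIIHH")
_HDR_LEN = _HDR.size  # 60 bytes; the UTF-16LE name follows at FileNameOffset
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION", 0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE", 0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}


def filetime_to_datetime(ft):
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_usn_journal(data):
    """Return one dict per V2 record; zero-filled gaps (the sparse head of $J) are skipped."""
    records, off = [], 0
    while off + _HDR_LEN <= len(data):
        rec_len = struct.unpack_from("<I", data, off)[0]
        if rec_len == 0:            # inside a zeroed region: step to the next 8-byte slot
            off += 8
            continue
        if rec_len < _HDR_LEN or off + rec_len > len(data) or rec_len % 8:
            break                   # truncated or corrupt record: stop rather than guess
        (_, major, _minor, fref, pref, usn, ts, reason, _source,
         sec_id, attrs, name_len, name_off) = _HDR.unpack_from(data, off)
        if major != 2:              # V3/V4 records carry 128-bit file references; not handled here
            off += rec_len
            continue
        name = data[off + name_off: off + name_off + name_len].decode("utf-16-le", "replace")
        records.append({
            "usn": usn,
            "timestamp": filetime_to_datetime(ts),
            "name": name,
            "mft_entry": fref & 0xFFFFFFFFFFFF,   # low 48 bits: $MFT record number
            "mft_seq": fref >> 48,                # high 16 bits: sequence number
            "parent_entry": pref & 0xFFFFFFFFFFFF,
            "reasons": [n for bit, n in USN_REASONS.items() if reason & bit],
            "security_id": sec_id,                # index into $Secure:$SDS for owner/DACL
            "attributes": attrs,
        })
        off += rec_len
    return records


def build_record(name, file_ref, parent_ref, usn, when, reason, security_id, attrs=0x20):
    """Serialise a V2 record (used only to construct the sample journal)."""
    name_b = name.encode("utf-16-le")
    rec_len = (_HDR_LEN + len(name_b) + 7) & ~7        # records are 8-byte aligned
    hdr = _HDR.pack(rec_len, 2, 0, file_ref, parent_ref, usn, datetime_to_filetime(when),
                    reason, 0, security_id, attrs, len(name_b), _HDR_LEN)
    return hdr + name_b + b"\0" * (rec_len - _HDR_LEN - len(name_b))


def make_sample_journal():
    """Constructed $J fragment: evil.exe is created, then (after a zeroed gap) renamed to svchost.exe."""
    t0 = datetime(2018, 2, 1, 0, 0, 0, tzinfo=timezone.utc)
    evil = (5 << 48) | 123456                          # sequence 5, MFT entry 123456 (chosen values)
    parent = (1 << 48) | 9000
    r1 = build_record("evil.exe", evil, parent, 4096, t0, 0x80000100, 300)       # FILE_CREATE|CLOSE
    gap = b"\0" * 64
    r2 = build_record("svchost.exe", evil, parent, 4096 + len(r1) + len(gap),
                      t0 + timedelta(seconds=90), 0x80002000, 300)               # RENAME_NEW_NAME|CLOSE
    return r1 + gap + r2


if __name__ == "__main__":
    for r in parse_usn_journal(make_sample_journal()):
        print(f'{r["timestamp"].isoformat()} usn={r["usn"]} entry={r["mft_entry"]}-{r["mft_seq"]} '
              f'sid={r["security_id"]} {r["name"]} {"|".join(r["reasons"])}')
```

Against a real extract you would pass the raw bytes of the $J data stream to parse_usn_journal() and join mft_entry/mft_seq to the $MFT and security_id to $Secure; only records still within the journal's retained range (the "still in the buffer" caveat in the post) will be present.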
J P (@JPoForenso):
@binaryz0ne @professorbike @bettersafetynet If you only care about the memory (for testing), then the methodology you are using should be just fine. Just FYI, based on your needs and what you're looking to do. Good luck in your research/testing!
J P (@JPoForenso):
@binaryz0ne @professorbike @bettersafetynet Keep in mind by adding a drive and attaching it to the system, you are introducing modification/alteration of system artifacts, which is something we try to avoid as a best practice for response. Snapshot is the easiest mechanism to mitigate that and capture both memory and disk.
Ali Hadi | B!n@ry (@binaryz0ne):
Wish there was a clear resource out there about acquiring memory from VMs. Yes, there's many, but with lots of issues & inconsistencies. My tests were using VMWare. Did a lot of converting & playing around but still. Add to that, the tools you use don't work/support all mem dumps!
J P (@JPoForenso):
@hal_pomeranz @WWHackinFest I'll answer one 😀 (With filesystem mounted at "/mnt/X/")
$ zdump /mnt/X/etc/timezone
$ zdump /mnt/X/etc/localtime
$ cat /mnt/X/etc/timezone
$ ls -l /mnt/X/etc/localtime
$ readlink /mnt/X/etc/localtime
Did I miss any?
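The checks in the answer above, carried through as an added example that is not the poster's commands. It takes the image's mount point (the "/mnt/X/" in the post) and goes one step further than ls/readlink: it re-roots an absolute symlink target under the mount point instead of letting it resolve against the examiner's own host, and when /etc/localtime is a plain copy rather than a symlink it hashes it against the image's own zoneinfo tree, reporting every zone name with identical tzdata. The fixtures built by make_fixture() are constructed fake roots with placeholder zoneinfo contents, so the code runs offline.

```python
"""Recover a Linux system's default timezone from a mounted disk image (offline fixtures)."""
import hashlib
import os
import shutil
import tempfile

ZONEINFO = "usr/share/zoneinfo"


def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def detect_timezone(root):
    """Return (candidate zone names, method). Never follows links onto the analyst's live system."""
    root = os.path.abspath(root)
    etc = os.path.join(root, "etc")
    zdir = os.path.join(root, ZONEINFO)

    # 1. Debian/Ubuntu keep the zone name in plain text.
    tzfile = os.path.join(etc, "timezone")
    if os.path.isfile(tzfile):
        with open(tzfile, encoding="utf-8", errors="replace") as f:
            name = f.read().strip()
        if name:
            return [name], "etc/timezone"

    localtime = os.path.join(etc, "localtime")
    # 2. Symlink: read the raw target. An absolute target like /usr/share/zoneinfo/Europe/Istanbul
    #    must be re-rooted under the mount point; os.path.realpath() would resolve it against
    #    the examiner's own machine instead of the image.
    if os.path.islink(localtime):
        target = os.readlink(localtime)
        resolved = os.path.normpath(root + target if os.path.isabs(target)
                                    else os.path.join(etc, target))
        rel = os.path.relpath(resolved, zdir)
        if rel.startswith(".."):
            return [target], "symlink-outside-zoneinfo"
        return [rel], "symlink"

    # 3. Regular file (older systems, some containers): match its hash against the image's
    #    own zoneinfo tree. Several names can legitimately share identical tzdata.
    if os.path.isfile(localtime):
        want = _sha256(localtime)
        matches = []
        for dirpath, _, files in os.walk(zdir):
            for fn in files:
                p = os.path.join(dirpath, fn)
                if not os.path.islink(p) and _sha256(p) == want:
                    matches.append(os.path.relpath(p, zdir))
        return (sorted(matches), "copy") if matches else ([], "unmatched-copy")

    return [], "absent"


def make_fixture(kind, zone="Europe/Istanbul"):
    """Build a throwaway constructed root: symlink, relative-symlink, copy, debian or absent."""
    root = tempfile.mkdtemp(prefix="tzroot-")
    zdir = os.path.join(root, ZONEINFO)
    os.makedirs(os.path.join(root, "etc"))
    # Placeholder bytes stand in for compiled TZif data; only their identity matters here.
    for name, body in ((zone, b"TZif2 placeholder " + zone.encode()), ("UTC", b"TZif2 placeholder UTC")):
        path = os.path.join(zdir, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(body)
    localtime = os.path.join(root, "etc", "localtime")
    if kind == "symlink":
        os.symlink("/" + ZONEINFO + "/" + zone, localtime)
    elif kind == "relative-symlink":
        os.symlink("../" + ZONEINFO + "/" + zone, localtime)
    elif kind in ("copy", "debian"):
        shutil.copyfile(os.path.join(zdir, zone), localtime)
        if kind == "debian":
            with open(os.path.join(root, "etc", "timezone"), "w") as f:
                f.write(zone + "\n")
    return root


if __name__ == "__main__":
    for kind in ("symlink", "relative-symlink", "copy", "debian", "absent"):
        print(kind, detect_timezone(make_fixture(kind)))
```

On a real image mounted read-only at /mnt/X, call detect_timezone("/mnt/X"). The method string tells you which artifact the answer came from, which is worth recording alongside the zone itself.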
Hal Pomeranz (@hal_pomeranz):
@WWHackinFest Daily Linux Forensics Trivia #12 - Given only a disk image, how do you determine the default timezone of a Linux system?