Chris Beckett

741 posts

@cbecks_2

Infosec and the Green Bay Packers. Interested in all things DFIR, Detection Engineering, Purple, and CTI. Opinions are mine, certainly not those of my employer.

Joined November 2018
2.1K Following, 811 Followers

Chris Beckett retweeted
Florian Roth ⚡️ @cyb3rops
. @mubix shared this on LinkedIn and thought some of you might find it useful: “A Practical Reprioritization Guide for CISOs Entering the AI Vulnerability Era” linkedin.com/posts/mubix_th…

Chris Beckett retweeted
Fabian Bader @fabian_bader
If you have a conditional access policy scoped to user action "Register security information", starting May 2026 the registration of Windows Hello for Business and macOS Platform SSO credentials will be in scope. #EntraID

Fletcher Davis @gymR4T
@cbecks_2 One of my biggest gripes recently is around how many of these SaaS vendors are paywalling their security and audit data. Enterprise license requirements, additional charges, etc.

Chris Beckett @cbecks_2
Friendly reminder that Docusign still charges you extra to stream/export logs from their platform.

Chris Beckett retweeted
Peter Girnus 🦅 @gothburz
Last week our CISO asked me to present on “zero trust architecture.” I don’t know what that means. I make $340,000 a year. I haven’t touched a firewall since Obama’s first term. But I have a CISSP. I passed by memorizing acronyms. I still don’t know what half of them stand for. I opened my presentation with “assume breach.” Everyone nodded gravely. I said “defense in depth” three times. The board was captivated. Then a junior analyst raised her hand. She asked how we’d implement microsegmentation. I felt a cold sweat. I said, “Great question. Let’s take that offline.” She persisted. I said we should “leverage AI-driven solutions.” She asked which ones. I said, “The cloud-native ones.” She looked confused. I told her confusion was natural. I said, “Security is a journey, not a destination.” The CEO started clapping. I don’t know why. But others joined in. The analyst stopped asking questions. I ended with “security is everyone’s responsibility.” This meant it was no one’s responsibility. Especially not mine. We got breached two weeks later. I blamed the analyst for “creating a culture of doubt.” She got put on a PIP. I got promoted to VP. Resilience isn’t about preventing failure. It’s about surviving it. Preferably while others don’t.

Chris Beckett retweeted
1aN0rmus @TekDefense
This Salesloft incident is a doozy. Here’s a quick video breakdown of what’s known so far. Watch till the end for my Salesforce logging rant :)

Chris Beckett retweeted
Jared Wilson @JWilsonSecurity
...and we're looking for one more sucker, I mean team manager, to join the league!! You'll get to trash talk with the best while also sharing security best practices 🤣 Be warned, we do have punishments... So bring your best.
Jared Wilson @JWilsonSecurity

We are back! The #SecureTheBall Cyber Security Fantasy Football league returns for its ***third year***! I expect this will be the most ice filled year yet. 🧊🧊🧊

Chris Beckett @cbecks_2
@SecurityAura Pouring one out for all my Detection Engineering homies who continue to find out just how terrible these logs are. For most I think it just makes sense to deploy a CSPM as an event logger and normalizer. I’d be curious if anyone has experiences to share from Wiz or other.

Aura @SecurityAura
>enabling SSH on the ESXi hosts You ARE syslogging your ESXi hosts to a SIEM and alerting on this behavior aren't you? If not, you ARE alerting on the root account password being reset, right? Right? ... Right? Please say I'm right.
J⩜⃝mie Williams @jamieantisocial

this part is brutal.

Will @BushidoToken
There’s various reports of cybercriminals abusing CrowdStrike RTR, the SentinelOne installer, and the Wazuh SIEM Agent. Seems we could do with a new @MITREattack TTP for this threat. Should be a concern for orgs running any type of EDR/SIEM agents. (Sources linked below)

1aN0rmus @TekDefense
Last week I created Permiso Podcaster (automatic video podcast generator) and shared a sample. In this video I walk you through how I built it!
- Pulls data from @permisosecurity MCP
- Claude 3.5 writes a 2-host script
- @elevenlabs generates audio
- @runwayml clips FFMPEG stitches it all

Chris Beckett @cbecks_2
@t3hpaul @anttitikkanen Hey All - Bumping this thread again in case anyone has learned anything. Slack search history was mentioned in the Rippling/Deel filing so figured I would ask. Thanks!

Chris Beckett @cbecks_2
@t3hpaul @anttitikkanen We received a "less than stellar" response back when asking for this feature. They said that it can be requested retroactively in the event of a security incident but they do not plan to make the data readily available in an audit log or via API due to privacy concerns.

Chris Beckett @cbecks_2
My fellow detection engineers: Is anyone aware of a way to get Search Query audit logging from Slack?

Dustin Beaudoin @thedbeaudoin
@jsawadd honestly thought the part about the Information article and associated Slack searches was an underrated nominee for lowkey wildest part of the story. so blatant

Jonathan Awad @jsawadd
Because I know most people can’t or simply won’t read Parker’s actual tweet Rippling v Deel is almost unbelievable LEGIT honeypot use ??? READ THIS PART —>
Parker Conrad @parkerconrad

Rippling sued @Deel today. Our lawsuit alleges Deel cultivated a spy at Rippling & orchestrated a long-running trade-secret theft. The spy searched “deel” in our systems 23 times per day on avg, letting him spy on Deel’s own customers who were considering a switch to Rippling.

Matt Johansen @mattjay
This story is absolutely insane. And we don't usually get a front-row seat to insider threat investigations. Spy got tricked by a honeypot and implicated the most senior leaders at the victim's biggest competitors. I go through it all here: youtu.be/tDG1WfbSZFo

Chris Beckett @cbecks_2
This was new to me, so I hope it helps someone else. It looks like Enterprises can configure allowlists for VSCode extensions on Windows now. Looks like Mac is coming later: code.visualstudio.com/docs/setup/ent…

Chris Beckett retweeted
Microsoft Threat Intelligence @MsftSecIntel
Within the past 24 hours, we observed Storm-2372 shifting to using the specific client ID for Microsoft Authentication Broker in the device code sign-in flow of their device code phishing campaign. Get more details from our continuous tracking of this active threat: msft.it/6016Uqc2r

Chris Beckett @cbecks_2
@SpecterOps Do you all have any insight around where the shell commands for Azure Cloud Shell get logged?

SpecterOps @SpecterOps
New blog post alert! 🚨 Lance Cain shares insights from a recent security assessment about the attack surface of Single-Page Applications integrated w/ Azure and how to aid technology professionals in securing their Azure environment. ghst.ly/4gq8E5y

Chris Beckett retweeted
The Haag™ @M_haggis
🔍💻 PowerShell Pro Tip! 💻🔍 Ever wondered what app opens specific file extensions on your Windows machine? 🤔 Sure, it’s not new, but it’s super handy! 💪 Use this PowerShell magic to find file extensions and their associated apps (like finding out `.rdp` opens with `mstsc.exe`)! 🚀

```
$associations = @()
$registryPaths = @(
    "HKLM:\Software\Classes",
    "HKCU:\Software\Classes"
)

foreach ($path in $registryPaths) {
    Get-ChildItem $path | ForEach-Object {
        # Extension keys are the subkeys whose names start with a dot
        if ($_.PSChildName -like ".*") {
            $extension = $_.PSChildName
            # The key's default value is the ProgID registered for the extension
            $progId = (Get-ItemProperty -Path "$($_.PSPath)" -ErrorAction SilentlyContinue).'(Default)'
            if ($progId) {
                # The ProgID's shell\open\command default value is the command line that opens the file
                $commandPath = (Get-ItemProperty -Path "$path\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(Default)'
                $associations += [PSCustomObject]@{
                    Extension     = $extension
                    ProgID        = $progId
                    AssociatedApp = $commandPath
                }
            }
        }
    }
}

$associations | Out-GridView -Title "File Extensions and Associated Applications"
```

gist.github.com/MHaggis/a5b0af…

Hit enter & watch as the magic unfolds! 🎩✨ Explore the full list in a GUI to see extensions + their apps! Because sometimes… knowing is half the battle 🛡️💡 🖥️🐱‍💻