Hashtagcyber
@HashtagCyber
he|him ; Personal profile - thoughts are my own. security @ ai security place


17,000 tokens per second!! Read that again! LLM is hard-wired directly into silicon. no HBM, no liquid cooling, just raw specialized hardware. 10x faster and 20x cheaper than a B200. the "waiting for the LLM to think" era is dead. Code generates at the speed of human thought. Transition from brute-force GPU clusters to actual AI appliances. taalas.com/the-path-to-ub…


I’m a bit concerned about the non-inquisitive celebration from infosec on this. Where is the “what does keystroke latency even mean?” Without that, you can’t implement it for yourself, nor can you identify weaknesses. ~3yrs I was privately proposing similar options. So, AS SOMEWHAT OF A KEYBOARD EXPERT MYSELF 🤔💅, let’s look…

First, this is most likely NOT a direct measure of network latency. This machine was physically located in Arizona. DPRK started off with shipping corp laptops overseas, but the network latency was a dead giveaway. So they started colocating them in the USA and remotely controlling them. First with remote control software, which is easy to identify if the company has security software on the machine. And then with hardware like IP-KVMs. There are sometimes a few tells that an IP-KVM is in use, but a well-tuned one will identify exactly like a normal external keyboard/mouse/monitor. Unless…

This is where you have to start looking beyond device identity and instead look at input anomalies. Keyboard/mouse input being sent halfway across the world via network packets to an IP-KVM can look… weird. Think bursts of input. This looks very weird with mouse data that is normally smooth. But even keystrokes start to stand out when you have a big enough dataset to compare against. So, of course, you could improve the IP-KVM to smooth out and “humanize” the inputs before relaying them to the host. But…

You can also present some real-time control surfaces. I don’t want to blow anyone’s defense tradecraft here. So let’s just imagine the employee needs to play a 5sec game of flappybird each day. Or maybe it’s an overt “DPRK Detector” step during login. The visual input has to travel halfway across the globe, then the input has to come all the way back. That’s a massive delay for response to visual stimulus. Certainly anomalous enough to warrant investigation. How do you beat that? Maybe an AI process running on the IP-KVM that plays DPRK Detector for you?

The arms race will continue. And it’s mostly because HR and Hiring Managers don’t want to do deeper background checks needed to identify fake/stolen identities. 🤷‍♂️

And for anyone not familiar with these hunts, the detection techniques are NOT definitive proof of wrongdoing. They are simply turning a mountainous haystack into a fistful of hay that a human can quickly sift through to look for other indicators.

Note: there are environment-specific detections as well. But I tried to stay in territory that’s applicable to everyone who has this risk in their threat model.
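The "bursts of input" signal described in the thread above, sketched as an added example that is not part of the original posts: it profiles the gaps between pointer events and flags streams that arrive in clumps separated by stalls. The function names, the 125 Hz report interval, the thresholds and both sample streams are assumptions constructed for illustration, and the flag is a triage signal for human review, not proof.

```python
from statistics import mean, pstdev

def burst_profile(timestamps_ms, poll_ms=8.0, idle_ms=500.0):
    """Summarise inter-event gaps for one stream of pointer events.

    poll_ms is the expected report interval of a locally attached device
    (8 ms = 125 Hz, an assumed value); gaps >= idle_ms are treated as the
    user pausing and are ignored.
    """
    gaps = [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]
    active = [g for g in gaps if 0 <= g < idle_ms]
    if len(active) < 20:          # too little data to say anything
        return None
    avg = mean(active)
    return {
        # events arriving far faster than the device could report them
        "clumped": sum(g < poll_ms / 4 for g in active) / len(active),
        # silences in mid-movement, far longer than one report interval
        "stalled": sum(g > poll_ms * 4 for g in active) / len(active),
        # coefficient of variation: ~0 for a steady stream, large for bursts
        "cv": pstdev(active) / avg if avg else 0.0,
    }

def is_bursty(profile, clumped_min=0.5, cv_min=1.5):
    """Triage flag only (assumed thresholds): queue for human review."""
    return bool(profile) and profile["clumped"] >= clumped_min and profile["cv"] >= cv_min

# Constructed sample: steady 125 Hz stream with +/-0.5 ms jitter.
LOCAL = [8 * i + (i % 3 - 1) * 0.5 for i in range(200)]
# Constructed sample: 10 events 0.2 ms apart, delivered every 80 ms.
RELAYED = [80 * b + 0.2 * k for b in range(20) for k in range(10)]

if __name__ == "__main__":
    for name, stream in (("local", LOCAL), ("relayed", RELAYED)):
        p = burst_profile(stream)
        print(name, {k: round(v, 3) for k, v in p.items()}, "bursty:", is_bursty(p))
```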




Extension malware authors now trying to impersonate security researchers? What’s the end goal here… FYI @tuckner




Added CloudFront because marketing wanted the site faster. Didn't expect much. Server load dropped 63%. Not because of caching. Because 60% of our traffic was bots and CloudFront just... blocked them automatically. We'd been optimizing for bot traffic for 6 months without knowing it.





