Posts

Find and list Unsecured Azure Storage Blobs

Unsecured cloud storage is often the cause of a breach. It regularly makes the headlines when an Amazon S3 bucket is found with public access and contains tens of thousands or even millions of records including PII (Personally Identifiable Information) such as addresses, phone numbers and email addresses. The same problem can beset Azure, or I guess any cloud platform, and while defaults have improved it is still a common misconfiguration that can lead to a breach. Recently I found myself needing to examine some Azure storage accounts to check for misconfigured public access. A colleague suggested a script he'd come across, Invoke-EnumerateAzureBlobs (thanks Stephen). The PowerShell script can be used to find storage accounts and then enumerate files within that storage account if the permissions allow it. The original article can be found here and the GitHub repo here. I would recommend reading the original post. On this occasion I used this to
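The check the script performs, reduced to its core, as an added Python example (this is not Invoke-EnumerateAzureBlobs and not code from the original article): an anonymous "List Blobs" request against a container succeeds only when the container's public access level is "container", so a 200 with a blob listing is the misconfiguration. The account and container names are placeholders, the XML bodies are constructed to match the shape of the REST response, and `probe_container` is the only function that touches the network.

```python
"""Check whether Azure Storage containers allow anonymous listing.

Added example for this post. It is not Invoke-EnumerateAzureBlobs and is not
from the original article; it uses the Blob service REST operation
"List Blobs" (GET https://<account>.blob.core.windows.net/<container>
?restype=container&comp=list), which succeeds without any credentials only
when the container's public access level is "container". The account and
container names are placeholders and the SAMPLE_* bodies are constructed.
"""
from __future__ import annotations

import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def container_list_url(account: str, container: str, marker: str | None = None) -> str:
    """Anonymous List Blobs URL; `marker` continues a paged listing."""
    url = f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"
    if marker:
        url += "&marker=" + urllib.parse.quote(marker, safe="")
    return url


def parse_blob_listing(xml_text: str) -> tuple[list[str], str | None]:
    """Return (blob names, NextMarker) from a List Blobs response body."""
    root = ET.fromstring(xml_text)
    names = [el.text for el in root.findall("./Blobs/Blob/Name") if el.text]
    next_marker = root.findtext("NextMarker")   # "" for <NextMarker /> (last page)
    return names, (next_marker or None)


def probe_container(account: str, container: str, timeout: float = 10.0) -> tuple[int, list[str]]:
    """Issue the anonymous request, following NextMarker pages; returns (status, blob names).

    200 means the container is publicly listable. Any other status is returned
    as-is: the status code alone does not reliably distinguish a private
    container from one that does not exist, so treat non-200 as "not
    anonymously listable", not as "absent".
    """
    names: list[str] = []
    marker: str | None = None
    while True:
        url = container_list_url(account, container, marker)
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                status = resp.status
                body = resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as exc:
            return exc.code, names
        page, marker = parse_blob_listing(body)
        names.extend(page)
        if not marker:
            return status, names


# Constructed bodies in the shape the List Blobs operation returns.
SAMPLE_LISTING = """<EnumerationResults ServiceEndpoint="https://exampleacct.blob.core.windows.net/" ContainerName="backups">
  <Blobs>
    <Blob><Name>customers-2019-03.csv</Name></Blob>
    <Blob><Name>db-dump.sql.gz</Name></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""

SAMPLE_PAGED = """<EnumerationResults ServiceEndpoint="https://exampleacct.blob.core.windows.net/" ContainerName="backups">
  <Blobs><Blob><Name>part-0001.bin</Name></Blob></Blobs>
  <NextMarker>2!76!MDAwMDEx</NextMarker>
</EnumerationResults>"""


if __name__ == "__main__":
    print("final page:", parse_blob_listing(SAMPLE_LISTING))
    print("paged:", parse_blob_listing(SAMPLE_PAGED))
    # Live probe against an account you are authorised to test, for example:
    # print(probe_container("exampleacct", "backups"))
```

Run against real accounts only where you are authorised; every container name tried is a guess, which is why the original script works from a wordlist, and a 200 with blob names is the finding that needs fixing (set the container's public access level to "Private" and, where possible, disallow public access at the account level).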

Modern Honey Network - Extract Threat Intel

The Modern Honey Network (MHN) is an application for deploying honeypots and collecting data from them. Honeypots can be a very useful detective control, but they can also be useful for collecting threat intelligence. There is a great introductory blog post on Lenny Zeltser's blog. I use a popular cloud service to deploy my honeypots on the Internet. I use it to collect various threat intelligence, such as scanning IPs and the source addresses of password brute-force attacks. I feed the IP addresses into tools like Security Onion and SOF-ELK. As MHN can write to Elasticsearch via a locally installed Logstash, it's easy to query and extract the data from there. I wrote a small Python program to extract either unique IP addresses or a unique password list; the password list can be used to check your own passwords against, to make sure you don't use ones that appear in attackers' dictionaries. Once extracted, the unique IP addresses can be used as threat intelligence in your SIEM or you could furt
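The two extractions described above, as an added Python example that is not the author's program: it takes honeypot events in the shape MHN forwards through Logstash, drops source addresses that are useless as external intel (RFC 1918, loopback, link-local and so on), and builds the unique IP list and the attacker password dictionary. The records are constructed newline-delimited JSON, and the field names `src_ip`, `username` and `password` are an assumption to check against your own Elasticsearch index mapping; documents pulled from Elasticsearch (`_source`) feed the same functions.

```python
"""Turn MHN honeypot events into unique attacker IPs and a password list.

Added example for this post; it is not the author's script. The event
records below are constructed newline-delimited JSON in the shape MHN
forwards to Logstash/Elasticsearch; the field names src_ip, username and
password are assumed and should be checked against your own index mapping.
"""
from __future__ import annotations

import ipaddress
import json

# Addresses that are never useful as external threat intel: RFC 1918, loopback,
# link-local, multicast, unspecified, and their IPv6 equivalents.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed events (documentation address ranges, not real attackers).
SAMPLE_EVENTS = """\
{"src_ip": "203.0.113.12", "username": "root", "password": "123456", "honeypot": "cowrie"}
{"src_ip": "203.0.113.12", "username": "admin", "password": "admin", "honeypot": "cowrie"}
{"src_ip": "198.51.100.7", "username": "root", "password": "toor", "honeypot": "cowrie"}
{"src_ip": "203.0.113.40", "username": "pi", "password": "raspberry", "honeypot": "cowrie"}
{"src_ip": "10.0.0.5", "username": "root", "password": "123456", "honeypot": "cowrie"}
{"src_ip": "203.0.113.40", "honeypot": "dionaea"}
{"src_ip": "not-an-ip", "username": "x", "password": "", "honeypot": "cowrie"}
"""


def load_events(ndjson: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def is_routable(ip: str) -> bool:
    """False for malformed addresses and for anything in _NON_ROUTABLE."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in _NON_ROUTABLE)


def unique_ips(events: list[dict]) -> list[str]:
    """Unique routable source IPs, sorted numerically so the feed is stable between runs."""
    ips = {e["src_ip"] for e in events
           if isinstance(e.get("src_ip"), str) and is_routable(e["src_ip"])}
    return sorted(ips, key=lambda s: (ipaddress.ip_address(s).version,
                                      int(ipaddress.ip_address(s))))


def unique_passwords(events: list[dict]) -> list[str]:
    """Unique non-empty passwords the attackers tried: their working dictionary."""
    return sorted({e["password"] for e in events if e.get("password")})


def seen_by_attackers(candidate: str, events: list[dict]) -> bool:
    """True if a password you intend to use already appears in the attacker dictionary."""
    return candidate in set(unique_passwords(events))


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    print("\n".join(unique_ips(events)))          # one IP per line for a SIEM threat list
    print("dictionary:", unique_passwords(events))
    print("'123456' seen:", seen_by_attackers("123456", events))
```

The private-range filter matters when an internal scanner or your own monitoring also hits the honeypot; without it those addresses end up on a block list in your SIEM.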

Squid Proxy with SOF-ELK Part 2 Analysis

Firstly, I'm happy to report that I received a SANS SEC530 Red Challenge Coin for submitting a blog post that builds upon the SEC530 course subject matter, Squid Proxy with SOF-ELK Part 1. Thank you very much Justin Henderson and Ismael Valenzuela for the coin. Analysis: In this post I wanted to go a little deeper into how to analyse Squid logs collected in SOF-ELK and develop some potential security use cases. In Part 1 we configured Squid to use OpenDNS Home edition to block access to undesirable sites, such as gambling sites and sites known to serve malware. We also configured Kibana to show meaningful block codes rather than just the IP address that OpenDNS redirected users to when they visited a blocked site. From the user's perspective they will see a blocked message from OpenDNS like this: On SOF-ELK we can see the details of the blocked browsing as shown here: We can use the block type to create a visualisation to examine which type of block is prevalent
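The same analysis outside Kibana, as an added Python example (not the author's SOF-ELK or Kibana configuration): it parses Squid's native access.log format, uses the destination address in the hierarchy field (`HIER_DIRECT/<ip>`) to recognise requests that OpenDNS answered with a block page, maps that address to a block type, and counts blocks per client so that repeated malware blocks from one host can be raised as a use case. The log lines are constructed, and the block-page address to block-type table is a placeholder to be filled from the addresses you observe in your own OpenDNS redirects.

```python
"""Classify Squid access-log entries into OpenDNS blocks, Squid denials and allowed traffic.

Added example for this post; it is not the Kibana configuration from Part 1
nor the author's code. It parses Squid's native access.log format and uses
the peer address in the hierarchy field (HIER_DIRECT/<ip>) to spot requests
that OpenDNS answered with a block page. OPENDNS_BLOCK_PAGES is an ASSUMED
placeholder table, and SAMPLE_LOG is constructed.
"""
from __future__ import annotations

from collections import Counter

# ASSUMED mapping of OpenDNS block-page addresses to block types.
# Replace with the addresses and meanings observed in your own logs.
OPENDNS_BLOCK_PAGES = {
    "146.112.61.104": "category",
    "146.112.61.105": "phishing",
    "146.112.61.110": "malware",
}

# Constructed native-format lines:
# time elapsed client code/status bytes method URL user hier/peer type
SAMPLE_LOG = """\
1556120001.123     45 192.168.1.20 TCP_MISS/302 512 GET http://casino-example.test/ - HIER_DIRECT/146.112.61.104 text/html
1556120005.456     30 192.168.1.20 TCP_MISS/200 8123 GET http://www.example.com/ - HIER_DIRECT/203.0.113.50 text/html
1556120010.789     28 192.168.1.31 TCP_MISS/302 512 GET http://malware-example.test/payload.exe - HIER_DIRECT/146.112.61.110 text/html
1556120015.001     31 192.168.1.31 TCP_MISS/302 512 GET http://malware-example2.test/x.bin - HIER_DIRECT/146.112.61.110 text/html
1556120020.222      0 192.168.1.40 TCP_DENIED/403 3742 CONNECT blocked-by-acl.test:443 - HIER_NONE/- text/html
"""


def parse_squid_line(line: str) -> dict | None:
    """Split one native-format line into the fields the analysis needs; None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    result, hier = f[3], f[8]
    return {
        "time": float(f[0]),
        "client": f[2],
        "result": result,                      # e.g. TCP_MISS/302
        "status": int(result.split("/")[1]),
        "url": f[6],
        "peer": hier.split("/", 1)[1],         # IP after HIER_DIRECT/, or "-" for HIER_NONE
    }


def classify(rec: dict) -> str:
    """'opendns:<type>' for a block-page destination, 'squid-denied' for Squid's own
    ACL denials, otherwise 'allowed'."""
    if rec["peer"] in OPENDNS_BLOCK_PAGES:
        return "opendns:" + OPENDNS_BLOCK_PAGES[rec["peer"]]
    if rec["result"].startswith("TCP_DENIED"):
        return "squid-denied"
    return "allowed"


def block_summary(log_text: str) -> Counter:
    """Count (client, classification) pairs: the breakdown the Kibana visualisation shows."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec:
            counts[(rec["client"], classify(rec))] += 1
    return counts


def flag_clients(counts: Counter, block_type: str = "opendns:malware", threshold: int = 2) -> list[str]:
    """Clients that hit `block_type` at least `threshold` times: a candidate alert."""
    return sorted(client for (client, kind), n in counts.items()
                  if kind == block_type and n >= threshold)


if __name__ == "__main__":
    counts = block_summary(SAMPLE_LOG)
    for (client, kind), n in sorted(counts.items()):
        print(f"{client:15} {kind:18} {n}")
    print("repeat malware blocks:", flag_clients(counts))
```

A block page returns a 302 from Squid's point of view, not an error, which is why the hierarchy peer rather than the status code is the reliable signal; a Squid ACL denial shows up as TCP_DENIED with HIER_NONE and is a different control.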

Defensible Network Architecture 2.0 Mind Map

This post is just my mind map for Richard Bejtlich's excellent Defensible Network Architecture 2.0. Please go read the original post for full details. This mind map just helps me visualise and expand each of the topics. I also find it useful to think about how things fit together and work together; this is shown in the linkages. The top level is numbered and runs clockwise, which matches the priority numbering in the original post. MICCMAC ('mick-mack'). Hopefully I will continue to update this as I re-arrange it and add more levels. You can download the XMind version from my GitHub.

Squid Proxy with SOF-ELK Part 1

In this post I wanted to show how a Squid proxy could be used with OpenDNS to provide simple but effective security for a home or small business. This blog post was inspired by the SANS course SEC530 Security Architecture & Engineering, which leads to the GIAC Defensible Security Architecture (GDSA) certification. This is a great course for anyone looking to develop and improve their 'full stack' defensive posture. Monitoring is courtesy of SOF-ELK, one of the many tools by those nice people at SANS. SOF-ELK is used in a few SANS courses including FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response, and SEC555 SIEM with Tactical Analytics. OpenDNS Enterprise is now Cisco Umbrella; however, the OpenDNS Home service is available for free and small businesses can use the Prosumer service for a modest fee. The first step is to install a CentOS 7 minimal and then apply the latest updates. In order to use the OpenDNS Home service I inst

Entropy in a given character set

This is a Python program to work out the bits of entropy for a given character set at a specific password length. In other words, how random can a password be at a specific length when each character is drawn uniformly at random from a given set of characters.
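A worked version of the calculation, as an added Python example rather than the author's program: the entropy of a password of `length` characters, each chosen uniformly at random from a set of `size` characters, is `length * log2(size)`, and the example also inverts it to give the shortest length that reaches a target such as 128 bits. It goes slightly beyond the post by composing the character set from named classes; all function names are this example's own, and the figures hold only for generated passwords, since human-chosen ones are far from uniform.

```python
"""Bits of entropy for a password of a given length drawn from a given character set.

Added example for this post; it is a worked version of the idea, not the
author's program. Entropy here is length * log2(charset size), which holds
only when every character is chosen uniformly at random (a generator, not a
human). The function and class names are this example's own.
"""
from __future__ import annotations

import math
import string

# Named classes a password policy usually talks about; sizes in comments.
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digits": string.digits,           # 10
    "symbols": string.punctuation,     # 32 printable ASCII punctuation characters
}


def charset_size(*classes: str) -> int:
    """Size of the union of the named classes (a character in two classes counts once)."""
    chars: set[str] = set()
    for name in classes:
        chars.update(CHARACTER_CLASSES[name])
    return len(chars)


def bits_of_entropy(size: int, length: int) -> float:
    """Entropy of `length` characters, each chosen uniformly from `size` possibilities."""
    if size < 2 or length < 1:
        raise ValueError("need at least two characters and a length of one or more")
    return length * math.log2(size)


def min_length_for_bits(size: int, target_bits: float) -> int:
    """Smallest length whose entropy reaches `target_bits` for a set of `size` characters."""
    if size < 2:
        raise ValueError("need at least two characters")
    return max(1, math.ceil(target_bits / math.log2(size)))


def entropy_table(size: int, max_length: int) -> list[tuple[int, float]]:
    """(length, bits) for every length from 1 to max_length, rounded to one decimal."""
    return [(n, round(bits_of_entropy(size, n), 1)) for n in range(1, max_length + 1)]


if __name__ == "__main__":
    size = charset_size("lower", "upper", "digits", "symbols")
    for length, bits in entropy_table(size, 16):
        print(f"{length:2d} chars from a set of {size}: {bits:5.1f} bits")
    print("length needed for 128 bits:", min_length_for_bits(size, 128))
    print("digits only, 40 bits:", min_length_for_bits(charset_size("digits"), 40))
```

The inverse function is the useful one for policy: it tells you that a 94-character set needs 20 random characters to reach 128 bits, while a 62-character alphanumeric set needs 22, so widening the set buys less than lengthening the password.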

Are you being sabotaged in meetings?

If you feel like your progress is being sabotaged in meetings, perhaps it is. Excerpt from the CIA Simple Sabotage Field Manual.