Silicon Shecky

Infosec Practitioner


Copyright © 2025 ·Sixteen Nine Pro Theme · Genesis Framework by StudioPress · WordPress

Welcome to 2019, please hold on

January 10, 2019 By Michael Kavka

So here we are, the start of a new year. Over 2018, I tried to write a post every week, and was mostly successful. I intend to try to do the same in 2019. Besides the normal ramblings I tend to post, I am also going to try to post some more technical material. One of the projects I will be blogging about is building a multi-node Graylog setup.

In case you have not heard of it, Graylog is a nice, inexpensive log collector. You can run searches with it and potentially use it as a SIEM. There is a good community around it, and it has plugins to parse many different types of logs. These posts should start in the next few weeks and will continue until I have the new setup completed.

If you went on a Twitter hiatus over the last couple of weeks, another huge tweet thread (or several) started on the state of hiring in the world of Cyber Security. This one got into the idea of people getting into Cyber Security because of the pay scale, and not because of an actual interest in the field itself (sometimes called passion). Many of us remember the late 90’s/early 2000’s, when this happened to the IT field in general before the tech bubble burst. The idea that we wind up over-saturated with people who are uninterested in the field itself, but got a degree in it to do the lower-paying jobs that nobody wants, would not bother me if I didn’t know so many people without that piece of paper, either in the field or outside it, who would be willing to take those positions. The other issue comes in when the people in it only for the money get positions higher up the chain, again due to that piece of paper from a college, ahead of people who have been working their asses off because they want to grow with the industry but will not get the time of day even with work experience. Now, to be fair, sometimes someone who goes into a field for the money winds up in love with what they do and has that passion. The big deal about passion really is a desire to learn and improve on one’s own, and that can come in many ways. It is an interesting situation to think about, as we should want to be inclusive, but there is something to be said for putting people who have a love of and experience in our field into the better positions first.

As a reminder, check your favorite conference for their CFP schedule, as it is CFP season. Submit early, submit often, and don’t take rejection personally.

-Shecky


Filed Under: General, Security Tagged With: Cyber Security, InfoSec, Jobs

2018 A Look Back

December 27, 2018 By Michael Kavka

As 2018 comes to a close, I want to thank you for choosing to read this little blog. Now for a small look back at the year.

This year has been another one of ups and downs. I have seen the Twitter wars of 2018: people in the industry accused of stuff, and some of the “Rockstars” basically crapping on people that have less knowledge than they do. I have seen others try to lift each other up, and promote the sharing that our field desperately needs. So what could we have learned from all of this? Simple: be a bit nicer to each other, listen closely, and if you want more people to understand things, do not berate them.

We have had more big breaches, tons of smaller breaches, and a lot of facepalming because of the breaches. Some breaches from prior years were revealed to be completely avoidable. Lesson learned: never discount the simple attack, because the second you overlook it, that is where it will come from.

I have blogged both positively and negatively about CarbonBlack Defense. There honestly is a lot wrong with it, mostly from the lack of controls and of understanding of how something gets alerted on. Even the priority order they list for whitelisting doesn’t seem to actually hold. That said, I’ll still be working with it for a while and am going to continue to blog about issues, both good and bad, in the coming year.

I was interviewed on a podcast for the first time this year, which was pretty cool. You can check that out here. It was about CFPs and handling rejection. Yes, I have put in for another CFP for 2019 that I am pretty sure will get rejected, mostly because the conference is red team focused. That being said, the rule here is to not let it get you down, and keep putting in CFPs. I did get one accepted in 2018 for Cyphercon and enjoyed speaking there.

Speaking of conferences, I made it to my first Derbycon this year. I highly recommend going to one, even if you do not have a ticket (I saw tickets being sold at face value the day before and the day of the con). Just from a networking and knowledge exchange standpoint it is worth it.

Finally, looking toward 2019, I want to say that things will happen. Breaches will occur, people will get butt hurt. Remember that no one is perfect, and those that have to rip on you because you might not have the same level of knowledge, or are trying to look at things from a new perspective, are more than likely doing that because they feel threatened in their own mind. Remember to take time away, and talk to people if you feel mentally drained. Your health, both mental and physical, is the most important thing you have, for without it you have nothing.

May you all have an awesome 2019.

-Shecky

Filed Under: General

Reputation, what is it good for? (Absolutely Nothing)

November 29, 2018 By Michael Kavka

Reputation is something that should be taken (and usually is) seriously. It affects how we look at people and companies, what level of trust there is, and whether we should recommend said people/companies to others. In the world of NextGen AV and EDR, reputation is supposed to work the same way. This is not always the case, and it can be very detrimental when it is not. When reputation levels are not set properly inside such software or security solutions, you get situations where good software is blocked.

Let us start with a simple situation. You use a well known piece of software, say Commvault, whose vendor properly signs their software. CarbonBlack Protect knows this software, and there is no issue with getting it whitelisted properly. This is not the case with CarbonBlack Defense. You would think that it would have the certificate already in the system (it doesn’t, and there are other, more well known certificates that are not in there either), or at least have the software in their back end as a known vendor. Again, this is not the case as of this writing (and there is other software I have run into this issue with, so it is not an isolated case). It is easy enough to add the certificate into the system, but that does not make the software known at that point; it just adjusts the secret-sauce scoring down and does not guarantee that the software will not be blocked. Requesting an upload for every file that is run as part of the software would be a full time job for at least one person (if not multiple people), and even that does not mean you will lose the unknown file tag. Even whitelisting the file itself (which can make for a huge database of exceptions to manage) does not guarantee the file will be allowed to do what it needs to do. The only way to guarantee it is to put the path to the file(s) into a bypass mode of some sort. This then prevents such things from being looked at or recorded, leaving blind spots on the system for malicious software/actors to hide in. This is an unacceptable risk, and it really defeats the purpose of EDR software.

There are other issues with Unknown and Not Listed reputations that I have run into as well. I have set certain policies up so that unknown software can do certain things, but surprisingly it gets blocked because the reputation is Not Listed, again even though it should be known software. The CarbonBlack engineers have been working on this for over a month with no solution other than to put said software into a bypass type mode. Again, not a good solution.

I am lucky in that I have been dealing with this on test machines before rolling out to the full company, and I have heard of similar issues with other NextGen AV and EDR products. The worst part is the response from the company, and the length of time it is taking to track down such issues. This sort of issue should be a deal breaker for anyone who wants to use such software. AV is still an important and needed product on endpoints, and the shift to EDR software can be a good thing, but not when it leaves you blind. This is yet another reason why I feel EDR software is not quite ready for prime time, or in other words, the reputation I hold of such software is diminishing rapidly.

Filed Under: Reviews, Security Tagged With: CarbonBlack, Reputation, Unknown Software
