A lot of people ask me what they need to learn to keep up in AIxHacking: Right now you need to learn how to turn the monotonous part of your methodology into a repeatable agent, after that it’s scale and harness. Then it’s building skepticism into that system externally from you.
@SBousseaden For Elastic, I set up a CI/CD pipeline ingesting all Sigma LOLRMM rules, converted to TOML as building block rules, with a higher-order rule for "first time observed LOLRMM rule".
Am I doing this right 😅
ATT&CK v19 is live! We've split Defense Evasion into Stealth and Defense Impairment, introduced Sub-Techniques to ICS ATT&CK, Detection Strategies to Mobile, and added some AI and Social Engineering to Enterprise. Check out all the details in our blog post https://t.co/XHzwGHZuNX
I am so sick of companies posting "Remote" opportunities on @LinkedIn and then when you read the fine print it says "3 days in office mandatory" - why is there not a hybrid filter yet ????
I spent my normal whiskey/cigar break thinking and reading and counting how many configuration "switches" are available when you are a firm like Stryker.
36,000 to 45,000 config settings
And that's before you count the permutations.
You think a spreadsheet and a quarterly review covers it?
Research shows how Palo Alto Cortex XDR predefined BIOC behavioral rules can be decrypted and analyzed. By understanding rule logic and built-in exceptions, attackers can adapt techniques to evade detection and bypass behavioral protections.
https://t.co/I7ihgU1sDs
Taken from the Stryker Handala / Intune Detection Pack v2
"Check PIM role settings for Global Administrator, Intune Administrator, and Cloud Device Administrator. If you see only the "Require Azure MFA" checkbox and no Authentication Context configured, you have the same gap that enabled the Stryker wipe. Configure Authentication Context with FIDO2 or certificate-based auth today.
Enable Intune Multi-Admin Approval for wipe, retire, and delete actions. Tenant Administration > Multi Admin Approval. Under 10 minutes. No additional licensing required.
Deploy Rule 13 (bulk wipe threshold alert). Five wipes in 15 minutes from a single identity fires the alert. Wire it to a Logic App that calls revokeSignInSessions on the triggering account via Microsoft Graph."
Link to the Detection Pack v2 blog and direct download.
Please share so others can lock down their Intune environments.
https://t.co/nLhS49kxut
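The Rule 13 logic described in the post (five wipes within 15 minutes from one identity, then revoke that identity's sessions via Graph), worked through as an added example. This is not code from the tweet or from the Detection Pack; the audit events are constructed, the field names (`time`, `actor`, `operation`) loosely mirror the Intune audit log schema and are an assumption, and the Graph request is only built, not sent.

```python
"""Bulk-wipe threshold detection over constructed Intune audit events.

Added example, not from the Detection Pack. Field names are assumed;
sample records are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WIPE_THRESHOLD = 5                 # fifth wipe in the window fires the alert
WINDOW = timedelta(minutes=15)
# Intune audit OperationName for a device wipe is assumed to look like this;
# retire/delete could be added to the set if you want Rule 13 to cover them too.
WIPE_OPERATIONS = {"wipe ManagedDevice"}

# Constructed sample events: one admin wipes five devices in 12 minutes,
# a helpdesk account wipes five devices spread over 80 minutes (benign),
# and an unrelated config change is mixed in to show it is ignored.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "actor": "admin@contoso.example", "operation": "wipe ManagedDevice"},
    {"time": "2024-05-01T09:01:00", "actor": "admin@contoso.example", "operation": "create DeviceConfiguration"},
    {"time": "2024-05-01T09:03:00", "actor": "admin@contoso.example", "operation": "wipe ManagedDevice"},
    {"time": "2024-05-01T09:06:00", "actor": "admin@contoso.example", "operation": "wipe ManagedDevice"},
    {"time": "2024-05-01T09:09:00", "actor": "admin@contoso.example", "operation": "wipe ManagedDevice"},
    {"time": "2024-05-01T09:12:00", "actor": "admin@contoso.example", "operation": "wipe ManagedDevice"},
    {"time": "2024-05-01T09:00:00", "actor": "helpdesk@contoso.example", "operation": "wipe ManagedDevice"},
    {"time": "2024-05-01T09:20:00", "actor": "helpdesk@contoso.example", "operation": "wipe ManagedDevice"},
    {"time": "2024-05-01T09:40:00", "actor": "helpdesk@contoso.example", "operation": "wipe ManagedDevice"},
    {"time": "2024-05-01T10:00:00", "actor": "helpdesk@contoso.example", "operation": "wipe ManagedDevice"},
    {"time": "2024-05-01T10:20:00", "actor": "helpdesk@contoso.example", "operation": "wipe ManagedDevice"},
]


def find_bulk_wipers(events, threshold=WIPE_THRESHOLD, window=WINDOW):
    """Sliding-window count of wipes per actor.

    Returns {actor: ISO time of the wipe that crossed the threshold}.
    Each actor fires at most once, so the downstream revoke runs once.
    """
    per_actor = defaultdict(deque)   # actor -> timestamps of wipes still inside the window
    triggered = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["operation"] not in WIPE_OPERATIONS:
            continue
        ts = datetime.fromisoformat(ev["time"])
        q = per_actor[ev["actor"]]
        q.append(ts)
        while q and ts - q[0] > window:  # drop wipes older than the window
            q.popleft()
        if len(q) >= threshold and ev["actor"] not in triggered:
            triggered[ev["actor"]] = ts.isoformat()
    return triggered


def build_revoke_request(actor):
    """The Microsoft Graph call a Logic App HTTP action would make.

    POST /users/{id|upn}/revokeSignInSessions invalidates refresh tokens and
    session cookies for the user. The caller needs a Graph token with a
    permission that covers it (check the current Graph docs for the scope).
    """
    return {
        "method": "POST",
        "url": f"https://graph.microsoft.com/v1.0/users/{actor}/revokeSignInSessions",
        "headers": {"Authorization": "Bearer <token from managed identity>"},
    }


if __name__ == "__main__":
    for actor, when in find_bulk_wipers(SAMPLE_EVENTS).items():
        print(f"ALERT {when}: {actor} hit {WIPE_THRESHOLD} wipes in {WINDOW}")
        print(build_revoke_request(actor)["url"])
```

The helpdesk account never has five wipes inside any 15-minute span, so only the admin identity is returned, and the trigger time is the fifth wipe rather than the first, which is what you want the Logic App to key on.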
The 3 AI SOCs I’ve demoed with this month all give me serious cause for concern.
Traditional ML in a SIEM with UEBA should probably be leveraged before AI solutions.
Following that, SOAR with AI sprinkled in where necessary, then more advanced AI measures.
Also, security architecture evals for our own deployments have proven more difficult than I expected.
Like Gall said in the 70s: complex systems are never built. They evolve from simpler ones.
There’s an astronomical skill gap between good security people, and the rest. There’s no mid. Accounts you see posting their research here are absolutely cracked, it’s not the norm.
When you go out and talk to security folks that don’t go to conferences, don’t read up on research, you realize: holy shit. They have no fucking clue. The majority of the cybersecurity workforce is absolutely incompetent.
It’s partly why vendors can come up with inane bullshit as marketing material and it works on many CISOs.
If you’re reading this, you’re most likely 1000x the skill level of the average person. Like I cannot emphasize enough how low the bar is when the sample size is the entire industry.