🚨 BLOG ALERT 🚨
I dove into maintenance in #DetectionEngineering - why it matters so much and the paradox that won’t let me sleep at night.
This is the first post in a new series:
One of the least discussed topics in detection engineering is maintenance. But why is no one talking about this? In this first blog we explore its relevance to #detectionengineering and the paradox that keeps us awake at night. Enjoy!
https://t.co/18u2SD6EFG
🚨 BLOG ALERT 🚨
The #DetectionEngineering maintenance series continues!
This time, we share a practical guide on applying data science principles to detection maintenance, and a lot more!
This is the second post in the series:
https://t.co/JaFysjFmoK
FalconForce’s @KwaLeeTea brings you an early Christmas present🎁: the 2nd blog in #detectionengineering maintenance. Learn about how data science can boost your detection maintenance … and keep you from herding sheep. Enjoy the read and happy holidays🎄
https://t.co/4pfC61z01s
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: https://t.co/jD6EaGtsn3
Looking to elevate your #ThreatDetection strategy? 👀 Learn how to design repositories for detection-as-code with tips on branch strategy, repo organization & more. Part 2 of @_st0pp3r_‘s blog post series on #DetectionEngineering is live! 👇
https://t.co/XiuwVAwBuj
Curious how others are thinking about detection maintenance - how do you approach it? What metrics do you track to measure the effectiveness of the rule set? Do you keep historical data for a deeper understanding of rule behavior?
🚨 BLOG ALERT 🚨
I dove into maintenance in #DetectionEngineering - why it matters so much and the paradox that won’t let me sleep at night.
This is the first post in a new series:
One of the least discussed topics in detection engineering is maintenance. But why is no one talking about this? In this first blog we explore its relevance to #detectionengineering and the paradox that keeps us awake at night. Enjoy!
https://t.co/18u2SD6EFG
I am happy to announce JonMon2.0 has been published.
2.0 offers a lot of feature updates, as well as stability. More features still to come as time goes on. Enjoy and let me know if you have any issues or questions.
Link: https://t.co/LA77K2FGH9
Today I am writing a guide on the following topic: how to talk to idiots who believe that fully-automated, humanless, autonomous #SOC is coming any day?
I'm so excited today to announce that I'm launching my own online training platform @CalypsoLabs 🎊
The first course to appear on Labs is "Windows Instrumentation with Frida", check it out:
https://t.co/mmQbvDAsZc
Labs is partnering with @vector35, when you sign up you get a non-commercial Binary Ninja license valued at $299 👀🔥
👹 12 hours of video content
👹 27 labs
👹 Practical, grounded, real-world skills
I have been teaching this course at Black Hat for the last 3 years. Now you can suffer, painfully, at your own pace and really immerse yourself in the mechanics of binary instrumentation on Windows!
📢Join me and my favorite dog at #SOCON2024 next week.
I'll be there to:
- 🐶Give a #BloodHound Talk
- 🔥 Drop a new #PowerShell Tool
- 👻Hang out with my new @SpecterOps colleagues!!
Exciting time ahead...
See you there.
# on shortification of "learning"
There are a lot of videos on YouTube/TikTok etc. that give the appearance of education, but if you look closely they are really just entertainment. This is very convenient for everyone involved : the people watching enjoy thinking they are learning (but actually they are just having fun). The people creating this content also enjoy it because fun has a much larger audience, fame and revenue. But as far as learning goes, this is a trap. This content is an epsilon away from watching the Bachelorette. It's like snacking on those "Garden Veggie Straws", which feel like you're eating healthy vegetables until you look at the ingredients.
Learning is not supposed to be fun. It doesn't have to be actively not fun either, but the primary feeling should be that of effort. It should look a lot less like that "10 minute full body" workout from your local digital media creator and a lot more like a serious session at the gym. You want the mental equivalent of sweating. It's not that the quickie doesn't do anything, it's just that it is wildly suboptimal if you actually care to learn.
I find it helpful to explicitly declare your intent up front as a sharp, binary variable in your mind. If you are consuming content: are you trying to be entertained or are you trying to learn? And if you are creating content: are you trying to entertain or are you trying to teach? You'll go down a different path in each case. Attempts to seek the stuff in between actually clamp to zero.
So for those who actually want to learn. Unless you are trying to learn something narrow and specific, close those tabs with quick blog posts. Close those tabs of "Learn XYZ in 10 minutes". Consider the opportunity cost of snacking and seek the meal - the textbooks, docs, papers, manuals, longform. Allocate a 4 hour window. Don't just read, take notes, re-read, re-phrase, process, manipulate, learn.
And for those actually trying to educate, please consider writing/recording longform, designed for someone to get "sweaty", especially in today's era of quantity over quality. Give someone a real workout. This is what I aspire to in my own educational work too. My audience will decrease. The ones that remain might not even like it. But at least we'll learn something.
I thought a bit about this tweet people have been quoting. I don't think it's necessary to address the contents specifically but I want to share some learnings being in the industry for over a decade.
- There are always bad and good consulting companies. You don't have to settle with a place where you are treated poorly or where you can tell clients are not respected by how a company operates.
- Security is NOT easy work ok. I spent a few years in a buzzsaw, that was no walk in the park fr fr. The work was incredibly stressful and high-pressure. Also, some people just can't take that kind of pressure, I have seen a number burn out completely. The pressure btw is apart from the quality of the consultancy work itself.
- When you start out you will likely have to grind like a mf. That's just how it goes, if you survive or indeed thrive you can build out your skills and specialize to the point where people need you specifically for something. You can then develop a better balance as well.
- Remember always that you are a product for your employer. It's important, if arduous, to do some public work (blogs/talks/etc) for your public viz. Make opportunities for yourself and thank me later.
- There are many thing you just can't do as a junior. Forget about doing Adversary Simulation without experience and training. Anyone promising that is selling the client something else. Part of the problem in the US also is the lack of a regulatory framework like we have in the UK with CBEST/TIBER which lets people sort of scam clients and call everything red teaming.
No sympathy for the devil; keep that in mind. Buy the ticket, take the ride…and if it occasionally gets a little heavier than what you had in mind, well…maybe chalk it up to forced consciousness expansion: Tune in, freak out, get beaten.
We are thrilled to publish SOAPHound: a custom-developed data collector tool to enumerate Active Directory environments via the ADWS-protocol. Enjoy!
https://t.co/xO0Jv9ONNd
🚨 Stepping into the world of Generative AI has been an eye-opening experience for me as a security researcher! ⚔️ If you have been curious about these topics, then this blog post is for you!
I go all the way from the basics to running experiments with @ProjectJupyter notebooks and libraries like @langchain to show practical applications in security 🚀
I hope this helps you and inspires you to build your own tools! @OTR_Community 💜
https://t.co/ic7wJdBfIk
💻I've published a new blog post where I discuss practical use cases of LLM applied to threat intelligence. Check this out for a real talk about LLM usage for threat intelligence! 🤓 #infosecurity#threatintel#cybersecurity
https://t.co/1w9gMIiZWS
New blog: Obtaining Domain Admin from Azure AD by abusing Cloud Kerberos Trust
I teased this a bit during my Windows Hello talks, now found some time to write about this interesting technique. Also contains defenses and detection opportunities.
https://t.co/KSPVRm5iGo