Baller On A Budget: A series on cost-effective IT/infosec practices

I want to start a series of posts on how to do CND/DFIR/CTI on a budget.

I've spent the last decade of my life working in the IT world. I spent about half that time working as a part-time administrator/engineer in a small datacenter within a large corporation. I touched a lot of tech during that time frame and adopted a significant amount of it into my own homelab. But the last five years of my life have been devoted to CND/DFIR/CTI.

One of the things I've experienced working in this field has been the vast differences between the large and small companies in terms of capabilities. My current job involves sharing CTI with a wide variety of companies with a wide variety of maturity in terms of CND/DFIR/CTI capabilities. A common complaint I hear from the small-/medium-sized companies is that they could never keep up with the bigger companies because they lack resources. If you fall into this bucket, then this series is for you.

 A few problems I hope to solve on shoestring budgets:

  • Build a malware analysis lab (I've seen this done by a peer for roughly $600)
  • You have logs but nowhere to put them (This one requires some out-of-the-box thinking)
  • SSL makes it impossible to know what's happening on my network (Wrong!)

Comments

Post a Comment

Popular posts from this blog

Yara and Rich Headers are full of win

Rich Headers are awesome and you should read about them here: http://www.ntcore.com/files/richsign.htm I was looking at a sample recently and, being the good analyst I am, attempted to automate my DFIR processes using the tools I had handy. Step 1: Get the Rich Headers for the malicious binary. Let's use 9e6658fab423d9b3fabc3578ac5482bf4f21f6fb98949d8ef4f3cad349862b82, a known RAMNIT ransomware sample. $ laika.py 9e6658fab423d9b3fabc3578ac5482bf4f21f6fb98949d8ef4f3cad349862b82 | jq '.scan_result[].moduleMetadata | select(.META_PE) | .META_PE."Rich Header"' { "Checksum": 3183276661, "Hashes": { "SHA1": "dd0f0861bc67028b3cab0d6cdc55a29cc2822f64", "SHA256": "8fd544eee7389c64a29440555f5b968ae0632ed3b989a63402b6d43934a8973e", "MD5": "8451f317057b289c04b2c5b202c09715" }, "Rich Header Values": [ { "Count": 6, "Version":
Read more

"It's Not All Black And White" or "Why You Should Switch From Blacklisting To Whitelisting"

I think the title says a lot here: if you want to defend your information systems, you should switch from blacklisting to whitelisting. But what does that mean? Most people hear "whitelisting" in terms of CND and think "application whitelisting". But there's so many more places to do it! You already hopefully do outbound whitelisting on your firewall. You aren't really  allowing any system to talk out on TCP/3389, right? You do have a DEFAULT:DENY or DENY ANY,ANY down at the bottom of your firewall rules, right? But have you considered whitelisting outbound web traffic at your proxy as well? Most people think of their web proxy reputation lists as block lists, and for good reason: most of them are incomplete. But did you ever consider that maybe that incompleteness as a defensive measure? If you block unknown websites at your web proxy, you're going to block a huge amount of malicious websites. You're probably thinking to yourself but what abou
Read more

"WannaCry Is North Korea!" or "Rich Headers Win Again!"

http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/ https://twitter.com/neelmehta/status/864164081116225536 Samples from Unit42: a4b3404fffc581ab06d50f3f2243cb56 cab10f19ae0a6deeb7be7bd0b46a0f5f d511fa33bb3c9a238e4b4eae7bae6e84 WannaCry sample from Neel Mehta: 9c7c7149387a1c79679a87dd1ba755bc All 4 samples share significant overlap in their Rich Headers. In fact, the set of IDs and Value pairs in the Rich Headers from the 3 samples I listed above are fully contained within the set of ID and Value pairs in the Rich Headers of the WannaCry sample from Neel Mehta's Twitter post. The WannaCry sample contains several header pairs that are not present within the other samples - I do not know what tools they represent so I am unable to determine the significance of this particular data point. I don't know how significant this overlap is, but in my own repository that particular set of ID and Value pairs was unique to WannaCry and malware att
Read more