SANS ISC: Internet Storm Center


Detection Lab: Visibility & Introspection for Defenders

Published: 2017-12-14
Last Updated: 2017-12-15 05:00:21 UTC
by Russ McRee (Version: 1)
2 comment(s)

[Image: "So Much Win" meme. Caption: Me when I discovered @Centurion's Detection Lab.]

Chris Long, Detection & Incident Response Analyst at Palantir, released Detection Lab this past Monday. From his own Medium post, "Detection Lab is a collection of Packer and Vagrant scripts that allow you to quickly bring a Windows Active Directory online, complete with a collection of endpoint security tooling and logging best practices."
Detection Lab consists of four hosts:

  • DC: A Windows 2016 domain controller
  • WEF: A Windows 2016 server that manages Windows Event Collection
  • Win10: A Windows 10 host simulating a non-server endpoint
  • Logger: An Ubuntu 16.04 host that runs Splunk and a Fleet server

From the Detection Lab GitHub, "this lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts."

The feature list should close the deal for you:

  • Splunk forwarders are pre-installed and all indexes are pre-created. Technology add-ons for Windows are also preconfigured.
  • A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
  • Palantir's Windows Event Forwarding subscriptions and custom channels are implemented
  • PowerShell transcript logging is enabled. All logs are saved to \\wef\pslogs
  • osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir's osquery Configuration
  • Sysmon is installed and configured using SwiftOnSecurity’s open-sourced configuration
  • All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
  • SMBv1 Auditing is enabled
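The features above are only useful if they actually took effect on the provisioned hosts. The following read-only PowerShell script is an added example, not part of Detection Lab or of this diary: run as an administrator on one of the lab's Windows hosts, it checks the settings that back each feature (command line process auditing, PowerShell transcription to \\wef\pslogs, the WEF subscription manager, the Sysmon, osquery and Splunk forwarder services, and SMBv1 auditing) and reports which are missing. The registry paths and cmdlets are the standard Windows ones; the service names `Sysmon*`, `osqueryd` and `SplunkForwarder` and the `\\wef\pslogs` path are assumptions taken from the feature list, so adjust them if your build differs.

```powershell
# Added example (not Detection Lab's own code): verify that the lab's logging
# configuration is in place on this Windows host. Read-only; run elevated.

function Test-RegistryValue {
    # Returns $true when the named value exists under $Path and equals $Expected.
    param([string]$Path, [string]$Name, $Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return [bool]($item.$Name -eq $Expected)
}

function Test-ServiceRunning {
    # Returns $true when at least one service matching $Name is running.
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue |
           Where-Object { $_.Status -eq 'Running' }
    return [bool]$svc
}

$checks = @()

# 1. Command line process auditing: Event ID 4688 carries the command line only
#    when this policy value is 1 (the lab sets it through its auditing GPO).
$checks += [pscustomobject]@{
    Check  = 'Process creation events include command line'
    Passed = Test-RegistryValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
                                'ProcessCreationIncludeCmdLine_Enabled' 1
}

# 2. The Process Creation audit subcategory itself must log Success events
#    (auditpol output is language dependent; this assumes English).
$auditpol = auditpol /get /subcategory:"Process Creation" 2>$null
$checks += [pscustomobject]@{
    Check  = 'Audit Process Creation subcategory enabled'
    Passed = [bool]($auditpol -match 'Success')
}

# 3. PowerShell transcription enabled and pointed at the WEF share (assumed \\wef\pslogs).
$tsPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
$tsDir  = (Get-ItemProperty -Path $tsPath -Name OutputDirectory -ErrorAction SilentlyContinue).OutputDirectory
$checks += [pscustomobject]@{
    Check  = 'PowerShell transcription enabled and written to \\wef\pslogs'
    Passed = (Test-RegistryValue $tsPath 'EnableTranscripting' 1) -and ($tsDir -like '\\wef\pslogs*')
}

# 4. Windows Event Forwarding: a SubscriptionManager entry naming the collector.
$wefPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$wefEntries = Get-ItemProperty -Path $wefPath -ErrorAction SilentlyContinue
$checks += [pscustomobject]@{
    Check  = 'WEF subscription manager configured'
    Passed = [bool]($wefEntries -and ($wefEntries.PSObject.Properties.Value -match 'Server=http'))
}

# 5. Agents that feed the pipeline (service names are assumptions, see lead-in).
$checks += [pscustomobject]@{ Check = 'Sysmon service running';            Passed = Test-ServiceRunning 'Sysmon*' }
$checks += [pscustomobject]@{ Check = 'osqueryd service running';          Passed = Test-ServiceRunning 'osqueryd' }
$checks += [pscustomobject]@{ Check = 'Splunk forwarder service running';  Passed = Test-ServiceRunning 'SplunkForwarder' }

# 6. SMBv1 auditing on the server side, so legacy clients show up in the event log
#    before the protocol is disabled.
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
$checks += [pscustomobject]@{
    Check  = 'SMBv1 access auditing enabled'
    Passed = [bool]($smb -and $smb.AuditSmb1Access)
}

$checks | Format-Table -AutoSize
$failed = @($checks | Where-Object { -not $_.Passed }).Count
Write-Host "$failed of $($checks.Count) logging checks failed"
if ($failed -gt 0) { exit 1 }
```

A non-zero exit code makes the script usable as a post-provisioning gate (for example from a Vagrant provisioner) so that a host whose GPO has not yet applied, or whose agent failed to install, is caught before anyone relies on its telemetry.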

Chris really wanted defenders to "have a quick and easy way to bring up a lab environment, complete with tooling and pre-configured logging." Detection Lab represents many weekends' worth of his work over many months, and for that, we salute him. Well done, Chris!

Russ McRee | @holisticinfosec

Security Planner: Improve your online safety

Published: 2017-12-14
Last Updated: 2017-12-14 05:01:09 UTC
by Russ McRee (Version: 1)
0 comment(s)

Just in time for holiday visits with your families and friends, you will soon face the inevitable questions, particularly if you're a security practitioner of any sort. "There are always questions about whether the devices and services we use respect our privacy, and if they adequately safeguard our information. Has a good balance been struck? Many of us are not sure. It is easy to feel overwhelmed by the challenge of how to be safer online." Search for "how to be safe online" and you will certainly receive inconsistent results. Who hasn't had Mom or Dad, or your friends for that matter, ask for your help to be more secure? To help rectify such situations, the Citizen Lab just released Security Planner.

All you need to do is answer a few simple questions to receive personalized online safety recommendations. The app requires no personal information or access to any of your online accounts; it is confidential and can immediately help improve your online safety, with advice from experts. This is definitely something you can sit your parents down in front of, knowing that if they apply the recommendations provided after answering some very straightforward questions, they'll benefit from an improved online security posture.

"Security Planner recommendations are research-based best practices, kept up-to-date by a community of experts in digital security. Quality is maintained through a careful peer-review process: a committee of recognized experts regularly reviews and updates the survey questions and recommendations based on the latest research."

You can read the detailed philosophy behind Security Planner here.

For you, your friends, your family, the road to improved privacy, security, and safety online starts here: https://securityplanner.org

Russ McRee | @holisticinfosec
