Mandiant Global Median Dwell Time Deteriorates from 11 to 14 Days
Oh snap. My single most important cybersecurity metric deteriorated again. In the M-Trends report for calendar year 2024, Mandiant’s global median dwell time metric worsened from 10 to 11 days. In the newest report, released today, for calendar year 2025, that metric worsened again, from 11 to 14...
Happy 23rd Birthday TaoSecurity Blog
Happy birthday TaoSecurity Blog, born on this day in 2003! The best way to digest the key lessons from this site is to browse my four volume Best of TaoSecurity Blog book series, published in 2020. It's available in print as seen here, or as a properly formatted HTML-based digital book -- none of...
We have achieved FreeBSD 15.0-REL with KDE Plasma
Houston, we have installed FreeBSD 15.0-REL with KDE Plasma 6.4.5 on a Lenovo ThinkPad X1 Carbon Gen 6 laptop. I have come full circle. I used to daily drive FreeBSD 5.x on a Thinkpad a20p in the early 2000s. Today I used the "technology preview" method for pkg installation, too. I posted this fr...
I'm Hosting a New Podcast
I'm hosting a new podcast for Corelight. Check out my first episode with our field CTO, Vince Stoffer. Expect new episodes every two weeks. This is no buddy cop discussion -- max content, minimum banter, in about 15 minutes! https://open.spotify.com/episode/0SD2gUvIuB65YFmjjtXfTR...
Creating a Linux Application Using VSCodium, Cline, OpenRouter, and Claude
In March I created a Windows Application Using Visual Studio Code, Cline, OpenRouter, and Claude. This was a program that created square screen captures. The user doesn't need to manually ensure the dimensions are a square. The program makes the window grow and shrink while keeping the length equ...
Company Wrecked by Ransomware Only Spent 120,000 Pounds Per Year on Cyber Security
Do you remember the story of the UK-based logistics company that closed due to ransomware and laid off 730 workers? Today in an article about a warning to UK businesses about cyber incidents, their “director” said they “were throwing £120,000 a year at cyber-security with insurance and systems an...
Stop Shoddy Academic "Research"
When someone cites one of my works, I get a notice from Research Gate. Today I got one, from an article from the "IEEE Open Journal of the Communications Society." It cited my first book, which is 21 years old. The PDF was available. I noticed the article referenced Prelude, a project I talked...
Creating a Large Text File Viewer by Vibe Coding with Visual Studio Code, Cline, OpenRouter, and Claude 3.7
I just created another Windows 10/11 application using AI. This is a follow-up to the SquareCap program I posted about a few weeks ago. The problem I was trying to solve this time was opening and searching extremely large text files. I used to use the old Mandiant Highlighter program for this, bu...
Creating a Windows Application Using Visual Studio Code, Cline, OpenRouter, and Claude
I just created a Windows 10/11 application that takes square screen captures. I did zero coding myself but used Visual Studio Code, Cline, OpenRouter, and Claude. I got the idea by watching a video on so-called Vibe programming by a YouTuber named Memory. I have zero Windows programming experienc...
Happy 22nd Birthday TaoSecurity Blog
Happy birthday TaoSecurity Blog, born on this day in 2003! The best way to digest the key lessons from this site is to browse my four volume Best of TaoSecurity Blog book series, published in 2020. It's available in print as seen here, or as a properly formatted HTML-based digital book -- none of...
What Are Normal Users Supposed to Do with IDS Alerts from Network Gear?
Probably once a week, I see posts like this in the r/Ubiquiti subreddit. Ubiquiti makes network gear that includes an "IDS/IPS" feature. I own some older Ubiquiti gear so I am familiar with the product. When you enable this feature, you get alerts like this one, posted by a Redditor: This is...
My First Book Is 20 Years Old Today
On this day in 2004, Addison-Wesley/Pearson published my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection. This post from 2017 explains the differences between my first four books and why I wrote Tao. Today, I'm always thrilled when I hear that someone found my books...
Retrieving Deleted Files on the Commodore C64 in 1987
When I was a sophomore in high school, from 1987 to 1988, my friend Paul and I had Commodore C64 computers. There was a new graphical user interface called GEOS that had transformed the way we interacted with our computers. We used the C64 to play games but also write papers for school. One day...
My Last Email with W. Richard Stevens
In the fall of 1998 I joined the AFCERT. I became acquainted with the amazing book TCP/IP Illustrated, Volume 1: The Protocols by W. Richard Stevens. About a year later I exchanged emails with Mr. Stevens. Here is the last exchange, as forwarded from my AFCERT email address to my home email. From...
Bejtlich Skills and Interest Radar from July 2005
This is unusual. I found this "skills and interest radar" diagram I created in July 2005. It looks like my attempt to capture and prioritize technical interests. At the time I was about to start consulting on my own, IIRC. Copyright 2003-2020 Richard Bejtlich and TaoSecurity...
Key Network Questions
I wrote this on 7 December 2018 but never published it until today. The following are the "key network questions" which "would answer many key questions about a network, without having to access a third party log repository. This data is derived from mining Zeek log data as it is created, rather...
Cybersecurity Is a Social, Policy, and Wicked Problem
Cybersecurity is a social and policy problem, not a scientific or technical problem. Cybersecurity is also a wicked problem. In a landmark 1973 article, Dilemmas in a General Theory of Planning, urban planners Horst W. J. Rittel and Melvin M. Webber described wicked problems in these terms: “The...
Core Writing Word and Page Counts
I want to make a note of the numbers of words and pages in my core security writings. The Tao of Network Security Monitoring / 236k words / 833 pages Extrusion Detection / 113k words / 417 pages The Practice of Network Security Monitoring / 97k words / 380 pages The Best of TaoSecurity Blog, Vol ...
Happy 20th Birthday TaoSecurity Blog
Happy 20th birthday TaoSecurity Blog, born on 8 January 2003. Thank you, Blogger. Blogger, now part of Google, has continuously hosted this blog for 20 years, for free. I'd like to thank Blogger and Google for providing this platform for two decades. It's tough to find extant self-hosted security...
Best of TaoSecurity Blog Kindle Edition Sale
I'm running a #BlackFriday #CyberMonday sale on my four newest Kindle format books. Volumes 1-4 of The Best of TaoSecurity Blog will be half off starting 9 pm PT Tuesday 22 Nov and ending 9 pm PT Tuesday 29 Nov. They are here. There also appears to be a daily deal right now for the paperback of Volu...
TaoSecurity on Mastodon
I am now using Mastodon as a replacement for the blue bird. This is my attempt to verify myself via my blog. I am no longer posting to my old bird account...
The Humble Hub
Over the weekend I organized some old computing equipment. I found this beauty in one of my boxes. It's a Netgear EN104TP hub. I've mentioned this device before, in this blog and my books. This sort of device was the last of the true hubs. In an age where cables seem reserved for data centers or...
Zeek in Action Videos
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project. Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like...
New Book! The Best of TaoSecurity Blog, Volume 4
I've completed the TaoSecurity Blog book series. The new book is The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship. It's available now for Kindle, and I'm working on the print edition. I'm running a 50% off promo on Volumes 1-3 on Kindle through...
The Origins of the Names TaoSecurity and the Unit Formerly Known as TAO
What are the origins of the names TaoSecurity and the unit formerly known as TAO? Introduction I've been reading Nicole Perlroth's new book This Is How They Tell Me the World Ends. Her discussion of the group formerly known as Tailored Access Operations, or TAO, reminded me of a controversy that...
Digital Offense Capabilities Are Currently Net Negative for the Security Ecosystem
Proposition: Digital offense capabilities are currently net negative for the security ecosystem. The costs of improved digital offense currently outweigh the benefits. The legitimate benefits of digital offense accrue primarily to the security one percent (#securityonepercent), and to intelligence,...
New Book! The Best of TaoSecurity Blog, Volume 3
Introduction I published a new book! The Best of TaoSecurity Blog, Volume 3: Current Events, Law, Wise People, History, and Appendices is the third title in the TaoSecurity Blog series. It's in the Kindle Store, and if you have an Unlimited account, it's free. I also published a print edition,...
Security and the One Percent: A Thought Exercise in Estimation and Consequences
There's a good chance that if you're reading this post, you're the member of an exclusive club. I call it the security one percent, or the security 1%, or #securityonepercent on Twitter. This is shorthand for the assortment of people and organizations who have the personnel, processes, technology,...
MITRE ATT&CK Tactics Are Not Tactics
Just what are "tactics"? Introduction MITRE ATT&CK is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from Marc...
Greg Rattray Invented the Term Advanced Persistent Threat
I was so pleased to read this Tweet yesterday from Greg Rattray: "Back in 2007, I coined the term “Advanced Persistent Threat” to characterize emerging adversaries that we needed to work with the defense industrial base to deal with... Since then both the APT term and the nature of our adversarie...
The FBI Intrusion Notification Program
The FBI intrusion notification program is one of the most important developments in cyber security during the last 15 years. This program achieved mainstream recognition on 24 March 2014 when Ellen Nakashima reported on it for the Washington Post in her story U.S. notified 3,000 companies in 2013...
New Book! The Best of TaoSecurity Blog, Volume 2
I published a new book! The Best of TaoSecurity Blog, Volume 2: Network Security Monitoring, Technical Notes, Research, and China and the Advanced Persistent Threat. It's in the Kindle Store, and if you're Unlimited it's free. Print edition to follow. The book lists as having 413 pages for the...
One Weird Trick for Reviewing Zeek Logs on the Command Line!
Are you a network security monitoring dinosaur like me? Do you prefer to inspect your Zeek logs using the command line instead of a Web-based SIEM? If yes, try this one weird trick! I store my Zeek logs in JSON format. Sometimes I like to view the output using jq. If I need to search directories ...
I Did Not Write This Book
Fake Book. Someone published a "book" on Amazon and claimed that I wrote it! I had NOTHING to do with this. I am working with Amazon now to remove it, or at least remove my name. Stay away from this garbage! Update: Thankfully, within a day or so of this post, the true author of this work...
New Book! The Best of TaoSecurity Blog, Volume 1
I'm very pleased to announce that I've published a new book! It's The Best of TaoSecurity Blog, Volume 1: Milestones, Philosophy and Strategy, Risk, and Advice. It's available now in the Kindle Store, and if you're a member of Kindle Unlimited, it's currently free. I may also publish a print...
If You Can't Patch Your Email Server, You Should Not Be Running It
CVE-2020-0688 Scan Results, per Rapid7. tl;dr -- it's the title of the post: "If You Can't Patch Your Email Server, You Should Not Be Running It." I read a disturbing story today with the following news: "Starting March 24, Rapid7 used its Project Sonar internet-wide survey tool to discover al...
Seeing Book Shelves on Virtual Calls
I have a confession... for me, the best part of virtual calls, or seeing any reporter or commentator working for home, is being able to check out their book shelves. I never use computer video, because I want to preserve the world's bandwidth. That means I don't share what my book shelves look li...
Skill Levels in Digital Security
Two posts in one day? These are certainly unusual times. I was thinking about words to describe different skill levels in digital security. Rather than invent something, I decided to review terms that have established meaning. Thanks to Google Books I found this article in a 1922 edition of the...
When You Should Blog and When You Should Tweet
I saw my like-minded, friend-that-I've-never-met Andrew Thompson Tweet a poll, posted above. I was about to reply with the following Tweet: "If I'm struggling to figure out how to capture a thought in just 1 Tweet, that's a sign that a blog post might be appropriate. I only use a thread, and no...
COVID-19 Phishing Tests: WRONG
Malware Jake Tweeted a poll last night which asked the following: "I have an interesting ethical quandary. Is it ethically okay to use COVID-19 themed phishing emails for assessments and user awareness training right now? Please read the thread before responding and RT for visibility. 1/"...
Seven Security Strategies, Summarized
This is the sort of story that starts as a comment on Twitter, then becomes a blog post when I realize I can't fit all the ideas into one or two Tweets. You know how much I hate Tweet threads, and how I encourage everyone to capture deep thoughts in blog posts! In the interest of capturing the...
Five Thoughts on the Internet Freedom League
In the September/October issue of Foreign Affairs magazine, Richard Clarke and Rob Knake published an article titled "The Internet Freedom League: How to Push Back Against the Authoritarian Assault on the Web," based on their recent book The Fifth Domain. The article proposes the following: The...
Happy Birthday TaoSecurity.com
Nineteen years ago this week I registered the domain taosecurity.com: Creation Date: 2000-07-04T02:20:16Z This was 2 1/2 years before I started blogging, so I don't have much information from that era. I did create the first taosecurity.com Web site shortly thereafter. I first started hosting it ...
Reference: TaoSecurity Research
I started publishing my thoughts and findings on digital security in 1999. I used to provide this information on my Web site, but since I don't keep that page up-to-date anymore, I decided to publish it here. 2015 and later: Please visit Academia.edu for Mr. Bejtlich's most recent research. 2014...
Reference: TaoSecurity News
I started speaking publicly about digital security in 2000. I used to provide this information on my Web site, but since I don't keep that page up-to-date anymore, I decided to publish it here. 2017 Mr. Bejtlich led a podcast titled Threat Hunting: Past, Present, and Future, in early July 2017. H...
Reference: TaoSecurity Press
I started appearing in media reports in 2000. I used to provide this information on my Web site, but since I don't keep that page up-to-date anymore, I decided to publish it here. As of 2017, Mr. Bejtlich generally declines press inquiries on cybersecurity matters, including those on background...
Know Your Limitations
At the end of the 1973 Clint Eastwood movie Magnum Force, after Dirty Harry watches his corrupt police captain explode in a car, he says "a man's got to know his limitations." I thought of this quote today as the debate rages about compromising municipalities and other information...
Dissecting Weird Packets
I was investigating traffic in my home lab yesterday, and noticed that about 1% of the traffic was weird. Before I describe the weird, let me show you a normal frame for comparison's sake. This is a normal frame with Ethernet II encapsulation. It begins with 6 bytes of the destination MAC address...
Troubleshooting NSM Virtualization Problems with Linux and VirtualBox
I spent a chunk of the day troubleshooting a network security monitoring (NSM) problem. I thought I would share the problem and my investigation in the hopes that it might help others. The specifics are probably less important than the general approach. It began with ja3. You may know ja3 as a set ...
Thoughts on OSSEC Con 2019
Last week I attended my first OSSEC conference. I first blogged about OSSEC in 2007, and wrote other posts about it in the following years. OSSEC is a host-based intrusion detection and log analysis system with correlation and active response features. It is cross-platform, such that I can run it...