Lucene search: Taosecurity, sorted by most viewed

107 matches found

Richard Bejtlich's blog
added 2020/04/07 3:28 p.m., 2263 views

If You Can't Patch Your Email Server, You Should Not Be Running It

--- CVE-2020-0688 Scan Results, per Rapid7 tl;dr -- it's the title of the post: "If You Can't Patch Your Email Server, You Should Not Be Running It." I read a disturbing story today with the following news: "Starting March 24, Rapid7 used its Project Sonar internet-wide survey tool to discover al...

CVSS: 8.8, AI score: 8.8, EPSS: 0.94381
Exploits: 30
Richard Bejtlich's blog
added 2019/02/11 3:07 a.m., 246 views

Ntopng on Security Onion

so16@so16:$ mkdir git so16@so16:$ cd git so16@so16:/git$ ls so16@so16:/git$ wget --no-check-certificate https://github.com/branchnetconsulting/so-ntopng-installer/raw/master/installntopngonso16 --2019-02-11 02:48:02--...

AI score: 0.9
Exploits: 0
Richard Bejtlich's blog
added 2018/01/22 2:28 p.m., 219 views

Lies and More Lies

Following the release of the Spectre and Meltdown CPU attacks, the security community wondered if other researchers would find related speculative attack problems. When the following appeared, we were concerned: "Skyfall and Solace More vulnerabilities in modern computers. Following the recent...

CVSS: 6.8, AI score: 6.7, EPSS: 0.9427
Exploits: 10
Richard Bejtlich's blog
added 2019/02/09 2:30 p.m., 156 views

Forcing the Adversary to Pursue Insider Theft

Jack Crook pointed me toward a story by Christopher Burgess about intellectual property theft by "Hongjin Tan, a 35 year old Chinese national and U.S. legal permanent resident... who was arrested on December 20 and charged with theft of trade secrets. Tan is alleged to have stolen the trade secre...

AI score: 0.3
Exploits: 0
Richard Bejtlich's blog
added 2018/02/26 5:02 p.m., 154 views

Importing Pcap into Security Onion

Within the last week, Doug Burks of Security Onion SO added a new script that revolutionizes the use case for his amazing open source network security monitoring platform. I have always used SO in a live production mode, meaning I deploy a SO sensor sniffing a live network interface. As the...

AI score: 6.4
Exploits: 0
Richard Bejtlich's blog
added 2019/05/09 2:30 p.m., 148 views

Dissecting Weird Packets

I was investigating traffic in my home lab yesterday, and noticed that about 1% of the traffic was weird. Before I describe the weird, let me show you a normal frame for comparison's sake. This is a normal frame with Ethernet II encapsulation. It begins with 6 bytes of the destination MAC address...

AI score: 7.1
Exploits: 0
Richard Bejtlich's blog
added 2019/09/13 3:00 p.m., 147 views

Five Thoughts on the Internet Freedom League

In the September/October issue of Foreign Affairs magazine, Richard Clarke and Rob Knake published an article titled "The Internet Freedom League: How to Push Back Against the Authoritarian Assault on the Web," based on their recent book The Fifth Domain. The article proposes the following: The...

Exploits: 0
Richard Bejtlich's blog
added 2018/12/21 9:30 p.m., 145 views

Managing Burnout

This is not strictly an information security post, but the topic likely affects a decent proportion of my readership. Within the last few years I experienced a profound professional "burnout." I've privately mentioned this to colleagues in the industry, and heard similar stories or requests for...

AI score: 6.5
Exploits: 0
Richard Bejtlich's blog
added 2018/11/24 8:12 p.m., 138 views

Even More on Threat Hunting

In response to my post More on Threat Hunting, Rob Lee asked: Do you consider detection through ID’ing/“matching” TTPs not hunting? To answer this question, we must begin by clarifying "TTPs." Most readers know TTPs to mean tactics, techniques and procedures, defined by David Bianco in his Pyrami...

AI score: 7.2
Exploits: 0
Richard Bejtlich's blog
added 2018/12/18 4:16 p.m., 114 views

The Origin of the Quote "There Are Two Types of Companies"

While listening to a webcast this morning, I heard the speaker mention There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked. He credited Cisco CEO John Chambers but didn't provide any source. That didn't sound right to me. I could think ...

AI score: 6.6
Exploits: 0
Richard Bejtlich's blog
added 2019/01/29 8:30 p.m., 113 views

Fixing Virtualbox RDP Server with DetectionLab

Yesterday I posted about DetectionLab, but noted that I was having trouble with the RDP servers offered by Virtualbox. If you remember, DetectionLab builds four virtual machines: root@LAPTOP-HT4TGVCP C:\Users\root"c:\Program Files\Oracle\VirtualBox\VBoxManage" list runningvms "logger"...

AI score: 7.1
Exploits: 0
Richard Bejtlich's blog
added 2019/01/28 9:00 p.m., 107 views

Trying DetectionLab

Many security professionals run personal labs. Trying to create an environment that includes fairly modern Windows systems can be a challenge. In the age of "infrastructure as code," there should be a simpler way to deploy systems in a repeatable, virtualized way -- right? Enter DetectionLab, a...

AI score: 7.7
Exploits: 0
Richard Bejtlich's blog
added 2018/11/02 1:20 p.m., 93 views

Cybersecurity and Class M Planets

I was considering another debate about appropriate cybersecurity measures and I had the following thought: not all networks are the same. Profound, right? This is so obvious, yet so obviously forgotten. Too often when confronting a proposed defensive measure, an audience approaches the concept fr...

AI score: 0.2
Exploits: 0
Richard Bejtlich's blog
added 2018/05/07 4:29 p.m., 93 views

Trying Splunk Cloud

I first used Splunk over ten years ago, but the first time I blogged about it was in 2008. I described how to install Splunk on Ubuntu 8.04. Today I decided to try the Splunk Cloud. Splunk Cloud is the company's hosted Splunk offering, residing in Amazon Web Services AWS. You can register for a 1...

AI score: 0.5
Exploits: 0
Richard Bejtlich's blog
added 2018/11/23 5:36 p.m., 83 views

More on Threat Hunting

Earlier this week hellor00t asked via Twitter: Where would you place your security researchers/hunt team? I replied: For me, "hunt" is just a form of detection. I don't see the need to build a "hunt" team. IR teams detect intruders using two major modes: matching and hunting. Junior people spend...

AI score: 6.9
Exploits: 0
Richard Bejtlich's blog
added 2017/10/21 7:43 p.m., 77 views

How to Minimize Leaking

I am hopeful that President Trump will not block release of the remaining classified documents addressing the 1963 assassination of President John F. Kennedy. I grew up a Roman Catholic in Massachusetts, so President Kennedy always fascinated me. The 1991 Oliver Stone movie JFK fueled several yea...

AI score: 6.8
Exploits: 0
Richard Bejtlich's blog
added 2019/01/08 2:03 p.m., 74 views

Happy 16th Birthday TaoSecurity Blog

Today, 8 January 2019, is TaoSecurity Blog's 16th birthday! This is also my 3,041st blog post. I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone. Here are a few statistics on the blog. Blogger started providing statistics in May 2010, so these...

AI score: 7.2
Exploits: 0
Richard Bejtlich's blog
added 2019/05/29 1:55 p.m., 72 views

Know Your Limitations

At the end of the 1973 Clint Eastwood movie Magnum Force, after Dirty Harry watches his corrupt police captain explode in a car, he says "a man's got to know his limitations." I thought of this quote today as the debate rages about compromising municipalities and other information...

AI score: 0.1
Exploits: 0
Richard Bejtlich's blog
added 2019/11/06 9:10 p.m., 70 views

Seven Security Strategies, Summarized

This is the sort of story that starts as a comment on Twitter, then becomes a blog post when I realize I can't fit all the ideas into one or two Tweets. You know how much I hate Tweet threads, and how I encourage everyone to capture deep thoughts in blog posts! In the interest of capturing the...

AI score: 0.2
Exploits: 0
Richard Bejtlich's blog
added 2018/11/25 8:48 p.m., 70 views

The Origin of the Term Indicators of Compromise (IOCs)

I am an historian. I practice digital security, but I earned a bachelor of science degree in history from the United States Air Force Academy.[1] Historians create products by analyzing artifacts, among which the most significant is the written word. In my last post, I talked about IOCs, or...

AI score: 6.7
Exploits: 0
Richard Bejtlich's blog
added 2018/10/05 10:00 p.m., 70 views

Network Security Monitoring vs Supply Chain Backdoors

On October 4, 2018, Bloomberg published a story titled “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies,” with a subtitle “The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according t...

AI score: 0.1
Exploits: 0
Richard Bejtlich's blog
added 2018/12/31 10:45 p.m., 69 views

Notes on Self-Publishing a Book

In this post I would like to share a few thoughts on self-publishing a book, in case anyone is considering that option. As I mentioned in my post on burnout, one of my goals was to publish a book on a subject other than cyber security. A friend from my Krav Maga school, Anna Wonsley, learned that...

AI score: 6.7
Exploits: 0
Richard Bejtlich's blog
added 2018/06/25 7:03 p.m., 67 views

Bejtlich on the APT1 Report: No Hack Back

Before reading the rest of this post, I suggest reading Mandiant/FireEye's statement Doing Our Part -- Without Hacking Back. I would like to add my own color to this situation. First, at no time when I worked for Mandiant or FireEye, or afterwards, was there ever a notion that we would hack into...

AI score: 0.4
Exploits: 0
Richard Bejtlich's blog
added 2018/10/25 2:31 p.m., 66 views

Have Network, Need Network Security Monitoring

I have been associated with network security monitoring my entire cybersecurity career, so I am obviously biased towards network-centric security strategies and technologies. I also work for a network security monitoring company Corelight, but I am not writing this post in any corporate capacity...

AI score: 0.1
Exploits: 0
Richard Bejtlich's blog
added 2020/03/27 3:15 p.m., 65 views

Skill Levels in Digital Security

Two posts in one day? These are certainly unusual times. I was thinking about words to describe different skill levels in digital security. Rather than invent something, I decided to review terms that have established meaning. Thanks to Google Books I found this article in a 1922 edition of the...

AI score: 7.1
Exploits: 0
Richard Bejtlich's blog
added 2020/10/10 3:30 p.m., 64 views

Greg Rattray Invented the Term Advanced Persistent Threat

I was so pleased to read this Tweet yesterday from Greg Rattray: "Back in 2007, I coined the term “Advanced Persistent Threat” to characterize emerging adversaries that we needed to work with the defense industrial base to deal with... Since then both the APT term and the nature of our adversarie...

AI score: 6.8
Exploits: 0
Richard Bejtlich's blog
added 2019/03/28 8:40 p.m., 63 views

Thoughts on OSSEC Con 2019

Last week I attended my first OSSEC conference. I first blogged about OSSEC in 2007, and wrote other posts about it in the following years. OSSEC is a host-based intrusion detection and log analysis system with correlation and active response features. It is cross-platform, such that I can run it...

AI score: 7.1
Exploits: 0
Richard Bejtlich's blog
added 2021/07/29 6:34 p.m., 62 views

Zeek in Action Videos

This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project. Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like...

AI score: 7.3
Exploits: 0
Richard Bejtlich's blog
added 2019/07/01 12:00 p.m., 57 views

Reference: TaoSecurity News

I started speaking publicly about digital security in 2000. I used to provide this information on my Web site, but since I don't keep that page up-to-date anymore, I decided to publish it here. 2017 Mr. Bejtlich led a podcast titled Threat Hunting: Past, Present, and Future, in early July 2017. H...

Exploits: 0
Richard Bejtlich's blog
added 2019/07/01 12:00 p.m., 54 views

Reference: TaoSecurity Press

I started appearing in media reports in 2000. I used to provide this information on my Web site, but since I don't keep that page up-to-date anymore, I decided to publish it here. As of 2017, Mr. Bejtlich generally declines press inquiries on cybersecurity matters, including those on background...

AI score: 7
Exploits: 0
Richard Bejtlich's blog
added 2019/03/13 8:15 p.m., 54 views

Thoughts on Cloud Security

Recently I've been reading about cloud security and security with respect to DevOps. I'll say more about the excellent book I'm reading, but I had a moment of déjà vu during one section. The book described how cloud security is a big change from enterprise security because it relies less on...

AI score: 7.8
Exploits: 0
Richard Bejtlich's blog
added 2018/09/11 4:07 p.m., 54 views

Twenty Years of Network Security Monitoring: From the AFCERT to Corelight

I am really fired up to join Corelight. I’ve had to keep my involvement with the team a secret since officially starting on July 20th. Why was I so excited about this company? Let me step backwards to help explain my present situation, and forecast the future. Twenty years ago this month I joined...

AI score: 7
Exploits: 0
Richard Bejtlich's blog
added 2021/04/01 6:00 p.m., 49 views

The Origins of the Names TaoSecurity and the Unit Formerly Known as TAO

What are the origins of the names TaoSecurity and the unit formerly known as TAO? Introduction I've been reading Nicole Perlroth's new book This Is How They Tell Me the World Ends. Her discussion of the group formerly known as Tailored Access Operations, or TAO, reminded me of a controversy that...

AI score: 6.8
Exploits: 0
Richard Bejtlich's blog
added 2021/02/18 3:30 p.m., 46 views

Digital Offense Capabilities Are Currently Net Negative for the Security Ecosystem

Proposition: Digital offense capabilities are currently net negative for the security ecosystem.[0] The costs of improved digital offense currently outweigh the benefits. The legitimate benefits of digital offense accrue primarily to the security one percent (securityonepercent), and to intelligence,...

AI score: 7.2
Exploits: 0
Richard Bejtlich's blog
added 2020/10/23 2:00 p.m., 46 views

MITRE ATT&CK Tactics Are Not Tactics

Just what are "tactics"? Introduction MITRE ATT&CK is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from Marc...

AI score: 7.2
Exploits: 0
Richard Bejtlich's blog
added 2018/01/14 6:54 p.m., 45 views

Remembering When APT Became Public

Last week I Tweeted the following on the 8th anniversary of Google's blog post about its compromise by Chinese threat actors: This intrusion made the term APT mainstream. I was the first to associate it with Aurora, in this post https://taosecurity.blogspot.com/2010/01/google-v-china.html My firs...

AI score: 6.9
Exploits: 0
Richard Bejtlich's blog
added 2018/06/28 2:08 p.m., 43 views

Why Do SOCs Look Like This?

When you hear the word "SOC," or the phrase "security operations center," what image comes to mind? Do you think of analysts sitting at desks, all facing forward, towards giant screens? Why is this? The following image is from the outstanding movie Apollo 13, a docudrama about the challenged 1970...

AI score: 0.4
Exploits: 0
Richard Bejtlich's blog
added 2018/05/15 6:20 p.m., 40 views

Bejtlich Joining Splunk

Since posting Bejtlich Moves On I've been rebalancing work, family, and personal life. I invested in my martial arts interests, helped more with home duties, and consulted through TaoSecurity. Today I'm pleased to announce that, effective Monday May 21st 2018, I'm joining the Splunk team. I will ...

AI score: 7
Exploits: 0
Richard Bejtlich's blog
added 2020/03/27 12:54 p.m., 39 views

When You Should Blog and When You Should Tweet

I saw my like-minded, friend-that-I've-never-met Andrew Thompson Tweet a poll, posted above. I was about to reply with the following Tweet: "If I'm struggling to figure out how to capture a thought in just 1 Tweet, that's a sign that a blog post might be appropriate. I only use a thread, and no...

AI score: 7.1
Exploits: 0
Richard Bejtlich's blog
added 2020/10/31 8:11 p.m., 38 views

Security and the One Percent: A Thought Exercise in Estimation and Consequences

There's a good chance that if you're reading this post, you're the member of an exclusive club. I call it the security one percent, or the security 1% or securityonepercent on Twitter. This is shorthand for the assortment of people and organizations who have the personnel, processes, technology,...

AI score: 7
Exploits: 0
Richard Bejtlich's blog
added 2018/09/18 1:48 p.m., 37 views

Firewalls and the Need for Speed

I was looking for resources on campus network design and found these slides pdf from a 2011 Network Startup Resource Center presentation. These two caught my attention: This bothered me, so I Tweeted about it. This started some discussion, and prompted me to see what NSRC suggests for architectur...

AI score: 0.1
Exploits: 0
Richard Bejtlich's blog
added 2019/07/01 2:00 p.m., 36 views

Happy Birthday TaoSecurity.com

Nineteen years ago this week I registered the domain taosecurity.com: Creation Date: 2000-07-04T02:20:16Z This was 2 1/2 years before I started blogging, so I don't have much information from that era. I did create the first taosecurity.com Web site shortly thereafter. I first started hosting it ...

AI score: 6.7
Exploits: 0
Richard Bejtlich's blog
added 2018/01/16 5:27 p.m., 36 views

Addressing Innumeracy in Reporting

Anyone involved in cybersecurity reporting needs a strong sense of numeracy, or mathematical literacy. I see two sorts of examples of innumeracy repeatedly in the media. The first involves the time value of money. Recently CNN claimed Amazon CEO Jeff Bezos was the "richest person in history" and...

AI score: 6.8
Exploits: 0
Richard Bejtlich's blog
added 2020/08/19 3:17 p.m., 35 views

One Weird Trick for Reviewing Zeek Logs on the Command Line!

Are you a network security monitoring dinosaur like me? Do you prefer to inspect your Zeek logs using the command line instead of a Web-based SIEM? If yes, try this one weird trick! I store my Zeek logs in JSON format. Sometimes I like to view the output using jq. If I need to search directories ...

AI score: 7.3
Exploits: 0
Richard Bejtlich's blog
added 2019/04/08 8:45 p.m., 35 views

Troubleshooting NSM Virtualization Problems with Linux and VirtualBox

I spent a chunk of the day troubleshooting a network security monitoring NSM problem. I thought I would share the problem and my investigation in the hopes that it might help others. The specifics are probably less important than the general approach. It began with ja3. You may know ja3 as a set ...

AI score: 7.2
Exploits: 0
Richard Bejtlich's blog
added 2020/09/01 12:30 p.m., 34 views

New Book! The Best of TaoSecurity Blog, Volume 2

I published a new book! The Best of TaoSecurity Blog, Volume 2: Network Security Monitoring, Technical Notes, Research, and China and the Advanced Persistent Threat It's in the Kindle Store, and if you're Unlimited it's free. Print edition to follow. The book lists as having 413 pages for the...

AI score: 6.6
Exploits: 0
Richard Bejtlich's blog
added 2020/04/02 11:03 p.m., 33 views

Seeing Book Shelves on Virtual Calls

I have a confession... for me, the best part of virtual calls, or seeing any reporter or commentator working for home, is being able to check out their book shelves. I never use computer video, because I want to preserve the world's bandwidth. That means I don't share what my book shelves look li...

AI score: 7.4
Exploits: 0
Richard Bejtlich's blog
added 2018/07/22 2:02 p.m., 31 views

Defining Counterintelligence

I've written about counterintelligence CI before, but I realized today that some of my writing, and the writing of others, may be confused as to exactly what CI means. The authoritative place to find an American definition for CI is the United States National Counterintelligence and Security...

AI score: 1
Exploits: 0
Richard Bejtlich's blog
added 2020/03/12 1:29 p.m., 30 views

COVID-19 Phishing Tests: WRONG

Malware Jake Tweeted a poll last night which asked the following: "I have an interesting ethical quandary. Is it ethically okay to use COVID-19 themed phishing emails for assessments and user awareness training right now? Please read the thread before responding and RT for visibility. 1/"...

AI score: 7.5
Exploits: 0
Richard Bejtlich's blog
added 2021/04/13 3:00 p.m., 29 views

New Book! The Best of TaoSecurity Blog, Volume 4

I've completed the TaoSecurity Blog book series. The new book is The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship. It's available now for Kindle, and I'm working on the print edition. I'm running a 50% off promo on Volumes 1-3 on Kindle through...

AI score: 6.8
Exploits: 0

Total number of security vulnerabilities: 107