Thoughts on Cloud Security
Recently I've been reading about cloud security and security with respect to DevOps. I'll say more about the excellent book I'm reading, but I had a moment of déjà vu during one section. The book described how cloud security is a big change from enterprise security because it relies less on...
Ntopng on Security Onion
so16@so16:$ mkdir git so16@so16:$ cd git so16@so16:/git$ ls so16@so16:/git$ wget --no-check-certificate https://github.com/branchnetconsulting/so-ntopng-installer/raw/master/installntopngonso16 --2019-02-11 02:48:02--...
Forcing the Adversary to Pursue Insider Theft
Jack Crook pointed me toward a story by Christopher Burgess about intellectual property theft by "Hongjin Tan, a 35 year old Chinese national and U.S. legal permanent resident... who was arrested on December 20 and charged with theft of trade secrets. Tan is alleged to have stolen the trade secre...
Fixing Virtualbox RDP Server with DetectionLab
Yesterday I posted about DetectionLab, but noted that I was having trouble with the RDP servers offered by Virtualbox. If you remember, DetectionLab builds four virtual machines: root@LAPTOP-HT4TGVCP C:\Users\root"c:\Program Files\Oracle\VirtualBox\VBoxManage" list runningvms "logger"...
Trying DetectionLab
Many security professionals run personal labs. Trying to create an environment that includes fairly modern Windows systems can be a challenge. In the age of "infrastructure as code," there should be a simpler way to deploy systems in a repeatable, virtualized way -- right? Enter DetectionLab, a...
Happy 16th Birthday TaoSecurity Blog
Today, 8 January 2019, is TaoSecurity Blog's 16th birthday! This is also my 3,041st blog post. I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone. Here are a few statistics on the blog. Blogger started providing statistics in May 2010, so these...
Notes on Self-Publishing a Book
In this post I would like to share a few thoughts on self-publishing a book, in case anyone is considering that option. As I mentioned in my post on burnout, one of my goals was to publish a book on a subject other than cyber security. A friend from my Krav Maga school, Anna Wonsley, learned that...
Managing Burnout
This is not strictly an information security post, but the topic likely affects a decent proportion of my readership. Within the last few years I experienced a profound professional "burnout." I've privately mentioned this to colleagues in the industry, and heard similar stories or requests for...
The Origin of the Quote "There Are Two Types of Companies"
While listening to a webcast this morning, I heard the speaker mention There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked. He credited Cisco CEO John Chambers but didn't provide any source. That didn't sound right to me. I could think ...
The Origin of the Term Indicators of Compromise (IOCs)
I am an historian. I practice digital security, but I earned a bachelor's of science degree in history from the United States Air Force Academy. 1 Historians create products by analyzing artifacts, among which the most significant is the written word. In my last post, I talked about IOCs, or...
Even More on Threat Hunting
In response to my post More on Threat Hunting, Rob Lee asked: Do you consider detection through ID’ing/“matching” TTPs not hunting? To answer this question, we must begin by clarifying "TTPs." Most readers know TTPs to mean tactics, techniques and procedures, defined by David Bianco in his Pyrami...
More on Threat Hunting
Earlier this week hellor00t asked via Twitter: Where would you place your security researchers/hunt team? I replied: For me, "hunt" is just a form of detection. I don't see the need to build a "hunt" team. IR teams detect intruders using two major modes: matching and hunting. Junior people spend...
Cybersecurity and Class M Planets
I was considering another debate about appropriate cybersecurity measures and I had the following thought: not all networks are the same. Profound, right? This is so obvious, yet so obviously forgotten. Too often when confronting a proposed defensive measure, an audience approaches the concept fr...
Have Network, Need Network Security Monitoring
I have been associated with network security monitoring my entire cybersecurity career, so I am obviously biased towards network-centric security strategies and technologies. I also work for a network security monitoring company Corelight, but I am not writing this post in any corporate capacity...
Network Security Monitoring vs Supply Chain Backdoors
On October 4, 2018, Bloomberg published a story titled “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies,” with a subtitle “The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according t...
Firewalls and the Need for Speed
I was looking for resources on campus network design and found these slides pdf from a 2011 Network Startup Resource Center presentation. These two caught my attention: This bothered me, so I Tweeted about it. This started some discussion, and prompted me to see what NSRC suggests for architectur...
Twenty Years of Network Security Monitoring: From the AFCERT to Corelight
I am really fired up to join Corelight. I’ve had to keep my involvement with the team a secret since officially starting on July 20th. Why was I so excited about this company? Let me step backwards to help explain my present situation, and forecast the future. Twenty years ago this month I joined...
Defining Counterintelligence
I've written about counterintelligence CI before, but I realized today that some of my writing, and the writing of others, may be confused as to exactly what CI means. The authoritative place to find an American definition for CI is the United States National Counterintelligence and Security...
Why Do SOCs Look Like This?
When you hear the word "SOC," or the phrase "security operations center," what image comes to mind? Do you think of analysts sitting at desks, all facing forward, towards giant screens? Why is this? The following image is from the outstanding movie Apollo 13, a docudrama about the challenged 1970...
Bejtlich on the APT1 Report: No Hack Back
Before reading the rest of this post, I suggest reading Mandiant/FireEye's statement Doing Our Part -- Without Hacking Back. I would like to add my own color to this situation. First, at no time when I worked for Mandiant or FireEye, or afterwards, was there ever a notion that we would hack into...
Bejtlich Joining Splunk
Since posting Bejtlich Moves On I've been rebalancing work, family, and personal life. I invested in my martial arts interests, helped more with home duties, and consulted through TaoSecurity. Today I'm pleased to announce that, effective Monday May 21st 2018, I'm joining the Splunk team. I will ...
Trying Splunk Cloud
I first used Splunk over ten years ago, but the first time I blogged about it was in 2008. I described how to install Splunk on Ubuntu 8.04. Today I decided to try the Splunk Cloud. Splunk Cloud is the company's hosted Splunk offering, residing in Amazon Web Services AWS. You can register for a 1...
Importing Pcap into Security Onion
Within the last week, Doug Burks of Security Onion SO added a new script that revolutionizes the use case for his amazing open source network security monitoring platform. I have always used SO in a live production mode, meaning I deploy a SO sensor sniffing a live network interface. As the...
Lies and More Lies
Following the release of the Spectre and Meltdown CPU attacks, the security community wondered if other researchers would find related speculative attack problems. When the following appeared, we were concerned: "Skyfall and Solace More vulnerabilities in modern computers. Following the recent...
Addressing Innumeracy in Reporting
Anyone involved in cybersecurity reporting needs a strong sense of numeracy, or mathematical literacy. I see two sorts of examples of innumeracy repeatedly in the media. The first involves the time value of money. Recently CNN claimed Amazon CEO Jeff Bezos was the "richest person in history" and...
Remembering When APT Became Public
Last week I Tweeted the following on the 8th anniversary of Google's blog post about its compromise by Chinese threat actors: This intrusion made the term APT mainstream. I was the first to associate it with Aurora, in this post https://taosecurity.blogspot.com/2010/01/google-v-china.html My firs...
Happy 15th Birthday TaoSecurity Blog
Today, 8 January 2018, is the 15th birthday of TaoSecurity Blog! This is also my 3,020th blog post. I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone. I don't believe I've released statistics for the blog before, so here are a few. Blogger...
Spectre and Meltdown from a CNO Perspective
Longtime readers know that I have no problem with foreign countries replacing American vendors with local alternatives. For example, see Five Reasons I Want China Running Its Own Software. This is not a universal principle, but as an American I am fine with it. Putting my computer network...
On "Advanced" Network Security Monitoring
My TaoSecurity News page says I taught 41 classes lasting a day or more, from 2002 to 2014. All of these involved some aspect of network security monitoring NSM. Many times students would ask me when I would create the "advanced" version of the class, usually in the course feedback. I could never...
How to Minimize Leaking
I am hopeful that President Trump will not block release of the remaining classified documents addressing the 1963 assassination of President John F. Kennedy. I grew up a Roman Catholic in Massachusetts, so President Kennedy always fascinated me. The 1991 Oliver Stone movie JFK fueled several yea...
Latest Book Inducted into Cybersecurity Canon
Thursday evening Mrs B and I were pleased to attend an awards seminar for the Cybersecurity Canon. This is a project sponsored by Palo Alto Networks and led by Rick Howard. The goal is "identify a list of must-read books for all cybersecurity practitioners." Rick reviewed my fourth book The...
Five Reasons I Want China Running Its Own Software
Periodically I read about efforts by China, or Russia, or North Korea, or other countries to replace American software with indigenous or semi-indigenous alternatives. I then reply via Twitter that I love the idea, with a short reason why. This post will list the top five reasons why I want China...
Cybersecurity Domains Mind Map
Last month I retweeted an image labelled "The Map of Cybersecurity Domains v1.0". I liked the way this graphic divided "security" into various specialties. At the time I did not do any research to identify the originator of the graphic. Last night before my Brazilian Jiu-Jitsu class I heard some ...
Bejtlich Moves On
Exactly six years ago today I announced that I was joining Mandiant to become the company's first CSO. Today is my last day at FireEye, the company that bought Mandiant at the very end of 2013. The highlights of my time at Mandiant involved two sets of responsibilities. First, as CSO, I enjoyed...
The Missing Trends in M-Trends 2017
FireEye released the 2017 edition of the Mandiant M-Trends report yesterday. I've been a fan of this report since the 2010 edition, before I worked at the company. Curiously for a report with the name "trends" in the title, this and all other editions do not publish the sorts of yearly trends I...
The Origin of Threat Hunting
--- 2011 Article "Become a Hunter" The term "threat hunting" has been popular with marketers from security companies for about five years. Yesterday Anton Chuvakin asked about the origin of the term. I appear to have written the first article describing threat hunting in any meaningful way. It wa...
Does Reliable Real Time Detection Demand Prevention?
Chris Sanders started a poll on Twitter asking "Would you rather get a real-time alert with partial context immediately, or a full context alert delayed by 30 mins?" I answered by saying I would prefer full context delayed by 30 minutes. I also replied with the text at left, from my first book Th...
Guest Post: Bamm Visscher on Detection
Yesterday my friend Bamm Visscher published a series of Tweets on detection. I thought readers might like to digest it as a lightly edited blog post. Here, then, is the first ever as far as I can remember guest post on TaoSecurity Blog. Enjoy. When you receive new threat intel and apply it in you...
Bejtlich Books Explained
A reader asked me to explain the differences between two of my books. I decided to write a public response. If you visit the TaoSecurity Books page, you will see two different types of books. The first type involves books which list me as author or co-author. The second involves books to which I...
Meeting Cliff Stoll
Today I had the chance to meet the man who unintentionally invented the modern digital forensics practice, Cliff Stoll. In 1989 he published a book about his 1986-87 detection and response against KGB-backed spies who hacked his lab and hundreds of government, military, and university computers. ...
Check Out My TeePublic Designs
Over the years fans of this blog have asked if I would consider selling merchandise with the TaoSecurity logo. When I taught classes for TaoSecurity from 2005-2007 I designed T-shirts for my students and provided them as part of the registration package. This weekend I decided to exercise my...
Five Ways That Good Guys Share More Than Bad Guys
It takes a lot for me to write a cybersecurity blog post these days. I spend most of my writing time working on my PhD. Articles like Nothing Brings Banks Together Like A Good Hack drive me up the wall, however, and a Tweet rant is insufficient. What fired me up, you might ask? Please read the...
Updated PhD Thesis Title
Yesterday I posted Latest PhD Thesis Title and Abstract. One of my colleagues Ben Buchanan subsequently contacted me via Twitter and we exchanged a few messages. He prompted me to think about the title. Later I ruminated on the title of a recent book by my advisor, Dr. Thomas Rid. He wrote Cyber...
Latest PhD Thesis Title and Abstract
In January I posted Why a War Studies PhD? I recently decided to revise my title and abstract to include attention to both offensive and defensive aspects of intrusion campaigns. I thought some readers might be interested in reading about my current plans for the thesis, which I plan to finish an...
Lt Gen David Deptula on Desert Storm and Islamic State
This weekend Vago Muradian interviewed Lt Gen ret David Deptula, most famous for his involvement as a key planner for the Desert Storm air campaign. I recommend watching the entire video, which is less than 8 minutes long. Three aspects caught my attention. I will share them here. First, Lt Gen...
Why a War Studies PhD?
When I begin receiving multiple questions on a topic, it's a signal that I should write a blog post. Several of you have asked me about my experience as a PhD candidate in the King's College London Department of War Studies. In this post I will try to answer your questions by explaining how I got...
Happy 13th Birthday TaoSecurity Blog
Today, 8 January 2016, is the 13th birthday of TaoSecurity Blog! This is also my 3,000th blog post. I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone. Kevin Mandia was my boss. Today I am starting my third year as Chief Security Strategist at...
2014-2015 Professional Reading Round-Up
At an earlier point in my career, I used to read a lot of technical security books. From 2006 to 2012 I published a series of Best Book Bejtlich Read posts. Beginning in 2013 I became much more interested in military-derived strategy and history, dating back to my studies at the Air Force Academy...
A Brief History of the Internet in Northern Virginia
Earlier today I happened to see a short piece from the Bloomberg Businessweek "The Year Ahead: 2016" issue, titled The Best Places to Build Data Centers. The text said the following: Cloud leaders including Amazon.com, Microsoft, Google, IBM, and upstart DigitalOcean are spending tens of billions...
Domain Creep? Maybe Not.
I just read a very interesting article by Sydney Freedberg titled DoD CIO Says Spectrum May Become Warfighting Domain. That basically summarizes what you need to know, but here's a bit more from the article: Pentagon officials are drafting new policy that would officially recognize the...