Posts

Protecting Applications Using AWS WAF

Image
  Amazon's Web Application Firewall (WAF) allows for seamless integration with existing AWS resources and easy configuration. It may have its limitations, but it provides many common protections for web applications and can be spun up very quickly. Everything I've included below can be found in Amazon's documentation . However, I've highlighted parts that I found particularly important and left other details out. AWS WAF Classic vs AWS WAF If you're still on WAF Classic, you should try to migrate to AWS WAF. The "new" version has been out several years (though rules do not automatically convert and Amazon's conversion tool does not work in all scenarios). There are a number of new capabilities and features, notably managed rules. And if you have version control and infrastructure as code (IaC) implemented widely throughout your environment, rules are now JSON objects. I will leave it at that as I suspect most people are on the current AWS WAF. Resource

Cybersecurity Fundamentals

Image
  While some hacks truly are sophisticated, nation-state attacks , many more are the result of simpler exploits or just social engineering. After the details of such a compromise are released, people comment about how organizations should be doing at least the "basics" or "fundamentals." So what are the fundamentals? And at what point do you cross over into intermediate or expert practices? I have my opinion, but let me first share a couple official lists: NIST - Cybersecurity Basics CISA - Cyber Essentials These are great lists but allow me to expand. Multi-factor Authentication First up is multi-factor authentication (MFA). Even in 2024, lack of MFA has resulted in account or organization compromise. Take the recent SEC X / Twitter hack  -- the US Securities and Exchange Commission had their X account taken over and was used to post false information. While "SIM swapping" also played a role in the hack, had MFA been enabled, the threat actor may have bee

The Power of Procmon (Process Monitor)

Image
  Procmon (Process Monitor) is "an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity." This accurately describes what Procmon does, but it doesn't come close to describing the power that it provides to monitor, investigate, and troubleshoot on a Windows system.  Let explore it (download from Microsoft to follow along). Activity Options Procmon had a hard time adjusting to my display resolution, but you can see here and in the screenshot at the top the Activity display options. These will enable / disable various types of activities from being displayed. Deselecting one of these options doesn't erase any existing logs, but just narrows down the output to the types of events you want to see. These include registry, file system, network, and process/thread activity.  These are helpful for narrowing focus when troubleshooting an issue, but you can still be left with thousands of entries. This is where filters come

Regular Expressions (Regex) for Beginners

Image
  Regular expressions (regex) are used to to extract information or patterns from text. They are used by programming languages, AV/EDR software, application whitelisting software, data loss prevention (DLP) software, personally identifiable information scanning software, and more. While simple in concept, regex can become quite complex depending on what strings of text need to be extracted. I'll be using regex101.com  to show my examples, but there are a ton of great resources and "testers" available for free on the Internet.  Tokens  are how regular expressions are defined. There are dozens available, and we'll get to them in a minute, but nothing is more basic in regex than just typing the exact string you're looking for.  Example 1 - string If you're searching for the string "fire" in a given sentence, you would make your regular expression  fire . We can see here that this regex pattern patches on lines "fire", "firetruck", &q

SPF, DKIM, and DMARC Explained

Image
  I found myself reading RFC 733 today as I had no idea how long BCC emails had been around. Turns out, it's a long time (November 21, 1977). In fact, that is when the "Standard for the Format of ARPA Network Text Messages" was ratified so a whole lot of other things were included in that RFC that are still used in email today, not just BCC emails. Some things that weren't proposed in 1977 for obvious reasons are SPF , DKIM , and DMARC . We'll be talking about those today! (If you're curious like I was what those RFCs are anyway, I linked them so you can check those out too).  SPF - Sender Policy Framework SPF is an authentication mechanism that allows an email server to verify that an email it receives was sent from an authorized server. SPF does this by checking the domain contained in the email header (specifically the envelope sender/MAILFROM), queries for an SPF TXT record that should be contained in that domain's DNS records, and depending on what t

Detecting Phishing Emails

Image
Detecting and preventing the effects of phishing emails has become a primary interest for enterprises and governments today. Often because phishing emails lead to network breaches, ransomware, and exfiltration of sensitive information. Patching vulnerabilities, ensuring AV/EDR/XDR is installed on endpoints, network segmentation, and MFA are all great to do, but one step we can take before relying on these measures is ensuring the end-user community is routinely educated on how to detect phishing emails.  So how do we detect phishing emails? Screening Emails Here are some of the items on what I call my "initial phishing screening checklist": Sender name and email address (especially domain) that doesn't match a legitimate one. Statements urging me to act quickly. Was I expecting an email like this? If I know the person and/or can reach them by phone, can I confirm it is them truly sending the email? (Out-of-band communication).  At least on this one they give 24 hours not

Windows Security Overview

Image
In terms of security, we've come a long way since the days of Windows XP. Even compared to your typical Windows 7 Enterprise install just a few years ago there have been huge security advancements in the industry and specifically within Windows. Here is an overview of some of those improvements, and if this series is popular enough, I may do a deep-dive on some of the individual features in the future. Secure Boot Before ransomware became the go-to malware for bad actors, one of the popular, more sophisticated pieces of malware was the rootkit. This allowed code to be run in kernel mode within Windows effectively bypassing most antivirus software installed on the system. This also meant being capable of performing almost anything on the system without issue. To mitigate this issue something was needed to verify that the bootloader run before Windows was legitimate. This is where Secure Boot fits into the Windows Security picture (though Secure Boot works with macOS and Linux comput