To honeypot or not to honeypot, that's the question

Sharing is caring. SANS / DShield provide a prebuilt Cowrie-based honeypot that's very easy to install.
You can find a tutorial here [1] as well as some old stuff here: [2]

So during the holidays/nights/weekends/whatever go install this - It runs well on a Raspberry Pi (and faster, stronger, fancier) so there's no longer any valid excuses not to honeypot!

Your home firewall can also easily be used for the purpose of honeypotting, just forward the relevant iptables/pf logs to DShield as well. Further details on configuring this can be found here [3]

[1] DShield Honeypot: https://isc.sans.edu/honeypot.html
[2] Peerlyst article "Are you submitting your logs to DSHIELD": https://www.peerlyst.com/posts/are-you-submitting-your-logs-to-dshield-martin-boller
[3] HowTo: Submitting logs to DShield https://isc.sans.edu/howto.html

Windows 10 Evaluation Build 1903 Download for testlab

Keep forgetting the download link to Windows Evaluation Versions?

Basically it's always available at https://software-download.microsoft.com/download/pr/ $ISO_NAME

For Windows 10 build 1903 (May 2019) it is:
https://software-download.microsoft.com/download/pr/18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso

sha256sum (or get-filehash filename -Algorithm SHA256 | Format-List) should produce:
"ab4862ba7d1644c27f27516d24cb21e6b39234eb3301e5f1fb365a78b22f79b3"

Specifically for Packer:

  "variables": {
    "iso_checksum": "ab4862ba7d1644c27f27516d24cb21e6b39234eb3301e5f1fb365a78b22f79b3",
    "iso_checksum_type": "sha256",
    "iso_url": "https://software-download.microsoft.com/download/pr/18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso",
    "autounattend": "./answer_files/10/unattend.xml",
    "disk_size": "61440"
  }

The easiest way to find the ISO filename is to register on https://www.microsoft.com/en-us/evalcenter/
Get the name from that download and calculate the hash, then automate the installation (Using Packer or whatever your favorite is).

The same principle apply for Windows Server.
Server 2016: 17763.379.190312-0539.rs5_release_svc_refresh_SERVER_EVAL_x64FRE_en-us.iso
 is available at
https://software-download.microsoft.com/download/pr/17763.379.190312-0539.rs5_release_svc_refresh_SERVER_EVAL_x64FRE_en-us.iso

It's about 5 years too late - But let us kill Internet Explorer

<RANT>

When even Microsoft doesn't support it anymore, there's a Window of Opportunity to get the funding to make it happen

Go prepare that presentation for management showing why anything requiring IE should go - NOW!

Any system that still require IE is outdated and thus likely a security risk, so identify those and do something about it. Identify the developer or vendor of those applications and have them updated.

If a vendor still only support IE or Flash or Silverlight, look elsewhere, they're not worth your time and money.

The upgrade recommendation on Github should be read from right-to-left if you want to protect your privacy too:

1. Firefox 
2. Google Chrome
3. Microsoft Edge

</RANT>

DMARC Reporting: Use Parsedmarc with Elastic

If you’re worried about hosting your DMARC data (not least the Forensics reporting) with a cloud provider, or just simply want to self-host because You’re already running the Elastic Stack or Splunk and want to save the $$ for the provider, there’s a tool for you called ‘Parsedmarc’ [1].

For further information on the tool, please read the description at [1] (It would be stupid repeating all of that here).

For the purpose of installing Parsedmarc on the Elastic Stack, here’s a simple shell script to do just that [2].

Prerequisites for the script:

• Python3 Pip
• X-Pack Security - You really should use that, it's part of the Basic License now
• Run the script on the Elasticsearch node on which you want Parsedmarc to run
• I disagree with using Cloudflare for name resolution, if your local DNS resolvers aren't running faster and better than them, you should look into your DNS setup, as well as use RPZ's to protect your organization.

And please don't forget to spare a thought (or a dime) for @seanthegeek who made this possible.

[1] https://github.com/domainaware/parsedmarc

[2] https://github.com/martinboller/parsedmarc-install

Installing logstash-filter-tld plugin for newer Logstash versions

The logstash tld plugin (logstash-filter-tld) is used to extract the individual labels of a fqdn. This is great for analysis of e.g. domains from a Domain Generation Algorithm (DGA). Unfortunately this plugin does not work on newer logstash versions. (See https://github.com/logstash-plugins/logstash-filter-tld/pull/10)
This is caused by java version requirements. To make it work, all that is needed is changing that requirement, then (re)building the gem. This is a few simple steps (done on Debian below - substitute with your distros package manager).
On the development machine:

• apt-get -y install jruby bundler
• gem install bundler
• git clone https://github.com/logstash-plugins/logstash-filter-tld.git
• cd logstash-filter-tld/
• nano (or vi) logstash-filter-tld.gemspec
• change logstash-filter-tld.gemspec, '=1.4.6' '' to logstash-filter-tld.gemspec, '~> 3'
• gem build logstash-filter-tld.gemspec

The finalized plugin is now saved as logstash-filter-tld-3.0.3.gem. Copy that to your logstash instances, then install it using:

• /usr/share/logstash/bin/logstash-plugin install --no-verify ./logstash-filter-tld-3.0.3.gem

For the logstash .conf-file(s) here's an example using the tld plugin:

filter {        

   tld {

        source => "computer_name"

    }


    mutate {

        rename => { "[tld][domain]" => "highest_registered_domain" }

        rename => { "[tld][trd]" => "sub_domain" }

        rename => { "[tld][tld]" => "top_level_domain" }

        rename => { "[tld][sld]" => "parent_domain" }

    }

}

Take a look at these logstash configurations too: https://github.com/HASecuritySolutions/Logstash

This post was first published on Peerlyst: https://www.peerlyst.com/posts/installing-logstash-filter-tld-plugin-for-newer-logstash-versions-martin-boller

Skills shortage in Cyber Security

Part of the skills shortage in Cybersecurity is caused by the time wasted explaining the basics to the numerous tricksters in our line of work. It's nigh impossible to counter all the BS from the checkmark brigade. People don't scale.

The trouble is that the easy solutions are compelling, and that the lack of a consistent story is ruining it for all of us - it is easier to sell "we have a firewall, so it's secure" than "we need to improve our detection and response capabilities - and oh, btw. I need two more FTEs for Threat Hunting".

While wasting our time explaining the basics over and over again, we miss the opportunity to mentor and grow real competences in security and it has to stop. There's competences everywhere; In help-desk, in Dev, in HR, but they - too - are being held back by the personalities discussed above, so let's all help grow the ones that can make a difference and call out the tricksters.

IT (and InfoSec) titles and descriptions are mostly BS

What's in a word?

The following is a true story. Only the names have been changed to protect the guilty.

So this morning (GMT+2) I perused LinkedIn [1] ;) and stumbled upon a few titles and headlines that immediately gave  food for thought - Not least combined with (some) knowledge of the suspects.

(Disclaimer: There's some genuinely good people using the word salads discussed below, so please be nice to them - or, actually, be nice to everyone).

General offenders

Anyone using the terms innovation or disruption appear to have never done any innovation or disruption themselves, but merely just talk about it. If You're copying (or repeating) what others have done You're not innovating, and certainly not disrupting. While we all stand on the shoulders of giants and are building on previous knowledge (which we should) there's nothing worse than listening to "Motivational Quotes" from someone you know as a mediocre developer and/or manager. Just stop it and use your time on becoming a good leader or whatever else makes you happy.

But that is likely too  hard when You've spent your career being a sycophant?

Digitalization; If You're in IT, maybe you should think hard about your career if you missed the digitalization part of IT.

But more about that below.

Other headlines/titles

During the self-flaggelation (remember; Perusing LinkedIn) I stumbled upon this gem:

"Collaborative strategy enabler by means of IT and Digitalization"

What does this even mean?

IT is needed for Digitalization, so redundant information here, and some (most?) companies have a collaborative strategy [2], but it is likely to be different depending on the organizations business strategy and vision, so how does that ensure you can enable company X's specific strategy?

 So basically it means "I'm in IT, maybe a leader"?

Last, but not least

Calling yourself a Rock Star or Thought Leader.....

[1] Peruse means "to read carefully" and "to skim"? How?

[2] Collaborative Strategy on Quora

[3]  Dancing on your grave - Mötörhead

Who the f... do you think you are, calling yourself a "Cyber Security Architect"?

Well, what's wrong with being a hypocrite! [3]