General

While reading Imminent, a newly released book on UAPs by Luis “Lue” Elizondo, I noticed something intriguing: the text redacted by the Department of Defense was left in plain sight. Naturally, my curiosity kicked in—who wouldn’t want to uncover what’s hidden behind those blacked-out lines? Secret insights into a government U.F.O. reverse engineering program? Yes, please. As I encountered the first set of redacted text, a question sparked in my mind: “Could a Large Language Model like ChatGPT infer what’s been hidden?” After all, these models excel at predicting text based on context. So, I decided to put this idea to the test.

General

It is often mistakenly believed that defenders cannot gain visibility into the early stages of the Cyber Kill Chain before the delivery phase. In practice, monitoring during the weaponization phase is one of the most effective and cost-efficient proactive controls an organization can implement, a rare combination in this field. By watching Certificate Transparency (CT) logs and new domain registrations, organizations can detect attacker infrastructure while it is still being built. This enables an immediate alert when a domain mimicking your own is identified, allowing swift actions such as takedown requests to registrars and hosting providers and blocks in internal security tools (proxy, DNS, mail gateway) before the domain is ever used. These actions can prevent the domain from being effectively used against your organization or clients, while also raising the cost of attacking your organization. In this article, we will explore how these monitoring techniques can serve as powerful tools for detecting and preventing threats, including those posed by threat actors such as Scattered Spider. We will review real-world attacks to illustrate how these controls can provide early warnings and strengthen your cybersecurity defenses.
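As an added illustration of the CT-log monitoring described above (example code written for this page, not the article's own tooling), the following script scans a batch of certificate records for registrable domains that resemble a monitored brand domain. It assumes records shaped like crt.sh JSON output with a newline-separated `name_value` field; the records are constructed here so the script runs offline, and `MONITORED_DOMAIN`, the naive two-label registrable-domain extraction and the homoglyph table are all assumptions a real deployment would replace with the Public Suffix List and a fuller confusables map.

```python
import unicodedata

MONITORED_DOMAIN = "example.com"  # assumption: the organisation's own domain

# Constructed sample records. Their shape mimics crt.sh JSON output (an
# assumption); "name_value" carries the certificate's DNS names, one per line.
SAMPLE_CT_RECORDS = [
    {"id": 1, "name_value": "login.example.com\nexample.com"},   # our own cert
    {"id": 2, "name_value": "examp1e-sso.com"},                  # digit 1 for l
    {"id": 3, "name_value": "example-okta.com\nwww.example-okta.com"},
    {"id": 4, "name_value": "exarnple.com"},                     # "rn" for "m"
    {"id": 5, "name_value": "unrelated.net"},
    {"id": 6, "name_value": "exámple.com".encode("idna").decode("ascii")},  # IDN
    {"id": 7, "name_value": "*.exmple.com"},                     # dropped letter
    {"id": 8, "name_value": "example.net"},                      # TLD swap
]

# ASCII sequences commonly substituted for letters in a brand name (assumption:
# a small illustrative table, not an exhaustive confusables list).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s")]


def registrable_domain(hostname):
    """Return the last two labels of a hostname.

    Assumption: a production version would consult the Public Suffix List so
    that names under multi-label suffixes such as .co.uk are handled correctly.
    """
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize_label(label):
    """Fold a DNS label to its 'visual' ASCII form: decode punycode, strip
    accents and combining marks, then replace ASCII look-alike sequences."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: compare the raw label instead
    label = unicodedata.normalize("NFKD", label)
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, monitored=MONITORED_DOMAIN):
    """Return why `domain` resembles `monitored`, or None if it does not."""
    candidate = registrable_domain(domain)
    if candidate == monitored:
        return None  # the monitored domain itself or one of its subdomains
    raw_sld, mon_sld = candidate.split(".")[0], monitored.split(".")[0]
    if raw_sld == mon_sld:
        return "tld swap"
    sld = normalize_label(raw_sld)
    if sld == normalize_label(mon_sld):
        return "homoglyph"
    if mon_sld in sld:
        return "brand keyword"
    if levenshtein(sld, mon_sld) <= 1:
        return "typosquat"
    return None


def scan_ct_records(records, monitored=MONITORED_DOMAIN):
    """Return (record id, registrable domain, reason) for each suspicious
    domain seen in the CT records; wildcard prefixes are dropped and each
    registrable domain is reported once."""
    hits, seen = [], set()
    for rec in records:
        for name in rec["name_value"].splitlines():
            domain = registrable_domain(name.strip().lstrip("*."))
            if domain in seen:
                continue
            reason = classify(domain, monitored)
            if reason:
                seen.add(domain)
                hits.append((rec["id"], domain, reason))
    return hits


if __name__ == "__main__":
    for rec_id, domain, reason in scan_ct_records(SAMPLE_CT_RECORDS):
        print(f"CT #{rec_id}: {domain:<24} {reason}")
```

The edit-distance threshold of 1 is deliberately conservative: raising it to 2 would also catch transpositions such as "exmaple.com", but it starts flagging unrelated short names (for example "sample.com" against "example.com"), so tune it per brand and route the "brand keyword" hits through an allow-list of partners who legitimately embed your name in theirs.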

General

It's not often you'll hear me declare a piece of technology as a "force multiplier," but I genuinely believe that SOAR (Security Orchestration, Automation and Response) platforms deserve this title. I hold this conviction for three key reasons. First, SOAR platforms force you to document your processes and procedures. Second, they simplify the automation of a multitude of tasks. Lastly, they empower subject matter experts (SMEs) who lack coding skills to automate their workflows precisely as they envision, without the risk of miscommunication when translating requirements to a software developer.

General

Five years ago, I co-authored the first public paper on the concept of Detection as Code. While having some technical peers review this paper, we found that a few more advanced security programs were already utilizing this sort of method, just not publicly talking about it. Our goal was to improve the way security teams manage and deploy detectors by incorporating DevOps principles into detection practices. The methodologies we introduced were inspired by software engineering practices such as Continuous Integration (CI) and Continuous Deployment (CD). In this reflection, I will discuss the evolution of Detection as Code over the past five years, share insights from client implementations, and explore current best practices in this approach.
