Announcing CelesTLSH CLI: A Lightweight Tool for TLSH Hash Analysis
I'm excited to announce the release of CelesTLSH CLI, a lightweight CLI interface tool for calculating, comparing, and analyzing TLSH hashes. This tool is designed to help security professionals quickly identify potentially malicious files by comparing them against a database of known attack tools.
Vintage Detection: Applying RADAR Research from 1953 to Detect Modern Cyber Threats
A 1953 mathematical framework reveals how military RADAR research can revolutionize cybersecurity. By transforming threat detection from gut feeling to probabilistic science, signal detection theory offers a powerful approach to distinguishing genuine threats from routine noise.
Falling in love with NSM again
When I started in cybersecurity, most web traffic wasn’t encrypted, which meant Firewalls and Network Intrusion Detection Systems played a critical role in detecting malicious activity. Endpoint visibility was limited—most organizations still relied on traditional Anti-Virus
UFOs and Mobile Malware - How Retaliation Against a Source Led Me to iVerify
For the past year and a half, I’ve been on one of the wildest adventures of my life, writing a book on UFOs and UAP. It has taken me through a painstaking process of finding and connecting with people who may hold valuable information for my work.
Using A.I. to Expose Redacted Sensitive Information
While reading Imminent, a newly released book on UAPs by Luis “Lue” Elizondo, I noticed something intriguing: the text redacted by the Department of Defense was left in plain sight. Naturally, my curiosity kicked in—who wouldn’t want to uncover what’s hidden behind those blacked-out lines?
The Power of Proactive Cybersecurity with Domain and TLS Monitoring
It is often mistakenly believed that defenders cannot gain visibility into the early stages of the Cyber Kill Chain before the delivery phase.
A Five Year Retrospective on Detection as Code
Five years ago, I co-authored the first public paper on the concept of Detection as Code. While having some technical peers review this paper, we found that a few more advanced security programs were already utilizing this sort of method, just not publicly talking about it.
Five Insights From My Time Building 3 SOCs and Consulting For Over 40 Fortune 500 Companies and Federal Agencies
Throughout my cybersecurity career, I’ve had the opportunity to build three Cyber Security Operation Centers (SOCs) from scratch, including two for Managed Detection and Response (MDR) providers.
Detecting RegreSSHion - CVE-2024-6387 a Guide
Recently, the killer vulnerability research team at Qualys discovered a Remote Code Execution (RCE) vulnerability in OpenSSH that exploits a race condition within SSH. This vulnerability is particularly concerning because SSH is commonly exposed to the internet for remote system management.
Commonly Abused Linux Initial Access Techniques and Detection Strategies
The volume and quality of Threat Intelligence for Linux attacks have traditionally lagged behind that for Windows, despite Linux's significant cloud presence. Most reports have focused on reverse engineering Linux-based malware and attack tools.
Operationalizing TLSH Fuzzy Hashing
If you work in cybersecurity or tech, you’re likely familiar with hashing. A cryptographic hash function generates a fixed-size hash value from any given input data. This is a one-way process, making it computationally infeasible to reverse-engineer the original data from the hash value.
The Defenders Dilemma is a Myth
This blog post stems from a recent conversation with my former colleague, David Bianco, on the Defender's Dilemma." The Defender's Dilemma is often cited by those without firsthand experience in investigating cybersecurity incidents.
The Analyst vs The Engineer
A common trope among cybersecurity practitioners is gatekeeping entry-level positions like junior Security Operations Center (SOC) analysts with statements like, "How are you supposed to secure something if you've never managed it?" This is a concept that I **highly** disagree with.
A Deep Dive into Linux Ransomware Research
Over the past few weeks, I have done a deep dive into the public research available on Linux Ransomware, seeking to understand the broader landscape as there is an over emphasis on the Mirai botnet. I discovered that although there is an abundance of *outstanding* whitepapers and research pieces,
ImpELF: Unmasking Linux Malware with a Novel Imphash Approach for ELF Binaries
As someone that primarily does Linux security research, I was frustrated that there wasn't an equivalent of an imphash for Linux ELF binaries. So, I decided to make one myself. Introducing ImpELF.
Wireshark's little known Snort post-dissector
Snort rules are considered the gold standard of Network Intrusion Detection signatures, and because of that it is important for new analysts to learn how to read and understand the logic of them. These days, there are a ton of great blogs already on understanding them, such as this one by Rapid7.
Operationalizing Mitre's ATT&CK Framework
An introduction to the Mitre ATT&CK framework, the Mitre ATT&CK Navigator, and some example processes to get you started.
Leveling up your Linux Security Monitoring
Lets face it - the state of Linux security monitoring sucks. Linux is often treated as a second class citizen in terms of feature set when compared to its windows counter parts.
Detectors as Code
Security operations and monitoring teams face a variety of challenges: the rapid evolution of adversarial tradecraft
