Since I first posted this on 18 Sept 2020, the Chinese PLA has posted this video online, showing them carrying out a nuclear attack against the United States.

This furthers the point that this isn’t just about TikTok, but China’s great ambitions for a global surveillance state… to the detriment of the rest of the world.

I like to remind folks that I usually have a (strangely acute) ability to predict the future, especially as it pertains to national security-related things. I said in December 2019 that COVID is going to change society. …


“The Father of Eight” at the WTC site on 3 Sept 2002.

Never forget.

Interesting story I’ve never shared before… like everyone that day, I was in a state of shock. In my lifetime it was the first time we felt under attack. I remember it like it was yesterday: I was in Symphonic Winds with Mr. Albinder. We were playing “Where Never Lark or Eagle Flew”, a somewhat eerie song for that moment. We continued to play the song over and over and over, even after the Principal made the announcements on the loudspeaker.

Going home that day, I became even more hooked on news (I was a huge CNN Crossfire/Tucker Carlson fanboy as early as middle school… don’t ask) to learn as much as I could about “what the **** just happened” and, equally important, “why the **** someone would do that”. I was amazed at how much I didn’t know about international politics, events, etc. I also grew a sense of nationalism, watching propaganda push agendas while individuals were mere puppets — brainwashed without any realization. Watching the extremism on the other side and realizing the lengths they would go to carry out their “terror” mission — being promised they would get a field of virgins on the other side as martyrs. …



Advanced Threat Analytics (ATA) v1.8 added new capabilities to monitor suspicious and anomalous activity within an Active Directory domain, which increased the number of Windows Event IDs ATA requires from the Domain Controllers.

Customizing a Domain Controller’s audit settings can stop it from auditing activities that ATA requires. This customization is common in many organizations and can have a negative impact on ATA. Additionally, many cyber shops are not aware of their Domain Controllers’ current audit policy settings, nor of the level of effort (LOE) changes in ATA v1.8 with Gateways vs. …
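The practical check behind this paragraph is to export the Domain Controller's effective audit policy and compare it with what the log consumer needs. The following is an added example, not code from the original post: it parses the CSV that `auditpol /get /category:* /r` prints on a DC and reports the subcategories whose audited outcomes fall short. The CSV text is a constructed sample, and the `REQUIRED` table is an assumption for the illustration (Credential Validation is the subcategory that produces the NTLM event 4776); check the ATA prerequisites for the version you run before relying on it.

```python
import csv
import io

# Constructed sample of `auditpol /get /category:* /r` output from a DC whose
# audit policy was "customised": Credential Validation (event 4776) was turned off.
SAMPLE_AUDITPOL_CSV = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030},No Auditing,
DC01,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},Success and Failure,
DC01,System,Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030},Success,
DC01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Failure,
"""

# Assumed requirement table for this illustration: subcategory -> outcomes that must
# be audited. Verify it against the ATA prerequisites for your version.
REQUIRED = {
    "Credential Validation": {"Success", "Failure"},            # NTLM authentication, event 4776
    "Security Group Management": {"Success"},                   # group membership changes
    "Kerberos Authentication Service": {"Success", "Failure"},  # TGT requests
}


def parse_inclusion(setting: str) -> set:
    """Map auditpol's 'Inclusion Setting' text to the set of audited outcomes."""
    setting = setting.strip()
    if setting == "Success and Failure":
        return {"Success", "Failure"}
    if setting in ("Success", "Failure"):
        return {setting}
    return set()  # "No Auditing" or anything unrecognised


def parse_auditpol_csv(text: str) -> dict:
    """Return {subcategory: audited outcomes} from `auditpol ... /r` CSV output."""
    policy = {}
    for row in csv.DictReader(io.StringIO(text)):
        policy[row["Subcategory"].strip()] = parse_inclusion(row["Inclusion Setting"])
    return policy


def audit_gaps(csv_text: str, required: dict = REQUIRED) -> dict:
    """Subcategories whose audited outcomes fall short of `required`.

    A subcategory absent from the export counts as not audited at all, so a
    truncated or filtered export is reported rather than silently passing.
    """
    policy = parse_auditpol_csv(csv_text)
    gaps = {}
    for subcat, needed in required.items():
        missing = needed - policy.get(subcat, set())
        if missing:
            gaps[subcat] = missing
    return gaps


def remediation_commands(gaps: dict) -> list:
    """auditpol commands that would re-enable the missing outcomes on the DC."""
    cmds = []
    for subcat, missing in sorted(gaps.items()):
        flags = " ".join(f"/{outcome.lower()}:enable" for outcome in sorted(missing))
        cmds.append(f'auditpol /set /subcategory:"{subcat}" {flags}')
    return cmds


if __name__ == "__main__":
    for cmd in remediation_commands(audit_gaps(SAMPLE_AUDITPOL_CSV)):
        print(cmd)
```

One caveat a practitioner will hit: if the DC's audit policy is delivered by Group Policy (Advanced Audit Policy Configuration), a local `auditpol /set` is overwritten at the next policy refresh, so the fix belongs in the GPO, and the export above should be re-run afterwards to confirm the effective policy actually changed.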


One of the biggest points of confusion I hear is that Azure Advanced Threat Protection (Azure ATP) is only applicable to Windows. That is not true. I also hear that “credential theft” is a Windows problem. Also not true!

Here I’ll show how you can extend the Azure ATP Security Alert Playbook and use the credentials harvested from Admin-PC on Kali Linux. This is a vital point for network defenders to be aware of: compromised credentials can be used from other machines, including non-domain-joined Linux ones!

Here is a video showing you a play-by-play:

The above video shows the specific steps. You can use the DefendTheFlag program to replicate this environment quickly within Azure, if you so choose. …
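The defender's side of that play-by-play is a logon event for a valid domain account coming from a machine the domain has never heard of. The following is an added example, not code from the original post, of that detection logic run over constructed Windows 4624 events (reduced to the fields the check uses) and a constructed inventory of domain-joined computers; the host names and addresses are made up. It flags a successful logon whose workstation name is empty or not in the inventory, or whose source address is not a known domain host.

```python
# Constructed successful-logon (4624) events, trimmed to the fields the check uses.
SAMPLE_4624 = [
    {"TargetUserName": "jdoe", "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "WorkstationName": "ADMIN-PC", "IpAddress": "10.0.0.20"},
    {"TargetUserName": "svc-backup", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "WorkstationName": "KALI", "IpAddress": "10.0.0.99"},      # stolen hash replayed from Linux
    {"TargetUserName": "jdoe", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "WorkstationName": "", "IpAddress": "10.0.0.99"},          # some clients send no workstation name
    {"TargetUserName": "DC01$", "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "WorkstationName": "DC01", "IpAddress": "10.0.0.10"},
    {"TargetUserName": "jdoe", "LogonType": "2", "AuthenticationPackageName": "Negotiate",
     "WorkstationName": "ADMIN-PC", "IpAddress": "-"},           # console logon: no network source
]

# Constructed inventory of domain-joined computers (e.g. exported with Get-ADComputer),
# upper-cased name -> expected source address.
DOMAIN_COMPUTERS = {"ADMIN-PC": "10.0.0.20", "DC01": "10.0.0.10"}

LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}  # values 4624 uses when there is no remote peer


def flag_foreign_logons(events, domain_computers):
    """Return one finding per logon that did not come from a known domain host."""
    known_ips = set(domain_computers.values())
    findings = []
    for ev in events:
        reasons = []
        ws = ev.get("WorkstationName", "").strip().upper()
        ip = ev.get("IpAddress", "-").strip()

        if not ws:
            reasons.append("empty workstation name")
        elif ws not in domain_computers:
            reasons.append(f"workstation {ws} is not in the domain inventory")

        if ip not in LOCAL_SOURCES:
            if ip not in known_ips:
                reasons.append(f"source {ip} is not a known domain host")
            elif ws in domain_computers and domain_computers[ws] != ip:
                reasons.append(f"workstation {ws} expected at {domain_computers[ws]}, seen from {ip}")

        if reasons:
            findings.append({
                "user": ev["TargetUserName"],
                "package": ev.get("AuthenticationPackageName", ""),
                "logon_type": ev.get("LogonType", ""),
                "workstation": ws,
                "source": ip,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for hit in flag_foreign_logons(SAMPLE_4624, DOMAIN_COMPUTERS):
        print(hit["user"], hit["package"], hit["source"], "; ".join(hit["reasons"]))
```

The workstation name is attacker-controlled (an NTLM client can send whatever it likes, including the name of a real domain PC), so the source-address check is the one that survives a careful adversary; treat the name checks as cheap early signal, not as a control.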


A customer recently asked me “how do I discover Azure Storage accounts that are open?”

First off, we need to define what “open” means. Does this mean “route-able from the Internet”? Or does it mean “anonymous access”? From there, we can share how to answer that question, both from the portal as well as via Az CLI (and REST)!

Azure Storage Security Primer

First, we need an Azure Storage primer…

The goal is not to reinvent the wheel here, especially when appropriate content already exists on this topic. So, I’ll send you here. Come back in 30 minutes after giving it a thorough read.

Welcome back! …
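The two meanings of “open” the post separates map onto different properties, and one of them needs a second query. This added example (not code from the original post) classifies constructed records shaped like `az storage account list -o json` entries together with constructed per-account output of `az storage container list`: “routable from the Internet” is decided by `publicNetworkAccess` and the firewall's `networkRuleSet.defaultAction`, while “anonymous access” needs both the account-level `allowBlobPublicAccess` switch and at least one container whose `publicAccess` is `blob` or `container`. The account and container names are made up; treating a null `allowBlobPublicAccess` as “allowed” reflects the historical default for older accounts and is an assumption stated in the code.

```python
# Constructed records shaped like `az storage account list -o json` entries, trimmed
# to the properties the classification uses.
SAMPLE_ACCOUNTS = [
    {"name": "stpublicdata", "allowBlobPublicAccess": True, "publicNetworkAccess": "Enabled",
     "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}},
    {"name": "stlockeddown", "allowBlobPublicAccess": False, "publicNetworkAccess": "Enabled",
     "networkRuleSet": {"defaultAction": "Deny",
                        "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}], "virtualNetworkRules": []}},
    {"name": "stlegacy", "allowBlobPublicAccess": None, "publicNetworkAccess": "Enabled",
     "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}},
    {"name": "stprivate", "allowBlobPublicAccess": False, "publicNetworkAccess": "Disabled",
     "networkRuleSet": {"defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []}},
]

# Constructed `az storage container list --account-name <name>` output per account:
# container name -> properties.publicAccess ("blob", "container" or None).
SAMPLE_CONTAINERS = {
    "stpublicdata": {"www": "blob", "backups": None},
    "stlockeddown": {"data": None},
    "stlegacy": {"logs": None},
    "stprivate": {"secrets": None},
}

ANONYMOUS_LEVELS = {"blob", "container"}


def classify_account(account: dict, containers: dict) -> dict:
    """Separate 'reachable from the Internet' from 'readable without credentials'."""
    # Route-ability: publicNetworkAccess=Disabled means private endpoints only.
    reachable = account.get("publicNetworkAccess", "Enabled") != "Disabled"
    rules = account.get("networkRuleSet") or {}
    # defaultAction=Allow means no firewall at all; Deny still admits the listed IPs/VNets.
    unrestricted = reachable and rules.get("defaultAction", "Allow") == "Allow"

    # Anonymous access: the account switch only permits containers to opt in, so both
    # layers must be checked. Assumption: null (older accounts) behaves like True.
    account_allows_public = account.get("allowBlobPublicAccess") is not False
    anonymous = sorted(name for name, level in containers.items()
                       if account_allows_public and level in ANONYMOUS_LEVELS)

    return {
        "name": account["name"],
        "internet_reachable": reachable,
        "unrestricted_network": unrestricted,
        "anonymous_containers": anonymous,
        "anonymous_from_internet": reachable and bool(anonymous),
    }


def find_open_accounts(accounts, containers_by_account):
    """Classify every account; callers filter on the flag that matches their question."""
    return [classify_account(a, containers_by_account.get(a["name"], {})) for a in accounts]


if __name__ == "__main__":
    for r in find_open_accounts(SAMPLE_ACCOUNTS, SAMPLE_CONTAINERS):
        print(r)
```

With the real CLI the same two layers are `az storage account list --query "[?networkRuleSet.defaultAction=='Allow'].name" -o tsv` for the network side and, per account, `az storage container list --account-name <name> --auth-mode login --query "[?properties.publicAccess!=null].name"` for the containers. The `stlegacy` record is the case that trips people up: the account permits public containers, but none exist, so it is reachable yet not anonymous.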


I’ve supported a lot of cyber operations, product procurements and product deployments. I’ve consulted for some of the largest Fortune companies in the world, some of the biggest governments, non-profits, research centers and so forth. Although all these experiences were unique, one thing did become apparent to me.

Perhaps there is already a model for what I’m about to explain. Searching online, I couldn’t find one, so here I am.

Before I share this, know that it will be common sense to most. It’s those things which are so logical when you first look at them, when you have the “why didn’t I think of this?” or the “yeah, of course it’s this way…” moment, that I find to be the best models. …


In cybersecurity, especially in the Digital Forensics Incident Response (DFIR) space, the “Iceberg Effect” plays a detrimental role in the execution phase of response and recovery. This often leaves analysis incomplete which directly translates to insufficient response and recovery plans — and worse, a very high probability of failed attempts to evict the actor in the environment.

But what exactly is “the Iceberg Effect” and what can we do about it?


As cyber warriors with various tools deployed and implemented, we have tons of data at our fingertips. Most of the time it is too much data, since most bosses want to “log everything” and auditors often simply ask “do you log [x]?”. To get the checkbox checked, the response is either “yes” or “no, but we will start logging it!”. Whether anyone ever looks at that data, triggers on it to build or start specific workflows or automation, analyzes it, or even knows it exists once the audit is passed becomes a secondary if not tertiary question. In the rare cases when we do have actionable data from which insights can be drawn, that data becomes “the tip of the iceberg”, and this is typically where analysis stops! For example, those who are highly trained in, and have developed a culture of, network defense start and stop with network defense tools. Sure, they might analyze an endpoint, but that typically means doing some quick forensics on the box and then turning it into ashes. …


‘Smart card is required for interactive logon’ (SCRIL) was created back when the major threat to your identity plane was plaintext brute-force attacks. That is, we didn’t want adversaries to guess our plaintext passwords, so when the flag is set the domain controller replaces the account’s password with a random one that nobody knows; all that remains is a random 128-bit NT hash, so there is no plaintext password left to guess.


This was a great capability when it was released, and for what it was created for, it was quite successful.

However, today we live in a world of credential theft. That is, now, we must defend the Kerberos TGTs and NTLM hashes that are exposed to our machines after we perform certain logon events. …




I’m new to Azure Resource Manager (ARM) templates and Desired State Configuration (DSC), albeit not new to JSON or PowerShell. I recently had the task of migrating our Azure Security labs to a pure Azure-based environment, which meant learning ARM and DSC really quickly. I had to set up VMs, build a DC, create users, make the VMs ‘insecure’, stage malicious payloads, create scheduled tasks and much more, all so we could illustrate attacks to drive awareness and show our products detecting nefarious activities.

This blog is meant to be a reminder to myself (and you!) of the lessons I learned.

#1: VSCode is awesome

In the past 2 years I’ve come to love VSCode, especially when dealing with PowerShell (C# is another story, for now; the new remote-development feature is amazing though, so maybe soon that needs to be rethought!). …

About

Andrew Harris

Sr Director, Public Sector Technology Strategy at CrowdStrike. Ex-MSFT, Department of Defense civilian. Advocate of human rights, privacy, decency.
