Since I first posted this on 18 Sept 2020, the Chinese PLA have posted this video online, showing them carrying out a nuclear attack against the United States.

This furthers the point that this isn’t just about TikTok, but China’s great ambitions for a global surveillance state… to the detriment of the rest of the world.

I like to remind folks that I usually have a (strangely acute) ability to predict the future, especially as it pertains to national security-related things. I said in December 2019 that COVID is going to change society. …



Advanced Threat Analytics (ATA) v1.8 added new capabilities to monitor suspicious and anomalous activity within an Active Directory domain. This increased the number of Event IDs ATA requires.

Customizing the Domain Controller’s Audit Settings could stop the Domain Controller from auditing activities required by ATA. This customization is common in many organizations and can have a negative impact on ATA. Additionally, many Cyber shops are not aware of their Domain Controller’s current audit policy settings nor the level of effort (LOE) changes in ATA v1.8 with Gateways vs. …


One of the biggest points of confusion I hear is that Azure Advanced Threat Protection is only applicable to Windows. That is not true. I also hear that “credential theft” is a Windows problem. Also, not true!

Here I’ll show how you can extend the Azure ATP Security Alert Playbook and leverage the harvested credentials from Admin-PC on Kali Linux. This is a vital component to be aware of as network defenders; compromised credentials can be used from other machines, including non-Domain joined Linux ones!

Here is a video showing you a play-by-play:

The above video shows the specific steps. You can use the DefendTheFlag program to replicate this environment quickly within Azure, if you so choose. …


A customer recently asked me “how do I discover Azure Storage accounts that are open?”

First off, we need to define what “open” means. Does this mean “route-able from the Internet”? Or does it mean “anonymous access”? From there, we can share how to answer that question, both from the portal as well as via Az CLI (and REST)!

Azure Storage Security Primer

First, we need an Azure Storage primer…

The goal is not to recreate the wheel here, especially when appropriate content already exists on this topic. So, I’ll send you here. Come back in 30 minutes after giving it a thorough read.

Welcome back! …


I’ve supported a lot of cyber operations, product procurements, product deployments. I’ve consulted some of the largest Fortune companies in the world, some of the biggest Governments, non-profits, research centers, and so forth. Although all these experiences were unique, there was something that did become apparent to me.

Perhaps there is a model already for what I’m about to explain. Searching online, I couldn’t find any such model, so here I am.

Before I share this, know this will be common sense to most. It’s those things which are so logical when you first look at them, when you have the “why didn’t I think of this” or the “yea, of course it’s this way…” — these are what I find to be the best models. …


In cybersecurity, especially in the Digital Forensics Incident Response (DFIR) space, the “Iceberg Effect” plays a detrimental role in the execution phase of response and recovery. This often leaves analysis incomplete which directly translates to insufficient response and recovery plans — and worse, a very high probability of failed attempts to evict the actor in the environment.

But what exactly is “the Iceberg Effect” and what can we do about it?


As cyber warriors with various tools deployed and implemented, there is tons of data at our fingertips. Most of the time too much data, since most of the bosses want to “log everything” and auditors often simply ask “do you log [x]”. To get the checkbox checked the response is either a “yes” or “no, but we will start logging it!”. Now, whether anyone ever looks at that data, triggers on it to build or start specific workflows or automation, analyzes it, or even knows it exists once the audit is passed becomes a secondary if not tertiary question. In the rare cases when we do have data that is actionable and from which insights can be drawn, well, this becomes “the tip of the iceberg”. This is typically where analysis stops! For example, for those who are highly trained and have developed a culture of network defense, we start and stop with network defense tools — sure, they might analyze an endpoint, but that typically means doing some quick forensics of the box and then turning it into ashes. …


‘Smart card is required for interactive logon’ was created back when the major threat to your Identity-plane was plaintext brute-force attacks. That is, we didn’t want adversaries to guess our plaintext passwords, so we literally built random-256-byte-length hashes, so that no one would even know the plaintext password.


This was a great capability when it was released, and for what it was created for, it was quite successful.

However, today we live in a world of credential theft. That is, now, we must defend the Kerberos TGTs and NTLM hashes that are exposed to our machines after we perform certain logon events. …


I’m new to Azure Resource Management (ARM) and Desired State Configuration (DSC), albeit not new to JSON nor PowerShell. I recently had the task to migrate our Azure Security labs to a pure Azure-based environment, which meant learning ARM and DSC really quickly. I had to set up VMs, build a DC, create users, make the VMs ‘insecure’, stage malicious payloads, create scheduled tasks, and much more, all so we could illustrate attacks to drive awareness and show our products detecting nefarious activities.

This blog is meant to be a reminder to myself (and you!) of the lessons I learned.

#1: VSCode is awesome

In the past 2 years I’ve begun to love VSCode, especially when dealing with PowerShell (C# is another story, for now; the new remote-development feature is amazing though, so maybe soon that needs to be rethought!). …


Incident Response and Containment

Anyone who does Incident Response (IR), or any Digital Forensics Incident Response (DFIR) process knows that collecting Indicators of Compromise (IOC) is only half the story. Eventually, you’ll need to recover the environment, which inherently means you best have confidence in the IOCs and have a plan to evict the adversary.


Before we go into detail on just how to do that, it is paramount to talk about containment. Anytime a recovery team comes in and takes intel from the IR team, a plan must be executed while being sensitive to the control-plane an adversary should have after a step has been executed. For example, if the Exchange environment and the general user population get compromised, one should not just clean up the Exchange environment, but should also protect it from being re-contaminated by potentially other compromised areas of the environment. …

About

Ciberesponce

Securing cyberspace, evicting the adversary
