IT Security

Hunting A Process Making Network Connections

Monitoring your network traffic and sniffing packets for rouge connections is an important step to determine if data-ex filtration is happening on your network.  Monitoring traffic can also uncover legitimate processes that are broadcasting or poking around your network.  Wireshark, tshark, or tcpdump can monitor network traffic  and a more robust Network Intrusion detection System (NIDS) can attempt to detect and parse out anomaly traffic.  If the process is legitimate, you may want to simply disable it, and if its not legitimate, initiate an incident response process . But how to determine what process is initiating the network traffic?  Wireshark does provide any process ID (PID) or name. This following examples show how to get the process ID and name on a client that has open connections and is also attempting to make a remote connections to two different servers on the local network. You can see that the processes…

Read more

Building Your IT Security News Pipeline

If you are responsible for securing a network, you should know that monitoring reliable IT security news is now critical to mitigating threats on your precious goods. Prioritizing that news landscape and rolling out a timely response is also critical to a solid recipe for security. While it is not realistic to expect security architects to have that kind of response time, if you are ignoring IT security news, you  might need those backups you have been diligently maintaining or worse. Building a solid incoming information pipeline requires an analysis of the IT security news landscape.  The most fundamental elements of this landscape includes threat advisories & guidelines, updates to best-practices and standardization recommendations,  and changing legal requirements if they apply to your organizational assets.  Threat analysis reports and newly released Common Vulnerability Exposure details (CVEs) are critical secondary elements that relay more detailed information about vulnerabilities affecting specific software. …

Read more

Sources of Red Team Education

What is red-teaming? A important term in IT security context, a red team (red cell) is a group of hackers with various skill-sets, who simulate attacks on the network infrastructure.  By contrast the blue team’s job is to defend the network.  Red teams follow a specific set of rules known as the rules of engagement which stipulate what types of attacks are allowed and points in the attack when they should stop and reporting should be done.  The attacks may employ technical, physical, social or process-based attack vectors.  This intends to cover all aspects of a organization’s security controls such as physical,  administrative, and technical.  The red team helps step 4 of the NIST Risk Management Framework to assess the security controls. Taking the steps of the cyber-kill-chain into account (reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives), the red team may simply seek to gain reconnaissance…

Read more