Blue

This is another short piece in the “Strictly Theoretical” mini series, in which I put seemingly nonsensical historical incident-management cases and suspicious behaviour patterns under the microscope, reflecting on how the “inner” and “outer” worlds continuously interact with each other to form the everyday life of a production environment.

RemComSvc

RemCom is a free, open-source remote-execution tool in the style of PsExec, and it is bundled inside several legitimate software deployment products. By default it copies RemComSvc.exe to the remote computer over the ADMIN$ share, installs it as a service and then talks to it over its own named pipes, which take the place of PsExec’s PSEXESVC pipe. Attacker tooling reuses exactly the same service binary and pipe names (Impacket’s psexec.py is built on RemCom), so the tool itself cannot simply be allowlisted. From a blue-team perspective this is easy to confuse with lateral movement, and it can take some time to establish an appropriate alerting baseline, because treating every instance as an investigation would disrupt the business if not handled carefully. The case that prompted this post was just that: a remote software installation that was entirely legitimate for this business environment and its circumstances.

What needs to be done

Typically the process needs to be confirmed with the user who ran the installation (or the team that owns the deployment tooling), and a few adjustments to the rule are enough to eliminate future false positives: allowlist the deployment account and the hosts it deploys from, or suppress the alert when the service is installed by that account, while still alerting on RemComSvc or RemCom pipes that appear on a host with no matching baselined installation. The aim is to silence the known-good pattern, not the tool.
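As an added example (not code from the original post), here is a small Python triage routine of the kind the baseline above describes. It classifies Windows System log 7045 (new service installed) and Sysmon Event ID 17 (named pipe created) records by the service and pipe names that PsExec and RemCom actually use (RemCom’s control pipe really is spelled RemCom_communicaton in the upstream source), suppresses hits on hosts where a baselined deployment account installed the service, and still escalates when that account fans out to an unusual number of hosts. The event records, host names and the CORP\svc-deploy account are constructed for the example; a real rule would additionally constrain the host correlation to a time window.

```python
"""Added example: baseline-aware triage of PsExec/RemCom service and pipe telemetry.
Events are constructed dicts modelled on Windows System log 7045 records and
Sysmon Event ID 17 (PipeEvent) records; they are not real telemetry."""
from collections import defaultdict

# Service names the PsExec-style tools register when they drop their service binary.
TOOL_SERVICES = {"psexesvc": "PsExec", "remcomsvc": "RemCom"}

# Named-pipe prefixes the service half of each tool creates. RemCom's control
# pipe is genuinely misspelled "communicaton" upstream, and its stdin/stdout/
# stderr pipes carry a client-host/pid suffix, hence prefix matching.
TOOL_PIPE_PREFIXES = {
    "\\psexesvc": "PsExec",
    "\\remcom_communicaton": "RemCom",
    "\\remcom_stdin": "RemCom",
    "\\remcom_stdout": "RemCom",
    "\\remcom_stderr": "RemCom",
}


def classify(event):
    """Return the remote-execution tool an event points at, or None if unrelated."""
    if event.get("event_id") == 7045:  # System log: a new service was installed
        return TOOL_SERVICES.get(event.get("service_name", "").lower())
    if event.get("event_id") in (17, 18):  # Sysmon: pipe created / pipe connected
        pipe = event.get("pipe", "").lower()
        for prefix, tool in TOOL_PIPE_PREFIXES.items():
            if pipe.startswith(prefix):
                return tool
    return None


def triage(events, baseline_accounts, fanout_limit=5):
    """Attach a severity to every tool-related event.

    'suppressed': the tool service on that host was installed by a baselined
                  deployment account (the legitimate pattern in the post).
    'medium'    : baselined account, but it touched more hosts than fanout_limit.
    'high'      : no baselined installer on that host, e.g. an interactive user
                  running PsExec, or a pipe with no service-install record at all.
    """
    installers_by_host = defaultdict(set)
    hosts_by_account = defaultdict(set)
    for ev in events:
        if ev.get("event_id") == 7045 and classify(ev):
            installers_by_host[ev["host"]].add(ev["user"])
            hosts_by_account[ev["user"]].add(ev["host"])

    alerts = []
    for ev in events:
        tool = classify(ev)
        if tool is None:
            continue
        baselined = installers_by_host[ev["host"]] & set(baseline_accounts)
        if not baselined:
            severity = "high"
        elif any(len(hosts_by_account[a]) > fanout_limit for a in baselined):
            severity = "medium"
        else:
            severity = "suppressed"
        alerts.append({"host": ev["host"], "tool": tool, "event_id": ev["event_id"],
                       "installer": sorted(installers_by_host[ev["host"]]),
                       "severity": severity})
    return alerts


def summarise(alerts):
    """Count alerts per severity: the figure you watch while tuning the baseline."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["severity"]] += 1
    return dict(counts)


# Constructed sample telemetry: one deployment run and one ad-hoc PsExec use.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "WS-101", "user": "CORP\\svc-deploy",
     "service_name": "RemComSvc", "image_path": "C:\\Windows\\RemComSvc.exe"},
    {"event_id": 17, "host": "WS-101", "image": "C:\\Windows\\RemComSvc.exe",
     "pipe": "\\RemCom_communicaton"},
    {"event_id": 17, "host": "WS-101", "image": "C:\\Windows\\RemComSvc.exe",
     "pipe": "\\RemCom_stdinDEPLOY01-4212"},
    {"event_id": 7045, "host": "WS-102", "user": "CORP\\svc-deploy",
     "service_name": "RemComSvc", "image_path": "C:\\Windows\\RemComSvc.exe"},
    {"event_id": 7045, "host": "FS-01", "user": "CORP\\jdoe",
     "service_name": "PSEXESVC", "image_path": "C:\\Windows\\PSEXESVC.exe"},
    {"event_id": 17, "host": "FS-01", "image": "C:\\Windows\\PSEXESVC.exe",
     "pipe": "\\PSEXESVC"},
    {"event_id": 17, "host": "WS-103", "image": "C:\\Windows\\System32\\svchost.exe",
     "pipe": "\\srvsvc"},  # ordinary RPC pipe, must not match
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, {"CORP\\svc-deploy"}):
        print(alert)
    print(summarise(triage(SAMPLE_EVENTS, {"CORP\\svc-deploy"})))
```

With the deployment account baselined, the RemCom activity on WS-101 and WS-102 is suppressed while the interactive PsExec use on FS-01 stays high; lowering fanout_limit shows how the same baseline can still surface a deployment account that suddenly touches far more hosts than usual.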

Thanks for reading and as always, any feedback is most welcome.


Third Party Alerts

SIEM tools can often integrate with third-party vendors’ products in order to ingest their alerts. This matters when the organisation is on a tight budget: with a robust library of third-party integrations, alerts from endpoints, the network and user activity can be channelled into a single platform, which makes monitoring and analysis easier. The obvious drawback is that you end up with even more un-prioritised alerts.

In the case in question, the vendor’s alert showed a moderately high number of login attempts.

This is why it is important to keep fine-tuning both new and existing rules, so that only the more relevant threat vectors draw the analyst’s attention.

What next

There are usually two groups of tasks after an attack like this. First, immediate remediation by the third party is critical: blocking the source IP address for at least 24 hours, forcing password changes, adjusting allowlists and so on. Second, from the point of view of our SIEM the alert should also be handled according to our own needs, prioritised, suppressed or de-duplicated, so that it generates fewer alerts in future and the detection becomes more resilient.
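As an added example, not code from the original post or from any vendor, the following Python sketch shows the SIEM-side half of that list: two differently shaped third-party alerts (a CEF line in the style a web gateway might emit, and a JSON record from a second product) are normalised into one schema and then prioritised, suppressed or collapsed as duplicates. The vendor names, IP addresses, field names and thresholds are all constructed for the example; real products use their own extension keys, and the rt field in CEF is usually an epoch timestamp rather than the ISO string used here.

```python
"""Added example: normalise third-party alerts into one schema, then prioritise,
suppress or de-duplicate them before they reach the analyst queue.
All alert samples, vendor names and addresses are constructed."""
from datetime import datetime, timedelta
import json
import re

EXT_RE = re.compile(r"(\w+)=(\S+)")  # CEF extension parser; fine for values without spaces


def parse_cef(line):
    """Parse 'CEF:0|Vendor|Product|Version|SigID|Name|Severity|k=v k=v' into a dict."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    ext = dict(EXT_RE.findall(parts[7]))
    return {
        "vendor": parts[1], "product": parts[2], "rule": parts[5],
        "vendor_severity": int(parts[6]),
        "ts": datetime.fromisoformat(ext["rt"].replace("Z", "+00:00")),
        "src_ip": ext.get("src"), "user": ext.get("suser"),
        "count": int(ext.get("cnt", 1)),
    }


def parse_vendor_json(record):
    """Normalise the second (constructed) vendor's JSON shape to the same schema."""
    d = json.loads(record)
    return {
        "vendor": d["producer"], "product": d["module"], "rule": d["title"],
        "vendor_severity": {"info": 1, "warning": 5, "critical": 9}[d["level"]],
        "ts": datetime.fromisoformat(d["time"].replace("Z", "+00:00")),
        "src_ip": d["source_address"], "user": d.get("username"),
        "count": int(d.get("attempts", 1)),
    }


def triage(alerts, brute_force_threshold=20, privileged=(), known_benign_sources=(),
           dedupe_window=timedelta(hours=1)):
    """Attach a 'disposition' to each normalised alert, processed oldest first.

    duplicate : same vendor/rule/source within dedupe_window of a kept alert
    suppressed: source is on the benign list (e.g. the vendor's own health checks)
    high      : login burst over threshold, or any alert touching a privileged user
    low       : everything else; routed to a daily review rather than paging
    """
    kept = {}  # (vendor, rule, src_ip) -> timestamp of the last alert we kept
    out = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["vendor"], a["rule"], a["src_ip"])
        if key in kept and a["ts"] - kept[key] < dedupe_window:
            disposition = "duplicate"
        elif a["src_ip"] in known_benign_sources:
            disposition = "suppressed"
        elif a["count"] >= brute_force_threshold or a["user"] in privileged:
            disposition = "high"
        else:
            disposition = "low"
        if disposition != "duplicate":
            kept[key] = a["ts"]
        out.append({**a, "disposition": disposition})
    return out


# Constructed input: three CEF lines from one product and two JSON records from another.
SAMPLE_INPUT = [
    "CEF:0|ExampleVendor|WebGateway|2.1|1001|Multiple failed logins|5|"
    "src=203.0.113.5 suser=alice cnt=42 rt=2024-03-01T10:00:00Z",
    "CEF:0|ExampleVendor|WebGateway|2.1|1001|Multiple failed logins|5|"
    "src=203.0.113.5 suser=alice cnt=17 rt=2024-03-01T10:20:00Z",
    "CEF:0|ExampleVendor|WebGateway|2.1|1001|Multiple failed logins|5|"
    "src=203.0.113.5 suser=alice cnt=9 rt=2024-03-01T11:30:00Z",
    json.dumps({"producer": "OtherVendor", "module": "Portal", "title": "Failed login",
                "level": "warning", "time": "2024-03-01T10:05:00Z",
                "source_address": "198.51.100.7", "username": "svc-admin", "attempts": 3}),
    json.dumps({"producer": "OtherVendor", "module": "Portal", "title": "Failed login",
                "level": "info", "time": "2024-03-01T10:06:00Z",
                "source_address": "192.0.2.250", "username": "monitor", "attempts": 1}),
]


def normalise(raw):
    return parse_cef(raw) if raw.startswith("CEF:") else parse_vendor_json(raw)


def run(raw_records=SAMPLE_INPUT):
    return triage([normalise(r) for r in raw_records],
                  privileged={"svc-admin"}, known_benign_sources={"192.0.2.250"})


if __name__ == "__main__":
    for a in run():
        print(a["ts"].isoformat(), a["vendor"], a["src_ip"], a["count"], a["disposition"])
```

The ordering of the checks is the tuning decision: duplicates are collapsed first so a repeating vendor alert cannot flood the queue, the benign list is consulted next, and only then does priority get computed, so a suppressed source can never be promoted by a high attempt count.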



Some pros and cons of cloud security

Cloud security companies offer a wide range of cyber-security solutions. One of their core products is access control through their numerous web gateways. This is good in general, as a lot of potential attack vectors can be blocked this way, but what if other security systems are in place as well? If these screening tools are not fully aligned with each other, or are still in their baselining phase, they may work against each other and increase the level of noise.

User authenticates from different geolocations

If a user’s location is close to several of the cloud security tool’s gateways, the tool may authenticate the user through different gateways within a short period of time. There can be several reasons for this, such as load balancing, the user’s personal VPN or other routing issues. In a situation like this the other screening tools start raising alerts, because the timeframe is far too narrow for a real journey between those geographical locations, and “impossible travel” is by definition suspicious.

After confirming the circumstances, potentially with the user as well, there is nothing left to do but note up the alert and perhaps fine-tune the workflow automation for alerts of this kind. The most important piece of data to identify in these alerts is the “organisation” that owns the source IP address. If it matches the name of the cloud security vendor, the geolocation jump is almost certainly between the vendor’s gateways rather than the user’s locations, and there is hopefully not much to worry about. One caveat: a name string alone is weak evidence, so where the vendor publishes its gateway address ranges, check against those rather than against the organisation label.
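As an added example (not the post’s own code or any vendor’s), the Python below runs the impossible-travel check that the screening tools perform and then applies the organisation check the paragraph describes: consecutive logins by the same user are compared by great-circle distance and implied speed, and a hit whose source addresses all belong to the cloud security vendor’s gateways is downgraded to informational instead of paged. The login records, coordinates, IP addresses, the vendor name ExampleCloudSec and the IP-to-organisation table are constructed; in production the table would come from ASN/WHOIS enrichment or the vendor’s published gateway ranges.

```python
"""Added example: impossible-travel detection with an organisation check for
cloud-security gateway traffic. All logins, addresses and the IP-to-organisation
table are constructed for the example."""
import math
from datetime import datetime
from itertools import groupby

CLOUD_SEC_ORG = "ExampleCloudSec"   # hypothetical vendor whose gateways front our users
MAX_PLAUSIBLE_KMH = 900.0           # roughly airliner speed; faster than this is "impossible"

# Constructed IP -> owning organisation table (would come from ASN/WHOIS enrichment).
IP_ORG = {
    "198.51.100.10": CLOUD_SEC_ORG,   # vendor gateway, London PoP
    "198.51.100.20": CLOUD_SEC_ORG,   # vendor gateway, Frankfurt PoP
    "203.0.113.40": "ExampleHomeISP",
    "192.0.2.77": "ExampleHostingLtd",
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def implied_speed_kmh(prev, cur):
    """Speed the user would have needed between two logins; inf if the same instant."""
    km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
    if hours <= 0:
        return math.inf if km > 0 else 0.0
    return km / hours


def impossible_travel(logins, ip_org=IP_ORG, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare each user's consecutive logins; return one finding per violating pair."""
    findings = []
    ordered = sorted(logins, key=lambda x: (x["user"], x["ts"]))
    for user, group in groupby(ordered, key=lambda x: x["user"]):
        group = list(group)
        for prev, cur in zip(group, group[1:]):
            speed = implied_speed_kmh(prev, cur)
            if speed <= max_kmh:
                continue
            orgs = {ip_org.get(prev["ip"], "unknown"), ip_org.get(cur["ip"], "unknown")}
            # The organisation check from the post: if every source address in the
            # pair belongs to the cloud security vendor, the "journey" is between its
            # gateways, not the user's, so it is noted rather than paged.
            if orgs == {CLOUD_SEC_ORG}:
                severity, reason = "info", "both sources are vendor gateways"
            elif CLOUD_SEC_ORG in orgs:
                severity, reason = "medium", "one source is a vendor gateway; confirm with user"
            else:
                severity, reason = "high", "no gateway involved; genuine impossible travel"
            findings.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                             "orgs": sorted(orgs),
                             "speed_kmh": None if math.isinf(speed) else round(speed),
                             "severity": severity, "reason": reason})
    return findings


def _t(hhmm):
    return datetime(2024, 3, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed logins: alice bounces between two vendor PoPs, bob looks like a
# real account compromise, carol's London -> Paris trip is slow enough for a train.
SAMPLE_LOGINS = [
    {"user": "alice", "ts": _t("10:00"), "ip": "198.51.100.10", "lat": 51.5074, "lon": -0.1278},
    {"user": "alice", "ts": _t("10:05"), "ip": "198.51.100.20", "lat": 50.1109, "lon": 8.6821},
    {"user": "bob", "ts": _t("11:00"), "ip": "203.0.113.40", "lat": 40.7128, "lon": -74.0060},
    {"user": "bob", "ts": _t("11:30"), "ip": "192.0.2.77", "lat": 1.3521, "lon": 103.8198},
    {"user": "carol", "ts": _t("09:00"), "ip": "203.0.113.40", "lat": 51.5074, "lon": -0.1278},
    {"user": "carol", "ts": _t("12:00"), "ip": "203.0.113.40", "lat": 48.8566, "lon": 2.3522},
]

if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_LOGINS):
        print(f)
```

The mixed case (one gateway address and one ordinary ISP address) is deliberately left at medium rather than suppressed: that is the pattern of a user on a personal VPN plus the corporate gateway, but it is also what a stolen session replayed from outside the gateway looks like, so it still needs the confirmation step.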
