
Threat Hunting
Threat Hunting in a nutshell. No Big Red Easy button. Not something that can be automated. Need analysts, trained analysts. Not an automated process, not something ML can do, regardless of what vendor xyz tells you. Has some similarities to law enforcement. Sometimes discoveries come on a hunch... Something just ...
Nmap Basics Part 2
Targets. Nmap can take a variety of different target ranges. CIDR notation is still supported, as in 12.30.2.0/24. You can also specify a custom range, like 12.30.2.1-64. You can mix and match specifications, so 12.30.2.0/24 12.30.3.1-128 would be valid as well. You can also feed a file to nmap with a ...
Nmap Basics Part 1
Nmap 101 Tutorial. Two common types of scans: SYN scan and full connect scan. -sS - SYN scan: sends a SYN packet; if it receives a SYN-ACK, it marks the port as open, then sends a reset and tears down the session. Must be root to run a SYN scan, as it manipulates ...
BPFs
Introduction. What are Berkeley Packet Filters? BPFs are a raw (protocol independent) socket interface to the data link layer that allows filtering of packets in a very granular fashion [1]. BPFs were first introduced in 1990 by Steven McCanne of Lawrence Berkeley Laboratory, according to the FreeBSD man page on bpf [2] ...
Packet Captures in the Age of TLS
Ten to fifteen years ago, a company having FPC (full packet capture) was an indicator of the seriousness of the company's information security efforts. Having trained analysts that could use those packets to analyze alerts from NSM devices was an even better indicator. Today, the network landscape has changed to the ...

Pcaps and the Tools That Love Them Part 3 of ???
From here, with header diagram in hand, you should now be able to look at a packet dump and find the value you need by counting from offset 0 to the correct field. Some of the things you'll want to look for (like IPv6 traffic, or only ICMP traffic, or a ...

Pcaps and the Tools That Love Them Part 2 of ???
There's more to a primitive under the surface, and once we discover what it's actually doing, it opens up a whole new way for us to inspect and filter packets. Let's use the TCP primitive as an example. What is it actually doing? How does it show us only TCP packets? To ...
Pcaps and the Tools That Love Them Part 1 of ???
There are many pcap tools available, and which ones you use really depends on what you're using them for. Some are very good at just giving you the raw data; others parse the data and show you certain types of packets. But maybe we should back up one step and define ...
Being a Defender
1. Be a student of (information security, network security, cyber security). Always strive to know what the latest tactics, trends, and tools are, and implement that knowledge into Operations.
2. Never allow a vendor to define what your greatest risk is. It will undoubtedly be something their product detects well but ...
Intrusion Analysis 101
If you're new to NetSec, you'll quickly find out network security is one of many silos in information security, and network security itself has many different roles. One of these roles is the intrusion analyst. What exactly is an intrusion analyst? Duties can differ according to the size of the team ...