JOIN US FOR EPISODE-010:
To Agent, or not to Agent, that is the question
Join our #Slack Channel! Email us at email@example.com or DM us on Twitter @brakesec
Libsyn Feed - http://www.brakeingdownir.libsyn.com/
SPONSORS OF OUR PODCAST
Mitre ATT&CK: What is it, how to use, and apply it to your organization
When - April 9th - 1 Day
Where - HouSecCon - Houston Texas
Malware Discovery and Basic Analysis - Michael Gough
When - April 10th-11th - 2 Days
Where - BSidesOK - Tulsa Oklahoma
Insurance Company refuses to pay NotPetya Bill, says it was an act of war, company sues for $100m
Update to the story we covered
2-Factor Auth bypassed ???
773 Milllllion passwords circulating the Internet from past breaches
21 Million unique passwords ????? 2.7% unique WhaaaAAAAA
Use a Password manager anyone? Anyone???? Generate unique passwords for every Internet website or this WILL be you !!!
Check your emails at - HaveIBeenPwned.com (Troy Hunt)
Bypass blacklisted words filter (or firewalls) via wildcards
C:\>powershell C:\??*?\*3?\c?lc.?x? calc
C:\>powershell C:\*\*2\n??e*d.* notepad
C:\>powershell C:\*\*2\t?s*r.* taskmgr
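The three commands above work because a keyword blocklist sees the literal string `C:\??*?\*3?\c?lc.?x?`, not `calc.exe`, while the path resolver on the host expands the wildcards at execution time. The detection-side answer is to expand the wildcards yourself before applying any blocklist. The Python below is an added example (not code from the show or from anyone in the Twitter thread): it resolves a wildcard path against a constructed file listing one directory level at a time, then inspects constructed process command lines shaped like the ones above. `KNOWN_PATHS`, `BLOCKLIST`, `resolve_wildcard_path` and `inspect_command_line` are all assumptions made up for this example.

```python
"""Expand Windows wildcard paths in command lines before applying a blocklist (added example)."""
import re
from fnmatch import translate

# Constructed stand-in for a file listing of the monitored host (not a real inventory).
KNOWN_PATHS = [
    r"C:\Windows\System32\calc.exe",
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Windows\System32\taskmgr.exe",
    r"C:\Windows\SysWOW64\notepad.exe",
    r"C:\Windows\explorer.exe",
]

# Constructed blocklist of executable names a naive keyword filter would look for.
BLOCKLIST = {"calc.exe", "notepad.exe", "taskmgr.exe"}

WILDCARD = re.compile(r"[*?]")


def _segment_matches(pattern_seg: str, name: str) -> bool:
    # Case-insensitive match of one path segment against one wildcard segment.
    # Matching per segment keeps '*' and '?' from crossing a backslash, which is
    # how path resolution expands a pattern: one directory level at a time.
    return re.match(translate(pattern_seg), name, re.IGNORECASE) is not None


def resolve_wildcard_path(pattern: str, known_paths=KNOWN_PATHS) -> list:
    """Return every known path that the wildcard pattern would expand to."""
    pat_segs = pattern.split("\\")
    hits = []
    for path in known_paths:
        segs = path.split("\\")
        if len(segs) == len(pat_segs) and all(
            _segment_matches(p, s) for p, s in zip(pat_segs, segs)
        ):
            hits.append(path)
    return hits


def inspect_command_line(cmdline: str, known_paths=KNOWN_PATHS) -> dict:
    """Flag wildcard path tokens, expand them, and re-check the expansion against BLOCKLIST.

    Tokenising on whitespace is a simplification for the example; real Windows
    command lines need proper quote handling.
    """
    findings = {"wildcard_tokens": [], "resolved": [], "blocked_after_resolve": []}
    for tok in cmdline.split():
        if "\\" in tok and WILDCARD.search(tok):
            findings["wildcard_tokens"].append(tok)
            for path in resolve_wildcard_path(tok, known_paths):
                findings["resolved"].append(path)
                if path.rsplit("\\", 1)[-1].lower() in BLOCKLIST:
                    findings["blocked_after_resolve"].append(path)
    return findings


# Constructed command lines in the shape of the three from the notes, plus a benign one.
SAMPLE_COMMAND_LINES = [
    r"powershell C:\??*?\*3?\c?lc.?x? calc",
    r"powershell C:\*\*2\n??e*d.* notepad",
    r"powershell C:\*\*2\t?s*r.* taskmgr",
    r"powershell C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        result = inspect_command_line(line)
        verdict = "BLOCK" if result["blocked_after_resolve"] else "allow"
        print(f"{verdict:5} {line!r} -> {result['resolved']}")
```

The first three lines resolve to calc.exe, notepad.exe and taskmgr.exe under System32 and are blocked only after expansion; the plain explorer.exe line carries no wildcard token and passes. A cheaper rule, if you cannot enumerate the file system, is simply to alert on any `*` or `?` inside a path-shaped token of a process-creation event, since legitimate command lines almost never spell an executable path that way.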
1. Malware Archaeology - Home of the 'Windows Logging Cheat Sheet(s)'
Windows and Windows Advanced Logging Cheat Sheets updated
BDIR - HaveIBeenPwned.com
2. BDIR - LastPass or equivalent
MALWARE OF THE MONTH
First Sednit UEFI Rootkit Unveiled
Drops rpcnetp.exe into \system32 - installs as a service
Injects Dll into svchost and then Internet Explorer
Replaces Autochk.exe - Checks your disks, so DISK ACCESS !!!
Drops Autoche which becomes AutoChk.exe
Found another binary named info_efi.exe on some systems with LoJack
Found RWEverything Kernel driver tool
Found ReWriter_read.exe to dump SPI Flash memory
Found ReWriter_binary.exe... you guessed it, adds the rootkit to the firmware
Modifies Registry %WINDIR%\System32\config\SYSTEM
Changes “autocheck autochk*” to “autocheck autoche*”
Enable Secure Boot
Firmware Security Assessments using CHIPSEC
TZWorks suite of bootdisk tools
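The one persistence change that is cheap to audit on every host is the BootExecute swap: the Session Manager value should read `autocheck autochk*` and the rootkit changes it to `autocheck autoche*`. The Python below is an added example (not code from ESET, the podcast, or any listed tool): it takes a BootExecute multi-string and a System32 directory listing, both constructed here, and reports anything that is not the stock autochk line plus any file whose name matches a dropped component named in the notes. `EXPECTED_BOOT_EXECUTE`, `LOJAX_FILE_NAMES` and the sample data are assumptions for this example; reading the real value from `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager` is left to the collector you already run.

```python
"""Audit BootExecute and a System32 listing for the artefacts listed above (added example)."""
import re

# Stock BootExecute line; the notes write it as 'autocheck autochk*', Windows usually
# stores it with a space before the star, so both spellings are accepted here.
EXPECTED_BOOT_EXECUTE = re.compile(r"^autocheck autochk ?\*$", re.IGNORECASE)

# File names taken from the component list above (lower-cased for comparison).
LOJAX_FILE_NAMES = {
    "rpcnetp.exe",
    "autoche.exe",
    "info_efi.exe",
    "rewriter_read.exe",
    "rewriter_binary.exe",
}


def audit_boot_execute(entries) -> list:
    """Return every BootExecute entry that is not the stock autochk line.

    Anything else (the 'autoche*' swap, or any extra entry) comes back for review;
    a scheduled chkdsk also adds entries, so treat the output as leads, not verdicts.
    """
    return [e for e in entries if not EXPECTED_BOOT_EXECUTE.match(e.strip())]


def find_named_artifacts(file_names) -> list:
    """Return file names from a directory listing that match a dropped component."""
    return sorted(n for n in file_names if n.lower() in LOJAX_FILE_NAMES)


def audit_host(boot_execute, system32_listing) -> list:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for entry in audit_boot_execute(boot_execute):
        findings.append(f"BootExecute entry is not the stock autochk line: {entry!r}")
    for name in find_named_artifacts(system32_listing):
        findings.append(f"System32 contains a file named like a dropped component: {name}")
    return findings


# Constructed sample data: an infected-looking host (values are made up for the example).
SAMPLE_BOOT_EXECUTE = ["autocheck autoche*"]
SAMPLE_SYSTEM32 = ["kernel32.dll", "autochk.exe", "autoche.exe", "rpcnetp.exe", "notepad.exe"]

if __name__ == "__main__":
    for finding in audit_host(SAMPLE_BOOT_EXECUTE, SAMPLE_SYSTEM32):
        print(finding)
```

A clean host returns an empty list from `audit_host`. Because the modified autochk replacement runs before the OS is up, a finding here justifies pulling the SPI flash image with CHIPSEC rather than trusting anything the running system reports about itself.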
TOPIC OF THE DAY
To Agent, or NOT to agent, that is the question
So you were copied on a Twitter conversation by Frank McGovern…
It started out from Florian Roth talking about CrowdStrike’s dividing endpoint solution into 3 categories
But it morphed into something else. Anton Chuvakin replied to your copy and then Richard Bejtlich (BateLick) chimed in about quantity of agents and it went from there and also included Thomas Fischer and Greg Barnes too….
So describe how the conversation started and then went
So it took a turn into how many agents are acceptable or wanted on any individual system
Who decides what agents get used and installed?
Would a pilot and testing help here?
And why I asked about scheduled tasks running occasional checks
So whatever endpoint solution(s) you choose, make them easy and simple, wishfully set and forget
We have to seriously look at an approach to securing our endpoints, maybe an agent for everything is not desirable, what other options do we have?
Your AV/EDR choices should get you 80% there
What do we do about the last 20%?
Focus on Detection and Threat Hunting using the tools, maybe agentless solutions to avoid agent bloat
None this month, look up the Twitter conversation