Profile picture
Jake Williams @MalwareJake
, 11 tweets, 3 min read Read on Twitter
Just had some fun at the office. An esx server had an issue earlier today and crashed. Admin brought everything back up and powered on all the VMs. Everything looked good. I went to use a VM and can't get to it. Can't ping it. Nmap to it and something's there. 1/n
Problem is that it's not the right something. I ask our admin and he checks the VM from the ESX server console. He says "it shows a duplicate IP." This is a problem because it's a static assignment - so what has my IP?! 2/n
Also, I hear someone in the SOC say "oh <expletive deleted>! Guys, we've got a problem!" They saw the nmap scan and alerted on it immediately. It looked super sketch because of how I did it. Bottom line, I'm happy I have our SOC for our customers AND watching us. 3/n
So we identify the rogue asset's MAC address, dump switch MAC tables, and figure out the conflict is on the ESX server itself. Huh?! It turns out we still had a few legacy VMs on the ESX server that the admin powered on in a rush. One of them had the same static assignment. 4/n
Obviously we updated documentation on what VMs to power on after an event (ESX crashes thankfully don't happen every day), changed some IPs, and even got rid of two legacy VMs. 5/n
But there's more to this story. We run asset inventory daily, so the legacy VMs would have been found and reported in the next 24 hours. But is that okay? My legacy VMs are obviously not being patched since they were powered off. Obviously these are vulnerable. 6/n
Given that the SOC saw my nmap scan, I'm confident that they would have seen any exploit attempts as well. Now, guess the number of organizations our size with 24*7 monitoring? Yeah, that number is pretty tiny. This event has me thinking more about security exposures. 7/n
We know that APT actors are trying to compromise security service providers to get to their customers. I got a first-hand chance today to see how easy it is for even a security minded shop to end up with a pretty massive internal exposure. So what's the takeaway? 8/n
1. Change management. Every legacy VM is a ticking time bomb waiting to be powered on. We know this from both our penetration tests and our IR work.
2. Monitoring saves your butt. I wouldn't have seen this 3 years ago (and I'm horrified by that). I'm happy I see it today. 9/n
Let my close by saying log review is NOT a substitute for monitoring. In this case, the only place you would see logs is the legacy server - the one you aren't using. We got lucky because of an IP conflict. But monitoring is my safety net. Do you have a net? 10/10
Actually one more: I'm sure somewhere, someone will judge my org for sharing this ("OMG, they suck"). But every org has challenges. Most of them have lessons. We learned some today and I want to share them with you. I hope this helps convince someone they need 24*7 monitoring.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Jake Williams
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @MalwareJake see all

Profile picture
Twas the night before Christmas and all over the ‘net,
Not a creature was stirring except China hacking Tibet.

The IPS were strung by the egress with care,
In hopes that St WannaCry soon would be stopped there.
1/n
The children were nestled all snug in their beds,
While IoT devices mined the dreams from their heads.

Mama with her EDR and I with my IDS
Were ready to tackle an infosec mess.

Down in the SOC there arose such a clatter,
I logged into my dashboard to see what was the matter 2/
This thing had better work, it cost so much cash.
But gosh darnit, I can’t use it until I update Adobe Flash…

Pondering the alarms I thought “Oh heck no!”
That’s because the threshold for alerting was configured so low.
3/n
Read 14 tweets
Profile picture
I certainly don't agree with everything in this thread, but it is very thought provoking nonetheless. I tell clients regularly that cyber security IS warfare if APT is in your threat model. We often fight nation state hackers with nearly infinite resources by deploying a CEH. 1/n
This obviously doesn't work. When you step back and look at resources that APT groups have, it's obvious they can comrpomise almost any organization. My favorite example is the China/Bit9 example. Picture being an attacker who can't get into a top tier target. 2/n
Now imagine that you think "Bit 9 is standing in our way, so we'll 'just' go comrpomise them." Um, that's a moonshot. Ask yourself:
1. What kind of organization dedicates resources to moonshots?
2. How many moonshots do we not know about?
3. How valuable was that target?
3/n
Read 7 tweets
Profile picture
I'm writing a new blog post but I need some help. We have a problem in the tech industry with consent vs. informed consent. Problems with confusing the two are not unique to infosec. Medicine has been practiced for millennia, but informed consent is at best ~50 years old. 1/n
Legalese terms of service can't be comprehended by a large percentage of a user base. Even if you understand what is being collected, do you understand how it will be used? A patient can't give informed consent without a discussion of risk. 2/n
Doctors don't routinely downplay risk in a procedure. This comes from two sources:
1. Liability
2. In most cases (electives are a counter-example), the doctor has a product (the procedure) the patient needs

These do not hold true in the technology field. 3/n
Read 7 tweets

Related threads

Profile picture
protest events are officially underway in Portland, as about 60-70 people march behind this Democratic Socialists of America banner on their way to counterprotest a Patriot Prayer/Proud Boys-related “him too” protest in downtown Portland. follow along at this thread for updates
Schrunk Plaza, federal property where the him too rally will be held, is now a restricted access area. part of Chapman Square, where many of the counterprotesters will congregate, is closed for the protest. im told by police nearby that despite the crime scene tape theres no crme
Portland Police Bureau cops are now patrolling around the counterprotest
Read 48 tweets
Profile picture
1. Churnalism in action:
en.wikipedia.org/wiki/Churnalism

- Former white supremacist claims in reddit AMA that neo-Nazis use Fortnight to recruit.

reddit.com/r/IAmA/comment…
2.
 - 6/28/18: reddit AMA mentioned on a video game forum.

resetera.com/threads/former…
3.
- 6/29/18: Niche comics website runs story about claims. Does not fact check or ask Epic Games for comment but tells readers "It's something that we all need to be aware of, especially those of us who have children of our own who play games online."

comicbook.com/gaming/2018/06…
Read 112 tweets
Profile picture
A quick story about the hardest bug I ever debugged. My first job in high school was working at a Houston-based ISP called NeoSoft. I was writing a multi-platform web server in Tcl/Tk (w/ OTcl) called NeoWebScript 1/
I noticed that the server was crashing, and the stack trace was really unhelpful (an exception but no actual error or error message). After debugging for several hours, I showed it to my coworkers and it magically started working! Hurray! But wait... 2/
After a few productive hours of working on the server, I went home. The next morning, the same thing happened all over again--a hard crash, a vague exception, and no stack trace. After debugging for a couple hours, it just started working again. ARGH. 3/
Read 9 tweets
Profile picture
Rosenstein is a central figure in the unredacted OIG rpt for FISA abuses among other things which is why he's been stalling. Ryan said “there’s going to be action on the floor of the House this week if FBI and DOJ do not comply with our subpoena request.” foxnews.com/politics/2018/…
2. "Mr Rosenstein / Mr Wray have 2 decide ~ r they going 2 be "part of the clean-up crew" or "part of the cover-up crew?"
3. I'm more & more convinced Eric Schmidt is cooperating & has turned over proof of Gmail draft comms btwn the 13 mbrs of Hussein's Admin incl Hussein. They know @POTUS has everything. The unredacted report will reveal all. POTUS has EO to compel release ready to go if needed.
Read 15 tweets
Profile picture
1/The abuse allegations against Chris Hardwick are a major breakthrough for discussions on domestic abuse & what behaviors it entails. I spent all of high school in a physically violent & emotionally abusive relationship that I have only just begun to look at as an adult,
2/thanks to the #MeToo movement. When I first got into the relationship, I was only 14 years old. He was my first love (and only male partner I've ever had). The abuse started slow, with controlling behavior. First it was "Don't talk to that guy, he's a loser" then it became
3/"Don't talk to that female friend of yours. She's a loser. I don't want people thinking I'm with a loser." Soon I had alienated all of my friends. My mom and a few other adults expressed concern over my dwindling friendships, but I played it off like we'd just grown apart. Then
Read 38 tweets
Profile picture
Alright, I've blistered through the entire Fusion GPS transcript. All 300+ pages of it.

No matter how this thread turns out, just remember: it was better than reading that maddening tome from end to end.

Grab a beverage... and off we go.

1/
First, a disclaimer: I'm going full stream o' consciousness here so be gentle in your critiques.

Light pinching is okay. Open-handed smacking is frowned upon...

...and, oh, there will be typos.

2/
So, as quick setup, "The Transcript" is the full stenography of an epic 10-hour long testimony given by Glenn Simpson, founder of Fusion GPS, to select members of the Senate committee "investigating" Trump-Russia.

3/
Read 57 tweets

Trending hashtags

#dontwanttoforgetaboutthemuffins #cnpoli #60sScoop #NewYearsResolutions #heirloomapplereview #bcpoil #ImmigrationWhitePaper #metoo #mariellepresente #tanacon #HeartTalk #BDS #cdnpli #QueueJumpers #Advent #canada #NC09 #PersonalInterest #NewYearsResolution #RescueOurRights #HostileEnvironment #Audacious #IndigenousRights #foodsecurity #SiteC

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!