Share this page!

Paul Melson Profile picture
Twitter logo
23 Aug, 5 tweets, 1 min read
THREAD:
If you work in cyber, you should understand the basic mechanics of risk. I don’t mean RISK = IMPACT * LIKELIHOOD. I mean, what can you do about a risk once you know about it? There are 4 basic strategies:
1. Avoid - Don’t do the thing that introduces the risk in the first place. In cyber, this requires being part of purchasing and/or design decisions *with* *decision* *authority*. This is the rarest, but also the most effective risk management strategy.
2. Transfer - Make it someone else’s problem. This is cyber insurance and outsourcing. Thing is, it only works for monetary or legal liabilities. It doesn’t do diddly for reputation or disruption. It’s naive to think you can buy your way out of risk in cyber.
3. Accept - Decide to live with the risk. This should only be used when other options are completely exhausted. In reality, this happens more often when risks are poorly quantified and/or not effectively communicated, or when security orgs are politically weak.
4. Reduce (aka mitigate, compensate) - Do something to reduce impact or likelihood that doesn’t eliminate the risk entirely. This is where you earn your pay in cyber. There’s almost always something you can do about any risk provided you know enough about it.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Paul Melson

Paul Melson Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @pmelson

Paul Melson Profile picture
24 Aug
THREAD
Prompted by a thread earlier today, I've compiled a few presentations that Target's cybersecurity team members have given over the years that I think are particularly interesting or novel, mostly aligned to the themes of maturity and innovation.
Target alumni @jshlbrd presenting on file analysis with Strelka* at @BSidesSF 2019:
Target team members @malz_intel and Paul Hutelmeyer talking about detection with Strelka* and introducing some new scanning modules at FIRSTCon 2021:
Read 9 tweets
Paul Melson Profile picture
30 Mar
THREAD
Let's analyze a malicious VBA macro payload. On visual inspection, we can easily see that the macro performs string concatenation and then uses Shell() to execute a PowerShell script. It declares AutoOpen() & Workbook_Open() in order to execute when the document is opened.
Once we decode the base64 script from the macro, we can see that it further obfuscates its intention with more base64 encoding and gzip compression.
When we decode & decompress the long string, we get the final PowerShell payload. This script creates a byte array containing shellcode from another base64 encoded string, which it will then reflectively load into kernel32.dll running in memory.
Read 6 tweets
Paul Melson Profile picture
16 Jan
THREAD
Let's talk about detection philosophy a little bit. There are 2 main competing approaches; 1) Define Normal, Detect Abnormal, and 2) Find Evil. 1/7
First, let's acknowledge this is a false choice. You can do both. The key is to know which approach is superior in which context. In general, I prefer Find Evil. Let me tell you why. 2/7
To make Find Evil work, you need to think of attackers as groups with motivations and goals, then frame that in the context of a process, lifecycle, or even a cyber kill chain. Seriously, this is key. 3/7
Read 7 tweets
Paul Melson Profile picture
21 May 20
THREAD for beginning malware/SOC analysts
When analyzing interpreted languages like PowerShell, JavaScript, VBA/VBS, there are some handy shortcuts to dealing with obfuscated code. (NOTE: Always do this kind of analysis in a sandbox VM off of your corporate network.)
Let's use this PowerShell script as an example (raw code on the right). The code is triggered with an obfuscated 'IEX' command that is reconstructed from a predictable PowerShell environment variable, $PSHome.
To de-obfuscate the rest of of the script, replace 'IEX' with 'Write-Host'. This general approach, replacing an execution command with a print/write command, works in basically all interpreted languages. In this case, the output is more obfuscated PowerShell.
Read 7 tweets
Paul Melson Profile picture
21 Aug 18
THREAD
A quick walk-through of analyzing a PowerShell backdoor using Python.
Here's the backdoor if you want to play along at home: pastebin.com/JbYwq9WJ
1. Looking at the raw payload, we can see powershell.exe is invoked and a base64-encoded script is passed for execution.
2. Open Python, import the base64 module, create a string of the original encoded script, and another string (step1) of the decoded script.
Read 8 tweets
Paul Melson Profile picture
23 Jul 17
This thread got me thinking about DefCon, hacker culture, and insecurity. 1/
My first con of any kind was DC6 in 1998. At the time, I worked for a school, fixing Macs and LaserJets, resetting passwords, etc 2/
I knew some folks from IRC, but approaching them IRL seemed hard. I was really intimidated. So I hung with the local BBSers I came with. 3/
Read 22 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @pmelson has new unrolls!

Check out other threads from @pmelson!

Read all threads by @pmelson

:(