This means you (yes *you*) can generate TOMLs that will be reviewed by the W2L crew. As long as you follow the template guides, your content will be included in the releases.
This is _huge_ and should allow W2L to scale almost vertically in terms of community involvement.
I'm super hopeful that we get a TON of contributions. We've put so much care and attention into the input we've had already.
Here's some notable things:
Privacy:
We had some EU-based folks freak out that we didn't put cookie notices on W2L. The issue is... we don't have cookies. Not a one.
It's none of our business what logs you're making.
So use this site knowing we're not tracking you.
Transparency:
Some folks wondered how we prioritize stuff. Now that the W2L repo is up and open, feel free to enter issues yourself!
Getting started:
With a *very* careful eye to making community involvement easier, we fought (and fought some more) on how to accept input. We settled on TOML formatting because it is very rich and allows features that JSON and YAML don't.
Getting started:
The main thing we have though is templates. LOTS of templates. If you want to run your own local instance of W2L to test how our nuxt based scripts will parse them, do so with either your own local dev or "production" release.
Getting started:
Do the templates not do it? (they should! we spent tons of time on them!) github.com/InfoSecInnovat…
But if that's not enough, just copy any existing log to suit your needs and kick it up to us via a pull request. github.com/InfoSecInnovat…
But wait there's more!!
If that sounds like too much work, just submit an issue and ask for what logs you want. We will take on requests this way. (Please understand there may be a little lag as we get to your request though)
In closing, we're sorry it took so long. We had to completely rebuild the entire W2L platform from scratch. There's nothing that remains from the original launch. We hope you're as excited as we are. We think the wait was worth it.
It's going to be a party. Join us!
I've had 3 calls so far today (it's not even 10) about defending against Russian cyber ops
I'm tired of having the same call... so... here's what I've told everyone. This is the playbook you need... but it's not going to be what you think it will be.
Ready? Let's go!
Watch your egress. Firewalls work both ways. Carefully monitor outbound traffic. DMZ servers RESPOND to external requests. Look for DMZ systems initiating outbound. This is what "phoning home" (aka C2) looks like.
Note: you will have a handful of DMZ servers initiating outbound. File xfer systems, any mail server (you likely shouldn't be running your own). Some web services may also initiate outbound.
But it's rare.
Most orgs? Your exception list will fit on a single sheet of paper.
Have a DLP solution? Want to **REALLY** make it actually... useful?
Scan the endpoints for sensitive info. You'll get a report with the data on that host.
Work with risk and legal to assign any arbitrary point value to this sensitive info.
Example:
PCI data is 5 points per record
PII is 3 points per record
PHI is 10 points per record
Note: your points will be based on your org's concern over exposure of each record type. Don't let anyone else tell you what points you should use. You're measuring your risk.
Now calculate the total risk points per endpoint. Get ready for some shocks!
There are some tools that do this already, but now you have a fancier DLP risk report tool.
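Here is the scoring step above written out as a small script. This is an added example, not code from the thread or from any DLP product; it uses the thread's example point values, and the CSV export format and the host names in it are constructed for the example. A real scanner exports findings in its own format, so the only part worth keeping is the per-endpoint weighted sum and the ranking.

```python
"""Weighted DLP risk points per endpoint (added example, constructed data)."""
import csv
import io

# Points per record type. The thread's example values; your risk and legal
# teams set these for your org, nobody else.
POINTS = {"PCI": 5, "PII": 3, "PHI": 10}

# Constructed DLP scan export: one row per (host, record type) finding.
SCAN_CSV = """\
host,record_type,count
hr-laptop-07,PII,1200
hr-laptop-07,PHI,15
pos-terminal-3,PCI,400
dev-vm-12,PII,9
dev-vm-12,PCI,2000
dev-vm-12,SSN,5
"""


def score_endpoints(csv_text, points=POINTS):
    """Return (ranking, breakdown, unknown_types).

    ranking:   list of (host, total_points), highest risk first
    breakdown: {host: {record_type: points}} so the report can say *why*
    unknown_types: record types the scanner reported that have no point
                   value yet; they are not silently scored as zero.
    """
    breakdown = {}
    unknown_types = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        rtype = row["record_type"].strip().upper()
        if rtype not in points:
            unknown_types.add(rtype)
            continue
        host_scores = breakdown.setdefault(row["host"], {})
        host_scores[rtype] = host_scores.get(rtype, 0) + int(row["count"]) * points[rtype]
    ranking = sorted(
        ((host, sum(scores.values())) for host, scores in breakdown.items()),
        key=lambda item: item[1],
        reverse=True,
    )
    return ranking, breakdown, unknown_types


def report(csv_text, points=POINTS):
    """Plain-text version of the ranking for pasting into a ticket."""
    ranking, breakdown, unknown = score_endpoints(csv_text, points)
    lines = [f"{host:<16} {total:>8} pts  {breakdown[host]}" for host, total in ranking]
    if unknown:
        lines.append(f"unscored record types (assign points!): {sorted(unknown)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SCAN_CSV))
```

The unscored-types set matters: a scanner that reports a category you forgot to weight would otherwise vanish from the report, which is the opposite of the shock the thread promises.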
You have network monitoring capabilities. Great! But what are you looking for?
All too often folks start focusing on individual attacks. And yes, it's important that you can catch the latest RAT from Grid Iguana (from Hacksylvania)
Don't lose sight of the big picture.
Monitor for DMZ outbound traffic.
Almost all DMZ systems are responding to some request from a remote user. Your DMZ systems are the destination, not the source. An early indicator an attack worked is a DMZ system phoning home to the C2 network. Your machine is a source here.
Like all things, this isn't 100%. There will be a few DMZ systems that do originate outbound traffic... but it should be rare enough that you can detect on this alone and have a short exception list for known outbound originators.
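The DMZ egress check described here and earlier in the thread ("watch your egress", "monitor for DMZ outbound traffic"), as an added example that is not part of the original thread. It assumes a simplified firewall session log (constructed below): one line per session, with the initiating side as the source, which is how most stateful firewalls and flow collectors record a connection. The DMZ and internal ranges, the exception list and the host addresses are all constructed; swap in your own parser and ranges and keep the logic.

```python
"""Flag DMZ hosts that initiate connections to the outside (added example)."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed session-log format: "<ts> <ALLOW|DENY> <src>:<sport> -> <dst>:<dport> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

DMZ_NET = ipaddress.ip_network("192.0.2.0/24")                 # constructed DMZ range
INTERNAL_NETS = [DMZ_NET, ipaddress.ip_network("10.0.0.0/8")]  # constructed internal ranges
# The "single sheet of paper": known outbound originators as (host, destination port).
EXCEPTIONS = {("192.0.2.20", 25)}                                # the mail relay

# Constructed sample sessions. Line by line: inbound to the web server (normal);
# the mail relay sending mail (on the exception list); the web server calling out
# to 8443 twice and being denied once on 443 (this is what phoning home looks like);
# a DMZ host talking to an internal DB (not egress, a different check).
SAMPLE_LOG = """\
2022-03-01T09:00:01Z ALLOW 203.0.113.77:51234 -> 192.0.2.10:443 tcp
2022-03-01T09:00:05Z ALLOW 192.0.2.20:40001 -> 198.51.100.9:25 tcp
2022-03-01T09:01:10Z ALLOW 192.0.2.10:49152 -> 198.51.100.200:8443 tcp
2022-03-01T09:01:11Z ALLOW 192.0.2.10:49153 -> 198.51.100.200:8443 tcp
2022-03-01T09:02:00Z DENY 192.0.2.10:49154 -> 198.51.100.200:443 tcp
2022-03-01T09:03:00Z ALLOW 192.0.2.30:40000 -> 10.0.0.5:1433 tcp
"""


def parse_line(line):
    """Parse one session record; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def dmz_initiated_outbound(log_text, exceptions=EXCEPTIONS):
    """Return {dmz_host: {(dst, dport, action): count}} for sessions a DMZ host
    started towards an external address and that are not on the exception list.
    Denied attempts are kept: a blocked beacon is still a host trying to phone home."""
    findings = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if ipaddress.ip_address(rec["src"]) not in DMZ_NET:
            continue                      # initiator is not a DMZ host
        if is_internal(rec["dst"]):
            continue                      # not egress
        if (rec["src"], rec["dport"]) in exceptions:
            continue                      # known outbound originator
        findings[rec["src"]][(rec["dst"], rec["dport"], rec["action"])] += 1
    return {host: dict(counts) for host, counts in findings.items()}


if __name__ == "__main__":
    for host, sessions in dmz_initiated_outbound(SAMPLE_LOG).items():
        for (dst, dport, action), n in sessions.items():
            print(f"{host} -> {dst}:{dport} {action} x{n}")
```

Keyed on (host, destination port) rather than on destination address, the exception list stays short even when the mail relay's peers change daily; what you do not want is an exception broad enough to hide a web server suddenly talking to a new address on 8443.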
I've got several DMs where folks are telling me it's hard to get logs. Yes. I agree. It's also table stakes. If you cannot get logs, hire someone who can... or get a contractor to help. Saying "it's hard" is true... but you 100% need those logs.
It's uncharacteristically harsh of me to say this... I don't care if it's hard for you to get those logs. GET THEM. If you cannot get them you have no shot of stopping attackers.
Prevent is great, but it's not nearly enough. You must be able to detect. Logs are how you do this.
If your org isn't allowing you to get the logs for $reasons, maybe you need to leave. This is a no excuses thing. I cannot overstate this. I cannot believe I'm having folks argue this. I take comfort that they're embarrassed enough to only do this in DMs. They know it's bad.
It's awesome that you're logging. That's the first step. Now here's the cool stuff to look for that the vendor didn't tell you about.
Pay careful attention to logs that stop coming in. If it's worth logging, it's worth monitoring when the logs stop flowing. (how long a gap you'll accept is up to you, but I rarely allow for over an hour)
Watch out for log sources where the time changes too much. (except for daylight savings changes)
Time drift is one of the most critical things to account for in log analysis. That's a given... but...
Pen testers, we need to talk. Please listen up, take notes... and above all, ask questions.
A non-trivial part of my service portfolio is now reviewing the reports of other firms and either adjusting or providing missing context.
Read on for the common issues...
Most important: you need to give clients multiple options on how to fix something. MULTIPLE. At least 3. Telling them "fix the code" when it's from a vendor that's closed doesn't help at all.
Show your work. There are a few firms that hide what they're doing. Some to the point where they just show a "ta da!" screenshot and don't explain how they did it... and frankly, that's weaksauce.