Sigh.

I try to be nice... but when I see people giving flat out wrong advice... it's trying.

Complaint du jour:
q: we're struggling with patching
"expert": yes, it's hard. Just do it more... harder and faster for a bit. You'll get caught up, then it's easier.

1
That's NOT how that works! It sounds reasonable.. and the person asking won't know they got a HORRIBLE answer.

If someone is in a hole, telling them to do X, but only more, is NOT going to get them out of that hole.

They have to change strategy AND tactics.

2
If you've fallen behind patches, just stop for a week. YES, you read that right. STOP applying patches and just think. What about your patching is broken? Does it take too long to test? Push? Verify? Reporting? What?

3
You don't have a patching problem. You have a patching symptom. Find out what your slow patching symptom shows. Fix that.

If you cannot find root cause, get outside help.

I'm assuming you didn't deliberately say "let's suck at patching" so you likely need the external help.

4
The -=MOUNTAINS=- of bad advice given to folks lately is making me *very* concerned about not just our industry... but specifically the orgs that some of these "helpful experts" work at. Maybe you're low key trolling... but likely this is the "help" you give at your job.

5
IT and security is HARD. Anyone who claims otherwise is selling you something. If anyone tells you "oh it's as easy as..." just stop listening to them. It might be easy for them, but at a minimum, they've got not enough empathy to coach you properly.

6
I'm 100% impacted by this problem too. I reached out to three working groups for a question about a Windows forensics issue about 24hrs ago. Thing is, one of those groups gave me "it's easy.."

The other two gave DANK and pointed advice.

Find those who *really* help you.
fin.


More from @bettersafetynet

Mar 5
Got off the strangest call just now.

Company called me for advice for dealing with "the cyber war"

A few min into the call I realized there were differing opinions of some of the people on the call.

I'm sharing an anonymized version. There's LOTS to unpack.

1
q: is anything different? Are attacks going up?
a: outside of Eastern Europe, it's shockingly calm (at least to me). Things have ramped up a bit, but mostly in the form of scams (donate now type stuff)

so far, it's been quieter than I'd expect

2
That said, it's always a good idea to be evaluating your defensive posture. I think it's safe to say that the status quo is fragile, and things can get bad fast. If you have reasonable/credible reason to believe you are the target of a nation state, please re-up your d now.

3
Mar 3
Got an interesting DM on what I think Purple Teaming is.

Purple teaming is when you have the red (attackers) sitting (or online) with the blue (defenders)

It's slower than a pen test (red has to constantly check in on blue)

But it has LOTS of advantages.

1
In a few other tweets today I said pen testing is specialized QA. It's all about "do the controls work as we expect them to?"

Unlike waiting for a formal report, in a purple engagement blue is shown some stuff live and in real time.

2
Blue learns:
- does the control work?
- how do attackers bypass the control?
- what steps are needed to do the bypass (this is huge btw. Lots are shocked how easy it is to trick tools)
- how attackers view networks/systems
- goals of the attacker

3
Feb 23
I've had 3 calls so far today (it's not even 10) about defending against Russian cyber ops

I'm tired of having the same call... so... here's what I've told everyone. This is the playbook you need... but it's not going to be what you think it will be.

Ready? Let's go!
1
Watch your egress. Firewalls work both ways. Carefully monitor outbound traffic. DMZ servers RESPOND to external requests. Look for DMZ systems initiating outbound. This is what "phoning home" (aka C2) looks like.

2
Note: you will have a handful of DMZ servers initiating outbound. File xfer systems, any mail server (you likely shouldn't be running your own). Some web services may also initiate outbound.

But it's rare.

Most orgs? Your exception list will fit on a single sheet of paper.

3
Feb 21
There was a LOT of interest when What2Log.com launched. Far more than we would have dared to dream!

EVERYONE wanted to directly contribute... but we weren't set up for that... until now.

We have converted the entire W2L platform over to TOML and opened up the repo!
1
This means you (yes *you*) can generate TOMLs that will be reviewed by the W2L crew. As long as you follow the template guides, your content will be included in the releases.

This is _huge_ and should allow W2L to scale almost vertically in terms of community involvement.
2
I'm super hopeful that we get a TON of contributions. We've done so much care and attention to the input we've had already.

Here's some notable things:
3
Jan 24
Have a DLP solution? Want to **REALLY** make it actually... useful?

Scan the endpoints for sensitive info. You'll get a report with the data on that host.

Work with risk and legal to assign any arbitrary point value to this sensitive info.

1
Example:
PCI data is 5 points per record
PII is 3 points per record
PHI is 10 points per record

Note: your points will be based on your org's concern over exposure of each record type. Don't let anyone else tell you what points you should use. You're measuring your risk.

2
Now calculate the total risk points per endpoint. Get ready for some shocks!

There are some tools that do this already, but now you have a fancier DLP risk report tool.

Here's what almost nobody does though... :-)

3
Jan 17
You have network monitoring capabilities. Great! But what are you looking for?

All too often folks start focusing on individual attacks. And yes, it's important that you can catch the latest RAT from Grid Iguana (from Hacksylvania)

Don't lose sight of the big picture.
1
Monitor for DMZ outbound traffic.
Almost all DMZ systems are responding to some request from a remote user. Your DMZ systems are the destination, not the source. An early indicator an attack worked is a DMZ system phoning home to the C2 network. Your machine is a source here.
2
Like all things, this isn't 100%. There will be a few DMZ systems that do originate outbound traffic... but it should be rare enough that you can detect on this alone and have a short exception list for known outbound originators.
3
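The egress rule from the Feb 23 and Jan 17 threads above (DMZ hosts are destinations; a DMZ host originating a connection to the internet is the signal, minus a short exception list) written out as detection logic over flow records. This is an added example, not code from Mick Douglas or What2Log; the DMZ and internal subnets, the flow-record format, the allowlist entries and the sample flows are all constructed assumptions.

```python
"""Flag DMZ hosts that originate connections to the internet, minus a short allowlist."""
import ipaddress
from collections import defaultdict

# Constructed network layout (assumption): the DMZ lives in 192.0.2.0/24 and the
# internal LAN in 10.0.0.0/8; any other address counts as "the internet".
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# The "single sheet of paper" exception list (constructed): which DMZ host may
# originate outbound to where. A "*" destination means any external host on that port.
ALLOWLIST = {
    "192.0.2.25": {("*", 25)},              # mail relay sending outbound SMTP
    "192.0.2.30": {("203.0.113.200", 22)},  # file transfer box pushing to a partner
}

# Constructed flow records, one connection per line, originator first:
# timestamp  orig_ip  orig_port  resp_ip  resp_port  proto
SAMPLE_FLOWS = """\
2024-03-01T10:00:01Z 198.51.100.7 51234 192.0.2.10 443 tcp
2024-03-01T10:01:12Z 192.0.2.25 41000 198.51.100.9 25 tcp
2024-03-01T10:02:30Z 192.0.2.10 49152 203.0.113.66 443 tcp
2024-03-01T10:03:00Z 192.0.2.30 50000 203.0.113.200 22 tcp
2024-03-01T10:04:15Z 192.0.2.10 49153 203.0.113.66 8443 tcp
2024-03-01T10:05:00Z 192.0.2.10 33000 10.0.5.5 1433 tcp
2024-03-01T10:06:00Z 10.0.1.50 55000 192.0.2.10 443 tcp
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig, oport, resp, rport, proto = line.split()
        flows.append({"ts": ts, "orig": orig, "oport": int(oport),
                      "resp": resp, "rport": int(rport), "proto": proto})
    return flows


def is_external(ip):
    """True when the address is neither in the DMZ nor in an internal range."""
    addr = ipaddress.ip_address(ip)
    if addr in DMZ_NET:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def is_allowed(flow):
    """True when the originator has an allowlist entry matching this destination/port."""
    for dst, port in ALLOWLIST.get(flow["orig"], ()):
        if port == flow["rport"] and dst in ("*", flow["resp"]):
            return True
    return False


def find_dmz_egress(flows):
    """Return flows where a DMZ host is the originator and the responder is external,
    excluding allowlisted pairs. External clients hitting the DMZ, and DMZ hosts
    talking to internal backends, are not matched by this rule."""
    return [f for f in flows
            if ipaddress.ip_address(f["orig"]) in DMZ_NET
            and is_external(f["resp"])
            and not is_allowed(f)]


def summarize(flagged):
    """Group hits by DMZ source so one beaconing host shows up as one line."""
    by_host = defaultdict(list)
    for f in flagged:
        by_host[f["orig"]].append(f"{f['resp']}:{f['rport']}")
    return dict(by_host)


if __name__ == "__main__":
    hits = find_dmz_egress(parse_flows(SAMPLE_FLOWS))
    for host, dsts in summarize(hits).items():
        print(f"DMZ host {host} initiated outbound to: {', '.join(dsts)}")
```

Run against the sample flows, only the web server 192.0.2.10 is reported (two connections to 203.0.113.66); the mail relay and file transfer box are covered by the exception list, and the DMZ-to-internal database connection is out of scope for this rule. In practice the flow source would be a firewall, NetFlow or Zeek conn log rather than the inline string, and the allowlist should stay short enough to review by hand, exactly as the thread says.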
