Raksha Manay’s Post

Agreed. Every discipline should bake cyber security principles into everything that they do to start with. And be “on-call” for remediation should the need arise.

🚀 Day 25 of the 30-Day SOC Analyst Challenge with MyDFiR! 🚀 Today, we took a big step forward by integrating osTicket with Elastic Stack to streamline alert tracking and incident management in our SOC environment. This integration allows us to automatically create tickets for any alerts generated by Elastic, enhancing our incident response capabilities. Let’s break down the process! Step 1: Set Up the osTicket API -Logged into osTicket and navigated to the Admin Panel. -Created a new API key, allowing Elastic Stack to generate tickets automatically. Used the ELK server’s private IP within the same VPC to ensure secure communication. -Stored the API key for later use during integration with Elastic. Step 2: Configure Elastic Stack -In Elastic Stack, enabled the 30-day free trial to unlock API and third-party integrations. -Created a Webhook Connector in Elastic Stack to communicate with osTicket. The webhook URL included the osTicket server’s public IP and API endpoint. -Configured an HTTP header to authenticate the connection using the API key generated in osTicket. Step 3: Define Payload and Test the Connection -Configured a custom payload in Elastic Stack to define the details sent to osTicket, including alert subject, message, and contact information. -Successfully tested the connection by sending a test alert, confirming that osTicket received and processed the alert correctly. Step 4: Troubleshoot Connectivity Issues -Verified network connectivity between the Elastic and osTicket servers by using tools like PowerShell and SSH to confirm IP settings. -Resolved any connectivity issues by assigning static private IP addresses and checking network adapter configurations in the VPC. Step 5: Final Test and Ticket Generation -After ensuring network connectivity, ran a final test in Elastic Stack. -Checked the osTicket Agent Panel to confirm that a ticket was automatically created based on the alert from Elastic Stack. Success! By integrating osTicket into Elastic Stack, we’ve automated the creation of support tickets for security alerts, improving our ability to manage incidents and ensuring accountability across our SOC. Recap of the 30-Day Challenge So Far: -Day 1–10: Set up Elastic Stack, Kibana, and agents on Windows and Linux servers. -Day 11–20: Created alerts and dashboards for detecting brute force and command-and-control activities. -Day 21–25: Integrated osTicket for automated alert tracking and ticket generation. In the upcoming days, we’ll dive into investigating specific security alerts, starting with SSH brute force detection. Stay tuned for more hands-on experience as we continue to build out our SOC skills! #SOCAnalyst #Cybersecurity #osTicket #ElasticStack #IncidentResponse #Automation #30DayChallenge #MyDFIR #SecurityOperations #AlertTracking #LogManagement MyDFIR.com

Personally, I believe the red teamers should prioritize tactics focusing on initial access and techniques focusing on living off the land. This is because before any attacker could launch an attack against an organization, after gathering all information, they still need to infiltrate into the company's infrastructure before proceeding to cause more harm. I believe focusing on the initial access tactics would help mitigating against that and would help the blue teamers to know where the gaps are and act accordingly. Also, I believe so many enterprise organizations are investing heavily on people, process and technology to fortify their environment. With this, if an attacker finds his or her way into the organization's environment, installing external tools or communicating with his or her own C2 servers may be somewhat difficult because of the technology and people that are present. Instead of this, the attacker may want to result to legitimate services, processes and technologies to evade detection and also have a safe way in carrying out other malicious activities. Because of this, I believe red teamers should prioritize the living off the land technique as part of their adversary emulations.

Are you trying to staff a defense contract but not got enough cleared talent?    We have successfully helped a number of end clients and intermediaries find tech engineers across in the US & Europe for several years now. In 2024, this is really starting to pick up! The key engineers you should consider for your project if you don’t have them are:   ✔ Embedded software engineers   ✔ System engineers   ✔ Cloud/DevOps engineers ✔  Cyber/Security engineers    ✔  AI/ML engineers   Will you need all of these as consultants? Likely not, as you will have some skills in house, and can move your FT engineers around depending on the projects you have available. However, all our customers would normally hire at least 2 out of these 4 to ensure their project(s) are successful as the last thing you want is to have to do hire in a frenzy or realize its too late.   The most important thing is that you have someone on your team that has worked on a similar project(s) before. If you don’t, you'll lose out on the 'hit-the-ground-running' mentality of a contractor and it might take some time before they can truly add value.   If you would like to discuss any of the above further, please don’t hesitate to reach out! loui.cowles@vividresourcing.com #clearedjobs #clearedengineers #softwareengineers

This is a great post for modern security leaders on why it’s important to have engineers in your security team (or a security engineering team): https://lnkd.in/gXW6qUgr My security team writes code to do: * firewall management * firewall ruleset review * infrastructure as code * infrastructure as code policy review * IAM policies * IAM policies mappings to SSO groups * IAM annual/realtime review * Privileged ID - just in time access * DevSecOps - tools * DevSecOps - gates to check the tools * K8n admission controllers * auth * I could go on and on… Everyone in my security engineering team codes… if you are a modern security leader and your team isn’t an engineering team, tick tock. #cloudsecurity

When you check all the boxes... well, almost. So, I recently had an interview that I thought I "nailed". 10 years as a Senior Network Security Engineer, Cisco Data Centre expertise – check. Handling complex security challenges – check. But when it came down to automation, they felt I wasn't quite there yet. Now, don't get me wrong – automation isn't foreign to me. I've implemented it from a "network security" perspective. But apparently, that wasn't enough. They were looking for a master coder, and well, that’s not me (yet). Is this the new hiring norm? No matter how much experience or adaptability you bring to the table, you're still measured on one checkbox? But hey, let’s give credit where it’s due. If there’s one thing I’ve learned from 10 years in this industry, it’s that nothing is beyond learning – and I’m up for the challenge. To all hiring managers out there – give people the chance to grow with you. Experience is important, but so is the willingness to learn and adapt. After all, isn't that what innovation is all about? #NetworkSecurity #InterviewStories #LearningNeverStops #Adaptability

𝐑𝐞𝐜𝐞𝐧𝐭 𝐂𝐫𝐨𝐰𝐝𝐒𝐭𝐫𝐢𝐤𝐞 𝐨𝐮𝐭𝐚𝐠𝐞 𝐚 𝐰𝐚𝐤𝐞-𝐮𝐩 𝐜𝐚𝐥𝐥 𝐟𝐨𝐫 𝐛𝐮𝐬𝐢𝐧𝐞𝐬𝐬𝐞𝐬! 🚨 A 𝐬𝐨𝐟𝐭𝐰𝐚𝐫𝐞 𝐠𝐥𝐢𝐭𝐜𝐡 brought down a major cybersecurity platform, highlighting the critical need for robust testing and incident response plans. The outage was caused by a defect in a Falcon content update for Windows hosts. This update, intended to enhance threat detection, introduced a logic error that triggered system crashes. The issue was isolated to Windows systems and did not affect Mac or Linux. This incident serves as a stark reminder of the importance of having a comprehensive incident response plan in place. 𝐁𝐲 𝐟𝐨𝐥𝐥𝐨𝐰𝐢𝐧𝐠 𝐭𝐡𝐞𝐬𝐞 𝐬𝐭𝐞𝐩𝐬, 𝐲𝐨𝐮𝐫 𝐨𝐫𝐠𝐚𝐧𝐢𝐳𝐚𝐭𝐢𝐨𝐧 𝐜𝐚𝐧 𝐛𝐞𝐭𝐭𝐞𝐫 𝐩𝐫𝐞𝐩𝐚𝐫𝐞 𝐟𝐨𝐫 𝐚𝐧𝐝 𝐫𝐞𝐬𝐩𝐨𝐧𝐝 𝐭𝐨 𝐬𝐢𝐦𝐢𝐥𝐚𝐫 𝐨𝐮𝐭𝐚𝐠𝐞𝐬: •𝐒𝐭𝐫𝐞𝐧𝐠𝐭𝐡𝐞𝐧 𝐲𝐨𝐮𝐫 𝐭𝐞𝐬𝐭𝐢𝐧𝐠 𝐩𝐫𝐨𝐭𝐨𝐜𝐨𝐥𝐬: Rigorous testing of software updates, including beta testing and simulated real-world scenarios, can help identify potential issues before deployment. •𝐃𝐞𝐯𝐞𝐥𝐨𝐩 𝐜𝐨𝐦𝐩𝐫𝐞𝐡𝐞𝐧𝐬𝐢𝐯𝐞 𝐢𝐧𝐜𝐢𝐝𝐞𝐧𝐭 𝐫𝐞𝐬𝐩𝐨𝐧𝐬𝐞 𝐩𝐥𝐚𝐧𝐬: Establish clear communication channels to inform stakeholders and customers about the situation, and have procedures in place for mitigating the impact of an outage and restoring normal operations. •𝐃𝐢𝐯𝐞𝐫𝐬𝐢𝐟𝐲 𝐲𝐨𝐮𝐫 𝐯𝐞𝐧𝐝𝐨𝐫 𝐞𝐜𝐨𝐬𝐲𝐬𝐭𝐞𝐦: Relying on a single vendor for critical services can increase risk. Consider using multiple providers for redundancy. •𝐈𝐧𝐯𝐞𝐬𝐭 𝐢𝐧 𝐦𝐨𝐧𝐢𝐭𝐨𝐫𝐢𝐧𝐠 𝐚𝐧𝐝 𝐚𝐥𝐞𝐫𝐭𝐢𝐧𝐠 𝐬𝐲𝐬𝐭𝐞𝐦𝐬: Continuously monitor system performance and identify anomalies, and implement alerts to notify relevant teams of potential issues. Let's discuss how to build resilience into your IT infrastructure. #cybersecurity #outage #IT #riskmanagement #businesscontinuity #startup #hiring #devops #ai #microsoft #crowdstrike #resource #security

Types of Logs Understanding the types of logs is very important for a SOC analyst.

Serious question: why do we treat incident response differently for production issues and security breaches? If you search for ‘incident response’ online, you'll find definitions from both perspectives—operations and security. Wouldn't it make sense to have a unified response plan that brings these teams together? It feels like the perfect #DevSecOps opportunity: streamlined responses, faster recovery, and better collaboration. What steps can we take to make this happen? #InfoSec #DevOps #SRE #IncidentResponse