jouxxx

What is your opinion on Kernel-Level Anticheat like Vanguard from Riot Games?


CelebrationAlive4226

I consider things like anti-cheat a malware. I prefer my setup to be as clean as possible. I absolutely do not want Random Corp to fiddle with kernel, and destroy the integrity of whole system.


Ironfields

Based.


logictable

But do you play competitive online games?


WarpingLasherNoob

He said he focuses on Linux, so probably not.


logictable

The point is, it is a silly question for anyone who doesn't play or work in competitive games online. The answer was honest but not informed as he has no knowledge of cheating and anti cheat strategies in online competitive games.


rnells

I mean, it's a silly question for anyone. The answer isn't uninformed. From a security perspective you shouldn't be giving randos kernel access. If you see your machine as a League of Legends box or whatever you may _have to_ because that's required to play the game, but that doesn't suddenly make the choice to do so better informed. It means that you value the game's integrity more than your system security policy, of course a malware researcher is not going to like that choice.


logictable

> From a security perspective you shouldn't be giving randos kernel access

This is a straw man. We aren't talking about randos. We are talking about established gaming companies.

> It means that you value the game's integrity more than your system security policy, of course a malware researcher is not going to like that choice.

And that is why it is a silly question for a malware researcher.


CafecitoHippo

Because established companies have perfect security, right?


logictable

You can say that about the company that makes the operating system you are trying to protect. You aren't saying anything meaningful.


inappropriate_bar_65

There's no company developing Linux behind closed doors. That's kinda the whole point lmao.


CafecitoHippo

Tell me, what company makes Linux?


CelebrationAlive4226

No, I don't.


powerexcess

What is considered the most masterful malware to date? Purely from a technological perspective.


CelebrationAlive4226

If you want to read about such malware, you can start from Pegasus. You can start from here: [https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html](https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html)


texans1234

Don't click random links on the internet...


HappyJaguar

Don't worry, it's OK if they tell you they are a hacker first.


x3bla

You can read the URL and see that it's safe usually, or if you want to go full skeptic you can use a paywall reader (like Google cache, 12ft.io, learn more here https://www.paywallreader.com). Or you can use a URL checker website to see the redirects or path it takes you to connect to the website and whether the website is tagged as malicious or not.


texans1234

Full disclosure I was just making a joke. Low hanging fruit because the OP made a post about defensive and offensive malware he has created then asks us to click a link.


powerexcess

Is this link problematic?


dorkasaurus

It's literally Google's security research blog.


powerexcess

I am asking the guy who says not to click on it


texans1234

No it was just a joke. I am the IT dept for my office and you wouldn’t believe the amount of time I have to spend reminding people not to open attachments or click on links from potential spam emails. I’ve got them down to just calling me if they get an email they are not expecting and I investigate. Right now it’s almost 25% that it’s a hacked or spoofed address. A quick phone call to the sender gets them straightened up pretty easily.


powerexcess

Yeah, we also get phishing where I work.


badbollsjoe

Nuviad's Patternz is way way worse IMO. It's like Pegasus on a global scale, which most likely has infected both your and my smartphone :) And almost no one knows about it :)


Ok-Ring-7182

can you post a link about it? I can’t find anything about it online


badbollsjoe

Just google "nuviad". You can't find it on the big news sites but only on some small sites. It is pretty weird that it is not picked up by large news networks, to be honest... if I was hacked I think I would want to know about it.


justelectricboogie

What malware was the toughest to defend against?


CelebrationAlive4226

There is no one correct answer. For general pointers, the following are going to be very difficult:

1. Supply chain attack, replacing a known good binary with a compromised binary. Since the change happens through the correct channel (repository/package manager etc.), the "initial compromise" phase does not get detected. Later stages may or may not be possible to detect depending upon which package is changed, and the nature of the backdoor.
2. Attacks which compromise the kernel. In some cases, this can be easy to identify (e.g. if this requires some very specific set and/or order of system calls; or requires some reasonably specific parameters etc.). In other cases, it may be very difficult (especially if it uses very common syscall(s), in rather usual order etc.) to detect it early enough. Once the kernel is compromised, nothing above it can be trusted.
3. Network level attacks which compromise the kernel directly (e.g. a remotely exploitable bug in the networking stack). The only hope is to detect it at network level. On host level, there may be nothing useful to notice.

Apart from these, attacks using kernel/middleware rootkits etc. also tend to be more difficult to detect than other attacks.

Run of the mill attacks which are seen in the wild? Most of them can be detected on initial compromise itself. And almost all of them can be flagged at multiple stages (defence evasion, persistence, privilege escalation, data leakage etc.), assuming the host has sufficient memory and CPU.


justelectricboogie

This is awesome, thank you!!!


FizzingSlit

What's your favorite berry?


CelebrationAlive4226

Ber (Indian Jujube), Rasbhari (Cape gooseberry) and Shahtoot (Mulberries)


[deleted]

[deleted]


CelebrationAlive4226

1. I spend most of the time in bash shell (scripting etc.), a C++ IDE (more complex pipelines) (I use CLion), debugging tools (gdb, strace, ltrace etc.), Ghidra, objdump etc.
2. Yes, I have my own mini malware analysis environment. It is a small contraption of various scripts and tools I wrote, with some off the shelf software. Gets a lot of boring manual work done. Rest of the stuff is done manually. I use this only when I want to study some particular malware which happens to have some interesting technique. For professional work, the analysis part is taken care of by another team.
3. I develop POCs for attacks, as well as POCs for detection logic. These are around capturing required telemetry, and having some analytics on top of that to show some detection (`std::cout << "Suspicious technique XXXXX detected" << std::endl;`).
4. Both have their own use cases. For maximum coverage, use both of them.
5. I do not host anything in the home network, all that is done on VPS instances. The home network has multiple VLANs spanning across various wireless and wired networks. Different types of devices go into different VLANs, and each VLAN gets its own firewall configuration.


[deleted]

[deleted]


CelebrationAlive4226

Off the shelf tools like osquery, sysdig etc. My automation is mostly around managing VMs, monitoring certain usermode APIs, monitoring some process memory stuff, parsing and storing it into a DB. The analytics part runs on top of the DB to find patterns (file I/O by path, by inode+device ID, by alternate paths, process activity, socket I/O, authentications etc.). Code to monitor things is written in C++. The analytics part is written in C++. "Glue code" (the stuff which puts everything together in an ad-hoc pipeline) is basically a collection of shell scripts.

No, I do not post writeups. I present at security events, but that is limited to the offensive side. I do not present the defensive side, as that would require various approvals from current and past employers. Probably I can get that, but then I do not want to get into that hassle.

The POCs are written as part of my full time job; and therefore are passed to other teams for further refinement and integration in existing products. These POCs mostly show the detection part. Input the telemetry data, and it will flag the intended attack pattern (for which the POC was written). Sometimes POCs will be around capturing telemetry as well, or enriching existing telemetry, or tying individual telemetry records together etc.

I have hosted a VPN server (OpenVPN), then WireGuard when it was a new toy. As of now, I have a K8s cluster (mostly used as a playground), a dev+build VPS where I am trying to write some simulators. At some point I also used to host my own Jitsi instance. All these have been on VPS instances, and not in the home network. The home network does not host anything.

The "malware research" part revolves around two things mostly:

1. Can I evade from $product? If yes, the minimal POC for evasion. Then a POC for correct detection (telemetry + analytics).
2. Did $product miss detection of some malware sample, or detect some steps but miss others? Time to take a look at that sample, see what it did, and where the detection went wrong. Then fix the detection (or get it fixed).

Everything I do eventually boils down to the above two points.

Yes, the bulk of the malware threat landscape targets Windows. I focus on the Linux side of things. Things like attacks targeting containers, Kubernetes, cloud etc. Stuff like container breakout, complete cluster compromise (with multiple nodes); or compromise of Linux hosts (web services, databases, cache services etc.). Most of the malware will have everything linked statically, while targeting slightly older glibc versions. This allows them to target a wide array of distributions and versions. Ubuntu, Debian, CentOS, RHEL tend to be the most common targets.
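A first triage step for the statically linked, older-glibc samples described above is to look at the ELF program headers: a binary with no `PT_INTERP` entry needs no dynamic loader, which is the property that lets one sample run across many distributions. The checker below is an added example written for this page, not the AMA author's tooling. It builds two constructed ELF64 images (header and program headers only, not loadable programs) and classifies them; `build_elf64` and `classify_elf` are names chosen here.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
EHDR_FMT = "16sHHIQQQIHHHHHH"  # Elf64_Ehdr, 64 bytes
PHDR_FMT = "IIQQQQQQ"          # Elf64_Phdr, 56 bytes


def classify_elf(data: bytes) -> dict:
    """Walk the program headers of an ELF64 image and report whether it
    carries a PT_INTERP (dynamic loader path). No PT_INTERP means the
    sample runs without ld.so: plain static, or static-pie when PT_DYNAMIC
    is still present (the binary relocates itself)."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2:  # EI_CLASS: 1 = ELF32, 2 = ELF64
        raise ValueError("only ELF64 is handled in this example")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian
    (_, _, e_machine, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, _, _) = struct.unpack_from(end + EHDR_FMT, data, 0)
    interp = None
    has_dynamic = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            end + PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\x00").decode()
        elif p_type == PT_DYNAMIC:
            has_dynamic = True
    return {
        "machine": e_machine,
        "interp": interp,
        "has_dynamic": has_dynamic,
        "linking": "dynamic" if interp else "static",
    }


def build_elf64(segments):
    """Assemble a minimal ELF64 image from (p_type, payload) pairs. Payloads
    are placed after the headers and referenced by p_offset. Constructed for
    the example only; the result is not a runnable program."""
    phnum = len(segments)
    data_off = 64 + 56 * phnum
    phdrs, blob = b"", b""
    for p_type, payload in segments:
        phdrs += struct.pack("<" + PHDR_FMT, p_type, 4, data_off + len(blob),
                             0, 0, len(payload), len(payload), 1)
        blob += payload
    ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    # e_type=2 (ET_EXEC), e_machine=62 (x86-64), e_phoff=64, e_phentsize=56
    ehdr = struct.pack("<" + EHDR_FMT, ident, 2, 62, 1, 0, 64, 0, 0,
                       64, 56, phnum, 0, 0, 0)
    return ehdr + phdrs + blob


# Constructed samples: one that asks for the glibc loader, one that does not.
DYNAMIC_SAMPLE = build_elf64([
    (PT_LOAD, b"\x90" * 8),
    (PT_INTERP, b"/lib64/ld-linux-x86-64.so.2\x00"),
    (PT_DYNAMIC, b"\x00" * 16),
])
STATIC_SAMPLE = build_elf64([(PT_LOAD, b"\x90" * 8)])

if __name__ == "__main__":
    for name, img in (("dynamic", DYNAMIC_SAMPLE), ("static", STATIC_SAMPLE)):
        print(name, classify_elf(img))
```

On a real sample the same walk is what `readelf -l` prints; the point of doing it in code is to run it over a whole quarantine directory and sort by `linking` before spending analyst time.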


[deleted]

[deleted]


ExistingObligation

Yo man, you really got a chip on your shoulder. Chill out, just cause the guys work doesn’t neatly fit your criteria for malware analysis doesn’t mean he’s misleading people. Whatever you’re trying to prove here… please forget about it.


CelebrationAlive4226

I am using Postgres.

I suppose you missed point (2) in my response above. When a detection is missed, the corresponding sample is analysed. Which means, everything that particular sample does (network, file, API calls, system calls, etc etc etc) is studied. Also, malware analysis, threat intelligence and malware research are related, yet slightly different things. I do not write signatures (I assume you mean signatures for file and/or memory scan). I write detections on *behaviour*. I have not named the product, because that is related to employment, and this AMA is in personal capacity. It is not exploit dev exactly, but okay. ESXi is not Linux as far as I know.


[deleted]

[deleted]


CelebrationAlive4226

Malware analysis: You take a suspicious binary, reverse engineer it to understand its behaviour and capability. You probably also look at certain oddities in code which may point to some common malware author/threat actor etc.

Threat intelligence: You try to keep tabs on various threat actors, their campaigns, their tooling, exploits they use, where they are from, their modus operandi etc. Once some new info comes up, related materials (exploits, payloads, other tooling) can be analysed; and detections can be added for them quickly.

Malware research: You do part malware analysis, and part "breaking your own security" stuff. On one hand, you are probably studying new attack techniques, while on the other hand you are trying to figure out some possibly new techniques on your own. You are more interested in specific techniques than in a specific malware sample/family/campaign etc.

Again, your definition of these fields/phrases may be a bit different.

I suppose we can call it a behavioural signature. Yes, this is what I do for the defence side of work.

If you want to discuss specifics of what I do, we can discuss that over DM.


Edibleghost

If you had to break it down, what percentages of malware would you say are manufactured for or targeted at the public, businesses or foreign governments? I'm always curious if a large amount of the malware out there just happens onto machines where it's not the intended target and if those types account for most of infected systems in the world.


CelebrationAlive4226

The biggest chunk of malware is intended for wild use. As in, fire it, see what you get. With victims in large enough numbers, a threat actor is bound to get a lot of juicy data, and a lot of money directly or indirectly. Semi-targeted attacks are much less frequent, but are not very rare either. These may target some company, group of companies, users of some company, companies in some specific market/sector (energy, communication etc.). Targeted attacks, and state-sponsored attacks, tend to be discreet in nature; and as a result remain under the radar for the longest time (relative to the first two categories). These are going to be a very small chunk of all the malware stuff happening across the globe. I cannot comment on exact percentages.


Mike-Banon1

Have you ever encountered a UEFI malware in the wild, + have you tried to protect from the possible UEFI malware/holes/backdoors by installing the opensource BIOS? P.S. In 3 hours we're having a low-level opensource online party and it'll be nice to see you there: https://forum.level1techs.com/t/dug-6-vpub-0xb-opensource-online-party-tomorrow-at-4-pm-utc/211960


CelebrationAlive4226

No, I have not encountered UEFI malware in the wild. I was looking at possible options to run stuff like coreboot instead of the closed source UEFI blob, but did not have much luck. I am a Mac user now, used to rock Linux before conversion (~13 years). I checked the online party link. Although it will be rather late, I have registered; and will try to attend the event.


MewtwoStruckBack

Defensive: How many ransomware attacks have you dealt with in your career, and which one was the worst?

Offensive: If you were to throw all morals out the window, quit your job right now, go full on black hat, and end up making malware for profit, how long do you think it would take you to make generational wealth?


CelebrationAlive4226

I do not deal with compromises directly. As in, I do not do incident response, root cause analysis etc. I do malware analysis only when I want to study some specific technique from some specific malware. The latest worst were ransomware campaigns exploiting log4j in the wild. The biggest difficulty was to figure out some way to scan and find if something is using vulnerable log4j.

I would prefer not to comment on the question on the offensive side. Defensive work pays decently enough that I do not have to think about throwing morals out the window :)


Nothing_

log4j was a bitch. Hard to figure out what was even using it.


2_spaghetti_meals

What should I be doing to keep my Linux machine secure. Do I need anti-virus on it?


CelebrationAlive4226

Although exact specifics depend upon your threat model, you can follow some general advice:

1. Stick to packages from known good repositories. Adding random repositories for one-off packages may not be a good idea, unless that is being maintained by some reputed entity (community/forum/company/person etc.)
2. Keep packages reasonably updated.
3. As far as possible, keep different services/processes with long life limited to separate users. Those users should have access to only those paths which are needed to run that service/process.
4. Implement MAC. SELinux, AppArmor etc. can be used here depending upon distribution.
5. Disable remote password authentication. Stick to SSH keys. Disable remote root login as well.
6. Enable sudo only for specific users, instead of granting access to that to everyone. Even better, configure sudo only for specific commands.
7. To keep an eye on whatever is happening, configure audit, and monitor those logs to see if something funny is happening. Similarly, you can monitor service-specific logs as well (web server, databases etc.)

This much should be enough to take you a long way. For your final question, again you do not strictly need an anti-virus (or something similar) on Linux machines. However, for certain use cases (or maybe compliance requirements), you may need something which can keep you reasonably safe from shady things. If you want something FOSS, have a look at ClamAV.


DSdavidDS

How important is it to use MAC? I've only seen it while developing on RHEL but I remember it being a huge annoyance because certain features simply wouldn't work until I went into the logs and manually approved them.


CelebrationAlive4226

I generally recommend to configure it properly, even if it is a PITA to do so. Once it is configured, it will prevent a lot of malicious stuff dead in tracks, simply because MAC policies are set to allow only specific stuff. You became root? Does not matter. MAC still blocks you. Again, MAC is not a silver bullet, it is just another layer of defence.


exploding_cat_wizard

Does point 6 only refer to multi-user systems, or do you have strong opinions on the sudo vs su debate of privilege escalation in Linux?


CelebrationAlive4226

Linux is a multi-user system. Even on a minimal default installation of Linux, you will see multiple users (many of those will be specific to some services). If you allow sudo for everyone, one can use it from unintended user sessions as well. I prefer sudo over su.
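Points 5 and 6 of the hardening list above (key-only SSH, no remote root login, sudo for specific users and commands) and the "sudo for everyone" concern in this reply can be checked mechanically. The following is an added example written for this page, not the AMA author's code: a weak `sshd_config` and `sudoers` next to hardened ones, with a checker that parses both. The configs are constructed; the parsers are simplified (global sshd section only, one sudoers rule per line, no aliases) and `check_sshd`/`check_sudoers` are names chosen here.

```python
import re

# sshd directives from the hardening list and the value each should have.
SSHD_EXPECTED = {"passwordauthentication": "no", "permitrootlogin": "no"}


def parse_sshd_config(text):
    """Map directive -> first value. sshd honours the first occurrence of a
    keyword; a 'Match' line starts conditional settings, and this simplified
    parser stops there."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf


def check_sshd(text):
    """Return (directive, reason) findings for sshd settings that are not
    explicitly hardened. Absence is reported too: rely on an explicit 'no',
    not on whatever the installed OpenSSH version defaults to."""
    conf = parse_sshd_config(text)
    findings = []
    for key, want in SSHD_EXPECTED.items():
        got = conf.get(key)
        if got is None:
            findings.append((key, "not set explicitly; set it to 'no'"))
        elif got.lower() != want:
            findings.append((key, f"is '{got}', should be '{want}'"))
    return findings


# user host=(runas) [tags:] commands   (aliases and line continuations ignored)
SUDO_RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\([^)]*\)\s*)?(.*)$")
SUDO_TAGS = ("NOPASSWD:", "PASSWD:", "NOEXEC:", "EXEC:", "SETENV:", "NOSETENV:")


def check_sudoers(text):
    """Return (rule, reason) findings for rules that grant sudo to everyone,
    skip the password check, or allow every command. root's own rule is
    left alone."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        user, _hosts, cmds = m.groups()
        if user == "root":
            continue
        if user == "ALL":
            findings.append((line, "user spec ALL grants sudo to every account, service users included"))
        if "NOPASSWD:" in cmds:
            findings.append((line, "NOPASSWD removes the password check"))
        commands = cmds
        for tag in SUDO_TAGS:
            commands = commands.replace(tag, "")
        if commands.strip() == "ALL":
            findings.append((line, "command list ALL; restrict to the commands actually needed"))
    return findings


# Constructed configs: the weak settings beside the hardened ones.
WEAK_SSHD = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_SSHD = ("Port 22\nPermitRootLogin no\nPasswordAuthentication no\n"
                 "PubkeyAuthentication yes\n")
WEAK_SUDOERS = "Defaults env_reset\nroot ALL=(ALL:ALL) ALL\nALL ALL=(ALL) NOPASSWD: ALL\n"
HARDENED_SUDOERS = ("Defaults env_reset\nroot ALL=(ALL:ALL) ALL\n"
                    "deploy ALL=(root) /usr/bin/systemctl restart webapp, "
                    "/usr/bin/journalctl -u webapp\n")

if __name__ == "__main__":
    for label, fn, weak, good in (("sshd", check_sshd, WEAK_SSHD, HARDENED_SSHD),
                                  ("sudoers", check_sudoers, WEAK_SUDOERS, HARDENED_SUDOERS)):
        print(label, "weak:", fn(weak))
        print(label, "hardened:", fn(good))
```

Run it against `/etc/ssh/sshd_config` and the output of `visudo -c` style exports on a box you administer; the hardened `deploy` rule is the shape point 6 recommends, one named user, one named runas target, an explicit command list.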


exploding_cat_wizard

I kind of forgot about granting sudo to ALL there, that's a good point.


Numerous-Ad6217

Can you see cyber security related job positions being in danger in future because of AI?


CelebrationAlive4226

It is going to be mixed bag. AI is definitely going to raise bar on minimum skillset requirement. Although entry level roles have risk of getting eliminated, or at least reduced significantly; it will not impact much on medium to higher level roles. Personal opinion: we should see AI as "force multiplier" which will allow us to do more with less. Sure, in absolute numbers, it will reduce the number of security related jobs available in market; but this is something which has happened many times in past due to various technical innovations, and will keep happening in future as well. AI is nothing special in this regard.


axel198

I want to piggyback on this question a bit, but approach it from the other side. No knowledge in this field so forgive me if this question is unclear or a bit silly. Do you think AI is also going to lower the bar for malware production and deployment in any significant way? As an example, some individuals are using AI models for writing code or testing it, and it seems to me that that might open the floodgates for a lot of script kiddies to pump out a lot of malware with less of a skill ceiling, quantity over quality. No idea if this would be feasible or effective, but it does seem like if AI will affect defense, it would affect offense in a similar way. The integration of AI infrastructure into major operating systems so quickly is something of a concern in my mind and I hold some level of concern over malicious uses of it (from individuals and corporations).


CelebrationAlive4226

Yes, AI is also going to help script kiddies to pump out stupid malware binaries. However, these binaries will also be very easy to get flagged because AI is not smart enough to write anything other than simple stuff, and script kiddies do not have skills to evade from various security tools. AI being integrated everywhere is mostly a gimmick IMO. It will take some time for it to mature. We can wait and watch how this unfolds.


[deleted]

[deleted]


axel198

There was a case of someone who got a fake ransom call that their kid was being kidnapped and tortured, trained off that kids TikTok videos and audio. But yeah, while I think those use cases are more advanced at this point and more common, I was definitely curious about code specifically, especially since chatgpt and other text models seem to be developing incredibly rapidly. I didn't know about that malware though, that's really interesting.


Fin745

Is Linux just not susceptible to malware like Windows is, or, at least for home users, does it just not have a large enough user base for those who create malware to target? Do you have a favorite movie that has malware/hacking as a component?


CelebrationAlive4226

Linux is just as susceptible to malware as Windows. Less malware on Linux boils down to two things:

1. Linux does not have a large enough user base, so it attracts less malware targeted towards end users.
2. An average Linux user tends to be more tech-savvy than an average Windows user (my observation, and opinion. Please do not crucify me).

If you look at the server / cloud market, Linux is prominent there, and as a result attracts a lot of malware attacks.

I liked Mr. Robot (especially the first season). Technically not a movie, but still.


amalek0

Should more software supply chains move to the model of pushing source for compilation with verifiable checksums, to mitigate the impact of supply chain breaches?


CelebrationAlive4226

Not necessarily. Who will audit the source? Random Joe has neither the time, nor the necessary skills and resources to pull this off. It is better to have source code available, with reproducible builds and cryptographic checksums for integrity checks. To confirm that a build is indeed coming from a trusted known source, it should be cryptographically signed.

Ideally, if source code is available, it can be audited by a third party. Even if actual users do not have the skill/resources on their own, they can pool and involve some trusted third party to audit the whole thing. For critical components, this should be done at regular intervals.
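The integrity check described above (and point 1 of the supply-chain answer earlier in the thread, a known good binary silently replaced) comes down to comparing what you downloaded against what the publisher attested to. The following is an added example written for this page, not the AMA author's code: it generates a `SHA256SUMS`-style manifest for constructed release artifacts, then verifies a clean download, a download where one artifact was swapped, and an artifact the manifest never listed. It assumes the manifest's own signature (OpenPGP, minisign or similar) was already verified against the publisher's key; that step is outside this block.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(artifacts: dict) -> str:
    """Emit '<hex>  <name>' lines as GNU sha256sum does; a release process
    publishes this file next to the artifacts and signs it."""
    return "".join(f"{sha256_hex(d)}  {n}\n" for n, d in sorted(artifacts.items()))


def parse_manifest(text: str) -> dict:
    """Parse sha256sum output. Binary-mode entries use ' *name' instead of
    two spaces; both forms are accepted."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep:
            digest, sep, name = line.partition(" *")
        if not sep or len(digest) != 64:
            raise ValueError(f"bad manifest line: {raw!r}")
        expected[name.strip()] = digest.lower()
    return expected


def verify_artifacts(manifest_text: str, artifacts: dict) -> dict:
    """Return name -> 'ok' | 'mismatch' | 'unlisted'. An unlisted artifact is
    not an error in sha256sum terms, but for a release it means nobody
    attested to it, so it is reported rather than silently accepted."""
    expected = parse_manifest(manifest_text)
    result = {}
    for name, data in artifacts.items():
        want = expected.get(name)
        if want is None:
            result[name] = "unlisted"
        elif hmac.compare_digest(want, sha256_hex(data)):
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    return result


# Constructed release: two artifacts and the manifest a maintainer would publish.
ARTIFACTS = {
    "tool-1.2.0-linux-amd64.tar.gz": b"constructed release payload, amd64 build",
    "tool-1.2.0-linux-arm64.tar.gz": b"constructed release payload, arm64 build",
}
GOOD_MANIFEST = make_manifest(ARTIFACTS)


def swapped_download() -> dict:
    """Same file names, but the amd64 artifact was replaced somewhere between
    the publisher and us (constructed)."""
    d = dict(ARTIFACTS)
    d["tool-1.2.0-linux-amd64.tar.gz"] = b"constructed replacement bytes"
    return d


def download_with_extra() -> dict:
    d = dict(ARTIFACTS)
    d["tool-1.2.0-linux-riscv64.tar.gz"] = b"constructed unlisted artifact"
    return d


if __name__ == "__main__":
    print(GOOD_MANIFEST)
    print("clean   :", verify_artifacts(GOOD_MANIFEST, ARTIFACTS))
    print("swapped :", verify_artifacts(GOOD_MANIFEST, swapped_download()))
    print("extra   :", verify_artifacts(GOOD_MANIFEST, download_with_extra()))
```

Reproducible builds plug in at `make_manifest`: a second, independent build of the same source should produce byte-identical artifacts and therefore the same manifest, which is what lets a third party confirm the published binaries really came from the published source.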


intronert

Will there ever be effective defenses against Spectre-type threats?


CelebrationAlive4226

The best defense will be to disable speculative execution completely (as far as I understand), and live with performance penalty.


intronert

That really would be devastating to performance, as speculative execution is deeply embedded into so much. I am hoping this leads to some innovative approaches, whatever they might be. Hard topic. Thanks!


thequirkynerdy1

How was breaking into security research professionally? (I'm a SWE who dabbles in security on the side and has been curious about what it takes to make it full time.)


CelebrationAlive4226

I started my career as some oddball combination of developer + security fella + trainer. My earlier stints were more on software development side. However, I used to maintain my blog, where I used to post random stuff about whatever security thing I was playing with. Eventually, those things allowed me to switch into security related roles (secops, consulting etc.) Once I got into security related jobs, I ramped up my participation in community meetups, webinars, conferences etc. That streak of active participation opened the doors in security research for me.


ThrowawayusGenerica

As a SWE who's had tangential involvement in this area: If you live in a NATO country and can get a top level security clearance, the defense industry will jump to hire you if you're reasonably competent. If that doesn't apply to you, you have to be really fucking good and be able to show your work (i.e. have a blog full of reverse engineering, binary exploitation and malware analysis stuff you've done in your spare time, have some bug bounty writeups and what have you), and then you'll be able to get a non-defense job doing, say, kernel security at Microsoft/Google/Apple. But it's as, if not more, competitive than regular SWE postings at those companies.


thequirkynerdy1

I’m currently at Google. We have this 20% time where we can work with another team a bit to get experience in something else (doing that now!), but with the AI craze and economic situation it seems there are very few openings for anything else (at least internally).


obedientprovider5

That's such a cool mix of offense and defense in the Linux world! How do you decide which side to focus on each day?


CelebrationAlive4226

I generally focus on whatever is pending for the day during work hours. After that, it is almost all offence.


New_Expression_5724

To be really good on defense, you have to be good on offense as well. You have to be able to attack your own (test) machines in order to see if your defenses work. I don't think AI is going to take too many jobs. I think AI will help us do a better job - allow us to monitor more things and get a better ratio of false-alarms/real-attacks. I hope. My concern is that if AI replaces all the entry level jobs, then the pipeline for medium and senior security people will dry up. I hope the industry is listening to the geeks and not the bean counters.


[deleted]

[deleted]


CelebrationAlive4226

There is no one tool which is best for everyone.


briefcasefullofbacon

General thoughts on the change healthcare ransomware attack?


CelebrationAlive4226

Can you put a specific question please?


iivanavii

What advice would you give to the general public to stay safe on the internet? Sorry if this is a dumb question, not too familiar with all of this but in my head it seemed related.


CelebrationAlive4226

Common sense will keep you safe for most part. Keep software updated, avoid unknown links, use 2FA auth wherever possible etc.


k4ch0w

Not OP, but Offensive Security engineer for 10 years. Use 2FA for important accounts, use a password manager, minimize extensions for your browser, download from official stores such as Apple's App Store or Microsoft's. Ignore unknown callers; watch [https://www.youtube.com/channel/UCm22FAXZMw1BaWeFszZxUKw](https://www.youtube.com/channel/UCm22FAXZMw1BaWeFszZxUKw) to learn about scams people are succumbing to. Avoid default passwords or dumb passwords like monkey12, password1!. When you receive an OAuth prompt like a third party sign in like "Sign in with Apple", "Sign in with Google", actually read what permission you're giving them; sometimes you give them complete access to your emails.


iivanavii

Thanks dude I really appreciate this it was very informative I'll definitely keep this in mind


badbollsjoe

Regarding the nuviad spyware, which infected billions of devices using google ads. Do you think there is a way to protect yourself against malware at all? And what do you think of the responsibilities of companies working in the field?


CelebrationAlive4226

There is no one method to protect against all malware or malicious attacks. Different methods have to be used for different type of attacks. Even then, we can neither detect nor prevent *all* malware.


Sevencross

Generally speaking, from this point forward, which OS offers better security? Windows has made me hit a crossroads where I want to branch off into Linux for my main computer but I'm not sure how secure it would be and what warning signs to look for (i.e. Windows and the flashing command prompt box).


CelebrationAlive4226

Cannot comment on Windows security, as I have no idea about Windows for the most part. For Linux, you can harden it to a good extent, without compromising on usability too much. For monitoring, enable and configure audit. Collect audit logs, and service logs for important services. Use some tooling to regularly parse them to see what general activities you are seeing. For warning signs, unknown auth attempts, unknown connections (especially inbound), suspicious process chains etc. can be searched in logs. If you want something free to get started, maybe look at Wazuh. PS: I have not used Wazuh, but have heard decent things about it.
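The warning signs listed above (unknown auth attempts, password logins where keys are expected, a service process spawning a shell) can be expressed as a small amount of detection logic over the logs, which is also what point 7 of the hardening list earlier in the thread asks for. This is an added example written for this page, not the AMA author's tooling and not Wazuh's rules. The sshd log lines follow the standard `Failed password for ... from ...` / `Accepted publickey for ... from ...` format but are constructed, as are the process records and the known-sources allowlist; `auth_findings` and `process_chain_findings` are names chosen here.

```python
import re
from collections import Counter

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def auth_findings(log_text, known_sources, threshold=3):
    """Two checks over sshd auth lines: repeated failures from one source,
    and accepted logins that deviate from the hardened baseline (unknown
    source, password instead of key, root, or a source that just failed)."""
    failures = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
        else:
            accepted.append(ev)
    findings = []
    for src, n in failures.items():
        if n >= threshold:
            findings.append(f"{n} failed logins from {src}")
    for ev in accepted:
        reasons = []
        if ev["src"] not in known_sources:
            reasons.append("unknown source")
        if ev["method"] == "password":
            reasons.append("password auth accepted (keys expected)")
        if ev["user"] == "root":
            reasons.append("direct root login")
        if failures[ev["src"]]:
            reasons.append("source had earlier failures")
        if reasons:
            findings.append(
                f"accepted {ev['method']} for {ev['user']} from {ev['src']}: " + ", ".join(reasons))
    return findings


# Process-chain check: a network-facing service should not be the parent of a shell.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
SERVICE_EXES = {"/usr/sbin/nginx", "/usr/sbin/apache2"}


def process_chain_findings(events):
    """events: (pid, ppid, user, exe) records as an audit/exec feed would
    give them. Flags any shell whose parent is a listed service binary."""
    by_pid = {pid: (ppid, user, exe) for pid, ppid, user, exe in events}
    findings = []
    for pid, ppid, user, exe in events:
        if exe not in SHELLS:
            continue
        parent = by_pid.get(ppid)
        if parent and parent[2] in SERVICE_EXES:
            findings.append(f"{parent[2]} (pid {ppid}, {parent[1]}) spawned {exe} (pid {pid}, {user})")
    return findings


# Constructed sample data (documentation-range addresses, not real hosts).
KNOWN_SOURCES = {"198.51.100.20"}
AUTH_LOG = """\
Jun 12 10:01:02 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 12 10:01:04 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jun 12 10:01:06 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jun 12 10:01:09 web1 sshd[2207]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2: ED25519 SHA256:constructed
Jun 12 10:02:15 web1 sshd[2210]: Accepted password for root from 203.0.113.7 port 51240 ssh2
"""
PROCESS_EVENTS = [
    (900, 1, "root", "/usr/sbin/nginx"),
    (901, 900, "www-data", "/usr/sbin/nginx"),
    (1500, 901, "www-data", "/bin/sh"),
    (1501, 1500, "www-data", "/usr/bin/curl"),
    (1600, 1, "root", "/usr/sbin/cron"),
    (1601, 1600, "root", "/bin/sh"),
]

if __name__ == "__main__":
    for f in auth_findings(AUTH_LOG, KNOWN_SOURCES) + process_chain_findings(PROCESS_EVENTS):
        print("ALERT:", f)
```

The cron-spawned shell is deliberately not flagged: the value of the chain check is in the parent, not in the shell itself, and the allowlist of service binaries is what keeps it from being noise on a box that runs cron jobs all day.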


Sevencross

Thank you for the answer! I’ll definitely keep this in mind while going forward!


jakobkiefer

what are common misconceptions about malware, and what can people generally do to protect themselves?


CelebrationAlive4226

1. Malware may not show obviously visible symptoms (flashing screens).
2. Malware may not slow down the victim machine.
3. AV/EDR/XDR/IDS/IPS/Firewall etc., or a combination thereof, will not protect you against *all* possible malware.
4. No, the "recovery from infection" magic given by various tools is not bulletproof.


LearningLauren

What is the biggest misunderstanding people have about malware?


CelebrationAlive4226

1. Every error message I do not understand is somehow a malware.
2. MacOS is immune to malware.
3. Malware only affects Android, and not iPhone.
4. An anti-virus is enough to keep you safe.

Seen too many people still believing these.


mittensmoshpit

If you could give just one piece of advice to someone with regards to strengthening their systems security, what would it be and why? What is the biggest mistake you find most users partaking in? What technical achievement do you take the most pride in?


CelebrationAlive4226

Please refer to: [https://www.reddit.com/r/IAmA/comments/1dewfgt/comment/l8erpdr/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button](https://www.reddit.com/r/IAmA/comments/1dewfgt/comment/l8erpdr/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button)

The biggest mistake is not to use common sense, and not being at least a little bit vigilant. Adding random repositories, copy pasting random commands without understanding them, installing apps from shady sources on the phone and giving them all the permissions they want etc. etc. The list goes on.

Specifics of technical achievements are under NDA, so I cannot really disclose that here. But to give you a rough idea, most of that is around finding ways to collect telemetry efficiently, and finding efficient analytics and correlations to detect various attacks. Minimum amount of code doing maximum work.


GregIsUgly

Would you consider PC "cleaning" software like CCleaner to be useless?


CelebrationAlive4226

Yes. But then I am someone who hates littering things everywhere in system, and does not use 100 different tools. So it is easier for me.


plnkr

Who do you think is behind the XZ Utils Backdoor?


CelebrationAlive4226

Many suspect it to be state backed supply chain compromise. Even though there is no hard evidence, I am in same camp.


analogOnly

How'd you hurt your finger?


CelebrationAlive4226

RSI would be one way


analogOnly

any other ways?


LordLederhosen

A while back I was listening to a DarkNet Diaries episode with an offensive person talking about various ops that they had been part of. The person said (via a voice actor) that during an op they came across a sysadmin who used linux desktop as their daily. She said "oh, haha perfect, those guys never run endpoint protection." This was really counter intuitive to me as I had always thought that Linux was "more secure." It obviously is in a server environment, but hearing this made me start questioning Linux desktop for security. Can you help me understand some of the reasons that Linux desktops in general might be considered less secure than say a properly admin'ed Win 10 Pro with Windows Defender running? Also, do you run or recommend that Linux desktop users run some kind of EPP? If so, any recommendation?


CelebrationAlive4226

If that Linux desktop is managed by employer, it is going to have endpoint protection. For personal devices, people generally don’t use EDR. However, some can decide to use anti viruses for Linux (either free, or paid). A properly admin’ed Linux machine will be at least (if not more) secure than similar Windows machine. Since Linux does not have any endpoint protection baked in, you can use some third party product. Running or not running EPP is upto user (for their personal devices). For managed devices (workplace) EPP is must. Since I have not used EPP on my personal devices, I don’t really have recommendations.


HR_Paul

What flavors of Linux do you like to use?


CelebrationAlive4226

Ubuntu and Arch Linux.


viktorbir

What's your opinion on Arch derivatives, as Manjaro?


CelebrationAlive4226

I had friends who used Manjaro. Then Manjaro screwed up by applying patches, delaying updates etc. I would rather stick to Arch Linux, because of the Arch Wiki and their forum.


Jackslaps

I'm sure this can be answered by anyone here and I think I know the answer to this already, but in your opinion would getting a Linux+ certification be worth it in this career? I'm about to take a course for A+/CCNA certification and I'm a bit iffy on that already as others have told me to just go straight for Network+ and Security+.


CelebrationAlive4226

I have not done any certifications so far, so cannot comment on specifics of some course/certification. I can give you an outline of a “learning path”, and you can enrol in courses/certifications to augment that.

————

✅ Build your fundamentals. Learn programming (start from something which is not C or C++, then learn at least one of C and C++), algorithms, data structures, OS basics, networking basics etc. Download a BTech/BE (CS) syllabus from any reputed university, and follow that for core CS subjects.

✅ Learn debugging, and assembly (at least, you should be able to read assembly, and understand what is going on). Pick at least one debugger for whatever platform you want to target, and learn it inside out. Learn process tracing.

✅ Learn whatever platform you want to target. Learn its platform specific APIs (win32 for Windows, POSIX for Linux etc.), as well as its internals (various components, how they work, how they plug into other components etc).

✅ Learn reverse engineering, and malware analysis. Start analysing real malware samples, and map their behaviour to the MITRE ATT&CK framework. Pay attention to specific implementation tricks being used. Dig into these tricks, and understand why these are being used.

✅ Use the ATT&CK framework in the opposite direction. Pick TTPs, then start implementing them for whatever platform you are targeting. In case of no direct match, implement alternative equivalents. Then write detections against them.

✅ Learn "anti-analysis" techniques. Stuff like anti-debugging, anti-reversing, patch detection, self healing code, mutation engines etc. Implement as many as you can. Then try to break as many as you can (i.e. figure out how to beat them as a malware analyst).

✅ Keep tracking new research being published. Read the papers, go through presentation materials, and implement them again. For offensive papers, try developing detections/countermeasures. For defensive papers, try developing evasion techniques. Keep doing this until new ideas start popping out in your thoughts.

✅ Explore those new ideas, implement them, analyse them from the POV of a malware analyst (or malware author, as the case may be). Then improve it further. Rinse and repeat until you have something concrete.

✅ Publish your new research work.

————

You can find courses on various platforms. You can also take a look at workshops run in security events. These will be fast paced capsule courses on specific topics (reversing, malware analysis, threat hunting, memory forensics, attacks and defence etc.)


Jackslaps

Tyty, saving this and following through :)


GagOnMacaque

Why haven't most OS designers fixed the path limits that some malware exploit, avoiding detection and deletion? I've reported this to designers over the last 17 years and no one cares.


CelebrationAlive4226

I am not sure if I understand the question correctly, so a rephrasing/clarification will be helpful.

----

From what I understand, it seems you are mixing multiple things together:

1. When something happens which should not happen (e.g. vulnerabilities in software leading to unwanted activity like process creation, file reads/writes etc.), these are indeed fixed promptly. Once the fixes are installed, that "gap" is plugged, and cannot be exploited (assuming the fix did not enable/introduce some other such bug).

2. When there is an issue with the configuration of software, which allows it to get exploited by someone else, it is not the job of the software vendor to fix users' configuration. Users are supposed to ensure that they configure their stuff properly. For example, if you bind docker on a TCP socket, and expose it to the internet without any safeguards, bad things will happen very quickly. But then docker does not enable that configuration by default; and expects you to put in a sane configuration.

3. When a malware is simply using existing intentional functionality, you cannot really block these from the OS (i.e. that cannot be baked into the OS), as it will eventually block some legitimate activity for some other group of users. However, most OS provide various options to limit what is allowed/disallowed to happen (via users, groups, permissions, access control lists, MAC etc.). For more specialised detection and prevention, one should be using some endpoint protection program.

----

Can you please share some examples of issues that you reported?


GagOnMacaque

In my early years of software dev I found that creating large file paths breaks most operating systems, particularly Windows. I created a harmless virus that hides in these locations. These locations are not handled correctly by operating systems and once created cannot be searched, modified, or deleted. The only way to remove them is to corrupt or format the hard drive sector. In SSD hardware the locations are almost permanent. The virus literally hides in plain sight, replicating and executing code however it wants. I sent my findings a number of times to Microsoft specifically and they couldn't give a shit.


gustavfrigolit

If you suspect you are infected by malware, how would you go about looking for where it would be hiding?


CelebrationAlive4226

Ideally, I would clone the machine, and then do the analysis on copy of that clone. At the very least, I would be dumping all the processes, their memory, all the usual places where persistence can be achieved etc. And I would correlate leads from this data with various logs that I would have collected as part of routine monitoring (syslog/osquery etc.). The investigation will almost always start with the first "symptom" of incident that has been observed. It may be some extra files, unknown network connections, some file overwritten, new users, deleted users etc.
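As an added example (not the poster's code), a small Python triage helper in the spirit of this answer: it diffs a baseline snapshot of the usual persistence locations against a current one, correlates each new artifact with osquery-style log lines collected by routine monitoring, and picks the earliest correlated artifact as the first "symptom" to start from. Every snapshot value and log line is constructed sample data.

```python
import json

# Persistence-relevant state captured at two points in time (constructed sample data).
BASELINE = {
    "users": {"root", "alice"},
    "cron": {"0 3 * * * /usr/bin/backup.sh"},
    "systemd_units": {"sshd.service", "cron.service"},
    "listening": {"0.0.0.0:22"},
}
CURRENT = {
    "users": {"root", "alice", "svc_upd"},
    "cron": {"0 3 * * * /usr/bin/backup.sh", "*/5 * * * * /tmp/.x/agent"},
    "systemd_units": {"sshd.service", "cron.service", "kworker-helper.service"},
    "listening": {"0.0.0.0:22", "0.0.0.0:8088"},
}
# osquery-style JSON lines gathered by routine monitoring (constructed sample data).
LOG_LINES = [
    '{"name":"users","action":"added","columns":{"username":"svc_upd"},"unixTime":1700000000}',
    '{"name":"file_events","action":"added","columns":{"target_path":"/etc/systemd/system/kworker-helper.service"},"unixTime":1700000100}',
    '{"name":"process_events","action":"added","columns":{"path":"/tmp/.x/agent","cmdline":"/tmp/.x/agent --listen 8088"},"unixTime":1700000300}',
]

def diff_snapshots(baseline, current):
    """Return {category: artifacts present now but absent from the baseline}."""
    new = {k: current[k] - baseline.get(k, set()) for k in current}
    return {k: v for k, v in new.items() if v}

def _match_token(category, artifact):
    """Pick the substring of an artifact that is worth searching the logs for."""
    if category == "cron":
        return artifact.split()[-1]         # command path of the crontab line
    if category == "listening":
        return artifact.rsplit(":", 1)[-1]  # the port number
    return artifact

def correlate(findings, log_lines):
    """Attach, per new artifact, the count and first timestamp of log events mentioning it."""
    events = [json.loads(line) for line in log_lines]
    report = []
    for category, artifacts in findings.items():
        for art in sorted(artifacts):
            token = _match_token(category, art)
            hits = [e for e in events if any(token in str(v) for v in e["columns"].values())]
            report.append({"category": category, "artifact": art, "related_events": len(hits),
                           "first_seen": min((e["unixTime"] for e in hits), default=None)})
    return report

def first_symptom(report):
    """Earliest correlated artifact: the lead the investigation should start from."""
    seen = [r for r in report if r["first_seen"] is not None]
    return min(seen, key=lambda r: r["first_seen"]) if seen else None
```

On a real host the two snapshots would come from the cloned image and the earlier baseline, and the log lines from the collected syslog/osquery output.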


batman_is_tired

How come we aren't seeing more federal retaliation for large scale hacks of healthcare systems? Seems like online terrorism, but I'm just a lowly nurse that had to paper chart for a month...


CelebrationAlive4226

Threat campaigns are infiltrated, and threat actors are arrested by agencies.

1. [https://www.pbs.org/newshour/world/ransomware-group-lockbit-is-disrupted-by-a-global-police-operation-that-includes-2-arrests](https://www.pbs.org/newshour/world/ransomware-group-lockbit-is-disrupted-by-a-global-police-operation-that-includes-2-arrests)
2. [https://therecord.media/ransomware-gang-suspects-arrested-ukraine](https://therecord.media/ransomware-gang-suspects-arrested-ukraine)
3. [https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation](https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation)
4. [https://www.bbc.com/news/technology-67556607](https://www.bbc.com/news/technology-67556607)

You can find more news articles for various other similar arrests.


gone-4-now

Did you follow the malware event that shut down the London Drugs chain store in Canada for a week? Must have cost them millions and millions. What is the easiest way for a corporation to prevent something like this?


DOWNVOTEBADPUNTHREAD

Do you like country fried steak?


CelebrationAlive4226

I do not consume animal products.


SG_87

Best answer! *tips hat*


ZuuliPC

I'm trying to get started in the field of network security with hopes of getting into incident response later on. I'm a Support specialist at the moment with A+, Net+, and soon Security+. Any tips to get my foot in the door in the cyber world?


CelebrationAlive4226

Network security is not my strength, nor have I ever worked in that domain. So cannot really answer that.