-

What Actually Matters in Authentication Logs
What matters in authentication logs depends heavily on the environment. At the analyst level, the core task is separating signal from noise. The first step is human review to establish what normal looks like for the environment: which users, applications, locations and times are expected. Once alerts are classified against that baseline, automated systems can be tuned to prioritize the threats that are likely genuine.
The main inputs are the account sign-in logs themselves, the multifactor authentication service's logs as a second reference, and IP-context tools such as Spur. In Microsoft Defender the fields that matter most are the date and time, the application type, whether authentication succeeded, and the location. Location is cross-checked with Spur, attachments and links with VirusTotal, and online forums are worth checking for which scams are currently circulating.
Some of the questions I wrestle with when analyzing security logs are:
- Is travel normal for this type of account?
- What is the likelihood a factor of authentication was forged?
- How can I trace the steps a system went through after malicious attachments or links were interacted with?
- What actually happened here, prior to, during, and after the incident?
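One way to turn the baseline-and-travel reasoning above into a first-pass triage, as an added example in Python that is not part of the original page: it takes constructed sign-in events carrying the fields named earlier (time, application, success, location), flags a success from outside a user's baseline countries, computes whether two successive successes imply impossible travel, and flags a success that follows a burst of failures. The event field names, the per-user baseline, the 900 km/h threshold and the coordinates are all assumptions for illustration, not Defender's schema or the author's tooling.

```python
"""First-pass sign-in triage over constructed events (added example)."""
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (not real log data). Field names are assumptions,
# not Microsoft Defender's schema. Coordinates are approximate city centres.
EVENTS = [
    {"ts": "2024-03-04T08:02:00Z", "user": "alice", "app": "Outlook Web", "ok": True,  "country": "US", "lat": 40.71, "lon": -74.01},
    {"ts": "2024-03-04T12:15:00Z", "user": "alice", "app": "Teams",       "ok": True,  "country": "US", "lat": 40.71, "lon": -74.01},
    {"ts": "2024-03-04T12:40:00Z", "user": "alice", "app": "Outlook Web", "ok": True,  "country": "NG", "lat": 6.52,  "lon": 3.38},
    {"ts": "2024-03-04T09:10:00Z", "user": "bob",   "app": "Outlook Web", "ok": False, "country": "RU", "lat": 55.75, "lon": 37.62},
    {"ts": "2024-03-04T09:11:00Z", "user": "bob",   "app": "Outlook Web", "ok": False, "country": "RU", "lat": 55.75, "lon": 37.62},
    {"ts": "2024-03-04T09:30:00Z", "user": "bob",   "app": "Outlook Web", "ok": True,  "country": "US", "lat": 40.71, "lon": -74.01},
]

# Assumed per-user baseline: countries seen during a quiet reference period.
BASELINE = {"alice": {"US"}, "bob": {"US"}}

# Assumed threshold: faster than an airliner means the two sessions cannot
# both be the legitimate user travelling.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(events, baseline, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (priority, user, reason) tuples, per user in chronological order.

    Three checks, all keyed on successful sign-ins:
      - success from a country not in the user's baseline  -> medium
      - implied speed since the previous success > max_kmh -> high
      - success immediately after two or more failures     -> high
    """
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: parse(e["ts"])):
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        last_ok = None
        failures_since = 0
        for e in evs:
            if not e["ok"]:
                failures_since += 1
                continue
            if e["country"] not in baseline.get(user, set()):
                alerts.append(("medium", user,
                               f"success from non-baseline country {e['country']} via {e['app']}"))
            if last_ok is not None:
                hours = (parse(e["ts"]) - parse(last_ok["ts"])).total_seconds() / 3600
                km = haversine_km(last_ok["lat"], last_ok["lon"], e["lat"], e["lon"])
                if hours > 0 and km / hours > max_kmh:
                    alerts.append(("high", user,
                                   f"impossible travel {km:.0f} km in {hours:.2f} h"))
            if failures_since >= 2:
                alerts.append(("high", user, f"success after {failures_since} failures"))
            failures_since = 0
            last_ok = e
    return alerts


if __name__ == "__main__":
    for priority, user, reason in triage(EVENTS, BASELINE):
        print(f"[{priority:6}] {user}: {reason}")
```

The baseline check and the travel check deliberately fire independently: a new country on its own is only medium, because travel can be legitimate, while a sign-in that would require moving faster than an aircraft since the last success is the signal that a factor was forged or a token was stolen, which is the "was travel normal" question above turned into arithmetic.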
Security artifacts blended with experience allow me to paint a story of what actually occurred. My intuition as a first-year security analyst was weak compared to my third year. That's because I became more familiar with pinpointing how the environment worked: which systems were connected, how Microsoft establishes connections, the multifactor authentication protocol, and how our institution's structure yielded an increase in certain types of attacks. Together, these components highlight the story of a given alert. The story is only as reliable as the analyst reading it.
-

What Mapping PCI to NIST Actually Taught Me
Doing a crosswalk between safeguarding standards made it painfully clear that compliance standards will never be enough to keep systems secure. The volume of threats is constant. Governing bodies enforce these standards with the objective of keeping systems safe enough for industry to stay afloat. Adversaries want to exploit systems for personal gain. If an organization is simply adhering to what it is required to do, as opposed to constantly playing defense, it will undoubtedly fall victim.
The game of cybersecurity requires anticipation as well as proactiveness. One needs to be proactive in creating detections, keeping up with current news, keeping scripting skills up to date, and using the technologies available to multiply what an analyst can cover, once the baseline is set with human logic and understanding.
-

When You Can’t Run the Experiment: Security Under Constraints
Months of my devotion were put into a malware analysis project that was to be done under the supervision of my thesis advisor. I researched the malware of interest, the metrics that were important to understand, the tools available for the task, possible areas of concern, and the best practices for creating a strong environment to run my analysis in. Then, I proudly sent an email to the institution's IT department in search of collaboration. My desire was for them either to tell me it was a solid plan and give me instructions on which network would be best to connect to, or to tell me my initial analysis wasn't perfect so that I would get to work with a more senior engineer on why it wasn't. That way my understanding would be strong enough to conduct these analyses in a real-world environment.
The reality of the situation was that I just didn't get a response from my institution's IT department. They sent me to the student-facing IT director, who supported me and thought it was a strong idea, but prohibited me from using my personal device. He instead said the school should be able to provide one, with approval from higher officials, who did not respond to my request at all.
This is the reality of operating in a space where you are the first to do something. The IT department never had to support students in this way because no students in the past had shown interest, so supporting me was of minimal importance. That did not stop me, though. It fueled my fire, with the knowledge that one day I will return to my institution and aid them in creating a comprehensive cybersecurity program for technically inclined students. I kept at my scripting, because regardless of the institution's capacity to support me personally, I support myself fully in this journey. It is only a matter of time before I can source an end-of-life device, segment a portion of the network, and see if my hypothesis regarding the malware is correct.