Think Like a Green Beret: Problem Solving | Loadout Room

This article has a good example of the right mindset. I'm finding more and more that having the right focus, the right mindset will take you further and help you in a small team environment.

Many times, military problems must be solved with the application of force. Green Berets are not afraid to get their hands dirty, but they understand the power of working with and through others.

/

osascript: for local phishing

A little digital foo for the Saturday: osascript.

FuzzyNop wrote:

Lately I've been finding myself on victims' laptops and they have all been OSX. I found that instead of key-logging I could simply prompt the end user for whatever password I needed using AppleScript.

The way we do this is with osascript, Apple's built-in executor for AppleScript and other OSA (Open Scripting Architecture) languages. AppleScript provides a convenient way to interact with GUI elements within OSX, so this little trick is likely only scratching the surface of what is possible.

So straight to it, the command I'm using to do this looks like this:

osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'

Follow the link to read the whole article.
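
Added example, not from FuzzyNop's article or from this blog: the command line above carries its own signature, an osascript call whose inline script combines display dialog with hidden answer, so a defender can hunt for it in process-execution logs. The event tuples, labels and function names below are constructed for illustration.

```python
import re
import shlex

# Constructed sample records (label, parent process, command line), not real telemetry.
SAMPLE_EVENTS = [
    ("t1", "Terminal", "osascript -e 'tell app \"Finder\" to get name of startup disk'"),
    ("t2", "bash", "osascript -e 'tell app \"System Preferences\" to activate' "
                   "-e 'tell app \"System Preferences\" to display dialog \"Software Update "
                   "requires that you type your password to apply changes.\" default answer "
                   "\"\" with icon 1 with hidden answer with title \"Software Update\"'"),
    ("t3", "launchd", "/usr/bin/osascript /Library/Scripts/backup.scpt"),
    ("t4", "cron", "osascript -e 'display dialog \"Backup finished\" buttons {\"OK\"}'"),
]

DIALOG = re.compile(r"display\s+dialog", re.I)
HIDDEN = re.compile(r"hidden\s+answer", re.I)
LURE = re.compile(r"passw(?:or)?d|passphrase|credential", re.I)
OWNER = re.compile(r'tell\s+app(?:lication)?\s+"([^"]+)"\s+to\s+display\s+dialog', re.I)

def inline_scripts(cmdline):
    """Return the AppleScript passed with -e, or None if this is not osascript."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:            # unbalanced quotes in the log line
        argv = cmdline.split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "osascript":
        return None
    return [argv[i + 1] for i, arg in enumerate(argv[:-1]) if arg == "-e"]

def indicators(cmdline):
    """List the credential-prompt traits found in one command line."""
    text = "\n".join(inline_scripts(cmdline) or [])
    found = [name for name, rx in (("display dialog", DIALOG),
                                   ("hidden answer", HIDDEN),
                                   ("password wording", LURE)) if rx.search(text)]
    owner = OWNER.search(text)
    if owner:                     # which application the dialog is presented as
        found.append("shown as " + owner.group(1))
    return found

def detect(events):
    """Alert when osascript opens a dialog whose answer field is masked."""
    alerts = []
    for ts, parent, cmdline in events:
        found = indicators(cmdline)
        if "display dialog" in found and "hidden answer" in found:
            alerts.append((ts, parent, found))
    return alerts

print(detect(SAMPLE_EVENTS))
```

Only inline -e scripts are inspected; a script file such as the one in record t3, or a multi-line tell block, needs the file contents or a broader pattern.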

/

Red Teaming the Plans

One of the most important things you can do when you have a plan is to make sure it will survive Mr. Murphy, to the best of your effort.
We've talked about this many times in the blog, but here's a small brain dump of what Red Teaming the plans would look like. Your mileage may vary, though, depending on the plan.

Once you have a plan in place, bring in your team and identify the risks, threats and vulnerabilities.

  • Risk: is the likelihood of being targeted by a given attack.
  • Threat: is what could happen.
  • Vulnerability: is the weakness that an adversary will exploit to make the attack successful.

Translated to the plan: what could break the plan, how and by what.

There are three steps to follow now.

  1. Identify the key aspects of the plan.
  2. Identify threats most likely to impact those parts of the plan.
  3. Determine the vulnerabilities that might make those threats real.

Start by listing the most important parts of the plan, those parts that would cause it to fail if they don't happen. Rank them by criticality:

  • Critical: the plan will fail.
  • Essential: the plan might fail but you can still run a contingency.
  • Non-Essential: good to have, but if it doesn't happen the plan will still succeed.

Write them on a whiteboard and make a table listing each one by criticality ranking.

Next, ID the threats. Ask questions like: What can happen? When? What is most likely to happen? How? Write the questions and the answers next to each part identified. Give a probability rank to those threats:

  • High: this will most likely happen.
  • Medium: there is a chance of this happening, but we have mitigating controls.
  • Low: it will rarely happen.

You should now have in front of you a table with the most important parts of the plan, how critical they are, and the threats to those parts marked by probability. You can already begin to see the parts that are most likely to fail and how important they are.

The next step is thinking about the vulnerabilities. Which of the threats identified above have the greatest likelihood of disrupting the plan? How? What is the thing that can break that would cause that threat to become real? Things like equipment failure due to batteries, weather causing traffic and delaying execution, etc.

Add them to the table you are drawing.
You should have, at this point, a clear picture of the things that could go wrong with the plan.

Now focus on the critical parts and high probability threats. Discard for now anything else. List the possible solutions for those and add them to the plan.

When you are done, bring the 10th man. Bring an external party and show him/her the entire plan. Check what he/she can see. Now you are ready.

Remember Rule 29: If you’re happy with your security, so are the bad guys.

Oh, and don't forget to play with the CARVER Matrix.

Cyber Defense Review

Here's a new blog with interesting information for red teamers. The new website is sponsored by the Army Cyber Institute and U.S. Marine Corps Forces Cyberspace Command (MARFORCYBER).

If you put aside the overuse of the "C" word, it's a good place to go get information.

/

Extra quote of the day

"Money doesn't necessarily buy you a true state of security. It is the method by which you approach it and the culture you create. From that you can build a strong security program."

-- Mike Walls

/

Quote of the day

"It is about creating a vigilant and aware employee on what the threats are and what is going on, bringing to light what the actual threats are, who is looking to gain data and what tactics they are using. If we can do this and create a more knowledgeable and aware workforce, then we have just mitigated the vulnerability and potential for an incident in a huge way because 80% of the breaches happen when the bad actor exploits the person at the keyboard."

-- Mike Walls

Is it time to adopt a military-style approach to cyber security? | Networkworld

Sent by DM, a longtime reader. Linda Musthaler made some good points when she talked to Mike Walls.

He also stresses the human aspect of the process. "Human interaction is absolutely critical in my opinion," says Walls. "Automation is important – you can't do this stuff without automation, there is no question about that – but my personal experience with a cyber warfighting context is that if you don't have analysts with the right skillsets really looking at those 2% of events that are anomalous behavior, you are going to miss something. And when I say a warfighting context, I'm talking about fighting very worthy adversaries, not just a bunch of criminal hackers."

...

Companies need to have a security mindset, says Worden. "I'm not talking about technical stuff or software or configurations. I'm talking about protocols and behaviors within your business and among your employees. There are a lot of things in today's environment that people need to be mindful of. I am impassioned about education and training and awareness. In the military we call that OpSec or operational security. It is about creating a vigilant and aware employee on what the threats are and what is going on, bringing to light what the actual threats are, who is looking to gain data and what tactics they are using. If we can do this and create a more knowledgeable and aware workforce, then we have just mitigated the vulnerability and potential for an incident in a huge way because 80% of the breaches happen when the bad actor exploits the person at the keyboard."

/

Patrick Rhone: Situational Awareness

One of the ideas that pops up in almost every lesson in military training is that extreme attention to detail matters. That in every situation, focused and unbroken awareness matters. That, in the worst cases, it is the difference between life and death. And so this level of attention to detail is stressed at every turn.

A very short, non-technical and to-the-point post by one of our friends.

/