Securely Insecure


Monitoring and Alerting with SGT and StreamAlert - Part 1

Published at February 17, 2018 ·  5 min read

SGT is focused on managing Osquery endpoints and collecting data. StreamAlert is focused on ingesting data, processing it and alerting. Together, these two systems form an amazingly powerful monitoring and alerting stack which can scale from tiny environments of a few systems to thousands of endpoints across an entire company’s production and corporate infrastructure. In this series of posts, I’ll walk through how to set both projects up, gather some data from our endpoints and write some alerts to notify when certain events are triggered....

Deploying Osquery Part 2 - The basics, cont.

Published at December 10, 2017 ·  5 min read

Welcome to part 2! In part 1 we looked at the first part of the osquery configuration and the options used to set osquery’s behavior. In this post, we’ll finish up looking at the config so we can move on to more interesting things in subsequent posts! Schedule Next up is the “schedule” section. Once again we’ll clean out the comments, since we can comment in the blog instead....

Deploying Osquery Part 1 - The basics

Published at December 3, 2017 ·  7 min read

Getting started with osquery Ok, so you’ve done some quick reading or perhaps someone told you about how friggin awesome osquery is and how they’ve used it to solve world hunger in their new fancy startup. Maybe you read a cool article on <random infosec news site>. Osquery sounds really awesome and you’re ready to go hog-wild. Let’s DO THIS!! Perfect. That’s what this series of blog posts is for....

Lambdabot

Published at November 27, 2017 ·  2 min read

TLDR: Serverless slackbot deployed via a python terraform wrapper. git clone https://github.com/securityclippy/lambdabot.git cd lambdabot cp lambdabot_config.json.example lambdabot.conf edit lambdabot.conf with your specific info and save python3 manage.py --apply TL: Recently I’ve found myself with a number of projects that could really benefit from an easily accessible method of interaction. Typically this interaction takes the form of a command line program with one or two inputs, which then runs some form of a lookup, transform or other process....

Holiday Hack 2015, Part 3

Published at January 15, 2016 ·  2 min read

Gnome in Your Home - The 2015 SANS Holiday Hack Challenge Part 3: Let it Gnome! Let it Gnome! Let it Gnome! Internet-Wide Scavenger Hunt Answer these two questions: 5) What are the IP addresses of the five SuperGnomes scattered around the world, as verified by Tom Hessman in the Dosis neighborhood? 6) Where is each SuperGnome located geographically? Part three of the HHC is really barely worthy of its own post, but here it is....

Holiday Hack 2015, Part 2

Published at January 12, 2016 ·  3 min read

Gnome in Your Home - The 2015 SANS Holiday Hack Challenge Part 2: I’ll be Gnome for Christmas: Firmware Analysis for Fun and Profit Answer the following: 1. What operating system and CPU type are used in the Gnome? What type of web framework is the Gnome web interface built in? 2. What kind of a database engine is used to support the Gnome web interface? What is the plaintext password stored in the Gnome database?...

Holiday Hack 2015, Part 1

Published at January 10, 2015 ·  6 min read

Gnome in Your Home - The 2015 SANS Holiday Hack Challenge Our first tasks: Answer the following Which commands are sent across the Gnome’s command-and-control channel? What image appears in the photo the Gnome sent across the channel from the Dosis home? After obtaining our pcap from Josh Dosis, it’s time to do a quick analysis of what’s in our pcap! Opening the pcap in wireshark, a few things immediately jump out....