Why you should sit and study for CISSP

Almost every day I see people on social media whining about the antivirus or firewall being outdated, not working, etc.

This puzzles me.

The logs of these security controls show that they work just fine. They detect, block and remove a lot of stuff.

Not everything, but lots of it.

This is how security controls work. They cover lots, but not everything.

The fact that 0days are being found in security software does not change the fact that it offers a huge benefit to any organization that runs an open ecosystem (people can install or run code without any restriction). Imagine the world without it: the internet, and all the services delivered through it, would collapse.

I am starting to think that most people who complain about security controls don’t really understand their function.

Enter CISSP.

I advocate that every single IT security specialist should study CISSP material. You may sit the exam if you want, or not – who cares – but fundamentally, at least eyeball the material to get familiar with the security concepts presented there.

They are the core concepts.

They tell you that the world is NOT perfect and teach you what expectations you should have towards security controls.

They prepare you to recognize threats and manage risk.

They convert you from a techie frog sitting in the comfortable well of your personal interests and hobbies into a professional connected to a real, imperfect world where shit happens on a regular basis, no matter what you do. It’s all about handling it gracefully.

Why PUA/PUP are bad for you a.k.a. the evil of environment fingerprinting

In my post about a sample targeting EDR I mentioned that the sample is a PUA/PUP. Looking at the code of many PUA/PUP/adware samples created in the last few years, it’s easy to see how far they go nowadays in fingerprinting the environment.

This is why many of them should be treated as malware & should not be ignored in ‘business as usual’ IR activities.

In the aforementioned post I listed a couple of the routine names used by that particular sample. All these routines are called one by one, and a final string is generated containing reference numbers associated with each ‘discovered’ piece in the environment.

[Image: fingerprinting]

This is no longer just sandbox detection.

EDR, VPN, AV and other security tools, often the list of updates and hotfixes, the full software list from the registry, etc. are added too. Someone, somewhere populates some large databases with a lot of this ‘goodness’.

One can imagine that this data may be a very valuable piece of information – it could be sold not only to advertisers, software vendors, and even companies whose products are being profiled (competition/market research), but also – of course – on the darker side – to random malware authors and to groups specializing in targeted attacks. If you think about it, a good PUP/PUA campaign could even be orchestrated by the actual BAD guys.

If 0days allow a way in, a database with information about the software in use may simplify and speed up lateral movement. And why bother with all the time-consuming illegal hacking, malware infestation and recon if you can simply deploy borderline software first? Let it populate a huge matrix with lots of information about as many hosts as possible in as many organizations as possible. Such precise information about installed software and deployed countermeasures can then be leveraged to simplify many hacking operations (and targeting).

This is of course scaremongering on my side and a conspiracy theory in the making, but the only reason I am writing this is that if you are ever looking for arguments to treat PUA/PUP as malware, or someone argues that PUA/PUP can be ignored in your AV alerts, then the massive fingerprinting they do nowadays is the big one…