Notices by Taggart :donor: (mttaggart@infosec.exchange)

I don't think I've ever been as incredulous about a technique's efficacy as I am with ClickFix. Like you look at it through the lens of expertise and it seems preposterous—who would think Win+R for a CAPTCHA is legit?

But it works. Users believe it. It's shockingly effective.

I love users, but the degree to which most of them barely comprehend (and are kind of afraid of) what's going on in the thinking sand can't be overstated.

@ryanc @da_667 @Viss I'll try to whip that one into shape soon. Here are a few other toys I cobbled together, including SSH session spying and instakilling shells from service accounts. https://codeberg.org/mttaggart/bluebpf

@Viss I wasn't thinking about hardware, but maybe. I was more in the space of like, an aggressive software tripwire that fires off the fallback defense in the event that EDR is tampered with or some other condition.

@Viss To be really clear, I am talking about computers not physical defense.

I was thinking more about something that does better than EDR at getting good data going, and that isn't where the TAs will look to kill. Something that kicks off packet capture and like Velociraptor under certain conditions.

@Viss Additional context: our response time is good enough that I often find myself in knife fights with the TA on a system. But there's lots of room for improvement. I want to increase visibility on the field and make the terrain actively hostile to the adversary without them knowing it.

@Viss I don't disagree, but "if they're good" is not most of the time (at least in my world), and then we're in perfect as enemy of the good territory. I really do think there's value in a more deceptive approach to active defense.

@da_667 @Viss I was playing with eBPF to lie to attackers about data. So like, you run ps aux as anyone but root, you just get nonsense back. That's Linux-specific, but there are a lot of possibilities there since you can intercept function returns as a kernel feature

@da_667 @Viss Now we're talkin'

There's this scene in "The Rock," (I know) I think about way more than is reasonable. One of the bad guy Marines is showing off his custom motion detector that presents as a laser interrupt system, but is actually a vibration detector that will be disturbed when an adversary tries to cut the laser.

I'm thinking a lot about a sort of "Dead Man's Switch" for defense. I've long theorized about such a mechanism for ransomware, but never seen it in practice. For defense, I like the idea of a response system that doesn't require the ping-pong of SOAR.

@Viss Hahaha I meant like...endpoint defense, but yeah! Home Alone style.

So many vendors have killed RSS and/or Cloudflared their stuff that maintaining visibility keeps getting harder. But I won't give up without a fight.

Oh neat, intel.taggartinstitute.org caught today's Apple patches with the custom web scraper!

@GossiTheDog @brahms Better for whom? Seriously, what obligations would one fulfill by unorganized, performative protest?

Who's more moral?

• The person who implodes job opportunities by being stridently outspoken in fora where those opinions fall on deaf ears, thereby imperiling themselves and their family

• The person who organizes with others and uses their position and income to empower effective resistance?

I agree individuals should take action. I just don't think posting online has many upsides for most, and plenty of downsides.

@GossiTheDog @brahms Well now we're back to expectations. LinkedIn is a clambering mass of the desperate looking to claw their way up over others. Seeking water in the desert, looking for moral courage on that hellsite.

@GossiTheDog @brahms I'm seeing lots of folks, including you and me, reacting negatively to this. I guess you mean people inside companies that do business with the US government? Individuals without organization are very easy targets for regimes, and what they accomplish by individual action is outweighed by potential harm.

Let's say I work for a cybersecurity company that does business with the federal government. Now let's say I publicly protest the the treatment of Chris Krebs (which, btw, I personally have done, but I don't meet the first condition). I am fired for my actions. I have caused harm to my family and myself by my actions, and made no impact on the effective power of the regime. Perhaps I've satisfied some deontological imperative, but that's a whole other can of beans.

Organization precedes effective action. If you are concerned about performative protest, individual action without impact should fall into that category.

But all this is between other goalposts than the OP, which was about the corporate entities.

@GossiTheDog @brahms This is an incredibly easy thing to say when the Eye of Sauron does not risk pointing at you. There's a reason resistance movements have covert arms.

Also, I think it's worth distinguishing "people" from "companies," which is the point here. Do you want Mandiant, for example, to condemn this action by the President, and forfeit its government business? I would love to see that, but I have no reason to expect it. And just as with lawfirms, every security company is now in a twisted Prisoner's Dilemma. What's more, public companies are bound by fiduciary duty, not morality. I do not particularly enjoy this reality, but I must acknowledge it rather than wait for a corporate superhero to stand up to the regime.

There are moral, upstanding people in the cybersecurity industry.

This does not make the cybersecurity industry moral and upstanding.

Many of us arrived in infosec because we wanted to protect people. Protecting others often invites risk to ourselves. "Smart" businesses do not invite risk.

You can not and should not expect anyone who can profit from the regime to stand up to it.

We are all about to get really good at maintaining old computer equipment.

@cR0w @buherator I wish a company that decided to rebuild their edge device code in Rust would be handsomely rewarded by the market, but I know that almost nobody actually cares about these vulns, and even fewer about true systemic fixes.

Today's CISA release has one big takeaway for me:

Establish. DNS. Authority.

If you can see and stop DNS queries in your environment, this "technique" is cut off at the knees.

In fact, I'd say DNS data is one of the most valuable telemetry sources you can collect as a defender. But DNS authority also means forcing your assets to use DNS servers of your choosing. If hosts can pick Quad 8 or whatever, you can see the query, but you can't stop it. Same goes for DNS-over-HTTPS.

Between DHCP, host, and firewall configuration, guarantee that all DNS queries in your network lass through a resolver under your control.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-093a