Antivirus is Bad

What is Antivirus/AV/NGAV? Is AV “useless”? What AV should I use? I’ve been asked all of the above by non-IT and IT users. Usually they fall into two groups. Either AV is useless or AV is the only security required. As usual, the truth is more nuanced. AV is an often unappreciated foundational security control for endpoints. What is the purpose of AV? AV is a scalable platform to block known attack methods/artifacts that increases the cost of attacking and persisting on an endpoint....

27 July, 2022 · 3 min · 462 words · JD

HSTS and Preloading

HSTS directs the browser to use HTTPS for certain domains (optionally subdomains). This mitigates some MitM attacks by upgrading HTTP connections to HTTPS. HSTS Preloading The native implementation of HSTS communicates the HSTS policy to the browser via an HTTP response header Strict-Transport-Security: max-age=31536000; includeSubDomains. HSTS requires a user to visit a website once before HSTS protection is cached. But what if HTTP is used on the first visit or a user clears their cache frequently?...

24 June, 2022 · 2 min · 272 words · JD

Egress Filtering

Summary Egress filtering limits traffic leaving the network perimeter. Why? Egress filtering is good security architecture as it prevents computers on the network from sending unwanted traffic to the internet. Limiting the attack surface protects against low-skill opportunistic attacks while reducing the breadth of things to monitor: C2 communication; exposing information to attackers, e.g. stealing NetNTLMv2 hashes by coercing a client to authenticate to an attacker-controlled SMB share. Network traffic analysis solutions such as Elastiflow can provide data on ports/IPs being used....

18 May, 2022 · 2 min · 244 words · JD

Wpad Security

What is WPAD? WPAD stands for Windows Proxy Auto-Discovery. It is a protocol to obtain the URL for a PAC file. WPAD uses the following methods in order to discover the PAC file URL: DHCP, DNS, WINS, LLMNR, NetBIOS, Hosts, Lmhosts. The PAC file tells the host where to direct network traffic. This is usually used to force traffic through a web proxy. Why is it insecure? When DHCP or DNS is misconfigured or not configured, an attacker can provide the client with a PAC file that directs traffic to a compromised server....

20 March, 2022 · 1 min · 203 words · JD

Remote Credential Guard

Summary RCG protects admin credentials by ensuring they are not passed over the network to the target device. Details Clients with RCG enabled do not send primary credentials to the target machine. This mitigates the risk of stolen credentials if the target is compromised. In RCG, the client LSA acts as a reverse proxy for ticket requests from the target. Hence, the target never needs to store primary credentials. RCG will not allow NTLM fallback....

19 March, 2022 · 3 min · 459 words · JD