Daily Archives: January 13, 2019

Ep. 113 – Nutrition Facts for Online Information with Clint Watts

Misinformation is a powerful tool. As we enter 2019 we invite on a fascinating guest, Clint Watts, who has spend his career learning all about how to use it and how it is used. – Jan 14, 2019

Contents Download Get Involved

Download

Ep. 113 – Nutrition Facts for Online Information with Clint Watts

Miro Video Player

Get Involved

Got a great idea for an upcoming podcast? Send us a quick message on the contact form!

Enjoy the Outtro Music? Thanks to Clutch for allowing us to use Son of Virginia as our new SEPodcast Theme Music

And check out a schedule for all our training at Social-Engineer.Com

Check out the Innocent Lives Foundation to help unmask online child predators.

The post Ep. 113 – Nutrition Facts for Online Information with Clint Watts appeared first on Security Through Education.

5 Reasons to Mark a False Positive in ThreatConnect

By taking an intelligence-driven approach, we can start to connect the dots in a more interesting fashion

ThreatConnect allows you to curate almost every facet of your intelligence — including indicator reputation. One of the best ways you can help keep a tidy shop is to flag an indicator as a False Positive (FP) when you encounter it. Notionally we’re all familiar with what this should do: it tells your colleagues (both human and software) that this indicator isn’t actually a threat and can be skipped in your day-to-day analysis.

By taking an intelligence-driven approach however, we can start to connect the dots in a more interesting fashion. Beyond signaling your coworkers, flagging an indicator as a False Positive has some interesting and far-reaching implications. Read on to see what impact you can have across the world with a single button click!

 

1. Decrease in ThreatAssess Score

An indicator’s ThreatAssess Score is greatly affected by the amount of False Positive reported.

Our ThreatAssess algorithm leverages input from users to fine-tune an indicator’s reputation. The most immediate impact of clicking the False Positive button is that it will affect the score of an indicator. On a 1000-point scale, an indicator will drop as it continues to accrue FP votes. This will include votes within your organization, votes across organizations, and account for the age of votes over time!  The ThreatAssess score has an impact on how your team can quickly understand and triage indicators, and can also impact integrations downstream.

 

2. False Positive Filters

Quickly identify which indicators have had FP votes directly from the Browse screen.

As FP votes accumulate on an indicator, there are controls built across the platform to allow you to sort data accordingly. Since FP’s are a valuable form of context around your intelligence, we want to make sure you can access it in meaningful ways that help you inform decisions:

  • Use filters on the Browse screen to remove indicators with FP votes and clean up your workflow
  • Create Dashboard cards to identify which feeds and data sources are resulting in high concentrations of FP’s in your network
  • Leverage our API and integration-based filters to fine-tune your tolerance for suspected FP indicators across your ecosystem

 

3. Global CAL counts

Quickly determine how many FPs have been submitted and how many times an indicator has been observed by global CAL users.

If you’re participating in ThreatConnect’s CAL™ (Collective Analytics Layer), all of the FP votes on an indicator will be sent to be anonymized and aggregated. These totals are what drive the rows you see in the Analytics card on an indicator’s Details Page. This provides valuable insight into how all analysts view an indicator. In addition to informing (and being informed) by your team, you can benefit from the analysis of the entire ThreatConnect user base.

 

4. Feed Evaluation

ThreatConnect’s Intelligence Report Card helps you better understand and prioritize feeds.

CAL doesn’t just count all of the FP votes, it puts them to work. One of CAL’s key uses for FP votes is feed evaluation, in the form of Report Cards. If you’re ever wondering which open source feeds to enable in your system, Report Cards are there to help! CAL computes key metrics of how each feed is performing across the ThreatConnect ecosystem, and your FP votes can help inform the Reliability Score of a feed. As I discussed in our blog post about Report Cards, Reliability Score is a measure of how many, and how egregious, the FP’s are within a given feed. We’re all familiar with the garbage in/garbage out problem, this is one of our best ways of identifying the big offenders!

 

5. CAL Analytics

Drill further down into additional CAL Insights

There are multiple other analytics that CAL runs based on FP votes, each of which could fill its own blog post. CAL incorporates FP votes at a fundamental level into things like indicator reputation, classification, indicator status, and more!  There’s more to consider than just the number of FP votes, so CAL uses its massive dataset and computing power to weigh additional factors such as FP vote timeliness, consensus, and other things we find to be significant.

The more data CAL accumulates, the smarter these analytics get!

 

The post 5 Reasons to Mark a False Positive in ThreatConnect appeared first on ThreatConnect | Intelligence-Driven Security Operations.

Howto install Bitwarden in a LXC container (e.g. Proxmox)

As many of you know me, I’m quite serious about security and therefore a believer in the theory that a service which is not reachable (e.g. from the Internet) cannot be attacked as easily as one that it. Looking at password managers this makes choosing not that easy. Sure there is Keepass and the descendants, but they have the problem that the security is based solely on the master password and the end device security. Knowing friends that use Google Drive for syncing the password file between their devices, I looked at that option, but it was not right for me (e.g. Browser integration, 2FA, …).

Password managers like Lastpass or 1Password are also not the right solution for me. Yes, I believe that their crypto is good, and they never see the passwords of their users, but the 2FA is only as good as the lost password/2FA reset feature is. I’ve read and seen to many attacks on that to rely on it.

All of this leads to Bitwarden, it provides the same level of functionality as Lastpass or 1Password but is OpenSource and can be hosted on my own server. Not opening it up to Internet and using it from remote only via VPN (which I have anyway) make for a real small attack surface. This blog post shows how I installed it within a Proxmox LXC container, which I did to isolated it from other stuff and therefore there are no dependencies, if I need to upgrade something. I don’t like to install anything on the Proxmox host itself. As this is my first try, and I run into a problem with an unprivileged container and docker within it, this setup works currently only with a privileged container. I know this is not that good, but in this case it is a risk I can accept. If you find a solution to get it running in an unprivileged container please send me an email or write a comment.

LXC container

After creating the LXC container (2Gb RAM, >5GB HD) with Debian 9, don’t start the container at once. You need to add following to /etc/modules-load.d/modules.conf

aufs
overlay

And if you don’t want to boot load the modules with

modprobe aufs
modprobe overlay

If you don’t do this your installation will get gigantic (over 30gb). Now we just need to add following to /etc/pve/lxc/<vid>.conf

#insert docker part below
lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:

Now you can start the container and enter it, we’ll check later if all was correct, but we need docker for this.

Docker and Docker Composer

Some requirements for docker

apt install apt-transport-https ca-certificates curl gnupg2 software-properties-common

and now we can add the repository for docker

curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"

and now we can install it with

apt-get update apt-get install docker-ce

The Docker Composer which is shipped with Debian is too old to work with this docker, so we need following:

curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

and add /usr/local/bin/ to the path variable by adding

PATH=/usr/local/bin:$PATH

to .bashrc and calling it directly in the bash to get it set without starting a new bash instance. I know that a package would be better, couldn’t find one, so this is a temporary solution. If someone finds a better one, leave it in the comments below.

Now we need to check if the overlay stuff is working by calling docker info and hopefully you get also overlay2 as storage driver:

Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 18.06.1-ce
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file

Bitwarden

Now we just need following:

curl -s -o bitwarden.sh https://raw.githubusercontent.com/bitwarden/core/master/scripts/bitwarden.sh
chmod +x bitwarden.sh
./bitwarden.sh install
./bitwarden.sh start
./bitwarden.sh updatedb

And now you’re done, you’ve your own password manager server which also supports Google Authenticator (Time-based One-time Password Algorithm (TOTP) as second factor. Maybe I’ll write a blogpost how to setup a Yubikey as 2FA (desktop and mobile) later.