Hello Everyone! Meet Josh, one of our Security Researchers

Hello Everyone, my name is Josh Rickard and I have just joined Swimlane as a Security Research Engineer. My focus will be around creating new & exciting open-source tooling, interacting with the Security Operations community, and expanding the use cases for automation.

I have previous experience as a System Administrator, Digital Forensics & Incident Response, Windows internals, PowerShell, and Python. Additionally, I have experience with Continuous Delivery, Continuous Integration, and Continuous Availability. You can reach out to me here or via one of the following methods:

I believe that if you have to do a task more than 3 times a week then it should be automated! I asked this on Twitter, but I would like to get everyone’s thoughts here as well.

What’s your biggest daily / consistent task you have to do and want to stop?

Please feel free to reach out to me at any point!


Repetitive task to automate: collecting traffic captures, verifying there is no authenticated traffic to service APIs, and adding the host IP to blacklists. Some of this is automated, but we see alerts in other tools like Snort/Security Onion. Pretty specific. Don’t know if that’s valuable to anyone?


Hey @ejosterberg, welcome! This is definitely valuable information to me! So, if I’m understanding right, the alerts you see coming from Snort/Security Onion have not been automated yet? That is definitely not easy, since most are based on context, but do you have a plan or thoughts on how you would automate it if you could?

Generally curious; I’ve worked with Snort previously but never was responsible for it.

Thanks!

Hi Josh,
My name is Nhan Tran with Perspecta.
My pain is quarterly privilege users audit.
I hope you have tools to automate the capturing of privileged users’ information on Windows and Linux platforms. The users’ accounts may be domain or local. The attributes are full name, account ID, email, active/inactive, roles, rights, last login date, last password change date, manager.
Thanks,
Nhan Tran
ntran@perspecta.com
240-672-3269

Hello @NhanTran, nice to meet you virtually!

Are you wanting to gather information from your endpoints/servers about users that are currently considered privileged users or do you have a list of users (and their attributes) already?

If I’m not mistaken, I believe you want to gather information about who has privileged (Administrator/Domain Admin/etc.) access from your remote systems. If so, then you have a couple of different approaches to consider.

  1. Pull information about users permissions from Active Directory or LDAP (or Azure Active Directory) - depending on your organizational structure.
  2. Run remote commands (e.g. Windows PowerShell or PowerShell Core, SSH, etc.) to gather this information.
  3. Use an in-house tool/product (e.g. EDR, other management tools, etc.) to retrieve this information.

If my organization was a traditional Active Directory shop, then I would first look at all the information I can within Active Directory itself. For example, who is in Domain Admins, Administrators, Backup Operators, Remote Desktop Users, Server Operators, Enterprise Admins, Schema Admins, etc. These are highly privileged accounts (plus more) in an Active Directory environment. Restrict them as much as possible.

On endpoints/servers I would opt for the PowerShell Remoting avenue, but you also need to consider what a “privileged user” account looks like in your environment.

You can also audit your Group Policy objects, but that is a bit harder to explain.

I hope this helps! If you have any other questions (or if I didn’t answer what you were looking for) let me know!

Thanks!
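The two approaches Josh describes (pulling group membership from Active Directory, then checking local Administrators over PowerShell Remoting), as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module, read access to the domain, and placeholder host names in `$Servers`.

```powershell
# Added example (not from the original thread): report the attributes Nhan asked
# for on members of the highly privileged AD groups Josh lists.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Backup Operators', 'Server Operators', 'Remote Desktop Users'
)

$Report = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirect members are not missed.
    # A built-in group may not exist in a given domain, hence the try/catch.
    try {
        $Members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' }
    } catch {
        Write-Warning "Could not enumerate '$Group': $($_.Exception.Message)"
        continue
    }
    foreach ($Member in $Members) {
        # LastLogonDate comes from lastLogonTimestamp, which replicates lazily and can
        # be up to ~14 days stale; treat it as an approximation for the audit.
        $User = Get-ADUser -Identity $Member.distinguishedName -Properties `
            DisplayName, EmailAddress, Enabled, LastLogonDate, PasswordLastSet, Manager
        [PSCustomObject]@{
            PrivilegedGroup = $Group
            FullName        = $User.DisplayName
            AccountId       = $User.SamAccountName
            Email           = $User.EmailAddress
            Active          = $User.Enabled
            LastLogon       = $User.LastLogonDate
            PasswordLastSet = $User.PasswordLastSet
            # Manager is stored as a DN; resolve it to a display name when set.
            Manager         = if ($User.Manager) { (Get-ADUser $User.Manager -Properties DisplayName).DisplayName } else { $null }
        }
    }
}

# One row per (group, user), ready for the quarterly review.
$Report | Sort-Object PrivilegedGroup, AccountId | Export-Csv -Path .\PrivilegedUsers.csv -NoTypeInformation

# Local Administrators on endpoints/servers over PowerShell Remoting
# (Get-LocalGroupMember needs Windows 10 / Server 2016 or later on the target).
$Servers = 'srv01', 'srv02'   # placeholder host names, replace with your own
Invoke-Command -ComputerName $Servers -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Name, PrincipalSource, ObjectClass
} | Export-Csv -Path .\LocalAdmins.csv -NoTypeInformation
```

Diff the two CSVs against the previous quarter's output to spot accounts that gained or lost privilege between audits.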