
Brianne Fahey


diagram

Defending with Graphs

July 21, 2019 by Brianne

Visualizations are powerful. When talking about data relationships, graphs are of keen interest. This spring I spent 4 months building out an idea and writing a whitepaper that is now published on the SANS Reading Room.

The paper is called Defending with Graphs: Create a Graph Data Map to Visualize Pivot Paths.

How about a two-sentence synopsis?

The tl;dr is that there are several well-developed examples of attackers thinking in graphs (see John Lambert’s article) and room for more ideas for how to defend with graphs. I wanted to demonstrate a use case for security defenders building a graph data map representation of their environment and querying it to improve their ability to respond quickly and directly to an incident.

A look at an image from my results.

I hope you will peruse this work and find it useful. It builds on the work of several researchers, developers, and thought leaders including Chris Sanders’ pivotmap tool, Colin O’Brien’s grapl platform, and Olaf Hartong’s ATTACK datamap tool.
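A small illustration of the graph data map idea from the synopsis above, added here as an example and not taken from the whitepaper or the tools it builds on: log sources and the field types they record form a graph, and a breadth-first search returns the shortest pivot path between two field types. The source names and fields in DATA_MAP are constructed, and the function names are hypothetical.

```python
from collections import deque

# Constructed data map: each log source and the field types it records.
DATA_MAP = {
    "firewall": {"src_ip", "dst_ip", "dst_port"},
    "dhcp": {"src_ip", "mac", "hostname"},
    "edr": {"hostname", "process_hash", "username"},
    "proxy": {"src_ip", "url", "user_agent"},
    "hr_directory": {"username", "employee_id"},
    "badge_reader": {"badge_id", "door"},  # shares no field: a pivot gap
}

def build_graph(data_map):
    """Bipartite graph: each source node links to the field nodes it holds."""
    graph = {}
    for source, fields in data_map.items():
        for field in fields:
            graph.setdefault(("source", source), set()).add(("field", field))
            graph.setdefault(("field", field), set()).add(("source", source))
    return graph

def pivot_path(data_map, have_field, want_field):
    """Shortest field/source chain from have_field to want_field, or None."""
    graph = build_graph(data_map)
    start, goal = ("field", have_field), ("field", want_field)
    if start not in graph or goal not in graph:
        return None
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:  # walk parents back to the start
                path.append(node[1])
                node = parents[node]
            return path[::-1]
        for nxt in sorted(graph[node]):  # sorted for repeatable output
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None  # no shared fields connect the two: a visibility gap

def sources_on_path(path):
    """The log sources an analyst queries, in order, along a pivot path."""
    return path[1::2]

if __name__ == "__main__":
    path = pivot_path(DATA_MAP, "dst_port", "employee_id")
    print(" -> ".join(path))
```

A `None` result is as useful as a path: it marks two data sets that cannot be joined during an incident without adding a shared field or a new source.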

Filed Under: Data and Analysis, Featured, Technology Tagged With: chris sanders, colin obrien, diagram, graph database, olaf hartong, pivot, sans, visualize, writing

Space to Work

March 16, 2018 by Brianne

There are a lot of influences on an event. Each of us has our own set of internal and external forces working on us as well.

My goal is to be able to draw from my headspace or my heartspace.

You know those days when your senses tingle to lead you to your lost keys and there’s no actual logic or reason to your discovery?  That’s your heartspace. Your intuition, instinct, and natural internal abilities drive from the heart.  You can close your eyes and lead from your heartspace with nothing but an idea and some imagination.

At other times nothing but numbers drive what you do next. You work smart with the tools you have at hand. You follow a procedure and endeavor to produce predictable results. You make a plan based on the likeliest outcome and use a tried and true technique to get there.  Some days you don’t want to chase a guess so you follow a trusted formula and lead with your headspace.

Both of these methods are good methods.  Finding a blend is even better.

I’m really in The Zone when I can work from both my headspace and heartspace. If I can build a plan based on the research, pay attention to the fails and the changes and then pivot into a new idea or a variation on the primary, I can persevere. Work with your peers and mentors, and dig into your headspace and your heartspace. Make questions and find answers and keep trying – be it forward, backward, or sideways – till you get your conclusive point.

 

I put together the above image with my free trial of MindJet Mind Manager 2018.  I consider this a Venn diagram of the things that live within my own headspace and heartspace.

Find a Zone that works for you and build up your material understanding and experiential inclinations to grow it and support it.

Filed Under: Featured, Knowledge Tagged With: connections, curiosity, diagram, learn, mindjet, mindmap, plan, visualize

Reputation by Site

March 10, 2018 by Brianne

Websites can get a reputation from the material they contain, the company they feature or attract, as well as from the internet reputation machines that scan and crawl them. My hypothesis is that if I can do some legwork to positively impact the machines and databases of the internet, it will help buy goodwill and trust that helps bridge into a more positive personal reputation.

What do the internet respectability engines think about BrianneFahey.com?

I like to come to a conclusion from an aggregate of data, so let’s check a few different options and put together a story of my website’s reputation. Two of the common sources of website safety information are included in the anti-virus and computer protection packages from McAfee and Symantec/Norton.  Having one of these programs installed allows you to see some immediate feedback when you search for a website before you go to that site. It’s like looking through the peephole before deciding whether to open the door.

I would definitely be more comfortable visiting a site with a green check mark than a grey question mark or that evil red x. I installed the browser extension for both McAfee WebAdvisor and Norton Safe Search and navigated to BrianneFahey.com.  Both plugins are greyed out, and when I mouse over them, they indeed say they are registering no reputation feedback. I’m relieved to not have to overcome any negative reputation marks, but to get to green we need to fill in this blank slate with facts.

The good news is that my reputation is mine to influence at this point.

Web crawlers can use the information posted on the site including text and images and other files to rank you, but they are not sentient so they may not be able to determine the intent of your site.  It’s up to you to convince them that you have good intent and wish no harm on the people of the internet and you deserve a green check mark. My plan to establish a good reputation involves visiting the machines that are generating, collecting, and providing this information to make sure they are understanding my intent.

Review and Correct the Reputation and Categorization

Internet filters and proxies can rely on website categorization to determine what blocks of URLs to allow and what blocks to deny. You can review what the engines have categorized your site as and suggest a more appropriate category. If you start a small business and create a quick website – you need to be aware of whether entire enterprises are being blocked from viewing your website inside their corporate network because it is misclassified as Gambling or Adult/Mature Content or worse. There is some risk in being unclassified as well, because some filters might be set to block unclassified or very new sites by default to protect themselves from domain generation algorithms (DGAs) that spin up domains that disappear within weeks to facilitate phishing attacks. You’re going to want to review the available categories and their definitions to make the most appropriate choice, as any petitions to recategorize a site will be reviewed before they are accepted.

  • Symantec Norton SafeWeb
    • I registered as the owner of my site and Norton sent me an email with a method to validate.
  • Symantec BlueCoat Web Pulse
    • BrianneFahey.com was initially categorized as “Search Engines/Portals”.  I submitted a request to have it classified as “Personal Sites” and “Computer/Information Security”.
  • WebSense ForcePoint
    • BrianneFahey.com was initially uncategorized. I submitted a request to have it classified as “Societies and Lifestyles: Blogs and Personal Sites”
  • Trend Micro Site Safety Center
    • BrianneFahey.com was initially categorized as “Untested” and “Newly Observed Domain”. I requested the site be retested and submitted that it be classified as “Personal Sites” and “Computers/Internet”.

Check the Pulse

Websites change and reputations evolve. It’s a good idea to regularly check in on your site’s ratings and feedback. A simple way to have the web checked for you is to set up Google Alerts for your domain and name.

Beyond the sites and tools mentioned above, here are a few other open sources of intelligence (OSINT) tracking website reputation and safety.

Website Name Potential Feedback
URL Void
Virus Total
Google Safe Browsing
RiskIQ Passive Total

Good luck protecting your web domain’s reputation!

I like to go through an exercise of putting thoughts into a visual model that makes sense while I’m working through something. Time does not always allow (and alert queues are not always forgiving) but it leaves me with clarity and an easier ability to repeat a procedure if needed. I’m utilizing a 30-day free trial of Mindjet MindManager 2018. It is fantastic, but pricey for individual home use so I’ll evaluate my needs and priorities and I will miss it when it’s gone. I made use of MindManager by assembling a visual procedure to summarize the steps described in this post.

 

Filed Under: Applied Security, Featured Tagged With: diagram, domains, forcepoint websense, google, hypothesis, learn, mcafee, online safety, osint, procedure, riskiq passive total, symantec norton, trend micro, urlvoid, virustotal, visualize

Find a Flow

February 16, 2018 by Brianne

If you can see it, you can get to it.

When I think through the parts of an event analysis, I look to put things in order and in perspective on my way from a hypothesis to a conclusion. Putting together a thought outline that works for me was a good excuse to test out LucidChart.

In my example, I start by enumerating the actor’s profile and the activity that generated a signal.  If I can source, trace, and verify the details pulled out of the logs to connect activities to an IP or a piece of hardware or an application or a procedure or an owner, I can work to build out the story and resolve my questions. When the case requires input from an investigation partner like human resources, you’ll have a solid frame of notes and findings to rely on for that discussion.

One of the reasons I chose this scenario as an example is that I believe a successful analysis is a complete analysis. Thorough, of course – to your personal quality level, but not necessarily ending in the proving out of malicious activity. Vetting that activity can be anomalous and still acceptable is a decent outcome.

You don’t have to catch a bad guy to do a good job.

Build a structure that works for you.  Once you establish your flow and create a template, you’ll start to save some time without sacrificing quality. Find your flow and go catch yourself some answers.

Filed Under: Applied Security, Featured Tagged With: analysis, diagram, lucidchart, procedure, visualize


© 2023 · P. Brianne Fahey, Cyber Threat Analyst