David Brenner Jr's Random Things

In January 2020 I learned about the results of a contest at DEFCON 2019 where hackers were challenged to come up with counter-offensive solutions to machine learning. One prize winner proved that machine learning could be 100% evaded by mimicking the behaviors of software that produce whitelisted events, and further proved that any whitelisting in machine learning is a vulnerability. Unfortunately I haven't found an exact source for this information. Simply removing the capability to perform whitelisting on an endpoint usually doesn't change the base code of software that uses machine learning since whitelisting (or ignoring patterns found in machine data from an endpoint) is done prior to ingesting machine data used for training. Alternatively I would argue that any kind of function that ignores input or filters input (like regex) from a user is whitelisting. Do you have a suggestion about how to improve this blog? Let's talk about it. Contact me at David.Brenner.Jr@G...

You can investigate suspicious activity that could be a zero-day attack by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data: General system-wide error messages from /var/log/syslog Auditing logs of application rulesets Auditing logs of security contexts Auditing logs of login attempts from /var/log/auth.log Auditing logs of user management or group manageme...

You can investigate escalated privileges by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data from Category #1. Ingest one or more of the following machine data from Category #2. Category #1 General system-wide error messages from /var/log/syslog Auditing logs of application rulesets Auditing logs of security contexts Auditing logs of login attempts from /var/log/aut...

You can investigate suspicious activity that could be distributed denial of service by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest the following machine data: Application specific logs from /var/log Raw dumps from sniffing at Layers 2-3 Raw dumps from /proc of kernel data structures Raw dumps of kernel routing tables General system-wide error messages from /var/log/syslog D...

You can monitor application behaviors by collecting relevant machine data from your endpoint. You can use the machine data to investigate suspicious activity and create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data from Category #1. Ingest one or more of the following machine data from Category #2. Category #1 General system-wide error messages from /var/log/syslog Auditing logs of application rulesets Auditing logs of security contexts Auditing logs of ...

You can investigate suspicious activity that could be a behavior anomaly by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data: General system-wide error messages from /var/log/syslog Auditing logs of application rulesets Auditing logs of security contexts Auditing logs of login attempts from /var/log/auth.log Auditing logs of user management or group manage...

You can investigate suspicious activity that could be Advanced Persistent Threat (APT) by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data from Category #1. Ingest one or more of the following machine data from Category #2. And ingest one or more of the following machine data from Category #3. Category #1 General system-wide error messages from /var/log/syslog Auditing logs of app...

You can investigate suspicious activity that could be fileless malware by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data from Category #1. Ingest one or more of the following machine data from Category #2. And ingest one or more of the following machine data from Category #3. Category #1 General system-wide error messages from /var/log/syslog Auditing logs of application ruleset...

You can perform forensics investigations of suspicious activity by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data: General system-wide error messages from /var/log/syslog Auditing logs of application rulesets Auditing logs of security contexts Auditing logs of login attempts from /var/log/auth.log Auditing logs of user management or group management ...

You can investigate suspicious activity in your network traffic by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data: Application specific logs from /var/log Raw dumps from sniffing at Layers 2-3 Raw dumps from /proc of kernel data structures Raw dumps of kernel routing tables General system-wide error messages from /var/log/syslog Do you...

You can investigate suspicious activity that could be a network attack by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data from Category #1. Ingest one or more of the following machine data from Category #2. And ingest one or more of the following machine data from Category #3. Category #1 General system-wide error messages from /var/log/syslog Auditing logs of application ruleset...

You can investigate suspicious activity that could be polymorphic malware by collecting relevant machine data from your endpoint. You can use the machine data to create your own analysis. Before you start your investigation you will need to determine normal activity on your endpoint. Normal activity is the scope of functionality of the software on your endpoint during periods of low activity and high activity. You will need some kind of software that periodically collects specific machine data from your endpoint like my software developed in Python that's available for free download at https://github.com/davidbrennerjr/server-stats-collector Ingest one or more of the following machine data from Category #1. Ingest one or more of the following machine data from Category #2. And ingest one or more of the following machine data from Category #3. Category #1 General system-wide error messages from /var/log/syslog Auditing logs of application rule...

Machine data is information automatically generated by computer software in the form of a log message, debug message, error message, or status message, as a response to an event. Usuallly the information was generated for the purpose of troubleshooting computer software and computer hardware. Machine data includes informative information about the performance of an operating system from services and processes like package management, resource utilization, and network management. AWS Logs Informative data from support service monitoring, alarms and a dashboards for metrics, and can also track security-relevant activities, such as login and logout events. Authentication Authentication data can help identify users that are struggling to log in to applications and provide insight into potentially anomalous behaviors, such as activities from different locations within a specified time period. Firewall Firewall data can provide visibility into blocked traffic in case an applicatio...

Principal Component Analysis (PCA) is a common technique in statistical analysis, widely used for pattern recognition, data compression, image preprocessing, signal-noise analysis, and high resolution spectrum analysis. Principal Component Analysis transforms a group of activites into a set of unique components, where each component has a numerical degree of distance and relatedness from an agreed on centered component. The first component has the largest possible variance (it accounts for most of the variability in the group). Each succeeding component has the highest variance that is orthogonal to the preceding components. The transformation of the group proceeds linearly from a group with a high degree of dimensionality to a group with a low degree of dimensionality of which the components of the group with a low degree of dimensionality are uncorrelated. Principal Component Analysis is also used in the forecast of a most likely outcome through time-series analysis and regress...

Network attacks can be divided into two main categories, active attacks and passive attacks. Active attacks involve a malicious actor actively manipulating the design of a network in order to exploit some sort of vulnerability in a targeted endpoint. Active attacks involve things like packet generation, code injection, man-in-the-middle, and denial of service. Passive attacks involve a malicious actor staying hidden while reading and saving information of interest exchanged by various nodes on a network. Passive attacks include things like traffic analysis, traffic sniffing, and key logging. Active Attacks Packet Generation: Replay Attack, Masquerading Code Injection: 0-day Attack, Malware, Spyware, Phishing Packet Alteration: Man-In-The-Middle, Session Hijacking Service Compromise: Denial of Service, Distributed Denial of Service, SQL Injection Passive Attacks Eavesdropping & Interception: Traffic Analysis, Traffic Sniffing, Key Logging

In the generalized sense an attack vector is a path or means by which a hacker can gain unauthorized access to an endpoint in order to deliver a payload or to facilitate a crime. Attack vectors enable hackers to exploit vulnerabilities in the design of a network through the manipulation of applications and protocols. Attack vectors typically manipulate the software installed in the operating system of an endpoint. Examples of attack vectors are email attachments, pop-up windows, instant messages, service configurations, new software, and firewall modifications. Human ignorance or weaknesses could also be used for engineering attack vectors. For example, users could be fooled into weakening network defenses during times of remote collaboration and file sharing. Anti-virus software and firewalls do provide some defense or block attack vectors to some extent. Some of the mitigation measures used to thwart hackers usage of attack vectors include deep packet inspection, IP source trackers...