February 24

Webinar takeaway – How to Detect and Respond to Business Email (M365) Compromise

Email, Security

0 comments

My key takeaways

BEC external-to-internal passes all technical security measures like SPF, DKIM and DMARC
BEC internal-to-internal bypasses anti-spam solutions
Get comfy with PowerShell to interact with M365
since Jan 2019 MS enabled mailbox auditing for Exchange Online
CrowdStrike Reporting Tool also reviews excessive permissions in Azure AD
If you are suspiscous to have a compromised account, start with a tenant wide investigation
less frequently used folders like Archive, Junk Mail and RSS Feeds are common for the attacker to store juicy mail in it for futher investigation
Many threat actors operate in +03 UTC, may be a good indicator
Mitigate by long passwords (15+ chars), MFA and disable auto forward to external domains

Env

Provided by BHIS
Speaker
- Derek Banks
- Troy Wojewoda
- Hal Denton

additional links

Video

What Fantasy Role-Playing Games Can Teach Us About Cybersecurity Roles

— And why your SOC might actually need a Bard 🐉⚔️ Cybersecurity teams are often compared to armies, fire brigades, or special forces. Personally? I think they’re much closer to a party of heroes in a classic fantasy role-playing game. No matter how many frameworks, SIEMs, or AI tools we summon, defending a digital kingdom

Webinar takeaway: Hacking Packet Captures: The Foundations of Network Security

My key takeaways Zeek does not capture whole packets but saves summaries of all conversations it sees to log files saves time and space "You wouldn’t normally use Zeek for packet capture, instead you use it for analysis." – Bill Stearn Sending a lot more data then recieving might indicate malicious traffic use NetworkMiner to

Jean-Christoph von Oertzen

Blog

Infosec glossary