Tuesday, August 09, 2016

Time is on your Side talk and links

Links from the talk:

Friday, April 01, 2016

Quality not Quantity talk, commands, and links

Quality not Quantity: Continuous Monitoring's Deadliest Events

Search service creation events and errors:
PS> Get-WinEvent -FilterHashtable @{logname='system'; id=7045,7030}

User creation events and users added to local and global security-enabled group:
PS> Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4720,4732,4728}

Full command line of all processes (requires https://support.microsoft.com/en-us/kb/3004375):
PS> Get-WinEvent -FilterHashtable @{Logname="Security"; ID=4688}

AppLocker Events (requires AppLocker):
PS> Get-WinEvent -FilterHashTable @{LogName="Microsoft-Windows-AppLocker/EXE and DLL"; ID=8003,8004}

Detect when EMET blocks malware (requires EMET):
PS> Get-WinEvent -FilterHashtable @{LogName="application"; ProviderName="EMET"; id=2}
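As an added example (not code from the talk or its slides), the PowerShell below wraps the queries above into one function that pulls each event's key fields out of its XML body, so an alert shows the service image path, new account or command line rather than just the event ID. The EventData field names follow the standard Windows event schemas; the `param1` name used for 7030 is an assumption, and the host must allow reading the System and Security logs.

```powershell
# Added example: normalize the "deadliest events" into one stream for review or SIEM forwarding.
function Get-DeadliestEvents {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1)   # how far back to look
    )

    # One query per log; the ID sets match the Get-WinEvent commands above.
    $queries = @(
        @{ LogName = 'System';   ID = 7045, 7030;       StartTime = $Since }
        @{ LogName = 'Security'; ID = 4720, 4732, 4728; StartTime = $Since }
        @{ LogName = 'Security'; ID = 4688;             StartTime = $Since }
    )

    foreach ($q in $queries) {
        # Get-WinEvent throws when nothing matches; treat "no events" as an empty result.
        $events = Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # EventData fields live in the event XML; map Name -> value.
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # Pick the field(s) that matter for each event type.
            $detail = switch ($e.Id) {
                7045 { "service '$($data.ServiceName)' -> $($data.ImagePath)" }
                7030 { "interactive service request from $($data.param1)" }   # param1 is an assumption
                4720 { "account created: $($data.TargetUserName) by $($data.SubjectUserName)" }
                { $_ -in 4732, 4728 } { "$($data.MemberName) added to group $($data.TargetUserName)" }
                4688 { "$($data.NewProcessName) cmdline: $($data.CommandLine)" }
            }

            [pscustomobject]@{
                Time     = $e.TimeCreated
                Computer = $e.MachineName
                Id       = $e.Id
                Detail   = $detail
            }
        }
    }
}

# Usage: review the last 24 hours, newest first.
Get-DeadliestEvents | Sort-Object Time -Descending | Format-Table -AutoSize
```

The 4688 CommandLine field is only populated once command-line auditing (KB3004375, link 12 below) is enabled; without it the Detail column shows the process path alone.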

  1. Mandiant M-Trends 2016: https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf
  2. Verizon DBIR: http://www.verizonenterprise.com/DBIR/2015/
  3. USENIX Enigma 2016 - NSA TAO Chief on Disrupting Nation State Hackers: https://www.youtube.com/watch?v=bDJb8WOJYdA
  4. Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data: http://www.bloomberg.com/news/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data
  5. The ASD 35 Strategies to Mitigate Targeted Cyber Intrusions: http://www.asd.gov.au/infosec/top-mitigations/mitigations-2014-table.htm
  6. Patch-crazy Aust Govt fought off EVERY hacker since 2013: http://www.theregister.co.uk/2015/06/02/patchcrazy_aust_govt_fought_off_every_hacker_since_2013/
  7. CIS Critical Security Controls: https://www.cisecurity.org/critical-controls/download.cfm?f=CSC-MASTER-VER%206.0%20CIS%20Critical%20Security%20Controls%2010.15.2015
  8. AppLocker: https://technet.microsoft.com/en-us/library/mt431813(v=vs.85).aspx
  9. AppLocker CSP: https://msdn.microsoft.com/library/windows/hardware/dn920019(v=vs.85).aspx
  10. Windows 10 Enterprise 90-day Trial: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise
  11. Microsoft EMET: https://support.microsoft.com/en-us/kb/2458544
  12. Enable Windows command-line auditing: https://support.microsoft.com/en-us/kb/3004375
  13. Windows Commands Abused by Attackers: http://blog.jpcert.or.jp/.s/2016/01/windows-commands-abused-by-attackers.html

Friday, December 11, 2015

CISSP Study Guide 3E - Shipping Now

Just a note to say the CISSP Study Guide 3E is in stock and shipping from Amazon.

Electronic editions should be available in January. We are working on the 11th Hour CISSP Study Guide update now; chapters are due by April (but I hope to have it done before then).

Monday, November 23, 2015

CISSP Study Guide 3E is Complete

Lots of people have asked me for the release date of the CISSP Study Guide 3E. Amazon (now) lists December 29th, but it will be sooner.

I can confirm the book is done and is at the printers now. I ordered copies as a surprise Christmas gift for students of my MGT 414 class coming up at SANS CDI in 3 weeks, and Syngress has confirmed the books will ship by then.

Tuesday, April 21, 2015

MGT 414 and CISSP Study Guide Third Edition

ISC2 recently updated the CISSP® exam, effective April 15th 2015. The biggest change: they went from 10 to 8 domains.

SANS MGT 414 has been fully updated:
Course authors Eric Conrad and Seth Misenar have revised MGT414 to take into account the 2015 updates to the CISSP® exam and prepare students to navigate all types of questions included in the new version.
MGT414 focuses solely on the 8 domains of knowledge as determined by (ISC)2 that form a critical part of the CISSP® exam. Each domain of knowledge is dissected into its critical components, and those components are then discussed in terms of their relationship with one another and with other areas of information security.
We are also working on the CISSP® Study Guide Third Edition. It is due out in November 2015. We will update the Eleventh Hour CISSP Study Guide after that.
I have received a lot of questions regarding CISSP® Study Guide version 2E (and other books that predate this update). Here's ISC2's take:
Q: Since the CISSP has changed from 10 to 8 domains, was some content deleted?
A: No. Content was not removed from the exam and/or training material, but rather refreshed and reorganized to include the most current information and best practices relevant to the global information security industry.

So all of the CISSP® Study Guide Second Edition material still applies, but new concepts have been added. See the CISSP® 2015 Candidate Information Bulletin for specific details on the testable topics. Here's Clement Dupuis' take on cccure.training.

Clement also has a fantastic guide to the changes (with links to online sources of new material).