Updating still

I’m still going through updating the old links. The good news is that my RSS feed didn’t start bringing back the old posts that I’ve been updating. The bad news is that I had to delete my feed from The Old Reader and re-add my RSS feed.

I do plan on getting back to writing soon. I’ve opened the FAIR and CTI posts. I want to get back to those. I also want to write up some of the Honeypot stuff I’ve been working on over the last several years. I don’t think I ever did a book review on Chris Sanders’ book Intrusion Detection Honeypots, which got me started and I’ve been expanding on. Also, I want to compare and contrast Intrusion Detection Honeypots running NetCat listeners vs. OpenCanary.

* Note the amazon links above are alffilate links, for which I earn a commission from qualifying purchases.

Issue with the WordPress server.

Oh hey, look… a post. 🙂

Anyway, a couple of weeks ago, two at the time of this writing, I updated my Debian Gnu\Linux server running this site. It broke things. Instead of showing the site, the Apache server showed the text in index.php.

I was running WordPress 6.2 with PHP 8.2. Those two key points are essential because most of the documentation out there for the problem talks about Old versions of WordPress and Old versions of PHP. Neither of which fit me.

Going through sites, I found the fixes. The first was ensuring that PHP was set up in the Apache modules. The easiest way to set it up was to install Libapache2-mod-php8.2.

 

This command changed the error from the index.php to an error:
Your PHP installation appears to be missing the MySQL extension, which is required by WordPress. Please check that the mysqli PHP extension is installed and enabled.

Again, searching said to update WP and PHP (both were already at the newest), so little help. Luckily I found something pointing to  the WP support forum; someone with WP 6.2 and PHP 8.2 having the same issue. The volunteer support person, Steven Stern (sterndata) (@sterndata), said to check php-mysqlnd. The command he used, for that thread’s OP Centos box.

So one search and installation later, I’m back in business and updated to WP 6.2.2.

Now if I could just find my notes and remember everything, I was writing about CTI in January of 2022.

For those interested in root cause analysis: My last upgrade was for Testing to the newest level. It looks like some things with MySQL and php didn’t get updated right and broke the site. I just didn’t think to check if my site was working after the update.

Using FAIR with CTI – The Intelligence Models/Processes

This post is part of the FAIR and CTI related blog posts; an event back in January made me want to add this to the mix.

I was interviewing for a Cyber Threat Intelligence Manager position, and part of the interview process was to talk to the person doing intelligence for the Physical Threat Intelligence space. During the interview, I asked which Intelligence models they used in case I had to brush up on one or learn something new. Part of the role was sharing data between the two intelligence groups. Even though the interviewer previously worked in Military Intelligence, they said they didn’t know what I was talking about.

That gave me pause because I went to a DoD-backed program in Undergrad, and we learned multiple Intelligence Processes/Models. I covered them in most of my Threat intelligence presentations and when I was teaching at the same DoD-backed program after I got my master’s degrees. Even after walking through the three, I knew the best; the person I was talking to didn’t know what I was talking about.

So, as I said, I thought I’d go through them into here, for people that haven’t been exposed to them yet. I’ve always figured people reading my blog would be familiar with at least a couple of the models.

Continue reading

Walking Through Applied Network Security Monitoring – Forward through Chapter 1

Back in December, it really doesn’t feel that long ago, I talked about how I was prepping for a project.

The end goal is to brush up on Network Security Monitoring (NSM) and use it to better monitor my home network. I occasionally check the logs but think I would be more active if I had a centralized tool to help. Right now, I have a log of blocked domain alerts in my PFSense Firewall’s PFBlocker-NG reports screen. Most of the entries are tracking related that the Pi-Hole isn’t blocking and is getting to the second block list on the firewall.

Note: I say my home network, not my home lab. As I said in the past, I no longer maintain a home lab due to cost and space. I have parts of my network isolated, but I wouldn’t call that a lab.

Continue reading

Using FAIR with CTI – Some key definitions

Using FAIR with CTI – Some key definitions

This post won’t cover all the Factor Analysis of Information Risk (FAIR) definitions. It will provide the ones I think are vital for using FAIR with Threat Intelligence (TI) and Cyber Threat Intelligence (CTI). I’m paraphrasing several sources, but it’s the way I understand the definitions I learned over the years. If you want in-depth/exact definitions from my sources, for FAIR, lookup: Measuring and Managing Information’s Risk, The Open Group’s Open FAIR Risk Taxonomy and Risk Analysis whitepapers, the RiskLens FAIR study guide (provided as part of the course). For Threat Intelligence, lookup: Effective Threat Intelligence, and Intelligence Analysis 6th edition.

Continue reading

Hello php8.1, thank you for breaking things.

This server runs Debian’s Testing release. Yes, Testing changes a lot and is not meant for long-term production servers. But I like to be a little more up-to-date on the software packages, and there are times when Debian Stable is too far out of date for what I need or want to run on this server. I do use it as a shell server too. And yes, I know bastion hosts, one “process” per server. That assumes one has a budget for multiple servers.

Anyway, I updated the server, and it pulled PHP 8.1. Previously I was running PHP7.4. Well, something interesting happened during the upgrade. I rebooted the server to get the new kernel loaded, and when everything came back up, I had the “White Page of Death” on the WordPress page. This is a self-hosted server, no CPanel, phpAdmin, or anything like that. If I have to fix a problem, it’s the command line and me.

Continue reading

Using FAIR with CTI (Intro)

As I mentioned in the past, I taught a Graduate level Risk Management and Incident response course. In my first term, I was literally hired three days before the term started. The grad class was new, with no framework or anything else to build off of, and I had to build it on the fly.

So, I went with what I learned in grad school elsewhere, which was the NIST documentation. During my first term teaching the class, I kept telling myself there must be something better. NIST SP 800-53 and the related documents have been around for a while, yet we still see breaches. It builds a framework around an organization, but something is missing. With the frameworks in place, breaches still happen and missing ways to help prioritize objectives.

Driving home after teaching class one night, I heard an interview with Jack Jones talking about Factor Analysis in Information Risk (FAIR). It made sense, and FAIR can tie actual monetary loss to things. So, I got a copy of the book but didn’t change the class in the middle of the term; I just waited for the next term the class was offered (it was only offered once a year).

When going through “Measuring and Managing Information Risk: A FAIR approach” by Jack Freund and Jack Jones, the book mentioned Threat intelligence several times, asking the Threat Intelligence experts, working with threat intelligence vendors, etc. And that part spoke to me too. Using the FAIR framework creates better planning/requirements and direction steps to speak to the threats a company faces.

In FAIR, threats don’t mean all the uses that we have in IT/Cyber Security, which boils down to speaking to an adverse event or action when something is exploited or compromised. In FAIR, a Threat is someone or something that can take independent action against an asset in a way that changes value. That made sense, too;  it gave better, tighter definitions to work with.

As I read and thought more about FAIR, cybersecurity, and Threat Intelligence, I realized that Risk and Incident Response are two sides of the same coin. More or less. The Risk Management side is the expected annualized loss based on things happening. The Incident Response side is how an organization responds to materialized risk, or what the company does when the risk actually happens. And I thought about how Threat Intelligence plays into both Risk and Incident Response.

And while staring at the FAIR Framework, I came up with the below image. It is a modified version of the framework applied to areas of influence I see belonging in whole or in part to Threat Intelligence / Cyber Threat Intelligence showing the highlighted sections:

I’ll walk through the different parts and how I see Threat Intelligence’s role in each in future posts. They’re probably going to be mixed in with other things, but I’ll have a link page like I did the Building an OSINT box series that links to each part in order.

Prepping for a project

I’m getting ready for a fun little project with a friend. Several years ago, while doing my undergrad, I got a copy of Chris Sander’s “Applied Network Security Monitoring.” I was going to do a book study group at school when it came out, but it turns out it was a required text for my Incident Response course.

Sadly, that class was a mess, and I don’t think we used the book in it at all. A different friend and I referenced the book to build a project for one of our other classes. We used it to build several honey pots, with what was supposed to be centralized logging. That, however, failed due to the Data Center we put the logging server in. The DC we picked for the log server didn’t allow logging to that DC for some reason. The other ones through the VPS provider would have worked fine. Just not that one. No clue why. We did complete the project with the honey pots but had to monitor each one instead of having central logs.

Anyway, talking about burnout recently with friend one mentioned above, we both feel burnt out. We don’t want to do anything computer-related after work. Studying, Udemy, Coursera, Hack-in-The-Box, Try Hack Me, scripting, blogging, etc. To get around this, we’re going to work through Applied Network Monitoring, and we’re also going to blog about it.
Before confirming this was the book and project we would do, we asked Chris Sanders via Twitter if the book material was still relevant. He said the concepts would be, but the tools would be different now.

It should be fun.

Once my friend gets his blog set up, I’ll link to it too. And yes, I know I still have some OpenFAIR/CTI/OSINT related content I want to blog about; see the comment about being burnt out above.

Open FAIR Exam Quick Follow-Up

In my Passed the Open FAIR Exam post, I mentioned there were some issues with some of the questions on the exam not matching what I studied. Since I wrote the blog post, I printed and did quick reviews of the O-RA v2.0  and the O-RT v3.0.

The questions I remember struggling with did come from the newer versions of the Knowledge Body. So if you’re going to study for the Certification Exam, even though the Certification Page still lists the old documents, you’ll want to study the new standards.