Part of our job at Recon relies on fine tuning our threat signatures that make up the bulk of our pipeline rules in our Graylog environment. Because of this, they are constantly changing, growing, being tuned, and ultimately becoming more effective over time at detecting anomalous activity.…
The Recon incident response team recently worked an intrusion case involving a Confluence web application server that was affected by CVE-2019-3396. The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3…
In this long overdue post, we'll share a few tricks that we use to heavily secure our own ZeroTier networks to not only restrict communication to authorized hosts on a directional basis but even capture and inspect packets!…
Join us at BlackHat 2019 where we will be offering NDR Crucible -- our premier 4-day Network Defense Range training!…
To the delight of most Graylog users, geolocation is automatically built into the platform via the "GeoIP Resolver" plugin. All that is needed is a MaxMind database and you are ready to roll. However, there is a better way of going about geolocation that might be worth implementing…
Guidance on securing your organization's G Suite environment…
Part 1 of a three-part series on digital forensics and incident response in Google's GSuite.…
An easy-to-understand break down of TA18-106A.…
An executive summary on the Meltdown and Spectre vulnerabilities affecting computer processors all over the world.…
Over time and for various reasons, I've amassed quite the catalog of cloud-hosted servers. This has caused much anxiety in the form of rapidly expanding attack surface which I've met painstakingly with manually managed firewall rules and nginx ACLs... Not anymore! OpenVPN hub-and-spoke setup (old school) Out with OpenVPN My…