Managing SIEM Log Collectors at Scale with Ansible and GitHub Actions – Part 1

A Security Operations Center (SOC) watches an organization’s IT systems for cyber threats 24/7. It quickly finds and fixes security problems and uses Security Information and Event Management (SIEM) tools to collect and analyze alerts and logs. SIEMs depend on log Collectors servers, which gather data from many sources and send it to the SIEM. … Continue reading Managing SIEM Log Collectors at Scale with Ansible and GitHub Actions – Part 1 →

Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery

NVISO reports a new development in the Contagious Interview campaign. The threat actors have recently resorted to utilizing legitimate JSON storage services like JSON Keeper, JSONsilo, and npoint.io to host and deliver malware from trojanized code projects, with the lure being a use case or demo project as part of an interview process. Background Contagious … Continue reading Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery →

Detection Engineering: Practicing Detection-as-Code – Monitoring – Part 7

In this part, we are going to introduce automation to effectively monitor our deployed detections. By setting up automations at this phase we adopt a proactive approach towards maintenance, allowing our team to take action before a blowout of alerts or an untuned detection is escalated by the SOC.

Lunar Spider Expands their Web via FakeCaptcha

Key Findings Lunar Spider has expanded its initial access methods by compromising vulnerable websites, particularly in Europe, using Cross-Origin Resource Sharing (CORS) vulnerabilities. These websites are then injected with a FakeCaptcha framework. The FakeCaptcha framework is introduced via a JavaScript script that generates an iframe, overlaying the original site's content with the attacker's FakeCaptcha page. … Continue reading Lunar Spider Expands their Web via FakeCaptcha →

Securing Microsoft Entra ID: Lessons from the Field – Part 1

This multipart blog series is focused on the real-world lessons learned while securing Microsoft Entra ID. Based on hands-on experience across various environments and organizations, we’ll explore the practical, high-impact strategies that work and more importantly, the common misconfigurations, overlooked settings, and pitfalls that can expose your identity perimeter. Throughout the series, we’ll cover both … Continue reading Securing Microsoft Entra ID: Lessons from the Field – Part 1 →

Detection Engineering: Practicing Detection-as-Code – Deployment – Part 6

The deployment phase is one of the most challenging steps in the Detection Development Life Cycle due to its implementation complexity. In this part, we will explore the principles and practices of deploying rules to target platforms. Additionally, we will go through some of the challenges encountered when designing and implementing a deployment pipeline, along with suggestions on how to overcome them, to ensure that our Continuous Deployment pipeline operates smoothly.