Posts on Shadow Engineering

Jupyter Notebooks and Pandas for Security Analysis

Sat, 03 Dec 2022 02:49:03 +0000

Jupyter Notebooks
#

Jupyter Notebooks are an interactive way to run python commands alongside documenting with rich text. This means we can methodically execute code, track actions undertaken, and recreate events. While the original intent was mainly directed at data scientists, as you can imagine, this is pretty appealing to security analysts.

It doesn’t matter whether you’re a threat hunter, or a forensic analysis - collecting artefacts from multiple sources, and correlating them is a pretty common process. Jupyter notebooks allow us to do this, record the results and potentially manipulate our data to extrapolate additional information.

SOC Automation with Inspector Gadget

Sat, 28 May 2022 11:30:03 +0000

Inspector Gadget is a tool to help SOCs scale and automate augmention of alerts. Whether that’s through an analyst leveraging Inspector Gadget directly, or through a Security Orchestration, Automation and Response (SOAR) platform.

It’s a proxy API endpoint, that can communicate to other API endpoints. This means that given a particular Indicator of Attack (IOA), it can connect to multiple API endpoints for third party services to provide more information and context around it, and help make a better assessment to the validity or malicious nature of it.

It’s built upon FastAPI and httpx, meaning it’s designed with parallelism in mind, then thanks to Celery/Redis it can scale to meet your demands while still maintaining that quick response. Even the core library that maps indicator types to third party API endpoints (ioclib) is built with asynchronous actions for speed.

Cloud Run Website with GCP

Sat, 23 Apr 2022 11:30:03 +0000

As I outlined in Iterations of this Site, a time had come when I wanted to repurpose this domain, and use it to share some of the knowledge I had gained from experimentation and projects I had worked on.

A common approach that a lot of people recommend is using a static site generator like Jekyll or Hugo, pushing that to a GitHub Pages repository and then using Cloudflare Workers to mask that behind a domain name of your choosing.

I really liked the approach, and it made some vast improvements over my previous methodology. But it would mean that a lot of the little easter eggs I had developed over the years would be lost.

Iterations of this Site

Sat, 23 Apr 2022 11:30:03 +0000

In 2018 I applied for a position at Google, to start the day long series of interviews I got asked one simple question:

How would you create a secure web page?

I responded at first about securing the host, implementing SELinux, putting SSH on a high port with a certificate, sticking it behind a WAF. I had started to go into detail about the CI/CD pipeline when I was interrupted by the interviewer asking if I had heard of things such as HSTS and HKPI. I confessed that I hadn’t, and knew there must have been a whole world of things that I simply hadn’t had exposure to, so I took a mental note to go away, build myself a website and to try and experiment.

Diagnosing Difficult Network Issues

Mon, 07 Mar 2022 11:30:03 +0000

Background
#

This is the story of a case I worked a long time ago. At the time I was working in an infrastructure development team. We had a VMWare vCenter 5.5 cluster that started as a prototype, but soon became mission critical (as is the way for those systems sometime). Other than overutilising the hardware with random VMs it had been functioning seemlessly with no issues for a long time, and then developed an interesting fault. The vCenter cluster would disconnect from the storage multiple times an hour.

Easter Eggs

Tue, 23 Nov 2021 17:00:00 +1000

As I outlined in Iterations of this Site, this website has been a project for me to learn and experiment. As a part of that I’ve included 10 easter eggs littered around the site in various places, they’re not overly complex, but they provide a chance for others to learn about some of the different elements of the site like I have in building it.

If you’ve uncovered all 10 of them, I’d love for you to let me know, send me a message to my twitter

For those keen on a bigger challenge, I provide the below. Some bafoon has attempted to encrypt a super sensitive file, but it appears they’ve done it in the worst way possible!

Building my first Keyboard

Tue, 09 Nov 2021 11:30:03 +0000

Background
#

Like many I had grown up with an old IBM keyboard growing up. I’ve always appreciated a good keyboard and throughout the years I’ve used many brands: logitech, Razer, and Ducky to name a few. So I can’t necessarily remember how I discovered the world of custom mechanical keyboards, it could have been that I stumbled onto r/MechanicalKeyboards or I’d found a set of keycaps that peaked my interest.

Never the less in October 2019 I discovered GeekHack, a great source for all sorts of custom keyboard components. Specifically this thread on GMK Dracula caught my eye. I loved the set, and was a huge fan of the Dracula (if you haven’t realised from this site alone).

Project Chaos

Sun, 04 Apr 2021 11:30:03 +0000

Meet Scarlett Reynolds, a new starting ICT Sales Representative, for a small technology start up named Eigar Technologies, that’s based in Sydney, Australia.

She studied at Arthur Phillip High School in Parramatta, before graduating in a double degree in IT and Business from UTS in 2013. She’s a virgo and her first car was a ‘96 Corolla, and she doesn’t exist.

Neither does Eigar Technologies. In fact, the name Eigar Technologies is a portmanteau of Eiger, a mountain in the Swiss Alps, and EICAR, the test file associated with Antivirus program validation.

Python Debugging with Decorators

Fri, 06 Nov 2020 11:30:03 +0000

Decorators
#

Often times while writing python code you may encounter a logical error, one that won’t be caught in compilation or execution, but rather during run time. Perhaps something didn’t execute or return as expected, or maybe a function executed and returned the anticipated result, but took an astounding long time to do it.

Test driven development will catch these kind of issues as we work, but traditionally a lot of people will just throw a whole lot of print statements throughout their code. This could create more issues that we’re fixing.

Chaos Analyst

Sat, 01 Feb 2020 00:00:00 +1000

Abstract
#

As organisations look to new methodologies to increase, test, and verify resiliency of infrastructure and applications, so can SOCs look to new methodologies to validate integrity of logging, tools, platforms, analysis and re-enforce forensic tradecraft, as they incorporate automation tools into their arsenals. Chaos Analyst is a new methodology for SOCs which looks at implementing scenarios that force analysts to overcome obstacles that impact their ability to address alerts, or in more advanced scenarios, validate potentially compromised logs and data. This can be incorporated into red team activity to mimic more sophisticated attackers and manipulation, improving the ability of response, the tradecraft and preparedness of the SOC in detecting and preventing actors from compromising all elements of the business.

Adventures from the Other Side of Phishing

Tue, 01 Oct 2019 00:00:00 +1000

Background
#

I know it may be hard to believe, but this poor looking website above is not the legitimate NAB website, it’s a poor mockery of a NABs internet banking portal based off a phishing kit we’ve seen. How do I know this? Because I made it.

It stemmed from a weird need, we often need to showcase our phishing capability to seniors in the bank and as a good educational piece to students and employees. Depending on who we’re showcasing to we’re either demonstrating how we respond and manage the risk to customers, or educating users for simple things they can identify to determine the legitimacy. It also helps to showcase the other side of the phishers themselves; a lot of people don’t seem to realise what’s being gathered.

Electric Blue - Lessons from a blue team securing Azure

Sun, 07 Apr 2019 17:00:00 +1000

At the end of 2018, NAB built out it’s extensive cloud environment. As a security analyst who had not had a lot of exposure to cloud environments, it provided new challenges and lessons and I wanted to share that with the world. Thanks to Crikeycon and NAB for letting me share those lessons.

Slides: PDF | PPXT

Posts on Shadow Engineering

Jupyter Notebooks and Pandas for Security Analysis

Jupyter Notebooks #

SOC Automation with Inspector Gadget

Cloud Run Website with GCP

Iterations of this Site

Diagnosing Difficult Network Issues

Background #

Easter Eggs

Building my first Keyboard

Background #

Project Chaos

Python Debugging with Decorators

Decorators #

Chaos Analyst

Abstract #

Adventures from the Other Side of Phishing

Background #

Electric Blue - Lessons from a blue team securing Azure

Jupyter Notebooks
#

Background
#

Background
#

Decorators
#

Abstract
#

Background
#