THE DFIR BLOG

MongoDB Data Breach

12/17/2023

MongoDB recently experienced a significant data breach that has raised concerns in the cybersecurity community. 

Timeline and Discovery
The breach was detected on the evening of December 13, 2023. MongoDB noticed suspicious activity on its corporate systems, which led to an immediate investigation.

Nature of the Breach
The attackers gained unauthorized access to MongoDB's corporate systems. This led to the exposure of customer account metadata and contact information. Importantly, there is currently no evidence to suggest that data stored in MongoDB Atlas, the company's cloud database service, was affected.

Response and Communication
MongoDB's Chief Information Security Officer (CISO), Lena Smart, sent an email to MongoDB customers detailing the breach and urging caution against potential social engineering and phishing attacks.
MongoDB has activated its incident response process and is conducting a thorough investigation of the breach. It has also notified the relevant authorities.

Precautionary Measures
  • MongoDB recommends that all customers enable multi-factor authentication (MFA) and regularly rotate their passwords as precautionary measures.
  • The company also warns its customers to be vigilant about potential phishing attacks and social engineering tactics that could exploit the exposed information.

Additional Issues
Following the breach, MongoDB reported a spike in login attempts, which caused issues for customers trying to access MongoDB Atlas and the Support Portal. However, the company clarified that this was not related to the security incident.

Ongoing Investigation
MongoDB is still investigating the incident and is expected to provide further updates as it continues to uncover more details.

Implications
This breach is significant given MongoDB's role as a leading database management company. The exposure of customer account metadata and contact information is a serious concern, as it could potentially be misused. The breach serves as a stark reminder of the constant threats faced by digital companies and underscores the importance of robust cybersecurity measures.

When Security Tools Become the Attack Surface

12/14/2023

Recent incidents involving TruffleHog and Velociraptor reveal an uncomfortable truth: attackers are now weaponizing the same tools defenders rely on. The boundary between offensive and defensive operations has blurred, and the implications for security leaders are significant.

TruffleHog and the Crimson Collective

Rapid7’s investigation into the Crimson Collective showed how the group used TruffleHog, a legitimate open-source utility, to locate exposed AWS credentials. Once validated, these keys gave the attackers full access to create new IAM users, attach administrative policies, and extract data from S3, EC2, and RDS environments. In several cases, they even used the victim’s own AWS Simple Email Service to send extortion messages. A tool designed to prevent credential exposure became the entry point for large-scale compromise. For security leaders, this highlights the need to monitor how legitimate tools are being used inside their own environments. It also raises the question: do you need so many security tools in your environment? TruffleHog user-agent strings, CreateUser or AttachUserPolicy API calls, and unexplained credential simulations should trigger immediate investigation.

Velociraptor and the Ransomware Connection

Cisco Talos reported that a China-based group known as Storm-2603 deployed an outdated version of Velociraptor to maintain persistence and control during ransomware operations. The version contained a privilege escalation flaw that allowed remote execution across compromised systems. Velociraptor, an open-source digital forensics and incident response tool, was repurposed as a control mechanism. The attackers disabled Microsoft Defender through Group Policy changes, created new domain admin accounts, and deployed ransomware variants, including LockBit, Warlock, and Babuk. A defensive tool became an enabler of stealth and persistence.

Takeaways for Security Leaders
Both incidents demonstrate that open-source and defensive tools are increasingly being misused because they carry built-in trust, wide availability, and high privilege access. Attackers understand how defenders operate, and they are exploiting that predictability.
Security leaders should focus on four priorities:
  1. Tool Governance - Treat every defensive or open-source security tool as part of the attack surface. Maintain version control, integrity checks, and strict access policies for all internal deployments.
  2. Behavior-Based Detection - Traditional detections may overlook legitimate binaries. Monitor for patterns such as unexpected use of TruffleHog, Velociraptor processes on non-incident-response systems, new IAM users, or Group Policy changes.
  3. Credential Control - Eliminate static credentials. Enforce short-lived tokens and just-in-time privilege escalation to minimize exposure if credentials are leaked.
  4. Threat Modeling for Tool Abuse - Expand internal threat modeling to include defensive tool misuse. Red-team simulations should regularly test these scenarios.
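One way to turn the behavior-based detection priority into a concrete check, as an added example that is not from the post or from Rapid7: a small Python scanner over CloudTrail records that flags the signals listed in the TruffleHog write-up above (TruffleHog user-agent strings, CreateUser and AttachUserPolicy calls, credential simulations). It assumes CloudTrail JSON as input, recognises TruffleHog by a case-insensitive "trufflehog" substring in userAgent because the post gives no exact string, reads "credential simulations" as the IAM SimulatePrincipalPolicy/SimulateCustomPolicy calls, and the sample records are constructed.

```python
"""Flag CloudTrail events matching the TruffleHog / IAM-abuse pattern.

Added example, not from the post or Rapid7. Assumptions: TruffleHog is
recognised by a case-insensitive "trufflehog" substring in userAgent (the post
gives no exact string); "credential simulations" means the IAM
SimulatePrincipalPolicy / SimulateCustomPolicy calls. Records are constructed.
"""
from __future__ import annotations

import json
from typing import Any, Iterable

# IAM calls the post says should trigger immediate investigation.
PRIV_ESCALATION_CALLS = {"CreateUser", "AttachUserPolicy"}
SIMULATION_CALLS = {"SimulatePrincipalPolicy", "SimulateCustomPolicy"}
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def load_records(raw: str) -> list[dict[str, Any]]:
    """Accept a CloudTrail file ({"Records": [...]}), a bare JSON list, or
    one JSON object per line as CloudWatch Logs exports deliver them."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return [json.loads(line) for line in raw.splitlines() if line.strip()]
    return doc["Records"] if isinstance(doc, dict) else doc


def classify_event(record: dict[str, Any]) -> list[str]:
    """Return the reasons one record is suspicious (empty list = nothing)."""
    reasons: list[str] = []
    name = record.get("eventName", "")
    user_agent = (record.get("userAgent") or "").lower()
    params = record.get("requestParameters") or {}
    if "trufflehog" in user_agent:
        reasons.append("trufflehog-user-agent")
    if name in PRIV_ESCALATION_CALLS:
        reasons.append(f"iam-{name}")
        # AdministratorAccess attached to a fresh user is the escalation step.
        if name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
            reasons.append("admin-policy-attached")
    if name in SIMULATION_CALLS:
        reasons.append("credential-simulation")
    return reasons


def flag_cloudtrail(records: Iterable[dict[str, Any]]) -> list[dict[str, Any]]:
    """Run classify_event over the records and keep the fields an analyst
    pivots on: time, calling principal, source IP, API name, reasons."""
    findings = []
    for rec in records:
        reasons = classify_event(rec)
        if reasons:
            findings.append({"eventTime": rec.get("eventTime"),
                             "principal": (rec.get("userIdentity") or {}).get("arn"),
                             "sourceIP": rec.get("sourceIPAddress"),
                             "eventName": rec.get("eventName"), "reasons": reasons})
    return findings


def _rec(time: str, name: str, agent: str, **extra: Any) -> str:
    # Constructed record: AWS documentation account id and an RFC 5737 address.
    base = {"eventTime": time, "eventName": name, "userAgent": agent,
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}}
    base.update(extra)
    return json.dumps(base)


# Constructed NDJSON sample: one TruffleHog validation, one benign call, then the
# CreateUser -> AttachUserPolicy -> SimulatePrincipalPolicy sequence.
SAMPLE_NDJSON = "\n".join([
    _rec("2023-12-01T10:00:00Z", "GetCallerIdentity", "TruffleHog"),
    _rec("2023-12-01T10:00:05Z", "ListBuckets", "aws-cli/2.13.0"),
    _rec("2023-12-01T10:01:00Z", "CreateUser", "aws-cli/2.13.0",
         requestParameters={"userName": "backup-svc"}),
    _rec("2023-12-01T10:01:30Z", "AttachUserPolicy", "aws-cli/2.13.0",
         requestParameters={"userName": "backup-svc", "policyArn": ADMIN_POLICY_ARN}),
    _rec("2023-12-01T10:02:00Z", "SimulatePrincipalPolicy", "aws-cli/2.13.0"),
])
```

Run `flag_cloudtrail(load_records(SAMPLE_NDJSON))` to see the four findings; in production the same function would be fed the decompressed CloudTrail objects from S3 or a CloudWatch Logs export.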
These cases mark a shift from exploiting software vulnerabilities to exploiting trust. Tools that were once considered safe can now become entry points. The defender’s advantage in visibility and automation has become the attacker’s leverage. Security leaders must assume that any security tool can be misused. The goal is not just to deploy and monitor tools, but to understand how they could be turned against the organization. In modern defense, trust without verification is a risk.

SEC Files a Lawsuit against SolarWinds CISO

11/4/2023

The Securities and Exchange Commission (SEC) has alleged that SolarWinds concealed cybersecurity defense issues before a December 2020 attack linked to APT29, the hacking division of the Russian Foreign Intelligence Service (SVR). The hackers found a way to insert malware into a version of the company's Orion IT monitoring application, allowing Russian operatives to gain a foothold in high-value targets. They used that access to deploy additional malware, compromise internal and cloud-based systems, and steal sensitive information over several months. The SEC claims that SolarWinds' CISO, Timothy G. Brown, was aware of the cybersecurity risks and poor practices, but that SolarWinds failed to notify its investors. Instead, the company reportedly disclosed only broad and theoretical risks to its investors.

The SEC cites a SolarWinds internal document stating that the engineering teams could no longer keep up with the long list of new security issues they had to address. SolarWinds has denied the SEC's charges and says it deliberately chose to speak candidly and frequently about security, sharing what it learned to help others become more secure. This lawsuit marks the first time the SEC has held a CISO personally accountable for cybersecurity failures. The charges will reignite concerns among CISOs about the liabilities associated with the role.

CISO/Security Leaders' Dilemma
The general viewpoint is that the CISO is responsible for all security issues. Still, in practice, CISOs often lack the power and authority to get issues fixed. In most organizations, the CISO reports to the CLO, CTO, or CRO, which is counterproductive. To be effective, the CISO should report directly to the CEO and the board of directors' cybersecurity committee. It is well known in the industry that the CISO does not get the same compensation and indemnity benefits that other leaders, like the CEO or CPO, receive. The reality is that, without any significant incidents, business leaders often see information security as a cost center.

In most cases, the CISO and the security leadership team are aware of significant security gaps. The critical issue is that business leadership does not prioritize security issues, as they are not revenue-generating efforts. Vulnerability Management, Bug Bounty, AppSec, Pentest, Red Team, and CSIRT teams detect many security gaps quickly. Still, they often hear that the sheer volume of security issues being identified is much higher than the capacity of the engineering teams to resolve them. Often, project managers deprioritize security issues in favor of new features. To solve this, leaders should implement the following:
  • Risk Management Program - All identified risks should be documented in the risk register and managed actively. The security team should only *accept* a risk if the likelihood of exploitation is low. The number of risks accepted by the leaders is also a good measure of the security program. There should be a committee with stakeholders from all the different departments/units in the organization. A risk should be accepted only after detailed discussion and documentation, and every risk should have a timeline to fix it.
  • Security Architecture Program - All new app/feature/tool development work should undergo a detailed threat modeling process in the design phase. All identified risks should be mitigated before moving to the development phase.
  • Data-Driven Security - Security issues, bugs, and vulnerabilities should be measured weekly, and insights should be shared regularly with the executive team.
  • Red Team - Most security leaders will not consider starting a red team early in the security program. In reality, the red team is often the most effective team at finding security issues in the company. The red team should be given enough freedom and support to operate and emulate adversary behaviors.

Okta Breach overview

10/24/2023

Okta's support system was compromised, allowing unauthorized access to sensitive HTTP Archive (HAR) files uploaded by customers. HAR files contain sensitive data such as session tokens, which the Okta support team uses for impersonation. The threat actor used these HAR files to gain access to customers' Okta sessions.

In March 2022, Okta disclosed an internal system breach by the hacking group LAPSUS$. In the recent attack, the Okta team has not yet revealed the name of the threat actor, but they believe this is an adversary they have seen before.

Timeline

Date            Notes
Oct 2nd 2023    BeyondTrust detected an identity-centric attack, which led them to believe that Okta was compromised.
Oct 3rd 2023    BeyondTrust asked Okta support to escalate to the Okta security team, given initial forensics pointing to a compromise within the Okta support organization.
Oct 11th 2023   BeyondTrust held Zoom sessions with the Okta security team to explain why they believed Okta might be compromised.
Oct 18th 2023   Cloudflare detected the attack and tracked it back to Okta. Cloudflare contained the attack and informed Okta about it. Source: Cloudflare blog
Oct 19th 2023   Okta confirmed the breach. Approximately 170 Okta customers were impacted, including Cloudflare, BeyondTrust, and 1Password.

Attacker Techniques - Kill Chain

  • The attacker used an open Okta session with administrative privileges to access a customer's Okta instance.
  • The threat actor accessed Okta’s customer support system and viewed files uploaded by specific Okta customers as part of recent support cases.
  • Okta said the most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.
  • The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers.

Supply Chain Breaches

  • 1Password: On September 29, 2023, an IT team member received an unexpected email notification suggesting they had initiated an Okta report containing a list of admins. They recognized that they hadn’t initiated the admin report and alerted 1Password's security incident response team. Preliminary investigations revealed that activity in the 1Password Okta environment was sourced from a suspicious IP address, and it was later confirmed that a threat actor had accessed the 1Password Okta tenant with administrative privileges. Source: 1Password Incident Report
  • Cloudflare: The threat actor was able to hijack a session token from a support ticket created by a Cloudflare employee. Using the token extracted from Okta, the threat actor accessed Cloudflare systems on October 18. The threat actor also compromised two separate Cloudflare employee accounts within the Okta platform.

Recommendations

  • Enable hardware MFA for all user accounts to prevent initial access. However, in this case Okta has not revealed the techniques the threat actors used to gain initial access.
  • Build out a strong threat detection program.

Questions for CISOs & Security Leaders

  • Should you allow employees to use personal accounts on corporate-issued devices? If yes, how will you justify the productivity vs. security trade-off?
  • Okta is a single point of failure for most companies. What will your BCP strategy be in case of a full Okta compromise?
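The HAR files in this incident were dangerous because they carried live session tokens. As an added example (not Okta's or any vendor's tool), the Python below strips credential-bearing headers and every cookie value from a HAR before it is attached to a support case, then checks that the token string is gone. The HAR fragment and the token in it are constructed, and the header list is an assumption to extend for your own applications.

```python
"""Sanitise a HAR file before it is attached to a support case.

Added example, not Okta's or any vendor's tool. It blanks the values of
credential-bearing headers and of every cookie so the file can no longer be
replayed to hijack the session it was recorded from. Sample HAR and token
below are constructed.
"""
from __future__ import annotations

import copy
import json
from typing import Any

REDACTED = "[REDACTED]"
# Header names whose values carry credentials or session material (assumed list).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}


def _redact_headers(headers: list[dict[str, Any]]) -> int:
    """Blank sensitive header values in place; return how many were changed."""
    changed = 0
    for header in headers:
        if header.get("name", "").lower() in SENSITIVE_HEADERS and header.get("value") != REDACTED:
            header["value"] = REDACTED
            changed += 1
    return changed


def _redact_cookies(cookies: list[dict[str, Any]]) -> int:
    """Blank every cookie value (HAR stores parsed cookies beside the header)."""
    changed = 0
    for cookie in cookies:
        if cookie.get("value") != REDACTED:
            cookie["value"] = REDACTED
            changed += 1
    return changed


def sanitize_har(har: dict[str, Any]) -> tuple[dict[str, Any], int]:
    """Return a deep copy of `har` with session material removed, plus the
    number of values redacted. The caller's dict is not modified."""
    clean = copy.deepcopy(har)
    count = 0
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            part = entry.get(side) or {}
            count += _redact_headers(part.get("headers", []))
            count += _redact_cookies(part.get("cookies", []))
    return clean, count


def contains_value(har: dict[str, Any], needle: str) -> bool:
    """Final check before upload: does the literal token still appear anywhere?"""
    return needle in json.dumps(har)


# Constructed HAR fragment; the token is a dummy value, not a real session id.
DUMMY_TOKEN = "sid-CONSTRUCTED-0123456789abcdef"
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "url": "https://tenant.example.com/api/v1/users/me",
        "headers": [{"name": "Cookie", "value": f"sid={DUMMY_TOKEN}"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": DUMMY_TOKEN}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": f"sid={DUMMY_TOKEN}; Secure; HttpOnly"}],
        "cookies": [{"name": "sid", "value": DUMMY_TOKEN}],
        "content": {"mimeType": "application/json", "text": "{}"},
    },
}]}}

if __name__ == "__main__":
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"redacted {n} values; token still present: {contains_value(clean, DUMMY_TOKEN)}")
```

Response bodies and URL query strings can carry tokens too, so a production sanitizer should also cover the HAR `content.text`, `postData` and `queryString` fields; `contains_value` only catches a token you already know to look for.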


SECURITY DATA LAKE: AN OVERVIEW

10/3/2023

 

The sheer volume of data generated is staggering in the modern digital landscape. As cyber threats become more sophisticated, it becomes crucial for organizations to store, analyze, and derive insights from this data to bolster security. Enter the concept of the Security Data Lake.
What is a Security Data Lake?
A Security Data Lake is a centralized repository that allows organizations to store structured and unstructured data at any scale. Unlike traditional databases, which are designed to store structured data, a data lake can store vast amounts of raw data in its native format until it is needed.
When we apply this concept specifically to cybersecurity, the data lake is optimized to collect, store, and analyze massive volumes of security event data, logs, threat intelligence feeds, and more. This setup enables advanced analytics, correlation, and threat detection.
Key Features:
  1. Scalability: Given the nature of big data, a Security Data Lake is designed to handle vast amounts of data efficiently, ranging from gigabytes to petabytes.
  2. Flexibility: It can store both structured data (like databases) and unstructured data (like emails, logs, etc.) without any predefined schema.
  3. Advanced Analytics: With all the data centralized, organizations can run advanced analytics, AI, and machine learning algorithms to derive meaningful insights and detect anomalies.
  4. Real-time Analysis: Many Security Data Lakes offer real-time processing capabilities, allowing instant insights and quicker response times to potential threats.
Benefits of a Security Data Lake:
  1. Improved Threat Detection: With a vast amount of data at hand and advanced analytical tools, spotting unusual patterns becomes more efficient, enhancing threat detection capabilities.
  2. Historical Analysis: Organizations can go back and analyze historical data for insights, helping them understand long-term trends and identify latent threats.
  3. Cost-Effective: As a centralized solution, it can be more cost-effective in the long run than maintaining multiple disparate data storage solutions.
  4. Enhanced Compliance: A Security Data Lake can assist organizations in meeting regulatory compliance requirements by maintaining a comprehensive record of all security-related data.
Challenges:
  1. Data Quality and Integrity: As with all data storage solutions, ensuring the quality and integrity of the data is paramount.
  2. Complexity: Setting up, maintaining, and querying a data lake requires expertise. Without proper tools and knowledge, it can become a "data swamp" – a repository filled with vast amounts of unstructured and unutilized data.
  3. Security: Ironically, while being a tool for enhancing security, the data lake itself needs to be secured. Given the sensitive information it can contain, it becomes an attractive target for attackers.
Conclusion:
As the cyber landscape becomes increasingly intricate, having a consolidated view of security-related data becomes invaluable. A Security Data Lake offers this view, providing organizations with the tools to detect, analyze, and respond to threats quickly and accurately. However, as with all tools, its effectiveness hinges on its implementation, management, and the expertise of the team overseeing it.

INSIDER THREAT: UNDERSTANDING, MITIGATING, AND NAVIGATING THE RISKS WITHIN

10/2/2023

 
When we think of threats to our businesses, the image that might come to mind is a masked hacker typing away in a dimly lit room, infiltrating our systems remotely. Yet, a less conspicuous but equally dangerous adversary exists, the insider threat.
What is an Insider Threat?
An insider threat arises when someone within the organization who has inside information about its security practices, data, and computer systems misuses that knowledge or access in a way that harms the organization. This can encompass employees, former employees, contractors, or business partners.
Why is it Significant?
Unlike external threats, insiders have access to critical systems and data. They understand the internal processes, know the weak spots, and can exploit them effectively. Some insiders may inadvertently leak sensitive information, while others might have malicious intentions driven by personal vendettas, financial gain, or espionage.
Types of Insider Threats:
  1. Negligent insiders: Those who inadvertently cause harm by not following security protocols, falling for phishing schemes, or sharing sensitive data unintentionally.
  2. Malicious insiders: Individuals who intentionally harm the organization through theft, sabotage, or espionage.
  3. Credential thieves: External actors who steal the credentials of an insider to exploit their access. Though technically an external threat, they operate with the privileges of an insider.
Detecting the Threat:
Detecting insider threats is difficult since the perpetrators know your organization's practices. However, some signs include:
  • Unusual or unauthorized data transfers
  • Drastic changes in employee behavior or work patterns
  • Frequent or unusual after-hours system access
  • Unauthorized installation of software
Mitigating Insider Threats:
  1. Education and Training: Ensure that all employees are aware of security best practices. Regular training can prevent inadvertent breaches by making employees aware of the potential risks of their actions.
  2. Limit Access: Implement the principle of least privilege (PoLP). Grant employees access only to the information they need to perform their tasks.
  3. Regular Audits: Conduct periodic audits of access logs and data transfers to spot unusual patterns or unauthorized access.
  4. Technical Measures: Employ data loss prevention (DLP) tools, user behavior analytics (UBA), and other technologies that can help detect and prevent malicious activities.
  5. Exit Strategies: When employees leave or change roles, ensure their access is modified or revoked accordingly.
  6. Whistleblower Policies: Encourage employees to report suspicious activities by guaranteeing anonymity and protection for whistleblowers.
  7. Build a Positive Work Culture: A positive work environment can deter potential malicious insiders. If employees feel valued and treated fairly, they are less likely to harm the company.
Navigating the Challenges:
Dealing with insider threats requires a delicate balance. On the one hand, businesses must be vigilant and monitor for potential breaches. On the other, it's crucial not to create an environment of mistrust, as this can hamper productivity and morale.
By staying informed, leveraging technology, fostering open communication, and building solid relationships with employees, businesses can prevent insider threats and create an atmosphere of trust and collaboration.
In the digital age, where data is a prized asset and threats lurk around every corner, disregarding insider threats is not an option. It's crucial to acknowledge, understand, and actively work against these risks to safeguard the future of any organization.

Threat Hunting through Outbound Traffic

7/4/2020

Data exfiltration and Data Loss Prevention (DLP) are the key topics of today's discussion. One way to detect APT groups and advanced ransomware at an early stage is by analyzing outbound traffic. Most advanced threats will try to establish a C2 connection.
Profile 'outbound' traffic data:
  • How much data is sent?
  • Who usually sends the data?
  • Where are we sending the data (IP, port)?
  • When is it usually sent?
You can use flow logs or NGFW logs to get these insights. Try to see if you can find outliers.
Some outliers can be:
  • 24/7 outbound connections (keep an eye on these)
  • Unauthorized C2 or VPN connections
  • Malicious insider activities

Dashboards are a good starting point. With the flow data you can develop a 'Top Level Domain (TLD) Dashboard' and look for the following traffic patterns:
  • High-bandwidth TLDs
  • Low-level TLDs
  • Top 10 TLDs by bandwidth
  • Top 10 second-level domains by bandwidth
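As an added example (not from the post), here is a Python sketch of the profiling described above over constructed flow records: per-host outbound volume with a median-based outlier rule, the "24/7 outbound connection" check, and the TLD / second-level-domain bandwidth roll-up behind the dashboard. The record layout, the 10x-median threshold and the "seen in all 24 hours" rule are assumptions to tune against your own baseline.

```python
"""Profile outbound flow records and surface the outliers the post lists.

Added example, not from the post. Assumed record layout: (hour, src, dst,
dst_port, dst_domain, bytes_out), i.e. flow logs already enriched with the
resolved destination name. Thresholds are starting points, not tuned values.
"""
from __future__ import annotations

from collections import defaultdict
from statistics import median
from typing import Iterable, NamedTuple


class Flow(NamedTuple):
    hour: int          # hour of day (0-23) the flow started
    src: str           # internal host name
    dst: str           # external destination IP
    dst_port: int
    dst_domain: str    # resolved destination name
    bytes_out: int


def bytes_by_source(flows: Iterable[Flow]) -> dict[str, int]:
    """'Who sends how much': total outbound bytes per internal host."""
    totals: dict[str, int] = defaultdict(int)
    for f in flows:
        totals[f.src] += f.bytes_out
    return dict(totals)


def volume_outliers(flows: Iterable[Flow], factor: float = 10.0) -> list[tuple[str, int]]:
    """Hosts whose outbound volume exceeds `factor` times the fleet median."""
    totals = bytes_by_source(flows)
    if not totals:
        return []
    threshold = factor * median(totals.values())
    return sorted((h, b) for h, b in totals.items() if b > threshold)


def always_on_pairs(flows: Iterable[Flow]) -> list[tuple[str, str, int]]:
    """(src, dst, port) seen in all 24 hours of the day: the post's '24/7
    outbound connection', typical of beacons and unsanctioned VPN tunnels."""
    hours: dict[tuple[str, str, int], set[int]] = defaultdict(set)
    for f in flows:
        hours[(f.src, f.dst, f.dst_port)].add(f.hour)
    return sorted(k for k, seen in hours.items() if len(seen) == 24)


def domain_suffix(name: str, labels: int) -> str:
    """Last `labels` labels of a name: 1 = TLD, 2 = second-level domain.
    Caveat: multi-part suffixes such as co.uk need the Public Suffix List."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def top_domains(flows: Iterable[Flow], labels: int = 1, n: int = 10) -> list[tuple[str, int]]:
    """Bandwidth roll-up for the TLD dashboard (labels=1) or the
    second-level-domain view (labels=2), highest first."""
    totals: dict[str, int] = defaultdict(int)
    for f in flows:
        totals[domain_suffix(f.dst_domain, labels)] += f.bytes_out
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def constructed_flows() -> list[Flow]:
    """Constructed sample data (RFC 5737 addresses, example.* names)."""
    flows: list[Flow] = []
    for host in ("ws-01", "ws-02", "ws-03"):            # business-hours web use
        for hour in range(9, 18):
            flows.append(Flow(hour, host, "198.51.100.10", 443, "cdn.example.com", 50_000))
    for hour in range(24):                               # hourly beacon, all day
        flows.append(Flow(hour, "ws-04", "203.0.113.7", 8443, "relay.example.net", 2_000))
    flows.append(Flow(2, "srv-db-01", "203.0.113.9", 443, "files.example.org", 50_000_000))  # night bulk push
    return flows
```

On the constructed data `volume_outliers` isolates the night-time bulk sender, `always_on_pairs` isolates the hourly beacon, and `top_domains` ranks `org` first by bandwidth even though it is a single flow, which is exactly the pattern a TLD dashboard is meant to make visible.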


Comment if you have additional tips.

Security Operation Center (SOC) Overview

6/18/2020

I have had to build many SOC teams in my professional career. In this post, I’d like to clear up some of the myths about SOCs. Let’s start with the basics.

One of the most important questions is: why does your organization need a SOC?

Enterprises often collect a large amount of data in the form of logs. Simply storing the data is not valuable. The humongous amount of information needs to be searched for malicious activity, and if there is malicious activity, you need a human to respond to it intelligently. SOC team members handle the detection, investigation, and response to the incident. Another critical aspect of the SOC team (often overlooked) is the post-incident review.

What are the sub-teams/sub-groups in a SOC?

Key Roles in a SOC Team
  • SOC Manager
  • Cyber Security Analyst
  • Incident Responders/Commanders
  • Digital Forensics Experts
  • Detection Engineers
  • Security Architects/Program Managers/DevOps Engineers

Types of Security Operation Center (SOC)
Fully Outsourced SOC: Hiring, building, and retaining SOC teams is challenging and expensive. There are not a lot of experienced cyber security analysts and engineers out there in the market; it’s honestly a new career option. To avoid the hassle, organizations often decide to fully outsource security operations to a Managed Security Service Provider (MSSP).

There are a few advantages and disadvantages of having a fully outsourced SOC. The most significant benefit is speed: you can have someone start looking at your data/alerts as soon as you sign the contract. If there is any anomaly, the MSSP will hunt, investigate, and escalate it to you pretty quickly.

The biggest downside is the knowledge gap. All the knowledge/intelligence about your network/endpoints stays with the MSSP; as soon as you cancel the contract, it’s gone. Another significant disadvantage is that an MSSP is expensive. You have to pay a lot of money out of your budget for the SOC. In some cases, the quality of the investigation can be poor too.

Even after outsourcing your SOC, the responsibility for mitigating malicious activity and for compliance stays with the organization. Usually, companies in an early stage will go for this model. The MSSP will care more about the SLAs than about the quality of the investigation. If you are adopting this model, please ensure that you discuss all the norms upfront, including the resumes/profiles of the analysts.

Hybrid SOC: This is a combination of an MSSP and an in-house SOC team. Usually, the detection, response, and forensics teams will be in-house, and the Tier-1 and Tier-2 analysts will be outsourced. The majority of the pros and cons of the MSSP model mentioned above apply here as well. The benefit is that you keep your institutional knowledge. If you want to run your SOC 24/7 and your security team is only in one country, this model will be helpful in terms of coverage and control.

In-house SOC: Fully in-house SOC teams are expensive; usually large organizations with big budgets will go for this model. I’d say having a functional in-house SOC is a sign of the maturity of the overall cybersecurity program. If your company is global, you may want to have your SOC team in multiple time zones.

Key Responsibilities of SOC

  • Implement, Manage, and Propose Security Tools: SIEM, EDR, and SOAR are the primary tools a SOC uses, but the SOC is also responsible for identifying security gaps and proposing new tools to the business. If an alert/incident has made it to the SIEM application, it must have bypassed specific security controls. SOC analysts should always think about solutions to reduce the number of alerts/cases. A typical example is proposing an email security tool to reduce the number of phishing alerts.
  • Investigate, Respond, Contain, and Remediate Suspicious Alerts: The core function of the SOC is to investigate malicious activity. A SOC cannot rely wholly on preventive and detective controls; a successful SOC is always on a hunt.
  • Cyber Security Strategy: The SOC is responsible for the overall cyber security strategy of the company. The SOC should develop playbooks, SOPs, and policies to respond to certain types of alerts. For example, the SOC should develop a Cyber Security Incident Response Plan, an escalation policy involving HR/Legal, etc.


NSM Tools

6/17/2020

In this blog post, we will discuss high-quality open-source NSM tools. Security Onion is one of the most common and popular NSM distributions.

Security Onion is an Ubuntu-based Linux distribution. It comes with a bundle of software:
  • NIDS - Snort, Suricata
  • Asset Data - PRADS
  • Full Packet Capture - netsniff-ng
  • SIEM - ELK
  • Additional tools - Wireshark, Nmap 

What is Session Hijacking?

4/27/2020

Web sessions are usually managed by a "session token". Session hijacking is a way of exploiting the web session control mechanism: it is a way to gain unauthorized access to the web server by stealing a valid token.

Session hijacking is a type of attack that can be accomplished using various techniques, such as session sniffing, client-side attacks like XSS, and man-in-the-middle/man-in-the-browser attacks.



