@techbytom.bsky.social
Privacy, motorcycle, and craft beer geek. Adversarial thinker. Blue team your blue team for better red teaming.
Unique *certificate per client
01.08.2025 15:26 — 👍 0 🔁 0 💬 1 📌 0
I definitely left that part out, but in my head the mTLS layer is at C2 channel level, not as part of the protocol it’s embedded in. mTLS with unique certain per client means we get knowledge of where and when it was delivered when the server starts to communicate.
01.08.2025 15:25 — 👍 1 🔁 0 💬 1 📌 0
Sorry for the complete and total tangent, but I’m curious. There are obvious opsec downsides to mTLS, but why is it not more common in C2 tooling?
01.08.2025 05:22 — 👍 0 🔁 0 💬 1 📌 0
Last thought: while I'm on a tradecraft+capability separation kick, I intend Crystal Palace as an open-ended object/PIC stitching sandbox. Keep playing with it. Try different ideas. It's really cool. This is what organic cross-inspiration and conversation looks like. I pivot when inspired too.
21.07.2025 14:37 — 👍 1 🔁 1 💬 1 📌 0
Oh hey, the first video is now available!
Check out Steve Shelton’s keynote for #BSides312, the abstract for which had me sobbing.
Maximum echo please.
10.07.2025 03:02 — 👍 0 🔁 0 💬 0 📌 0
Astronomers may have just discovered the third interstellar object passing through the Solar System!
ESA’s Planetary Defenders are observing the object, provisionally known as #A11pl3Z, right now using telescopes around the world.
This is 100% going into my private C2 www.procustodibus.com/blog/2024/04...
27.06.2025 14:27 — 👍 2 🔁 1 💬 0 📌 0
I’m proud of you all. GG.
18.06.2025 18:38 — 👍 0 🔁 0 💬 0 📌 0
Do not sleep on my blue team 💪🏻
18.06.2025 18:37 — 👍 0 🔁 0 💬 1 📌 0
Usually they just need a reminder 😅
12.06.2025 14:08 — 👍 1 🔁 0 💬 1 📌 0
Furthermore, if your ceded access involves a fictitious user or other story components that cannot be validated and investigated as normal, then you have set yourself up for failure in evaluation of your incident response.
06.06.2025 15:04 — 👍 0 🔁 0 💬 0 📌 0
Your red team should provide a plausible story to explain why the user executed the payload and how they obtained the payload initially. This story should be provided by the user to your incident response team when they contact the user during incident response.
06.06.2025 15:04 — 👍 0 🔁 0 💬 1 📌 0
If your red team does not provide a plausible and verifiable explanation of how that assumed compromise initially occurred, then your blue team rightfully will stop their investigation once they determine how the initial access was gained.
06.06.2025 15:04 — 👍 0 🔁 0 💬 1 📌 0
When your red team begins with an assumed compromise, it is my opinion that one of the goals of your red team is to evaluate the effectiveness of your blue team's incident response.
06.06.2025 15:04 — 👍 0 🔁 0 💬 1 📌 0
A lot about what I’m going to say comes back to what role you view the red team fulfilling inside of your organization. Let’s talk about assumed compromise.
06.06.2025 15:04 — 👍 0 🔁 0 💬 1 📌 0
One for every 5 GHz channel.
03.06.2025 01:52 — 👍 2 🔁 0 💬 0 📌 0
Over 300 in attendance today, and more than 100GB of Internets slurped. @bsides312.org was a huge success. Lots of growth from last year. I can’t wait to see everyone again next year!
02.06.2025 01:46 — 👍 3 🔁 0 💬 0 📌 1
I’m a huge fan. Also try ramen wasabi sometime! (Less loud music and cats though).
01.06.2025 23:26 — 👍 1 🔁 0 💬 0 📌 0
Honestly, at least it’s touchless?
01.06.2025 01:12 — 👍 0 🔁 0 💬 0 📌 0
@lintile.lol TIL “hodling” is actually 4 letters?
31.05.2025 20:31 — 👍 0 🔁 0 💬 0 📌 0
Wedding planning and sharing the palette in hex, like any self-respecting hacker would.
31.05.2025 16:32 — 👍 2 🔁 0 💬 0 📌 0
Good morning, @thotcon
30.05.2025 15:29 — 👍 1 🔁 0 💬 0 📌 0
I’m super excited to be part of a team that just earned the BHIS Honey Badger award!
25.05.2025 14:47 — 👍 0 🔁 0 💬 0 📌 0
You make a really good point here. I think I’ve been fortunate enough to work inside orgs where this was more of a benchmark for “the red team reveals risks worth addressing” and sometimes even “worth this much time vs other projects” but I totally agree that building metrics is rife with trouble.
20.05.2025 02:00 — 👍 1 🔁 0 💬 1 📌 0
Measure Success via Velocity
Yep.
Actually though, what are some good metrics? A favorite of mine is projects actually making it across the line to remediate red team findings.
🤞
Really hoping for no issues.
🤨
19.05.2025 18:29 — 👍 2 🔁 0 💬 0 📌 0
I wonder what this would mean for investigation tools looking at phishing and payload delivery sites.
19.05.2025 06:13 — 👍 0 🔁 0 💬 0 📌 0
I suspect the plan is to implement mechanisms which attempt to distinguish between legitimate user agents and spoofed user agents.
19.05.2025 06:12 — 👍 0 🔁 0 💬 1 📌 0