Recently I have encountered an error I wasn't too familiar with how to resolve, working with the ELK Stack. This specific error is the "[circuit_breaking_exception] [parent] Data too large, data for [<http_request>]". It is not directly visible where the error originates from, but with some sleuthing I discovered that it is caused by Elasticsearch preventing some requests from executing to avoid possible out of memory errors, as detailed in Elasticsearch Circuit Breaker documentation.
ReadIn everyday life we need to constantly keep ourselves reminded of important information. Some people write this information on post-it notes, notebooks or using programs such as Microsoft Word or Google Notes. The problem is, that information is in itself transitive- one piece of data or a note can lead to another one and it can become cumbersome and difficult to follow the trail of information. Our brain works the same way, usually we store information by association- to remember a fact, we try to think, for example, of where we learned the fact, or who told it to us, and follow the links to the information we try to remember.
ReadIn modern network infrastructures, there are a lot of sources of data, that can be of interest for collection and analysis, to see if possible suspicious activity is present in the network. More often than not, this data is collected and send to a Security Information and Event Management (SIEM) tool, running on the network, where it can be processed and reviewed by domain specialists.
ReadManaging big networks can be quite complicated- many inbound and outbound requests, network traffic, email correspondence and other activities that need to be monitored. It is quite easy for an attacker to obfuscate his actions, when we are confronted with large amounts of network data to analyze. Luckily there are ways to aggregate all this data and store it so it can be reviewed and hopefully discover any abnormal activity. Of course, I am talking about the use of a Security Information and Event Management (SIEM) framework. One such framework that has gained a lot of popularity, because of its modularity and open-source nature, is the ElasticSearch/Logstash/Kibana framework.
ReadAs I mentioned in the previous blog posts on the subject of the GHOSTS framework, I often use virtual machines to set up and run my tests. In the case of GHOSTS, i have the main GHOSTS server API running on a Linux VM with docker and docker-compose, and the GHOSTS client is running on a Windows 10 virtual machine. If you are interested to read about it, you can find the previous blogs at the following links:
ReadFor years, there has been an OS war between Linux, Windows and macOS for dominance. Each side would vehemently defend their OS of choice and disregard any positive sides of their "opponents". Of course, each operating system has its benefits and drawbacks and it is not my job or place to say which is the best.
ReadIn recent years we have witnessed multiple organised attacks against countries and companies using malicious code that was distributed via a legitimate website. These types of attacks are called "watering hole attacks" as they target well known and used websites and compromising them. You could compare this to dumping poison or other dangerous chemicals in a pond or well, where your intentions are to target any and all that use that source. One of the more famous such attacks was the CCleaner Watering Hole attack, which used the well-known tool CCleaner to distribute its malicious code.
ReadIn part I of our look into the GHOSTS framework, we managed to set up the GHOSTS servers on our computer and connect a simple Windows VM, running the client code, to the GHOSTS API server. The next step is to configure properly our Windows Client to simulate the activity of a real user. To do that we will set up multiple programs and tools that can be run automatically and define their behaviour.
ReadWhen we want to test some detection algorithm we are developing, or we want to prepare a nice in-depth exercise for our students, we need to set up an ecosystem that closely resembles that of the real world. This can lead to some difficulties as in a real network we have multiple users, each with the own computer, surfing the net, working with files, or typing commands and sending requests to the network's centralized server. It could pose a big challenge to model this if we don't have a group of people available who we can task with sitting behind a computer and clicking on their mouse every so often to simulate real computer behaviour. There are tools available that help automate that, but in most cases they can be quite rudimentary.
ReadNextcloud is a great tool for self-hosting your data in the vein of Dropbox. It facilitates exchange of information and files in a team, with the extra benefit of providing a robust monitoring and protection capabilities. There are Nextcloud clients available for Windows, Linux and MacOS, which are easy to install and use. With one click you can upload your files to your personal cloud and share them. But sometimes the need arises to upload files from machines that don't use a Graphical user Interface (for example Ubuntu Server distribution). Luckily there exists a way to still be able to upload your files to Nextcloud using the command line and Curl.
ReadSometimes we might want to play with python scripts that are usefull for us when ran locally. But othertimes the script you have been playing with starts to be more and more important and involved in different projects. In such cases it is an interessting option to upload the python script to an internet repository so it can easily be accessed by you, your team members or other people that might need the same functionalities your script offers.
Read