View on GitHub

Learn from attacks that bypass your preventions

I know, no kidding, right? Thanks, Captain Obvious!

I find that we are trusting our commercial tools too much. If you take the “trust but verify” approach to attack detection, you will learn so much. If you apply what you learn, you will detect future attacks that bypass your preventions.

There are several ways to get started. Starting with antivirus alerts is one simple way, since the attack made it to the endpoint. Regardless of how you start, the important aspect is being able to answer the question, “how was it delivered?” By attempting to answer that question, you will learn where you have visibility gaps and where your attacks are originating from. In addition to understanding the delivery vector of an attack, it is also important to classify the threat by risk level for your business. This information will allow you to make a data driven decision on where to focus your efforts.

For us, email was the highest volume and highest risk delivery vector. While we had IDS in addition to IPS, as well as EDR along with antivirus, we only had an email prevention system, without a detection system. We decided to build our own.

By implementing, and continually improving the Intel, Detect, Response process, we have not only become knowledgeable, but we now detect over 480 email attacks that bypass our email filter monthly. This represents a total population of 12,000 employees. Additionally, we are alerted when an employee clicks a link or opens an attachment related to the phish. This data provides us actual click rates, not just data from a phishing simulation.

We continued to automate our manual processes, improving our ability to work more alerts with the same number of employees. We created detection systems and managed attack related data which fed our detection.

Alerts and Intelligence over time

To kick-start our program, we initially focused on externally sourced intelligence in addition to answering the delivery vector question. While we continue to collect external intelligence, we prioritize those sources by focusing on high risk threats. As we have matured, we focus most of our efforts on internally sourced intelligence. It is the most relevant, contextual, reliable, and credible source of intelligence available. Managing and applying that data is the key to a highly capable program.

As we streamlined the process of detection -> response -> intelligence -> detection for attacks bypassing our preventions, we started to detect more threats quarter over quarter. The system began feeding itself.

There is no silver bullet and taking the time to learn all of the systems, data, and priorities was a journey, but it has been a journey that has made us very knowledgeable and improved our capability.

The great news is that this approach is reproducible. _________________________________

Previous Posts

Learn from attacks that bypass your preventions
Treat every alert like a dollar in your budget
I love not doing things
Are You Winning?
Custom Phish Detection For The Win
Move to a Free First strategy
Opensource is well positioned for security automation
The Process

Treat every alert like a dollar in your budget

Security 101:

1) Buy a security platform (SIEM or similar)
2) Pump data into the system
3) Create a SOC (make sure to have many large screens, 24x7, follow-the-sun setup)
4) Thousands of alerts daily, with no context.
5) SOC submits ticket to IT team
6) IT team closes ticket
7) Go to step 4, repeat until breach.
8) Buy new wizbang security technology
9) Go to step 4. repeat until breach.
10) Fire CISO
11) Hire a service which does 1-9

Dave Ramsey says that when budgeting, every dollar should have a job and a purpose. This means that each dollar has an understood opportunity cost.

Alerts have an opportunity cost too. If it isn’t valuable, tune it or get rid of it. If it is valuable, it should be highlighted. Alerts should be easy to tune and even easier to turn off (if bad).

False positives are a way of life. False positives that add no value or take too long to analyze are like incurring high interest debt.

“You must gain control over your money (alerts) or the lack of it will forever control you.”

Find Alert Peace.


Alert triage is similar to troubleshooting an IT problem. The more information collected up-front, the easier it is to find answers, the quicker the problem gets resolved. Security alerts are similar, the more understanding of why the alert fired, what it might represent, and the ability to find additional information drive quicker analysis.

The goal is for every alert to have all the information required by a human to disposition the alert with confidence quickly, thereby reducing manual effort and time. Additionally, a tuning sub-process should be implemented within the normal flow of alert triage. This will not only help with alert fatigue, but improve coverage, and get your team thinking the right way.

If you can answer these questions, your alerts, and SOC, are working for you.

I love not doing things

and I love that by not doing things we can do more things

Things that use to be hard, or tedious, no longer are. This provides us the opportunity to work on the next hard thing.

Why not have ACE do things, so your team can do more things?

Let’s join forces and automate the ordinary!

(Ok and maybe the extraordinary too)

Are You Winning?

What does winning look like in cybersecurity?

- No business operations disruption? 
- No financial loss? 
- No loss of important data? 
- No brand negativity? 

If you are winning, how well are you winning?

What if you measured every attack that gets around at least one of your preventions? What if, for every one of these attacks you measured how far the attack made it in the attack cycle?

Dispositioning your security alerts by attack cycle provides this insight.

ACE not only provides you the ability to automate the ordinary, it also collects the data you need to understand your threats and risk, as part of the normal security operations process.

Do you understand your security operations?

Security Operations Metrics

Can you show you are winning?

Attack Penetration

Do you know what threats are getting past your defenses? How well do you detect and prevent these threats?

Your Threats

Custom Phish Detection For The Win

Catch phish, clean’em, and use’em as bait

Ok, so phishing is not new, but waves of relentless phishing continue and bypass email prevention systems daily. It is odd that year over year the number of phishing attacks getting past prevention systems continues to increase.

From Business Email Compromise, to credential harvesters, to malicious attachments, and links to all sorts of malicious files; phishing is still the easiest, lowest cost delivery vector for attackers. Good thing for us it is also the easiest to detect (believe it!).

In my experience if you have a good phishing prevention system and a good phishing awareness program, you are still missing attacks…a lot of attacks. While prevention is the ultimate goal, there is so much additional value gained by detecting and learning from the phish that bypass your preventions!

“Give a Man a Phish, and You Feed Him for a Day. Teach a Man To Phish, and You Feed Him for a Lifetime.”

The barrier to entry is low. This is what you get for free. We hope you join us to build on the existing capabilities.

Move to Free First

Moving to a “Free First” approach for cybersecurity

Step 1: call salesperson, Step 2: get quotes, Step 3: compare functionality.

Remember the days when the strategy was to look for a commercial tool first? That strategy has led to quite a few purchases, some that we are now stuck with, some that we still get value from.

But, as I look at the opensource security system landscape, I’m thinking we need to move to a “Free First” mindset. Getting involved with opensource, seeing projects grow into extremely capable systems, and seeing how quickly they are becoming mainstream…why not take a little time to research opensource before you buy? What’s the downside? For good opensource projects the time investment is relatively small. Setup a proof of concept to understand the functionality and learn how it fits into your security program (without the marketing FUD). Worst case, you become more educated and better prepared for determining the value of the commerical tools.

Maybe you are looking to buy automation tools. Maybe you are thinking about a SIEM.

Maybe you should go “Free First”.

Opensource is well positioned for security automation

Some interesting quotes about SOAR related to the opportunities, limitations for integrations, unrealized out-of-the-box value, and adoption predictions here

SOAR is all about connecting systems into a cohesive process. Who is in the position to accomplish this the best? Every company has different systems they use and rely on. Who is best positioned to create the integrations & systems necessary to connect them?

I believe the teams that rely on those technologies and use them every day to accomplish a mission are in the best position to continually improve & maintain those technologies. Unfortunately, I don’t believe a commercial solution is best suited to provide this. How many integrations can a commercial solution actually support, test, and maintain as systems change? How do they prioritize the integrations? How quickly can one company do this? Does it align with your needs? In my experience, this is a bottleneck to success. Conversely, this is the value of opensource; connecting not only disparate systems, but teams, your specific priorities, and processes into a cohesive solution.

We have a great foundation that supports a mature process. We’ve learned from and implemented systems based on both our every day experience, as well as collaboration with best in class companies. Take security collaboration to a new, meaningful level. Join us!

#opensourceftw #collaboration #improvecybersecurity #forthemasses #worktogether #flexible #ownyourprocess

The Process

The Why, and how it fits together

Our goal is not the creation of code, it is the streamlining of this process. With that said, to enable the capability & effectiveness of this process we have created and integrated systems. Creating smart systems to improve this process has been our key to success.

All of the tools required to accomplish this process are now available from Integral Defense for free. Join us!

The short and skinny…

The Process

Additional details…

More Words

Where the tools fit into the process… Free systems and tools to accomplish the process


integral systems for cyber defense

There are many good security tools across the computing landscape, from email, network, and endpoint, to log aggregation, machine learning, case management, vulnerability management, and many more. Connecting these systems together in an efficient and meaningful way is still a major challenge within a security ecosystem. This github site contains a variety of code, including productivity tools, integration scripts, sophisticated detection capabilities, alert management, and an analysis correlation engine (ACE).

Every company is different. The combination of technology stacks, attack surfaces, and threat actors are not consistent across companies. Much of the code within this repo can be easily enhanced to accommodate specific technologies and allow you to make strides towards lean, efficient processes for your security program…not to mention the killer out of the open-box capabilities!

Your friends,
Integral Defense

Code long and prosper
Take a penny, leave a penny
“For a bunch of hairless apes, we’ve actually managed to invent some pretty incredible things”
“I know that the future is scary at times. But there’s just no escaping it”