Saa$y MSP Community Call | 1.23.25
- Published: 6 Feb 2025
Addressing Security Incidents and Risks
Andy shared an experience where a customer bought a batch of 15 used laptops, which turned out to be preloaded with ransomware. The team also discussed a case where a customer's credit card deposits were routed to a different account, potentially due to a business email compromise. The team agreed that these incidents highlight the need for better validation processes and internal IT capabilities. They also discussed the importance of verifying email addresses and the need for more robust security measures.
Starlink IP Address Identification Issue
Greg reported a recent issue where some clients using Starlink were being incorrectly geolocated outside the US based on their IP addresses. This was particularly frustrating because it required him to make exceptions in both Conditional Access and whitelisting. Chip suggested that this could be due to Starlink's recent expansion on the West Coast, particularly in California, and the time it takes for carrier IP data to be updated. Chip encouraged Greg to continue submitting these issues to the support team for validation and updating.
Power Filter for Whitelisting Development
Adam presented a new feature in development, a 'power filter' for whitelisting, aimed at reducing noise from Microsoft data center data movement events. The feature will allow users to add filters at different levels, including global, organization and user levels. It will also include a toggle for inheritance of filter rules. The feature is planned to be released soon, with further enhancements, such as time-based filters, to be added in the future. The team discussed the potential for adding filters based on work roles and groups, with Andy suggesting the inclusion of a category for work roles.
Wildcard Filters for Ransomware Detection
Amanda discussed the imminent release of a new feature that allows wildcard patterns in filters. Ben demonstrated how this feature could be used to monitor for certain file names or extensions, which could be useful in detecting ransomware activity. The team also discussed the ability to monitor for changes in specific folders or file paths. Andy asked whether the system would scan the SharePoint site or file names on a schedule, to which Ben clarified that the system monitors ongoing events, not past ones.
Implementing Wildcards and IoCs Discussion
The team discussed the implementation of wildcards in their system to enhance granularity and prevent unintended consequences. They considered testing the wildcards against a 24-hour sample of events to ensure their effectiveness. The idea of a dynamic word list or threat feed was also proposed for future development. The team introduced the concept of Indicators of Compromise (IoCs) as a custom event builder, with the long-term plan to move all aggregated events into IoCs so they can be modified and adjusted, and discussed introducing templates as part of this new system.
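The two preceding sections describe wildcard rules that match file names, extensions or paths in the ongoing event stream, and the idea of replaying a 24-hour sample through new rules before enabling them. The following is an added example, not code from the original page or from SaaS Alerts: it uses shell-style wildcards (Python's `fnmatch`) over constructed file events. The rule names, the event fields and the sample events are assumptions made for illustration, not the product's own rule syntax or captured data.

```python
import fnmatch
from collections import Counter
from dataclasses import dataclass

# Constructed wildcard rules (hypothetical rule names, not the product's syntax).
# Patterns without a '/' are matched against the file name; patterns containing
# a '/' are matched against the full path, which is how folder-scoped rules work.
RULES = {
    "ransomware-extension": ["*.locked", "*.encrypted", "*.crypt"],
    "ransom-note": ["*readme*.txt", "how_to_decrypt*", "*restore*files*.html"],
    "finance-folder-change": ["/finance/*"],
}


@dataclass
class FileEvent:
    user: str
    operation: str   # e.g. FileModified, FileUploaded, FileRenamed (constructed)
    path: str        # full path within the SaaS file store


def _matches(value, patterns):
    # Case-insensitive match; fnmatchcase avoids platform-dependent normalisation.
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def evaluate(event, rules=RULES):
    """Return the names of the rules a single ongoing event trips."""
    name = event.path.rsplit("/", 1)[-1]
    hits = []
    for rule, patterns in rules.items():
        name_patterns = [p for p in patterns if "/" not in p]
        path_patterns = [p for p in patterns if "/" in p]
        if _matches(name, name_patterns) or _matches(event.path, path_patterns):
            hits.append(rule)
    return hits


def sample_test(events, rules=RULES):
    """Replay a captured sample (e.g. 24 hours of events) through the rules and
    count hits per rule, so an over-broad pattern is visible before it goes live."""
    counts = Counter()
    for ev in events:
        for rule in evaluate(ev, rules):
            counts[rule] += 1
    return counts


def noisy_rules(events, rules=RULES, max_hits=2):
    """Rules that fire more than max_hits times on a sample believed to be benign
    are candidates for tightening before the rule is enabled for alerting."""
    return sorted(r for r, n in sample_test(events, rules).items() if n > max_hits)


# Constructed sample events standing in for a 24-hour window.
SAMPLE = [
    FileEvent("alice", "FileModified", "/Finance/Q1/budget.xlsx"),
    FileEvent("bob", "FileRenamed", "/Shared/Projects/proposal.docx.locked"),
    FileEvent("bob", "FileUploaded", "/Shared/Projects/README_TO_RESTORE.txt"),
    FileEvent("carol", "FileModified", "/Marketing/readme.txt"),   # benign name collision
    FileEvent("dave", "FileUploaded", "/Shared/HOW_TO_DECRYPT_FILES.hta"),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(f"{ev.user:6} {ev.path:45} -> {evaluate(ev)}")
    print("hits per rule:", dict(sample_test(SAMPLE)))
    print("noisy rules:", noisy_rules(SAMPLE))
```

The replay shows why the 24-hour test matters: `*readme*.txt` also catches carol's ordinary `readme.txt`, so the rule would need a narrower pattern (or a folder scope) before it is trusted as a ransomware indicator.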
Phishing Attacks and Detection Strategies
Ben discussed a significant increase in phishing attacks, particularly from Global Internet Solutions, a Russian-owned company with IP addresses in Arizona. He explained that these attacks often involve stolen tokens, which are then used to create mailbox forwarding rules and send out large amounts of email. Ben noted that this attack technique has affected around 2,600 individual email accounts over the last 30 days, with a notable uptick in January. Liran shared an IoC that could be used to detect these attacks, and Andrew suggested sharing these IoCs among SaaS Alerts users to create a more effective defense system.
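The technique Ben describes, a stolen token used to create mailbox forwarding rules, leaves a record when the rule is created, and that record is where a detection can sit. The following is an added example, not code from the page or from SaaS Alerts: it classifies constructed audit records whose shape is loosely modeled on Microsoft 365 unified audit log entries for the `New-InboxRule` and `Set-InboxRule` cmdlets (operation name plus a list of parameter name/value pairs). The field layout, the accepted-domain list and every address and IP in the sample are assumptions constructed for illustration; the rule-name heuristic is a general observation, not an IoC from the call.

```python
# Constructed audit records. The layout (UserId, Operation, ClientIP, Parameters)
# is an assumption loosely modeled on unified audit log entries; the values are invented.
SAMPLE_RECORDS = [
    {"UserId": "alice@example.com", "Operation": "New-InboxRule", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Archive old mail"},
                    {"Name": "ForwardTo", "Value": "archive@example.com"}]},
    {"UserId": "bob@example.com", "Operation": "New-InboxRule", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "carol@example.com", "Operation": "Set-InboxRule", "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "Identity", "Value": "Invoices"},
                    {"Name": "RedirectTo", "Value": "Accounts <mail@external-example.org>"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"UserId": "dave@example.com", "Operation": "New-InboxRule", "ClientIP": "203.0.113.44",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

ACCEPTED_DOMAINS = {"example.com"}          # constructed tenant domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def _params(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _is_external(address, accepted):
    # Values may arrive as 'Display Name <user@domain>'; take the domain after '@'.
    domain = address.rsplit("@", 1)[-1].rstrip(">").strip().lower()
    return domain not in accepted


def classify(record, accepted=ACCEPTED_DOMAINS):
    """Return (severity, reasons). severity is 'high', 'medium' or None.

    high   : forwards/redirects externally and deletes or hides the original
    medium : forwards/redirects externally
    None   : no forwarding, or forwarding stays inside the accepted domains
    """
    if record.get("Operation") not in RULE_OPERATIONS:
        return None, []
    params = _params(record)
    targets = [v for k, v in params.items() if k in FORWARDING_PARAMS]
    external = [t for t in targets if _is_external(t, accepted)]
    if not external:
        return None, []
    reasons = [f"forwards to external address {t}" for t in external]
    hides = params.get("DeleteMessage", "").lower() == "true" \
        or params.get("MarkAsRead", "").lower() == "true"
    if hides:
        reasons.append("original message is deleted or marked read (hides the forward)")
    # Heuristic: one- or two-character rule names are a common sign of a hastily
    # created rule; it raises confidence but does not change severity on its own.
    if len(params.get("Name", "").strip()) <= 2 and "Name" in params:
        reasons.append("rule name is a single character or empty")
    return ("high" if hides else "medium"), reasons


def scan(records, accepted=ACCEPTED_DOMAINS):
    """Run classify() over a batch and return one alert dict per suspicious record."""
    alerts = []
    for rec in records:
        severity, reasons = classify(rec, accepted)
        if severity:
            alerts.append({"user": rec["UserId"], "ip": rec.get("ClientIP"),
                           "operation": rec["Operation"], "severity": severity,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert["severity"].upper(), alert["user"], alert["ip"], "|", "; ".join(alert["reasons"]))
```

Alice's rule forwards inside the tenant and produces no alert, while Bob's and Carol's rules forward outside the accepted domains; Bob's also deletes the original, which is what raises it to high. In practice the same record's `ClientIP` would be joined against the sign-in log to confirm whether the rule was created from the user's usual location.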
Developing Ecosystem for Threat Hunters
Andrew, Liran and Jim discussed the development of an ecosystem for 2,500 partners and threat hunters, including Ben's team. The aim is to quickly disseminate identified Indicators of Compromise (IoCs) to the community for immediate benefit. Jim emphasized the importance of a community-driven approach, rather than a black-box approach, to foster trust and collaboration. Andrew suggested incorporating this into the SaaS Alerts call once Liran's project is more developed, and the idea of an "IoC of the week" was proposed. Liran then presented a new concept for their project, which includes a selector for IoCs and the ability to add specific information to each event using short codes.
New Feature for Threat Analysis
Liran presented a new feature for analyzing threats, which includes a preview mode, a summary, and the ability to convert an Indicator of Compromise (IoC) to a response event. The feature also allows users to submit IoC templates for community use. Andrew suggested the inclusion of a traffic light protocol for sharing IoCs. Rpeters proposed an AI-driven domain spoofing analysis to automatically blacklist similar domains. Andrew praised the innovation and thanked the development team.