deanfourie
Occasional Visitor
So I'm curious about the methods you would use to identify and pinpoint exposed devices. Unplug everything and plug one device in at a time, etc.? What methods would you use to find said infected device?
I'm curious as, obviously, with the sophistication of today's malware, detection can be near impossible or just plain DIFFICULT. So, from your perspective or experience, what's the best approach and method to really identify a compromised device? I'm a big fan of GitHub tools too, if you wanna throw me a bone.
I'm also interested to hear your thoughts on hardware-level infections such as BIOS, NIC, switches and APs, etc. How likely is it for a device's BIOS to be infected, causing continued infection on every new install of an OS?
I'm currently using ntopng and viewing live flows. I would like to know what the acceptable number of flows / DNS requests would be for, say, 2 connected Windows devices.
Also, how common would an ISP-level targeted (or untargeted) attack be? I'm talking someone on the inside of the ISP, say, pushing configs with TR-069. Do ISPs actually limit or restrict this type of stuff? Is this like actually hard for an employee to do?
How possible would a MITM attack be to actually push infected Windows updates? Say, if someone was able to intercept DNS and point the Windows Update hostname to a hosted server, then push a Windows Update containing vulnerabilities? Again, possibly linked to an inside job at the ISP to reroute the DNS to a dodgy resolver.
Look forward to hearing your thoughts.
Thanks
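One way to turn the "acceptable number of DNS requests" question into a per-host baseline check, as an added example that is not from the original post: it parses constructed resolver-style log lines (the line format, IP addresses and thresholds are assumptions; ntopng's own exports look different) and flags any host whose query rate is well above the fleet median while almost every name it asks for is a one-off, which is the shape DNS-heavy malware tends to have against two mostly idle Windows desktops.

```python
from collections import Counter, defaultdict
from datetime import datetime
import statistics

# Constructed resolver-style log (not a real capture): "<ISO timestamp> <client IP> <queried name>".
# .10 and .11 behave like two mostly idle Windows desktops; .12 asks for many never-repeated names.
SAMPLE_LOG = """\
2024-01-01T10:00:01 192.168.1.10 www.example.com
2024-01-01T10:00:09 192.168.1.10 ctldl.windowsupdate.com
2024-01-01T10:00:31 192.168.1.10 www.example.com
2024-01-01T10:00:02 192.168.1.11 www.example.com
2024-01-01T10:00:20 192.168.1.11 login.live.com
2024-01-01T10:00:50 192.168.1.11 ctldl.windowsupdate.com
2024-01-01T10:00:03 192.168.1.12 a1b2c3.host.test
2024-01-01T10:00:04 192.168.1.12 d4e5f6.host.test
2024-01-01T10:00:05 192.168.1.12 g7h8i9.host.test
2024-01-01T10:00:06 192.168.1.12 j0k1l2.host.test
2024-01-01T10:00:07 192.168.1.12 m3n4o5.host.test
2024-01-01T10:00:08 192.168.1.12 p6q7r8.host.test
2024-01-01T10:00:09 192.168.1.12 s9t0u1.host.test
"""

def parse_log(text):
    """Group (timestamp, name) pairs per client IP; malformed lines are skipped, not guessed at."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        per_host[client].append((datetime.fromisoformat(ts), qname.lower().rstrip(".")))
    return per_host

def host_stats(per_host):
    """Per host: queries per minute over the observed window and the share of names seen only once."""
    all_ts = [ts for rows in per_host.values() for ts, _ in rows]
    minutes = max((max(all_ts) - min(all_ts)).total_seconds() / 60, 1.0)  # never divide by a tiny window
    stats = {}
    for client, rows in per_host.items():
        counts = Counter(q for _, q in rows)
        singletons = sum(1 for c in counts.values() if c == 1)
        stats[client] = {"qpm": len(rows) / minutes, "singleton_ratio": singletons / len(rows)}
    return stats

def flag_outliers(stats, rate_factor=2.0, singleton_min=0.9):
    """Flag hosts that query more than rate_factor x the fleet median AND mostly ask one-off names.
    Both thresholds are assumed starting points; tune them against your own quiet-hour baseline."""
    median_qpm = statistics.median(s["qpm"] for s in stats.values())
    return sorted(c for c, s in stats.items()
                  if s["qpm"] > rate_factor * median_qpm and s["singleton_ratio"] >= singleton_min)
```

Requiring both conditions matters: host .11 asks three distinct names once each (ratio 1.0) but at a normal rate, so it is not flagged; only .12 exceeds both.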