<p>The Cybersecurity Librarian: Cataloguing Threats, Classifying Risks, and Building Security Literacy. Michael McDonnell, michael@cyberlibrarian.ca. Feed https://cyberlibrarian.ca/feed.xml (Jekyll, generated 2023-07-16T19:23:04+00:00).</p>
<h1 id="manually-import-crowdstrike-falcon-events-to-splunk">Manually Import CrowdStrike Falcon Events to Splunk</h1>
<p>Published 2023-03-26. https://cyberlibrarian.ca/blog/2023/03/26/importing-crowdstrike-events-into-splunk</p>
<p>Do you use CrowdStrike Event Search heavily? Do you come up against the 7-day data retention limit? Do you want to keep some data longer and still search it? This article explains how to manually export events from CrowdStrike Falcon Event Search and then import them into Splunk for correlation, preservation, or further analysis.</p>
<p>Note: I will update this post with screenshots at a later date.</p>
<p>Detailed CrowdStrike events are only searchable for seven days for most customers. Whenever I have an investigation, the first thing I do is export ALL CrowdStrike events to a JSON file to preserve them. Recently, I wanted to load an old and complex investigation for review and training, and I wanted to show others how to search and interpret CrowdStrike fields. My solution was to load the JSON into Splunk: with a little custom configuration, the events look nearly identical in Splunk to how they look in CrowdStrike Event Search.</p>
<p>I like CrowdStrike Falcon Event Search. It’s based on Splunk and I rely on it heavily when performing incident response, extracting observables for threat intelligence, and threat hunting. You can use the Falcon Data Replicator service to automatically import these events to Splunk, but that can get costly and duplicates the data. This may be beneficial for correlation at scale, but you might not have that option.</p>
<h2 id="step-1-perform-an-event-search-in-crowdstrike">Step 1: Perform an Event Search in CrowdStrike</h2>
<p>When my purpose for exporting CrowdStrike events is to preserve them, or to load them into Splunk for further analysis, I always export <em>all</em> events with no statistical summarization. This means no “|table” and no “|stats”. I want the native CrowdStrike event fields, and I want all of them.</p>
<p>However, there are limits to how many records a search can return. You cannot change these settings: they are set by CrowdStrike in their internal Splunk instance (Event Search is currently based on Splunk). For me, that limit is 50,000 events. The visual sign that your search did not return all records can be subtle and you <em>might</em> miss it.</p>
<p>My strategy to make sure I do not miss any data is to perform one search per ComputerName per day. For most Windows endpoints that is under the limit. However, I have had investigations where I had to search 8 hour time ranges to keep the events under the search limit.</p>
<p>I also search by ComputerName <em>not</em> aid. Why not aid? Because some events like “DetectionSummary” do not have an aid. They only have ComputerName. I have found that all the events I want do have a ComputerName. <em>If you know of events this will not catch, please email me and I will update this guide.</em></p>
<p><code class="language-plaintext highlighter-rouge">ComputerName="EVILCOMPUTER" earliest="3/22/2023:00:00:00" latest="3/23/2023:00:00:00"</code></p>
<p>That’s it. That’s the search. Of course, you can do any search. If you know what you are looking for, you have verified that all results were returned, and you don’t care about preserving <em>all</em> events, you can change this. You can also use the UI time-picker instead of <em>earliest</em> and <em>latest</em>. I preferred to be precise rather than depending on the UI.</p>
<h2 id="step-2-export-the-results-as-json">Step 2: Export the results as JSON</h2>
<p>Be aware that there are limits to how many records can be exported. Historically, I have had a few problems where large exports failed. I have not experienced that in 2023.</p>
<p>From the event search page, look for the “down arrow” icon: this will export your search results. A dialog box will open asking you for the name of the export file and the format. I always name my files “YYYY-MM-DD-COMPUTERNAME.json” for clarity. Make sure you select JSON as the format: the default is CSV.</p>
<p>Note: there can be a long time between when you click “OK” and when the download starts.</p>
<h2 id="step-3-configure-a-splunk-datasource">Step 3: Configure a Splunk Datasource</h2>
<p>Before you can import this into Splunk you will need to configure a source type. This configuration ensures that search-time field extraction works and produces the same field names you are used to in CrowdStrike Event Search. Note: these instructions do not result in <em>indexed field extraction</em>. If you come up with an easy solution for that, please let me know.</p>
<ol>
<li>From the Setting Menu, select “Source Types”</li>
<li>Select the “New Source Type” button</li>
<li>In the Create Source Type dialog box enter the following
<ul>
<li>Name: crowdstrike:result:json</li>
<li>Description: CrowdStrike Event Search Export as JSON</li>
<li>Destination app: “Search & Reporting” (I recommend you create an app specifically to collect your custom source types)</li>
<li>Category: Network & Security</li>
<li>Indexed extractions: none (this is important)</li>
</ul>
</li>
<li>Event Breaks
<ul>
<li>Event-breaking Policy: Regex</li>
<li>Pattern: <code class="language-plaintext highlighter-rouge">(\}?[\r\n]*\{"preview":false(,"offset":\d+)?,"result":)</code></li>
</ul>
</li>
<li>Timestamp
<ul>
<li>Extraction: Advanced</li>
<li>Time zone: GMT</li>
<li>Timestamp format: %O (BSD/Unix)</li>
<li>Timestamp prefix: timestamp</li>
</ul>
</li>
<li>Advanced
<ul>
<li>Select “New Setting” 3 times</li>
<li>KV_MODE: json</li>
<li>SEDCMD-rename-raw: <code class="language-plaintext highlighter-rouge">s/"_raw"/"orig_raw"/</code></li>
<li>SEDCMD-rename-time: <code class="language-plaintext highlighter-rouge">s/"_time"/"orig_time"/</code></li>
<li>SEDCMD-rename-sourcetype: <code class="language-plaintext highlighter-rouge">s/"sourcetype"/"orig_sourcetype"/</code></li>
<li>SEDCMD-rename-eventtype: <code class="language-plaintext highlighter-rouge">s/"eventtype"/"orig_eventtype"/</code></li>
<li>SEDCMD-rename-splunkserver: <code class="language-plaintext highlighter-rouge">s/"splunk_server"/"orig_splunk_server"/</code></li>
<li>SEDCMD-rename-host: <code class="language-plaintext highlighter-rouge">s/"host"/"orig_host"/</code></li>
<li>SEDCMD-rename-source: <code class="language-plaintext highlighter-rouge">s/"source"/"orig_source"/</code></li>
<li>SEDCMD-rename-index: <code class="language-plaintext highlighter-rouge">s/"index"/"orig_index"/</code></li>
</ul>
</li>
</ol>
<p><img src="/assets/images/2023-03-26_13-51-55.png" alt="Splunk source type settings for crowdstrike:result:json" /></p>
<p>What do these settings do? Read below.</p>
<h3 id="event-breaks">Event Breaks</h3>
<p>This is the part that really matters. When you export search results from CrowdStrike Event Search, the JSON includes a “wrapper” around the results that I want to remove. You can import this very simply, without my changes, by setting “Indexed Extractions” to JSON, but you will get the prefix “result.” in front of every field name.</p>
<p>To remove that we treat the JSON “wrapper” as a Line Breaker. That leaves us with just the search “result” fields and preserves the same field names we use in CrowdStrike.</p>
<p><code class="language-plaintext highlighter-rouge">(\}?[\r\n]*\{"preview":false(,"offset":\d+)?,"result":)</code></p>
<p>We are removing <code class="language-plaintext highlighter-rouge">{"preview":false,"offset":2,"result":</code> from every record. Sometimes “offset” is not present. And the <code class="language-plaintext highlighter-rouge">\}[\r\n]*</code> handles the very end of every record.</p>
<p>We have to specify “KV_MODE=json” so that the JSON fields are parsed out at search time. We sacrifice index-time field extraction, but I find that acceptable given that I usually don’t need to load a lot of data.</p>
<h3 id="timestamp">Timestamp</h3>
<p>There are multiple timestamps in our exported JSON but we want the one called “timestamp” in BSD/Unix format. In Splunk that is <em>%O</em>.</p>
<p><img src="/assets/images/2023-03-26_13-52-05.png" alt="Timestamp setting for Splunk source type" /></p>
<h3 id="renaming-conflicting-fields">Renaming conflicting fields</h3>
<p>But this</p>
<p>Note for Splunk datasource developers: Setting “INDEXED_EXTRACTION=json” will give you fields that start with “result.” and while that is workable, I prefer not to have that. We don’t want the CrowdStrike “_raw” and “_time” fields clobbering the Splunk ones (which will be populated when the data is indexed by Splunk). The same is true of other standard Splunk fields that are added during indexing: host, splunk_server, source, sourcetype, and index.</p>
<p>That is where the two “SEDCMD” settings come in. These will search-and-replace the text (using sed syntax) before they are indexed.</p>
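To make the Step 1 windowing and the Step 3 source-type settings concrete, here is a small Python script (an added example, not code from this post, from CrowdStrike or from Splunk) that generates the per-window Event Search queries, emulates the LINE_BREAKER pattern on a constructed three-record export, renames the clashing fields the way the SEDCMD entries do, parses the <code>timestamp</code> field, and flags an export whose record count sits at the 50,000 cap. The sample export text, the <code>%m/%d/%Y:%H:%M:%S</code> earliest/latest format, and the treatment of <code>timestamp</code> as an epoch value in milliseconds are assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# The post's LINE_BREAKER pattern. Splunk discards the text matched by the capture
# group and starts a new event there, so each record is left as the bare "result" object.
WRAPPER_RE = re.compile(r'(\}?[\r\n]*\{"preview":false(,"offset":\d+)?,"result":)')

# Old key -> new key, exactly as the post's SEDCMD-rename-* settings rewrite them.
RENAMES = {
    "_raw": "orig_raw", "_time": "orig_time", "sourcetype": "orig_sourcetype",
    "eventtype": "orig_eventtype", "splunk_server": "orig_splunk_server",
    "host": "orig_host", "source": "orig_source", "index": "orig_index",
}

# Assumed: Splunk's default earliest/latest format (the post writes 3/22/2023:00:00:00).
TIME_FMT = "%m/%d/%Y:%H:%M:%S"
RESULT_LIMIT = 50000  # the search result cap the post reports

# Constructed sample export: three wrapped records, the second without an "offset" key.
SAMPLE_EXPORT = (
    '{"preview":false,"offset":0,"result":{'
    '"_raw":"{\\"event_simpleName\\":\\"ProcessRollup2\\"}",'
    '"_time":"2023-03-22T10:15:00.000+00:00","host":"cs-indexer","source":"main",'
    '"sourcetype":"ProcessRollup2","ComputerName":"EVILCOMPUTER",'
    '"event_simpleName":"ProcessRollup2","CommandLine":"notepad.exe",'
    '"timestamp":"1679480100123"}}\n'
    '{"preview":false,"result":{"_raw":"{}","_time":"2023-03-22T10:16:00.000+00:00",'
    '"host":"cs-indexer","ComputerName":"EVILCOMPUTER",'
    '"event_simpleName":"DetectionSummary","timestamp":"1679480160000"}}\n'
    '{"preview":false,"offset":2,"result":{"_raw":"{}","_time":"2023-03-22T10:17:00.000+00:00",'
    '"host":"cs-indexer","ComputerName":"EVILCOMPUTER",'
    '"event_simpleName":"DnsRequest","timestamp":"1679480220000"}}\n'
)


def search_windows(computer_name, start, end, hours=24):
    """Build one Event Search query per time window (per day by default; pass
    hours=8 when a day's export comes back at the result cap)."""
    queries = []
    cursor = start
    while cursor < end:
        window_end = min(cursor + timedelta(hours=hours), end)
        queries.append(
            f'ComputerName="{computer_name}" '
            f'earliest="{cursor.strftime(TIME_FMT)}" latest="{window_end.strftime(TIME_FMT)}"'
        )
        cursor = window_end
    return queries


def day_windows(computer_name, year, month, day, hours=24):
    """Windows covering one calendar day, the post's default search unit."""
    start = datetime(year, month, day)
    return search_windows(computer_name, start, start + timedelta(days=1), hours)


def split_events(export_text):
    """Emulate the LINE_BREAKER: return the bare JSON text of every result object."""
    matches = list(WRAPPER_RE.finditer(export_text))
    events = []
    for i, match in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(export_text)
        body = export_text[match.end():end].strip()
        if i + 1 == len(matches) and body.endswith("}"):
            # Nothing follows the last record to swallow the wrapper's closing brace.
            body = body[:-1].rstrip()
        events.append(body)
    return events


def rename_fields(event):
    """Move the keys that would clash with Splunk's own index-time fields aside."""
    return {RENAMES.get(key, key): value for key, value in event.items()}


def event_time(event):
    """Turn the CrowdStrike 'timestamp' field into an aware UTC datetime. Assumed:
    values above 10**11 are epoch milliseconds, smaller ones epoch seconds."""
    raw = int(float(event["timestamp"]))
    seconds, millis = divmod(raw, 1000) if raw > 10**11 else (raw, 0)
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(milliseconds=millis)


def convert_export(export_text):
    """Split, parse and rename every record of an export; one dict per event."""
    return [rename_fields(json.loads(body)) for body in split_events(export_text)]


def may_be_truncated(records, limit=RESULT_LIMIT):
    """True when the export holds as many records as the cap: the search probably
    did not return everything, so re-run it with a shorter window."""
    return len(records) >= limit


if __name__ == "__main__":
    for query in day_windows("EVILCOMPUTER", 2023, 3, 22, hours=8):
        print(query)
    records = convert_export(SAMPLE_EXPORT)
    print("truncated:", may_be_truncated(records))
    for record in records:
        print(event_time(record).isoformat(), record["ComputerName"], record["event_simpleName"])
```

Running <code>convert_export</code> over a real export before uploading is a cheap way to confirm that the breaker pattern leaves every record as valid JSON and that the field names you expect (ComputerName, event_simpleName, and so on) survive; <code>may_be_truncated</code> is the explicit check for the subtle “not all results returned” condition described in Step 1.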
<h2 id="step-4-import-the-json-into-splunk">Step 4: Import the JSON into Splunk</h2>
<p>Be aware that there is a 500MB limit on manually uploaded data. However, if you exported at most 50,000 records following my earlier instructions, you should have files that are at most 100MB of JSON.</p>
<p>Now that you have created the sourcetype, you can import your CrowdStrike JSON file.</p>
<ol>
<li>In Splunk, from the <em>Settings</em> menu, select the “Add Data” icon on the left hand side.</li>
<li>Select the “Upload” (files from my computer) icon</li>
<li>Choose “Select File” and upload your file.</li>
<li>Wait for the upload to finish</li>
<li>On the “Set Source Type” page, select “Network & Security > crowdstrike:result:json” from the drop-down</li>
<li>You should NOT see an orange exclamation mark, and the timestamps should be correctly extracted.</li>
<li>Each record SHOULD NOT start with <code class="language-plaintext highlighter-rouge">{"preview":</code> (our sourcetype is working if this is stripped out)</li>
<li>Select the “Next>” button at the top-right of the page</li>
<li>Select an index. I recommend using an index that does not expire data.</li>
<li>Select the “Next>” button</li>
<li>Select the “Submit>” button</li>
<li>Wait for the data to be imported</li>
</ol>
<h2 id="step-5-verify-the-events-in-splunk-are-correct">Step 5: Verify the events in Splunk are correct</h2>
<p>Your data is now loaded and you can search the index you stored it in for <em>sourcetype="crowdstrike:result:json"</em>.</p>
<p>A search like this should work now. You should be able to use the same fields you do in CrowdStrike Event Search.</p>
<p><code class="language-plaintext highlighter-rouge">index=crowdstrike sourcetype=crowdstrike:result:json
| table _time ComputerName event_simpleName CommandLine
</code></p>
<h2 id="step-6-optional-enrich-with-splunk-enterprise-security">Step 6: (Optional) Enrich with Splunk Enterprise Security</h2>
<p>So why would we want to do this again? One reason is to preserve the data in a Splunk index for more than the 7 days that CrowdStrike supports. Another reason is to enrich the data using Splunk Enterprise Security or your own add-ons. In Splunk Enterprise Security, I have asset and identity data as well as enrichments for Threat Intelligence and more.</p>
<p>So, I might look up how the ComputerName is categorized, or find out if the UserName is a VIP or on a watchlist due to risky behaviour observed in other apps.</p>
<p><code class="language-plaintext highlighter-rouge">index=crowdstrike sourcetype=crowdstrike:result:json UserName=*
| lookup identity_lookup_ identity as UserName
| table _time UserName event_simpleName managedBy CommandLine
</code></p>
<h1 id="detection-engineering-notes-update">Detection Engineering Notes Update</h1>
<p>Published 2023-03-19. https://cyberlibrarian.ca/blog/2023/03/19/detection-engineering-notes-update</p>
<p>I have created a page to track my notes as I develop a better understanding of Detection Engineering. I am doing my best to be a good librarian and curate authoritative references, frameworks, articles, books, courses, standards, and more. If you want to learn or improve your Detection Engineering practices, I hope this helps expedite your journey!</p>
<h3 id="what-is-detection-engineering">What is Detection Engineering?</h3>
<blockquote>
<p>Detection engineering is the process of identifying threats before they can do significant damage. Detection engineering is about creating a culture, as well as a process of developing, evolving, and tuning detections to defend against current threats. – CrowdStrike</p>
</blockquote>
<h2 id="my-detection-engineering-notes"><a href="/detection-engineering-notes">My Detection Engineering Notes</a></h2>
<p><a href="/detection-engineering-notes">Follow this link to my permanent notes page</a></p>
<h1 id="documentation-for-detection-engineering">Documentation for Detection Engineering</h1>
<p>Published 2023-03-19. https://cyberlibrarian.ca/blog/2023/03/19/documentation-for-detection-engineering</p>
<p>Did you know that the MITRE book <a href="https://www.mitre.org/news-insights/publication/11-strategies-world-class-cybersecurity-operations-center">11 Strategies of a World-Class Cybersecurity Operations Center</a> has appendices outlining the documentation framework needed for Security Operations? This includes Detection Engineering!</p>
<p>Last year, <a href="https://www.linkedin.com/in/deryck-bodnarchuk/">Deryck Bodnarchuk</a> and I made a pact to improve the documentation of our threat detection systems. This would include documenting an inventory of detection systems, how to access them, how they are configured, a maintenance schedule to keep them updated, procedures for that maintenance, detection rule logic and content, datasource documentation, and helpful search guides to help incident handlers use the systems better. Deryck worked on the systems side, I worked on the “detection content and datasource” side.</p>
<p>Deryck did a much better job than I did! His documentation was well structured and organized. Mine less so: I generated a lot of documents, but only a few stuck with a consistent layout, naming convention, or organization.</p>
<p>I was lacking a framework, and I knew that one must exist. Today, I found it (or close to it)!</p>
<p>I was re-reading the 2nd Edition of <a href="https://www.mitre.org/news-insights/publication/11-strategies-world-class-cybersecurity-operations-center">11 Strategies of a World-Class Cybersecurity Operations Center</a> looking for Detection Engineering practices. <em>Then it hit me</em>… I had been overlooking the appendices.</p>
<p>On Page 404, Appendix C.3, there is a table of documentation for “Engineering and System Administration”. It was reaffirming to see that it matches very closely what Deryck and I came up with on our own. I was delighted to see that it also fills in some of the gaps I was missing!</p>
<p>They don’t call this a “documentation framework” but they should. It only lacks some core processes needed to continuously create and maintain the documentation, and a metadata taxonomy, to make it a complete framework.</p>
<p>The key document types for SOC Engineering are:</p>
<ul>
<li>Monitoring Architecture</li>
<li>Internal Change Management Processes</li>
<li>Systems and Sensors Maintenance and Build Instructions</li>
<li>Operational, Functional, and Systems Requirements</li>
<li>Budget and current spending (capital and operational expenditures)</li>
<li>Unfunded Requirements</li>
<li>Sensor and SIEM Detections/Analytics/Content List(s)</li>
<li>SOC System Inventory</li>
<li>Network Diagrams</li>
</ul>
<p>Deryck, if you read this, your mind will be blown. As always, you knew the “best practices” before I could find the standard proving it.</p>
<h2 id="detection-engineering-notes"><a href="/detection-engineering-notes">Detection Engineering Notes</a></h2>
<p>I have put additional details in my <a href="/detection-engineering-notes">Detection Engineering Notes</a> page, along with commentary and my own experiences/practices. I’m working on a framework of DE tasks that would align with documented artifacts.</p>
<h1 id="investigating-dns-and-ip-addresses">Investigating DNS and IP Addresses</h1>
<p>Published 2023-03-18. https://cyberlibrarian.ca/blog/2023/03/18/investigating-dns-and-ip-addresses</p>
<p>In Security Operations we frequently have to investigate DNS and IP addresses to determine whether they are a known threat, or to attribute them to some activity or owner. This article contains a list of free, trial, or open-source resources for performing address analysis.</p>
<h2 id="note-2023-03-18">NOTE: 2023-03-18</h2>
<p>I’m publishing this early so Emily and others can get a list of resources. I will be making frequent updates over the next few weeks. Expect poor organization. Enjoy!</p>
<h2 id="hasnt-someone-else-written-a-better-guide">Hasn’t someone else written a better guide?</h2>
<p>Yes! Here is a cyberlibrarian curated list of guides to DNS and IP intelligence.</p>
<ul>
<li><a href="https://securitytrails.com/blog/domain-tools">Domain Tools: top DNS, IP and Domain utilities to investigate any website</a></li>
<li><a href="https://securityskeptic.typepad.com/the-security-skeptic/investigatingdnsabuse.html">Useful Resources for Investigating DNS Abuse/Misuse</a></li>
<li><a href="https://dnsdumpster.com/footprinting-reconnaissance/">DNS Dumpster > Get Started; Footprint and Reconnaissance</a></li>
</ul>
<h2 id="what-can-dns-and-ip-addresses-tell-us">What can DNS and IP Addresses tell us?</h2>
<p>When you are investigating a security event, you often want to know more about the DNS and IP addresses involved. For example:</p>
<ul>
<li>Your server received a brute-force password guessing attack on SSH and you know the IP address of the attacker.</li>
<li>A suspicious process was detected on an employee’s laptop and you have a list of all DNS requests that laptop has made.</li>
<li>You have discovered malware that was sent to a VIP and you want to know what that malware would have done. You extract a series of IP addresses and DNS names that were embedded in the malware.</li>
<li>An employee receives a phishing email containing a link to a website. You have the URL, which includes the DNS name of the server.</li>
<li>An employee clicked on an innocent-looking link, but was redirected multiple times before being directed to a fraudulent imposter site. You have the DNS names of all the redirect sites.</li>
</ul>
<p>In all of these cases you may want to assess whether the IP or DNS names represent a threat, or are simply “normal”. Frequently, you may want to attribute the threat to a known threat actor or campaign. Has anyone else ever seen that IP address or DNS name?</p>
<p>DNS and IP Address intelligence can tell us:</p>
<ul>
<li>if anyone has seen those addresses and if they have been associated with malicious or non-malicious activity.</li>
<li>who “owns” the address, and often whether there were recent changes to the address or its ownership.</li>
<li>if there are other addresses associated with the one you are interested in</li>
<li>the country or city associated with the address</li>
<li>the ISP that is hosting the systems the address represents</li>
<li>the abuse and reporting contacts for the address</li>
</ul>
<h2 id="passive-dns">Passive DNS</h2>
<p>Passive DNS refers to collections of historic DNS records. DNS can change frequently. Today www.cyberlibrarian.ca might be IP address 1.2.3.4, but tomorrow it might be an alias (CNAME) for evil.cybrarian.ca. Or it might even be deleted altogether.</p>
<p>Passive DNS will show us a history of all the changes to the DNS records.</p>
<p>Passive DNS can help us discover other DNS records for a domain we are investigating. For example, imagine you observed the DNS name “evil.cybrarian.ca” but want to know if there are other DNS names for “cybrarian.ca”. Passive DNS can tell you.</p>
<p>Most Passive DNS services are commercial and can be costly. However, there are free, trial, and open-source versions:</p>
<h3 id="passive-dns-free-trials">Passive DNS Free Trials</h3>
<p>I am grateful for these vendors who offer a “free tier”. How do you know if you need Passive DNS services? Being able to learn how to benefit from them with hands-on experience is a great form of marketing! Yes, they have limits, but for learners these are great.</p>
<ul>
<li><a href="https://community.riskiq.com/login">RiskIQ Community</a>
– RiskIQ has always had a free option that gives you limited access to their great dataset. You can get some history for IPs and DNS names, but it won’t go back that far. It’s quite useful even with the limits.</li>
<li><a href="https://www.domaintools.com/products/platform/iris-investigate/">Iris Investigate</a> from DomainTools
– DomainTools has other useful DNS intelligence offerings. Iris includes DNS intelligence and risk scoring. Is that IP evil? The risk score can tell you.</li>
<li><a href="https://securitytrails.com/">SecurityTrails</a>
– You get 50 queries per month for free. Historic DNS records, domain and IP data. Suitable for experiments, learning, and casual investigations.</li>
<li><a href="https://dnslytics.com/">DNSlytics</a>
– I have not reviewed this but it has a free (no account required) search, and an inexpensive monthly subscription.</li>
</ul>
<h3 id="free-dns-intelligence-tools">Free DNS Intelligence Tools</h3>
<ul>
<li><a href="https://dnsdumpster.com/">dnsdumpster</a></li>
</ul>
<h2 id="references">References</h2>
<ul>
<li><a href="https://securitytrails.com/blog/threat-hunting-using-passive-dns">How to Perform Threat Hunting with Passive DNS</a>
– A detailed set of instructions for using SecurityTrails API, with simple-to-execute CLI commands (curl) to get JSON data.</li>
</ul>
Do attackers really attack printers?2023-03-04T00:00:00+00:002023-03-04T00:00:00+00:00https://cyberlibrarian.ca/blog/2023/03/04/printer-honeypot-part1<p>Emily and Michael put a printer honeypot on the Internet to see who would attack it and how. It didn’t turn out as expected! Our honeypot experiment suggests exposed printers are not a target for cyber-attacks.</p>
<p><img src="/assets/images/printer-honeypots.png" alt="Graphic image of the title of this blog post" /></p>
<h2 id="background">Background</h2>
<p>Printers are a potential attack vector to get onto a network. Modern
printers support a wide variety of features and can include storing
documents on the printer, authenticating users, integrating with
Active Directory, and accessing network storage using stored credentials.
Further, many printers run on embedded operating systems and amount to
mini-servers.</p>
<p>When a printer is exposed to the Internet, those features pose a risk. An
attacker has an opportunity to remotely exploit any vulnerability that
might be present in the printer, whether due to a bug or a misconfiguration.</p>
<p>Periodically, concerns are published raising the alarm that printers may
be used as an attack vector. Yet real-world examples of publicly
disclosed attacks against printers are not common: they do occur, but do
not seem to match the rhetoric.</p>
<p>We were inspired by <a href="https://www.forbes.com/sites/leemathews/2020/08/31/800000-printers-vulnerable-28000-hacked/?sh=55722e5cd8a9">a CyberNews article explaining how journalists “hijacked 28,000 unsecured printers”</a>.
The authors of this article scanned common printer ports and used common
printer protocols. They identified 800,000 printers accessible over the
Internet and 28,000 that had security vulnerabilities. They notified
those at risk by printing <a href="https://cybernews.com/security/printer-security/">their own article on how to secure printers</a>.</p>
<p>While the CyberNews authors cited past incidents (<a href="https://www.bleepingcomputer.com/news/security/a-hacker-just-pwned-over-150-000-printers-left-exposed-online/">1</a>, <a href="https://www.forbes.com/sites/thomasbrewster/2018/12/03/a-hacker-forced-50000-printers-to-spread-pewdiepie-propagandaand-the-problem-is-much-bigger-than-you-know/?sh=278395083819">2</a>)
of mass hacking of printers, we noted that the impact of those incidents
was low: offensive text printed with no lasting or severe impact. Yet
worse is possible.</p>
<p>Do exposed printers <em>really</em> get attacked?</p>
<p>To answer this question, we decided to set up a honeypot and see how
often it was attacked and what attackers would choose to do.</p>
<p>This is part 1 of our experiment.</p>
<h2 id="methods">Methods</h2>
<p>The honeypot we used was created with <a href="https://github.com/sa7mon/miniprint">miniprint by Dan Salman</a>,
and we ran it for 36 days in our first attempt.</p>
<p>Miniprint behaves as if it were a vulnerable printer exposed on a public network.
Miniprint is written in Python and listens on port 9100 for TCP connections.
It simulates a printer responding to <a href="https://developers.hp.com/hp-printer-command-languages-pcl/doc/print-job-language-pjl#:~:text=jpg,remotely%20control%20Hewlett%2DPackard%20printers.">PJL commands</a>
sent over the raw network protocol printers use on that port.</p>
<p>It supports PJL commands that allow printing and directory traversal,
and has a fully functioning file system. These include:</p>
<ul>
<li>info status, which returns the status of the printer,</li>
<li>info id, which returns a numerical printer identification,</li>
<li>echo, which sends a specified message back to the host,</li>
<li>pjl_command,</li>
<li>fsdirlist, which provides a list of directories in the file system,</li>
<li>fsmkdir, which creates a directory,</li>
<li>fsquery, which allows traversal,</li>
<li>fsupload, which allows for upload of a file,</li>
<li>ustatusoff, which stops the host from receiving job messages,</li>
<li>and rdymsg, which formats the CMS ready message.</li>
</ul>
<p>Miniprint captures IPs, strings, and executed commands and logs them. If
someone attempts to print a document, miniprint will save a copy of the file
sent to the printer.</p>
<p>We created a Digital Ocean Droplet running Ubuntu Linux. Digital Ocean
gives us the opportunity to select the geography that we want to run our
host in, allowing us to check if some geographies are more likely to be
attacked than others.</p>
<p>Amsterdam was selected as a geographical location for our first honeypot.</p>
<p>We occasionally port scanned the honeypot to ensure smooth operation.</p>
<h2 id="results">Results</h2>
<p>Our results suggest that printers are a neglected attack vector.</p>
<p>We observed few PJL connections, and nothing significantly malicious.
Notably, no attempts were made to print anything with the honeypot.</p>
<p>During one month of running our honeypot we found very few connections
to our printer. Most connections were obvious scans for open proxies. Some
connections were attempting to connect to a CORBA service that also uses
port 9100 as its standard port.</p>
<p>Most of the connections were not PJL (not looking for a printer), and
the ones that were PJL typically just checked for the type of printer
or its status.</p>
<p>Did we see <em>attacks</em>, that is, any attempts at exploitation or abuse? Yes, but
they were insignificant. For example, we saw one attempt to change
the honeypot printer’s “Ready Message”: something for which there are
widely available scripts, including as part of Nmap.</p>
<h3 id="timeline-of-connections">Timeline of Connections</h3>
<p>The following table shows a timeline of all connections to our honeypot
along with date, attribution (IP, country, etc), request (truncated), and
our interpretation of what the adversary was attempting to do.</p>
<p><img src="/assets/images/2023-03-04_13-13-16.png" alt="Screenshot of Spreadsheet of Connections to miniprint honeypot" /></p>
<h3 id="selected-examples">Selected Examples</h3>
<p>These sections each show details of our observations for specific
selected examples. Many connections had similar or duplicate observables, and
we only show a single example in those cases.</p>
<h4 id="corba-giop-scans">CORBA GIOP Scans</h4>
<p>We observed TODO N connections that were clearly scanning for CORBA GIOP
services.</p>
<p>These scans use the General Inter-ORB Protocol (GIOP). It is used by object
request brokers to communicate on a network. We can’t decide conclusively
what the first string is for, but we have several guesses. Could this be
a NOP sled attempting exploitation of a GIOP service? We think another
possibility is more likely: the protocol may have required fields, and
the string may be filling those fields with null strings.
We don’t understand CORBA, so this is a mystery.</p>
<p>The following strings were captured by the honeypot:</p>
<p>b'GIOP\x01\x00\x00\x00\x00\x00\x00<\x00\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\x05\x01\x00\x00\x00\x00\x00\x00\x04INIT\x00\x00\x00\x04get\x00\x00\x00\x00\x00\x00\x00\x00\x0cNameService\x00'</p>
<h4 id="socks5-proxy-scans">SOCKS5 Proxy Scans</h4>
<p>Criminals are constantly looking for open proxies on the Internet. SOCKS proxies
are particularly popular. You can create them using SSH or other server software.
We observed TODO N scans looking for SOCKS5 proxies. They look like this:
\x05\x01\x00</p>
<h4 id="web-server-scans">Web Server Scans</h4>
<p>Many connections were connecting using HTTP. Perhaps they were attempting
to determine if our port was a web server. A typical example is:</p>
<p>GET / HTTP/1.1\r\nHost: 167.99.211.61:9100\r\nAccept: */*'</p>
<h4 id="pjl-scans">PJL Scans</h4>
<p>Captured PJL requests, followed by the responses the honeypot returned (a status query, a printer identification query, and the ready-message change mentioned above):</p>
<p>'@PJL INFO STATUS\r\nCODE= 10001\r\nDISPLAY="Ready"\r\nONLINE=True'</p>
<p>@PJL INFO ID\r\nhp LaserJet 4200\r\n\x1b</p>
<p>@PJL RDYMSG DISPLAY = "rdymsgarg"\r\n@PJL INFO STATUS
@PJL INFO STATUS\r\nCODE=10001\r\nDISPLAY="rdymsgarg"\r\nONLINE=True</p>
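<p>Sorting captured port 9100 payloads into the four buckets above (GIOP scan, SOCKS5 probe, HTTP probe, PJL) by hand gets tedious once a honeypot has run for weeks. The Python below is an added triage routine written for this post; it is not part of miniprint and does not send anything anywhere. The sample payloads are constructed to resemble the strings quoted in the previous sections, with the honeypot’s real IP replaced by a documentation address; the category names and the set of “state-changing” PJL verbs (taken from the miniprint command list above) are our own choices.</p>

```python
"""Triage of raw payloads captured on TCP/9100 by a printer honeypot."""
import re
from collections import Counter

# Constructed samples modelled on the strings quoted in this post; the HTTP Host
# uses a documentation address (192.0.2.10) instead of the honeypot's real IP.
SAMPLES = [
    b"GIOP\x01\x00\x00\x00\x00\x00\x00<\x00\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00\x02"
    b"\x00\x02\x00\x00\x00\x00\x00\x05\x01\x00\x00\x00\x00\x00\x00\x04INIT\x00\x00\x00\x04get"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x0cNameService\x00",
    b"\x05\x01\x00",
    b"GET / HTTP/1.1\r\nHost: 192.0.2.10:9100\r\nAccept: */*\r\n\r\n",
    b"\x1b%-12345X@PJL INFO STATUS\r\n",
    b"@PJL INFO ID\r\n",
    b'@PJL RDYMSG DISPLAY = "rdymsgarg"\r\n@PJL INFO STATUS\r\n',
    b"\x00\x00\x00\x00",
]

UEL = b"\x1b%-12345X"  # Universal Exit Language sequence that often precedes @PJL
PJL_CMD = re.compile(rb"@PJL[ \t]+([A-Z]+)(?:[ \t]+([A-Z]+))?")
HTTP_REQ = re.compile(rb"^(?:GET|HEAD|POST|PUT|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r?\n")
# PJL verbs from the miniprint list above that change printer state or its file
# system, as opposed to read-only queries such as INFO STATUS / INFO ID.
PJL_WRITE = {"RDYMSG", "FSUPLOAD", "FSMKDIR"}


def pjl_commands(payload: bytes) -> list:
    """Return the PJL verbs in a payload, e.g. ['RDYMSG', 'INFO STATUS']."""
    body = payload[len(UEL):] if payload.startswith(UEL) else payload
    cmds = []
    for m in PJL_CMD.finditer(body):
        verb = m.group(1).decode("ascii")
        # INFO takes a category (STATUS, ID, ...); keep it so the triage is specific.
        if verb == "INFO" and m.group(2):
            verb += " " + m.group(2).decode("ascii")
        cmds.append(verb)
    return cmds


def classify(payload: bytes) -> str:
    """Label one captured payload with the kind of probe it most likely is."""
    if payload.startswith(b"GIOP"):
        return "corba-giop-scan"
    # SOCKS5 client greeting: version 0x05, method count, then that many methods.
    if len(payload) >= 3 and payload[0] == 0x05 and payload[1] == len(payload) - 2:
        return "socks5-proxy-scan"
    if HTTP_REQ.match(payload):
        return "http-probe"
    cmds = pjl_commands(payload)
    if cmds:
        return "pjl:" + ",".join(cmds)
    return "unknown"


def is_state_change(payload: bytes) -> bool:
    """True when any PJL verb in the payload writes to the printer (worth a closer look)."""
    return any(c.split()[0] in PJL_WRITE for c in pjl_commands(payload))


def summarize(payloads) -> Counter:
    """Count payloads per top-level category, the shape of the Results section above."""
    return Counter(classify(p).split(":")[0] for p in payloads)


if __name__ == "__main__":
    for p in SAMPLES:
        print(classify(p), "(state change)" if is_state_change(p) else "")
    print(summarize(SAMPLES))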
<h2 id="discussion">Discussion</h2>
<p>The IP addresses gathered were searched using VirusTotal and reverse DNS lookup.
Locations logged include: Amsterdam, Haug, St. Petersburg, Hanoi, and Hong Kong.
Most of the IP addresses we observed were from data centers, <em>none</em> from
ranges we could associate with home networks, cable modems, or retail/home
Internet service providers.</p>
<p>If miniprint had been a real printer, an attacker would have been completely
capable of printing an uploaded file. At its most juvenile, an attacker
could use a print job to deplete ink and paper as well as carry out an
office prank.</p>
<p>Attackers could have attempted to list file names. Printed file names
can themselves reveal sensitive information about the contents of the
document being printed.</p>
<p>An attacker could have attempted exploitation of vulnerabilities in the
software listening on port 9100. Some printers have vulnerabilities.
Presumably, when an attacker checks the ID of the printer and gets
the model of printer as a response, they have enough to narrow down
the exploits they might try. If successfully exploited on port 9100,
the attacker could use the printer to intercept data or for lateral movement.</p>
<p>We didn’t see any of those attacks.</p>
<h3 id="limitations">Limitations</h3>
<p>Miniprint was a good starting point, but we noticed that it would frequently
crash. There appear to be unhandled exceptions for some types of input. We
have not attempted to correct this bug but will attempt to auto-restart it
in our next phase of experiments.</p>
<p>During our first month of experiments, we simply checked every day or two
and restarted miniprint if it had crashed.</p>
<p>This left us with some gaps in our data collection, but we ran the experiment
for additional days (36 days instead of 30 days) to compensate.</p>
<h2 id="expansion">Expansion</h2>
<p>A next possible step would be to add other honeypots onto the network,
to capture lateral movement of an attacker.</p>
<p>Previous printer exploits have been documented, including critical level
vulnerabilities. An attacker may search for a specific vulnerable model
before launching an attack. Another possible setup would be to create
multiple honeypots, with a randomized list of different printers.</p>
<p>These could be commonly used printers or printers with critical level
exploits. Printer-specific results may be more likely.</p>
<p>An example of this would be CVE-2022-3942. This is a critical level
vulnerability that allows for remote cross site scripting. This is
caused by unknown processing php-sms/?p=request_quote in the sourceCodester
Sanitization Management System. Models affected include LaserJet Pro,
Pagewide Pro, OfficeJet, Enterprise, Large Format, and DeskJet.</p>
<h2 id="references">References</h2>
<ul>
<li>https://github.com/sa7mon/miniprint</li>
<li>https://cybernews.com/security/we-hacked-28000-unsecured-printers-to-raise-awareness-of-printer-security-issues/</li>
<li>https://nvd.nist.gov/vuln/detail/CVE-2022-3942</li>
<li>https://www.bleepingcomputer.com/news/security/hundreds-of-hp-printer-models-vulnerable-to-remote-code-execution/</li>
</ul>
Next Level Mentorship Part 22020-10-15T19:00:00+00:002020-10-15T19:00:00+00:00https://cyberlibrarian.ca/moro%20and%20mike/2020/10/15/Next-Level-Mentorship-Part-2<p>Moro & Mike will be joined by <a href="https://www.linkedin.com/in/kristin-mcveigh-5267284a/">Kristin McVeigh</a>, IABC Calgary Co-Director for Mentorship Career Services (<a href="http://iabccalgary.com/">International Association of Business Communicators, Calgary Chapter</a>).</p>
<p>This is Part 2 in our series on mentorship.</p>
<p>Cybersecurity lacks the same tradition of mentorship found in other established professions. What can we do to take mentorship to the next level?</p>
<p>Kristin comes from a professional society that has an established program for encouraging mentorship and matching mentors and mentees. I love it when we bring people from outside IT and cybersecurity in to show us how other professions do things. Join us as Kristin shares her perspective!</p>
<p><a href="https://youtu.be/xs4RUSvDIRQ" title="Next Level Mentorship Part 2"><img src="/assets/images/2020-10-15.png" alt="thumbnail for Next Level Mentorship Part 2 youtube video" /></a></p>
<h1 id="references">References</h1>
</p>
Threat Intelligence Oct 20202020-10-01T19:00:00+00:002020-10-01T19:00:00+00:00https://cyberlibrarian.ca/moro%20and%20mike/2020/10/01/threat-intelligence-oct-2020<p>Cybersecurity Analysts Alec and Chris are back to present some of the latest cyber-threats and discuss cybersecurity news for October 2020.</p>
<p>Join us for a LIVE discussion and Q&A at the end. We will be discussing numerous aspects of the Twitter Hack and taking your questions.</p>
<p>As usual, we thought we knew what the big story was… and then it got real. Zerologon? That’s bad right… well then hackers started killing people. :-/</p>
</p>
Next Level Mentorship2020-08-20T19:00:00+00:002020-08-20T19:00:00+00:00https://cyberlibrarian.ca/moro%20and%20mike/2020/08/20/Next-Level-Mentorship<p>Moro & Mike will be joined by <a href="https://www.linkedin.com/in/pattiblackstaffe/">Patti Blackstaffe C.P.C, (she/her/hers)</a> to discuss mentorship.</p>
<p><em>LIVE on Thu Aug 20, 2020 at 7 PM MDT</em></p>
<p>Cybersecurity lacks the same tradition of mentorship found in other established professions. What can we do to take mentorship to the next level?</p>
<p>Join as we learn from Patti’s experience, and take your LIVE questions.</p>
<p><a href="https://youtu.be/pNHP_uusl1g" title="Next Level Mentorship"><img src="/assets/images/2020-08-20.png" alt="thumbnail for Next Level Mentorship youtube video" /></a></p>
<h1 id="references">References</h1>
<p>Farber, S. [2009]. <a href="https://www.goodreads.com/book/show/6072142-greater-than-yourself">Greater Than Yourself</a>. <em>Crown Business</em>. <a href="https://www.goodreads.com/book/show/6072142-greater-than-yourself">https://www.goodreads.com/book/show/6072142-greater-than-yourself</a></p>
<p>Staff. [May 13, 2020]. <a href="https://blog.isc2.org/isc2_blog/2020/05/3-ways-to-find-a-cybersecurity-mentor.html">3 Ways to Find a Cybersecurity Mentor</a>. <em>ISC2 Blog</em>. <a href="https://blog.isc2.org/isc2_blog/2020/05/3-ways-to-find-a-cybersecurity-mentor.html">https://blog.isc2.org/isc2_blog/2020/05/3-ways-to-find-a-cybersecurity-mentor.html</a></p>
<p><a href="https://engage.isaca.org/vancouverchapter/mentorship7">ISACA Vancouver Chapter Mentorship Program</a>. <em>ISACA</em>. <a href="https://engage.isaca.org/vancouverchapter/mentorship7">https://engage.isaca.org/vancouverchapter/mentorship7</a></p>
<p>Greater than yourself
<a href="https://www.amazon.ca/dp/B001NLL4S2/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1">https://www.amazon.ca/dp/B001NLL4S2/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1</a></p>
<p>Sign up to keep abreast of the book launch
<a href="https://lp.constantcontactpages.com/su/YNA9l4w">https://lp.constantcontactpages.com/su/YNA9l4w</a></p>
<p>European Mentoring and Coaching Council EMCC Code of ethics
<a href="https://www.emccglobal.org/wp-content/uploads/sites/6/2018/01/4.pdf">https://www.emccglobal.org/wp-content/uploads/sites/6/2018/01/4.pdf</a></p>
<p>Other links that may be of interest:
<a href="https://www.youtube.com/channel/UCr53yxLJjTintGvccowj4LA">Keeping the Learning On (KTLOLearn)</a> Episodes, YouTube. Conversations on technology and humanity</p>
<p><a href="https://www.brighttalk.com/webcast/8855/399154?utm_campaign=viewing-history&utm_source=brighttalk-portal&utm_medium=web">Bright Talk Strategic Approach Webinar</a> free with login – learn strategy and a systematic lessons learned</p>
<p><a href="https://www.scopism.com/the-jigsaw-organization-putting-the-pieces-back-together/">The Jigsaw Organization Download</a> – Future Forward steps in a new complex world</p>
<h1 id="pattis-bio">Patti’s BIO</h1>
<p>Helping leaders balance technology and humanity, because our world and our businesses are not binary. 20 years in IT, working internationally on large infrastructure control systems and since 2008 helping companies adopt technology and lead change. Currently working with executive technology leaders in creating the kind of organization that takes balancing technology and humanity seriously. From leadership and governance to training and consulting on organizational structures that support technology meeting business strategy. Geek, artist, writer, and loves dancing.</p>
<h2 id="pattis-projects-and-companies">Patti’s Projects and Companies</h2>
<p><a href="https://strategicsense.com/">https://strategicsense.com/</a></p>
<p><a href="https://globalsway.com/">https://globalsway.com/</a></p>
<p><a href="https://www.youtube.com/channel/UCr53yxLJjTintGvccowj4LA/videos">https://www.youtube.com/channel/UCr53yxLJjTintGvccowj4LA/videos</a></p>
</p>
Futurism2020-08-13T19:00:00+00:002020-08-13T19:00:00+00:00https://cyberlibrarian.ca/moro%20and%20mike/2020/08/13/Futurism<p>In this livestream we are joined by Warren Lafountain to discuss Futurism and Futurist topics.</p>
<ul>
<li>Artificial Intelligence</li>
<li>CRISPR</li>
<li>Self-driving Cars</li>
<li>Blockchain</li>
</ul>
<p>Futurism is not about predicting the future: it is about reducing uncertainty by engaging in discussions about unpredictable outcomes. We all know that disruptive change will come, but how should we treat it? What value can be derived by speculating about the future? What methods can serve us well in reducing uncertainty?</p>
<p><a href="https://youtu.be/NPuBAQ395iw" title="Futurism"><img src="/assets/images/2020-08-13.png" alt="thumbnail for Futurism youtube video" /></a></p>
<h1 id="rule-1-forget-about-predictions">Rule 1: Forget about Predictions</h1>
<p>Rule #1 of Futures Thinking is forget about predictions. Futures Thinking is about reducing uncertainty, and building readiness for an uncertain future. By exploring our goals, desires, and beliefs about the future we can uncover patterns, recognize signals of disruption, and promote readiness.</p>
<h1 id="references">References</h1>
<h2 id="blockchain">Blockchain</h2>
<p><a href="http://graphics.reuters.com/TECHNOLOGY-BLOCKCHAIN/010070P11GN/index.html">http://graphics.reuters.com/TECHNOLOGY-BLOCKCHAIN/010070P11GN/index.html</a></p>
<h2 id="futurism-and-futures-thinking">Futurism and Futures Thinking</h2>
<p>Gorbis, M. [Mar 11, 2019]. <a href="https://er.educause.edu/articles/2019/3/five-principles-for-thinking-like-a-futurist">Five Principles for Thinking Like a Futurist</a>. <em>EDUCAUSE Review</em>. <a href="https://er.educause.edu/articles/2019/3/five-principles-for-thinking-like-a-futurist">https://er.educause.edu/articles/2019/3/five-principles-for-thinking-like-a-futurist</a></p>
<p><a href="https://www.goodreads.com/list/show/118684._Un_Ethical_Futures_Conference_Reading_List_2017">(Un)Ethical Futures Conference Reading List 2017</a></p>
<p><a href="https://www.goodreads.com/book/show/25823558-surfing-uncertainty">Surfing Uncertainty: Prediction, Action, and the Embodied Mind</a></p>
<p><a href="https://futurism.com/">Futurism.com</a> <a href="https://futurism.com/">https://futurism.com/</a></p>
<p>Webb, A. [Mar 11, 2020]. <a href="https://medium.com/swlh/how-futurists-cope-with-uncertainty-a4fbdff4b8c6">How Futurists Cope with Uncertainty</a>. <em>The Startup</em>. <a href="https://medium.com/swlh/how-futurists-cope-with-uncertainty-a4fbdff4b8c6">https://medium.com/swlh/how-futurists-cope-with-uncertainty-a4fbdff4b8c6</a></p>
<p>No Author. [Aug, 2019]. <a href="https://futuretodayinstitute.com/mu_uploads/2019/08/FTI_Axes.pdf">The Axes of Uncertainty</a>. <em>Future Today Institute</em>. <a href="https://futuretodayinstitute.com/mu_uploads/2019/08/FTI_Axes.pdf">https://futuretodayinstitute.com/mu_uploads/2019/08/FTI_Axes.pdf</a></p>
<h2 id="crispr">CRISPR</h2>
<p>Molteni, M., Huckins, G. [Aug 1, 2020]. <a href="https://www.wired.com/story/wired-guide-to-crispr/">The WIRED Guide to CRISPR</a>. <em>Wired Magazine</em>. <a href="https://www.wired.com/story/wired-guide-to-crispr/">https://www.wired.com/story/wired-guide-to-crispr/</a></p>
<p>No Author. [n.d.] <a href="https://www.broadinstitute.org/what-broad/areas-focus/project-spotlight/questions-and-answers-about-crispr">Questions and Answers about CRISPR</a>. <em>The Broad Institute</em>. <a href="https://www.broadinstitute.org/what-broad/areas-focus/project-spotlight/questions-and-answers-about-crispr">https://www.broadinstitute.org/what-broad/areas-focus/project-spotlight/questions-and-answers-about-crispr</a></p>
<p>Cohen, J. [n.d.] <a href="https://www.sciencemag.org/topic/crispr">CRISPR Articles</a>. <em>Science</em>. <a href="https://www.sciencemag.org/topic/crispr">https://www.sciencemag.org/topic/crispr</a></p>
<h2 id="machine-learning">Machine Learning</h2>
<p>Martin, S. [Sep 2, 2019]. <a href="https://towardsdatascience.com/top-7-machine-learning-methods-that-every-data-scientist-must-know-84f5e5352ae1">Top 7 Machine Learning Methods that Every Data Scientist Must Know</a>. <em>Towards Data Science</em>. <a href="https://towardsdatascience.com/top-7-machine-learning-methods-that-every-data-scientist-must-know-84f5e5352ae1">https://towardsdatascience.com/top-7-machine-learning-methods-that-every-data-scientist-must-know-84f5e5352ae1</a></p>
<p>Castanon, J. [May 1, 2019]. <a href="https://towardsdatascience.com/10-machine-learning-methods-that-every-data-scientist-should-know-3cc96e0eeee9">10 Machine Learning Methods that Every Data Scientist Should Know</a>. <em>Towards Data Science</em>. <a href="https://towardsdatascience.com/10-machine-learning-methods-that-every-data-scientist-should-know-3cc96e0eeee9">https://towardsdatascience.com/10-machine-learning-methods-that-every-data-scientist-should-know-3cc96e0eeee9</a></p>
<p>Kaggle. [n.d.]. <a href="https://www.kaggle.com/learn/intro-to-machine-learning">Intro to Machine Learning</a>. <em>Kaggle Website</em>. <a href="https://www.kaggle.com/learn/intro-to-machine-learning">https://www.kaggle.com/learn/intro-to-machine-learning</a></p>
<p>No Author. [n.d.]. <a href="https://www.educba.com/machine-learning-methods/">Introduction to Machine Learning Methods</a>. <em>EDUCBA Website</em>. <a href="https://www.educba.com/machine-learning-methods/">https://www.educba.com/machine-learning-methods/</a></p>
<p>Piper, K. [Aug 13, 2020]. <a href="https://www.vox.com/future-perfect/21355768/gpt-3-ai-openai-turing-test-language">GPT-3, explained: This new language AI is uncanny, funny - and a big deal</a>. <em>Vox</em>. <a href="https://www.vox.com/future-perfect/21355768/gpt-3-ai-openai-turing-test-language">https://www.vox.com/future-perfect/21355768/gpt-3-ai-openai-turing-test-language</a></p>
<h2 id="decision-intelligence--decision-science">Decision Intelligence / Decision Science</h2>
<p>Kozyrkov, C. [Mar 19, 2020]. <a href="https://towardsdatascience.com/introduction-to-decision-intelligence-5d147ddab767">What does uncertainty mean</a>. <em>Towards Data Science</em>. <a href="https://towardsdatascience.com/introduction-to-decision-intelligence-5d147ddab767">https://towardsdatascience.com/introduction-to-decision-intelligence-5d147ddab767</a></p>
<p>Kozyrkov, C. [Aug 2, 2019]. <a href="https://towardsdatascience.com/introduction-to-decision-intelligence-5d147ddab767">Introduction to Decision Intelligence</a>. <em>Towards Data Science</em>. <a href="https://towardsdatascience.com/introduction-to-decision-intelligence-5d147ddab767">https://towardsdatascience.com/introduction-to-decision-intelligence-5d147ddab767</a></p>
<p>Dowsett, C. [Jan 24, 2019]. <a href="https://towardsdatascience.com/data-science-vs-decision-science-8f8d53ce25da">Data Science vs Decision Science</a>. <em>Towards Data Science</em>. <a href="https://towardsdatascience.com/data-science-vs-decision-science-8f8d53ce25da">https://towardsdatascience.com/data-science-vs-decision-science-8f8d53ce25da</a></p>
<h2 id="nanotechnology">Nanotechnology</h2>
<p><a href="https://www.goodreads.com/book/show/1428029.Engines_of_Creation_2_0?from_search=true&from_srp=true&qid=BKir9uyKcB&rank=2">Engines of Creation 2.0: The Coming Era of Nanotechnology</a></p>
<p><a href="https://foresight.org/">The Foresight Institute</a> <a href="https://foresight.org/">https://foresight.org/</a></p>
<h2 id="transhumanism">Transhumanism</h2>
<p><a href="https://www.goodreads.com/book/show/170465.Natural_Born_Cyborgs?ac=1&from_search=true&qid=A8kydc7yNu&rank=1">Natural-Born Cyborgs: Minds, Technologies, and the Future of Human Intelligence</a></p>
<p><a href="https://www.goodreads.com/book/show/291290.Being_There">Being There: Putting Brain, Body, and World Together Again</a></p>
</p>
Handling Rejection2020-08-06T19:00:00+00:002020-08-06T19:00:00+00:00https://cyberlibrarian.ca/moro%20and%20mike/2020/08/06/handling-rejection<p>In this livestream we are joined by <a href="https://www.linkedin.com/in/emilievincentyyc/">Emilie Vincent, RPR</a> to discuss how to deal with rejection both as a job seeker and as a hiring manager. Emilie is known for her deliberate and thoughtful approach to providing feedback to job candidates and for advising hiring managers on how to be more actively involved in the hiring process.</p>
<p>With advice and wisdom from Emilie, we will discuss the “behind the scenes” view of how strong candidates get rejected in favour of other strong candidates.</p>
<p>In <a href="https://business.linkedin.com/content/dam/business/talent-solutions/global/en_us/c/pdfs/global-talent-trends-report.pdf">a 2015 survey from LinkedIn Talent Solutions</a>, 95% of job candidates expect feedback, but only 41% get any, and 43% never hear anything at all after applying for a job. The experience of job seeking and hiring involves rejection. As a job seeker, you will experience feelings of rejection and often have to proceed with no feedback.</p>
<p>As a hiring manager, your behaviour can directly impact your future ability to hire. LinkedIn’s survey found that 66% of candidates developed negative feelings toward the hirer when there was no feedback.</p>
<p>Questions we will tackle:</p>
<ul>
<li>How can job seekers deal with feelings of rejection?</li>
<li>How can hiring managers provide meaningful feedback to job seekers?</li>
<li>What should you say when someone doesn’t get the job?</li>
<li>What can you say when someone doesn’t get the job?</li>
<li>“I thought I was perfect for that role. How did I not get it? Why won’t they tell me?”</li>
</ul>
<p>As always we will take your LIVE Questions and answer them!</p>
<p>Join us Thu Aug 6 at 7 PM MDT.</p>
<p><a href="https://youtu.be/Rdh0pXzout8" title="Handling Rejection"><img src="/assets/images/2020-08-06.png" alt="thumbnail for Handling Rejection youtube video" /></a></p>
<h2 id="references">References</h2>
<p>No Author. [2015]. <a href="https://business.linkedin.com/content/dam/business/talent-solutions/global/en_us/c/pdfs/global-talent-trends-report.pdf">2015 Talent Trends</a>. <em>LinkedIn Talent Solutions</em>. <a href="https://business.linkedin.com/content/dam/business/talent-solutions/global/en_us/c/pdfs/global-talent-trends-report.pdf">https://business.linkedin.com/content/dam/business/talent-solutions/global/en_us/c/pdfs/global-talent-trends-report.pdf</a></p>
<p>Heathfield, S. [Nov 7, 2019]. <a href="https://www.thebalancecareers.com/must-employers-tell-applicants-why-they-weren-t-hired-1919151">Employers Don’t Supply Feedback to Rejected Job Candidates</a>. <em>The Balance Careers Website</em>. <a href="https://www.thebalancecareers.com/must-employers-tell-applicants-why-they-weren-t-hired-1919151">https://www.thebalancecareers.com/must-employers-tell-applicants-why-they-weren-t-hired-1919151</a></p>
<p>Chawla, N., Gabriel, A., Veiga, S., and Slaughter, J. [Feb 20, 2019]. <a href="https://onlinelibrary.wiley.com/doi/abs/10.1111/peps.12320">Does feedback matter for job search self-regulation? It depends on feedback quality</a>. <em>Personnel Psychology</em>. <a href="https://onlinelibrary.wiley.com/doi/abs/10.1111/peps.12320">https://onlinelibrary.wiley.com/doi/abs/10.1111/peps.12320</a></p>
<p>Reeve, C. and Schultz, L. [Dec 15, 2004]. <a href="https://onlinelibrary.wiley.com/doi/abs/10.1111/j.0965-075X.2004.00289.x">Job-Seeker Reactions to Selection Process Information in Job Ads</a>. <em>International Journal of Selection and Assessment</em>. <a href="https://onlinelibrary.wiley.com/doi/abs/10.1111/j.0965-075X.2004.00289.x">https://onlinelibrary.wiley.com/doi/abs/10.1111/j.0965-075X.2004.00289.x</a></p>