Below you will find pages that utilize the taxonomy term “Linux”
September 26, 2022
Hardened CTI Environment
Purpose
Configure a hardened cyber threat intelligence (CTI) environment to reduce both the attack surface and the attributable information that could lead back to the researcher. The threat model covers security and privacy alike.
Virtualization Software Selection
VMware, Oracle VirtualBox, and QEMU are all options. VMware and VirtualBox favor ease of configuration, but many QEMU front-ends exist that simplify or automate its use. While most analysts will do the majority of their research from a guest VM on top of their host, some situations allow access to a private virtual private server (VPS) that provides separation from, or a proxy for, intelligence probing.
September 15, 2022
Auditing GNU/Linux with OSQuery
Intro
Many incident responders struggle with Linux because their exposure to it is limited: corporate environments rarely have user interaction within a Linux desktop environment (outside of the occasional sysadmin). This prevents analysts from "knowing normal", so the processes and activity quickly become an enigma. Attacks in these environments rarely have a delivery mechanism tailored towards users, such as maldocs attached to emails or staged on compromised or malicious sites. Most attacks instead originate from misconfigured or unpatched services that face the public web, commonly vulnerabilities in components of web applications or their plugins.
August 1, 2022
Plague Kernel
Intro
Most security researchers gloss over the monolithic kernel, which continually adds support for more architectures and rarely, if ever, purges support for legacy ones. That is unfortunate, but "it just works" is the argument made in its favor.
In the kernel space, usability trumps security. Linux security projects in particular should place more emphasis on the kernel, an emphasis that borders on fixation.
Kernel security has been largely ignored. The kernel contains whole classes of vulnerabilities, and the solutions are quick-fix patches that do not address the trend at large.
July 28, 2022
PlagueOS: Operating System of the Underground
Intro
There has been a lot of hype around the latest player in the operating system market. PlagueOS is designed as a security-centric distribution built on Void Linux. Currently, the market for secure computing is limited to Whonix, TAILS, Qubes, and now Plague.
Background
According to the main developer (arcanedev), Void Linux was selected primarily for its musl libc codebase and its use of the runit service manager by default.