Jon Hencinski
@jhencinski
Head of SecOps @ProphetSec
Virginia, USA
Joined September 2016
Posts
  • Pinned
    A good alert includes: - Detection context - Investigation/response context - Orchestration actions - Prevalence info - Environmental context (e.g., src IP is scanner) - Pivots/visual to understand what else happened - Able to answer, "Is host already under investigation?"
  • Six steps to #blueteam progress: 1. Open PS 2. wmic /node:localhost process call create "cmd.exe /c notepad" 3. winrs:localhost "cmd.exe /c calc" 4. schtasks /create /tn legit /sc daily /tr c:\users\<user>\appdata\legit.exe 5. Interrogate your SIEM and EDR 6. Review & improve
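The six steps above as one runnable PowerShell script: an added example, not code from the thread or from Expel. It generates the three test signals (steps 2 to 4) on a test host and then queries the host's own process-creation logs as a stand-in for step 5, printing a coverage table per technique. It assumes an elevated PowerShell session, WinRM enabled (needed for winrs), and either Sysmon (Event ID 1) or Security auditing of process creation with command line (Event ID 4688). The function names Get-ProcessCreateEvent and Test-DetectionCoverage are this example's own; `winrs -r:localhost` is the documented form of the winrs call from step 3.

```powershell
# Added example, not from the original thread. Runs the three execution techniques
# from the tweet on a TEST host and then checks the host's own process-creation logs
# for them, as a stand-in for "interrogate your SIEM and EDR".
# Assumptions: elevated PowerShell; WinRM enabled (for winrs); Sysmon (Event ID 1) or
# Security process-creation auditing with command line (Event ID 4688) is on.
# Get-ProcessCreateEvent and Test-DetectionCoverage are hypothetical helper names.

$since = (Get-Date).AddSeconds(-5)

# Steps 2-4 from the tweet. <user> resolves to the current profile. wmic is deprecated
# on recent Windows builds; if it is missing, Invoke-CimMethod Win32_Process/Create is
# the supported equivalent and lands in the same WmiPrvSE.exe -> cmd.exe telemetry.
wmic /node:localhost process call create "cmd.exe /c notepad"
winrs -r:localhost "cmd.exe /c calc"
schtasks /create /tn legit /sc daily /tr "$env:USERPROFILE\AppData\legit.exe" /f

Start-Sleep -Seconds 5   # give the event log writers a moment

function Get-ProcessCreateEvent {
    # Prefer Sysmon Event ID 1; fall back to Security 4688. Both are normalized to
    # Image / Parent / CommandLine so the coverage check is source-agnostic.
    param([datetime]$Since)
    $sources = @(
        @{ Log = 'Microsoft-Windows-Sysmon/Operational'; Id = 1;    Image = 'Image';          Parent = 'ParentImage' },
        @{ Log = 'Security';                             Id = 4688; Image = 'NewProcessName'; Parent = 'ParentProcessName' }
    )
    foreach ($s in $sources) {
        $events = Get-WinEvent -FilterHashtable @{ LogName = $s.Log; Id = $s.Id; StartTime = $Since } -ErrorAction SilentlyContinue
        if (-not $events) { continue }
        foreach ($e in $events) {
            # EventData is a list of <Data Name="..."> elements; flatten it to a hashtable.
            $data = @{}
            foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Source      = "$($s.Log) $($s.Id)"
                Image       = $data[$s.Image]
                Parent      = $data[$s.Parent]
                CommandLine = $data['CommandLine']
            }
        }
        return   # one usable source is enough
    }
}

function Test-DetectionCoverage {
    # Each technique leaves a distinctive parent -> child pair in process-creation logs.
    # Parent for the schtasks row is pwsh.exe when run under PowerShell 7.
    param([datetime]$Since)
    $expected = @(
        @{ Technique = 'WMI process create (wmic)';  Parent = 'WmiPrvSE.exe';    Child = 'cmd.exe' },
        @{ Technique = 'WinRM shell (winrs)';        Parent = 'wsmprovhost.exe'; Child = 'cmd.exe' },
        @{ Technique = 'Scheduled task (schtasks)';  Parent = 'powershell.exe';  Child = 'schtasks.exe' }
    )
    $events = @(Get-ProcessCreateEvent -Since $Since)
    foreach ($x in $expected) {
        $hit = $events | Where-Object {
            $_.Image -like "*\$($x.Child)" -and $_.Parent -like "*\$($x.Parent)"
        } | Select-Object -First 1
        [pscustomobject]@{
            Technique = $x.Technique
            Logged    = [bool]$hit
            Source    = if ($hit) { $hit.Source } else { '-' }
            Evidence  = if ($hit) { $hit.CommandLine } else { 'no process-create event: fix telemetry before writing the rule' }
        }
    }
}

# Step 5: what did the logs actually capture?
Test-DetectionCoverage -Since $since | Format-Table -AutoSize

# Step 6 housekeeping: remove the test task so it does not fire tomorrow.
schtasks /delete /tn legit /f
```

A row with `Logged = False` means the gap is in telemetry, not in the rule: no SIEM query will find a process-creation event that was never written. Once every row shows an event, the same parent-to-child pairs become the first detection candidates for the SIEM or EDR (they are far rarer on workstations than on servers, so tune per host role).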
  • In every #SOC analyst interview I’ll ask: I open my web browser, type a url and hit enter. In as much detail as possible, what happens? For visual learners (like me) here’s a great guide.
    What happens when you type in a URL in an Address bar in a browser h/t @manekinekko
  • Recent #redteam tactics from the front lines @expel_io: - .HTA for entry - BEACON for remote access - Domain front in Azure & Cloudfront - C#/.NET tradecraft ➡️Covenant - PowerUp to elevate - ProcDump, MIMIKATZ to grab creds - Bloodhound to enum - WMI, WinRm, RDP, SMB to move
  • NOT a #twitter hot take but a #mindmap for detection and response in #AWS from the team @expel_io How to interpret 🤔: - Based on #CloudTrail logs - ATT&CK cloud matrix technique - Mapped to AWS service(s) - Mapped to common API calls we've seen used by #redteam and attackers
  • NEW! #mindmap for detection and investigation in Google Cloud Platform (GCP). Grab a copy using the link below. We also break down the attacker tactics we see used most often in #GCP. expel.com/blog/mitre-att…
  • Recent pre-ransomware incident identified by our #SOC: - Initial access: Remote access using compromised credentials - Enumeration: AdvancedIPScanner, net commands - Lateral movement: PsExec, RDP, SMB - Defense Evasion: AmsiScanBuffer bypass, cleared Windows event logs -
  • Recently we chased a skilled red team in #AWS that: - bypassed MFA - intercepted user sessions w/ #Evilginx - deployed python-based backdoors on EC2 instances - located key creds on Redshift db - escalated privs via role assumptions More details here: expel.io/blog/evilginx-…
  • Great (free!) resources for #SOC analysts of all experience levels: Learn pcap analysis: malware-traffic-analysis.net TA tactics: cobaltstrike.com/training Malware RE 101: malwareunicorn.org/workshops/re10… AWS CTF: flaws.cloud SANS holiday hack challenges: sans.org/mlp/holiday-ha…
  • You’re *almost* done with your SOC analyst interview. You’re asked, “Do you have any questions for us?” Here’s a couple to consider if not covered as part of the interview process (hint: they should be). 1. A year from now, this person has come in and absolutely knocked it
  • Once a month we get in front of our exec/senior leadership team and talk about #SOC performance relative to our business goals (grow ARR, retain customers, improve gross margin). A 🧵on how we translate business objectives to SOC metrics.
  • A lot of #SOC burnout is due to bad ops mgmt. A #SOC can be a great place to work - but it requires highly effective mgmt. Next Tues (9/29) we'll release the 1st of a 3-part series to cover all things SOC efficiency & #leadership. Excited to share this with the community.
  • 1. Take care of the team 2. Study metrics 3. Set direction 4. Delegate 5. Influence 6. Build relationships 7. Listen *really* hard 8. Ask questions 9. Learn 10. Fail 11. Admit I don't know 12. Get out of the way 13. Give feedback 14. Coach 15. Give credit 16. Inspire
    If you work in an #infosec role: what does a typical day look like for you?
  • 20 tips for aspiring #SOC analysts. TL;DR - Candor, curiosity, passion for learning, humility, leading with empathy and being a good teammate can take you very far. 1. Candor is a strength, not a weakness. It’s OK to admit you don’t know. Learning what you don’t know is a gift,