Paul Vann

Tired of getting your reports marked as N/A or informational or Duplicate ? I come across many bug hunters who are fairly new into BBH like myself and they find it very frustrating to get almost all of their reports marked as either N/A, Informational or Duplicate. So I decided to share some of my personal tips on how I approached and addressed this problem early on. 1) To avoid getting N/A , informational: Whenever you come across a bug or a quirk / unintended behavior always ask yourself the question "What can an actual attacker do with this" or "What can an attacker achieve using this bug". If you have an answer to that then that's your potential impact of the bug. 2) Dealing with Duplicates: Duplicates hurts the most because you know the bug is valid but you weren't the first one to submit it. There's only one solution to this and that is to "Escalate, Escalate and Escalate". Whenever you come across a bug make sure to always Escalate it to its maximum impact, this way you'd drastically reduce the amount of duplicates you get and because you escalated a bug means that it's going to have a higher impact which means more $$$. One of the tools that I use to get escalation suggestion and calculate cvss is "cvssadvisor.com" developed by @bebiksior on ( X, twitter) These were some of the things I learned Bi idhnillah that helped me overcome those problems. I hope this is going to be helpful to people that are new into BBH or have some what experience but still struggling with those problems 😃 #bugbounty #bugbountytips

1

The biggest mistake I see MSPs make when trying to have the risk conversation with clients. (And it's not what you think) The risk discussion shouldn't start with risk: Huh? 🤔 ❌ You're at risk of breach ❌ You're at risk of losing revenue ❌ You're at risk of falling behind in your industry These all may be true... But they haven't happened yet. The business just doesn't care, sorry to say. These approaches bring up the client's shields. "No thanks, we'll take our chances." - they'll say to you. Right? A perpetual cycle of cleanup after the fact. Instead... Start with the positives. Show how your MSP service is ALREADY providing basic security foundations: ✅ Asset Management ✅ Patching/AV ✅ Backups Show where they would be without that. "𝗪𝗶𝘁𝗵𝗼𝘂𝘁 𝗼𝘂𝗿 𝗠𝗦𝗣 𝘀𝗲𝗿𝘃𝗶𝗰𝗲𝘀, 𝘆𝗼𝘂'𝗱 𝗯𝗲 𝗮𝘁 𝗮𝗯𝗼𝘂𝘁 𝟵𝟬% 𝗿𝗶𝘀𝗸. 𝗖𝘂𝗿𝗿𝗲𝗻𝘁𝗹𝘆, 𝘆𝗼𝘂'𝗿𝗲 𝗮𝘁 𝟳𝟬%" You're showing them you're on their side. You're also effectively neutralizing the "we thought you did this for us already" comment. Now you can say: 'We see clients in your range at risk for a cyber breach - here are the services we use to prevent that." Feel the difference? You literally said the same thing, but... Instead of an attack, it's a consultation. 🤯 TL;DR - Think rhetorically; play the long game; win as a trusted risk advisor for your clients. ------------------------------------------ 👋 Hi there; my name's Jesse. 🚀 I help MSPs crack the code for profitable vCISO services. ------------------------------------------

47

23 Comments

DFIR Triage Guide: When Every Second Matters! Triage isn't optional unless you like playing 'Guess what just crashed! During an active cyber incident, every minute counts. Triage helps quickly assess the data to identify potential leads, prioritize evidence, and allocate resources accordingly. It also helps identify the most critical systems and data to focus on, minimizing damage and preventing further compromise. Here are the key reasons why triage is critical: • Time Sensitivity • Resource Management • Containment and Mitigation • Evidence Preservation • Focused Investigation Here is an excellent article by Terryn Valikodath that explains Why Triage is Not Optional: https://lnkd.in/gYid_g8W Triage helps us act fast, but data analysis ensures we act right! Discover over 10 essential data analysis techniques for effective threat hunting in my "Cyber Threat Hunt 101" YouTube series, explained simply: https://lnkd.in/gkVB6B2j Please share and subscribe if you enjoy the content! #cybersecurity #threathunting #threatdetection #blueteam #soc #socanalyst #skillsdevelopment #careergrowth #IR #DataAnalysis #IncidentResponse

73

20 Comments

There are many charts out there depicting the rapid growth in published vulnerabilities (CVEs) over the years. But far fewer of them trend the number or proportion of vulnerabilities with known exploitation in the wild. Here's one from the upcoming #EPSS study that gives both. The left chart in the figure below shows steady growth in the number of vulnerabilities with known exploitation in the wild. Keep in mind that this doesn’t mean that ~14,000 vulnerabilities are actively being exploited right now. It shows that we know of ~14,000 CVEs that have, at some point in their history, been reported as exploited by primary sources. While the total number keeps rising, the right chart shows that the proportion of published CVEs known to be exploited remains fairly steady, fluctuating around the 6% mark. The apparent decline over the last few years isn’t so much a decline as it is a delay. The majority of vulnerabilities aren’t immediately exploited when initially published. It can take time for attackers to discover them, develop exploits, and for defenders to detect exploitation activity. Monitoring these precursors of exploitation via its many data contributors is what drives updates to EPSS scores on a daily basis. Looking forward to sharing this one with you. Sign up here to receive notification when this and other Cyentia Institute research pubs: https://lnkd.in/ez-zWpUW #vulnerabilitymanagement #cybersecurity #infosecurity #cyberattacks

96

9 Comments

"The National Vulnerability Database is broken, and there isn't an easy fix." This is another canary in the coalmine visual. There are currently 10190 CVE's awaiting analysis (as of 8:53 am EST on 5/14/2024). Last month alone 3704 were received for analysis, 223 were analyzed (~6%). That's a significant backlog.. We don't know what we won't know for a considerable amount of time... That's concerning... https://lnkd.in/e5DCVwvr https://lnkd.in/eSBJEHg4 #penetrationtesting #vulnerabilitymanagement #infosc #cybersecurity #riskmanagement #resiliency #resilience #compliance #healthcare #HITRUST #HIPAA #criticalinfrastructure #risktolerance #NVD

2