https://briandeitch.com Security insights, Zero Trust deep dives, and unfiltered takes. en-us briandeitch@gmail.com (Brian Deitch) briandeitch@gmail.com (Brian Deitch) Mon, 25 May 2026 00:00:00 GMT https://briandeitch.com/blog/nobody-reads-blog-posts-anymore/ https://briandeitch.com/blog/nobody-reads-blog-posts-anymore/ Mon, 25 May 2026 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) Let's be honest, we're both surprised you made it this far. Uncategorized https://briandeitch.com/blog/wow-just-wow/ https://briandeitch.com/blog/wow-just-wow/ Wed, 20 Aug 2025 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) Caught in 4K: You ditched the keynote for this? Weak. Uncategorized https://briandeitch.com/blog/you-knew-better/ https://briandeitch.com/blog/you-knew-better/ Sun, 23 Mar 2025 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) Now imagine your users clicking that link. It could have been anything. Phishing, malware, ransomware, or a Zero Day. Uncategorized https://briandeitch.com/blog/what-are-you-doing-here/ https://briandeitch.com/blog/what-are-you-doing-here/ Wed, 09 Oct 2024 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) !(https://briandeitch.com/wp-content/uploads/2024/10/Pointing-Attitude-Request-2-1020x1024.jpeg) Uncategorized https://briandeitch.com/blog/podcast-blog-posts-change-my-mind/ https://briandeitch.com/blog/podcast-blog-posts-change-my-mind/ Tue, 16 Nov 2021 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) I know, I know, it's been a hot minute since I have posted. Instead of posting my random comments, you can just listen to me ramble on my Podcast. SSL/TLS Inspection https://briandeitch.com/blog/cracking-open-that-tls-connection/ https://briandeitch.com/blog/cracking-open-that-tls-connection/ Thu, 11 Jul 2019 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) Thanks to wikileaks(https://en.wikipedia.org/wiki/WikiLeaks), HTTPS Everywhere(https://www.eff.org/https-everywhere), and Let's Encrypt(https://letsencrypt.org/), adoption of encryption (HTTPS) has skyrocketed in the past couple of years. According to the Google Transparency Report(https://transparencyreport.google.com/?hl=en), they are seeing as much as 90%+ adoption with traffic headed to google: SSL/TLS Decryption SSL/TLS Inspection https://briandeitch.com/blog/dns-flag-day-are-you-ready/ https://briandeitch.com/blog/dns-flag-day-are-you-ready/ Mon, 21 Jan 2019 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) You might asking yourself, what the heck is DNS Flag Day anyways? Before you go Google it yourself, let me break it down for you. On or around February 1st, 2019 major DNS service providers are going to start enforcing EDNS. Which DNS service providers you ask? DNS https://briandeitch.com/blog/tls-1-3-is-coming-in-hot/ https://briandeitch.com/blog/tls-1-3-is-coming-in-hot/ Fri, 16 Nov 2018 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) > Editor Note: In December 2021, Zscaler(wplinkplaceholder) rolled out full inspection of TLS 1.3 across all clouds. This was done transparently to all users and was enabled by default. We are talking 10 of millions of users and a cloud moving 2+ tbps with zero support tickets opened. That's just how they do it over there; inspect all traffic, stop the bad guys, and look good doing it. TLS 1.3(https://www.ietf.org/blog/tls13/) was finalized in April of 2018 with the promises of privacy, security, and performance and unlike its predecessors, adoption of this protocol might be coming in sooner than you think. In a post on reddit(https://www.reddit.com/r/paloaltonetworks/comments/9qqn2v/ifyourunssldecryptionupgradeto8148014or/), PAN indicates that Google Chrome will be implementing a strict TLS 1.3 in January of 2019: > ...using web browsers that implement strict TLS 1.3 compliance. We have been informed that Google Chrome is planning to implement strict TLS 1.3 compliance in their upcoming version 72. The stable build of Google Chrome version 72 may be available in January 2019... I have poked around looking for actual documentation from google, specifically around the wording "strict TLS 1.3 compliance" on the interwebs and haven't found anything. Why? There is a key difference between supporting TLS 1.3 and going strict TLS 1.3. The former means the client can still negotiate the connection and most likely if the client doesn't support TLS 1.3, the connection will be downgraded to TLS 1.2. The latter indicates that Chrome and Google based applications, such as gmail, will only work over TLS 1.3. The closest documentation(https://www.chromium.org/Home/tls13) that I was able to find that supports PANs claim was on The Chromium Project. The article makes no mention of strict TLS 1.3 or timelines but does mention this: > Gmail fails to load with ERRSSLVERSIONINTERFERENCE or ERRTLS13DOWNGRADEDETECTED. !(https://briandeitch.com/wp-content/uploads/2018/11/seeing.gif) SSL/TLS Decryption SSL/TLS Inspection https://briandeitch.com/blog/crypto-mining-and-ios/ https://briandeitch.com/blog/crypto-mining-and-ios/ Thu, 01 Nov 2018 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) While I can think of a hundred other things to do with my phone, crypto mining(https://en.wikipedia.org/wiki/Cryptocurrencymining) has never been one of them.  Which is why I was surprised to see  in June of this year(https://appleinsider.com/articles/18/06/11/apple-bans-cryptocurrency-mining-on-the-iphone-and-ipad), Apple banned crypto mining apps from the App Store.  Who knew crypto mining on iOS was even a thing? Crypto Mining SSL/TLS Inspection Zscaler https://briandeitch.com/blog/caught-on-tape-malware-distribution-techniques/ https://briandeitch.com/blog/caught-on-tape-malware-distribution-techniques/ Wed, 26 Sep 2018 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) If you haven't already done so, you should read the Verizon Data Breach Investigations Report that they publish annually. In the 2018 Verizon DBIR(https://www.verizonenterprise.com/resources/reports/rpDBIR2018Reportenxg.pdf), it is chock-full of good reading around the specifics of breaches in 2017 and provides an insight to the Who, How, Why, What, and When. In the report you can read about the internal threat actors down to how malware was distributed. In all, Verizon has dotted all the I's and crossed all of the T's and provided you visibility into 53,000 incidents and 2,216 confirmed breaches across all verticals in 2017. Historically I have used these reports to help educate myself and my customers on the threat landscape as well as leverage the information to help justify spend on security related products, tools, or services to help keep the enterprise safe. Malware SSL/TLS Inspection Verzion https://briandeitch.com/blog/executing-security-at-scale/ https://briandeitch.com/blog/executing-security-at-scale/ Mon, 19 Jun 2017 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) Raise your hand if you're using any or all of these technologies: Zscaler https://briandeitch.com/blog/bots-and-users-beware-googles-recaptcha-goes-invisible/ https://briandeitch.com/blog/bots-and-users-beware-googles-recaptcha-goes-invisible/ Sat, 18 Mar 2017 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) When CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)  first came out I think we can all agree that it was a giant pain in the ass but some times it was comical. L7 Web Application Security https://briandeitch.com/blog/cloudbleed-guess-what-there-was-0-day-protection-for-this-type-of-vulnerability/ https://briandeitch.com/blog/cloudbleed-guess-what-there-was-0-day-protection-for-this-type-of-vulnerability/ Fri, 24 Feb 2017 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) If you aren't familiar with CloudBleed, take a moment to read the following articles to get an understanding how it was found, what happened, and what PII/PCI data was (possibly) leaked: Account Takeover Protection Anti-Fraud L7 Web Application Security https://briandeitch.com/blog/counter-strike-mirai-with-f5-irules/ https://briandeitch.com/blog/counter-strike-mirai-with-f5-irules/ Wed, 02 Nov 2016 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) David Holmes(https://twitter.com/dholmesf5) from F5 is back with one bad-ass iRule to combat Mirai. After reviewing the source code(https://github.com/jgamblin/Mirai-Source-Code) for Mirai and a post by Scott Tenaglia(https://www.invincealabs.com/blog/2016/10/killing-mirai/) David put together an iRule to cause Mirai to do a bad memory move and crash. Check out his post here: > https://devcentral.f5.com/articles/mirai-strikeback-an-irule-to-kill-iot-bot-processes-from-your-f5-22644(https://devcentral.f5.com/articles/mirai-strikeback-an-irule-to-kill-iot-bot-processes-from-your-f5-22644) Lastly, the iRule in question: IoT iRules https://briandeitch.com/blog/stolen-credential-stuffing-protection/ https://briandeitch.com/blog/stolen-credential-stuffing-protection/ Tue, 16 Aug 2016 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) Before we can jump into Stolen Credential Stuffing protection (Account Takeover Protection) or mitigation we must first understand why this is an issue.  In 2015, there was 780 breaches along with 177 million user credentials (source(http://www.idtheftcenter.org/images/breach/ITRCBreachReport2015.pdf)). While not every data breach has an email and password associated, the fact of the matter remains that there are some. If I am a bad guy, I am banking on the average user to reuse the same email address and password across multiple sites. The cool part about being the bad guy in this scenario is, I don't have to be the l33t hack3r who breached your site. Often these data breaches are sold on the black markets or distributed thru various channels such as tor, pastebin, social media, torrents, etc. Moving forward in this scenario, let's say I was able to get my hands on the AshleyMadison data that is available out on torrents. I can dump the database into a text file and use the email addresses and passwords to see if they work on non AshleyMadison websites.  Next step, profile my victim. Account Takeover Protection Anti-Fraud Brute Force L7 Web Application Security https://briandeitch.com/blog/asm-proactive-bot-detection-selective-urls/ https://briandeitch.com/blog/asm-proactive-bot-detection-selective-urls/ Mon, 15 Aug 2016 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) I would love to say that all URLs are created equal but that is not always the case. The same could be said about applying a security policy. Sometimes the logic behind one URL needs to be completely different. With the power of ASM + iRules, we can kick that logic up a notch. DoS iRules L7 Web Application Security https://briandeitch.com/blog/irule-captcha-challenge-during-brute-force-attack/ https://briandeitch.com/blog/irule-captcha-challenge-during-brute-force-attack/ Sun, 12 Jun 2016 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) Brute force attacks(https://en.wikipedia.org/wiki/Brute-forceattack) can be painful especially if your application has no logic to help mitigate the attack. Since December of 2015 I have seen several brute force attacks that have traversed multiple business verticals. Brute Force DDoS iRules L7 Web Application Security https://briandeitch.com/blog/android-phones-spying-on-you/ https://briandeitch.com/blog/android-phones-spying-on-you/ Sun, 10 Apr 2016 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) !(https://briandeitch.com/wp-content/uploads/2016/04/silverpush-300x104.png) WTF-Security News https://briandeitch.com/blog/why-a-3gbps-dos-can-take-out-your-40gbps-ngfw-and-20gbps-internet-circuit/ https://briandeitch.com/blog/why-a-3gbps-dos-can-take-out-your-40gbps-ngfw-and-20gbps-internet-circuit/ Mon, 21 Mar 2016 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) Denial of Service (DoS Attack(https://en.wikipedia.org/wiki/Denial-of-serviceattack)) or Distributed Denial of Service (DDoS attack(https://en.wikipedia.org/wiki/Denial-of-serviceattack)) is still a hot topic in 2016 even though it was discovered in 1994 and began being seen in the wild in September of 1996(https://tools.ietf.org/html/rfc4987). There are many solutions that counter these attacks via on premise and off premise solutions. Let's expand on on-premise solutions. DDoS DoS L3/L4 Network Security https://briandeitch.com/blog/irule-insert-client-certificate-into-http-header/ https://briandeitch.com/blog/irule-insert-client-certificate-into-http-header/ Mon, 14 Mar 2016 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) This iRule should be used when the back end server requires to see the client certificate presented to a VIP where SSL is being terminated and client authentication is being enforced. This iRule will do the following: iRules https://briandeitch.com/blog/irule-101-ip-reputation-based-on-x-forwarded-for/ https://briandeitch.com/blog/irule-101-ip-reputation-based-on-x-forwarded-for/ Thu, 10 Mar 2016 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) Recently I had a customer that wanted to use the IP Reputation Database on the F5 WAF however the client IP address was being proxied by an upstream device. Luckily for us, the client IP address was being sent in the X-Forwaded-For(https://en.wikipedia.org/wiki/X-Forwarded-For) HTTP Header and we were able to hone in on that information and apply the IP Reputation logic via iRules(https://devcentral.f5.com/irules). iRules L7 Web Application Security https://briandeitch.com/blog/irules-dynamic-load-balancing-via-uri/ https://briandeitch.com/blog/irules-dynamic-load-balancing-via-uri/ Mon, 07 Mar 2016 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) The purpose of this iRule is to create a method of load balancing via the URI that is fully dynamic and never requires updating. Example: The URL https://briandeitch.com/gateway/ should be load balanced to the pool poolgateway The URL https://briandeitch.com/pictures/ should be load balanced to the pool poolpictures Here is the old iRule: iRules https://briandeitch.com/blog/rsac-2106-the-countdown-to-let-down/ https://briandeitch.com/blog/rsac-2106-the-countdown-to-let-down/ Sat, 05 Mar 2016 00:00:00 GMT briandeitch@gmail.com (Brian Deitch) !(https://briandeitch.com/wp-content/uploads/2016/03/image-300x300.png) Conferences