RedvsBlue - 2017
Poor Man’s Spy vs. Spy
Free and Open Source Tools and Methods to Detect Modern Attackers
About
• Can free and open source tools be used to monitor and defend against a cyber attack?
• Incident Response on a shoestring budget
• Standard disclaimer: one size does not fit all and your mileage may vary
Bio: Troy
• Incident Responder/Lead Analyst at NNS-HII
• Host/Network Forensics
• (H|N)IDS
• Malware Taste Tester
• IOC Hunter/Gatherer
• Purveyor of non-traditional thoughts
Bio: Derek
• Security Analyst at Black Hills Information Security
• Previous Blue Team, now mostly Red Team
• CitySec Meetup Organizer – TidewaterSec (Hampton, VA)
• Avid OWA enthusiast
Detection vs Prevention
• Prevention is ideal but detection is a must
• Preventive measures can be bypassed
• Preventive solutions potentially cost more money
• Many detective solutions can be done for “free”
• Detective solutions are essential in identifying the “full picture” of an incident
Value of Time
• Open source and free software is not cost free if you value your time
• Trade-offs between figuring it out yourself vs. the ability to call the vendor
• If you go with completely free and open source solutions, you may be on your own to figure it out and make it work
• But your security Kung Fu will get better because of this
Core Monitoring and IR Components
• Network Monitoring
• Host Based Monitoring (monitoring edge devices)
• Forensics at Scale (one analyst to many systems)
• Centralized Logging
• Log Correlation and alerting (SIEM)
Intelz
Cyber Kill Chain® (lockheedmartin.com/cyber)
Where are you in the Kill Chain?
IR Life Cycle
Network Monitoring
• Bro vs. Snort - apples and oranges
• Bro is network protocol decoding at scale
  o Forensic ground truth of what happens on the network
• Snort matches packets to signatures to detect potentially bad traffic
• They have different use cases – use the right tool for the job
Network Monitoring
• What about Full Packet Capture?
• Can be done with open source software
  o Moloch
  o Tcpdump and scripting
• Hardware and storage are a concern
  o Dedicated capture card
  o A saturated 1Gbps link will need ~6TB of storage per day
Host Based Monitoring
• With cloud and mobile, it is increasingly important to gain edge device visibility
• Sysmon is an easy win to deploy to Windows endpoints
  o Process creation with full command line
  o Hash of process
  o Network connections
  o File creation time changes
Sysmon
By default:
• Process create (with SHA1)
• Process terminate
• Driver loaded
• File creation time changed
• RawAccessRead
• CreateRemoteThread
• Sysmon service state changed
Sysmon
Process Create:
UtcTime: 2017-06-09 00:57:42.516
ProcessGuid: {3f6cf078-f286-5939-0000-001096ec2a00}
ProcessId: 3232
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell /HeLlo
CurrentDirectory: C:\Users\Bruce L. Roy
User: WIN-OK4HSK4QBPH\Bruce L. Roy
LogonGuid: {3f6cf078-30ec-5938-0000-002031df1000}
LogonId: 0x10df31
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D
ParentProcessGuid: {3f6cf078-f27b-5939-0000-001026e22a00}
ParentProcessId: 3364
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
Don’t Ignore Known Good
Process Create:
UtcTime: 2017-06-09 01:03:28.404
ProcessGuid: {3f6cf078-f3e0-5939-0000-0010eb2e2c00}
ProcessId: 3700
Image: C:\Users\Bruce L. Roy\AppData\Local\Temp\not_malware.exe
CommandLine: .\not_malware.exe
CurrentDirectory: c:\Users\Bruce L. Roy\AppData\Local\Temp
User: WIN-OK4HSK4QBPH\Bruce L. Roy
LogonGuid: {3f6cf078-30ec-5938-0000-002031df1000}
LogonId: 0x10df31
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D
ParentProcessGuid: {3f6cf078-f27b-5939-0000-001026e22a00}
ParentProcessId: 3364
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
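The not_malware.exe event above carries the same SHA1 as powershell.exe, which is exactly why known-good hashes must not be ignored. As an added example (not from the deck), the Python below parses Sysmon Process Create events in the key: value form the slides show, flags a known-good hash that turns up under a different image name, and decodes or flags encoded PowerShell command lines; the known-good table, the third sample event and its -enc payload are constructed for the demo.

```python
import base64
import re
from typing import Dict, List, Optional

# Known-good baseline, SHA1 -> expected image name. The hash is the one the
# slides show for powershell.exe in the lab; build yours from gold images.
KNOWN_GOOD_SHA1 = {"04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D": "powershell.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{20,})")
# A long base64-looking run anywhere in the command line also catches payloads
# that assemble the -ec flag at run time, as on the "Oops!" slide.
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")

# Constructed sample: the two events from the slides plus one -enc launch.
_ENCODED = base64.b64encode("Write-Output 'hi'".encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = """\
Process Create:
UtcTime: 2017-06-09 00:57:42.516
ProcessId: 3232
Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
CommandLine: powershell /HeLlo
Hashes: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D

Process Create:
UtcTime: 2017-06-09 01:03:28.404
ProcessId: 3700
Image: C:\\Users\\Bruce L. Roy\\AppData\\Local\\Temp\\not_malware.exe
CommandLine: .\\not_malware.exe
Hashes: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D

Process Create:
UtcTime: 2017-06-09 01:10:00.000
ProcessId: 3800
Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
""" + f"CommandLine: powershell.exe -w 1 -enc {_ENCODED}\n" + """\
Hashes: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the key: value text form of Sysmon events into one dict per event."""
    events: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if line.startswith("Process Create:"):
            current = {}
            events.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return events


def sha1_of(event: Dict[str, str]) -> Optional[str]:
    """Pull the SHA1 out of a 'Hashes: SHA1=...,MD5=...' field."""
    for part in event.get("Hashes", "").split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "SHA1" and value.strip():
            return value.strip().upper()
    return None


def image_name(event: Dict[str, str]) -> str:
    return event.get("Image", "").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE) if one is present."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_event(event: Dict[str, str]) -> List[str]:
    """Return the findings for one Process Create event (empty list if clean)."""
    findings = []
    expected = KNOWN_GOOD_SHA1.get(sha1_of(event) or "")
    actual = image_name(event)
    if expected and expected != actual:
        findings.append(f"renamed binary: {actual} has the known-good hash of {expected}")
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append(f"encoded PowerShell command decodes to: {decoded}")
    elif LONG_BASE64.search(cmdline):
        findings.append("long base64 run in command line (possible staged -ec payload)")
    return findings


if __name__ == "__main__":
    for ev in parse_events(SAMPLE_EVENTS):
        for finding in check_event(ev):
            print(f"{ev['UtcTime']} pid={ev['ProcessId']}: {finding}")
```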
Log Consolidation
• Centralize log collection from all edge devices and boundary devices
• Syslog client on Linux systems
• NXLog supports syslog shipping of Windows Event Logs
• Microsoft Windows Event Collector
• Boundary device syslog (Firewall, proxies, etc.)
SIEM for Free?
• Any DIY SIEM solution is going to be time and labor intensive
• Elasticsearch, Logstash, Kibana (ELK) / Elastic Stack
• Graylog
• If you have budget and have to choose where to spend, this may be the best place
• If you are not centralizing logs now, start simple
  o Consolidate device and endpoint logs into syslog with nxlog
Forensics at Scale
• Ability for IR and forensics staff to quickly and remotely acquire the necessary evidence to analyze an attack
• Can be difficult and time consuming to image RAM and disk evidence for every investigation
• F-Response (not free)
• Possible with PowerShell
• Google GRR
  o Incident Response Framework
Operation WannaBe
• Model a “real world” attack
• Phish > gain foothold > move lateral…
• Encrypted C2
• Exfil sensitive data
The Lab
• Win7 - 5x (4 x 64-bit, 1 x 32-bit)
• Win10
• Server 2012 (DC)
• Server 2012 (SQL-2012)
• Server 2008-R2 (fileshare)
• Ubuntu 16 (GRR Server)
• Ubuntu 16 (rsyslog)
• pfSense FW
• Bro
• Sysmon
• Nxlog
• GRR
• Deployment through GPO
The Attack
What Happened?
• Bro notice log: SSL invalid certificate with an apparently random Common Name of erpyja
What Happened?
• Internal IP address 192.168.2.171 made the connection to 162.243.44.94
• Bro connection log showed many connections to 162.243.44.94 on both TCP 443 and TCP 4444
What Happened?
• Sysmon on the suspect endpoint logged macro execution
• Base64 encoded PowerShell command: suspicious
• Invoice.xlsm opened just prior to the connection
• TCP 443 connections to 162.243.44.94 at a regular interval
What Happened?
• Subsequent net commands run on 192.168.2.171
  o net users /DOMAIN
  o net accounts /DOMAIN
• Abnormal number of consecutive LDAP requests to the Domain Controller
What Happened?
• Google GRR used to remotely retrieve the potentially malicious document
What Happened?
• Were there other systems that talked to 162.243.44.94?
• Sysmon log showed the SQL01 server, where all the company secrets are kept!
What Happened?
• Security Event log from SQL01 showed a successful remote login event from the infected system
• Corresponding connection from the infected system to SQL01 over TCP 445 in the Sysmon log
What Happened?
• Bro connection log showed an SSL connection from the SQL01 server to 162.243.44.94 with a large amount of bytes transferred
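The beaconing to 162.243.44.94 on TCP 443 at a regular interval and the large SQL01 upload were both read out of the Bro connection log. As an added example (not part of the deck), the Python below parses a Bro conn.log excerpt and flags both patterns: connection gaps too regular for a human, and an internal host that sent an unusually large byte count to one destination. The log excerpt, the SQL01 address 192.168.2.20, the benign address 203.0.113.10 and the thresholds are constructed assumptions.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed Bro conn.log excerpt (tab separated, same column layout Bro writes).
# 192.168.2.171 and 162.243.44.94 are the hosts from the slides; 192.168.2.20
# stands in for SQL01 and 203.0.113.10 for an ordinary web site.
_BASE_TS = 1496880000.0  # constructed epoch time


def _row(ts: float, src: str, sport: int, dst: str, dport: int,
         orig_bytes: int, resp_bytes: int) -> str:
    return "\t".join([f"{ts:.6f}", "CxConstructed", src, str(sport), dst, str(dport),
                      "tcp", "ssl", "0.5", str(orig_bytes), str(resp_bytes)])


SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09",
     "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
     "\tduration\torig_bytes\tresp_bytes"]
    # C2 check-ins: roughly every 60 s with a little jitter
    + [_row(_BASE_TS + 60 * i + (i % 3), "192.168.2.171", 49200 + i,
            "162.243.44.94", 443, 400, 1200) for i in range(12)]
    # ordinary browsing: irregular timing, modest upload
    + [_row(_BASE_TS + 13, "192.168.2.171", 49300, "203.0.113.10", 443, 2000, 50000),
       _row(_BASE_TS + 700, "192.168.2.171", 49301, "203.0.113.10", 443, 900, 30000),
       _row(_BASE_TS + 2000, "192.168.2.171", 49302, "203.0.113.10", 443, 1500, 80000)]
    # the SQL01 upload to the same C2 address
    + [_row(_BASE_TS + 900, "192.168.2.20", 50000, "162.243.44.94", 443, 48_000_000, 9000)]
)

Pair = Tuple[str, str, str]


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse Bro's TSV conn.log, taking column names from its #fields header."""
    fields: List[str] = []
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def _count(value: str) -> int:
    return int(value) if value not in ("-", "") else 0  # '-' is Bro's unset marker


def find_beacons(rows: List[Dict[str, str]], min_count: int = 5,
                 max_cv: float = 0.2) -> Dict[Pair, Dict[str, float]]:
    """Flag (src, dst, port) triples whose connection gaps are suspiciously regular.

    cv is the coefficient of variation of the gaps between consecutive
    connections; a small value means they fire on a timer, not by a person.
    """
    times: Dict[Pair, List[float]] = defaultdict(list)
    for r in rows:
        times[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    hits = {}
    for pair, ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits[pair] = {"count": len(ts), "mean_gap": round(mean, 1), "cv": round(cv, 3)}
    return hits


def find_large_uploads(rows: List[Dict[str, str]],
                       min_bytes: int = 10_000_000) -> Dict[Tuple[str, str], int]:
    """Sum bytes each source sent to each destination and flag large totals."""
    sent: Dict[Tuple[str, str], int] = defaultdict(int)
    for r in rows:
        sent[(r["id.orig_h"], r["id.resp_h"])] += _count(r["orig_bytes"])
    return {pair: n for pair, n in sent.items() if n >= min_bytes}


if __name__ == "__main__":
    conns = parse_conn_log(SAMPLE_CONN_LOG)
    for pair, info in find_beacons(conns).items():
        print("beacon", pair, info)
    for pair, n in find_large_uploads(conns).items():
        print("large upload", pair, n, "bytes")
```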
Oops!
Note how the fields after CommandLine are shifted: the very long command line has spilled into CurrentDirectory, and every field below it holds a value that belongs elsewhere.
Process Create:
UtcTime: 2017-06-09 00:54:24.907
ProcessGuid: {3f6cf078-f1c0-5939-0000-0010b6742900}
ProcessId: 3124
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -C "sv WaR -;sv Fss ec;sv nMNx ((gv WaR).value.toString()+(gv Fss).value.toString());powershell (gv nMNx).value.toString() ('JAB0AGgARQAgAD0AIAAnACQAQgBYAG8ARgAgAD0AIAAnACcAWwBEAGwAbABJA…
CurrentDirectory: IA'+'AkAGUAIgA7AH0A')"
User: C:\Users\Bruce L. Roy\Documents
LogonGuid: {00490057-004e-002d-4f00-4b0034004800}
LogonId: 0x510034004b0053
TerminalSessionId: 5242946
IntegrityLevel: HBruce L. Roy
Hashes: x㽬レ夸
ParentProcessGuid: {df312000-0010-df31-1000-000000000100}
ParentProcessId: 5046272
ParentImage: edium
ParentCommandLine: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48
Volatility ftw
Offset(V)  Name              PID   PPID  Thds  Hnds  Sess  Wow64  Start                Exit
---------- ----------------- ----- ----- ----- ----- ----- ------ -------------------- --------------------
Volatile Systems Volatility Framework 2.2
0x85ebc770 powershell.exe     3912  1680     9   229     1      0  2017-06-07 10:56:57
0x844e5030 powershell.exe     1560  3912     9   235     1      0  2017-06-07 10:56:59
0x84483850 powershell.exe     1240  1560    16   465     1      0  2017-06-07 10:56:59
root@SIFT-Workstation:/mnt/hgfs/mal/2017-06-07_wannaBe# vol.py pslist -f Windows\ 7-860dc55b.vmem --profile=Win7SP1x86 | grep 1680
Volatile Systems Volatility Framework 2.2
0x84c08638 EXCEL.EXE          1680  2600    22   663     1      0  2017-06-07 10:56:42
0x85ebc770 powershell.exe     3912  1680     9   229     1      0  2017-06-07 10:56:57
==
root@SIFT-Workstation:/mnt/hgfs/mal/2017-06-07_wannaBe# vol.py pslist -f Windows\ 7-860dc55b.vmem --profile=Win7SP1x86 | grep 2600
Volatile Systems Volatility Framework 2.2
0x8563b518 explorer.exe       2600  2568    31   869     1      0  2017-02-27 15:58:36
0x84c08638 EXCEL.EXE          1680  2600    22   663     1      0  2017-06-07 10:56:42
==
root@SIFT-Workstation:/mnt/hgfs/mal/2017-06-07_wannaBe# vol.py pslist -f Windows\ 7-860dc55b.vmem --profile=Win7SP1x86 | grep 3912
Volatile Systems Volatility Framework 2.2
0x85ebc770 powershell.exe     3912  1680     9   229     1      0  2017-06-07 10:56:57
0x844e5030 powershell.exe     1560  3912     9   235     1      0  2017-06-07 10:56:59
root@SIFT-Workstation:/mnt/hgfs/mal/2017-06-07_wannaBe# vol.py pslist -f Windows\ 7-860dc55b.vmem --profile=Win7SP1x86 | grep 1560
Volatile Systems Volatility Framework 2.2
0x844e5030 powershell.exe     1560  3912     9   235     1      0  2017-06-07 10:56:59
0x84483850 powershell.exe     1240  1560    16   465     1      0  2017-06-07 10:56:59
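The grep chain above walks PPIDs by hand from the powershell.exe processes back to EXCEL.EXE and explorer.exe. As an added example (not from the deck or the Volatility project), the Python below parses pslist output into a process map, rebuilds that ancestry automatically, and reports any shell or script host with an Office application among its ancestors. The pslist text is assembled from the rows shown on the slide; the Office and shell name sets are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed pslist output, assembled from the rows the slide shows for the
# lab's infected Windows 7 memory image.
SAMPLE_PSLIST = """\
Volatile Systems Volatility Framework 2.2
 Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0x8563b518 explorer.exe           2600   2568     31      869      1      0 2017-02-27 15:58:36
0x84c08638 EXCEL.EXE              1680   2600     22      663      1      0 2017-06-07 10:56:42
0x85ebc770 powershell.exe         3912   1680      9      229      1      0 2017-06-07 10:56:57
0x844e5030 powershell.exe         1560   3912      9      235      1      0 2017-06-07 10:56:59
0x84483850 powershell.exe         1240   1560     16      465      1      0 2017-06-07 10:56:59
"""

# Assumed name sets: an Office parent spawning any of these is worth a look.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Process:
    offset: str
    name: str
    pid: int
    ppid: int
    start: str


def parse_pslist(text: str) -> Dict[int, Process]:
    """Parse pslist rows (the ones starting with a 0x offset) into a pid -> Process map."""
    procs: Dict[int, Process] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].startswith("0x"):
            continue  # banner, header and separator lines
        offset, name, pid, ppid = parts[0], parts[1], int(parts[2]), int(parts[3])
        start = f"{parts[8]} {parts[9]}"  # date and time columns
        procs[pid] = Process(offset, name, pid, ppid, start)
    return procs


def ancestry(procs: Dict[int, Process], pid: int) -> List[Process]:
    """Follow PPID links upward and return the chain root-first."""
    chain: List[Process] = []
    seen = set()
    while pid in procs and pid not in seen:  # 'seen' guards against PID-reuse loops
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    chain.reverse()
    return chain


def find_office_spawned_shells(procs: Dict[int, Process]) -> List[int]:
    """PIDs of shells / script hosts that have an Office application among their ancestors."""
    hits = []
    for pid, proc in procs.items():
        if proc.name.lower() not in SHELLS:
            continue
        ancestors = ancestry(procs, pid)[:-1]  # drop the process itself
        if any(p.name.lower() in OFFICE_APPS for p in ancestors):
            hits.append(pid)
    return sorted(hits)


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    for pid in find_office_spawned_shells(procs):
        print(" -> ".join(f"{p.name}({p.pid})" for p in ancestry(procs, pid)))
```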
What about prevention?
• What does not work? The same old advice: have these and you’re good:
  o Antivirus
  o Firewall
  o IDS
• Yes, these are necessary, but they are not enough
What about prevention?
• Configuration changes can be effective prevention
  o Strong password policy
    • 15 characters minimum for users
    • 27 for service and administrator accounts
  o 2FA on all external facing portals
  o Restrict administrative access
    • LAPS
    • Microsoft Tiered Architecture Approach
  o Restrict client-to-client communication
What about prevention?
• Windows 10 Enterprise features
  o Device Guard – attempts to prevent malicious code from ever running; only known good code can run
  o Credential Guard – hardening of key user and system secrets, attempted mitigation of credential based attacks
• Both use Virtual Secure Mode (VSM)
• Both require planning and deployment
Resources
• Network Monitoring
  o www.bro.org
  o snort.org
  o molo.ch
• Host Based Monitoring
  o Sysmon - technet.microsoft.com/en-us/sysinternals/bb545021.aspx
  o Sysmon Config: https://github.com/SwiftOnSecurity/sysmon-config
  o Nxlog: nxlog.co
• Live response at scale
  o Google GRR: https://github.com/google/grr
• Log Correlation
  o Elastic: https://www.elastic.co/
  o Graylog: https://www.graylog.org/
• Microsoft Environment Configuration
  o LAPS: https://www.microsoft.com/en-us/download/details.aspx?id=46899
  o AD Tiered Model: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
Conclusions
• Free and Open Source solutions can effectively be used for monitoring, detection, and live response
• Edge based host monitoring with centralized logging is a powerful combination
• Configuration changes are an important aspect of preventing compromise
Summary and Conclusions
• Derek Banks - @0xderuke
  o Black Hills Information Security
    • @BHInfoSecurity – http://www.blackhillsinfosec.com
• Troy Wojewoda - @wojeblaze
  o Newport News Shipbuilding - HII
• Questions?

[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

Poor mans spy vs spy using open source tools to detect attackers

10. Network Monitoring
• Bro vs. Snort - apples and oranges
• Bro is network protocol decoding at scale
  o Forensic ground truth of what happens on the network
• Snort matches packets to signatures to detect potentially bad traffic
• They have different use cases – use the right tool for the job
11. Network Monitoring
• What about Full Packet Capture?
• Can be done with open source software
  o Moloch
  o Tcpdump and scripting
• Hardware and storage are a concern
  o Dedicated capture card
  o A saturated 1Gbps link will need ~6TB of storage per day
12. Host Based Monitoring
• With cloud and mobile, it is increasingly important to gain edge device visibility
• Sysmon is an easy win to deploy to Windows endpoints
  o Process creation with full command line
  o Hash of process
  o Network connections
  o File creation time changes

13. Sysmon By Default:
• Process create (with SHA1)
• Process terminate
• Driver loaded
• File creation time changed
• RawAccessRead
• CreateRemoteThread
• Sysmon service state changed
14. Sysmon
Process Create:
UtcTime: 2017-06-09 00:57:42.516
ProcessGuid: {3f6cf078-f286-5939-0000-001096ec2a00}
ProcessId: 3232
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell /HeLlo
CurrentDirectory: C:\Users\Bruce L. Roy
User: WIN-OK4HSK4QBPH\Bruce L. Roy
LogonGuid: {3f6cf078-30ec-5938-0000-002031df1000}
LogonId: 0x10df31
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D
ParentProcessGuid: {3f6cf078-f27b-5939-0000-001026e22a00}
ParentProcessId: 3364
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
15. Don’t Ignore Known Good
Process Create:
UtcTime: 2017-06-09 01:03:28.404
ProcessGuid: {3f6cf078-f3e0-5939-0000-0010eb2e2c00}
ProcessId: 3700
Image: C:\Users\Bruce L. Roy\AppData\Local\Temp\not_malware.exe
CommandLine: .\not_malware.exe
CurrentDirectory: c:\Users\Bruce L. Roy\AppData\Local\Temp
User: WIN-OK4HSK4QBPH\Bruce L. Roy
LogonGuid: {3f6cf078-30ec-5938-0000-002031df1000}
LogonId: 0x10df31
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D
ParentProcessGuid: {3f6cf078-f27b-5939-0000-001026e22a00}
ParentProcessId: 3364
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
16. Log Consolidation
• Centralize log collection from all edge devices and boundary devices
• Syslog client on Linux systems
• NXLog supports syslog shipping of Windows Event Logs
• Microsoft Windows Event Collector
• Boundary device syslog (firewalls, proxies, etc.)

17. SIEM for Free?
• Any DIY SIEM solution is going to be time and labor intensive
• Elasticsearch, Logstash, Kibana (ELK) / Elastic Stack
• Graylog
• If you have budget and have to choose where to spend it, this may be the best place
• If you are not centralizing logs now, start simple
  o Consolidate device and endpoint logs into syslog with NXLog

18. Forensics at Scale
• Ability for IR and forensics staff to quickly and remotely acquire the evidence needed to analyze an attack
• Can be difficult and time consuming to image RAM and disk evidence for every investigation
• F-Response (not free)
• Possible with PowerShell
• Google GRR
  o Incident Response Framework

19. Operation WannaBe
• Model a “real world” attack
• Phish > gain foothold > move lateral…
• Encrypted C2
• Exfil sensitive data

20. The Lab
• Win7 x5 (4 x 64-bit, 1 x 32-bit)
• Win10
• Server 2012 (DC)
• Server 2012 (SQL 2012)
• Server 2008 R2 (file share)
• Ubuntu 16 (GRR server)
• Ubuntu 16 (rsyslog)
• pfSense FW
• Bro
• Sysmon
• NXLog
• GRR
• Deployment through GPO
22. What Happened?
• Bro notice log: SSL invalid certificate with an apparently random Common Name of erpyja

23. What Happened?
• Internal IP address 192.168.2.171 made the connection to 162.243.44.94
• Bro connection log showed many connections to 162.243.44.94 on both TCP 443 and TCP 4444

24. What Happened?
• Sysmon on the suspect endpoint logged macro execution
• Suspicious Base64-encoded PowerShell command
• Invoice.xlsm opened just prior to the connection
• TCP 443 connections to 162.243.44.94 at a regular interval

25. What Happened?
• Subsequent net commands run on 192.168.2.171
  o net users /DOMAIN
  o net accounts /DOMAIN
• Abnormal number of consecutive LDAP requests to the Domain Controller

26. What Happened?
• Google GRR used to remotely retrieve the potentially malicious document

27. What Happened?
• Were there other systems that talked to 162.243.44.94?
• Sysmon log showed the SQL01 server, where all the company secrets are kept!

28. What Happened?
• Security Event log from SQL01 showed a successful remote login event from the infected system
• Corresponding connection from the infected system to SQL01 over TCP 445 in the Sysmon log

29. What Happened?
• Bro connection log showed an SSL connection from the SQL01 server to 162.243.44.94 with a large number of bytes transferred
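Added example, not code from the deck: the Bro conn.log analysis behind slides 23, 24 and 29 in Python. It groups connections by source, destination and port, flags a triple whose connections recur at a regular interval (the TCP 443 beacon from 192.168.2.171) and a host that has sent an unusually large byte count to one destination (the SQL01 exfil). The conn.log rows are constructed to mimic the lab; SQL01's address 192.168.2.50 is an assumption, since the deck does not give it.

```python
import statistics
from collections import defaultdict

# Constructed Bro conn.log excerpt (tab-separated, with the #fields header Bro writes).
# Not the lab's capture: 192.168.2.171 beacons to 162.243.44.94:443 roughly every 60 s,
# 192.168.2.50 (assumed SQL01 address) pushes ~256 MiB out, 192.168.2.20 browses normally.
ROWS = [
    ("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "proto", "service", "orig_bytes", "resp_bytes"),
    (1496969862.0, "C1", "192.168.2.171", 49152, "162.243.44.94", 443, "tcp", "ssl", 1410, 2203),
    (1496969922.0, "C2", "192.168.2.171", 49153, "162.243.44.94", 443, "tcp", "ssl", 1410, 2180),
    (1496969983.0, "C3", "192.168.2.171", 49154, "162.243.44.94", 443, "tcp", "ssl", 1410, 2195),
    (1496970042.0, "C4", "192.168.2.171", 49155, "162.243.44.94", 443, "tcp", "ssl", 1410, 2201),
    (1496970103.0, "C5", "192.168.2.171", 49156, "162.243.44.94", 443, "tcp", "ssl", 1410, 2188),
    (1496970162.0, "C6", "192.168.2.171", 49157, "162.243.44.94", 443, "tcp", "ssl", 1410, 2190),
    (1496969870.0, "C7", "192.168.2.171", 49160, "162.243.44.94", 4444, "tcp", "-", 980, 4120),
    (1496970500.0, "C8", "192.168.2.50", 51000, "162.243.44.94", 443, "tcp", "ssl", 268435456, 9800),
    (1496969800.0, "C9", "192.168.2.20", 50000, "10.0.0.5", 443, "tcp", "ssl", 2300, 41000),
    (1496969807.0, "C10", "192.168.2.20", 50001, "10.0.0.5", 443, "tcp", "ssl", 1900, 38000),
    (1496969895.0, "C11", "192.168.2.20", 50002, "10.0.0.5", 443, "tcp", "ssl", 2100, 52000),
    (1496969900.0, "C12", "192.168.2.20", 50003, "10.0.0.5", 443, "tcp", "ssl", 1700, 30500),
    (1496970200.0, "C13", "192.168.2.20", 50004, "10.0.0.5", 443, "tcp", "ssl", 2050, 47000),
    (1496970202.0, "C14", "192.168.2.20", 50005, "10.0.0.5", 443, "tcp", "ssl", 1800, 22000),
]
CONN_LOG = "\n".join("\t".join(map(str, row)) for row in ROWS)


def parse_conn_log(text):
    """Parse conn.log text into dicts keyed by the names in the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def _key(row):
    return (row["id.orig_h"], row["id.resp_h"], int(row["id.resp_p"]))


def find_beacons(rows, min_conns=5, max_cv=0.1):
    """Triples with >= min_conns connections whose inter-arrival gaps are nearly
    constant (coefficient of variation <= max_cv). Returns (triple, mean gap, count)."""
    by_pair = defaultdict(list)
    for row in rows:
        by_pair[_key(row)].append(float(row["ts"]))
    beacons = []
    for key, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            beacons.append((key, round(mean, 1), len(stamps)))
    return beacons


def find_large_uploads(rows, threshold=50 * 1024 * 1024):
    """Triples where the internal host sent at least `threshold` bytes in total."""
    sent = defaultdict(int)
    for row in rows:
        if row["orig_bytes"] != "-":  # Bro writes '-' when the count is unknown
            sent[_key(row)] += int(row["orig_bytes"])
    return [(key, total) for key, total in sent.items() if total >= threshold]
```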
30. Oops!
Process Create:
UtcTime: 2017-06-09 00:54:24.907
ProcessGuid: {3f6cf078-f1c0-5939-0000-0010b6742900}
ProcessId: 3124
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -C "sv WaR -;sv Fss ec;sv nMNx ((gv WaR).value.toString()+(gv Fss).value.toString());powershell (gv nMNx).value.toString() ('JAB0AGgARQAgAD0AIAAnACQAQgBYAG8ARgAgAD0AIAAnACcAWwBEAGwAbABJA… IA'+'AkAGUAIgA7AH0A')"
CurrentDirectory: C:\Users\Bruce L. Roy\Documents
IntegrityLevel: Medium
Hashes: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48
[User, LogonGuid, LogonId, TerminalSessionId and the parent process fields are garbled in the slide export and not recoverable]
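Added example, not code from the deck: a small Python triage for Sysmon Process Create text events like the ones on slides 14, 15 and 30. It flags a known-good hash running under a different file name (the not_malware.exe case on slide 15) and decodes the base64 UTF-16LE blob that an encoded PowerShell launch carries (slides 24 and 30). The hash-to-name table is a constructed allowlist built from the SHA1 on slide 14, and the encoded-command event is constructed with a benign payload.

```python
import base64
import re
from typing import Dict, List

# Constructed known-good table (an assumption, not from the deck): the SHA1 on
# slide 14 mapped to the file name a binary with that hash should run under.
KNOWN_GOOD_SHA1 = {
    "04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D": "powershell.exe",
}
# Heuristic: a run of 40+ base64 characters in a command line is worth decoding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def parse_sysmon_event(text: str) -> Dict[str, str]:
    """Parse a Sysmon 'Process Create' text event (one 'Key: value' per line)."""
    fields: Dict[str, str] = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():  # skips the 'Process Create:' title line
            fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def sha1_of(event: Dict[str, str]) -> str:
    """Pull the SHA1 out of Sysmon's 'Hashes: SHA1=...,MD5=...' field."""
    for part in event.get("Hashes", "").split(","):
        algo, _, digest = part.partition("=")
        if algo.strip().upper() == "SHA1":
            return digest.strip().upper()
    return ""


def decode_encoded_command(cmdline: str):
    """Decode the longest base64 run as UTF-16LE (how -EncodedCommand is built).
    Returns None when there is no run or it does not decode cleanly."""
    runs = B64_RUN.findall(cmdline)
    if not runs:
        return None
    blob = max(runs, key=len)
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        return raw.decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: Dict[str, str]) -> List[str]:
    """Flag a known-good hash running under another name, and encoded PowerShell."""
    findings = []
    image = basename(event.get("Image", ""))
    expected = KNOWN_GOOD_SHA1.get(sha1_of(event))
    if expected and expected != image:
        findings.append(f"known-good {expected} running as {image}")
    decoded = decode_encoded_command(event.get("CommandLine", ""))
    if decoded is not None:
        findings.append(f"encoded PowerShell: {decoded}")
    return findings


# Abridged copies of the events on slides 14 and 15.
EVENT_SLIDE14 = r"""Process Create:
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell /HeLlo
Hashes: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D"""
EVENT_SLIDE15 = r"""Process Create:
Image: C:\Users\Bruce L. Roy\AppData\Local\Temp\not_malware.exe
CommandLine: .\not_malware.exe
Hashes: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D"""
# Constructed event with a benign -EncodedCommand, standing in for the macro launch on slide 24.
_PAYLOAD = base64.b64encode("Write-Output 'constructed test payload'".encode("utf-16le")).decode()
EVENT_ENCODED = (
    "Process Create:\n"
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
    f"CommandLine: powershell.exe -NoP -w 1 -EncodedCommand {_PAYLOAD}\n"
    "Hashes: SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D"
)
```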
31. Volatility ftw

Volatile Systems Volatility Framework 2.2
Offset(V)  Name            PID   PPID  Thds  Hnds  Sess  Wow64  Start                Exit
---------- --------------- ----- ----- ----- ----- ----- ------ -------------------- --------------------
0x85ebc770 powershell.exe  3912  1680  9     229   1     0      2017-06-07 10:56:57
0x844e5030 powershell.exe  1560  3912  9     235   1     0      2017-06-07 10:56:59
0x84483850 powershell.exe  1240  1560  16    465   1     0      2017-06-07 10:56:59

root@SIFT-Workstation:/mnt/hgfs/mal/2017-06-07_wannaBe# vol.py pslist -f Windows 7-860dc55b.vmem --profile=Win7SP1x86 | grep 1680
Volatile Systems Volatility Framework 2.2
0x84c08638 EXCEL.EXE       1680  2600  22    663   1     0      2017-06-07 10:56:42
0x85ebc770 powershell.exe  3912  1680  9     229   1     0      2017-06-07 10:56:57

root@SIFT-Workstation:/mnt/hgfs/mal/2017-06-07_wannaBe# vol.py pslist -f Windows 7-860dc55b.vmem --profile=Win7SP1x86 | grep 2600
Volatile Systems Volatility Framework 2.2
0x8563b518 explorer.exe    2600  2568  31    869   1     0      2017-02-27 15:58:36
0x84c08638 EXCEL.EXE       1680  2600  22    663   1     0      2017-06-07 10:56:42

root@SIFT-Workstation:/mnt/hgfs/mal/2017-06-07_wannaBe# vol.py pslist -f Windows 7-860dc55b.vmem --profile=Win7SP1x86 | grep 3912
Volatile Systems Volatility Framework 2.2
0x85ebc770 powershell.exe  3912  1680  9     229   1     0      2017-06-07 10:56:57
0x844e5030 powershell.exe  1560  3912  9     235   1     0      2017-06-07 10:56:59

root@SIFT-Workstation:/mnt/hgfs/mal/2017-06-07_wannaBe# vol.py pslist -f Windows 7-860dc55b.vmem --profile=Win7SP1x86 | grep 1560
Volatile Systems Volatility Framework 2.2
0x844e5030 powershell.exe  1560  3912  9     235   1     0      2017-06-07 10:56:59
0x84483850 powershell.exe  1240  1560  16    465   1     0      2017-06-07 10:56:59
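Added example, not code from the deck: the pslist grep chain above automated in Python. It parses the rows shown on the slide into PID/PPID links, walks each process's ancestry, and reports every process that descends from an Office application, so the explorer.exe > EXCEL.EXE > powershell.exe > powershell.exe > powershell.exe chain falls out in one pass instead of four greps.

```python
from typing import Dict, List, Tuple

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Rows as they appear on the slide (Offset, Name, PID, PPID, Thds, Hnds, Sess, Wow64,
# Start). explorer.exe's parent 2568 is not in the listing, so the walk stops there.
PSLIST = """
Volatile Systems Volatility Framework 2.2
0x8563b518 explorer.exe           2600   2568     31    869      1      0 2017-02-27 15:58:36
0x84c08638 EXCEL.EXE              1680   2600     22    663      1      0 2017-06-07 10:56:42
0x85ebc770 powershell.exe         3912   1680      9    229      1      0 2017-06-07 10:56:57
0x844e5030 powershell.exe         1560   3912      9    235      1      0 2017-06-07 10:56:59
0x84483850 powershell.exe         1240   1560     16    465      1      0 2017-06-07 10:56:59
"""


def parse_pslist(text: str) -> Dict[int, Tuple[str, int]]:
    """Map PID -> (name, PPID) from `vol.py pslist` rows; banner/header lines are skipped."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue
        procs[int(parts[2])] = (parts[1], int(parts[3]))
    return procs


def ancestry(procs: Dict[int, Tuple[str, int]], pid: int) -> List[str]:
    """Walk PPID links upward; returns ['name:pid', ...] from the process to the root."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)  # PID reuse can make a parent link point back down the tree
        name, ppid = procs[pid]
        chain.append(f"{name}:{pid}")
        pid = ppid
    return chain


def office_descendants(procs: Dict[int, Tuple[str, int]]) -> List[int]:
    """PIDs whose ancestry (excluding themselves) contains an Office application."""
    hits = []
    for pid in procs:
        parents = ancestry(procs, pid)[1:]
        if any(entry.split(":")[0].lower() in OFFICE for entry in parents):
            hits.append(pid)
    return sorted(hits)


if __name__ == "__main__":
    procs = parse_pslist(PSLIST)
    for pid in office_descendants(procs):
        print(" <- ".join(ancestry(procs, pid)))
```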
32. What about prevention?
• What does not work? The same old advice: have these and you’re good:
  o Antivirus
  o Firewall
  o IDS
• Yes, these are necessary, but they are not enough

33. What about prevention?
• Configuration changes can be effective prevention
  o Strong password policy
    • 15 characters minimum for users
    • 27 for service and administrator accounts
  o 2FA on all external facing portals
  o Restrict administrative access
    • LAPS
    • Microsoft Tiered Architecture Approach
  o Restrict client-to-client communication
34. What about prevention?
• Windows 10 Enterprise features
  o Device Guard – attempts to prevent malicious code from ever running; only known good code can run
  o Credential Guard – hardening of key user and system secrets, attempted mitigation of credential based attacks
• Both use Virtual Secure Mode (VSM)
• Both require planning and deployment
35. Resources
• Network Monitoring
  o www.bro.org
  o snort.org
  o molo.ch
• Host Based Monitoring
  o Sysmon - technet.microsoft.com/en-us/sysinternals/bb545021.aspx
  o Sysmon Config: https://github.com/SwiftOnSecurity/sysmon-config
  o NXLog: nxlog.co
• Live response at scale
  o Google GRR: https://github.com/google/grr
• Log Correlation
  o Elastic: https://www.elastic.co/
  o Graylog: https://www.graylog.org/
• Microsoft Environment Configuration
  o LAPS: https://www.microsoft.com/en-us/download/details.aspx?id=46899
  o AD Tiered Model: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
36. Conclusions
• Free and Open Source solutions can effectively be used for monitoring, detection, and live response
• Edge based host monitoring with centralized logging is a powerful combination
• Configuration changes are an important aspect of preventing compromise

37. Summary and Conclusions
• Derek Banks - @0xderuke
  o Black Hills Information Security
    • @BHInfoSecurity – http://www.blackhillsinfosec.com
• Troy Wojewoda - @wojeblaze
  o Newport News Shipbuilding - HII
• Questions?