
Blue Teamin' on a Budget [of zero]


Even though large breaches have hit headline news in years past, some companies are still on the fence about investing in cybersecurity. As a security practitioner (or jack of all trades) how can you be expected to cover your assets with zero budget? Thankfully, there are plenty of open-source tools out there that will allow you to secure your organization. Come join me as I discuss how you can track your network assets, perform vulnerability assessments, prevent attacks with intrusion prevention systems, and even deploy HIDS. We will also jump into finding sensitive data and PII in your network, as well as incident response tools and automation. All it costs is your time (and maybe a VM or two). You really can drastically improve the security posture of your network with little to no budget, and you’ll have fun doing it! OK, maybe it won’t be fun, but at least you’ll learn something, right?

Published in: Technology

  1. Blue-Teamin’ on a Budget [of Zero]
     Kyle Bubp, Principal Consultant
  2. Agenda
     • High-level overview of building a security program
     • Specific free & open-source tools to help at each step
     • Real-world experiences and fun stories
     • If you want down in the weeds, this isn’t it… so it’s cool if you wanna leave.
  3. kbubp@bsidescle ~ $ whoami
     • ex Dept. of Defense / FBI / Dept. of Energy
     • ex lead incident handler / vuln manager / firewall admin / jack of all trades for a Berkshire Hathaway company
     • ex ‘security practice lead’ for a VAR
     • current: founder of Savage Security, principal consultant
     • motorcycle enthusiast
     • hiking is fun
     • chillin’ in Knoxville, TN w/ my wife and 2 doggos
  4. Start with a solid foundation.
  5. Foundational Blueprints
     • NIST 800-53
     • NIST Cybersecurity Framework
     • NIST CSF Tool
     • CIS Critical Security Controls
  6. Document Everything
     A core documentation repository is critical.
     • For policy, procedure, how-tos, etc.: MediaWiki; Atlassian Confluence ($10 for up to 10 users)
     • Incident response ticketing/documentation: RTIR; The Hive
  7. NetDB
     • Uses ARP tables and MAC databases on your network gear
     • .ova available
     • Supports the following: Cisco, Palo Alto, JunOS, Aruba, Dell PowerConnect, HP ProCurve… and more!
  8. Other Network Mapping Techniques
     • nmap + ndiff/yandiff: not just for red teams. Export results, diff for changes. Alert if something changed.
     • Netdisco: uses SNMP to inventory your network devices
  9. Map your network
  10. What’s Goin’ On?
     • Facebook-developed osquery can give you all you need
     • Agents for macOS, Windows, Linux
     • Deploy across your enterprise w/ Chef, Puppet, or SCCM
     • Do fun things like search for IoCs (hashes, processes, etc.)
     • Pipe the data into Elastic Stack for visibility & searchability
  11. User Data Discovery
     Users are good at putting sensitive data on the network. Find it with OpenDLP.
  12. Go hard.
  13. Windows 10 - Out of the Box - CIS Compliance: 22%
  14. Secure Configuration
     • CIS Benchmarks / DISA STIGs
     • Configuration management, while not exciting, is important
     • Deploy configs across your enterprise using tools like GPO, Chef, or Puppet
     • Change management is also important
     • Use a git repo for tracking changes to your config scripts
  15. OpenVAS
     • Fork of Nessus
     • Still maintained
     • Default vuln scanner in AlienVault
     • Does a great job in comparison w/ commercial products
  16. OpenVAS Example
  17. Scan your Web Apps Too
     • Arachni Framework
     • OWASP ZAP (Zed Attack Proxy)
     • Nikto2 (more of a server config scanner)
     • PortSwigger Burp Suite (not free - $350)
     • For a comparison –
  18. In addition to fixing code…
     Build in some additional security on your web servers (also part of a secure configuration).
     • Fail2ban: Python-based IPS that runs off of Apache logs
     • ModSecurity: open-source WAF for Apache & IIS
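To show what "an IPS that runs off of Apache logs" actually does, here is the core ban decision in the style of Fail2ban (added example, not Fail2ban's own code): parse combined-format access-log lines, count failed requests per client IP, and flag any IP with `maxretry` failures inside a `findtime` window. The log lines are constructed sample data; the status codes treated as failures are an assumption of this example.

```python
"""Fail2ban-style ban decision over Apache combined-format access logs.
Added example, not Fail2ban's code; SAMPLE_LOG is constructed sample data."""
import re
from datetime import datetime, timedelta

# Combined log format: only client IP, timestamp and status code are captured.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2017:10:00:01 -0500] "POST /wp-login.php HTTP/1.1" 401 512
203.0.113.7 - - [10/Mar/2017:10:00:03 -0500] "POST /wp-login.php HTTP/1.1" 401 512
198.51.100.4 - - [10/Mar/2017:10:00:05 -0500] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2017:10:00:07 -0500] "POST /wp-login.php HTTP/1.1" 401 512
198.51.100.4 - - [10/Mar/2017:10:03:00 -0500] "GET /admin HTTP/1.1" 403 128
198.51.100.4 - - [10/Mar/2017:10:20:00 -0500] "GET /admin HTTP/1.1" 403 128
198.51.100.4 - - [10/Mar/2017:10:40:00 -0500] "GET /admin HTTP/1.1" 403 128
"""


def parse_line(line):
    """Return (ip, timestamp, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), int(status)


def ips_to_ban(log_text, maxretry=3, findtime=600, fail_codes=(401, 403)):
    """Sorted IPs that logged >= maxretry failures within any findtime-second window.
    Defaults mirror Fail2ban's maxretry/findtime idea; fail_codes is an assumption."""
    failures = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] not in fail_codes:
            continue
        failures.setdefault(parsed[0], []).append(parsed[1])
    window = timedelta(seconds=findtime)
    banned = set()
    for ip, times in failures.items():
        times.sort()
        # Sliding window: the i-th and (i+maxretry-1)-th failure must be close enough.
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned.add(ip)
                break
    return sorted(banned)
```

The second client fails three times but spread over 40 minutes, so it is not flagged with the 10-minute default; widening `findtime` to an hour flags both.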
  19. PATCH IT ALL (kinda)
  20. Patching Windows
  21. Patching Linux
  22. Logging and Monitoring
     • Central logging makes detection and analysis easier
     • Many options here, such as Windows Event Subscription, rsyslog
     • Can also pipe to one central location with dashboards, such as Elastic Stack
     • Good idea to include DNS logs
  23. Intrusion Detection/Prevention
  24. Network Based IDS
  25. CHEAP GIGABIT “TAP” - GS105E
  26. Host Based IDS
  27. Phishing Education
     • Phishing Frenzy
     • Social Engineering Toolkit (SET)
     • GoPhish
  28. Some Parting Thoughts...
     • Security requirements don’t change, regardless of budget. Build a strong foundation and branch out.
     • Stay curious and contribute to projects you like.
     • DOCUMENT EVERYTHING. You will get busy, and you will forget things. Build an internal wiki.
     • Don’t treat people like idiots. Your role is to educate them, not berate them.
  29. Kyle Bubp @kylebubp @savagesec