SlideShare a Scribd company logo

Oksana Safronova - Will you detect it or not? How to check if security team is ready before incident happens

NoNameCon
NoNameCon

Talk by Oksana Safronova at NoNameCon 2019. https://nonamecon.org https://cfp.nonamecon.org/nnc2019/talk/AXCDXU/ Before the real incident happens, security team must test their detection capabilities in different ways. An overview of MITRE ATT&CK Matrix, test environments and other friends of Blue Team. Obstacles, unexpected discoveries, lack of information, a flood of logs, new technologies - you will meet them all if you want to build an effective defense team. The talk will expend the next topics based on the experience we have: How to test the security team's detection and incident response processes Best practices for endpoint monitoring tools configuration Some problems, that defense team can encounter Additional resources that can help you detect threats

Software
1 of 23
Download to read offline
Will you detect it or not? How to check if security team is ready before incident happens
whoami SOC Analyst with Underdefense
Agenda Environments can be different, use cases can be different, scope can be different, but detection basically remains the same. Detection capabilities are based on: 1. Data sources 2. Toolset in use 3. Expertise Some general assumptions and observations about what can be done better in real-time monitoring.
Data Sources
What can it be? Nearly everything ● OS ● Cloud ● Network devices ● Web Servers ● IOT devices ...and many,many more
How the logs are formatted? Examples: ●XML ●syslog ●JSON ●custom formats
How the logs can be expended? Example: Windows Advanced logging
How the logs can be filtered? Example: IIS web server logging
How the logs are collected? Is the method fast/secure/reliable? Example: Windows logging protection
Toolset in use
● Adequate reporting timing Example: osquery data logging by intervals https://osquery.read thedocs.io/en/stable /
● Customise configurations Examples: https://github.com/Neo23x0/auditd https://github.com/SwiftOnSecurity/sysmon- config
● Secure & monitor your security & monitoring tools Example: Sysmon service configuration
Expertise
Analyse the known threats ● MITRE ATT&CK Matrix - reach number of use cases (https://attack.mitre.org/matrices/enterprise/)
● Reports about other security organisations/researchers detection testing Example: “Detecting the lateral movement” research https://www.jpcert.or.jp/english/pub/sr/ir_research.html
Simulate the threats and malicious actions Some practices for test environment: 1) Better to have VM’s 2) Different OS versions 3) Patched/vulnerable machines 4) Isolated network 5) Popular products installed 6) Monitoring software on board
Example:
● Attack simulations Examples: DumpsterFire (Windows,Linux,macOS) Atomic-Red-Team (Windows,Linux,macOS) Caldera (Windows) APT-Simulator (Windows)
MITRE ATT&CK Evaluation (https://attackevals.mitre.org/) The following modifications were made to the standard Azure images: ● Configured firewall to allow SMB ● Configured firewall to allow FTP ● Disabled Network Level Authentication via the control panel GUI to allow RDP ● Created a shared drive ● Registry changed to allow storage of wdigest credentials ● Registry changed to disable Windows Defender ● Execution policy set to “bypass”
Analyse the normal activity ● Perform some general actions on system Examples: Inbound /outbound connections Accounts manipulations Configurations changes OR ● Do nothing & just observe ● what happens
Sum Up ● Understanding of out-of-the-box monitoring capabilities of the environment ● Filter data that is unrelated ● Know boundaries & features of the tools you use ● Analyse & simulate the threats ● Take a look on how device/system normally functions to create a solid “baseline”
THE END Special thanks to the SOC team, who’ve made this possible and is on real-time monitoring duty right now <3

Recommended

Windows Security Crash Course
Windows Security Crash CourseWindows Security Crash Course
Windows Security Crash CourseUTD Computer Security Group
 
Intro to Exploitation
Intro to ExploitationIntro to Exploitation
Intro to ExploitationUTD Computer Security Group
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?Michael Boelen
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration TestingUTD Computer Security Group
 
Linux Security, from Concept to Tooling
Linux Security, from Concept to ToolingLinux Security, from Concept to Tooling
Linux Security, from Concept to ToolingMichael Boelen
 
Infrastructure Security
Infrastructure SecurityInfrastructure Security
Infrastructure SecurityUTD Computer Security Group
 
Linux Security Scanning with Lynis
Linux Security Scanning with LynisLinux Security Scanning with Lynis
Linux Security Scanning with LynisMichael Boelen
 
Handling of compromised Linux systems
Handling of compromised Linux systemsHandling of compromised Linux systems
Handling of compromised Linux systemsMichael Boelen
 

Recommended

Windows Security Crash Course
Windows Security Crash CourseWindows Security Crash Course
Windows Security Crash CourseUTD Computer Security Group
 
Intro to Exploitation
Intro to ExploitationIntro to Exploitation
Intro to ExploitationUTD Computer Security Group
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?Michael Boelen
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration TestingUTD Computer Security Group
 
Linux Security, from Concept to Tooling
Linux Security, from Concept to ToolingLinux Security, from Concept to Tooling
Linux Security, from Concept to ToolingMichael Boelen
 
Infrastructure Security
Infrastructure SecurityInfrastructure Security
Infrastructure SecurityUTD Computer Security Group
 
Linux Security Scanning with Lynis
Linux Security Scanning with LynisLinux Security Scanning with Lynis
Linux Security Scanning with LynisMichael Boelen
 
Handling of compromised Linux systems
Handling of compromised Linux systemsHandling of compromised Linux systems
Handling of compromised Linux systemsMichael Boelen
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for DevelopersMichael Boelen
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsAnne Nicolas
 
mod_security introduction at study2study #3
mod_security introduction at study2study #3mod_security introduction at study2study #3
mod_security introduction at study2study #3Naoya Nakazawa
 
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Paula Januszkiewicz
 
Virtual Networking Security - Network Security
Virtual Networking Security - Network SecurityVirtual Networking Security - Network Security
Virtual Networking Security - Network SecurityEng Teong Cheah
 
Ethical hacking basics
Ethical hacking basicsEthical hacking basics
Ethical hacking basicsBHAWESH RAJPAL
 
Linux Hardening
Linux HardeningLinux Hardening
Linux HardeningMichael Boelen
 
Linux Security Crash Course
Linux Security Crash CourseLinux Security Crash Course
Linux Security Crash CourseUTD Computer Security Group
 
Virtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter SecurityVirtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter SecurityEng Teong Cheah
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
 
opensuse conference 2015: security processes and technologies for Tumbleweed
opensuse conference 2015: security processes and technologies for Tumbleweedopensuse conference 2015: security processes and technologies for Tumbleweed
opensuse conference 2015: security processes and technologies for TumbleweedMarcus Meissner
 
Pentesting with linux
Pentesting with linuxPentesting with linux
Pentesting with linuxHammad Ahmed Khawaja
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesInformation Technology
 
Security, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an OverviewSecurity, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an OverviewKaiwan Billimoria
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptDenis Kolegov
 
Directions in SELinux Networking
Directions in SELinux NetworkingDirections in SELinux Networking
Directions in SELinux NetworkingJames Morris
 
Kevin wharram
Kevin wharramKevin wharram
Kevin wharramKevin Wharram
 
Secure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxSecure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxJames Morris
 
Configuration Auditing
Configuration AuditingConfiguration Auditing
Configuration AuditingAlbert Campa
 
Security Onion - Brief
Security Onion - BriefSecurity Onion - Brief
Security Onion - BriefAshley Deuble
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]Phil Huggins FBCS CITP
 

More Related Content

What's hot

Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for DevelopersMichael Boelen
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsAnne Nicolas
 
mod_security introduction at study2study #3
mod_security introduction at study2study #3mod_security introduction at study2study #3
mod_security introduction at study2study #3Naoya Nakazawa
 
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Paula Januszkiewicz
 
Virtual Networking Security - Network Security
Virtual Networking Security - Network SecurityVirtual Networking Security - Network Security
Virtual Networking Security - Network SecurityEng Teong Cheah
 
Ethical hacking basics
Ethical hacking basicsEthical hacking basics
Ethical hacking basicsBHAWESH RAJPAL
 
Virtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter SecurityVirtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter SecurityEng Teong Cheah
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
 
opensuse conference 2015: security processes and technologies for Tumbleweed
opensuse conference 2015: security processes and technologies for Tumbleweedopensuse conference 2015: security processes and technologies for Tumbleweed
opensuse conference 2015: security processes and technologies for TumbleweedMarcus Meissner
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesInformation Technology
 
Security, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an OverviewSecurity, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an OverviewKaiwan Billimoria
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptDenis Kolegov
 
Directions in SELinux Networking
Directions in SELinux NetworkingDirections in SELinux Networking
Directions in SELinux NetworkingJames Morris
 
Secure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxSecure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxJames Morris
 
Configuration Auditing
Configuration AuditingConfiguration Auditing
Configuration AuditingAlbert Campa
 
Security Onion - Brief
Security Onion - BriefSecurity Onion - Brief
Security Onion - BriefAshley Deuble
 

What's hot (20)

Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for Developers
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
 
mod_security introduction at study2study #3
mod_security introduction at study2study #3mod_security introduction at study2study #3
mod_security introduction at study2study #3
 
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
Microsoft Ignite session: Look under the hood: bypassing antimalware tactics ...
 
Virtual Networking Security - Network Security
Virtual Networking Security - Network SecurityVirtual Networking Security - Network Security
Virtual Networking Security - Network Security
 
Ethical hacking basics
Ethical hacking basicsEthical hacking basics
Ethical hacking basics
 
Linux Hardening
Linux HardeningLinux Hardening
Linux Hardening
 
Linux Security Crash Course
Linux Security Crash CourseLinux Security Crash Course
Linux Security Crash Course
 
Virtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter SecurityVirtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter Security
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 
opensuse conference 2015: security processes and technologies for Tumbleweed
opensuse conference 2015: security processes and technologies for Tumbleweedopensuse conference 2015: security processes and technologies for Tumbleweed
opensuse conference 2015: security processes and technologies for Tumbleweed
 
Pentesting with linux
Pentesting with linuxPentesting with linux
Pentesting with linux
 
Linux Operating System Vulnerabilities
Linux Operating System VulnerabilitiesLinux Operating System Vulnerabilities
Linux Operating System Vulnerabilities
 
Security, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an OverviewSecurity, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an Overview
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
 
Directions in SELinux Networking
Directions in SELinux NetworkingDirections in SELinux Networking
Directions in SELinux Networking
 
Kevin wharram
Kevin wharramKevin wharram
Kevin wharram
 
Secure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxSecure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinux
 
Configuration Auditing
Configuration AuditingConfiguration Auditing
Configuration Auditing
 
Security Onion - Brief
Security Onion - BriefSecurity Onion - Brief
Security Onion - Brief
 

Similar to Oksana Safronova - Will you detect it or not? How to check if security team is ready before incident happens

Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]Phil Huggins FBCS CITP
 
Building your macOS Baseline Requirements MacadUK 2018
Building your macOS Baseline Requirements MacadUK 2018Building your macOS Baseline Requirements MacadUK 2018
Building your macOS Baseline Requirements MacadUK 2018Henry Stamerjohann
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summaryKarun Chennuri
 
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...Building a data pipeline to ingest data into Hadoop in minutes using Streamse...
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...Guglielmo Iozzia
 
Stay clear of the bugs: Troubleshooting Applications in Microsoft Azure
Stay clear of the bugs: Troubleshooting Applications in Microsoft AzureStay clear of the bugs: Troubleshooting Applications in Microsoft Azure
Stay clear of the bugs: Troubleshooting Applications in Microsoft AzureHARMAN Services
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14jemtallon
 
Monitoring - deeper dive
Monitoring - deeper diveMonitoring - deeper dive
Monitoring - deeper diveRobert Kubiś
 
Prometheus - Intro, CNCF, TSDB,PromQL,Grafana
Prometheus - Intro, CNCF, TSDB,PromQL,GrafanaPrometheus - Intro, CNCF, TSDB,PromQL,Grafana
Prometheus - Intro, CNCF, TSDB,PromQL,GrafanaSridhar Kumar N
 
Using Sumo Logic - Apr 2018
Using Sumo Logic - Apr 2018Using Sumo Logic - Apr 2018
Using Sumo Logic - Apr 2018Sumo Logic
 
CISSP Week 22
CISSP Week 22CISSP Week 22
CISSP Week 22jemtallon
 
Hybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest ProtectionHybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest ProtectionFederico Franzoni
 
Level 3 Certification: Setting up Sumo Logic - Oct 2018
Level 3 Certification: Setting up Sumo Logic - Oct 2018Level 3 Certification: Setting up Sumo Logic - Oct 2018
Level 3 Certification: Setting up Sumo Logic - Oct 2018Sumo Logic
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyAmazon Web Services
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud SecurityMongoDB
 
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn ContainerDay Security 2023
 
How to accelerate docker adoption with a simple and powerful user experience
How to accelerate docker adoption with a simple and powerful user experienceHow to accelerate docker adoption with a simple and powerful user experience
How to accelerate docker adoption with a simple and powerful user experienceDocker, Inc.
 

Similar to Oksana Safronova - Will you detect it or not? How to check if security team is ready before incident happens (20)

Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
 
First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]
 
Building your macOS Baseline Requirements MacadUK 2018
Building your macOS Baseline Requirements MacadUK 2018Building your macOS Baseline Requirements MacadUK 2018
Building your macOS Baseline Requirements MacadUK 2018
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summary
 
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...Building a data pipeline to ingest data into Hadoop in minutes using Streamse...
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...
 
Stay clear of the bugs: Troubleshooting Applications in Microsoft Azure
Stay clear of the bugs: Troubleshooting Applications in Microsoft AzureStay clear of the bugs: Troubleshooting Applications in Microsoft Azure
Stay clear of the bugs: Troubleshooting Applications in Microsoft Azure
 
OSSEC Holidaycon 2020.pdf
OSSEC Holidaycon 2020.pdfOSSEC Holidaycon 2020.pdf
OSSEC Holidaycon 2020.pdf
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14
 
Monitoring - deeper dive
Monitoring - deeper diveMonitoring - deeper dive
Monitoring - deeper dive
 
Prometheus - Intro, CNCF, TSDB,PromQL,Grafana
Prometheus - Intro, CNCF, TSDB,PromQL,GrafanaPrometheus - Intro, CNCF, TSDB,PromQL,Grafana
Prometheus - Intro, CNCF, TSDB,PromQL,Grafana
 
Using Sumo Logic - Apr 2018
Using Sumo Logic - Apr 2018Using Sumo Logic - Apr 2018
Using Sumo Logic - Apr 2018
 
CISSP Week 22
CISSP Week 22CISSP Week 22
CISSP Week 22
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
 
Hybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest ProtectionHybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest Protection
 
Operations: Security
Operations: SecurityOperations: Security
Operations: Security
 
Level 3 Certification: Setting up Sumo Logic - Oct 2018
Level 3 Certification: Setting up Sumo Logic - Oct 2018Level 3 Certification: Setting up Sumo Logic - Oct 2018
Level 3 Certification: Setting up Sumo Logic - Oct 2018
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your Company
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud Security
 
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
 
How to accelerate docker adoption with a simple and powerful user experience
How to accelerate docker adoption with a simple and powerful user experienceHow to accelerate docker adoption with a simple and powerful user experience
How to accelerate docker adoption with a simple and powerful user experience
 

More from NoNameCon

Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...NoNameCon
 
Anastasiia Vixentael – Encryption basics [NoName CyberKids]
Anastasiia Vixentael – Encryption basics [NoName CyberKids]Anastasiia Vixentael – Encryption basics [NoName CyberKids]
Anastasiia Vixentael – Encryption basics [NoName CyberKids]NoNameCon
 
Ihor Malchenyuk – What is privacy and how to protect it [NoName CyberKids]
Ihor Malchenyuk – What is privacy and how to protect it [NoName CyberKids]Ihor Malchenyuk – What is privacy and how to protect it [NoName CyberKids]
Ihor Malchenyuk – What is privacy and how to protect it [NoName CyberKids]NoNameCon
 
Olha Pasko - Hunting fileless malware [workshop]
Olha Pasko - Hunting fileless malware [workshop] Olha Pasko - Hunting fileless malware [workshop]
Olha Pasko - Hunting fileless malware [workshop] NoNameCon
 
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...NoNameCon
 
Ruslan Kiyanchuk - Калина, Купина, та інша флора вітчизняної криптографії
Ruslan Kiyanchuk - Калина, Купина, та інша флора вітчизняної криптографіїRuslan Kiyanchuk - Калина, Купина, та інша флора вітчизняної криптографії
Ruslan Kiyanchuk - Калина, Купина, та інша флора вітчизняної криптографіїNoNameCon
 
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...NoNameCon
 
Stephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposedStephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposedNoNameCon
 
Bert Heitink - 10 major steps for Cybersecurity
Bert Heitink - 10 major steps for CybersecurityBert Heitink - 10 major steps for Cybersecurity
Bert Heitink - 10 major steps for CybersecurityNoNameCon
 
Ievgen Kulyk - Advanced reverse engineering techniques in unpacking
Ievgen Kulyk - Advanced reverse engineering techniques in unpackingIevgen Kulyk - Advanced reverse engineering techniques in unpacking
Ievgen Kulyk - Advanced reverse engineering techniques in unpackingNoNameCon
 
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...NoNameCon
 
Pavlo Zhavoronkov - What is autumn like in prison camps?
Pavlo Zhavoronkov - What is autumn like in prison camps?Pavlo Zhavoronkov - What is autumn like in prison camps?
Pavlo Zhavoronkov - What is autumn like in prison camps?NoNameCon
 
Alexander Olenyev & Andrey Voloshin - Car Hacking: Yes, You can do that!
Alexander Olenyev & Andrey Voloshin - Car Hacking: Yes, You can do that!Alexander Olenyev & Andrey Voloshin - Car Hacking: Yes, You can do that!
Alexander Olenyev & Andrey Voloshin - Car Hacking: Yes, You can do that!NoNameCon
 
Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...
Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...
Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...NoNameCon
 
Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security C...
Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security C...Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security C...
Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security C...NoNameCon
 
Alexander Olenyev & Andrey Voloshin - Car Hacking 101 by NoNameCon
Alexander Olenyev & Andrey Voloshin - Car Hacking 101 by NoNameConAlexander Olenyev & Andrey Voloshin - Car Hacking 101 by NoNameCon
Alexander Olenyev & Andrey Voloshin - Car Hacking 101 by NoNameConNoNameCon
 
Stas Kolenkin & Taras Bobalo - CloudFlare Recon Workshop
Stas Kolenkin & Taras Bobalo - CloudFlare Recon WorkshopStas Kolenkin & Taras Bobalo - CloudFlare Recon Workshop
Stas Kolenkin & Taras Bobalo - CloudFlare Recon WorkshopNoNameCon
 
Serhii Korolenko - Passing Security By
Serhii Korolenko - Passing Security BySerhii Korolenko - Passing Security By
Serhii Korolenko - Passing Security ByNoNameCon
 
Serhii Aleynikov - Remote Forensics of a Linux Server Without Physical Access
Serhii Aleynikov - Remote Forensics of a Linux Server Without Physical AccessSerhii Aleynikov - Remote Forensics of a Linux Server Without Physical Access
Serhii Aleynikov - Remote Forensics of a Linux Server Without Physical AccessNoNameCon
 
Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life u...
Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life u...Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life u...
Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life u...NoNameCon
 

More from NoNameCon (20)

Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
 
Anastasiia Vixentael – Encryption basics [NoName CyberKids]
Anastasiia Vixentael – Encryption basics [NoName CyberKids]Anastasiia Vixentael – Encryption basics [NoName CyberKids]
Anastasiia Vixentael – Encryption basics [NoName CyberKids]
 
Ihor Malchenyuk – What is privacy and how to protect it [NoName CyberKids]
Ihor Malchenyuk – What is privacy and how to protect it [NoName CyberKids]Ihor Malchenyuk – What is privacy and how to protect it [NoName CyberKids]
Ihor Malchenyuk – What is privacy and how to protect it [NoName CyberKids]
 
Olha Pasko - Hunting fileless malware [workshop]
Olha Pasko - Hunting fileless malware [workshop] Olha Pasko - Hunting fileless malware [workshop]
Olha Pasko - Hunting fileless malware [workshop]
 
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...
 
Ruslan Kiyanchuk - Калина, Купина, та інша флора вітчизняної криптографії
Ruslan Kiyanchuk - Калина, Купина, та інша флора вітчизняної криптографіїRuslan Kiyanchuk - Калина, Купина, та інша флора вітчизняної криптографії
Ruslan Kiyanchuk - Калина, Купина, та інша флора вітчизняної криптографії
 
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...
 
Stephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposedStephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposed
 
Bert Heitink - 10 major steps for Cybersecurity
Bert Heitink - 10 major steps for CybersecurityBert Heitink - 10 major steps for Cybersecurity
Bert Heitink - 10 major steps for Cybersecurity
 
Ievgen Kulyk - Advanced reverse engineering techniques in unpacking
Ievgen Kulyk - Advanced reverse engineering techniques in unpackingIevgen Kulyk - Advanced reverse engineering techniques in unpacking
Ievgen Kulyk - Advanced reverse engineering techniques in unpacking
 
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
 
Pavlo Zhavoronkov - What is autumn like in prison camps?
Pavlo Zhavoronkov - What is autumn like in prison camps?Pavlo Zhavoronkov - What is autumn like in prison camps?
Pavlo Zhavoronkov - What is autumn like in prison camps?
 
Alexander Olenyev & Andrey Voloshin - Car Hacking: Yes, You can do that!
Alexander Olenyev & Andrey Voloshin - Car Hacking: Yes, You can do that!Alexander Olenyev & Andrey Voloshin - Car Hacking: Yes, You can do that!
Alexander Olenyev & Andrey Voloshin - Car Hacking: Yes, You can do that!
 
Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...
Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...
Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...
 
Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security C...
Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security C...Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security C...
Eugene Pilyankevich - Getting Secure Against Challenges Or Getting Security C...
 
Alexander Olenyev & Andrey Voloshin - Car Hacking 101 by NoNameCon
Alexander Olenyev & Andrey Voloshin - Car Hacking 101 by NoNameConAlexander Olenyev & Andrey Voloshin - Car Hacking 101 by NoNameCon
Alexander Olenyev & Andrey Voloshin - Car Hacking 101 by NoNameCon
 
Stas Kolenkin & Taras Bobalo - CloudFlare Recon Workshop
Stas Kolenkin & Taras Bobalo - CloudFlare Recon WorkshopStas Kolenkin & Taras Bobalo - CloudFlare Recon Workshop
Stas Kolenkin & Taras Bobalo - CloudFlare Recon Workshop
 
Serhii Korolenko - Passing Security By
Serhii Korolenko - Passing Security BySerhii Korolenko - Passing Security By
Serhii Korolenko - Passing Security By
 
Serhii Aleynikov - Remote Forensics of a Linux Server Without Physical Access
Serhii Aleynikov - Remote Forensics of a Linux Server Without Physical AccessSerhii Aleynikov - Remote Forensics of a Linux Server Without Physical Access
Serhii Aleynikov - Remote Forensics of a Linux Server Without Physical Access
 
Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life u...
Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life u...Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life u...
Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life u...
 

Recently uploaded

SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLionel Briand
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
Strategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsStrategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsJean Silva
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Developmentvyaparkranti
 
Effectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorEffectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorTier1 app
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonApplitools
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
SoftTeco - Software Development Company Profile
SoftTeco - Software Development Company ProfileSoftTeco - Software Development Company Profile
SoftTeco - Software Development Company Profileakrivarotava
 
Osi security architecture in network.pptx
Osi security architecture in network.pptxOsi security architecture in network.pptx
Osi security architecture in network.pptxVinzoCenzo
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfkalichargn70th171
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxRTS corp
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identityteam-WIBU
 
Patterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencePatterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencessuser9e7c64
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesVictoriaMetrics
 

Recently uploaded (20)

SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and Repair
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
Strategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsStrategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero results
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
Effectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorEffectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryError
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
SoftTeco - Software Development Company Profile
SoftTeco - Software Development Company ProfileSoftTeco - Software Development Company Profile
SoftTeco - Software Development Company Profile
 
Osi security architecture in network.pptx
Osi security architecture in network.pptxOsi security architecture in network.pptx
Osi security architecture in network.pptx
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
 
Patterns for automating API delivery. API conference
Patterns for automating API delivery. API conferencePatterns for automating API delivery. API conference
Patterns for automating API delivery. API conference
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 Updates
 

Oksana Safronova - Will you detect it or not? How to check if security team is ready before incident happens

  • 1. Will you detect it or not? How to check if security team is ready before incident happens
  • 2. whoami SOC Analyst with Underdefense
  • 3. Agenda Environments can be different, use cases can be different, scope can be different, but detection basically remains the same. Detection capabilities are based on: 1. Data sources 2. Toolset in use 3. Expertise Some general assumptions and observations about what can be done better in real-time monitoring.
  • 5. What can it be? Nearly everything ● OS ● Cloud ● Network devices ● Web Servers ● IOT devices ...and many,many more
  • 6. How the logs are formatted? Examples: ●XML ●syslog ●JSON ●custom formats
  • 7. How the logs can be expended? Example: Windows Advanced logging
  • 8. How the logs can be filtered? Example: IIS web server logging
  • 9. How the logs are collected? Is the method fast/secure/reliable? Example: Windows logging protection
  • 11. ● Adequate reporting timing Example: osquery data logging by intervals https://osquery.read thedocs.io/en/stable /
  • 12. ● Customise configurations Examples: https://github.com/Neo23x0/auditd https://github.com/SwiftOnSecurity/sysmon- config
  • 13. ● Secure & monitor your security & monitoring tools Example: Sysmon service configuration
  • 15. Analyse the known threats ● MITRE ATT&CK Matrix - reach number of use cases (https://attack.mitre.org/matrices/enterprise/)
  • 16. ● Reports about other security organisations/researchers detection testing Example: “Detecting the lateral movement” research https://www.jpcert.or.jp/english/pub/sr/ir_research.html
  • 17. Simulate the threats and malicious actions Some practices for test environment: 1) Better to have VM’s 2) Different OS versions 3) Patched/vulnerable machines 4) Isolated network 5) Popular products installed 6) Monitoring software on board
  • 19. ● Attack simulations Examples: DumpsterFire (Windows,Linux,macOS) Atomic-Red-Team (Windows,Linux,macOS) Caldera (Windows) APT-Simulator (Windows)
  • 20. MITRE ATT&CK Evaluation (https://attackevals.mitre.org/) The following modifications were made to the standard Azure images: ● Configured firewall to allow SMB ● Configured firewall to allow FTP ● Disabled Network Level Authentication via the control panel GUI to allow RDP ● Created a shared drive ● Registry changed to allow storage of wdigest credentials ● Registry changed to disable Windows Defender ● Execution policy set to “bypass”
  • 21. Analyse the normal activity ● Perform some general actions on system Examples: Inbound /outbound connections Accounts manipulations Configurations changes OR ● Do nothing & just observe ● what happens
  • 22. Sum Up ● Understanding of out-of-the-box monitoring capabilities of the environment ● Filter data that is unrelated ● Know boundaries & features of the tools you use ● Analyse & simulate the threats ● Take a look on how device/system normally functions to create a solid “baseline”
  • 23. THE END Special thanks to the SOC team, who’ve made this possible and is on real-time monitoring duty right now <3