
SecOps - IR and Forensic Workflows - Python (Security Automation)

The talk covers SecOps incident response and forensics workflows, with Python used for the automation:

- SOAR Use Cases (5)
- API Integrations
- DEMOS
- Email Beaconing (Advanced setup)
- Public Interaction

Published in: Technology


  1. SecOps - Automation: IR & Forensics Workflows & Python - Santhosh Baswa
  2. Who am I: SecOps new starter; CTF player (occasionally); offensive + defensive guy
  3. "What is SecOps: where | what | how to automate?" *** Share your thoughts ***
  4. What is SOAR? (Security Orchestration, Automation and Response) *** Any idea? ***
  5. SecOps Teams | Automation | Use Cases
 - SIEM Alert
 - Phishing Triage
 - Threat Hunting
 - Insider Threat
 - Endpoint Protection
 - Forensic Investigation
  6. SIEM Alert | Threat Hunting | Forensic Investigation
  7. Where do we automate?
 • Endpoint agent installation
 • Configuration management (Sysmon/osquery)
 • SIEM alert integration (Python API / REST API)
 • Threat intel integration (corporate / open source feeds)
 • Querying Active Directory (Python: ldap3/pyad)
 • EDR REST API integration (pull forensic snapshots)
  8. Threat Intel: API Integrations
 • pip install virustotal-api-v2
 • X-Force REST API
  9. Active Directory: LDAP Integration
  10. Phishing Triage | Endpoint Investigation
  11. Where do we automate?
 • Email -> extract -> JSON output (dirty Python script)
 • HTML email template generation (Python)
 • JIRA/ServiceNow: Python API integration
 • EDR API integration: REST API
 • Sandbox submission (Cuckoo/VMRay/Falcon/SNDBOX etc.)
 • Threat intel API integration: VT / IBM X-Force / open source
 • Office 365 email API integration
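The first bullet of the phishing-triage list, "Email -> extract -> JSON output", is the step that turns a reported message into something JIRA/ServiceNow, the sandbox and the threat-intel lookups can consume. The script below is an added example written for this page, not the talk's own "dirty Python script": it parses a raw RFC 5322 message with the standard library, pulls out sender, Reply-To, subject, URLs, URL domains and attachment hashes, flags a Reply-To domain that differs from the From domain, and emits JSON. The sample message is constructed inline (lookalike domain `examp1e-support.com`, a fake zip) and is not real traffic.

```python
import email
import hashlib
import json
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Crude URL matcher: stops at whitespace, quotes and brackets so it works
# on both text/plain and text/html bodies. Good enough for first-pass triage.
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)


def build_sample() -> bytes:
    """Constructed phishing sample (not real traffic): a lookalike Reply-To
    domain, a credential-reset link and a small attachment."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@example.com>"
    msg["Reply-To"] = "helpdesk@examp1e-support.com"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Action required: password expires today"
    msg.set_content("Reset here: http://examp1e-support.com/reset?u=alice")
    msg.add_alternative(
        '<p>Reset <a href="http://examp1e-support.com/reset?u=alice">here</a></p>',
        subtype="html",
    )
    msg.add_attachment(b"PK\x03\x04fake-zip", maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


def addr_domain(header_value: str) -> str:
    """Domain part of the first address in a header value, lower-cased."""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Parse a raw message and return the indicators an analyst wants."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls, attachments = set(), []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename()
        if filename or part.get_content_disposition() == "attachment":
            # Hash every attachment so it can be looked up / submitted later.
            attachments.append({
                "filename": filename,
                "content_type": part.get_content_type(),
                "size": len(payload),
                "sha256": hashlib.sha256(payload).hexdigest(),
            })
        elif part.get_content_maintype() == "text":
            charset = part.get_content_charset() or "utf-8"
            urls.update(URL_RE.findall(payload.decode(charset, errors="replace")))
    sender = str(msg.get("From", ""))
    reply_to = str(msg.get("Reply-To", ""))
    return {
        "from": sender,
        "reply_to": reply_to,
        "to": str(msg.get("To", "")),
        "subject": str(msg.get("Subject", "")),
        "received_hops": len(msg.get_all("Received", [])),
        # A Reply-To on a different domain than From is a classic phish tell.
        "reply_to_mismatch": bool(reply_to) and addr_domain(reply_to) != addr_domain(sender),
        "urls": sorted(urls),
        "url_domains": sorted({u.split("/")[2].lower() for u in urls}),
        "attachments": attachments,
    }


def triage_json(raw: bytes) -> str:
    """JSON document for the ticketing / sandbox / TI steps downstream."""
    return json.dumps(triage(raw), indent=2)


if __name__ == "__main__":
    print(triage_json(build_sample()))
```

Feed a real `.eml` by reading it as bytes and passing it to `triage_json`; the `url_domains` and attachment `sha256` values are what you hand to the VT / X-Force lookups on the next slides, and the whole JSON goes into the ticket description.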
  12. Weird Automation Demos: ** Demo Time **
  13. O365 Management: API Integrations
  14. Data Exfiltration
  15. Exfiltration - Detection
 • Curious about MTA agents?
 • Is ingress/egress email traffic monitored at the firewall?
 • What about free mail providers / disposable email providers?
 • Track how many partners/clients are using free email services
 • Gist: https://gist.github.com/P3t3rp4rk3r/bc707cebaeb306aba3e8e9a9597aa658
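The free-mail / disposable-provider questions on the exfiltration slide become a detection once you have a per-message export from the MTA or mail gateway. The script below is an added example written for this page (not the linked gist, whose contents the page does not show): it classifies recipient domains as internal, partner, free mail or disposable, aggregates outbound mail from the corporate domain to free and disposable providers per sender, raises an alert for any mail to a disposable provider or for a byte volume over a threshold, and separately tracks every external counterpart that uses a free-mail service. The JSON-lines log, the field names (`from`, `to`, `size`, `attachments`), the corporate domain `example.com` and the provider lists are all constructed assumptions; a real deployment maps its own gateway fields and uses a maintained provider list.

```python
import json
from collections import defaultdict

CORP_DOMAIN = "example.com"  # assumed corporate domain
# Illustrative provider lists; a production list is far longer and is
# usually pulled from a maintained feed.
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "protonmail.com"}
DISPOSABLE = {"guerrillamail.com", "sharklasers.com", "mailinator.com"}

# Constructed gateway export (JSON lines), not real traffic. The field names
# are an assumption about what the MTA / gateway logs.
SAMPLE_LOG = """\
{"ts": "2019-06-03T09:14:02Z", "from": "alice@example.com", "to": "partner@contoso.example", "size": 20480, "attachments": 1}
{"ts": "2019-06-03T09:20:11Z", "from": "alice@example.com", "to": "alice.personal@gmail.com", "size": 204800, "attachments": 1}
{"ts": "2019-06-03T10:02:45Z", "from": "bob@example.com", "to": "drop.xyz@guerrillamail.com", "size": 4800000, "attachments": 1}
{"ts": "2019-06-03T11:30:00Z", "from": "carol@example.com", "to": "client@outlook.com", "size": 51200, "attachments": 0}
{"ts": "2019-06-03T11:41:19Z", "from": "carol@example.com", "to": "client@outlook.com", "size": 6000000, "attachments": 3}
{"ts": "2019-06-03T12:05:33Z", "from": "vendor@gmail.com", "to": "alice@example.com", "size": 4096, "attachments": 0}
"""


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def classify(domain: str) -> str:
    """internal / disposable / freemail / partner (anything else external)."""
    if domain == CORP_DOMAIN:
        return "internal"
    if domain in DISPOSABLE:
        return "disposable"
    if domain in FREE_MAIL:
        return "freemail"
    return "partner"


def parse_log(text: str):
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def analyse(records, byte_threshold: int = 5_000_000) -> dict:
    """Per internal sender: outbound mail to free/disposable providers.
    Also returns every external counterpart that uses a free-mail service."""
    per_sender = defaultdict(lambda: {"msgs": 0, "bytes": 0, "attachments": 0,
                                      "disposable_msgs": 0, "recipients": set()})
    freemail_contacts = set()
    for r in records:
        src, dst = domain_of(r["from"]), domain_of(r["to"])
        # Track external parties on free/disposable providers in either direction
        # (the "how many partners use free mail" question on the slide).
        for addr, dom in ((r["from"], src), (r["to"], dst)):
            if classify(dom) in ("freemail", "disposable"):
                freemail_contacts.add(addr.lower())
        if src != CORP_DOMAIN:
            continue  # exfiltration is about outbound mail only
        cls = classify(dst)
        if cls not in ("freemail", "disposable"):
            continue
        st = per_sender[r["from"].lower()]
        st["msgs"] += 1
        st["bytes"] += int(r.get("size", 0))
        st["attachments"] += int(r.get("attachments", 0))
        st["recipients"].add(r["to"].lower())
        if cls == "disposable":
            st["disposable_msgs"] += 1

    alerts = []
    for sender, st in sorted(per_sender.items()):
        reasons = []
        if st["disposable_msgs"]:
            reasons.append("mail to disposable provider")
        if st["bytes"] >= byte_threshold:
            reasons.append("volume %d bytes to free mail" % st["bytes"])
        if reasons:
            alerts.append({"sender": sender, "reasons": reasons,
                           "recipients": sorted(st["recipients"]),
                           "bytes": st["bytes"], "attachments": st["attachments"]})
    return {"alerts": alerts, "freemail_contacts": sorted(freemail_contacts)}


if __name__ == "__main__":
    print(json.dumps(analyse(parse_log(SAMPLE_LOG)), indent=2))
```

On the constructed log this alerts on bob (a disposable-provider recipient, regardless of size) and carol (about 6 MB to an outlook.com address in a day) while alice's single small mail to her own Gmail stays below the threshold; the `freemail_contacts` list is the thing to hand to the account managers so that partners and clients on free providers can be moved to a proper domain or at least known about. Tune `byte_threshold` per business unit and treat the disposable-provider rule as a hard alert.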
  16. Email Beaconing (Next Level) - Python: What is beaconing? pip install python-guerrillamail
  17. Any Questions??? - P3t3rp4rk3r
