This document provides greetings in 11 official languages of South Africa: Afrikaans, English, isiNdebele, isiXhosa, isiZulu, Sepedi, Sesotho, Setswana, SiSwati, Tshivenda, and Xitsonga. It lists each language along with the greeting used. At the end it thanks the reader in each of the 11 languages. The purpose is to showcase South Africa's multilingualism and celebrate its diversity of official languages.

1. South Africa – 11 Official Languages
Greetings!
Afrikaans – Goeie dag
English – Hello
isiNdebele – Lotjhani
isiXhosa – Mholo
isiZulu – Sanibona
Sepedi – Thobela
Sesotho – Dumela
Setswana – Dumela
SiSwati – Sawubona
Tshivenda – Ndaa/Aa
Xitsonga – Avuxeni
Thank you!
Afrikaans – Dankie
English – Thanks
isiNdebele – Ngiyathokoza
isiXhosa – Enkosi
isiZulu – Ngiyabonga
Sepedi – Ke a leboga
Sesotho – Ke a leboha
Setswana – Ke a leboga
SiSwati – Ngiyabonga
Tshivenda –Ndi a livhuwa
Xitsonga – ndzi khense

2. NO TO RACISM/SEXISM/XENOPHOBIA/ETC

3. Threat Attack Simulations
&
Hunting Made Easy

4. #whoami
Nathi Mogomotsi @nathimog
african, black, grand[son], brother, hacker, n00b, vegan, alcohol, not-french,
suck-at-english, God fearing, not-a-saint, no tattoo, biker
Sr. Red Teamer @sanlam
Hacker @sensepost

5. How it all started
• New job
• More time to do research and 1337 hax
But…
• It wasn’t fun anymore
• Now I get to receive pen test reports
• I am on the receiving end
• Needed to do something about this
• Time to help the defenders
https://twitter.com/s7ephen/status/925969930134024192

6. On an Unrelated Note:
• I asked my previous boss (Charl) to buy me this book 4~ years I ago
• I knew I had some “defensive” blood in me 

7. How it all started
• Watched CG and CN talk
• Was impressed, thanks guys
• Go watch the talk
• Will wait for you…

8. Why this talk
• To share my experience
• To share my learnings
• Hopefully it will help you get started (you should)
• I am not an expert, so this is really basic stuff
• Ping me if you have any comments or ideas
• nathi@protonmail.com

9. Why this talk – Pyramid of Pain
http://detect-respond.blogspot.co.za/2013/03/the-pyramid-of-pain.html

10. What is attack simulation ?
• Just like a pilot simulator, it is there to put you in the worst possible
situation at a lowest level of risk - Chris Nickerson
• Understanding attacks that might be used against an organisation in
order to improve the organisation’s defence – me
• Attack simulations should be done to learn how attackers are likely to
achieve goals against your organization – Zane Lackey
• Can we detect and/or stop a particular attack ?
• Assume compromise – We can be compromised!

11. What is attack hunting ?
• Proactive incident response
• Are we hacked by this particular attack ?
• Assume compromise – We might be compromised already!

12. High Level Process|Attack Oriented Defence
Attack
Technique
Defensive
Controls
Simulation
Hunting
Measure
Effectiveness

13. Attack Techniques
Choose a
technique you
interested in:
• Technique used in the wild
• Technique from threat reports
• Technique you found during your vuln research
• Technique from software vendors security bulletins
• Technique from hacker tools
• Technique from pen testing report

14. Attack Techniques - MITRE
“ATT&CK is useful for understanding security risk against known
adversary behavior, for planning security improvements, and verifying
defenses work as expected.” https://attack.mitre.org/wiki/Main_Page

15. Attack Techniques - MITRE

16. Attack Techniques - Tools
Media and your CISO

17. Attack Techniques - Tools
https://www.slideshare.net/JaredAtkinson/purpose-driven-hunt-derbycon-2017

18. Recap
• We identified the technique we want to focus on.
Attack
Technique
Defensive
Controls
Simulation
Hunting
Measure
Effectiveness

19. Defensive Controls – Cyber Kill Chain

20. Weaponization
Reconnaissance
Delivery
Exploitation
Installation
Command &
Control
Actions on
Objectives
Detect Deny Disrupt Degrade Deceive Contain
Web Analytics Firewall ACL Firewall ACL
NIDS NIPS NIPS
Vigilant user Proxy filter Inline AV Email Queuing
App-Aware
Firewall
HIDS Vendor Patch EMET, DEP
Inter-Zone
NIPS
HIDS ‘chroot’ Jail AV EPP
NIDS Firewall ACL NIPS Tar pit DNS Redirect Trust Zones
Audit log Outbound ACL DLP QOS Throttle Honeypot Trust Zones

21. Recap
• We identified the technique we want to focus on.
• We understand our current defences.
• We identified the technique we want to focus on
Attack
Technique
Defensive
Controls
Simulation
Hunting
Measure
Effectiveness

22. Simulations – The process
Hack yourself first
Hack the humans
Attack analysis with the blue team
Defence controls update
Validate new defence controls
Activity Tracker

23. Simulations – Hack yourself first
• Test detection tools
• Use a test machine identical to your environment
• Collect Indicators of Compromise (IoCs)
Network artefacts
User Agent Strings
Dynamic DNS visits
Encrypted traffic
MIME type downloads
Host artefacts
New files
New services
New registry
Files that runs on reboot

24. Simulations – Hack yourself first (MITRE)
• https://github.com/redcanaryco/atomic-red-team
• https://www.youtube.com/watch?v=M4SHpDX8GTo

25. Simulation – hack the humans
• Test processes
• Test blue team response to alerts
• Test IR procedure

26. Simulations – Attack Analysis with the blue
• Show how you did your hack
• Kill chain analysis and controls
• Map logs to the attack
• Handover Indicators of Compromise

27. https://www.demisto.com/phishing-incident-response-playbook/
Simulations – Kill Chain Analysis and Controls

28. Simulation – Defence update
• To automate detection
• Update
• FW/IDS/IPS/AV/EDR/<your security product here>
• Processes
• Deploy Controls
• Controls should not be expensive and complex
• https://t2.fi/2017/02/05/haroon-meer-keynote-2016/

29. Simulation – Controls validation
• Validate the new defence controls
• Create a script to automate this
• Should not be fancy
• Mainly to help the blue team

30. Simulation – Activity Tracker

31. Recap
• We identified the technique we want to focus on
• We understand our current defences
• We tested, updated and validated controls and incident procedures
• We know which data sets to use for our hunts
Attack
Technique
Defensive
Controls
Simulation
Hunting
Measure
Effectiveness

32. Hunting – The process
• Collect data sets
• Process the data sets
• Analyse collection
• Malicious activity
• Activity tracker

33. Hunting – Collect data sets
• Proxy logs
• Anti-Virus logs
• Application logs
• Sysmon logs
• Bro IDS logs
• DNS logs
• Firewall logs
• Netflow data

34. Hunting – Techniques to process the data sets
Searching
Stack Counting
Grouping
Clustering
https://sqrrl.com/threat-hunting-reference-guide/
https://speakerdeck.com/davidjbianco/toppling-the-stack-practical-outlier-detection-for-threat-hunters

35. Hunting – Analyse collection
• Search artefacts on the network data sets
• Find suspicious hosts
• Host threat hunting
https://www.sans.org/summit-archives/file/summit-archive-1492556122.pdf

36. Hunting – Found suspicious activity
• Call the forensicators
• Execute the IR plan

37. Hunting – Activity Tracking

38. Recap
• We identified the technique we want to focus on
• We understand our current defences
• We tested, updated and validated controls and incident procedures
• We know which data sets to use for our hunts
• We confirmed if we are under attack or not
• Hopefully eradicated the threat
Attack
Technique
Defensive
Controls
Simulation
Hunting
Measure
Effectiveness

39. Measure Effectiveness
• Effectiveness is a measure of the success of the operation, overall - Raphael Mudge.
• Roberto Rodriguez (@cyb3rWard0g)
• https://cyberwardog.blogspot.co.za/2017/07/how-hot-is-your-hunt-team.html

40. KEY TAKEAWAYS
• You get to play part in defence
• You get to find bad guys and pen testers
• You get to learn other stuff i.e DFIR, network monitoring, rules writing
• You get to do cool hacks that actually makes a difference in your org
• You get to teach the blue team
• You get to learn from them too..
https://medium.com/@sroberts/introduction-to-dfir-d35d5de4c180

41. More from CN and CG
• If you didn’t watch their talk earlier
• Go ahead and watch this one
• Updated and more awesome
• Thanks once again guys

42. Tools – because you want to automate
• CALDERA: Automatic adversary emulation (to be released at BH17 EU)
• DumpsterFire – Threat simulations
• SQRLL VM – Threat hunting
• CCF VM – Incident triage (DFIR) with ELK
• Bro IDS – Network monitoring
• Sysmon – System monitoring
• ELK – Data visualisation
• Chris Gates is also releasing something soon ;)

43. Credits / References / Thank you
Credits & Thank you for your contributions
• @indi303
• @carnal0wnage
• @ jackcr
• @DavidJBianco
• @Sroberts
• @RobertMLee
• @Subtee
• @Chrissanders88
• DR. Eric Cole
• @Jaredcatkinson
• @Robwinchester3
• @DAkacki
• @cyb3rWard0g
Resources
• https://github.com/magoo/redteam-plan
• http://soc.wa.gov/resources/exercises
• https://github.com/redcanaryco/atomic-red-team
• https://resources.redcanary.com/atomic-red-team-training-session-
nov-2017
• https://github.com/demisto/content
Training
• Chris Sanders - http://chrissanders.org/training/
• @zanelackey
• @haroonmeer
• @M_haggis
• @mattifestation
• @AlanOrlikoski
• @PyroTek3
• @SqrrlData
• @redcanaryco
• Bloodhound Gang

44. Special Thanks:
When I do grow up one day I want to be like these guys
• Willem Smit @slackerscoza
• Kelvin Adams @nivlek007
• George Pranschke @cheorchie
• Chris Gates @carnal0wnage
• Awesome people I have ever met!
• Keep rocking guys.

45. “Do whatever you want. Trust your guts, your humanly feelings, your
very limited knowledge. This is best effort.” – Julio Auto

46. Thanks once again, do your best effort to try to be
nice to one another & take care of your health!