This presentation gives an introduction to the MITRE ATT&CK Framework, its different use cases, and pitfalls to watch out for. The talk was delivered at the Null Bangalore and OWASP Bangalore chapter meetup on 15th February 2019.
Index
Top Cyber Crimes
What is OSINT
Resource For OSINT
Goal - OSINT
Information Gathering
Analysis
Career as a Digital Forensics Investigator
Case Study - Malaysian Airlines Flight MH17
OSINT Process
Confidential Data of GOV
Preventive Measures
www.fomada.com
Presented By Syed Amoz: CEO Fomada
Cyber Threat Intelligence - It's not just about the feeds (Iain Dickson)
Presented at BSides Perth 2019
Synopsis:
Although the practice of collecting and using intelligence has been studied and conducted by governments and the military for centuries, its application to Cyber Security has only recently been highlighted. This area of infosec has been termed Cyber Threat Intelligence, where the marriage of traditional intelligence techniques and analysis with deep technical understanding of the Cyber domain is used to predict future actions by threats through long-term analysis and modelling. This approach is then used to support both proactive and reactive cyber security actions, from incident response to penetration testing. This presentation focuses on threat intelligence from a practical data perspective, moving away from just the commercial concept of threat intelligence feeds (although these form one part of the equation). It approaches threat intelligence from an analyst's perspective of what questions need to be answered to effectively investigate an incident, using the Diamond Model and Cyber Kill Chain as framing devices. These questions then lead to examples of the data that can be used to answer them. Although data collection has traditionally focused on external cyber information, more often than not it is actions outside of those seen within an organisation's network, or even outside cyberspace, that provide context to the actions a threat takes. Finally, we provide a number of use cases in which the results of threat intelligence processes can be applied within a Security Operations Centre, including Incident Response as well as traditional Penetration Testing and Red Teaming.
Cyber threat intelligence: maturity and metrics (Mark Arena)
From SANS Cyber Threat Intelligence Summit 2016. What are the characteristics of a mature cyber threat intelligence program, and how do you develop meaningful metrics? Traditionally, intelligence has been about providing decision support to executives, whilst the field of cyber threat intelligence supports this customer and network defenders, who have different requirements. By using the intelligence cycle, this talk will seek to help attendees understand how they can identify what a mature intelligence program looks like and the steps to take their program to the next level.
Taking the Attacker Eviction Red Pill (v2.0) (Frode Hommedal)
This presentation is about how you can structure your analysis to increase the chances of success when attempting to evict an advanced attacker. It's my thoughts on how to think when deciding how and when to respond and attempt to evict a mission driven attacker from your infrastructure. This is a continuation of my previous work on the Cyber Threat Intelligence Matrix.
P.S. The concepts are still work in progress, and the slide deck is a bit rough around the edges, but I hope it can spark some ideas and help you out. If you have feedback I would also greatly appreciate hearing from you, e.g. on Twitter (@FrodeHommedal).
6 Steps for Operationalizing Threat Intelligence (Sirius)
The best form of defense against cyber attacks and those who perpetrate them is to know about them. Collaborative defense has become critical to IT security, and sharing threat intelligence is a force multiplier. But for many organizations, good quality intelligence is hard to come by.
Commercial threat intelligence technology and services can help enterprises arm themselves with the strategic, tactical and operational insights they need to identify and respond to global threat activity, and integrate intelligence into their security programs.
Threat intelligence sources have varying levels of relevance and context, and there are concerns about data quality and redundancy, shelf life, public/private data sharing, and threat intelligence standards. However, if processed and applied properly, threat intelligence provides a way for organizations to get the insight they need into attackers’ plans, prioritize and respond to threats, shorten the time between attack and detection, and focus staff efforts and decision-making.
View to learn:
--The difference between threat information and threat intelligence.
--Available sources of intelligence and how to determine if they apply to your business.
--Key steps for preparing to ingest threat information and turn it into intelligence.
--How to derive useful data that helps you achieve your business goals.
--Tools that are available to make collaboration easier.
This is a project based on one of the most interesting and broad topics of Computer Science: Cyber Security.
CONTENT:
1. What is Cyber Security
2. Why Cyber Security is Important
3. Brief History
4. Security Timeline
5. Architecture
6. Cyber Attack Methods
7. Technology for Cyber Security
8. Development in Cyber Security
9. Future Trend in Cyber Security
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe... (MITRE - ATT&CKcon)
With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypothesis, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, there are only a few that are focusing primarily on the data that is currently being collected to drive the success of a hunt program.
This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence (MITRE - ATT&CKcon)
From MITRE ATT&CKcon Power Hour January 2021
By Valentine Mairet, Security Researcher, McAfee
The MITRE ATT&CK framework is the industry standard to dissect cyberattacks into used techniques. At McAfee, all attack information is disseminated into different categories, including ATT&CK techniques. What results from this exercise is an extensive repository of techniques used in cyberattacks that goes back many years. Much can be learned from looking at historical attack data, but how can we piece all this information together to identify new relationships between threats and attacks? In her recent efforts, Valentine has embraced analyzing ATT&CK data in graphical representations. One lesson learned is that it is not just about merely mapping out attacks and techniques used into graphs, but the strength lies in applying different algorithms to answer specific questions. In this presentation, Valentine will showcase the results and techniques obtained from her research journey using graph and graph algorithms.
Threat Hunting Professional Online Training Course (ShivamSharma909)
At Infosectrain, take the Threat Hunting Training to achieve a deep understanding of Threat Hunting techniques and the role of Threat Hunters. Our training is curated around the in-depth concepts of Threat Hunting methods and helps you get certified for the Cyber Threat Hunting Professional exam.
https://www.infosectrain.com/courses/threat-hunting-training/
This presentation was delivered at SkyDogCon 6 in October 2016. The A/V is available here: https://www.youtube.com/watch?list=PLLEf-wPc7Tyae19iTuzKOXmPj-IQBIWuU&v=mKxGulV2Z74
It is an updated version of the original deck presented at BSides Augusta 2016 - Added original content including information on use cases and added definition/clarity.
Abstract:
"We can all agree that threat ("Evil") detection is an essential component of a functioning security monitoring program. Let's start thinking about how to take our tradecraft to the next level and hunt for insecure conditions ("Ways for Evil to do Evil things") that might allow threat actors to succeed in their mission.
This talk will run through some of the observations gathered during hunting expeditions inside the networks of multiple Fortune-ranked organizations and challenge you to expand your security operations thinking beyond signature-based detection.
- What is Hunting?
- How have we done it?
- What have we found, and what should be done about those findings?
- How might you achieve similar outcomes in your own environment?"
Speakers:
- Jacqueline Stokes (@find_evil) is an infosec enthusiast who picked up hacking as a preteen and cut her teeth over multiple years in Iraq. Her ongoing mission is to assess and advise clients on the most actionable and forward-thinking methods to improve detection, response, and containment of advanced threats. Jackie likes long walks on the beach, 90's nostalgia, and is the president and founding member of the Kevin Mandia Fan Club.
This presentation was delivered at BSides Augusta in September 2016. The A/V portion is available here: https://www.youtube.com/watch?v=i6p71t9PFWM
Abstract:
"We can all agree that threat ("Evil") detection is an essential component of a functioning security monitoring program. Let's start thinking about how to take our tradecraft to the next level and hunt for insecure conditions ("Ways for Evil to do Evil things") that might allow threat actors to succeed in their mission.
This talk will run through some of the observations gathered during hunting expeditions inside the networks of multiple Fortune-ranked organizations and challenge you to expand your security operations thinking beyond signature-based detection.
- What is Hunting?
- How have we done it?
- What have we found, and what should be done about those findings?
- How might you achieve similar outcomes in your own environment?"
Speakers:
- Jacqueline Stokes (@find_evil) is an infosec enthusiast who picked up hacking as a preteen and cut her teeth over multiple years in Iraq. Her ongoing mission is to assess and advise clients on the most actionable and forward-thinking methods to improve detection, response, and containment of advanced threats. Jackie likes long walks on the beach, 90's nostalgia, and is the president and founding member of the Kevin Mandia Fan Club.
- Danny Akacki (@dakacki) was a Lead Analyst with GE Capitals' Applied Intelligence team prior to his employment with Mandiant, and now works for Bank of America's hunt team. He is a pragmatic optimist and believes we are probably screwed, but hopes we aren't. Danny enjoys finding evil on the weekends.
- Stephen Hinck (@stephenhinck) is a Senior Security Analyst at Oracle, Inc. Stephen stumbled into the information security world years ago and has since only managed to dig his way deeper to the rabbit hole. With a background in security operations, incident response and threat hunting, Stephen's experience is multi-faceted. Although he enjoys many things, he absolutely hates writing silly bios like this one.
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016 (Danny Akacki)
We can all agree that threat detection is an essential component of a functioning security monitoring program. Let's start thinking about how to take our tradecraft to the next level and hunt for ways for evil to do evil things. This talk will run through some of the observations gathered during hunting expeditions inside the networks of multiple Fortune ranked organizations. We hope to challenge you to expand your security operations, moving beyond traditional signature based detection.
Incorporating Threat Intelligence into Your Enterprise Communications Systems... (EC-Council)
It is well known that computer exploitation will continue to increase in prevalence and sophistication. Computer network attacks and data exfiltrations are most successful when the methods of exploitation traverse the entry and egress vectors that are least expected and least defended in your network. Most of the time, no matter how well your perimeter is guarded, the user still represents the weakest avenue into that network. A clear need exists to better protect data transmitted and received by the user. But what are we to do when signature-based detection has long been defeated and anomaly/heuristic-based detection is not yet where we need it to be? The solution lies in enhancing the defense paradigm via the incorporation of intelligence-based security (Threat Intelligence) in the analysis of threats and discovery of malicious activity affecting your network, data, and your protected clients.
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek... (EC-Council)
Today there is a dispute over the ethics of operations involving honeypots and honeynets in cyber security. However, many organizations will adopt the use of such techniques and tools to develop defensive strategies to stop attackers. For professional offensive security practitioners, detecting, bypassing, and even avoiding honeypots is a new challenge and much is to be discovered and shared. This brief will work to accomplish these objectives and begin the development of a new framework for Counter Honeypot Operations (CHOps).
Managing Next Generation Threats to Cyber Security (Priyanka Aash)
The emergence of next generation technology into the cyber security space has added complications and challenges on several levels. When we talk about next generation technologies we should mean those associated directly with artificial intelligence (AI) and associated components such as machine learning (ML). Unfortunately, many organizations opt to hype current generation products as next gen. In this workshop we will begin by exploring what we need to know about AI and its components. We will dispense with the marketing hype and get down to the facts. Then we will look in detail at a few available tools that truly are next gen - and what makes them next gen - followed by a discussion of where the adversary is going with AI, ML and other next gen technologies. We will wrap up with research from my upcoming book, which discusses the collision between the law and cyber science. In this section we also will address some governance issues that you need to know.
Video (at YouTube) - http://bit.ly/19TNSTF
Big Data Security Analytics, Data Science and Machine Learning are a few of the new buzzwords that have invaded our industry of late. Most of what we hear are promises of a unicorn-laden, silver-bullet panacea from heavy-handed marketing folks, evoking an expected pushback from the most enlightened members of our community.
This talk will help parse what we as a community need to know and understand about these concepts: the technical details and actual capabilities behind them, where they fail, and how they can be exploited and fooled by an attacker.
The talk will also share results of the author's current ongoing research (on MLSec Project) into applying machine learning techniques to information security monitoring.
2023 NCIT: Introduction to Intrusion Detection (APNIC)
APNIC Senior Security Specialist Adli Wahid presents an Introduction to Intrusion Detection at the 2023 NCIT, held in Suva, Fiji from 17 to 18 August 2023.
Adversaries compromise at will, penetrating today’s signature and IOC dependent detection capabilities. Most incident responders are locked in a cycle of constant reaction to the fraction of activity that is known. Often, undetected attackers remain active in the network as reported incidents are remediated. A new approach is needed to break the cycle of reaction and eradicate the unknown.
An offense-based approach must be adopted. Hunting puts the defender on the offensive within their networks, allowing for rapid detection and remediation of threats. Adversary dwell time can be drastically reduced, reducing business impacts and recovery costs. The Endgame hunt platform enables instant protection, visibility, and precision response across your endpoints and automates detection of known and never before seen adversaries without relying on signatures.
This talk covers:
• Description and benefits of hunt
• Challenges of hunting
• Solutions and hunting best practices
Join the hunt: Threat hunting for proactive cyber defense (Infosec)
As threat hunters, you already know staying ahead of the adversary demands a proactive approach to threat detection and response. Don your virtual threat hunting gear and join Infosec Principal Security Researcher Keatron Evans as he goes sleuthing for cyber threats.
Join us for practical threat hunting insights and career recommendations, including:
Threat hunting knowledge and skills to accelerate your career
How to help clients navigate the threat hunting toolbox and prioritize technology investments
Live demos of notoriously hard-to-detect adversarial behavior like memory-only malware and living-off-the-land techniques
One lucky attendee will win a free year of Infosec Skills. Complete the form to save your seat!
P.S. Don’t miss our novice-level threat hunting session: Threat hunting foundations: People, process and technology.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024 (APNIC)
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
4. #whoami
Nathi Mogomotsi @nathimog
african, black, grand[son], brother, hacker, n00b, vegan, alcohol, not-french, suck-at-english, God fearing, not-a-saint, no tattoo, biker
Sr. Red Teamer @sanlam
Hacker @sensepost
5. How it all started
• New job
• More time to do research and 1337 hax
But…
• It wasn’t fun anymore
• Now I get to receive pen test reports
• I am on the receiving end
• Needed to do something about this
• Time to help the defenders
https://twitter.com/s7ephen/status/925969930134024192
6. On an Unrelated Note:
• I asked my previous boss (Charl) to buy me this book about 4 years ago
• I knew I had some “defensive” blood in me
7. How it all started
• Watched CG and CN talk
• Was impressed, thanks guys
• Go watch the talk
• Will wait for you…
8. Why this talk
• To share my experience
• To share my learnings
• Hopefully it will help you get started (you should)
• I am not an expert, so this is really basic stuff
• Ping me if you have any comments or ideas
• nathi@protonmail.com
9. Why this talk – Pyramid of Pain
http://detect-respond.blogspot.co.za/2013/03/the-pyramid-of-pain.html
10. What is attack simulation?
• Just like a pilot simulator, it is there to put you in the worst possible situation at the lowest level of risk - Chris Nickerson
• Understanding attacks that might be used against an organisation in order to improve the organisation's defence - me
• Attack simulations should be done to learn how attackers are likely to achieve goals against your organization - Zane Lackey
• Can we detect and/or stop a particular attack?
• Assume compromise - We can be compromised!
11. What is attack hunting?
• Proactive incident response
• Are we hacked by this particular attack?
• Assume compromise - We might be compromised already!
13. Attack Techniques
Choose a technique you're interested in:
• Technique used in the wild
• Technique from threat reports
• Technique you found during your vuln research
• Technique from software vendors security bulletins
• Technique from hacker tools
• Technique from pen testing report
14. Attack Techniques - MITRE
“ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.” https://attack.mitre.org/wiki/Main_Page
20. Kill chain phases vs. defensive actions (Detect / Deny / Disrupt / Degrade / Deceive / Contain)
Reconnaissance | Detect: Web Analytics | Deny: Firewall ACL | Contain: Firewall ACL
Weaponization | Detect: NIDS | Deny: NIPS | Contain: NIPS
Delivery | Detect: Vigilant user | Deny: Proxy filter | Disrupt: Inline AV | Degrade: Email Queuing | Contain: App-Aware Firewall
Exploitation | Detect: HIDS | Deny: Vendor Patch | Disrupt: EMET, DEP | Contain: Inter-Zone NIPS
Installation | Detect: HIDS | Deny: ‘chroot’ Jail | Disrupt: AV | Contain: EPP
Command & Control | Detect: NIDS | Deny: Firewall ACL | Disrupt: NIPS | Degrade: Tar pit | Deceive: DNS Redirect | Contain: Trust Zones
Actions on Objectives | Detect: Audit log | Deny: Outbound ACL | Disrupt: DLP | Degrade: QoS Throttle | Deceive: Honeypot | Contain: Trust Zones
21. Recap
• We identified the technique we want to focus on.
• We understand our current defences.
(Diagram: Attack Technique → Defensive Controls → Simulation → Hunting → Measure Effectiveness)
22. Simulations – The process
• Hack yourself first
• Hack the humans
• Attack analysis with the blue team
• Defence controls update
• Validate new defence controls
• Activity tracker
23. Simulations – Hack yourself first
• Test detection tools
• Use a test machine identical to your environment
• Collect Indicators of Compromise (IoCs)
Network artefacts: User Agent strings, dynamic DNS visits, encrypted traffic, MIME type downloads
Host artefacts: new files, new services, new registry keys, files that run on reboot
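As an added illustration of the network-artefact collection step (this is example code written for this write-up, not the talk's own tooling), the script below parses a handful of constructed proxy log lines and pulls out the artefacts the slide lists: user agent strings outside a known-good baseline, visits to dynamic DNS hostnames, and executable MIME type downloads, then records which client hosts produced them. The log format, the baseline user agent set, the dynamic DNS suffix list and the hostnames in the sample are all assumptions made for the example; encrypted traffic is not visible in a plain proxy log and so is not covered here.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines (sample data made up for this example, not from the talk).
# Assumed format: <timestamp> <client_ip> <method> <url> <status> <mime_type> "<user_agent>"
SAMPLE_PROXY_LOG = """\
2017-11-02T10:01:05Z 10.1.2.3 GET http://intranet.corp.example/index.html 200 text/html "Mozilla/5.0 (Windows NT 10.0) Firefox/56.0"
2017-11-02T10:01:09Z 10.1.2.3 GET http://updates.corp.example/patch.msi 200 application/x-msi "Mozilla/5.0 (Windows NT 10.0) Firefox/56.0"
2017-11-02T10:02:41Z 10.1.2.3 GET http://test-sim-host.no-ip.org/a.exe 200 application/x-msdownload "Mozilla/4.0 (compatible; MSIE 6.0)"
2017-11-02T10:02:43Z 10.1.2.3 POST http://test-sim-c2.duckdns.org/beacon 200 application/octet-stream "python-requests/2.18.4"
2017-11-02T10:03:00Z 10.1.2.9 GET http://www.example.com/ 200 text/html "Mozilla/5.0 (Windows NT 10.0) Firefox/56.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) "([^"]*)"$')

# Assumed baseline: user agents the organisation's standard build is known to emit.
BASELINE_USER_AGENTS = {"Mozilla/5.0 (Windows NT 10.0) Firefox/56.0"}

# Assumed watch list of dynamic DNS provider suffixes; extend it for your environment.
DYNAMIC_DNS_SUFFIXES = (".no-ip.org", ".duckdns.org", ".dyndns.org", ".hopto.org")

# MIME types that indicate a Windows executable was downloaded.
EXECUTABLE_MIME_TYPES = {"application/x-msdownload", "application/x-dosexec",
                         "application/vnd.microsoft.portable-executable"}


def parse_proxy_log(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, client, method, url, status, mime, ua = match.groups()
        events.append({"ts": ts, "client": client, "method": method, "url": url,
                       "status": int(status), "mime": mime, "ua": ua,
                       "host": urlparse(url).hostname or ""})
    return events


def extract_network_iocs(events, baseline_user_agents=BASELINE_USER_AGENTS):
    """Collect the network artefacts from the slide and note which client hosts
    produced them (the 'find suspicious hosts' step of a later hunt)."""
    iocs = {"user_agents": set(), "dynamic_dns_hosts": set(),
            "executable_downloads": set(), "suspicious_clients": set()}
    for e in events:
        hit = False
        if e["ua"] not in baseline_user_agents:
            iocs["user_agents"].add(e["ua"])
            hit = True
        if e["host"].endswith(DYNAMIC_DNS_SUFFIXES):
            iocs["dynamic_dns_hosts"].add(e["host"])
            hit = True
        if e["mime"] in EXECUTABLE_MIME_TYPES:
            iocs["executable_downloads"].add(e["url"])
            hit = True
        if hit:
            iocs["suspicious_clients"].add(e["client"])
    return iocs


if __name__ == "__main__":
    for name, values in extract_network_iocs(parse_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(f"{name}: {sorted(values)}")
```

The baseline-user-agent check is the one most likely to be noisy on a real network, so in practice the baseline would be built from a few weeks of proxy data rather than a single entry as here; the other two checks are precise enough to hand straight to the blue team as indicators.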
25. Simulation – hack the humans
• Test processes
• Test blue team response to alerts
• Test IR procedure
26. Simulations – Attack Analysis with the blue team
• Show how you did your hack
• Kill chain analysis and controls
• Map logs to the attack
• Handover Indicators of Compromise
28. Simulation – Defence update
• To automate detection
• Update
• FW/IDS/IPS/AV/EDR/<your security product here>
• Processes
• Deploy Controls
• Controls should not be expensive and complex
• https://t2.fi/2017/02/05/haroon-meer-keynote-2016/
29. Simulation – Controls validation
• Validate the new defence controls
• Create a script to automate this
• Should not be fancy
• Mainly to help the blue team
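An added example of the kind of "not fancy" validation script the slide describes (written for this write-up; it is not the speaker's script or any product's API): a few Sigma-style rules expressed as field-to-regex maps are replayed against constructed test events, each paired with the detections the blue team expects, and the cases where the outcome differs are reported. The event field names follow Sysmon (EventID 13, registry value set) and the Windows System log (EventID 7045, new service installed), but the rules, events and paths are all assumptions for the example.

```python
import re

# Sigma-style detection rules written for this example (not the talk's own rules).
# A rule is a dict of event field -> regular expression; every field must match.
RULES = {
    "run_key_persistence": {
        "EventID": r"^13$",
        "TargetObject": r"\\CurrentVersion\\Run(Once)?\\",
    },
    "service_installed_from_user_dir": {
        "EventID": r"^7045$",
        "ImagePath": r"(?i)\\Users\\",
    },
}

# Constructed test events with the detections the blue team expects each one to raise.
# Cases with an empty expectation check that a rule stays quiet on normal activity.
TEST_CASES = [
    {"name": "run key added by simulation",
     "event": {"EventID": 13, "Image": r"C:\Users\sim\update.exe",
               "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
     "expect": {"run_key_persistence"}},
    {"name": "benign registry write",
     "event": {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
               "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
     "expect": set()},
    {"name": "service installed from user profile",
     "event": {"EventID": 7045, "ServiceName": "SimSvc",
               "ImagePath": r"C:\Users\sim\svc.exe"},
     "expect": {"service_installed_from_user_dir"}},
    {"name": "vendor service install",
     "event": {"EventID": 7045, "ServiceName": "VendorAgent",
               "ImagePath": r"C:\Program Files\Vendor\agent.exe"},
     "expect": set()},
]


def rule_matches(rule, event):
    """Every field pattern in the rule must be found in the event's value for that field."""
    return all(re.search(pattern, str(event.get(field, "")))
               for field, pattern in rule.items())


def evaluate(rules, event):
    """Names of all rules that fire on one event."""
    return {name for name, rule in rules.items() if rule_matches(rule, event)}


def validate_controls(rules, cases):
    """Replay each case and compare what fired with what the blue team expected."""
    results = []
    for case in cases:
        fired = evaluate(rules, case["event"])
        results.append({"name": case["name"], "fired": fired,
                        "expected": case["expect"], "passed": fired == case["expect"]})
    return results


def failures(results):
    """Cases where detection differs from expectation: the list to hand to the blue team."""
    return [r["name"] for r in results if not r["passed"]]


if __name__ == "__main__":
    for r in validate_controls(RULES, TEST_CASES):
        status = "PASS" if r["passed"] else "FAIL"
        print(f"[{status}] {r['name']}: fired={sorted(r['fired'])} expected={sorted(r['expected'])}")
```

Re-running this after every rule or sensor change is what turns "we updated the controls" into "we know the controls still fire"; the negative cases matter as much as the positive ones, because a rule that fires on everything will be tuned out by the SOC within days.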
31. Recap
• We identified the technique we want to focus on
• We understand our current defences
• We tested, updated and validated controls and incident procedures
• We know which data sets to use for our hunts
(Diagram: Attack Technique → Defensive Controls → Simulation → Hunting → Measure Effectiveness)
32. Hunting – The process
• Collect data sets
• Process the data sets
• Analyse collection
• Malicious activity
• Activity tracker
34. Hunting – Techniques to process the data sets
• Searching
• Stack Counting
• Grouping
• Clustering
https://sqrrl.com/threat-hunting-reference-guide/
https://speakerdeck.com/davidjbianco/toppling-the-stack-practical-outlier-detection-for-threat-hunters
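Stack counting and grouping, as an added worked example (written for this write-up; not code from the talk or from the linked references): constructed process-creation events from a handful of workstations are stacked by image path, counting the number of distinct hosts each image was seen on rather than raw event volume, the rare tail of the stack is kept, and those images are grouped back to the hosts that ran them. The event tuples and paths are made up for the example; a real hunt would pull the same fields from Sysmon event ID 1 or an EDR.

```python
from collections import defaultdict

# Constructed process-creation events (host, image path, parent image), made up for
# this example; not data from the talk.
EVENTS = [
    ("ws01", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ("ws02", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ("ws03", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ("ws04", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ("ws01", r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Windows\explorer.exe"),
    ("ws02", r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Windows\explorer.exe"),
    ("ws03", r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Windows\explorer.exe"),
    ("ws04", r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Windows\explorer.exe"),
    ("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),
    ("ws03", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),
    ("ws03", r"C:\Users\Public\update.exe", r"C:\Windows\System32\cmd.exe"),
    ("ws03", r"C:\Users\Public\update.exe", r"C:\Windows\System32\cmd.exe"),
]


def stack_count(events, column):
    """Stack counting: how many distinct hosts each value of `column` was seen on.
    Counting hosts rather than events keeps one noisy machine from inflating a value."""
    hosts = defaultdict(set)
    for event in events:
        hosts[event[column]].add(event[0])
    return {value: len(h) for value, h in hosts.items()}


def least_frequent(stack, max_hosts=1):
    """Values at the bottom of the stack: seen on at most `max_hosts` hosts."""
    return sorted(value for value, n in stack.items() if n <= max_hosts)


def group_by_host(events, images):
    """Grouping: which hosts ran each flagged image (the host list to hand over)."""
    where = defaultdict(set)
    for host, image, _parent in events:
        if image in images:
            where[image].add(host)
    return {image: sorted(h) for image, h in where.items()}


def hunt(events):
    """Full pass: stack the image column, keep the rare tail, group it back to hosts."""
    rare = least_frequent(stack_count(events, column=1))
    return group_by_host(events, set(rare))


if __name__ == "__main__":
    for image, hosts in hunt(EVENTS).items():
        print(f"{image} seen only on {', '.join(hosts)}")
```

Stacking the parent image column (`column=2`) with the same functions is a cheap second pass that surfaces unusual parent/child pairs the image stack alone would miss.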
35. Hunting – Analyse collection
• Search artefacts on the network data sets
• Find suspicious hosts
• Host threat hunting
https://www.sans.org/summit-archives/file/summit-archive-1492556122.pdf
36. Hunting – Found suspicious activity
• Call the forensicators
• Execute the IR plan
38. Recap
• We identified the technique we want to focus on
• We understand our current defences
• We tested, updated and validated controls and incident procedures
• We know which data sets to use for our hunts
• We confirmed if we are under attack or not
• Hopefully eradicated the threat
(Diagram: Attack Technique → Defensive Controls → Simulation → Hunting → Measure Effectiveness)
39. Measure Effectiveness
• Effectiveness is a measure of the success of the operation, overall - Raphael Mudge.
• Roberto Rodriguez (@cyb3rWard0g)
• https://cyberwardog.blogspot.co.za/2017/07/how-hot-is-your-hunt-team.html
40. KEY TAKEAWAYS
• You get to play part in defence
• You get to find bad guys and pen testers
• You get to learn other stuff, i.e. DFIR, network monitoring, rule writing
• You get to do cool hacks that actually make a difference in your org
• You get to teach the blue team
• You get to learn from them too.
https://medium.com/@sroberts/introduction-to-dfir-d35d5de4c180
41. More from CN and CG
• If you didn’t watch their talk earlier
• Go ahead and watch this one
• Updated and more awesome
• Thanks once again guys
42. Tools – because you want to automate
• CALDERA: Automatic adversary emulation (to be released at BH17 EU)
• DumpsterFire – Threat simulations
• SQRLL VM – Threat hunting
• CCF VM – Incident triage (DFIR) with ELK
• Bro IDS – Network monitoring
• Sysmon – System monitoring
• ELK – Data visualisation
• Chris Gates is also releasing something soon ;)
43. Credits / References / Thank you
Credits & Thank you for your contributions
• @indi303
• @carnal0wnage
• @jackcr
• @DavidJBianco
• @Sroberts
• @RobertMLee
• @Subtee
• @Chrissanders88
• Dr. Eric Cole
• @Jaredcatkinson
• @Robwinchester3
• @DAkacki
• @cyb3rWard0g
Resources
• https://github.com/magoo/redteam-plan
• http://soc.wa.gov/resources/exercises
• https://github.com/redcanaryco/atomic-red-team
• https://resources.redcanary.com/atomic-red-team-training-session-nov-2017
• https://github.com/demisto/content
Training
• Chris Sanders - http://chrissanders.org/training/
• @zanelackey
• @haroonmeer
• @M_haggis
• @mattifestation
• @AlanOrlikoski
• @PyroTek3
• @SqrrlData
• @redcanaryco
• Bloodhound Gang
44. Special Thanks:
When I do grow up one day I want to be like these guys
• Willem Smit @slackerscoza
• Kelvin Adams @nivlek007
• George Pranschke @cheorchie
• Chris Gates @carnal0wnage
• The most awesome people I have ever met!
• Keep rocking guys.
45. “Do whatever you want. Trust your guts, your humanly feelings, your very limited knowledge. This is best effort.” – Julio Auto
46. Thanks once again, do your best effort to try to be nice to one another & take care of your health!