Security information and event management (SIEM) technology supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources.
This document outlines six steps to ensure SIEM success: 1) Avoid single-purpose SIEM tools and look for built-in security controls, 2) Know your use cases before evaluating tools, 3) Imagine worst case scenarios for your business, 4) Include built-in threat intelligence, 5) Use IP reputation data to prioritize alarms, and 6) Automate deployment. It emphasizes the importance of integrated security tools to reduce costs and complexity, and knowing business needs and threats to properly focus the SIEM.
The document lists the executive team of a company and then provides information about SIEM integration, escalation, use cases, and an informational interview. It discusses how SIEM can integrate with various platforms and software to secure them from threats. It also describes how SIEM has escalated to work with different technologies over time and provides security updates. The informational interview covers benefits of SIEM, investment aspects, data storage strategies, analytics techniques, challenges, cloud capabilities, and skills needed for implementation.
SIEM (Security Information and Event Management) - Osama Ellahi
In this presentation we cover basic knowledge about SIEM.
- What is SIEM
- How it works
- SIEM process
- SIEM capabilities
- Some snaps of VARNOIS (a tool used for getting logs, i.e. log aggregation, and then applying some machine algorithms to see whether the logs are risky or not).
There are a lot of other vendors who also provide tools for information and event management; QRadar by IBM, for example, is also one of the best tools.
Security Information and Event Management (SIEM) - k33a
This document provides an overview of security information and event management (SIEM). It defines SIEM as software and services that combine security information management (SIM) and security event management (SEM). The key objectives of SIEM are to identify threats and breaches, collect audit logs for security and compliance, and conduct investigations. SIEM solutions centralize log collection, correlate events in real-time, generate reports, and provide log retention, forensics and compliance reporting capabilities. The document discusses typical SIEM features, architecture, deployment options, and reasons for SIEM implementation failures.
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ... - Andrew Morris
It’s not just you. The frequency of severe vulnerabilities in internet-facing enterprise software being massively exploited at scale has increased drastically. The amount of time between disclosure and exploitation of these vulnerabilities has been reduced to near-zero, leaving defenders with less time to react and respond. While combating internet-wide opportunistic exploitation is a sprawling and complex problem, there is both an art and a science to staying ahead of large exploitation events such as Log4J.
In this talk we will share insights and challenges from operating a huge, shifting, adaptive, distributed sensor network listening to internet background noise and opportunistic exploitation traffic over the past four years. We will give a blunt state of the universe on mass exploitation. We will share patterns and unexplainable phenomena we’ve experienced across billions of internet scans. And we will make recommendations to defenders for preparing for the next time the cyber hits the fan.
The document discusses the configuration and setup of the Cisco ASA Firepower module. It provides the following key points:
1. The ASA Firepower module adds next-generation firewall services like IPS, application control, URL filtering, and malware protection. It can be configured in single or multiple context mode, and inline or transparent mode.
2. The module is configured using the separate Firesight Management Center application, either on an external appliance or virtual machine. Basic CLI configuration is also available directly on the ASA.
3. Setup involves installing the module software and image on the ASA, then building and configuring the Firesight Management Center to register and manage the module. Traffic policies on
The MITRE ATT&CK framework is followed by threat hunters and threat analysts for threat modelling purposes, and can be used for adversary emulation and attack defense. Cybersecurity analysts widely use it to frame an attack through the tactics and techniques it catalogues.
Radware provides a hybrid web application protection solution including an on-premise WAF appliance and cloud-based WAF service. The solution offers complete coverage of the OWASP Top 10 vulnerabilities through negative and positive security models. Radware's WAF requires minimal manual configuration and provides automatic policy generation for fast time to protection against both known and unknown attacks. The cloud-based WAF service provides always-on DDoS and behavioral protection along with a fully managed web application security solution.
Presentation of the ELK stack in a SIEM context, with a focus on Wazuh (OSSEC), an open-source IDS.
Come and discover how to be proactive about cyber security problems by analysing the data provided by your critical equipment and applications.
Hello Friends...
I have created a presentation on Malware Analysis. In this presentation I have included all the necessary information about malware analysis techniques and also mention malware code to interact practically with malware and learn how to make your own basic virus code.
This presentation introduces the MITRE ATT&CK framework, covers different use cases, and discusses pitfalls to watch out for. The talk was delivered at the @Null Bangalore and @OWASP Bangalore chapters on 15th February 2019.
This document summarizes a presentation given by Ranjit Sawant of FireEye. The presentation covered the following key points:
1) Attackers are increasingly leveraging COVID-19 themes in cyber attacks, with malicious emails related to COVID-19 increasing fourfold in March 2020. However, these emails still represent a small percentage of overall malicious emails detected.
2) FireEye Endpoint Security provides capabilities to detect and respond to advanced threats, going beyond just malware to track indicators of compromise, behavior, and attacker techniques across the attack lifecycle.
3) The presentation included a war story example of how FireEye Endpoint Security was used to investigate and respond to a sophisticated nation-state attacker targeting an Asian bank.
The document discusses the MITRE ATT&CK framework, which is a knowledge base of adversary behaviors and tactics collected from real-world observations. It describes how the framework categorizes behaviors using tactics, techniques, and procedures. The framework can be used for threat intelligence, detection and analytics, adversary emulation, and assessment and engineering. The document provides examples of how organizations can map their detection capabilities and data sources to techniques in the framework to improve visibility of attacks. It cautions against misusing the framework as a checklist rather than taking a threat-informed approach.
Effective Threat Hunting with Tactical Threat Intelligence - Dhruv Majumdar
How to set up a Threat Hunting Team for Active Defense utilizing Cyber Threat Intelligence and how CTI can help a company grow and improve its security posture.
The document provides an overview of a red team consultant's methodology for penetration testing engagements. It discusses various stages of an engagement, including pre-engagement reconnaissance using tools like LinkedIn and domain research. It covers external testing techniques like NTLM brute forcing. Internal testing focuses on privilege escalation using tools like Mimikatz and movement using techniques like DLL hijacking. Reporting emphasizes providing a full narrative and findings of high quality over large quantities.
Talk at Kaspersky Lab's CoLaboratory: Industrial Cybersecurity Meetup #5 with @HeirhabarovT about several ATT&CK practical use cases.
Video (in Russian): https://www.youtube.com/watch?v=ulUF9Sw2T7s&t=3078
Many thanks to Teymur for the great tech dive.
Defend Your Data Now with the MITRE ATT&CK Framework - Tripwire
MITRE is a not-for-profit organization that operates federally-funded research and development centers. Their ATT&CK framework is a useful cybersecurity model illustrating how adversaries behave and explaining the tactics you should use to mitigate risk and improve security. ATT&CK stands for “adversarial tactics, techniques and common knowledge.”
This presentation explores a methodology for pairing proven industry frameworks like MITRE ATT&CK with threat modeling practices to quickly detect and respond to cyber threats. With this approach, industrial organizations can slice their infrastructure into smaller components, making it easier to secure their assets and minimize the attack surface.
Takeaways include how to:
- Make the most out of their threat intelligence feeds
- Report on progress and compliance
- Negotiate trust relationships in the intelligence sharing cycle
- Improve their organization’s overall security posture
Delivered a 1-day Practical Threat Hunting workshop at sacon.io in Bangalore, India, balancing developing a threat hunting program in an organization (how and where to start from) with threat hunting demos as they would look on the ground, with hands-on labs for 100+ participants.
This document provides an overview and agenda for a Data Loss Prevention presentation. It discusses trends in data loss, how DLP works to discover, monitor and protect data, and case studies of how DLP helps different types of insider and outsider threats. It highlights the advantages of the Symantec DLP solution, including its accuracy, sophisticated workflow for incident response, ability to identify sensitive data with Data Insight, and zero-day content detection through machine learning. The appendix discusses Symantec's leadership in the DLP market and new features of the latest DLP product version.
SOC: Use cases and are we asking the right questions? - Jonathan Sinclair
The document discusses the use of use cases to define the goals and metrics for a security operations center (SOC) program. It suggests developing use cases around monitoring specific threat vectors like the perimeter, infrastructure, and privileged accounts. Use cases should also align the SOC's capabilities with the threats the organization cares most about, such as script kiddies, insider threats, or nation-state actors. Properly defining use cases allows an organization to justify SOC expenditures and determine if it is achieving success.
Threat Hunting Procedures and Measurement Matrice - Vishal Kumar
This document provides the basics of cyber threat hunting and answers some questions such as: What is threat hunting? What is the importance of threat hunting? How can it be started? ...Bla..Bla..Bla...
The Hunter Games: How to Find the Adversary with Event Query Language - Ross Wolf
Circle City Con 2019 and BSides SATX 2019
Abstract:
How do you find malicious activity? We often resort to the cliche, you know it when you see it, but how do you even see it, without drowning in data? MITRE’s ATT&CK knowledge base organizes adversary behavior into tactics and techniques, and orients our approach to endpoint data. It suggests questions that might be worth asking, but not a way to ask them. The Event Query Language (EQL) allows a security analyst to naturally express queries for IOC search, hunting, and behavioral detections, while remaining platform and data source agnostic.
In this talk, I will demonstrate the iterative process of establishing situational awareness in your environment, creating targeted detections, and hunting for the adversary in your environment with real data, queries, and results.
The document discusses insider threats and data breaches. It notes that insiders are often the source of initial data leaks, though they may not be responsible for catastrophic breaches. It examines past data leaks and the people responsible, such as Bradley Manning, Hervé Falciani, and Edward Snowden. The cost of cybercrime and data breaches is immense and increasing yearly. However, the full cost is difficult to measure due to unreported incidents and indirect costs. Common sources of data breaches are theft of equipment or data, mobile devices, removable media, email, and social media oversharing of information. Social engineering techniques like phishing, spear phishing, and whaling are effective because they use personal data obtained
Slides for the presentation about SCADA hacking given on Hackers 2 Hackers Conference 10th edition at São Paulo, Brazil
Demo videos:
- Wago 0day DOS: https://www.youtube.com/watch?v=ACMJmXy4hSg
- Modbus Replay: https://www.youtube.com/watch?v=1pfZDiUUQHQ
Presentation Video (pt_BR)
- https://www.youtube.com/watch?v=R1snsQ_WS9Y
The report regarding the cybercrime activities conducted by threat actors through the SandiFlux fast-flux botnet in the middle of 2019! We have tracked different malware campaigns including (i) attacks conducted by the APT group known as TA505, which are spreading FlawedAmmyyRAT, AmadeyBot and an EmailStealer, (ii) ransomware campaigns such as GandCrab and Sodinokibi, (iii) the campaigns of malware known as Phorphiex Worm/Trik and Ursnif, and (iv) other kinds of cybercrime activities such as the hosting of phishing campaigns and carding site domains.
RFID Smart Tags for Controlling Belongings in Shelters - IJERA Editor
It is very important to match each belonging to its owner so that these items do not get lost. A traditional way is to label or paste barcodes onto every object. Currently, emerging technologies allow us to label everything: objects, persons or places. This paper presents a solution based on RFID (Radio Frequency Identification) technology for identifying objects in a temporary shelter. A computer application, used in temporary shelters, controls the incoming and outgoing personal belongings of victims rescued from a natural disaster. Our solution allows communication between a reader and RFID tags, and the application accesses a database to store the information needed to control the personal belongings of affected people. The application aims to reduce the risk of loss of belongings and information by identifying each object when it is located within the coverage radius of the reader and showing the information associated with the items (objects) and their owner.
CYBER SECURITY WORKSHOP (Only For Educational Purpose) - Chanaka Lasantha
This document provides an agenda for a cyber security workshop targeting network and cloud security undergraduates. The workshop will cover topics such as security frameworks, information gathering and vulnerability assessment, penetration testing, patch management, intrusion detection systems, compliance best practices, and incident response. It will be led by Chanaka Lasantha and include hands-on exercises using tools like Kali Linux, Metasploit, and Wireshark.
MITRE ATT&CK is quickly gaining traction and is becoming an important standard to use to assess the overall cyber security posture of an organization. Tools like ATT&CK Navigator facilitate corporate adoption and allow for a holistic overview on attack techniques and how the organization is preventing and detecting them. Furthermore, many vendors, technologies and open-source initiatives are aligning with ATT&CK. Join Erik Van Buggenhout in this presentation, where he will discuss how MITRE ATT&CK can be leveraged in the organization as part of your overall cyber security program, with a focus on adversary emulation.
Erik Van Buggenhout is the lead author of SANS SEC599 - Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses. Next to his activities at SANS, Erik is also a co-founder of NVISO, a European cyber security firm with offices in Brussels, Frankfurt and Munich.
The document discusses Capture the Flag (CTF) competitions and wargames and why everyone should participate in them. It notes that CTFs are legal hacking games or puzzles that help people improve their information security skills. Wargames are similar but always online and have no time limits. The document outlines different categories of challenges people may encounter in CTFs and wargames, including programming, cryptography, steganography, forensics, reverse engineering, and web challenges. It argues that participating provides free training, is fun, helps improve skills, allows competitive testing of skills, and can help with recruitment and stress testing teams.
Improving Network Intrusion Detection with Traffic Denoise - Miroslav Stampar
This document discusses improving network intrusion detection systems by filtering out "noise" from real threats. It proposes collecting data from multiple sensors on different IP ranges to identify traffic that is seen across many networks, which is likely noise rather than targeted attacks. By ignoring or lowering the severity of events originating from noisy IP addresses found on public blacklists or seen across different sensor networks, the system could focus alerts on real adversaries and reduce the number of false alarms. An experimental system using these techniques saw a 35-37% reduction in total events and threats after filtering noise. Further development could help security teams prioritize real network threats.
These are the slides from a guest talk "2014 – Year of Broken Name Generator(s)" held at Faculty of Electrical Engineering and Computing 2015 (Croatia / Zagreb 16th January 2015) by Miroslav Stampar
This document discusses the history and techniques of buffer overflow exploits. It begins with an overview of stack-based and heap-based buffer overflows and vulnerable code. It then details the history of buffer overflow exploitation from 1961 to present day. The rest of the document explains techniques used to exploit buffer overflows such as DEP/NX, ASLR, stack canaries, NOP sleds, return-to-libc, egg hunting, heap spraying, and return-oriented programming. It also discusses defenses implemented by operating systems like SEHOP, SafeSEH, and safe functions.
These are the slides from a guest talk "Hash DoS Attack" held at Faculty of Electrical Engineering and Computing 2014 (Croatia / Zagreb 17th January 2014) by Miroslav Stampar
This document describes a case study of discovering and exploiting a SQL injection vulnerability. Over the course of three days, the researcher tested various parameters of a web application using sqlmap and custom payloads. After initial failures, the researcher realized the application was using Windows Search and leveraged its Advanced Query Syntax to conduct file queries and infer file contents. This allowed retrieving a local web.config file containing a SQL Server password. The researcher concluded that thorough manual analysis is needed to fully understand vulnerabilities beyond just using automated scanners.
These are the slides from a talk "Heuristic methods used in sqlmap" held at the FSec 2013 conference (Croatia / Varazdin, 19th September 2013) by Miroslav Stampar.
This document summarizes sqlmap, an open source penetration testing tool used for detecting and exploiting SQL injection flaws. It discusses sqlmap's features such as supporting large data dumps, storing session data, XML payload and query formats, multithreading, direct database connections, loading requests from files, form and site crawling, authentication, detection of reflection and dynamic content, and fingerprinting of databases and web servers.
These are the slides from a talk "Spot the Web Vulnerability" held at Hacktivity 2012 conference (Hungary / Budapest 12th–13th October 2012) by Miroslav Stampar.
These are the slides from a talk "Analysis of mass SQL injection attacks" held at FSec 2012 conference (Croatia / Varazdin 21st September 2012) by Miroslav Stampar
HijackLoader Evolution: Interactive Process HollowingDonato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Securing BGP: Operational Strategies and Best Practices for Network Defenders...APNIC
Md. Zobair Khan, Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
1. Blind WAF identification
Miroslav Stampar (@stamparm)
2. Sh3llCON, Santander (Spain), January 26th, 2019
Who am I?
FOSS programmer, Croatian Government CERT (daily), #infosec researcher (nightly), CTF enthusiast (sporadically)
4. What is WAF? (I)
WAF (Web Application Firewall)
Protects web applications by monitoring and filtering (HTTP/S) traffic
Security hardening: makes exploitation of web application security flaws more difficult (it does not fix the flaws)
Does not replace the network firewall
Deployed between the network firewall and the web server infrastructure, where it inspects the traffic after TLS termination (i.e. in the clear)
To (potentially) bypass it, the penetration tester first needs to recognize its type (!)
8. Typical reactions
“Bad request”
“Access denied”
“Not acceptable”
“Request denied”
“URL was rejected”
“Forbidden”
“Request could not be satisfied”
“Attempt has been blocked”
“Blocked your request”
etc.
17. WAF detection (I)
Sending dummy payload(s) (deliberate, provocative, not dangerous):
  <script>alert('XSS')</script>
  ' OR SLEEP(5) OR ' (etc.)
Usage of randomly generated GET/POST parameter names (e.g. ?oFx=...)
Detection of any kind of response change compared to the original:
  HTTP code (200 OK → 403 Forbidden)
  HTML title (Homepage → Attention Required!)
  Occurrence(s) of rejection-specific keywords (- → ...you have been blocked...)
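The detection heuristic on this slide, written out as an added example (this is not code from the talk, sqlmap or identYwaf). It sends a benign value and then the dummy payloads under a random parameter name and reports every response change of the three kinds listed above: HTTP code, HTML title, and newly appearing rejection keywords (the keyword list is taken from the "Typical reactions" slide). The `Response` type, the `send(param, value)` transport callback and both fake targets are constructed here so the example runs offline.

```python
"""Added example: WAF detection by comparing an original and a provoked response.
Assumptions: a Response(status, body, headers) model, a `send(param, value)`
callback standing in for real HTTP, and two constructed fake targets."""
import random
import re
import string
from dataclasses import dataclass, field

DUMMY_PAYLOADS = [
    "<script>alert('XSS')</script>",
    "' OR SLEEP(5) OR '",
]

# Rejection phrases as listed on the "Typical reactions" slide (matched case-insensitively).
REJECTION_KEYWORDS = [
    "bad request", "access denied", "not acceptable", "request denied",
    "url was rejected", "forbidden", "request could not be satisfied",
    "attempt has been blocked", "blocked your request", "you have been blocked",
]


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def random_param_name(length=3):
    """Random parameter name (e.g. 'oFx'): the application ignores it, so any
    change in the response is caused by the inspection layer, not by app logic."""
    return "".join(random.choice(string.ascii_letters) for _ in range(length))


def html_title(body):
    m = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    return m.group(1).strip() if m else ""


def response_changes(original, provoked):
    """Differences between the baseline and the provoked response that point
    to a WAF. Empty list = no reaction observed by these three checks."""
    reasons = []
    if original.status != provoked.status:
        reasons.append(f"HTTP code {original.status} -> {provoked.status}")
    t0, t1 = html_title(original.body), html_title(provoked.body)
    if t0 != t1:
        reasons.append(f"HTML title {t0!r} -> {t1!r}")
    low0, low1 = original.body.lower(), provoked.body.lower()
    for kw in REJECTION_KEYWORDS:
        # only keywords that were absent from the original response count
        if kw in low1 and kw not in low0:
            reasons.append(f"rejection keyword {kw!r}")
    return reasons


def detect_waf(send, payloads=DUMMY_PAYLOADS):
    """`send(param, value)` returns a Response. Returns (detected, findings),
    where findings maps each payload that triggered a change to its reasons."""
    param = random_param_name()
    baseline = send(param, "1")          # benign value under the same random name
    findings = {}
    for p in payloads:
        reasons = response_changes(baseline, send(param, p))
        if reasons:
            findings[p] = reasons
    return bool(findings), findings


# --- constructed targets standing in for real HTTP endpoints ------------------
_OK = Response(200, "<html><title>Homepage</title><body>Hello</body></html>")
_BLOCKED = Response(403, "<html><title>Attention Required!</title>"
                         "<body>Sorry, you have been blocked</body></html>")


def fake_send_with_waf(param, value):
    """Crude WAF: rejects any value containing <, > or a single quote."""
    return _BLOCKED if re.search(r"[<>']", value) else _OK


def fake_send_without_waf(param, value):
    return _OK


if __name__ == "__main__":
    print(detect_waf(fake_send_with_waf))
    print(detect_waf(fake_send_without_waf))
```

Against a real target the `send` callback would perform the HTTP request; everything else stays the same, and the "no change" outcome is exactly the blind case the rest of the talk deals with.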
18. WAF detection (II)
(screenshots: original response vs. WAF-provoked response)
19. Non-blind WAF identification (I)
After the (successful) detection phase, the identification phase tries to identify the web application security product (i.e. the WAF)
In the best (non-blind) case the provoked WAF responds with specific response trails that distinguish it from other products:
  Keywords / sentences (e.g. dotDefender Blocked Your Request)
  HTTP codes (e.g. 999 No Hacking)
  HTTP headers (e.g. Server: BinarySec)
  HTTP cookies (e.g. jsl_tracking=…)
  File paths (e.g. .../wzws-waf-cgi/...)
20. Non-blind WAF identification (II)
@sqlmap (case) / --identify-waf
WAF scripts (currently 77), each covering one specific WAF (protection system)
4 (+1 NIL) dummy payloads / attack vectors
Checking page content, headers and (HTTP) code after each payload
23. Blind WAF identification (I)
How to distinguish different WAF types when there are only TRUE (generic rejection) and FALSE (original) responses?
A problem similar to boolean-based blind SQL injection, though with more constraints (i.e. there is no data source to pull data from)
In theory, different WAFs have different protection engines with different rule sets
Hence, different WAFs should answer differently to a predefined list of dummy payloads ("battery of tests")
Final goal: characteristic vectors (signatures)
24. Blind WAF identification (II)
26. identYwaf (I)
WAF detection and identification tool
Non-blind support for 70 WAFs and blind support for 64 WAFs (74 WAFs in total)
Non-blind recognition implemented with regular expressions over the raw HTTP response (including HTTP headers)
Blind recognition implemented by inference: the observed response(s) are compared with predefined characteristic vectors (signatures) of size 45 (one entry per payload)
Based on extensive (empirical?) study
29. identYwaf (IV)
Calculating the difference (distance) between the response vector and the WAF characteristic vectors (signatures)
The smaller the difference, the greater the match
Periodic safe-checking for potential complete blocking (dummy digit payload)
Detection of WAF "chaining" based on different rejection HTTP codes (e.g. 403 and 500) or Server headers (e.g. nginx and imunify360-webshield/1.5)
Auxiliary "hardness" score (i.e. strictness)
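The two identification strategies from the "Non-blind WAF identification" and "Blind WAF identification" / identYwaf slides, as one added example (not identYwaf's or sqlmap's own code). Non-blind: regular expressions over the raw HTTP response, using the response trails quoted on slide 19; the product labels WAF-A to WAF-E are placeholders, not a claim about which product leaves which trail. Blind: a battery of dummy payloads produces a boolean vector (True = rejected), compared with known signature vectors by Hamming distance, smallest distance wins; after every few probes a harmless digit payload is sent, and its rejection aborts the run as "completely blocked"; distinct rejection codes or Server headers across rejected probes are reported as chaining; and the hardness score is defined here as the fraction of battery payloads rejected (one plausible definition, not the tool's). The battery, the signatures and the fake target are constructed.

```python
"""Added example: non-blind (regex) and blind (signature-vector) WAF identification.
Assumptions: placeholder product names, a 6-payload battery, constructed
signature vectors and a fake `is_rejected(payload)` target."""
import re

# ---- non-blind: trails quoted on slide 19, mapped to placeholder names -------
NON_BLIND_SIGNATURES = {
    "WAF-A": re.compile(r"dotDefender Blocked Your Request", re.I),
    "WAF-B": re.compile(r"^HTTP/1\.[01] 999 No Hacking", re.M),
    "WAF-C": re.compile(r"^Server: BinarySec", re.M | re.I),
    "WAF-D": re.compile(r"^Set-Cookie: jsl_tracking=", re.M | re.I),
    "WAF-E": re.compile(r"/wzws-waf-cgi/"),
}


def identify_non_blind(raw_response):
    """Placeholder names whose trail regex matches the raw HTTP response
    (status line, headers and body together)."""
    return [name for name, rx in NON_BLIND_SIGNATURES.items() if rx.search(raw_response)]


# ---- blind: battery of dummy payloads and characteristic vectors --------------
BATTERY = [
    "<script>alert(1)</script>",     # XSS, script tag
    "' OR 1=1--",                    # SQLi, quote + tautology
    "../../etc/passwd",              # path traversal / file inclusion
    "; cat /etc/passwd",             # command injection
    "<img src=x onerror=alert(1)>",  # XSS, event handler
    "UNION SELECT NULL",             # SQLi keywords without quotes
]
SAFE_PAYLOAD = "1"  # dummy digit: only rejected if the target now blocks everything

# constructed signatures, one boolean per battery entry (True = rejected)
SIGNATURES = {
    "WAF-X": [True, True, True, True, True, True],
    "WAF-Y": [True, True, False, False, True, False],
    "WAF-Z": [False, True, True, True, False, True],
}


class FullyBlocked(Exception):
    """Raised when even the safe payload is rejected (rate limit, IP ban, ...)."""


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def response_vector(is_rejected, battery=BATTERY, safe_every=2):
    """Run the battery through `is_rejected(payload) -> bool`. After every
    `safe_every` probes send the safe digit payload; if that is rejected the
    remaining answers would be meaningless, so stop."""
    vec = []
    for i, payload in enumerate(battery, 1):
        vec.append(bool(is_rejected(payload)))
        if i % safe_every == 0 and is_rejected(SAFE_PAYLOAD):
            raise FullyBlocked(f"safe payload rejected after {i} probes")
    return vec


def identify_blind(vec, signatures=SIGNATURES):
    """(name, distance) pairs sorted ascending: smallest distance = best match."""
    return sorted(((n, hamming(vec, s)) for n, s in signatures.items()), key=lambda t: t[1])


def hardness(vec):
    """Strictness score as assumed here: fraction of battery payloads rejected."""
    return sum(vec) / len(vec)


def detect_chaining(rejections):
    """`rejections` = (status, server_header) per rejected probe. More than one
    distinct rejection code or Server header hints at more than one WAF layer."""
    codes = {c for c, _ in rejections}
    servers = {s for _, s in rejections if s}
    return len(codes) > 1 or len(servers) > 1


# ---- constructed target: like WAF-Y, but missing the event-handler rule ------
def fake_is_rejected(payload):
    return "<script" in payload or "'" in payload


if __name__ == "__main__":
    vec = response_vector(fake_is_rejected)
    print(vec, identify_blind(vec), hardness(vec))
    print(identify_non_blind("HTTP/1.1 999 No Hacking\r\nServer: BinarySec\r\n\r\n"))
```

With a real signature set the ranking is only as good as the battery: two products with identical rule coverage for the 45 payloads are indistinguishable blindly, which is why the non-blind regex pass is tried first and the blind result is reported as the closest match with its distance rather than as a certainty.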
34. Future work
Dealing with strict (rate-limiting) WAFs (e.g. usage of a proxy list)
Extensive testing of WAF capabilities (e.g. POST body, different encodings, etc.)
Detailed reporting for the sake of bypassing (e.g. only FI payloads are blocked, POST body is not being processed, only the characters < and > are being blocked, etc.)
Collaborative sharing of unknown signatures (e.g. automatic GitHub issue)
Bypass "recommendations"