Blue Teaming on a Budget
Carl Fong – CTO
cfong@ocde.us
Nigel Green
Cybersecurity Analyst
ngreenjr@ocde.us
Kevin Riley
Cyber Security Architect
kriley@ocde.us
CITE Conference 2022
What is the Blue Team?
• Defenders
• Responders
• SME
OSINT Tools
OSINT Tools
• Usernames
• Email Addresses
• Domain Name
• IP Address
• Images/Videos/Docs
• Social Networks
• Search Engines
https://osintframework.com
https://Id.crawl.com,
https://whatsmyname.app,
www.google.com ,
https://www.yandex.com/images
https://thatsthem.com
OSINT Tools
Blind Crawler And Cewl
• Find Email Addresses
• Find Subdomains
• Site Paths
• Generate Word Lists
https://github.com/AhmedConstant/BlindCrawler/README.md,
https://github.com/digininja/CeWL
https://github.com/BillyV4/ID-entify
https://haveibeenpwned.com
https://dehashed.com
OSINT Tools
Mr. Holmes
Whats My Name
Sherlock
https://github.com/Lucksi/Mr.Holmes
https://github.com/m4ll0k/Infoga
https://github.com/sherlock-project/sherlock
https://github.com/WebBreacher/WhatsMyName
OSINT Tools
DNS Dumpster
https://dnsdumpster.com
OSINT Tools
Have I been pwned?
DeHashed
https://haveibeenpwned.com/
https://www.dehashed.com
OSINT Tools
Image Search
Sock Puppets
https://this-person-does-not-exist.com/en
https://fauxid.com/
www.bing.com,
https://cybervie.com/blog/what-is-sock-puppets-iin-osint-how-to-create-one/
YouTube video on how to search by image using bing.com
https://www.youtube.com/watch?v=OsY32K1s51Y&ab_channel=DavidBombal
OSINT Tools
Heath Adams (The Cyber Mentor) 5-hour video on OSINT:
https://www.youtube.com/watch?v=qwA6MmbeGNo&ab_channel=TheCyberMentor
Sysinternals
• Mark Russinovich, 1996
• Microsoft
• Free
• Actively Developed
Main Site
https://learn.microsoft.com/en-us/sysinternals/
Live Download
https://live.sysinternals.com/
Sysinternals
Sysmon
PS C:\Program Files\sysmon> .\Sysmon64.exe -i .\sysmon-config.xml
System Monitor v14.12 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2022 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard.
All Rights Reserved.
Sysinternals - www.sysinternals.com
Loading configuration file with schema version 4.50
Sysmon schema version: 4.83
Configuration file validated.
Sysmon64 installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon64..
Sysmon64 started.
https://github.com/SwiftOnSecurity/sysmon-config
Sysinternals
Sysmon
Disabling Windows Defender
Sysinternals
Sysmon
Dumping LSASS
Sysinternals
Sysmon
Deploy via GPO
https://www.syspanda.com/index.php/2017/02/28/deploying-sysmon-through-gpo/
Sysinternals
Process Explorer
Sysinternals
Autoruns
Find all locations where persistence hides
Create a Baseline
Sysinternals
Autoruns
Compare Current to Baseline
Sysinternals
Autoruns
Find the Malicious Code
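A worked example of the "create a baseline, compare current to baseline" step on the Autoruns slides, added here and not part of the deck or of Sysinternals: it loads two Autoruns CSV exports, reports persistence entries that were added, removed or changed, and flags the new ones a defender should triage first. The column names are assumed to match the CSV written by autorunsc.exe (extra columns in a real export are ignored), and both captures are constructed sample data embedded inline with placeholder hashes.

```python
"""Baseline-compare for Autoruns CSV exports (added example, not from the deck).

Assumed input format: CSVs written by `autorunsc.exe -a * -c -h -s` with at
least the columns named in KEY_COLS and WATCH_COLS (real exports carry more
columns and are UTF-16; extra columns are ignored by DictReader).
"""
import csv
import io
from dataclasses import dataclass

# Columns that identify one persistence entry across two captures.
KEY_COLS = ("Entry Location", "Entry", "Image Path")
# Columns whose change on an existing entry is worth a second look.
WATCH_COLS = ("Enabled", "Signer", "Launch String", "SHA-256")
# Heuristics for triaging entries that were not in the baseline.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
SCRIPT_HOSTS = ("powershell", "wscript", "cscript", "mshta", "rundll32", "regsvr32")


@dataclass(frozen=True)
class Finding:
    kind: str      # "new", "removed" or "changed"
    location: str
    entry: str
    image: str
    detail: str    # what changed, or why a new entry deserves triage


def load_autoruns(csv_text: str) -> dict:
    """Parse an Autoruns CSV into {(location, entry, image path): row}."""
    rows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows[tuple(row.get(c, "") for c in KEY_COLS)] = row
    return rows


def triage_reasons(row: dict) -> list:
    """Cheap heuristics that put a new entry at the top of the review queue."""
    reasons = []
    # autorunsc -s prefixes verified signatures with "(Verified)".
    if not row.get("Signer", "").startswith("(Verified)"):
        reasons.append("signer not verified")
    image = row.get("Image Path", "").lower()
    if any(d in image for d in USER_WRITABLE):
        reasons.append("image in user-writable directory")
    if "file not found" in image:
        reasons.append("image missing (orphaned entry)")
    launch = row.get("Launch String", "").lower()
    if any(h in launch for h in SCRIPT_HOSTS):
        reasons.append("launched through a script host")
    return reasons


def compare(baseline: dict, current: dict) -> list:
    """Return new, changed and removed entries between two captures."""
    findings = []
    for key, row in current.items():
        loc, entry, image = key
        if key not in baseline:
            reasons = triage_reasons(row) or ["no heuristic hit"]
            findings.append(Finding("new", loc, entry, image, "; ".join(reasons)))
            continue
        old = baseline[key]
        diffs = ["%s: %r -> %r" % (c, old.get(c, ""), row.get(c, ""))
                 for c in WATCH_COLS if old.get(c, "") != row.get(c, "")]
        if diffs:
            findings.append(Finding("changed", loc, entry, image, "; ".join(diffs)))
    for key in baseline.keys() - current.keys():
        loc, entry, image = key
        findings.append(Finding("removed", loc, entry, image, ""))
    return findings


# Constructed sample exports, trimmed to the columns the script uses;
# the SHA-256 column holds short placeholders instead of real hashes.
BASELINE_CSV = r"""Entry Location,Entry,Enabled,Signer,Image Path,Launch String,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,1111
Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,enabled,(Verified) Microsoft Windows,c:\windows\system32\defrag.exe,%windir%\system32\defrag.exe -c -h -k -g -$,2222
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VMware User Process,enabled,(Verified) VMware,c:\program files\vmware\vmware tools\vmtoolsd.exe,vmtoolsd.exe -n vmusr,3333
"""
CURRENT_CSV = r"""Entry Location,Entry,Enabled,Signer,Image Path,Launch String,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,1111
Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,enabled,(Not verified) Microsoft Windows,c:\windows\system32\defrag.exe,%windir%\system32\defrag.exe -c -h -k -g -$,9999
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDriveUpdate,enabled,(Not verified) Contoso Ltd,c:\users\jdoe\appdata\roaming\update\svc.exe,C:\Users\jdoe\AppData\Roaming\update\svc.exe -q,4444
"""


def run_sample() -> list:
    """Compare the constructed captures; sorted so the output is stable."""
    findings = compare(load_autoruns(BASELINE_CSV), load_autoruns(CURRENT_CSV))
    return sorted(findings, key=lambda f: (f.kind, f.location, f.entry))


if __name__ == "__main__":
    for f in run_sample():
        print("%-8s %s | %s | %s" % (f.kind.upper(), f.location, f.entry, f.detail))
```

On real exports, open the files with encoding="utf-16" and pass the text to load_autoruns; a changed signer or hash on an entry you did not patch is as interesting as a brand-new entry.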
CyberChef
Cyber Swiss Army Knife
CyberChef Overview:
https://www.youtube.com/watch?v=rT_CjwKN380&t=2s
Decoding with CyberChef
https://www.youtube.com/watch?v=l0ZCyfA75ZE
ntopng
https://www.ntop.org/get-started/download/
https://github.com/ntop
Wireshark
Wireshark
https://www.comparitech.com/net-admin/wireshark-cheat-sheet/
Tshark
Greenbone OpenVAS
Included in Kali Linux – Recommended
https://openvas.org
Zeek (BRO)
• A passive, open-source network traffic analyzer
• Network Security Monitor (NSM)
• Performance measurement and troubleshooting
• Real-time and offline analysis
• File extraction
• Extensible architecture
Documentation
https://docs.zeek.org/en/master/
Cheatsheet
https://github.com/corelight/zeek-cheatsheets/blob/master/Corelight-Zeek-Cheatsheets-3.0.4.pdf
Suricata / Snort IDS
High performance - multi-threaded, scalable code base
Multipurpose Engine - NIDS, NIPS, NSM, offline analysis, etc.
Cross-platform support - Linux, Windows, macOS, OpenBSD, etc.
Modern TCP/IP support including a scalable flow engine, full IPv4/IPv6, TCP
streams, and IP packet defragmentation
Protocol parsers - packet decoding, application layer decoding
HTTP engine - HTTP parser, request logger, keyword match, etc.
Autodetect services for portless configuration
Lua scripting (LuaJIT)
Application-layer logging and analysis, including TLS/SSL certs, HTTP requests,
DNS requests, and more
Built-in hardware acceleration (GPU for network sniffing)
File extraction
https://suricata.readthedocs.io/en/suricata-6.0.9/
Modular design:
Multi-threading for packet processing
Shared configuration and attribute table
Use a simple, scriptable configuration
Plugin framework, make key components pluggable (and 200+ plugins)
Auto-detect services for portless configuration
Auto-generate reference documentation
Scalable memory profile
Rule parser and syntax (support sticky buffers in rules)
https://www.snort.org/documents
OSQuery
OSQuery allows you to use SQL to access information about a system.
Runs everywhere.
Cross platform – Mac, Windows, Linux
Small footprint
OSQuery Site
https://www.osquery.io/
OSQuery resources
https://github.com/sttor/awesome-osquery
https://fleetdm.com/
Wazuh
OSSEC Fork
• Intrusion detection
• Log data analysis
• File integrity monitoring
• Vulnerability detection
• Configuration assessment
• Incident response
• Regulatory compliance
• Cloud security
• Container security
https://github.com/wazuh/wazuh
Packet Fence
Open-source NAC
• BYOD - Let people bring their own devices
• Role-based access control
• Eliminate malware
• WiFi offload / hotspot
• Provide guest access
• Perform compliance checks
• Simplify network management
https://www.packetfence.org/
https://github.com/inverse-inc/packetfence
ELK Stack
• Elasticsearch
• Logstash
• Kibana
https://www.elastic.co/what-is/elk-stack
https://github.com/dzharii/awesome-elasticsearch
Security Onion
• Network Security Monitoring
• Central Log Management
• Threat Hunting
• Enterprise Security
• Full Packet Capture
• Fully Supported
https://securityonionsolutions.com/
Security Onion
Architecture
Questions?
Download Slides
https://hackingwithkali.com/BTB-CITE.pptx

Editor's Notes

  1. OSINT is the use of publicly available sources to acquire knowledge about an individual, company, or subject matter. In this presentation, I will go over some of the tools I use to conduct OSINT research on the districts with which we conduct pentesting engagements. I will also discuss how you can use these same tools to reduce what threat actors can learn about your organization.
  2. The picture above is the OSINT Framework, which outlines various tools you can use to gather information on people and organizations. The bullet points to the left outline the typical things the OCDE cybersecurity department focuses on during a pen testing engagement; we include these in the OSINT section of our report to the district.
  3. BlindCrawler is a really helpful tool for enumerating a target organization’s website. BlindCrawler finds email addresses and site paths and saves them in a text file. Finding email addresses in the environment is important when identifying company personnel to target with different attack vectors to penetrate the organization. CeWL is a tool that generates a wordlist from a website for password cracking of NTLM hashes. Such wordlists expedite password cracking if users in the environment choose passwords related to where they work, e.g. OCDE123!!. Creating unique passwords reduces the security risk for your organization. It only takes one account with the right access to get into an organization.
  4. Mr. Holmes is my OSINT search tool of choice. It provides several options to use when researching someone. It searches popular social media sites for the username you input, and it can also validate an email address. Mr. Holmes can be installed on Kali Linux/Ubuntu. It also saves a report of everything found to a folder, in several file formats. Review the security section of your social media accounts; there are options to keep people who aren’t your friends from viewing your profile and friends list. A threat actor can use your social media accounts to gain valuable information about you and use it to compromise the organization you work for.
  5. DNSdumpster helps provide a security overview of your organization by discovering hosts related to a domain. This is valuable for assessing which hosts are visible to a threat actor, since DNSdumpster is a free tool that anyone can use.
  6. HaveIBeenPwned is a valuable tool because it lets you know whether an email address has appeared in any breaches. It is a great way to check whether any of your staff members’ work email addresses have been found in a breach, so you can tell them to change their passwords, since passwords are usually leaked along with email information. DeHashed takes HaveIBeenPwned to the next level and lets you search for leaked passwords and hashes associated with an email address or username.
  7. This is Kristy Boyer. She lives in San Rafael, New Mexico, and her email address is k.boyer@gmail.com. We can use the OSINT tools we have previously discussed to find out what accounts she has online. She is not a real person: this picture is not real, and there is no Kristy Boyer. It is an AI-generated photo. If you look closely at her face, by her cheek, the hair blends into the skin. These are the types of profiles you need to be aware of. What I created was a sock puppet. Threat actors create fake people and profiles to steal your information or catfish you.
  8. Your users are your first line of defense. Educating them on best practices for password use, safe browsing, data protection, and avoiding password reuse is imperative to keeping your environment safe. Users should know that their data is valuable to threat actors who wish to use it for financial gain. Threat actors use social engineering, phishing, vishing, and smishing to extract vital information from users. Know what these threats look and sound like, and be careful which links you click. What can you do to protect your users? Invest in phishing simulation software such as KnowBe4 or Proofpoint Phishing Education to educate your user base. Encourage your users to use a password manager, and if they do, have them sign out of it daily.
  9. osquery is an operating system instrumentation framework for Windows, OS X (macOS), and Linux. The tools make low-level operating system analytics and monitoring both performant and intuitive. osquery exposes an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.
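Added example for note 3 (the CeWL discussion), not part of the OCDE deck or of the CeWL project: the defender's mirror of a CeWL wordlist is a password filter that rejects passwords built from organization words. The word list and the sample passwords below are constructed for the example; in practice you would load the output file of a CeWL crawl of your own site. The leet-speak map is a heuristic, not an exhaustive one.

```python
"""Reject passwords derived from organisation-related words (constructed example)."""
from __future__ import annotations

import re

# Constructed stand-in for the terms a CeWL crawl of a district website
# would yield; a real run produces hundreds of terms, loaded from a file.
ORG_WORDS = ["ocde", "orange", "county", "education", "district", "schools"]

# Common substitutions users make to dodge naive word matching (heuristic).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(password: str) -> str:
    """Lower-case, undo leet substitutions, and keep only letters."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_MAP))


def contains_org_word(password: str, words=ORG_WORDS, min_len: int = 4) -> str | None:
    """Return the organisation word found in the password, or None if clean.

    Words shorter than min_len are skipped to avoid false positives on
    short tokens such as 'the'.
    """
    norm = normalise(password)
    for word in words:
        word = word.lower()
        if len(word) >= min_len and word in norm:
            return word
    return None


def check_password(password: str, min_length: int = 14) -> list[str]:
    """Return a list of policy findings; an empty list means the password is accepted."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    hit = contains_org_word(password)
    if hit:
        findings.append(f"contains organisation word '{hit}'")
    return findings


if __name__ == "__main__":
    for candidate in ["OCDE123!!", "0r4ng3C0unty-2022-Spring", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```

The same check can be wired into a self-service reset portal or a directory password filter; the point is that the organization's own public vocabulary is the first thing a cracking wordlist will contain, so it should be the first thing a policy rejects.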
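Added example for note 6 (HaveIBeenPwned), not code from the deck or from HaveIBeenPwned: a check of a password against the HIBP Pwned Passwords range API (https://api.pwnedpasswords.com/range/<first 5 hex chars of the SHA-1>), which uses k-anonymity so that only five hex characters of the hash ever leave the machine. The response body below is a constructed sample (the breach count is made up) so the parsing can be exercised offline; `fetch_range` performs the live request when network access is available.

```python
"""Check a password against HIBP Pwned Passwords using the k-anonymity range API."""
from __future__ import annotations

import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix 5BAA6 (SHA-1 of "password"
# starts with 5BAA6); the count values are made up for the example.
SAMPLE_RESPONSE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix sent to HIBP and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count mapping."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup: fetch every hash suffix sharing `prefix` (requires network access)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in known breaches (0 = not found).

    `fetch` maps a 5-char prefix to a response body; pass a stub to run offline.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    for pw in ["password", "correct horse battery staple"]:
        n = breach_count(pw, fetch=lambda _prefix: SAMPLE_RESPONSE_5BAA6)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in sample")
```

Because the server only ever sees the prefix, this check is safe to run during password changes; a non-zero count is a reason to reject the password, and the same routine can be scripted over a list of candidate passwords during an audit without exposing any of them.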
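Added example for note 9 (osquery), not the osquery project's own code and not from the deck: a Python wrapper that runs an osquery SQL statement through `osqueryi --json` and triages the rows. The table and column names (`listening_ports`, `processes`, `pid`, `port`, `path`) are real osquery schema names; the result rows below are constructed so the triage logic runs on a machine without osquery, and the allowlist of expected listeners is an assumption for the example host.

```python
"""Run osquery SQL from Python and flag listening sockets that need review."""
from __future__ import annotations

import json
import shutil
import subprocess

# Real osquery SQL: every listening socket joined to its owning process.
LISTENERS_SQL = (
    "SELECT p.pid, p.name, p.path, l.port, l.address, l.protocol "
    "FROM listening_ports l JOIN processes p USING (pid) "
    "WHERE l.port != 0;"
)

# Constructed sample rows in the shape `osqueryi --json` returns (all values are strings).
SAMPLE_ROWS = [
    {"pid": "812", "name": "sshd", "path": "/usr/sbin/sshd",
     "port": "22", "address": "0.0.0.0", "protocol": "6"},
    {"pid": "1301", "name": "nginx", "path": "/usr/sbin/nginx",
     "port": "443", "address": "0.0.0.0", "protocol": "6"},
    {"pid": "4410", "name": "python3", "path": "/tmp/.x/python3",
     "port": "4444", "address": "0.0.0.0", "protocol": "6"},
    {"pid": "601", "name": "systemd-resolve", "path": "/usr/lib/systemd/systemd-resolved",
     "port": "53", "address": "127.0.0.53", "protocol": "17"},
]

# Assumed allowlist of (process name, port) pairs for this host class.
EXPECTED_LISTENERS = {("sshd", 22), ("nginx", 80), ("nginx", 443), ("systemd-resolve", 53)}

# Directories from which a legitimate service binary should not be running.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def run_osquery(sql: str) -> list[dict[str, str]]:
    """Execute `sql` with osqueryi and return its rows; fall back to SAMPLE_ROWS when osquery is absent."""
    exe = shutil.which("osqueryi")
    if exe is None:
        return SAMPLE_ROWS
    result = subprocess.run([exe, "--json", sql], capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


def unexpected_listeners(rows: list[dict[str, str]], expected=EXPECTED_LISTENERS) -> list[dict[str, str]]:
    """Return rows whose (name, port) is not allowlisted or whose binary runs from a temp directory."""
    findings = []
    for row in rows:
        port = int(row["port"])
        off_list = (row["name"], port) not in expected
        temp_binary = row["path"].startswith(SUSPICIOUS_DIRS)
        if off_list or temp_binary:
            findings.append(row)
    return findings


def main() -> None:
    for row in unexpected_listeners(run_osquery(LISTENERS_SQL)):
        print(f"REVIEW pid={row['pid']} name={row['name']} path={row['path']} "
              f"port={row['port']} bound={row['address']}")


if __name__ == "__main__":
    main()
```

Scheduled through osqueryd or a fleet manager such as Fleet, the same SQL becomes a recurring query whose diffs surface new listeners as they appear; the Python side is only the per-host triage that an analyst would otherwise do by eye.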