Corporate Espionage without the Hassle of Committing FeloniesJohn Bambenek
Thotcon Presentation by John Bambenek on how some security solutions are leaking sensitive data to the internet making it easy to spy on individuals and companies without breaking any laws.
Exploit kits are a critical piece of the malware delivery infrastructure, delivering banking trojans, click fraud engines and ransomware. This small talk will be designed to aid collaboration on a means to tackle these threats with a long-term goal of eventual prosecution of the actors and partners behind exploit kits and their associated malware campaigns. We will discuss the latest research into the backend infrastructure and surveillance techniques of the Nuclear, RIG and Angler exploit kits, to enable all participants to learn what others are doing to stay ahead of them.
HITCON 2015 - DGAs, DNS and Threat IntelligenceJohn Bambenek
Domain Generation Algorithms (DGAs) and DNS provide a layer of resilience to botnets and malware. They also provide new and novel ways to monitor and surveil malicious networks. This talk will discuss methods you can use to turn DGAs and DNS against malware operators in order to better protect your enterprise.
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksJohn Bambenek
Defensive security is a rat race. We detect new threats, we reverse engineer them and develop defenses while the bad guys just make new threats. We often just document a new threat and stop when the blog post is published. This talk will take it a step further on how to proactively disrupt threats and threat actors, not just from your organization but completely. As a case study, Operation Tovar and whatever else I take down between now and THOTCON will be used as examples of how this can be accomplished without a large legal team and without massive collateral damage (i.e. the No-IP incident). Tools will be demonstrated that are used for near-time surveillance of criminal networks.
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsAndrew Morris
Cloud hosting providers, such as Amazon AWS, Google Cloud, DigitalOcean, Microsoft Azure, and many others, have to respond to a regular barrage of abuse complaint reports from all around the world when their customers virtual private servers are used for malicious activity. This activity can happen knowingly by the "renter" of the system or on behalf of an attacker if the server becomes infected. Although by no means the end all, one way of measuring the trust posture of a cloud hosting provider is by analyzing the amount of time between shared hosts beginning to attack other hosts on the Internet and the activity ceasing, generally by way of forced-decommissioning, quarantining, or remediation of the root-cause, such as a malware infection. In this talk, we discuss using the data collected by GreyNoise, a large network of passive collector nodes, to measure the time-to-remediation of infected or malicious machines. We will discuss methodology, results, and actionable takeaways for conference attendees who use shared cloud hosting in their businesses.
Corporate Espionage without the Hassle of Committing FeloniesJohn Bambenek
Thotcon Presentation by John Bambenek on how some security solutions are leaking sensitive data to the internet making it easy to spy on individuals and companies without breaking any laws.
Exploit kits are a critical piece of the malware delivery infrastructure, delivering banking trojans, click fraud engines and ransomware. This small talk will be designed to aid collaboration on a means to tackle these threats with a long-term goal of eventual prosecution of the actors and partners behind exploit kits and their associated malware campaigns. We will discuss the latest research into the backend infrastructure and surveillance techniques of the Nuclear, RIG and Angler exploit kits, to enable all participants to learn what others are doing to stay ahead of them.
HITCON 2015 - DGAs, DNS and Threat IntelligenceJohn Bambenek
Domain Generation Algorithms (DGAs) and DNS provide a layer of resilience to botnets and malware. They also provide new and novel ways to monitor and surveil malicious networks. This talk will discuss methods you can use to turn DGAs and DNS against malware operators in order to better protect your enterprise.
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksJohn Bambenek
Defensive security is a rat race. We detect new threats, we reverse engineer them and develop defenses while the bad guys just make new threats. We often just document a new threat and stop when the blog post is published. This talk will take it a step further on how to proactively disrupt threats and threat actors, not just from your organization but completely. As a case study, Operation Tovar and whatever else I take down between now and THOTCON will be used as examples of how this can be accomplished without a large legal team and without massive collateral damage (i.e. the No-IP incident). Tools will be demonstrated that are used for near-time surveillance of criminal networks.
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsAndrew Morris
Cloud hosting providers, such as Amazon AWS, Google Cloud, DigitalOcean, Microsoft Azure, and many others, have to respond to a regular barrage of abuse complaint reports from all around the world when their customers virtual private servers are used for malicious activity. This activity can happen knowingly by the "renter" of the system or on behalf of an attacker if the server becomes infected. Although by no means the end all, one way of measuring the trust posture of a cloud hosting provider is by analyzing the amount of time between shared hosts beginning to attack other hosts on the Internet and the activity ceasing, generally by way of forced-decommissioning, quarantining, or remediation of the root-cause, such as a malware infection. In this talk, we discuss using the data collected by GreyNoise, a large network of passive collector nodes, to measure the time-to-remediation of infected or malicious machines. We will discuss methodology, results, and actionable takeaways for conference attendees who use shared cloud hosting in their businesses.
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
Speakers: Ashley Shen, Steve Su
This is a threat hunting and campaign tracking 101 workshop Ashley Shen (Google) and Steve (FireEye) prepared for the HITCON 2020 CTI Village. In this presentation we share the threat hunting concept with some basic techniques and explain the process and guidance for campaign tracking. The presentation was only 65 mins so we couldn't covered everything. However through this talk we hope to share our experience and insight to the beginners.
Defending Against 1,000,000 Cyber Attacks by Michael BanksEC-Council
Every time you look around some company or government organization is spouting out some huge number of “cyber-attacks” to their network every day. By no means is it easy, but could it be that there is a little exaggeration of the actuality of the encounters? There is surely a misconception in reporting and the understanding of the attack itself and how organizations account for them. There are “attacks” like port scanning and brute force attempting all across the internet and all hours of the day. Spreading awareness about them will inform the public on just how “intense” these attacks are. To demonstrate this, I bought a nice attractive domain and coupled it with a honey-pot and let the fun begin.
Are you a security professional looking for ways to identify and classify malware families? While most commonly associated with malware, YARA can actually be used against any file. In this presentation, we’ll pull back the curtain and give you an introduction to how you can use this powerful tool.
In this short time, we’ll discuss the basic format and structure of a YARA rule and introduce a few tricks to increase efficiency and performance. We will walk you through a few examples and show you some automated tools and how they can help. Lastly, we'll tie things up with some pointers on how organize rules for best effect.
There has been a Ransomware explosion the last 6 years and there have been very little done to stop infections aside from deprecated signature scans and classic malware scanner. Weston will go over a couple proof of concepts that work on even the most current versions of the malware stop from fully infecting the machines that would otherwise be infected with malware that demands 1000s of dollars in some instances. Weston will go over several methods of making your system immune to attacks from ransomware many of them were discovered from actually reverse engineering the malware early this year. Weston will also go over several open source tools to test your environments impact from malware such as Cryptowall and several tools both software and hardware that can protect your systems from malware infecting even methods of abusing the payment gateway system to allow you to get more than one file unlocked for free and Weston will also go into the research about breaking the encryption based on the outputted encrypted files.
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...EC-Council
Today there is a dispute over the ethics of operations involving honeypots and honeynets in cyber security. However, many organizations will adopt the use of such techniques and tools to develop defensive strategies to stop attackers. For professional offensive security practitioners, detecting, bypassing, and even avoiding honeypots is a new challenge and much is to be discovered and shared. This brief will work to accomplish these objectives and begin the development of a new framework for Counter Honeypot Operations (CHOps).
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseJohn Bambenek
Between limited resources and a lack of trained professionals on one hand and the increasing quantity and quality of attacks on the other, securing enterprises and responding to incidents has placed defenders on the losing end of a digital arms race. Even managing the amounts of threat data and open-source intelligence has become a challenge.
This talk will cover the possibilities and perils of integrating all the various sources of threat intelligence data to protect an organization. With all the various open-source and paid-source data, simply dumping it all into a firewall or DNS RPZ zone can be problematic. What to do about compromised websites or shared hosting environments? What about DGA domains that use full words and may collide with actual innocent websites? What about how to handle threat data that is lacking in context to make appropriate decisions on its validity and accuracy? This talk will present several case studies in how these problems can be tackled and how using multi-domain analysis can help reduce the risk and maximize the value of automated protection using these types of data.
Talk given at PHDAYS V in Moscow, May 2015.
This talk will focus on a research into Domain Generation Algorithms used in several malware families. By reverse engineering the DGA, it became possible to create near-time intelligence feeds used to monitor malicious networks and provide information required for network protection.
THOTCON - The War over your DNS QueriesJohn Bambenek
Talk given at THOTCON on October 9, 2021 entitled the War over your DNS queries and what to do about it. Covers DNS security and privacy and the importance of running your own DNS resolver.
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
In this talk, I'll be discussing my experience developing intelligence-gathering capabilities to track several different independent groups of threat actors on a very limited budget (read: virtually no budget whatsoever). I'll discuss discovering the groups using open source intelligence gathering and honeypots, monitoring attacks, collecting and analyzing malware artifacts to figure out what their capabilities are, and reverse engineering their malware to develop the capability to track their targets in real time. Finally, I'll chat about defensive strategies and provide recommendations for enterprise security analysts and other security researchers.
HITCON 2017: Building a Public RPZ Service to Protect the World's ConsumersJohn Bambenek
While we have many products and tools to protect enterprises and government networks, we are not using those same tools to protect consumers who cannot afford products and services by security companies. This talk will focus on the building of a RPZ service that can use already existing threat intelligence feeds that are freely accessible to protect consumers against threats we already know about.
Our researcher Aryeh Goretsky took a look at some of the more interesting pieces of malware and threats that have occurred over the first six months of the year 2014. And what a year it has been, with some serious new developments as well as persistence of numerous older threats.
A look at computer network defense techniques and strategies that actually work in a world of blinky light sales. Strait up defense served with a side of sarcasm.
Should I buy product $x from $vendor_y or product $y from $vendor_x? Probably neither. Come hear how you can get back to security basics to keep your organization from getting owned and discover when you are owned with a lot of tools you already have. No sales, no magic, just real world security for people that want to defend their organization.
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSJohn Bambenek
These are the slides of a talk by John Bambenek at THOTCON 0x5 in Chicago.
Imagine your first day at a client site and you spend your time figuring out what’s going on with the network. You query passive DNS to find tons of apparently VPN over DNS endpoints on your network. What starts as a simple incident investigation process sees the tables turned on those who used the protocol to hide their tracks. This talk will discuss reverse engineering VPN over DNS (vpnoverdns.com) and how weaknesses in using DNS tunneling makes it trivial to retroactively wiretap all communications over the protocol long after the fact.
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
Speakers: Ashley Shen, Steve Su
This is a threat hunting and campaign tracking 101 workshop Ashley Shen (Google) and Steve (FireEye) prepared for the HITCON 2020 CTI Village. In this presentation we share the threat hunting concept with some basic techniques and explain the process and guidance for campaign tracking. The presentation was only 65 mins so we couldn't covered everything. However through this talk we hope to share our experience and insight to the beginners.
Defending Against 1,000,000 Cyber Attacks by Michael BanksEC-Council
Every time you look around some company or government organization is spouting out some huge number of “cyber-attacks” to their network every day. By no means is it easy, but could it be that there is a little exaggeration of the actuality of the encounters? There is surely a misconception in reporting and the understanding of the attack itself and how organizations account for them. There are “attacks” like port scanning and brute force attempting all across the internet and all hours of the day. Spreading awareness about them will inform the public on just how “intense” these attacks are. To demonstrate this, I bought a nice attractive domain and coupled it with a honey-pot and let the fun begin.
Are you a security professional looking for ways to identify and classify malware families? While most commonly associated with malware, YARA can actually be used against any file. In this presentation, we’ll pull back the curtain and give you an introduction to how you can use this powerful tool.
In this short time, we’ll discuss the basic format and structure of a YARA rule and introduce a few tricks to increase efficiency and performance. We will walk you through a few examples and show you some automated tools and how they can help. Lastly, we'll tie things up with some pointers on how organize rules for best effect.
There has been a Ransomware explosion the last 6 years and there have been very little done to stop infections aside from deprecated signature scans and classic malware scanner. Weston will go over a couple proof of concepts that work on even the most current versions of the malware stop from fully infecting the machines that would otherwise be infected with malware that demands 1000s of dollars in some instances. Weston will go over several methods of making your system immune to attacks from ransomware many of them were discovered from actually reverse engineering the malware early this year. Weston will also go over several open source tools to test your environments impact from malware such as Cryptowall and several tools both software and hardware that can protect your systems from malware infecting even methods of abusing the payment gateway system to allow you to get more than one file unlocked for free and Weston will also go into the research about breaking the encryption based on the outputted encrypted files.
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...EC-Council
Today there is a dispute over the ethics of operations involving honeypots and honeynets in cyber security. However, many organizations will adopt the use of such techniques and tools to develop defensive strategies to stop attackers. For professional offensive security practitioners, detecting, bypassing, and even avoiding honeypots is a new challenge and much is to be discovered and shared. This brief will work to accomplish these objectives and begin the development of a new framework for Counter Honeypot Operations (CHOps).
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseJohn Bambenek
Between limited resources and a lack of trained professionals on one hand and the increasing quantity and quality of attacks on the other, securing enterprises and responding to incidents has placed defenders on the losing end of a digital arms race. Even managing the amounts of threat data and open-source intelligence has become a challenge.
This talk will cover the possibilities and perils of integrating all the various sources of threat intelligence data to protect an organization. With all the various open-source and paid-source data, simply dumping it all into a firewall or DNS RPZ zone can be problematic. What to do about compromised websites or shared hosting environments? What about DGA domains that use full words and may collide with actual innocent websites? What about how to handle threat data that is lacking in context to make appropriate decisions on its validity and accuracy? This talk will present several case studies in how these problems can be tackled and how using multi-domain analysis can help reduce the risk and maximize the value of automated protection using these types of data.
Talk given at PHDAYS V in Moscow, May 2015.
This talk will focus on a research into Domain Generation Algorithms used in several malware families. By reverse engineering the DGA, it became possible to create near-time intelligence feeds used to monitor malicious networks and provide information required for network protection.
THOTCON - The War over your DNS QueriesJohn Bambenek
Talk given at THOTCON on October 9, 2021 entitled the War over your DNS queries and what to do about it. Covers DNS security and privacy and the importance of running your own DNS resolver.
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
In this talk, I'll be discussing my experience developing intelligence-gathering capabilities to track several different independent groups of threat actors on a very limited budget (read: virtually no budget whatsoever). I'll discuss discovering the groups using open source intelligence gathering and honeypots, monitoring attacks, collecting and analyzing malware artifacts to figure out what their capabilities are, and reverse engineering their malware to develop the capability to track their targets in real time. Finally, I'll chat about defensive strategies and provide recommendations for enterprise security analysts and other security researchers.
HITCON 2017: Building a Public RPZ Service to Protect the World's ConsumersJohn Bambenek
While we have many products and tools to protect enterprises and government networks, we are not using those same tools to protect consumers who cannot afford products and services by security companies. This talk will focus on the building of a RPZ service that can use already existing threat intelligence feeds that are freely accessible to protect consumers against threats we already know about.
Our researcher Aryeh Goretsky took a look at some of the more interesting pieces of malware and threats that have occurred over the first six months of the year 2014. And what a year it has been, with some serious new developments as well as persistence of numerous older threats.
A look at computer network defense techniques and strategies that actually work in a world of blinky light sales. Strait up defense served with a side of sarcasm.
Should I buy product $x from $vendor_y or product $y from $vendor_x? Probably neither. Come hear how you can get back to security basics to keep your organization from getting owned and discover when you are owned with a lot of tools you already have. No sales, no magic, just real world security for people that want to defend their organization.
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSJohn Bambenek
These are the slides of a talk by John Bambenek at THOTCON 0x5 in Chicago.
Imagine your first day at a client site and you spend your time figuring out what’s going on with the network. You query passive DNS to find tons of apparently VPN over DNS endpoints on your network. What starts as a simple incident investigation process sees the tables turned on those who used the protocol to hide their tracks. This talk will discuss reverse engineering VPN over DNS (vpnoverdns.com) and how weaknesses in using DNS tunneling makes it trivial to retroactively wiretap all communications over the protocol long after the fact.
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.
Blackhat USA 2014 - The New Scourge of RansomwareJohn Bambenek
In March of this year, a Romanian man killed himself and his 4-year old son because of a ransomware he received after visiting adult websites. This "police impersonation" malware instructed him to pay a massive fine or else go to jail for 11 years. Ransomware isn't a new threat; however, it introduced new life with CryptoLocker, the very first variant to perform encryption correctly, thussignificantly inhibiting security researchers and their typical countermeasures. Due to its unique nature, CryptoLocker is one of the few current malware campaigns that spawned its own working group focused around remediation. As time progressed, other ransomware copycat campaigns emerged, some of which got media attention even though they were nothing but vaporware.
This talk will focus on what the threat intelligence community did in response to this threat, including the development of near-time tracking of its infrastructure and what can be learned in order to manage new threats as they emerge.
Discussion Question Contrast file encryption and volume encryptio.docxJeniceStuckeyoo
Discussion Question: Contrast file encryption and volume encryption
· The discussion assignment requires an Original Posting (main post) from you of 2-3 paragraphs answering the module's question.
· In addition to your main post, you must post
three responses to other posts made by your classmates. These can be replies to other main posts or responding to student replies on your thread.
PLEASE RESPOND TO THE PEER POSTS BELOW
PEER 1
Ransomware works via finding its way onto a host computer, it's a kind of malware so it's like when your computer gets sick and slows it down but instead it locks out all your stuff. Usually what they ask for in return for control of your files is money, but sometimes they will ask for other important things. The FBI doesn't condone giving the attackers what they want because it's more than likely that they'll just take the money and keep your stuff locked, they'll possibly even ask for more. That's why they stress how important it is that if this happens to you then you should go to them for help. If your in a company then you ask your IT department.
The software goes through this encryption phase where it starts encrypting all the files on your computer until it's all locked and you can tell if something is encrypted usually because the file will have an extension added onto it. Such as .aaa , .micro , .encrypted , .ttt , .xyz , .zzz , .locky , .crypt , .cryptolocker , .vault , or .petya. These extensions are an indication that a file has been partially or fully encrypted. What's recommended is that as soon as you find out that your files are being locked, you disconnect from all wireless connections and other computing devices, because this virus can and will spread to cause even more havoc. It can spread across your network and ruin other computers on said network.
Ransomware is normally delivered by drive-by downloads or email phishing. Drive-by downloads are a fancy way of saying a download that you pick up while browsing a site and it runs in the background. Email phishing is one of the reasons you don't click on links from emails from anyone, even from trusted sources. If you know who the email is coming from your best bet is to get with them personally to make sure that it's a valid email and that it's not an attacker. If a ransom is paid though, the attack may give you an encryption key to unlock your files, if your lucky enough. Why take a chance though, you should always take the smart path and make sure that you contact the proper authorities if you come across anything like this in your time. Also make sure to back up your computer files, it may sound obvious enough to want to put it off and procrastinate this, but the longer you wait the more at risk you are.
PEER 2
This week, I have decided to write my discussion post about ransomware and explain how it works. I've always found it one of the more interesting topics in cybersecurity. The idea behind ransomware is quite si.
From Beer City Code Conference, Grand Rapids, MI - 2017
OWASP, SANS, Threat Modeling, Static Code Analysis, DevSkim, Burp Suite, WireShark, Fiddler, Agile, Use Cases, Code Review, Pull Request, Git, GitFlow, Red Team, Blue Team, Metasploit, NIST, TLS, Kali Linux,
Workshop on Cyber security and investigationMehedi Hasan
Introduction:
In the fast-evolving digital age of the 21st century, cybersecurity has emerged as a paramount concern for governments, businesses, and individuals. The Workshop on Cybersecurity is a comprehensive and immersive event designed to address the challenges posed by cyber threats and equip participants with the knowledge and tools to safeguard their digital assets. This workshop, to be held over five days, seeks to empower attendees with the latest insights and practices in cyber defense, fostering a culture of resilience and proactive security measures.
Day 1: Understanding the Cyber Landscape
The workshop commences with a deep dive into the complex cyber landscape that defines modern society. Distinguished experts from the cybersecurity field will present an overview of the ever-changing cyber ecosystem, highlighting its interconnectedness and vulnerabilities. Participants will gain valuable insights into the roles of governments, corporations, and individuals in shaping the cyber landscape.
Key topics covered will include the global impact of cyberattacks, the importance of international collaboration in countering cyber threats, and the significance of public-private partnerships. This foundational knowledge will serve as the basis for the subsequent discussions on cyber defense strategies.
Day 2: Unraveling Cyber Threats and Attack Vectors
Day two focuses on understanding the multitude of cyber threats and attack vectors that can target individuals and organizations. Renowned cybersecurity researchers will present real-life case studies of recent cyber incidents, ranging from nation-state-sponsored attacks to financially motivated hacking campaigns. Participants will gain a comprehensive understanding of the tactics employed by threat actors and the motivations behind their actions.
Through interactive sessions, attendees will be immersed in simulated cyber-attack scenarios, enabling them to identify and mitigate potential threats effectively. The day will emphasize the need for a proactive and adaptive approach to cybersecurity, as well as the importance of threat intelligence sharing to bolster collective defense capabilities.
Day 3: Building Robust Cyber Defense Strategies
Day three delves into the development and implementation of robust cyber defense strategies. Experts in the field will introduce participants to cutting-edge tools and technologies that can effectively detect, prevent, and respond to cyber threats. Topics covered will include advanced threat hunting techniques, next-generation firewalls, intrusion detection systems, and incident response best practices.
Encryption protects your privacy and is essential for communication. However encryption is sometimes complicated and hard to use. I want to discuss what encryption is, how it is used, and make it easy for everyone to use. I will show what tools are available under linux for protecting communications, hard drives, and web browsing.
Introduction:
In the fast-evolving digital age of the 21st century, cybersecurity has emerged as a paramount concern for governments, businesses, and individuals. The Workshop on Cybersecurity is a comprehensive and immersive event designed to address the challenges posed by cyber threats and equip participants with the knowledge and tools to safeguard their digital assets. This workshop, to be held over five days, seeks to empower attendees with the latest insights and practices in cyber defense, fostering a culture of resilience and proactive security measures.
Day 1: Understanding the Cyber Landscape
The workshop commences with a deep dive into the complex cyber landscape that defines modern society. Distinguished experts from the cybersecurity field will present an overview of the ever-changing cyber ecosystem, highlighting its interconnectedness and vulnerabilities. Participants will gain valuable insights into the roles of governments, corporations, and individuals in shaping the cyber landscape.
Key topics covered will include the global impact of cyberattacks, the importance of international collaboration in countering cyber threats, and the significance of public-private partnerships. This foundational knowledge will serve as the basis for the subsequent discussions on cyber defense strategies.
Day 2: Unraveling Cyber Threats and Attack Vectors
Day two focuses on understanding the multitude of cyber threats and attack vectors that can target individuals and organizations. Renowned cybersecurity researchers will present real-life case studies of recent cyber incidents, ranging from nation-state-sponsored attacks to financially motivated hacking campaigns. Participants will gain a comprehensive understanding of the tactics employed by threat actors and the motivations behind their actions.
Through interactive sessions, attendees will be immersed in simulated cyber-attack scenarios, enabling them to identify and mitigate potential threats effectively. The day will emphasize the need for a proactive and adaptive approach to cybersecurity, as well as the importance of threat intelligence sharing to bolster collective defense capabilities.
Day 3: Building Robust Cyber Defense Strategies
Day three delves into the development and implementation of robust cyber defense strategies. Experts in the field will introduce participants to cutting-edge tools and technologies that can effectively detect, prevent, and respond to cyber threats. Topics covered will include advanced threat hunting techniques, next-generation firewalls, intrusion detection systems, and incident response best practices.
Participants will engage in practical workshops, enabling them to apply the newly acquired knowledge and skills to real-world scenarios. Emphasis will be placed on the importance of continuous monitoring, vulnerability management, and the establishment of an agile security infrastructure capable of adapting to emerging
I'm All Up in Your Blockchain - Hunting Down the NazisJohn Bambenek
In the wake of the white supremacist rally in Charlottesville, Virginia and the car attack in the aftermath, normal people wondered what is behind the resurgence of racial extremism. In looking at some of the figureheads of this movement, it was immediately apparent that several fund their operations with bitcoin with several holding thousands of dollars and a few holding millions (as of today's exchange rate). This talk will cover the research efforts into figuring out the adversaries behind the white supremacist movement, who is funding them, and the results of publishing their transactions on a live twitter feed at @neonaziwallets. We will show how they are getting their big money and what can be done to disrupt their activities. This talk will also cover an open-source twitter bot script that can monitor transactions to defined wallets and demonstrate how various exchanges leak information that allow visibility into other altcoins, particularly monero.
MISP Summit 2018: Barncat: Using MISP for Bulk Malware SurveillanceJohn Bambenek
This is a talk given at the MISP summit in Luxembourg on how the Barncat malware configuration uses MISP to share data and the interesting things you can do with a huge body of malware configurations.
SANSFIRE - Elections, Deceptions and Political BreachesJohn Bambenek
Its been the year of political breaches. While campaigns are odd entities, there are lessons enterprises can draw from what happened in 2016 to protect their organizations from attacks.
IESBGA 2014 Cybercrime Seminar by John BambenekJohn Bambenek
This talk by John Bambenek, "What Small Businesses and Entrepreneurs Need to Know About Cybercrime" was given at IESBGA 2014 on May 30th, 2014 at Illinois State University.
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014John Bambenek
Every day we hear more and more about credit cards getting stolen, businesses getting hacked and national secrets being pilfered from our government. In this seminar, you’ll learn:
- what threats small businesses need to be aware of
- what threats are hype
- how small businesses can protect themselves in a cost-effective way
- you’ll walk away with 5 things you can do in your small business to be more secure without having to buy a single piece of software
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
ER(Entity Relationship) Diagram for online shopping - TAEHimani415946
https://bit.ly/3KACoyV
The ER diagram for the project is the foundation for the building of the database of the project. The properties, datatypes, and attributes are defined by the ER diagram.
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
Defcon Crypto Village - OPSEC Concerns in Using Crypto
1. OPSEC CONCERNS IN USING
CRYPTOGRAPHY
OR:
HOW YOUR BAD TECH DECISIONS
HELP ME PUT YOU IN JAIL
JOHN BAMBENEK
CRYPTO & PRIVACY VILLAGE, DEFCON 24
2. BIO
• Manager, Threat Systems @ Fidelis Cybersecurity
• Lecturer in CS @ University of Illinois Urbana-Champaign
• Run several takedown oriented groups on malware threats
• Crafter of Artisanal Molotov Cocktails
4. TL;DR - PATTERNS AND NORMALCY
• Surveillance does not scale for large datasets:
• People, malware, packets on the internet, etc.
• There has to be multiple layers of filtering and scoring to
determine priority of tasking resources.
• Some targets are specifically and explicitly tasked, everything
else is all subject to some level of pattern matching and
prioritization.
6. WHAT IS OPSEC?
• Operational security: keep what you don’t want known
unknown.
• Part is keeping secrets.
• Another (more important part) is not looking like you have secrets worth
having.
• Basic security matters (we’re still not using passphrase-less
keys are we?)
• Compartmentalization: everyone has compartments.
• Signaling vs. Communication
7. RISK ASSESSMENT?
• Who are we hiding from? What are their interests and
capabilities? What is “sufficiency”?
• Intelligence services, law enforcement, and their friends (like
me)
• Criminals or other malicious actors
• Comcast
8. DON’T THINK YOU ARE A TARGET?
• How many people here have admin/root on infrastructure they
don’t own?
• Our government has already said that is the exact kind of
people they are targeted (even before those of you how have 0-
days, etc).
• You don’t think the US is the only one who does this, do you?
9. WHY OPSEC CONCERNS WITH CRYPTO?
• Thought process starting in tracking mobile malware, Android
Apps need to be signed.
• As an investigator and intel analyst, I LOVE free-form text
fields. (more later)
• As technologists, crypto is hard and many of us still don’t
understand it’s limitations.
• Encrypt all the things may not be the best option in certain
circumstances.
10. WHY OPSEC CONCERNS WITH CRYPTO?
• Two parts of OPSEC:
• Want to hide the secrets
• Want to hide the fact you have secrets
• Crypto is great at the first one.
• Crypto often loudly yells that you are the second guy.
• Note- Everyone I’ve helped put in jail is there because they
screwed up their OPSEC.
12. OPSEC PROBLEM #1 WITH ENCRYPTION
• Not everything is encrypted.
• Above example, the DNS request which is “good enough” to know what
you’re doing.
• Even in a “perfect” crypto world, the session metadata isn’t
encrypted.
• Source, Destination, Time, Inferences of size of communication…
• If I know who you are calling/texting, sometimes that’s enough to make
inferences.
• The HEIST attack at RSA, while overhyped, is an example.
13. CAREER DECISIONS
From: Kevin Mandia kevin.mandia@fireeye.com
To: John Bambenek john.bambenek@fidelissecurity.com
Subject: Job Offer for VP role
-----BEGIN PGP MESSAGE-----
Version: GnuPG
v2hQEMA/RALgVP0CqhAQf+K6nsUfJ2JZKEJQIqcuywV3xwtpRR4bQhZblCPQcSJwbPzgh/q4zoIZi/yy5XLTGQ
6p2WrQH+0UfmQmyu44v1VPBF+3JFReG1IJvJNXPQPcH13gGiyLRj4A1r32EgieHIxbfN+TWvrrl4M1BOQ0dQ
2UXkrInj2/5xLFl2HunrDZiqSQcpZrqwTCJf+CJXlZJJKmQRNz76ohQzVbJFyqV/zIKD26DBMGKRB0v2gYjhTRW
V9cuHLf9JSNA5ZdmyskcEM0PFCzSnv9Mx6VprsbWGeb6dbkwW1kM+xgdbcSnyEuRyVFUoOPTb1E0q5rDN
wVZknUZAq1pjYnn+D+zoVRyz99LA0AFLgF8T3gQaQqIQErW3OlVxQKb58DKv6lM4x5oxlI4sv1je6HT7+PK
nCvmbhRRWFpWVkyot5Fam0xILWR2UbE+/1a3nSDySnGnzNNq2e2EDrKA+CNVFGXd3HfFZgzAp2foEP/Z+
kbU9O/2QvwS/jBbclti9SPK0PNuPa321TpD/Qoz0yuPWhpOrYp/kxN7nJ9FW5OWI+r5dEB29yasAeeCoMsxJz
yzo7TnKQEOP5Ty/Sae+K0yY4Do7oakGQVKyEkQUzQlOc0bwAwINavXJsov2nlGmV7eRJgr8xzDc6DCHuZm
3URfqKvt37Vbr1kpPs6mjtHSw0iJJ1tvk9tbiElfAQvXr3KyQlGhqNjtPC8TEYnWeIlq27OfQ6iLarTtkYX3oJLW5NlI
lvSVLICzB+yejDP+8HMVKF1s8Nc6D9V78dyHBPdx8wafPUYf4XeImux1m1SFdRJjvYhaU5famV0hPR22Tui+e
EPSvzKWDa4VDT/jIENl9TSPH3LqpXEQVYoL2Cw/+0lBpWE90+Hlw2w8==Iidd
-----END PGP MESSAGE-----
14. AND THERE’S MORE
$ gpg -vvvv text.gpg
gpg: using character set `utf-8’
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: GnuPG v2
:pubkey enc packet: version 3, algo 1, keyid F4402E054FD02AA1
data: [2046 bits]
gpg: public key is 4FD02AA1
:encrypted data packet: length: 400 mdc_method: 2
gpg: encrypted with RSA key, ID 4FD02AA1
gpg: decryption failed: secret key not available
15. IF YOU HAVE THE KEY, YOU GET MORE
:secret key packet: version 4, algo 1, created 1442844965,
expires 0 skey[0]: [4096 bits] skey[1]: [17 bits] iter+salt
S2K, algo: 3, SHA1 protection, hash: 2, salt: 1edfd8aa175bb427
protect count: 65536 (96) protect IV: 8a d6 c0 76 0e
c4 86 5c encrypted stuff follows keyid:
0F3B1D99BBB8C31E:user ID packet: "John Bambenek
<john.bambenek@fidelissecurity.com>”
Anonymity with PGP is hard. See Tom Ritter’s Deanonymizing
Alt.Anonymous.Messages talk: https://ritter.vg/p/AAM-
defcon13.pdf
16. KEYSERVERS
• With a Key ID, you can cross-search keyservers to find the
identity.
• Old keys never die.
• Many people have multiple emails tied to the same key (not
usually a good idea).
• People reuse same SSH keys for authentication across
environments.
• Silk Road – Dread Pirate Roberts compartmentalization screw-
ups should be required reading.
17. BOTTOM LINE
• The argument for shutting down “safe spaces” for terrorists to
communicate is stupid. Never drive a known into an unknown
without some return.
• Lots of useful data still available in metadata.
• Required reading: @thegrugq
• https://medium.com/@thegrugq/intelligence-services-are-
scary-af-40f7646ea117#.o6hszwm7g
18. OPSEC PROBLEM #2 WITH CRYPTO
• SSL/TLS Certificates, Signing Certs create all sorts of new
metadata
• Geolocation, Identity, Serial Number, Creation/Expiration Dates
• CAs have one job: to verify identify of the owner of certs they
sign
• Have I said I love free-form text fields?
19. YOU HAVE ONE JOB
# ./letsencrypt-auto certonly --standalone -d gmail.com
An unexpected error occurred:
Policy forbids issuing for name
# ./letsencrypt-auto certonly --standalone -d fireeye.com
Installation succeeded.
# ./letsencrypt-auto certonly --standalone -d illinois.gov
Installation succeeded.
20. IT GETS WORSE
• What happens when someone gets a wildcard certificate?
• What about when a security company gets their own CA
certificate?
21. MORE CERTIFICATE FUN
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
fa:21:6b:2c:8e:6c:35:f6
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=EU, ST=Oregon, L=Cincinati, O=Oracle Corporation, OU=Oracle, CN=Oracle
Developer/emailAddress=admin@oracle.com
Validity
Not Before: Jan 6 16:33:13 2015 GMT
Not After : May 23 16:33:13 2042 GMT
Subject: C=EU, ST=Oregon, L=Cincinati, O=Oracle Corporation, OU=Oracle, CN=Oracle
Developer/emailAddress=admin@oracle.com
22. MORE CERTIFICATE FUN
• Malware builder always used the above cert when it resigned
trojanized app.
• Now it’s trivial to find the “many” apps in the Google Play store
with that malware.
• Basic statistically analysis, hunting for geographic oddities, etc
makes hunting mobile malware easy.
23. HOW TO FAIL AT TLS
Data:
Version: 3 (0x2)
Serial Number: 522427837 (0x1f239dbd)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=FR, O=assylias.Inc, CN=assylias
Validity
Not Before: Jan 17 05:26:19 2015 GMT
Not After : Dec 24 05:26:19 2114 GMT
Subject: C=FR, O=assylias.Inc, CN=assylias
25. ONE LAST POINT
• SSL/TLS certification information is searchable with Shodan and
a few other tools specifically for archiving observed SSL/TLS
certs.
• If you re-use certs, it makes it easy to correlate your activities
and break your compartmentalization.
26. OPSEC PROBLEM #3 WITH ENCRYPTION
• Encryption (to some) is inherently suspicious.
• What is actually suspicious is abnormal behavior.
• All profiling (and surveillance) is based on this concept because
it is impossible to monitor everyone completely. Target
selection is important.
29. VPNS
• I may not know what you’re saying, but I know when you’re
saying it.
• All the “privacy” VPN services are known and their IP space is
profiled.
• You could set up your own VPN, but you immediately lose the
privacy using a common service provides.
• And don’t think all those bitcoin services will help you either.
Bitcoin is anonymous but it is NOT private.
30. MAKING ENCRYPTION MAINSTREAM
• We’re already doing it with Let’s Encrypt and other aspects of
PRISM fallout.
• Google now sends email over TLS (**if other side supports it**)
• Tor is not ”normal”
• VPNs to non-corporate endpoints are not “normal”
• Encrypted email is not ”normal”, nor is WhatsApp, Signal, et al…
yet.
• But they can be. We may not look like a sheep, but maybe we
can make the sheep look like us.
31. SOMETIMES ENCRYPTION IS NOT WORTH IT
• When traveling in “less friendly” locations, it may be better not
to draw attention. Border checkpoints are not your friends.
• Tor may hide what you are looking at but it stands out on a
network.
• Many criminal and intelligence professionals use electronic
means for signaling and then have a conversation in a preferred
secure location.
32. SOMETIMES ENCRYPTION IS NOT WORTH IT
• How many people here have secure wifi at home?
• Note, digital forensics is good at figuring out the bits. It can be
hard to figure out what’s going on in actual meat space.
• Sometimes ambiguity is your friend.
33. OPSEC PROBLEM #4 WITH ENCRYPTION
• Encryption doesn’t protect you against stupid mistakes.
Including by others.
• It’s the stupid stuff that gets you.
• Password re-use, even when hashed and salted can taint
compartmentalization.
• Passphrase-less keys publicly available on the web
34. STUPID MISTAKES BY OTHERS
• All security is based on trust.
• Using a hacker bulletin board? How can you be sure they are
fully patched and haven’t had their database dumped?
• Are you sure your encrypted messenger isn’t just giving your
data away anyway?
• Think it can’t happen? Look at Wall of Sheep upstairs. Or ask
Ashley Madison.
• Important point, password hashes become identifiers.
35. ALL ENCRYPTION NEEDS TO BE
EVENTUALLY DECRYPTED
• Cracking crypto is hard… attacking endpoints is easy. Attacking
people’s stupid mistakes is trivial.
• If I already own your box, all your encrypted comms are
worthless.
36. PASSPHRASE-LESS KEYS
• You may be in a scenario to have to give up your files… if your
keys are there it’s game over.
• Virustotal keeps all files that are submitted to it and makes
them available via commercial API.
• You can use Yara to find things, like all files that have “BEGIN
RSA PRIVATE KEY”.
• The search “maxes” out the results at 10,000. Of those, over 85% had no
passphrase.
• SSH keys don’t have targeting information in them directly.
• PGP keys do though, and you can search for those in VT too
37. WHAT TO DO ABOUT IT ALL?
• It depends on what adversary you care about.
• Free-form text fields are your worst enemy.
• Layers help.
• Compartmentalize (if you’re doing interesting things while
using tor from home, you’re doing it wrong).
• Look and smell like a normal. Sometimes waiting or not
encrypting is a better option.
38. TOOL 1 – ANDROID-CERT-GENERATOR
• https://github.com/uiucseclab/Android-Cert-Generator from UI
Security Lab students.
• I wanted to figure out how to defeat my own analytics.
• Problem: Android malware requires you to write a fully-functioning
app or to trojanize an existing app but have to resign it. Need a way
to create believable but fake signed APKs because you lack the
private key.
• Uses same details as previous signed cert.
• Checks google play store and wolfram alpha to generate the information.