For #Redpill2017, The most offensive security conference in Thailand.
This slide talks about the weak point of endpoint protection such as Antivirus, User Account Control, AppLocker.
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
After successfully attacking an endpoint and gaining a foothold there, sophisticated attackers know that to get to the valuable data within an organization they must quietly pivot. From reconnaissance to escalation of privileges to stealing credentials, learn about the tactics and tools that attackers are using today.
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
After successfully attacking an endpoint and gaining a foothold there, sophisticated attackers know that to get to the valuable data within an organization they must quietly pivot. From reconnaissance to escalation of privileges to stealing credentials, learn about the tactics and tools that attackers are using today.
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
Pre-auth SYSTEM RCE on Windows Is more common than you think
----
With minimal to no effort, we can gain SYSTEM level access to hundreds, if not, thousands of machines on the internet [remotely]. No, this is not a new super 1337 exploit and no this is not even a new technique. No super fancy website with poorly designed logo is necessary, there is nothing new here. Tim and Dennis have discovered that something only stupid sysadmins would do turns out to be much more prevalent than expected. What starts off as a sysadmin's innocent attempt to fix an issue, turns into complete compromise of entire servers/workstations with no effort needed from the attacker. Tim and Dennis will discuss how we came to this realization and explain how we automated looking for these issues in order to find hundreds of vulnerable machines over the internet. Tim and Dennis explain the tool developed for automation, provide statistics discovered from our research, and go over ways to protect yourself from falling victim to the issue.
Alban Diquet, Data Theorem
Thomas Sileo, Data Theorem
Over the last two years, we've received and analyzed more than three million SSL validation failure reports from more than a thousand of iOS and Android apps available on the Stores, and used all around the world. From mobile banking to music apps, each report was triggered because an unknown or unexpected certificate was being served to the app, preventing it from establishing a secure connection to its server via SSL/TLS.
We've analyzed each of these reports to understand what caused the SSL connection to fail, and then grouped similar failures into various classes of SSL incidents. Throughout this presentation, we will describe the analysis we've made and present our findings.
First, we will provide a high-level overview of where, how, and why SSL incidents are occurring across the world for iOS and Android users, and describe the various classes of incidents we've detected. Some of these types of incidents, such as corporate devices performing traffic inspection, are well-known and understood, although we will provide new insights into how widespread they are.
Then, we will take a closer look at a few notable incidents we detected, which have been caused by unexpected, or even suspicious actors. We will describe our investigations and what we found.
Lastly, we will provide real-world solutions on how to protect apps against traffic interception and attacks, as a mobile developer.
Matt Swann, Microsoft
As defenders, we watch our intrusion detection systems like a hawk so that we know when to jump into action. However, successfully evicting an adversary in a large-scale environment requires capabilities beyond detection.
In this talk I describe 5 capabilities that network defenders must have in order to effectively respond to an intrusion in a large-scale service. I describe how we overcame these challenges in Office 365 with pointers to source code and reusable tooling.
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...EC-Council
In todays IT security world, we accept and embrace that the technology is constantly changing, we are very often still amazed at the rapid growth of the technology evolution and how it has far superseded beyond expectations, whilst thinking about the potential uses of this new technology we get excited and then it hits us! What about the security implications for our organization?? Holy Crap what did you say about SS7?
In this presentation, Wayne will take you through some real live demonstrations of Network Crypto Hacking and Exploitation using the latest custom built, SWAT (Special Weapons and Technology) cyber-warfare hacking tools.
To help us defend against the latest threats, that sends our risk rating scores off the chart? We do as we have always done! Research the threat viability, learn and deploy defense and mitigation options. For this very reason its imperative for us to stay up-to date with new emerging threats tactics.
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...CODE BLUE
Japan is recently experiencing a rise in targeted attacks. However, it is rare that details of such attacks are revealed. Under this circumstance, JPCERT/CC has been investigating the attack operations targeting Japanese organizations including the government and leading enterprises. We have especially been tracking two distinct cases over a prolonged period.
The first case, which became public in 2015, drew nationwide attention for victimizing several Japanese organizations. In this case, the attacker conducts sophisticated attacks through network intrusion and targeting weak points of the organizations.
The second case has been continuously targeting certain Japanese organizations since 2013. Although this case has not drawn as much attention, the attacker has advanced techniques and uses various interesting attack methods.
This presentation will introduce the above two attack operations, including attack techniques we revealed through prolonged investigation, the malware/tools being used, as well as useful techniques/tools for analyzing related malware.
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
The very best attackers often use PowerShell to hide their scripts from A/V and application whitelisting technologies using encoded commands and memory-only payloads to evade detection. These techniques thwart Blue Teams from determining what was executed on a target system. However, defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs.
We need new avenues to remain stealthy in a target environment. So, this talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. I will share these techniques already being used in the wild so you can understand the value each technique provides the attacker.
Updated PowerShell event logging mitigates many of the detection challenges that obfuscation introduces. However, many organizations do not enable this PowerShell logging. Therefore, I will provide techniques that the Blue Team can use to detect the presence of these obfuscation methods in command line arguments. I will conclude this talk by highlighting the public release of Invoke-Obfuscation. This tool applies the aforementioned obfuscation techniques to user-provided commands and scripts to evade command line argument detection mechanisms.
--- Daniel Bohannon
Daniel Bohannon is an Incident Response Consultant at MANDIANT with over six years of operations and information security experience. His particular areas of expertise include enterprise-wide incident response investigations, host-based security monitoring, data aggregation and anomaly detection, and PowerShell-based attack research and detection techniques. As an incident response consultant, Mr. Bohannon provides emergency services to clients when security breach occur. He also develops new methods for detecting malicious PowerShell usage at both the host- and network-level while researching obfuscation techniques for PowerShell- based attacks that are being used by numerous threat groups. Prior to joining MANDIANT, Mr. Bohannon spent five years working in both IT operations and information security roles in the private retail industry. There he developed operational processes for the automated aggregation and detection of host- and network-based anomalies in a large PCI environment. Mr. Bohannon also programmed numerous tools for host-based hunting while leading the organization’s incident response team. Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology and a Bachelor of Science in Computer Science from The University of Georgia.
In this presentation I have explained about difference between regular malware attack and fileless attack. Also added ways to capture it using EventTracker.
Jugal Parikh, Microsoft
Holly Stewart, Microsoft
Humans are susceptible to social engineering. Machines are susceptible to tampering. Machine learning is vulnerable to adversarial attacks. Singular machine learning models can be “gamed” leading to unexpected outcomes.
In this talk, we’ll compare the difficulty of tampering with cloud-based models and client-based models. We then discuss how we developed stacked ensemble models to make our machine learning defenses less susceptible to tampering and significantly improve overall protection for our customers. We talk about the diversity of our base ML models and technical details on how they are optimized to handle different threat scenarios. Lastly, we’ll describe suspected tampering activity we’ve witnessed using protection telemetry from over half a billion computers, and whether our mitigation worked.
The Hunter Games: How to Find the Adversary with Event Query LanguageRoss Wolf
Circle City Con 2019 and BSides SATX 2019
Abstract:
How do you find malicious activity? We often resort to the cliche, you know it when you see it, but how do you even see it, without drowning in data? MITRE’s ATT&CK knowledge base organizes adversary behavior into tactics and techniques, and orients our approach to endpoint data. It suggests questions that might be worth asking, but not a way to ask them. The Event Query Language (EQL) allows a security analyst to naturally express queries for IOC search, hunting, and behavioral detections, while remaining platform and data source agnostic.
In this talk, I will demonstrate the iterative process of establishing situational awareness in your environment, creating targeted detections, and hunting for the adversary in your environment with real data, queries, and results.
Lei Shi & Mei Wang, Qihoo 360
Virtualization is one of the most complicated software in the world. The VMware workstation is very popular in many fields. The windows 10 has a lot of mitigation technology to get avoid of exploitation. It's a great challenge to make a vm escape in VMware workstation under Win 10. Especially when the guest and host are both win 10 and the guest user are NO-ADMIN. This talk will present how to make a vm escape and execute arbitrary code in the host from a NO-ADMIN guest user under Win 10(both the guest and host are Win 10). They have developed three different exploitation. This talk will introduce them and show a very elegant exploitation technology of vm escape. Besides the vm escape technology, this talk will also show the exploitation technology in Win 10. It is quite attractive because there's a process continuation, saying that the guest can execute the exploitation without crashing/disturbing the host process(VMware workstation virtual machine process). The exploitation is very reliable, it reaches nearly 100% successful rate.
Insider Threat: How Does Your Security Stack Measure Up?ThinAir
Security technologists, practitioners, and the media love to talk about the latest malware, and zero-day attacks that hackers and nation states direct against their targets. The reality is that a significant portion of security incidents and data breaches come from within an organization’s security perimeter. The insider threat is the unglamorous side of security, and one that most vendors and industry professionals tend to ignore. Which tools in your security stack truly address the insider threat problem? What percentage of your security budget is dedicated to this issue?
This presentation will explore the rise of the insider threat, and the five essential components of an effective approach to identifying and investigating breaches that result from the malicious or innocent actions of internal actors.
Learning Objectives:
• Learn about the trends, size & scope of the insider threat problem
• How to Evaluate your security stack against the insider threat problem
• Explore emerging concept of insider detection and investigation and the five required components of an insider threat approach.
Adapt or Die: The Evolution of Endpoint SecurityTripwire
The rapid transformation of the digital landscape and the proliferation of new business models are bringing sweeping changes to IT organizations everywhere. In order to keep up with the accelerating cycles of change and keep your company safe in an increasingly hostile threat landscape, your organization’s endpoint protection strategy must evolve.
In this interactive webinar, Eric Ogren, Senior Security Analyst at 451 Research and Gajraj Singh, VP of Product Marketing at Tripwire will provide insight into proactive steps you can take to improve your endpoint security.
Topics include:
• The top three things you can do today to improve the effectiveness of your endpoint security program.
• How to gain sufficient endpoint visibility to effectively reduce breaches.
• The likely evolution of endpoints and how technology is adapting to protect them.
• How to incorporate the evolutions of endpoint detection into security investment decisions.
Pre-auth SYSTEM RCE on Windows Is more common than you think
----
With minimal to no effort, we can gain SYSTEM level access to hundreds, if not, thousands of machines on the internet [remotely]. No, this is not a new super 1337 exploit and no this is not even a new technique. No super fancy website with poorly designed logo is necessary, there is nothing new here. Tim and Dennis have discovered that something only stupid sysadmins would do turns out to be much more prevalent than expected. What starts off as a sysadmin's innocent attempt to fix an issue, turns into complete compromise of entire servers/workstations with no effort needed from the attacker. Tim and Dennis will discuss how we came to this realization and explain how we automated looking for these issues in order to find hundreds of vulnerable machines over the internet. Tim and Dennis explain the tool developed for automation, provide statistics discovered from our research, and go over ways to protect yourself from falling victim to the issue.
Alban Diquet, Data Theorem
Thomas Sileo, Data Theorem
Over the last two years, we've received and analyzed more than three million SSL validation failure reports from more than a thousand of iOS and Android apps available on the Stores, and used all around the world. From mobile banking to music apps, each report was triggered because an unknown or unexpected certificate was being served to the app, preventing it from establishing a secure connection to its server via SSL/TLS.
We've analyzed each of these reports to understand what caused the SSL connection to fail, and then grouped similar failures into various classes of SSL incidents. Throughout this presentation, we will describe the analysis we've made and present our findings.
First, we will provide a high-level overview of where, how, and why SSL incidents are occurring across the world for iOS and Android users, and describe the various classes of incidents we've detected. Some of these types of incidents, such as corporate devices performing traffic inspection, are well-known and understood, although we will provide new insights into how widespread they are.
Then, we will take a closer look at a few notable incidents we detected, which have been caused by unexpected, or even suspicious actors. We will describe our investigations and what we found.
Lastly, we will provide real-world solutions on how to protect apps against traffic interception and attacks, as a mobile developer.
Matt Swann, Microsoft
As defenders, we watch our intrusion detection systems like a hawk so that we know when to jump into action. However, successfully evicting an adversary in a large-scale environment requires capabilities beyond detection.
In this talk I describe 5 capabilities that network defenders must have in order to effectively respond to an intrusion in a large-scale service. I describe how we overcame these challenges in Office 365 with pointers to source code and reusable tooling.
SWAT Style – Live Network Crypto Hacking and Exploitation by Kevin Cardwell a...EC-Council
In todays IT security world, we accept and embrace that the technology is constantly changing, we are very often still amazed at the rapid growth of the technology evolution and how it has far superseded beyond expectations, whilst thinking about the potential uses of this new technology we get excited and then it hits us! What about the security implications for our organization?? Holy Crap what did you say about SS7?
In this presentation, Wayne will take you through some real live demonstrations of Network Crypto Hacking and Exploitation using the latest custom built, SWAT (Special Weapons and Technology) cyber-warfare hacking tools.
To help us defend against the latest threats, that sends our risk rating scores off the chart? We do as we have always done! Research the threat viability, learn and deploy defense and mitigation options. For this very reason its imperative for us to stay up-to date with new emerging threats tactics.
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...CODE BLUE
Japan is recently experiencing a rise in targeted attacks. However, it is rare that details of such attacks are revealed. Under this circumstance, JPCERT/CC has been investigating the attack operations targeting Japanese organizations including the government and leading enterprises. We have especially been tracking two distinct cases over a prolonged period.
The first case, which became public in 2015, drew nationwide attention for victimizing several Japanese organizations. In this case, the attacker conducts sophisticated attacks through network intrusion and targeting weak points of the organizations.
The second case has been continuously targeting certain Japanese organizations since 2013. Although this case has not drawn as much attention, the attacker has advanced techniques and uses various interesting attack methods.
This presentation will introduce the above two attack operations, including attack techniques we revealed through prolonged investigation, the malware/tools being used, as well as useful techniques/tools for analyzing related malware.
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
The very best attackers often use PowerShell to hide their scripts from A/V and application whitelisting technologies using encoded commands and memory-only payloads to evade detection. These techniques thwart Blue Teams from determining what was executed on a target system. However, defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs.
We need new avenues to remain stealthy in a target environment. So, this talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. I will share these techniques already being used in the wild so you can understand the value each technique provides the attacker.
Updated PowerShell event logging mitigates many of the detection challenges that obfuscation introduces. However, many organizations do not enable this PowerShell logging. Therefore, I will provide techniques that the Blue Team can use to detect the presence of these obfuscation methods in command line arguments. I will conclude this talk by highlighting the public release of Invoke-Obfuscation. This tool applies the aforementioned obfuscation techniques to user-provided commands and scripts to evade command line argument detection mechanisms.
--- Daniel Bohannon
Daniel Bohannon is an Incident Response Consultant at MANDIANT with over six years of operations and information security experience. His particular areas of expertise include enterprise-wide incident response investigations, host-based security monitoring, data aggregation and anomaly detection, and PowerShell-based attack research and detection techniques. As an incident response consultant, Mr. Bohannon provides emergency services to clients when security breach occur. He also develops new methods for detecting malicious PowerShell usage at both the host- and network-level while researching obfuscation techniques for PowerShell- based attacks that are being used by numerous threat groups. Prior to joining MANDIANT, Mr. Bohannon spent five years working in both IT operations and information security roles in the private retail industry. There he developed operational processes for the automated aggregation and detection of host- and network-based anomalies in a large PCI environment. Mr. Bohannon also programmed numerous tools for host-based hunting while leading the organization’s incident response team. Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology and a Bachelor of Science in Computer Science from The University of Georgia.
In this presentation I have explained about difference between regular malware attack and fileless attack. Also added ways to capture it using EventTracker.
Jugal Parikh, Microsoft
Holly Stewart, Microsoft
Humans are susceptible to social engineering. Machines are susceptible to tampering. Machine learning is vulnerable to adversarial attacks. Singular machine learning models can be “gamed” leading to unexpected outcomes.
In this talk, we’ll compare the difficulty of tampering with cloud-based models and client-based models. We then discuss how we developed stacked ensemble models to make our machine learning defenses less susceptible to tampering and significantly improve overall protection for our customers. We talk about the diversity of our base ML models and technical details on how they are optimized to handle different threat scenarios. Lastly, we’ll describe suspected tampering activity we’ve witnessed using protection telemetry from over half a billion computers, and whether our mitigation worked.
The Hunter Games: How to Find the Adversary with Event Query LanguageRoss Wolf
Circle City Con 2019 and BSides SATX 2019
Abstract:
How do you find malicious activity? We often resort to the cliche, you know it when you see it, but how do you even see it, without drowning in data? MITRE’s ATT&CK knowledge base organizes adversary behavior into tactics and techniques, and orients our approach to endpoint data. It suggests questions that might be worth asking, but not a way to ask them. The Event Query Language (EQL) allows a security analyst to naturally express queries for IOC search, hunting, and behavioral detections, while remaining platform and data source agnostic.
In this talk, I will demonstrate the iterative process of establishing situational awareness in your environment, creating targeted detections, and hunting for the adversary in your environment with real data, queries, and results.
Lei Shi & Mei Wang, Qihoo 360
Virtualization is one of the most complicated software in the world. The VMware workstation is very popular in many fields. The windows 10 has a lot of mitigation technology to get avoid of exploitation. It's a great challenge to make a vm escape in VMware workstation under Win 10. Especially when the guest and host are both win 10 and the guest user are NO-ADMIN. This talk will present how to make a vm escape and execute arbitrary code in the host from a NO-ADMIN guest user under Win 10(both the guest and host are Win 10). They have developed three different exploitation. This talk will introduce them and show a very elegant exploitation technology of vm escape. Besides the vm escape technology, this talk will also show the exploitation technology in Win 10. It is quite attractive because there's a process continuation, saying that the guest can execute the exploitation without crashing/disturbing the host process(VMware workstation virtual machine process). The exploitation is very reliable, it reaches nearly 100% successful rate.
Insider Threat: How Does Your Security Stack Measure Up?ThinAir
Security technologists, practitioners, and the media love to talk about the latest malware, and zero-day attacks that hackers and nation states direct against their targets. The reality is that a significant portion of security incidents and data breaches come from within an organization’s security perimeter. The insider threat is the unglamorous side of security, and one that most vendors and industry professionals tend to ignore. Which tools in your security stack truly address the insider threat problem? What percentage of your security budget is dedicated to this issue?
This presentation will explore the rise of the insider threat, and the five essential components of an effective approach to identifying and investigating breaches that result from the malicious or innocent actions of internal actors.
Learning Objectives:
• Learn about the trends, size & scope of the insider threat problem
• How to Evaluate your security stack against the insider threat problem
• Explore emerging concept of insider detection and investigation and the five required components of an insider threat approach.
Adapt or Die: The Evolution of Endpoint SecurityTripwire
The rapid transformation of the digital landscape and the proliferation of new business models are bringing sweeping changes to IT organizations everywhere. In order to keep up with the accelerating cycles of change and keep your company safe in an increasingly hostile threat landscape, your organization’s endpoint protection strategy must evolve.
In this interactive webinar, Eric Ogren, Senior Security Analyst at 451 Research and Gajraj Singh, VP of Product Marketing at Tripwire will provide insight into proactive steps you can take to improve your endpoint security.
Topics include:
• The top three things you can do today to improve the effectiveness of your endpoint security program.
• How to gain sufficient endpoint visibility to effectively reduce breaches.
• The likely evolution of endpoints and how technology is adapting to protect them.
• How to incorporate the evolutions of endpoint detection into security investment decisions.
Data Loss Prevention technologies are needed to protect data coming into and leaving the organization. There are a number of problems and challenges with the many vendors supplying DLP technology. This presenation reviews some of the Myths around Data Loss Prevention.
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...Kaspersky
A key business goal of any organization is to maintain the constant availability of data and systems that can be trusted for decision-making purposes. The evolving threat landscape has resulted in increasing focus, right to board level, on cybersecurity. IT operational and security teams should demonstrate a comprehensive, cohesive approach in their response to security incidents and data breaches.
From the demise of conventional signature-based endpoint technologies have risen next generation solutions. These technologies have cluttered the marketplace introducing a conundrum for endpoint selection. This session will focus on the key requirements for effective security prevention, detection, and remediation. It will introduce a real-world framework for categorizing endpoint capabilities, and enable selection of solutions matching the unmet needs of security programs. The following topics will be covered:
• What do i actually need?
• Real-world framework to categorize endpoint capabilities
• Map vendors into buckets within the framework
• Housekeeping, what's needed before you even start?
• Cheat sheet of probing questions to ask vendors
• Best practices of deploying best of breed solutions
Data Security: Why You Need Data Loss Prevention & How to Justify ItMarc Crudgington, MBA
With the increasing number of cyber-attacks and incidents seeming to occur weeks/months/years before discovery of breach, simply securing your perimeter is no longer enough to protect your most critical assets. Privacy breaches are averaging upwards of $200 per record and studies have shown at intellectual property infringement cost the average company $101.9 million in revenues.
Key points addressed include:
• The Impact of Cyber Crime on our Economy
• The Cost Companies are incurring due to Cyber Crime and Data Breaches
• Who are the threat actors?
• What makes up a Data Loss Prevention ecosystem?
• What does a Data Loss Prevention strategy do for me?
• Hidden Benefits of Data Loss Prevention
• Justifying a Data Loss Prevention Strategy
What Is Next-Generation Endpoint Security and Why Do You Need It?Priyanka Aash
This session will clarify the definition of next-generation endpoint security and distinguish it from legacy antivirus software. It will also describe how next-generation endpoint security can help organizations improve incident prevention, detection and response.
(Source: RSA USA 2016-San Francisco)
Data loss is considered by security experts to be one of the most serious threats that businesses currently face.
Maintaining the confidentiality of personal information and data is an essential factor in operating a successful business. People must be able to trust that their service provider takes the appropriate measures to implement security controls that will ultimately protect their privacy.
However, some of the largest and most reputable organizations have fallen victim to data loss security breaches resulting in significant legal, financial, and reputation loss, including [1]:
The Bank of America: Losing the personal employee information of over one million employees
The United States Government: Losing data related to the military
Heartland Payment Systems: Transferring credit card information and other personal records of over 130 million customers
In 2013, it was estimated that data breaches had resulted in the exploitation of over 800 million personal records [2]. This number is also expected to rise over the next several years given the advanced tools that cybercriminals use to steal information and data.
Interestingly, it is not just cybercriminals who represent a threat as:
64% of data loss is caused by well-meaning insiders.
50% of employees leave with data.
$3.5 million average cost of a security breach.
Considering these extensive data breaches, it is practical for organizations to understand where their critical data is located and understanding current security controls that can stop data loss.
Data Loss Prevention (DLP) solutions locate critical and personal data for organizations and help prevent data loss. By having a deeper understanding of efficient DLP security controls, you will help protect the reputation of your organization.
For more information contact: rkopaee@riskview.ca
https://www.threatview.ca
http://www.riskview.ca
Technology Futurist Monty Metzger (http://blog.monty.de/keynote-speaker) speaks about how to master the fourth industrial revolution. The Digital Future will have far more impact — the next 25 years will usher more change than in the previous three centuries. What separates great leaders from the rest, is they have a precise vision of the future. A vision to enable change today.
Who will be leading the Fourth Industrial Revolution? How will our economy depend on data, analytics and AI? How Digital Transformation can boost your business?
Monty’s keynote speeches are for those who want to change things and for those who want embrace the opportunities of the Digital Future.
Book Monty for your conference, workshop or company meeting
http://blog.monty.de/keynote-speaker
Denis Zhuchinski Ways of enhancing application securityАліна Шепшелей
In this lecture we will talk about what you should know and consider in the construction of an application developer to ensure the safe use of confidential user data.
This presentation discusses most common appliacation compatibility issues in Windows 7 that applications designed for Windows Xp may experience. It explains the new features of the OS such as UAC, file and registry virtualization, WRP, Session 0 isolation, Mandatory Integrity Level that compatible applications have to be aware with to run well on Windows 7
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsYevgeniy Brikman
"All happy cloud deployments are alike; each unhappy cloud deployment is unhappy in its own way." — Leo Tolstoy, Site Reliability Engineer
At Gruntwork, I've had the chance to see the cloud adoption journeys of hundreds of companies, from tiny startups to Fortune 50 giants. I've seen those journeys go well. I've seen those journeys go poorly. In this talk, I discuss a few of the ways cloud adoption can go horribly wrong (massive cost overruns, endless death marches, security disasters), and more importantly, how you can get it right.
To help you get it right, we looked at the cloud journeys that were successful and extracted from them the patterns they had in common. We distilled all this experience down into something called the Gruntwork Production Framework, which defines five concrete steps you can follow to adopt the cloud at your own company—and hopefully, to end up with your very own happy cloud deployment.
Applying formal methods to existing software by B.MonateMahaut Gouhier
"Applying formal methods to existing software: what can you expect?" Talk by Benjamin Monate, Co-founder and CTO of TrustInSoft, at the 2018 Sound Static Analysis for Security Workshop, in the NIST, USA, on June 27th.
This work has been supported by the Core Infrastructure Initiative of the Linux foundation.
Learn more about TrustInSoft
https://trust-in-soft.com/
If you had to identify and remediate your entire infrastructure from something like Heartbleed, how long do you think it would take you today? In this presentation we will do this in about 15min. No matter how many servers we are using.
We will take a look at “Chef Automate”. A product from Chef Inc. that helps us to build, deploy and manage our infrastructure and applications. It is also an awesome way to analyse the state of our infrastructure in terms of compliance and vulnerabilities. https://www.chef.io/automate/
Jürgen Brüder will introduce the Chef Automate to us, show us a demo where we will analyse and fix 0-day vulnerabilities on various servers and then talk to us about his experience with using this tool with actual customers.
Security automation simplified: an intro to DIY security automationMoses Schwartz
As presented at BSidesSF 2019!
Security automation can look a lot like magic, and many feel a strong temptation to go buy $HOT_SECURITY_ORCHESTRATION_PRODUCT, but it's really not hard to get started automating SecOps with the tools you already have, free and open source tools, and a little bit of code. In this talk I will give a high level view of how a SecOps or other IT group can use automation to save time and effort. I'll walk through an example, with screenshots and code, of how to automate an ops process. I want to remove the magic from automation and present concrete ways for any ops team to do this. This is not a "no code required!" approach to automation, but it's practical and easy enough to get started.
2013 Toorcon San Diego Building Custom Android Malware for Penetration TestingStephan Chenette
In this presentation Stephan will discuss some recent research that emerged he was asked to build malicious applications that bypassed custom security controls. He will walk through some of the basics of reversing malicious apps for android as well as common android malware techniques and methodologies. From the analysis of the wild android malware, he will discuss techniques and functionality to include when penetration testing against 3rd-party android security controls.
BIO
Stephan Chenette is the Director of Security Research and Development at IOActive where he conducts ongoing research to support internal and external security initiatives within the IOActive Labs. Stephan has been in involved in security research for the last 10 years and has presented at numerous conferences including: Blackhat, CanSecWest, RSA, EkoParty, RECon, AusCERT, ToorCon, SecTor, SOURCE, OWASP, B-Sides and PacSec. His specialty is in writing research tools for both the offensive and defensive front as well as investigating next generation emerging threats. He has released public analyses on various vulnerabilities and malware. Prior to joining IOActive, Stephan was the head security researcher at Websense for 6 years and a security software engineer for 4 years working in research and product development at eEye Digital Security.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
9. What is Endpoint Protection?
• Endpoint security or endpoint protection is an approach
to the protection of computer networks that are remotely
bridged to client devices. The connection of laptops,
tablets, mobile phones and other wireless devices to
corporate networks creates attack paths for security
threats.
25. AppLocker
• Whitelisting application
• Executable files, scripts, Windows Installer files,
dynamic-link libraries (DLLs), packaged apps, and
packaged app installers
• Windows 7 >
• Single computer (secpol.msc), Group Policy Management
(gpmc.msc)
26. AppLocker File Type
• These are regular .exe and .com applications (cmd.exe,
ipconfig.exe, etc.)
• Windows Installer files (.msi, .msp, .mst), typically used to
install a new software on the machine.
• Script files with the following
extensions .ps1, .vbs, .vba, .cmd and .js.
• Packaged Apps installed through the Microsoft Store
• DLL files (.dll and .ocx in the advanced tab).
28. Bypass AppLocker
• Find exception path
• “C:WindowsTasks”
• “C:Windowstracing”
• Load file from memory (PowerSploit framework)
• $ByteArray = [System.IO.File]::ReadAllBytes(“C:usersricharddesktopmimikatz.exe");
• Invoke-expression(Get-Content .Invoke-ReflectivePEInjection.ps1 |out-string)
• Invoke-ReflectivePEInjection -PEBytes $ByteArray
• Obfuscate exe for bypass hash
• Powershell without powershell (Casey Smith) (Powershell Empire) and StarFighter
• Registry Key Manipulation
• Run PE file by using microsoft tool
• C:windowssystem32rundll32.exe
• C:WindowsMicrosoft.NETFrameworkv2.0.50727InstallUtil.exe ( install and uninstall applications via the command
prompt)
• C:WindowsSystem32regsvr32.exe (Install and Uninstall dll file)
• C:WindowsMicrosoft.NETFrameworkv4.0.30319MSBuild.exe (Using to build products in environments where Visual
Studio is not installed)
30. UAC
• User Account Control (UAC)
• Run with standard user rights instead of full administrator rights
• C:WindowsSystem32cmd.exe /k %windir%System32reg.exe ADD
HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem /v
EnableLUA /t REG_DWORD /d 0 /f
• C:WindowsSystem32cmd.exe /k %windir%System32reg.exe ADD
HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem /v
EnableLUA /t REG_DWORD /d 1 /f
31. Bypass UAC
• Using mistake of any autoElevate binary (Using sigcheck for check autoElevate flag)
• UACMe
• DLL Hijacking
• autoElevate
• Elevated COM interface
• SDCLT - Backup command with specific option
• Fodhelper - Manage Optional Features
• Using process or dll injection into Windows Publisher Certificate
• Using Windows Update Standalone Installer (wusa.exe)
• etc.
34. Protecting against malware
• People: Security Awareness Training, Always update yourself.
• Process: Restrict program install or usage with policy, Updates,
Backups, Governance, Intelligence, Incident response plan, and more =>
Security Team
• Technology: Technology supports the team and processes
• Backup
• Antivirus
• Anti-ransomware
• Endpoint Detection