The document summarizes a security investigation conducted using Splunk software. The investigation began by detecting threat intelligence related network activity from an employee's system. Further investigation across endpoint, email, web, and DNS data sources traced the activity back to a targeted phishing email containing a weaponized PDF file. The file exploited a vulnerable PDF reader and installed Zeus malware. The root cause was determined to be a brute force attack on the company's website that stole the weaponized file. The investigation disrupted the cyber kill chain from reconnaissance to actions on objectives.
Hands-On Security - Disrupting the Kill Chain (Splunk)
Learn from a Splunk security expert how to use Splunk Enterprise in a live, hands-on incident investigation session. We'll use Splunk to disrupt an adversary's Kill Chain by finding the Actions on Intent, Exploitation Methods, and Reconnaissance Tactics used against a simulated organization. Data investigated will include threat list intelligence feeds, endpoint activity logs, e-mail logs, and web access logs. This session is a must for all security experts! Please bring your laptop as this is a hands-on session.
Hands-On Security Breakout Session - Disrupting the Kill Chain (Splunk)
Splunk software allows security teams to collect, store, and analyze machine data from various sources to detect threats across the cyber kill chain. This includes reconnaissance, exploitation, and actions on objectives. The presentation demonstrates how to use Splunk to investigate a security incident involving a compromised system communicating with a botnet. The investigation leverages threat intelligence, endpoint data, and process information to trace the adversary's activities, confirm malicious behavior, and work towards a root cause.
Hands-On Security Breakout Session - Disrupting the Kill Chain (Splunk)
The document discusses a security investigation demo using Splunk software to disrupt the cyber kill chain. It begins with detecting threat intelligence related events across multiple data sources for a specific IP address. Further investigation using endpoint data from Microsoft Sysmon reveals network connections and process information. This traces the suspicious activity back through parent processes to identify a vulnerable PDF reader application exploited by opening a weaponized file delivered via email phishing. Additional context from web logs shows the file was obtained through a brute force attack on the company's website. The investigation is then able to connect events across various data sources to fully map out the adversary's actions.
The document analyzes the prevalence and security impact of HTTPS interception by middleboxes and antivirus software. The researchers developed techniques to detect interception based on mismatches between the TLS handshake and the HTTP User-Agent header. Applying these techniques to billions of connections, they found interception rates over an order of magnitude higher than previous estimates, and that the majority (62-97%) of intercepted connections had reduced security, with 10-40% vulnerable to decryption. Testing of interception products found that most reduced security and many introduced severe vulnerabilities. The findings indicate that widespread interception negatively impacts security.
SafeBreach is a continuous security validation platform that can identify vulnerabilities in a company's network by simulating cyberattacks. It deploys agents across all systems to map the network and monitor for attacks without affecting the systems. The article describes how SafeBreach was tested on a large virtual network, quickly finding hundreds of potential entry points and paths to sensitive data. It also discusses how SafeBreach can be used to run security scenarios and wargames to help train IT teams to respond to attacks.
This document contains multiple BINGO cards for the MITRE ATT&CKcon conference. The cards list techniques from the MITRE ATT&CK matrix. The rules state that attendees should cross off techniques on the cards if they are mentioned during talks or on slides, and those who get 5 in a row can claim a prize from Adam Pennington.
This document contains information about security-related jobs, classifications of data sensitivity, access control lists, auditing Windows servers, and attaching tasks to event viewer logs. It also includes several links to resources about topics such as time-based access control lists, auditing Windows file and folder access, configuring Windows for syslog, and configuring failed login warnings with PowerShell. The document expresses interest in security work and includes links to blogs about overworked administrators and Windows server administration tutorials.
The document is a guide to ethical hacking that defines it as helping organizations strengthen security by simulating attacks while staying within legal limits. It outlines the typical phases of hacking: reconnaissance through passive and active information gathering; scanning networks to identify vulnerabilities; gaining access, often by exploiting vulnerabilities; maintaining access over time; and covering tracks to avoid detection. The guide provides examples of tools and techniques used for each phase to help administrators understand hacker mindsets and better protect their networks.
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them (CrowdStrike)
How adversaries use fileless attacks to evade your security and what you can do about it
Standard security solutions have continued to improve in their ability to detect and block malware and cyberattacks. This has forced cybercriminals to employ stealthier methods of evading legacy security to achieve success, including launching fileless attacks, where no executable file is written to disk. Download this presentation provided by CrowdStrike security experts to learn why so many of today’s adversaries are abandoning yesterday’s malware and relying on an evolving array of fileless exploits.
You’ll learn how fileless attacks are conceived and executed and why they are successfully evading the standard security measures employed by most organizations. You’ll also receive guidance on the best practices for defending your organization against these stealthy, damaging attacks.
The following presentation includes:
--How a fileless attack is executed — see how an end-to-end attack unfolds
--Why fileless attacks are having so much success evading legacy security solutions
--How you can protect your organization from being victimized by a fileless attack, including the security technologies and policies that are most effective
The document provides an overview of the state of the ATT&CK framework in 2020. It discusses that ATT&CK remains strong with 39 MITRE staff supporting it and a growing community. It describes the submission process and talks for the ATT&CKcon Power Hour, with 46% of talks submitted on the last day. It also previews upcoming changes and additions to ATT&CK in 2021, including potential stability in the Enterprise matrix with no changes as large as adding the PRE tactics or subtechniques.
The document provides an overview of ethical hacking, including definitions, goals, and the typical 5 phases of hacking: reconnaissance, scanning, gaining access, maintaining access, and covering tracks. It describes the importance of reconnaissance in gathering target information through passive and active means. Scanning involves using tools to discover technical details about a network like open ports and services. Gaining access focuses on exploiting vulnerabilities to infiltrate systems, while maintaining access ensures continued infiltration even after reboots. Covering tracks aims to remove evidence and logs of the intrusion. The document provides examples of techniques for each phase.
Connection String Parameter Pollution Attacks (Chema Alonso)
Paper about Connection String Attacks, focusing on Connection String Parameter Pollution in web applications. Presented at Ekoparty 2009, Black Hat DC 2010 and Troopers 2010.
FileShader: Entrusted Data Integration Using Hash Server (csandit)
This document summarizes a research paper that proposes FileShader, a system using hash values to ensure file integrity during transfers between clients and servers. FileShader works by having the file provider calculate and send the hash value of a file to a trusted hash server. When clients download a file, FileShader calculates the hash and compares it to the value stored on the hash server to detect any changes. The researchers implemented a prototype of FileShader and found it could accurately detect file changes with little performance overhead. They conclude FileShader is a practical solution that can increase security for internet users by verifying file integrity during transfers.
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac... (MITRE ATT&CK)
From ATT&CKcon 3.0
By Jason Wood and Justin Swisher, CrowdStrike
When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.
Proxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public Cloud (IRJET Journal)
This document proposes a system called proxy-oriented data uploading and remote data integrity checking using identity-based public key cryptography (ID-PUIC) to address security issues in public cloud storage. The system allows a user to designate a proxy to upload data to the cloud on their behalf and check the integrity of the remotely stored data without downloading it. The proposed ID-PUIC protocol uses cryptographic techniques like key generation, encryption, and decryption to securely upload data from proxies, detect malware, and verify data integrity in a private or public manner depending on the user's authorization. The system aims to improve security, efficiency and flexibility compared to existing public key infrastructure approaches for remote data integrity checking and proxy-based data uploading in public
Splunk App for Stream - Insights into Your Network Traffic (Georg Knon)
The document discusses the Splunk App for Stream, which enables real-time insights into private, public and hybrid cloud infrastructures by capturing and analyzing critical events from wire data not found in logs or with other collection methods. It provides an overview of the app, what's new, important features, architecture and deployment, customer success examples, and FAQs.
In the most recent Hacker Intelligence Initiative report, Imperva analyses vulnerabilities found in the SuperGlobal parameters of the PHP platform, and finds that a multi-step attack requires a multi-layered application security solution.
Symantec Intelligence Report December 2014 (Symantec)
This document provides a summary of cybersecurity threats from Symantec's December 2014 Intelligence Report. Key points include:
- The average number of spear-phishing attacks dropped to 33 per day in December from 43 in November. Manufacturing was the most targeted industry for these attacks.
- There were 8 data breaches reported in December, with real names, government ID numbers, and home addresses as the most common types of exposed information.
- Trojan.Swifi was the most common malware in December. A new zero-day Flash Player vulnerability (CVE-2014-9163) was also disclosed.
- 428 vulnerabilities were disclosed in December, including 1 zero-day. Internet Explorer
A security strategy against steal and pass (IJNSA Journal)
Stealing and passing credentials is currently one of the preferred cyberattack techniques within the hacking community, as shown by the increasing number of related incidents over the last years. Instead of targeting passwords, attackers focus on obtaining derived credentials like hashes and session tickets. These credentials make it easy to take advantage of omnipresent background mechanisms like Single Sign-On. A combination of malware and penetration tools is used to exploit architecture vulnerabilities and steal the credentials. Vulnerabilities also allow the attacker to gain access to other systems and covertly take control of central infrastructure like Active Directory. The ultimate goal is not to create noticeable damage but to covertly and constantly leak confidential information for profit or cyber espionage. This paper proposes a comprehensive six-point strategy against steal-and-pass credential attacks that is intended to mitigate the risk significantly. Even if some points of the strategy can be considered security best practices, other points require the establishment of technical and process controls that are not part of typical security management programs. Controls have to be regularly reviewed as part of security audits, since administrators and other privileged users often have the means to remove or bypass technical controls.
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ... (CODE BLUE)
This presentation provides an analysis of the advanced persistent threat (APT) attacks that have occurred during the past two years on the semiconductor industry. Our research shows that the majority of these attacks were concentrated on the Taiwan semiconductor sector. This is worthy of concern, as Taiwan's semiconductor industry plays a very crucial role in the world. Even a small disruption in the supply chain could have a serious ripple effect throughout the entire industry. Surprisingly, up until now, there has been little coverage of these attacks. In this presentation, we seek to shed light on the threat actors and campaigns behind these attacks, which are collectively referred to as Operation Chimera (a.k.a. Skeleton). Additionally, we provide a brief overview of the current information security status of Taiwan's semiconductor industry.
Between 2018 and 2019, we discovered several attacks on various semiconductor vendors located at the Hsinchu Science-based Industrial Park in Taiwan. As these attacks employed similar attack techniques and tactics, a pattern could be discerned from the malicious activities. From this pattern, we deduced that these attacks, which we dubbed Operation Chimera, were actually conducted by the same threat actor. The main objective of these attacks appeared to be stealing intelligence, specifically documents about IC chips, software development kits (SDKs), IC designs, the source code, etc. If such documents are successfully stolen, the impact can be devastating. The motive behind these attacks likely stems from competitors or even countries seeking to gain a competitive advantage over rivals.
The Quarantine Report: Cybersecurity Impact Assessment for COVID-19 (Alex Smirnoff)
The document provides a cybersecurity impact assessment of the COVID-19 outbreak. It finds that while the work from home shift has changed the attack surface, there is no clear evidence of a significant outbreak of cyber attacks. However, cybercriminals are exploiting COVID-19 in social engineering and phishing attacks. VPN and RDP usage has increased to enable remote work but these protocols have ongoing security issues. The document recommends adopting a zero trust approach and improving security awareness as a long term strategy.
Frost & Sullivan: Moving Forward with Distributed Cryptography (EMC)
This analyst report provides an overview of distributed cryptography. The premise underlying distributed cryptography is that if a credential (such as a password or a response to a challenge question) is stolen, the illegitimate possessor of that credential now has access to the secured material
Which Came First: The Phish or the Opportunity to Defend Against It (JamieWilliams130)
The document discusses defending against cyber adversaries before an attack occurs. It introduces the concept of "defending left" by recognizing precursor behaviors to common cyber attacks. These precursor behaviors are referred to as PRE and include activities like reconnaissance, resource development, and establishing accounts. The document suggests cyber defenders can learn from an adversary's tactics and emulate their precursor behaviors through purple teaming exercises to identify vulnerabilities and strengthen defenses earlier in the cyber kill chain.
This document summarizes a report by Kaspersky Lab on evolving malware attacks originating in Syria. Malicious actors are using social engineering techniques like Skype messages, Facebook posts, and YouTube videos to distribute malware disguised as security programs. The malware payloads identified include remote access Trojans (RATs) like ShadowTech RAT and Dark Comet RAT. Over 100 malware samples have been found targeting activists and others in Syria, Lebanon, Turkey and other countries. The actors operate from locations including Syria, Russia, and Lebanon, and are constantly evolving their methods.
Hands on Security - Disrupting the Kill Chain Breakout Session (Splunk)
The document discusses a security investigation using Splunk software to trace a cyber attack across multiple data sources. The investigation began by identifying communications from an internal IP address to known threats. Examining endpoint data revealed a suspicious svchost.exe process communicating outbound, which was traced back through parent processes to a vulnerable PDF reader opened by an employee. Web logs showed the attacker gained access to a sensitive file via a brute force attack on the company website. By connecting activities across threat intelligence, endpoint, email, web and other sources, the root cause was determined to be a targeted spear phishing email containing a weaponized PDF file.
Hands-On Security Breakout Session - Disrupting the Kill Chain (Splunk)
This document summarizes a security investigation using Splunk software to disrupt the cyber kill chain. The investigation began by detecting threat intelligence related events across multiple data sources for a specific IP address. Further investigation revealed DNS queries, proxy activity, and suspicious processes on an endpoint. Pivoting to the endpoint data identified a Zeus malware process communicating outbound. Working backwards through process lineage identified an exploited vulnerable application and a weaponized PDF file delivered via email phishing. A search of web logs found the file was obtained from a website via a brute force attack. The root cause was determined to be a targeted spear phishing email containing an exploit.
The document discusses disrupting cyber attacks using Splunk software. It provides an overview of Splunk's security capabilities such as monitoring known and unknown threats, security investigations, and fraud detection. It then demonstrates how to investigate a hypothetical security incident at a company called Buttercup Games. The investigation uses Splunk to trace an attack from initial website exploitation and phishing email through endpoint infection back to the root cause of a user opening a weaponized PDF file. The investigation illustrates how Splunk can disrupt the cyber kill chain by connecting threat indicators from multiple data sources to rapidly uncover attack details and attributes.
Join our Security Expert and learn how to use the Splunk App for Enterprise Security (ES) in a live, hands-on session. We'll take a tour through Splunk's award-winning security offering to understand some of the unique capabilities in the product. Then, we'll use ES to work an incident and disrupt an adversary's Kill Chain by finding the Actions on Intent, Exploitation Methods, and Reconnaissance Tactics used against a simulated organization. Data investigated will include threat list intelligence feeds, endpoint activity logs, e-mail logs, and web access logs. This session is a must for all security experts! Please bring your laptop as this is a hands-on session.
The document is a guide to ethical hacking that defines it as helping organizations strengthen security by simulating attacks while staying within legal limits. It outlines the typical phases of hacking: reconnaissance through passive and active information gathering; scanning networks to identify vulnerabilities; gaining access, often by exploiting vulnerabilities; maintaining access over time; and covering tracks to avoid detection. The guide provides examples of tools and techniques used for each phase to help administrators understand hacker mindsets and better protect their networks.
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemCrowdStrike
How adversaries use fileless attacks to evade your security and what you can do about it
Standard security solutions have continued to improve in their ability to detect and block malware and cyberattacks. This has forced cybercriminals to employ stealthier methods of evading legacy security to achieve success, including launching fileless attacks, where no executable file is written to disk. Download this presentation provided by CrowdStrike security experts to learn why so many of today’s adversaries are abandoning yesterday’s malware and relying on an evolving array of fileless exploits.
You’ll learn how fileless attacks are conceived and executed and why they are successfully evading the standard security measures employed by most organizations. You’ll also receive guidance on the best practices for defending your organization against these stealthy, damaging attacks.
The following presentation includes:
--How a fileless attack is executed — see how an end-to-end attack unfolds
--Why fileless attacks are having so much success evading legacy security solutions
--How you can protect your organization from being victimized by a fileless attack, including the security technologies and policies that are most effective
The document provides an overview of the state of the ATT&CK framework in 2020. It discusses that ATT&CK remains strong with 39 MITRE staff supporting it and a growing community. It describes the submission process and talks for the ATT&CKcon Power Hour, with 46% of talks submitted on the last day. It also previews upcoming changes and additions to ATT&CK in 2021, including potential stability in the Enterprise matrix with no changes as large as adding the PRE tactics or subtechniques.
The document provides an overview of ethical hacking, including definitions, goals, and the typical 5 phases of hacking: reconnaissance, scanning, gaining access, maintaining access, and covering tracks. It describes the importance of reconnaissance in gathering target information through passive and active means. Scanning involves using tools to discover technical details about a network like open ports and services. Gaining access focuses on exploiting vulnerabilities to infiltrate systems, while maintaining access ensures continued infiltration even after reboots. Covering tracks aims to remove evidence and logs of the intrusion. The document provides examples of techniques for each phase.
Connection String Parameter Pollution AttacksChema Alonso
Paper about Connection String Attacks that focus in Connection String Parameter Pollution in Web Applications. Presented in Ekoparty 2009, Black Hat DC 2010 and Troopers 2010
FILESHADER: ENTRUSTED DATA INTEGRATION USING HASH SERVER csandit
This document summarizes a research paper that proposes FileShader, a system using hash values to ensure file integrity during transfers between clients and servers. FileShader works by having the file provider calculate and send the hash value of a file to a trusted hash server. When clients download a file, FileShader calculates the hash and compares it to the value stored on the hash server to detect any changes. The researchers implemented a prototype of FileShader and found it could accurately detect file changes with little performance overhead. They conclude FileShader is a practical solution that can increase security for internet users by verifying file integrity during transfers.
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
From ATT&CKcon 3.0
By Jason Wood and Justin Swisher, CrowdStrike
When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.
Proxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public CloudIRJET Journal
This document proposes a system called proxy-oriented data uploading and remote data integrity checking using identity-based public key cryptography (ID-PUIC) to address security issues in public cloud storage. The system allows a user to designate a proxy to upload data to the cloud on their behalf and check the integrity of the remotely stored data without downloading it. The proposed ID-PUIC protocol uses cryptographic techniques like key generation, encryption, and decryption to securely upload data from proxies, detect malware, and verify data integrity in a private or public manner depending on the user's authorization. The system aims to improve security, efficiency and flexibility compared to existing public key infrastructure approaches for remote data integrity checking and proxy-based data uploading in public
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr (Georg Knon)
The document discusses the Splunk App for Stream, which enables real-time insights into private, public and hybrid cloud infrastructures by capturing and analyzing critical events from wire data not found in logs or with other collection methods. It provides an overview of the app, what's new, important features, architecture and deployment, customer success examples, and FAQs.
In the most recent Hacker Intelligence Initiative report, Imperva analyses vulnerabilities found in the SuperGlobal parameters of the PHP platform, and finds that a multi-step attack requires a multi-layered application security solution.
Symantec Intelligence Report December 2014 (Symantec)
This document provides a summary of cybersecurity threats from Symantec's December 2014 Intelligence Report. Key points include:
- The average number of spear-phishing attacks dropped to 33 per day in December from 43 in November. Manufacturing was the most targeted industry for these attacks.
- There were 8 data breaches reported in December, with real names, government ID numbers, and home addresses as the most common types of exposed information.
- Trojan.Swifi was the most common malware in December. A new zero-day Flash Player vulnerability (CVE-2014-9163) was also disclosed.
- 428 vulnerabilities were disclosed in December, including 1 zero-day. Internet Explorer
A security strategy against steal and pass (IJNSA Journal)
Stealing and passing credentials is currently one of the preferred cyberattack techniques within the hacking community, as shown by the increasing number of related incidents over the last years. Instead of targeting passwords, attackers focus on obtaining derived credentials such as hashes and session tickets. These credentials make it easy to take advantage of omnipresent background mechanisms such as Single Sign-On. A combination of malware and penetration tools is used to exploit architecture vulnerabilities and steal the credentials. The same vulnerabilities also allow the attacker to gain access to other systems and covertly take control of central infrastructure such as Active Directory. The ultimate goal is not to cause noticeable damage but to covertly and continuously leak confidential information for profit or cyber espionage. This paper proposes a comprehensive six-point strategy against steal-and-pass credential attacks that is intended to mitigate the risk significantly. Even if some points of the strategy can be considered security best practices, other points require the establishment of technical and process controls that are not part of typical security management programs. Controls have to be regularly reviewed as part of security audits, since administrators and other privileged users often have the means to remove or bypass technical controls.
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ... (CODE BLUE)
This presentation provides an analysis of the advanced persistent threat (APT) attacks that have occurred during the past two years on the semiconductor industry. Our research shows that the majority of these attacks were concentrated on the Taiwan semiconductor sector. This is worthy of concern, as Taiwan's semiconductor industry plays a very crucial role in the world. Even a small disruption in the supply chain could have a serious ripple effect throughout the entire industry. Surprisingly, up until now, there has been little coverage of these attacks. In this presentation, we seek to shed light on the threat actors and campaigns behind these attacks, which are collectively referred to as Operation Chimera (a.k.a. Skeleton). Additionally, we provide a brief overview of the current information security status of Taiwan's semiconductor industry.
Between 2018 and 2019, we discovered several attacks on various semiconductor vendors located at the Hsinchu Science-based Industrial Park in Taiwan. As these attacks employed similar attack techniques and tactics, a pattern could be discerned from the malicious activities. From this pattern, we deduced that these attacks, which we dubbed Operation Chimera, were actually conducted by the same threat actor. The main objective of these attacks appeared to be stealing intelligence, specifically documents about IC chips, software development kits (SDKs), IC designs, the source code, etc. If such documents are successfully stolen, the impact can be devastating. The motive behind these attacks likely stems from competitors or even countries seeking to gain a competitive advantage over rivals.
The Quarantine Report: Cybersecurity Impact Assessment for COVID-19 (Alex Smirnoff)
The document provides a cybersecurity impact assessment of the COVID-19 outbreak. It finds that while the work from home shift has changed the attack surface, there is no clear evidence of a significant outbreak of cyber attacks. However, cybercriminals are exploiting COVID-19 in social engineering and phishing attacks. VPN and RDP usage has increased to enable remote work but these protocols have ongoing security issues. The document recommends adopting a zero trust approach and improving security awareness as a long term strategy.
Frost & Sullivan: Moving Forward with Distributed Cryptography (EMC)
This analyst report provides an overview of distributed cryptography. The premise underlying distributed cryptography is that if a credential (such as a password or a response to a challenge question) is stolen, the illegitimate possessor of that credential now has access to the secured material
Which Came First: The Phish or the Opportunity to Defend Against It (JamieWilliams130)
The document discusses defending against cyber adversaries before an attack occurs. It introduces the concept of "defending left" by recognizing precursor behaviors to common cyber attacks. These precursor behaviors are referred to as PRE and include activities like reconnaissance, resource development, and establishing accounts. The document suggests cyber defenders can learn from an adversary's tactics and emulate their precursor behaviors through purple teaming exercises to identify vulnerabilities and strengthen defenses earlier in the cyber kill chain.
This document summarizes a report by Kaspersky Lab on evolving malware attacks originating in Syria. Malicious actors are using social engineering techniques like Skype messages, Facebook posts, and YouTube videos to distribute malware disguised as security programs. The malware payloads identified include remote access Trojans (RATs) like ShadowTech RAT and Dark Comet RAT. Over 100 malware samples have been found targeting activists and others in Syria, Lebanon, Turkey and other countries. The actors operate from locations including Syria, Russia, and Lebanon, and are constantly evolving their methods.
Hands on Security - Disrupting the Kill Chain Breakout Session (Splunk)
The document discusses a security investigation using Splunk software to trace a cyber attack across multiple data sources. The investigation began by identifying communications from an internal IP address to known threats. Examining endpoint data revealed a suspicious svchost.exe process communicating outbound, which was traced back through parent processes to a vulnerable PDF reader opened by an employee. Web logs showed the attacker gained access to a sensitive file via a brute force attack on the company website. By connecting activities across threat intelligence, endpoint, email, web and other sources, the root cause was determined to be a targeted spear phishing email containing a weaponized PDF file.
Hands-On Security Breakout Session- Disrupting the Kill Chain (Splunk)
This document summarizes a security investigation using Splunk software to disrupt the cyber kill chain. The investigation began by detecting threat intelligence related events across multiple data sources for a specific IP address. Further investigation revealed DNS queries, proxy activity, and suspicious processes on an endpoint. Pivoting to the endpoint data identified a Zeus malware process communicating outbound. Working backwards through process lineage identified an exploited vulnerable application and a weaponized PDF file delivered via email phishing. A search of web logs found the file was obtained from a website via a brute force attack. The root cause was determined to be a targeted spear phishing email containing an exploit.
The document discusses disrupting cyber attacks using Splunk software. It provides an overview of Splunk's security capabilities such as monitoring known and unknown threats, security investigations, and fraud detection. It then demonstrates how to investigate a hypothetical security incident at a company called Buttercup Games. The investigation uses Splunk to trace an attack from initial website exploitation and phishing email through endpoint infection back to the root cause of a user opening a weaponized PDF file. The investigation illustrates how Splunk can disrupt the cyber kill chain by connecting threat indicators from multiple data sources to rapidly uncover attack details and attributes.
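The investigation the preceding entries summarize has a repeatable shape: match outbound connections against a threat list, pivot to the endpoint process that made them, walk the parent-process lineage back to the application that was exploited, then check the web access logs for the brute force that exposed the file. The script below, added here as an illustration and not taken from the Splunk session or its data, does those steps in Python over constructed Sysmon-style process and network events and constructed Apache-style access-log lines. The field names, the TEST-NET addresses used as threat indicators, the login path and the assumption that the login form answers 401 on failure and 200 on success are all assumptions made for the example.

```python
import re
from collections import defaultdict

# --- Constructed sample data (not from the session) ------------------------
# Sysmon-style process creation events (Event ID 1): pid, parent pid, image.
PROCESS_EVENTS = [
    {"pid": 412,  "ppid": 1,    "image": r"C:\Windows\explorer.exe"},
    {"pid": 2200, "ppid": 412,  "image": r"C:\Program Files\Mail\outlook.exe"},
    {"pid": 3100, "ppid": 2200, "image": r"C:\Program Files\PDFReader\reader.exe"},
    {"pid": 3344, "ppid": 3100, "image": r"C:\Users\bob\AppData\Roaming\svchost.exe"},
]
# Sysmon-style network connection events (Event ID 3).
NETWORK_EVENTS = [
    {"pid": 3344, "dest_ip": "203.0.113.7", "dest_port": 443},
    {"pid": 2200, "dest_ip": "192.0.2.10", "dest_port": 443},
]
# Hypothetical threat list (TEST-NET addresses, not real indicators).
THREAT_LIST = {"203.0.113.7"}
# Constructed web access log, Apache combined style. Assumption: the login
# form answers 401 on a failed login and 200 on success.
WEB_LOG = """\
198.51.100.23 - - [10/May/2016:08:01:01 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.23 - - [10/May/2016:08:01:02 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.23 - - [10/May/2016:08:01:03 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.23 - - [10/May/2016:08:01:04 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.23 - - [10/May/2016:08:01:05 +0000] "POST /login HTTP/1.1" 200 1024
198.51.100.23 - - [10/May/2016:08:01:09 +0000] "GET /internal/invoice.pdf HTTP/1.1" 200 80211
192.0.2.44 - - [10/May/2016:08:02:00 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.44 - - [10/May/2016:08:02:30 +0000] "POST /login HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')


def flagged_pids(network_events, threat_list):
    """PIDs whose outbound connections hit a threat-listed destination."""
    return sorted({e["pid"] for e in network_events if e["dest_ip"] in threat_list})


def lineage(pid, process_events):
    """Follow parent pointers from pid to the root. Returns image paths, child
    first. Stops on a missing parent or a PID loop so a malformed log cannot
    make the walk spin forever."""
    by_pid = {e["pid"]: e for e in process_events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def masquerading_svchost(image):
    """True when svchost.exe runs from anywhere but System32/SysWOW64, which
    is what makes the process worth pivoting on."""
    low = image.lower()
    return low.endswith("\\svchost.exe") and not (
        "\\windows\\system32\\" in low or "\\windows\\syswow64\\" in low)


def brute_force_then_fetch(log_text, login_path="/login", threshold=3):
    """Sources with >= threshold failed logins followed by a successful one,
    mapped to the paths they fetched afterwards (the stolen file)."""
    state = defaultdict(lambda: {"fails": 0, "success": False, "fetched": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip anything that is not an access-log record
        ip, _method, path, status, _size = m.groups()
        s = state[ip]
        if path == login_path:
            if status == "401":
                s["fails"] += 1
            elif status == "200":
                s["success"] = True
        elif s["success"] and status == "200":
            s["fetched"].append(path)
    return {ip: s["fetched"] for ip, s in state.items()
            if s["fails"] >= threshold and s["success"]}


def investigate():
    """Chain the steps: threat match -> process -> lineage -> web log."""
    report = {}
    for pid in flagged_pids(NETWORK_EVENTS, THREAT_LIST):
        chain = lineage(pid, PROCESS_EVENTS)
        report[pid] = {"lineage": chain,
                       "masquerading": masquerading_svchost(chain[0])}
    report["web_brute_force"] = brute_force_then_fetch(WEB_LOG)
    return report


if __name__ == "__main__":
    from pprint import pprint
    pprint(investigate())
```

Running the script prints the lineage svchost.exe -> reader.exe -> outlook.exe -> explorer.exe for the flagged PID and names 198.51.100.23 as the source that brute-forced the login and then fetched /internal/invoice.pdf. In Splunk the same pivots are searches joined on pid/ppid and src_ip; the point of writing them out is that each step is a deterministic lookup a detection can automate rather than an analyst's intuition.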
Join our Security Expert and learn how to use the Splunk App for Enterprise Security (ES) in a live, hands-on session. We'll take a tour through Splunk's award-winning security offering to understand some of the unique capabilities in the product. Then, we'll use ES to work an incident and disrupt an adversary's Kill Chain by finding the Actions on Intent, Exploitation Methods, and Reconnaissance Tactics used against a simulated organization. Data investigated will include threat list intelligence feeds, endpoint activity logs, e-mail logs, and web access logs. This session is a must for all security experts! Please bring your laptop as this is a hands-on session.
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin (Splunk)
Splunk for Security Workshop
Join our Splunk Security Experts and learn how to use Splunk Enterprise in a live, hands-on incident investigation session. We'll use Splunk to disrupt an adversary's Kill Chain by finding the Actions on Intent, Exploitation Methods, and Reconnaissance Tactics used against a simulated organization. Data investigated will include threat list intelligence feeds, endpoint activity logs, e-mail logs, and web access logs. This session is a must for all security experts! Please bring your laptop as this is a hands-on session.
Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real-world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts' capability to detect and quickly mitigate advanced attacks.
The document is an agenda for a security session presentation by Splunk. It includes an introduction to Splunk for security use cases, a demo investigating a Zeus malware infection, and a discussion of the enterprise security and user behavior analytics solutions from Splunk. Key points include how Splunk can provide a unified platform for security data from multiple sources, detect advanced threats that are difficult to find, and help connect related security events to better understand security incidents.
The document discusses security session presented by Philipp Drieger. It begins with a safe harbor statement noting any forward-looking statements are based on current expectations and could differ from actual results. The agenda includes discussing Splunk for security, enterprise security, and Splunk user behavior analytics. It provides examples of how Splunk can be used to detect threats like fraud and advanced persistent threats by analyzing machine data from various sources. It also discusses how threat intelligence can be incorporated using STIX/TAXII standards and open IOCs. Customer examples show how Nasdaq and Cisco have replaced their SIEMs with Splunk to gain better scalability and flexibility.
Splunk Discovery Day Hamburg - Security Session (Splunk)
This document discusses best practices for security strategies and Splunk's security offerings. It begins with an overview of the evolving threat landscape, noting that traditional defenses are no longer sufficient. It then outlines Splunk's data-driven security approach and demo. Splunk can complement or replace SIEMs by collecting, storing, searching, reporting on, and investigating machine data from various sources. It positions Splunk as a leader in security information and event management. The document concludes with next steps around discovery workshops and questions.
You have spent a lot of money on your security infrastructure. How do you now bring all these different systems together so that you reach your goals: detecting threats quickly, responding to them and preventing them in the future? At the same time, your security team must of course be able to act in line with your business activities and strategy. Learn here how to deploy your security resources most effectively. We show you all of this in a live demo.
This document provides instructions for a hands-on security analytics session using Splunk. The session will use Splunk to investigate a Zeus malware infection across network, endpoint, asset, and threat intelligence data sources. Participants will begin by searching for new threat intelligence, then investigate the infection to identify the complete adversary kill chain. They will access a shared Splunk instance and work through exercises discovering the attacker's kill chain, producing new threat intelligence, and performing incident investigation across the security stack.
Who should attend? Anyone that works in security and wants to leverage their machine data to detect internal and advanced threats, monitor activities in real time, and improve their organization's security posture.
Splunk Webinar Best Practices für Incident Investigation (Georg Knon)
The document discusses best practices for incident investigation using Splunk, including collecting data from various sources like network traffic, endpoints, user activity, and threat intelligence. Effective investigation requires visibility into who and what communicated on the network, running processes, file system changes, and privileged access on endpoints. The goal is to quickly scope infections and disrupt breaches by understanding attack intent, lateral movement, and exfiltration through correlation of different data sources.
SplunkLive! Stockholm 2015 breakout - Analytics based security (Splunk)
This document discusses how Splunk can be used for security analytics and threat detection. It describes how Splunk allows organizations to centrally gather and correlate security-related data from various sources like networks, endpoints, applications and threat intelligence feeds. This enables use cases like monitoring for known threats, detecting unknown threats, incident investigation and user behavior analytics. Advanced techniques like machine learning and user/entity behavior analytics are also discussed to help identify anomalous activity that could indicate security incidents or threats.
Big organizations are dealing with massive amounts of data from various sources that needs to be collected and analyzed in real-time to detect security threats. This requires normalizing the data, integrating it from different sources, and using analytics to identify patterns and correlations that could indicate attacks. Doing this analysis in real-time allows threats to be addressed quickly before data is stolen, rather than only analyzing after an attack occurred.
Trial Course - CertMaster Learn and CertMaster Labs for Security+ (Exam SY0-6... (MohamedOmerMusa)
This document contains 31 multiple choice questions about information security concepts from the CompTIA Security+ exam. The questions cover topics like security controls, threat actors, reconnaissance tools, vulnerability scanning, and supply chain risks. Example questions ask about the properties of secure systems, non-repudiation, security operations centers, DevSecOps teams, and more.
SplunkLive! Amsterdam 2015 - Analytics based security breakout (Splunk)
Splunk products provide a flexible and fast security intelligence platform that makes security personnel and processes more efficient by providing quick and flexible access to all of the data and information needed to detect, investigate and remediate threats. This presentation will discuss best practices for building out or enhancing an analytics based security strategy and how Splunk products can make people, process, and technology work better together.
The document discusses using the Splunk Universal Forwarder to monitor endpoints for security purposes. It outlines how the Universal Forwarder can collect a variety of log and system data from endpoints to gain visibility into potential attacks or malware. Specific examples are provided of how the Universal Forwarder was used by large companies to monitor millions of endpoints and detect security issues and fraud.
Similar to Hands-On Security Breakout Session - Disrupting the Kill Chain
.conf Go 2023 - Raiffeisen Bank International (Splunk)
This document discusses standardizing security operations procedures (SOPs) to increase efficiency and automation. It recommends storing SOPs in a code repository for versioning and referencing them in workbooks which are lists of standard tasks to follow for investigations. The goal is to have investigation playbooks in the security orchestration, automation and response (SOAR) tool perform the predefined investigation steps from the workbooks to automate incident response. This helps analysts automate faster without wasting time by having standard, vendor-agnostic procedures.
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu... (Splunk)
.conf Go 2023 presentation: "Das passende Rezept für die digitale (Security) Revolution zur Telematik Infrastruktur 2.0 im Gesundheitswesen?" (The right recipe for the digital (security) revolution towards Telematics Infrastructure 2.0 in healthcare?)
Speaker: Stefan Stein, CERT Team Lead | gematik GmbH, M.Eng. IT Security & Forensics, doctorate student at TH Brandenburg & Universität Dresden
The document describes Cellnex's transition from a Security Operations Center (SOC) to a Computer Security Incident Response Team (CSIRT). The transition was driven by Cellnex's growth and the need to automate processes and tasks to improve efficiency. Cellnex implemented Splunk SIEM and SOAR to automate the creation, remediation and closure of incidents. This allowed staff to concentrate on strategic tasks and improved KPIs such as resolution times and e-mails anal
conf go 2023 - El camino hacia la ciberseguridad (ABANCA) (Splunk)
This document summarizes ABANCA's journey towards cybersecurity with Splunk, from bringing dedicated profiles on board in 2016 to becoming a monitoring and response center with more than 1 TB of daily ingest and 350 use cases aligned with MITRE ATT&CK. It also describes mistakes made and the solutions implemented, such as normalizing data sources and training operators, and the current pillars: automation, visibility and alignment with MITRE ATT&CK. Finally, it points out challenges
Splunk - BMW connects business and IT with data driven operations SRE and O11y (Splunk)
BMW is defining the next level of mobility - digital interactions and technology are the backbone to continued success with its customers. Discover how an IT team is tackling the journey of business transformation at scale whilst maintaining (and showing the importance of) business and IT service availability. Learn how BMW introduced frameworks to connect business and IT, using real-time data to mitigate customer impact, as Michael and Mark share their experience in building operations for a resilient future.
The document is a presentation on cyber security trends and Splunk security products from Matthias Maier, Product Marketing Director for Security at Splunk. The presentation covers trends in security operations like the evolution of SOCs, new security roles, and data-centric security approaches. It also provides updates on Splunk's security portfolio including recognition as a leader in SIEM by Gartner and growth in the SIEM market. Maier highlights some breakout sessions from the conference on topics like asset defense, machine learning, and building detections.
Data foundations building success, at city scale – Imperial College London (Splunk)
Universities have more in common with modern cities than traditional places of learning. This mini city needs to empower its citizens to thrive and achieve their ambitions. Operationalising data is key to building critical services; from understanding complex IT estates for smarter decision-making to robust security and a more reliable, resilient student experience. Juan will share his experience in building data foundations for a resilient future whilst enabling digital transformation at Imperial College London.
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen... (Splunk)
Learn how Vodafone has provided end-to-end visibility across services by building an Operational Analytics Platform. In this session, you will hear how Stefan and his team manage legacy, on premise, hybrid and public cloud services, and how they are providing a platform for complex triage and debugging to tackle use cases across Vodafone’s extensive ecosystem.
.italo operates an Essential Service by connecting more than 100 million people annually across Italy with its super fast and secure railway. And CISO Enrico Maresca has been on a whirlwind journey of his own.
Formerly a Cyber Security Engineer, Enrico started at .italo as an IT Security Manager. One year later, he was promoted to CISO and tasked with building out – and significantly increasing the maturity level – of the SOC. The result was a huge step forward for .italo.
So how did he successfully achieve this ambitious ask? Join Enrico as he reveals the key insights and lessons learned in his SOC journey, including:
Top challenges faced in improving security posture
Key KPIs implemented in order to measure success
Strategies and approaches applied in the SOC
How MITRE ATT&CK and Splunk Enterprise Security were utilised
Next steps in their maturity journey ahead
This document summarizes a presentation about observability using Splunk. It includes an agenda introducing observability and why Splunk for observability. It discusses the need for modernization initiatives in companies and the thousands of changes required. It presents that Splunk provides end-to-end visibility across metrics, traces and logs to detect, troubleshoot and optimize systems. It shares a customer case study of Accenture using Splunk observability in their hybrid cloud environment. Finally, it concludes that observability with Splunk can drive results like reduced downtime and faster innovation.
This document contains slides from a Splunk presentation covering the following topics:
- Updated Splunk logo and information about meetings in Zurich and sales engineering leads
- Ideas for confused or concerned human figures in design concepts
- Three buckets of challenges around websites slowing, apps being down, and supply chain issues
- Accelerating mean time to detect, identify, respond and resolve through cyber resilience with Splunk
- Unifying security, IT and DevOps teams
- Splunk's technology vision focusing on customer experience, hybrid/edge, unleashing data lakes, and ubiquitous machine learning
- Gaining operational resilience through correlating infrastructure, security, application and user data with business outcomes
This document summarizes a presentation about Splunk's platform. It discusses Splunk's mission of helping customers create value faster with insights from their data. It provides statistics on Splunk's daily ingest and users. It highlights examples of how Splunk has helped customers in areas like internet messaging and convergent services. It also discusses upcoming challenges and new capabilities in Splunk like federated search, flexible indexing, ingest actions, improved data onboarding and management, and increased platform resilience and security.
The document appears to be a presentation from Splunk on security topics. It includes sections on cyber security resilience, the data-centric modern SOC, application monitoring at scale, threat modeling, security monitoring journeys, self-service Splunk infrastructure, the top 3 CISO priorities of risk based alerting, use case development, a security content repository, security PVP (posture, vision, and planning) and maturity assessment, and concludes with an overview of how Splunk can provide end-to-end visibility across an organization.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer's life and facilitate a rapid transition from concept to production-ready applications. He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
Communications Mining Series - Zero to Hero - Session 1 (DianaGray10)
This session provides an introduction to UiPath Communications Mining, its importance and a platform overview. You will acquire a good understanding of the phases in Communications Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Building Production Ready Search Pipelines with Spark and Milvus (Zilliz)
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... (Neo4j)
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Driving Business Innovation: Latest Generative AI Advancements & Success Story (Safe Software)
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Speck&Tech
ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune.
Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile.
BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
3. Safe Harbor Statement
During the course of this presentation, we may make forward looking statements regarding future events
or the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC. The forward-looking statements
made in this presentation are being made as of the time and date of its live presentation. If reviewed
after its live presentation, this presentation may not contain current or accurate information. We do not
assume any obligation to update any forward looking statements we may make. In addition, any
information about our roadmap outlines our general product direction and is subject to change at any
time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
4. Agenda
Splunk & Security
– Unknown Threats
– Connect the Dots across All Data
Kill Chain* Disruption
– Overview
Exercise/Demo
– Security Investigation Example
6. Want a hard copy?
Link to walkthrough:
https://splunk.box.com/slc-splunklive-security
Servers:
URL #1: https://54.234.52.9
URL #2: https://54.81.91.128
URL #3: https://54.161.169.143
11. Machine data contains a definitive record of all Human <-> Machine and Machine <-> Machine interaction. Splunk is a very effective platform to collect, store, and analyze all of that data.
13. Moving Past SIEM to Security Intelligence
Splunk software complements, replaces and goes beyond traditional SIEMs.
Small Data. Big Data. Huge Data.
Security use case areas:
– Security & Compliance Reporting
– Real-Time Monitoring of Known Threats
– Monitoring of Unknown Threats
– Incident Investigations & Forensics
– Fraud Detection
– Insider Threat
14. Hands-On Session: Kill Chain* Disruption
Reconnaissance: The adversary works to understand your organization looking for opportunities.
Exploitation: Your system is compromised and the adversary begins its work.
Act on Intent: The attacker steals data, disrupts your operations or causes damage.
*mostly….
15. Security Investigation Example
• How can the security analysts at Buttercup Games, Inc. discover that their systems have been compromised by way of a stolen document from their web portal?
• They would want to discover and disrupt the kill chain:
  • Where did the adversary start? (Recon)
  • How did they get a foothold? (Exploitation)
  • What was their motive and what did they take? (Actions on Intent)
Let’s get hands-on!
16. Kill Chain Demo Data Source - Activity (Demo Story line)
Phase | Data Source | Activity
Reconnaissance, Weaponization | Web | A brute force attack takes place on the customer web site, access is gained, and a sensitive pdf file is downloaded and weaponized with malware.
Delivery | Email and Endpoint | A convincing phishing email is crafted and sent to an internal target.
Exploitation, Installation | Endpoint | The pdf document is opened, then exploits the vulnerable pdf reader app, creating a dropper which installs the malware.
Command & Control | Endpoint, DNS, Proxy | Command/Control activity is highlighted by its association with Threat Intelligence (Threat Intelligence Integration).
Act on Objectives | Endpoint, DNS, Proxy |
17. APT Transaction Flow Across Data Sources
(Diagram: the attack as one transaction moving through the Web, Mail, Endpoint and Proxy data sources, with Threat Intelligence overlaid.)
Web (Portal.pdf): Attacker hacks website, steals .pdf files.
Mail: Attacker creates malware, embeds it in the .pdf, emails it to the target. Target reads email, opens attachment.
Endpoint: .pdf executes & unpacks malware, overwriting and running “allowed” programs: Calc.exe (dropper), Svchost.exe (malware).
Proxy: http (proxy) session to command & control server. Remote control, steal data, persist in company, rent as botnet.
Transaction stages: Gain Access to system; Create additional environment; Conduct Business.
Data sources: Threat Intelligence; Endpoint; Network (Email, Proxy, DNS, and Web).
Our investigation begins by detecting high risk communications through the proxy, at the endpoint, and even a DNS call.
19. To begin our investigation, we will start with a quick search to familiarize ourselves with the data sources. In this demo environment, we have a variety of security relevant data including…
– Web
– DNS
– Proxy
– Firewall
– Endpoint
– Email
20. Take a look at the endpoint data source. We are using the Microsoft Sysmon TA. We have endpoint visibility into all network communication and can map each connection back to a process. We also have detailed info on each process and can map it back to the user and parent process.
Let’s get our day started by using threat intel to prioritize our efforts and focus on communication with known high risk entities.
21. This dashboard is based on event data that contains a threat intel based indicator match (IP address, domain, etc.). The data is further enriched with CMDB based asset/identity information.
We have multiple source IPs communicating to high risk entities identified by these 2 threat sources, and we are seeing high risk communication from multiple data sources.
We see multiple threat intel related events across multiple source types associated with the IP address of Chris Gilbert. Let’s take a closer look at the IP address.
We can now see the owner of the system (Chris Gilbert) and that it isn’t a PII or PCI related asset, so there are no immediate business implications that would require informing agencies or external customers within a certain timeframe.
22. We are now looking at only threat intel related activity for the IP address associated with Chris Gilbert and see activity spanning endpoint, proxy, and DNS data sources.
These trend lines tell a very interesting visual story. It appears that the asset makes a DNS query involving a threat intel related domain or IP address. We then see threat intel related endpoint and proxy events occurring periodically and likely communicating with a known Zeus botnet based on the threat intel source (zeus_c2s).
Scroll down the dashboard to examine these threat intel events associated with the IP address.
23. Proxy related threat intel matches are important for helping us to prioritize our efforts toward initiating an investigation. Further investigation into the endpoint is often very time consuming and often involves multiple internal hand-offs to other teams or needing to access additional systems.
Within the same dashboard, we have access to very high fidelity endpoint data that allows an analyst to continue the investigation in a very efficient manner. It is important to note that near real-time access to this type of endpoint data is not common within the traditional SOC.
It’s worth mentioning that at this point you could create a ticket to have someone re-image the machine to prevent further damage as we continue our investigation within Splunk.
This encrypted proxy traffic is concerning because of the large amount of data (~1.5MB) being transferred, which is common when data is being exfiltrated.
The initial goal of the investigation is to determine whether this communication is malicious or a potential false positive. Expand the endpoint event to continue the investigation.
24. Exfiltration of data is a serious concern, as is outbound communication to an external entity that has a known threat intel indicator, especially when it is encrypted as in this case. Let’s continue the investigation.
We immediately see the outbound communication with 115.29.46.99 via https is associated with the svchost.exe process on the Windows endpoint. The process id is 4768. There is a great deal more information from the endpoint as you scroll down, such as the user ID that started the process and the associated CMDB enrichment information.
Another clue: we also see that svchost.exe should be located in a Windows system directory, but this one is being run in the user space. Not good.
25. We have a workflow action that will link us to a Process Explorer dashboard and populate it with the process id extracted from the event (4768).
26. This has brought us to the Process Explorer dashboard, which lets us view Windows Sysmon endpoint data.
Suspected Malware: This process calls itself “svchost.exe,” a common Windows process, but the path is not the normal path for svchost.exe, which is a common trait of malware attempting to evade detection. We also see it making a DNS query (port 53) then communicating via port 443.
Suspected Downloader/Dropper: We also can see that the parent process that created this suspicious svchost.exe process is called calc.exe. This is a standard Windows app, but not in its usual directory, telling us that the malware has again spoofed a common file name. This is very consistent with Zeus behavior. The initial exploitation generally creates a downloader or dropper that will then download the Zeus malware. It seems like calc.exe may be that downloader/dropper.
Let’s continue the investigation by examining the parent process, as this is almost certainly a genuine threat and we are now working toward a root cause.
27. The parent process of our suspected downloader/dropper is the legitimate PDF Reader program. This will likely turn out to be the vulnerable app that was exploited in this attack.
(Dashboard labels: Suspected Downloader/Dropper; Suspected Vulnerable App.)
We have very quickly moved from threat intel related network and endpoint activity to the likely exploitation of a vulnerable app. Click on the parent process to keep investigating.
28. We can see that the PDF Reader process has no identified parent and is the root of the infection.
Scroll down the dashboard to examine activity related to the PDF reader process.
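The pivot walked on slides 20 through 28 (threat-listed connection to owning process, then parent by parent to the root of the chain, flagging system-binary names running from user space) as an added Python example; this is not code from the Splunk deck. The Sysmon-style events, process ids, user and paths are constructed for the example; only the 115.29.46.99 indicator, the svchost.exe/calc.exe/PDF Reader chain and pid 4768 come from the slides.

```python
"""Added example (not from the Splunk deck): link a threat-intel-matched network connection
to the process that made it, then walk the Sysmon parent chain to the root of the infection,
flagging well-known system binary names that run from outside the Windows system directories.

All events below are constructed to mirror the story on the slides; field names follow
Sysmon Event ID 1 (process create) and Event ID 3 (network connect) loosely, not exactly.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional

# Binaries that legitimately live only under the Windows system directories.
SYSTEM_BINARIES = {"svchost.exe", "calc.exe", "lsass.exe", "services.exe", "explorer.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Indicator from the slides (C2 address seen in proxy and endpoint data).
THREAT_IPS = {"115.29.46.99"}


@dataclass
class ProcessEvent:            # Sysmon Event ID 1 style
    pid: int
    ppid: Optional[int]        # None = no recorded parent (root of the chain)
    image: str                 # full image path as logged
    user: str


@dataclass
class NetworkEvent:            # Sysmon Event ID 3 style
    pid: int
    dest_ip: str
    dest_port: int


# Constructed data: PDF reader -> calc.exe (dropper) -> svchost.exe (malware), plus a real svchost.
PROCESSES: List[ProcessEvent] = [
    ProcessEvent(3012, None, r"C:\Program Files\PDF Reader\pdfreader.exe", "BUTTERCUP\\cgilbert"),
    ProcessEvent(4412, 3012, r"C:\Users\cgilbert\AppData\Local\Temp\calc.exe", "BUTTERCUP\\cgilbert"),
    ProcessEvent(4768, 4412, r"C:\Users\cgilbert\AppData\Local\Temp\svchost.exe", "BUTTERCUP\\cgilbert"),
    ProcessEvent(812, 600, r"C:\Windows\System32\svchost.exe", "NT AUTHORITY\\SYSTEM"),
]
CONNECTIONS: List[NetworkEvent] = [
    NetworkEvent(4768, "8.8.8.8", 53),          # DNS lookup before the C2 session
    NetworkEvent(4768, "115.29.46.99", 443),    # encrypted session to the threat-listed address
    NetworkEvent(812, "10.0.0.5", 135),         # ordinary RPC traffic from the real svchost
]


def is_masquerading(event: ProcessEvent) -> bool:
    """A well-known system binary name running from outside the system directories."""
    name = ntpath.basename(event.image).lower()
    directory = ntpath.dirname(event.image).lower()
    in_system_dir = any(directory == d or directory.startswith(d + "\\") for d in SYSTEM_DIRS)
    return name in SYSTEM_BINARIES and not in_system_dir


def processes_talking_to_threats(conns: List[NetworkEvent]) -> Dict[int, List[str]]:
    """Map each process id to the threat-listed destinations it contacted (the slide 21/24 pivot)."""
    hits: Dict[int, List[str]] = {}
    for c in conns:
        if c.dest_ip in THREAT_IPS:
            hits.setdefault(c.pid, []).append(f"{c.dest_ip}:{c.dest_port}")
    return hits


def ancestry(pid: int, by_pid: Dict[int, ProcessEvent]) -> List[ProcessEvent]:
    """Follow parent links from pid until a process with no recorded parent; guards against cycles."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return chain


def investigate(pid: int, processes: List[ProcessEvent]) -> dict:
    """Return the parent chain for pid, which members masquerade, and the chain's root image."""
    by_pid = {p.pid: p for p in processes}
    chain = ancestry(pid, by_pid)
    return {
        "chain": [ntpath.basename(p.image) for p in chain],
        "masquerading": [p.pid for p in chain if is_masquerading(p)],
        "root": ntpath.basename(chain[-1].image) if chain else None,
    }


if __name__ == "__main__":
    for pid in processes_talking_to_threats(CONNECTIONS):
        print(pid, investigate(pid, PROCESSES))
```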
29. Chris opened 2nd_qtr_2014_report.pdf, which was an attachment to an email!
We have our root cause! Chris opened a weaponized .pdf file which contained the Zeus malware. It appears to have been delivered via email, and we have access to our email logs as one of our important data sources. Let’s copy the filename 2nd_qtr_2014_report.pdf and search a bit further to determine the scope of this compromise.
30. Let’s search through multiple data sources to quickly get a sense for who else may have been exposed to this file.
We will come back to the web activity that contains a reference to the pdf file, but let’s first look at the email event to determine the scope of this apparent phishing attack.
31. We have access to the email body and can see why this was such a convincing attack. The sender apparently had access to sensitive insider knowledge and hinted at quarterly results.
There is our attachment.
Hold on! That’s not our domain name! The spelling is close but it’s missing a “t”. The attacker likely registered a domain name that is very close to the company domain hoping Chris would not notice.
This looks to be a very targeted spear phishing attack as it was sent to only one employee (Chris).
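The slide 31 observation (a sender domain one letter off from the company's, sent to a single employee) turned into a mail-log check, as an added Python example that is not code from the Splunk deck. The company domain buttercupgames.com, the lookalike butercupgames.com and the mail-log rows are constructed; the slides give only the company name, the missing "t" and the attachment filename.

```python
"""Added example (not from the Splunk deck): find spear-phishing mail whose sender domain is a
one-character lookalike of the company domain, and measure how many recipients it reached.

The company domain and the mail-log records are constructed for this example (the slides only
say the attacker's domain was missing a "t"); the attachment name comes from the slides.
"""
from collections import defaultdict
from typing import Dict, List

COMPANY_DOMAIN = "buttercupgames.com"   # assumed; the slides name the company Buttercup Games, Inc.

# Constructed mail-log records, one row per (message, recipient), as a mail gateway would log them.
MAIL_LOG: List[dict] = [
    {"message_id": "m1", "sender": "cfo@buttercupgames.com", "recipient": "all-staff@buttercupgames.com",
     "subject": "Town hall agenda", "attachment": None},
    {"message_id": "m2", "sender": "cfo@butercupgames.com", "recipient": "chris.gilbert@buttercupgames.com",
     "subject": "Q2 numbers, please keep confidential", "attachment": "2nd_qtr_2014_report.pdf"},
    {"message_id": "m3", "sender": "billing@example.com", "recipient": "ap@buttercupgames.com",
     "subject": "Invoice 4471", "attachment": "invoice.pdf"},
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute); a single missing letter scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_lookalike(domain: str, reference: str = COMPANY_DOMAIN, max_distance: int = 1) -> bool:
    """Near-miss of the company domain: not identical, but within max_distance edits of it."""
    return domain != reference and levenshtein(domain, reference) <= max_distance


def find_lookalike_senders(mail_log: List[dict], reference: str = COMPANY_DOMAIN) -> Dict[str, dict]:
    """Group flagged rows by message so the recipient count shows the scope of the phish."""
    by_msg: Dict[str, dict] = defaultdict(
        lambda: {"sender": None, "subject": None, "recipients": set(), "attachments": set()})
    for row in mail_log:
        if not is_lookalike(sender_domain(row["sender"]), reference):
            continue
        m = by_msg[row["message_id"]]
        m["sender"], m["subject"] = row["sender"], row["subject"]
        m["recipients"].add(row["recipient"])
        if row.get("attachment"):
            m["attachments"].add(row["attachment"])
    return {
        mid: {"sender": m["sender"], "subject": m["subject"],
              "recipients": sorted(m["recipients"]), "attachments": sorted(m["attachments"]),
              "scope": len(m["recipients"])}
        for mid, m in by_msg.items()
    }


if __name__ == "__main__":
    for mid, hit in find_lookalike_senders(MAIL_LOG).items():
        print(mid, hit)
```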
32. Root Cause Recap (the slide 17 transaction-flow diagram, repeated)
We utilized threat intel to detect communication with known high risk indicators and kick off our investigation, then worked backward through the kill chain toward a root cause.
Key to this investigative process is the ability to associate network communications with endpoint process data.
This high value and very relevant ability to work a malware related investigation through to root cause translates into a very streamlined investigative process compared to the legacy SIEM based approach.
33. Let’s revisit the search for additional information on the 2nd_qtr_2014_report.pdf file.
We understand that the file was delivered via email and opened at the endpoint. Why do we see a reference to the file in the access_combined (web server) logs?
Select the access_combined sourcetype to investigate further.
34. The results show 54.211.114.134 has accessed this file from the web portal of buttergames.com.
There is also a known threat intel association with the source IP address downloading (HTTP GET) the file.
35. Select the IP address, left-click, then select “New search”. We would like to understand what else this IP address has accessed in the environment.
36. That’s an abnormally large number of requests sourced from a single IP address in a ~90 minute window. This looks like a scripted action given the constant high rate of requests over the below window.
Scroll down the dashboard to examine other interesting fields to further investigate.
Notice the Googlebot useragent string, which is another attempt to avoid raising attention.
37. The requests from 52.211.114.134 are dominated by requests to the login page (wp-login.php). It’s clearly not possible to attempt a login this many times in a short period of time by hand; this is a scripted brute force attack.
After successfully gaining access to our website, the attacker downloaded the pdf file, weaponized it with the Zeus malware, then delivered it to Chris Gilbert as a phishing email.
The attacker is also accessing admin pages, which may be an attempt to establish persistence via a backdoor into the web site.
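The slide 36/37 reasoning (request volume and rate from one address, login-page concentration, a crawler user agent on credential POSTs, and what was fetched once a login succeeded) as detection logic over access_combined lines, an added Python example that is not code from the Splunk deck. The log lines, timestamps and counts are constructed; the source IP, wp-login.php path and the 2nd_qtr_2014_report.pdf filename are the ones on the slides.

```python
"""Added example (not from the Splunk deck): profile clients in access_combined web logs to
spot a scripted login brute force and what the client fetched after it got in.

The log lines are constructed here to resemble the slide 36/37 pattern (many POSTs to
wp-login.php from one address in ~90 minutes with a Googlebot user agent); the IP, path
and filename come from the slides, the timestamps and counts are invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Apache "combined" log format, the layout Splunk's access_combined sourcetype parses.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
ATTACKER = "54.211.114.134"


def log_line(ip: str, ts: datetime, method: str, uri: str, status: int, ua: str) -> str:
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {uri} HTTP/1.1" {status} 1425 "-" "{ua}"'


def build_sample_log() -> List[str]:
    """Constructed log: 900 password guesses six seconds apart, the last one succeeding (302)."""
    start = datetime.strptime("10/Mar/2015:08:00:00 -0700", TS_FMT)
    lines = []
    for i in range(900):
        status = 302 if i == 899 else 200          # WordPress re-renders the form (200) on failure
        lines.append(log_line(ATTACKER, start + timedelta(seconds=6 * i),
                              "POST", "/wp-login.php", status, GOOGLEBOT_UA))
    t = start + timedelta(minutes=90)
    lines.append(log_line(ATTACKER, t, "GET", "/wp-admin/", 200, GOOGLEBOT_UA))
    lines.append(log_line(ATTACKER, t + timedelta(seconds=30),
                          "GET", "/portal/2nd_qtr_2014_report.pdf", 200, GOOGLEBOT_UA))
    for i in range(5):                              # a customer browsing normally
        lines.append(log_line("10.20.30.40", start + timedelta(minutes=7 * i),
                              "GET", "/index.php", 200, "Mozilla/5.0 (Windows NT 6.1)"))
    return lines


def parse(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def profile_clients(lines: List[str], login_uri: str = "/wp-login.php",
                    min_attempts: int = 100) -> Dict[str, dict]:
    """Per source IP: login-attempt volume and rate, the crawler-claim anomaly, and post-auth activity."""
    per_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        logins = [r for r in recs if r["method"] == "POST" and r["uri"] == login_uri]
        if len(logins) < min_attempts:
            continue
        span_min = max((logins[-1]["ts"] - logins[0]["ts"]).total_seconds() / 60, 1.0)
        success = next((r["ts"] for r in logins if r["status"] == 302), None)
        post_auth = [r for r in recs if success and r["ts"] > success and r["method"] == "GET"]
        findings[ip] = {
            "attempts": len(logins),
            "per_minute": round(len(logins) / span_min, 1),
            # Real crawlers do not POST credentials; a Googlebot UA on a login POST is camouflage.
            "claims_googlebot": any("Googlebot" in r["ua"] for r in logins),
            "first_success": success,
            "admin_pages": sorted({r["uri"] for r in post_auth if r["uri"].startswith("/wp-admin")}),
            "files_taken": sorted({r["uri"] for r in post_auth if r["uri"].lower().endswith(".pdf")}),
        }
    return findings


if __name__ == "__main__":
    for ip, f in profile_clients(build_sample_log()).items():
        print(ip, f)
```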
38. Kill Chain Analysis Across Data Sources (the slide 17 transaction-flow diagram, repeated, with summary callouts)
We began by reviewing threat intel related events for a particular IP address and observed DNS, proxy, and endpoint events for a user in Sales.
We continued the investigation by pivoting into the endpoint data source and used a workflow action to determine which process on the endpoint was responsible for the outbound communication.
We traced the svchost.exe Zeus malware back to its parent process ID, which was the calc.exe downloader/dropper.
We traced calc.exe back to the vulnerable application PDF Reader.
We were able to see which file was opened by the vulnerable app and determined that the malicious file was delivered to the user via email.
A quick search into the mail logs revealed the details behind the phishing attack and revealed that the scope of the compromise was limited to just the one user.
Once our root cause analysis was complete, we shifted our focus into the web logs to determine that the sensitive pdf file was obtained via a brute force attack against the company website.
Investigation complete! Let’s get this turned over to the Incident Response team.
40. The 6th Annual Splunk Worldwide Users’ Conference
September 21-24, 2015 The MGM Grand Hotel, Las Vegas
• 50+ Customer Speakers
• 50+ Splunk Speakers
• 35+ Apps in Splunk Apps Showcase
• 65 Technology Partners
• 4,000+ IT & Business Professionals
• 2 Keynote Sessions
• 3 days of technical content (150+ Sessions)
• 3 days of Splunk University
– Get Splunk Certified
– Get CPE credits for CISSP, CAP, SSCP, etc.
– Save thousands on Splunk education!
Register at: conf.splunk.com
41. We Want to Hear your Feedback!
After the Breakout Sessions conclude
Text Splunk SLC to 878787
And be entered for a chance to win a $100 AMEX gift card!
Probably dating myself here. If you’ve ever read The Hitchhiker’s Guide to the Galaxy, you’d know this is the answer to life, the universe, and everything.
Google will prove that to you if you type “the answer to life, the universe, and everything” in.
What does that have to do with Splunk?
Our security biz is on fire - Between 35 and 42% of Splunk customers buy Splunk with security as the primary use case.
Used to be that the security department would purchase Splunk and keep it for themselves.
Now we see security spearheading Splunk and then driving the adoption across the org.
We’ve adjusted our field organization to complement this.
Pre-Sales:
SMEs on every sales team that focus on security.
Specialists within every region that ONLY do security.
Post-Sales:
Security Practice that builds new content based on field experiences with customers. SPLICE as an example.
Security Services to do SOC building, breach response, tabletop exercises, etc.
Development and Partners:
Entire development organization built around our Enterprise App for Security
Partner program to get the very best integrations built with key security technologies.
Another interesting thing happened.
I’ve been at Splunk now for two years. In that time I’ve seen our customers shift.
First complement traditional SIEM – the ones listed up here: Q1, ArcSight, Nitro.
But wait, 90%...
Now, they’re actively sunsetting these and using pure Splunk in place of a traditional SIEM. The reasons are always the same:
-Faster development
-Better context
-Easier onboarding
-Staff can hunt instead of maintain
Splunk excels at creating a data fabric
Machine data: Anything with a timestamp, regardless of incoming format.
Throw it all in there!
Collect it. Store it in one place. Make it accessible for search/analytics/reporting/alerting.
DETECTION NOT PREVENTION! ASSUME BREACH!
So we need a place we can go to DETECT attacks. DETECT breaches. DETECT the “weird.”
So if you had a place to see “everything” that happened…
….what would that mean for your SOC and IR teams?
It’s not just about security data.
We collect all of that data – sure. You have to. We don’t want you to throw out any good sources of data.
In a lot of cases, Splunk is blind, and reliant on third parties to send it data
That’s one of the reasons our partners out in the hall are so important
In some cases our own software gathers a lot of native useful data – we will see that later
In many cases – you’re sending data from existing sources into splunk
There’s a lot of non traditional data though that is useful for security, and we’ll see much of it here in the demo
Examples:
-Analyze email senders, receivers, subject lines, and perhaps full email text to understand phishing activity.
-Get badge reader data to correlate physical location of individual with login and file access behavior.
-Correlate data against CMDB to provide risk scoring and other context
Splunk is used across the security spectrum these days
Within security, 6 major areas. Each could have its own presentation in itself.
Starting from the right: Insider threat. A significant number of breaches are attributed to insiders. But more importantly, an outsider often looks like an insider due to use of valid, often privileged, credentials. We want to capture the east-west traffic – the behavior “inside the perimeter” – and alert you to behavior that isn’t normal.
Fraud. Because we can capture the details of every online interaction, we can again look for patterns that shouldn’t be there. There’s a few great published use cases here – but if you think about looking for unusual use of coupons, strange price changes, credits to subscribers, access to accounts from unusual IP addresses or devices, you can start to get your head around what we do for fraud.
Unknown threats. These are the zero days – and here we are again looking for things that are not normal. Strange ports. Process or service names. Unusual login activity. Data transfer patterns. All of these can be IOCs.
Known threats, in real time. Here’s where we’ll consume data from those traditional sources. IDS, endpoint, malware, firewalls, antivirus – you name it. Correlate it against threat intelligence, provide risk scoring, and alert you to the threat.
Security and compliance reporting. Very simple – we collect all of the data relevant to just about any compliance standard you can think of, and we make it very easy to create reports to satisfy your external or internal auditors. Some mappings are more concrete than others – PCI, HIPAA, SANS 20. Some are more abstract but we can provide guidance.
And finally, the one we’ll concentrate on in this session: SOC incident investigations and then escalation to incident response and forensics. Again – we store everything, we make it quickly searchable, we never throw anything out, and we provide instant context to the reviewer. In IR, speed is your best ally – for every minute you waste waiting for analytics in a real incident, more damage can be done…
The phrase, Cyber Kill Chain, was coined by researchers from Lockheed Martin. For a complete list of
Phases please see:
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
This is how a common adversary – i.e. someone that wants to steal your data, or your intellectual property, or cause downtime, or embarrass your org, sees you and plans an attack. They could be cyber criminals, they could be nation states, they could be coming from the inside.
Recon: Discover/identify target. Maybe not even any direct communications with the target. They might be googling things to see if you have web portals that they can attack. Look at public records or proposals to see who is working on what, or what new products you are going to offer, or see who you have recently hired. Basically looking for something to exploit…
…which then happens in a multitude of ways. This is where the actual compromise takes place. Commonly, some artifact that is trusted is weaponized and delivered. This is also where social engineering may come in to steal credentials (100% of breaches involve stolen, valid credentials).
Then act on intent – what do they want to do to you? Steal your data or IP, affect your operations, or cause physical harm, like we saw with Stuxnet a few years ago with the centrifuges.
The ones we are glossing over here are weaponization, delivery, installation, command and control. We will see those in the exercise.
Splunk is the only security analytics platform that allows analysts and incident investigators to leverage these disparate data sources to disrupt the adversary kill chain.
This demo shows a real world investigation scenario for the Zeus attack. We begin by searching for events that match new threat intelligence, then investigate the infection and identify the complete adversary kill chain.
This hands-on exercise shows a real world investigation scenario for the Zeus malware. Why Zeus?
Malware that reports into a botnet, been around since 2009,
Disrupts services, acquires financial data, installs ransomware to lock up machines.
Very effective, very elusive – every time we think we have a handle on it, it comes back because it keeps morphing.
Attempts to shut it down largely unsuccessful.
Most important: the data that we will be working with is real data, from an actual Splunk customer. We have sanitized it of course and taken a small portion of it to make it more manageable.
The goal here is NOT to show you how Splunk can help you combat Zeus, specifically.
The goal here is to show you how Splunk integrates threat intelligence, and helps you jump from event data across the entire security stack, to get a full picture of what’s going on, and help you disrupt an adversary.
Incident investigation can be intimidating! What do you click on first? How do you follow the path of an attacker? It’s helpful to work backwards through the cyber kill chain, because that will make us better defenders in the future. The earlier we can disrupt the kill chain, the better.
This use of Splunk can be intimidating too! We’re going to get away from the pretty dashboards we saw in the morning session and delve deep into log files here. Security practitioners are in general a really smart group – but Splunk is a great tool to make smart people smarter.
Just to explain what we’re going to do here and map it to the kill chain phases…plus to give you a preview of the kinds of data we will see in the exercise…
Sysmon is available on any modern Windows platform
It’s tunable now – you can tell it what to capture, and it reports what it captures in XML-style logs
It’s free
And there’s a free Splunk app to ingest the data.
At RSA back in April, the guy that wrote Sysmon – SysInternals author Mark Russinovich, during his presentation, said that Sysmon should be enabled on every one of your windows endpoints, and you should collect the data it generates in an analysis tool like Splunk.
Now – you might have other endpoint threat detection (and remediation) technologies in place on your endpoints – this could be Tripwire, Carbon Black, Ziften – those are all excellent, all partners of ours, and all have feature sets above what Sysmon can give you. But for free, it turns out, this is pretty useful…
Scroll down on sysmon and talk about field extraction!
This is a splunk dashboard – these are very easy to create from your existing searches. You can make them interactive, like this one is
This one maps IP addresses found in our data to known bad IP addresses.
Let’s talk about lookups – data does not have to live in Splunk to be useful to Splunk
-static lookups
-databases
-hadoop
-web services
-dynamic lookups (like bing or virustotal)
-STIX/TAXII
CMDB – we want to gain context. All about speed.
Threat Intel – we want to match artifacts in our data against IOCs from threat feeds.
IP address, domain, URL
Now with STIX: just about anything. Registry values, filenames, hashes, process names, email addresses, etc.
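To make the Sysmon field extraction and the threat-list matching behind the dashboard and lookup discussion concrete, here is an added example (not code from the presentation or from Splunk): it parses the XML records Sysmon writes to the Windows event log, flattens the named fields, and matches the extracted IPs, hostnames and file hashes against a static CSV lookup in the shape a Splunk lookup file takes. Every event, host name, IP address (RFC 5737 documentation ranges), hash value and feed name is constructed for the demo.

```python
"""Sysmon field extraction plus a static threat-list lookup.

Added example (not the presentation's or Splunk's code): parse the XML that
Sysmon writes to the Windows event log, flatten the <Data Name=...> fields,
and match extracted IPs, hostnames and hashes against a CSV lookup of
indicators. Every event, host, address, hash and feed name is constructed.
"""
import csv
import io
import ipaddress
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed Sysmon records: a network connection (Event ID 3) to a listed
# address, the process creation (Event ID 1) behind it, and a benign connection.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID>
<Computer>wkst-cgilbert.example.local</Computer></System><EventData>
<Data Name="UtcTime">2015-09-01 14:03:11.120</Data><Data Name="ProcessId">4120</Data>
<Data Name="Image">C:\Users\cgilbert\AppData\Roaming\svchost.exe</Data>
<Data Name="SourceIp">10.0.8.23</Data><Data Name="DestinationIp">203.0.113.57</Data>
<Data Name="DestinationHostname">c2.bad.example</Data>
<Data Name="DestinationPort">8080</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
<Computer>wkst-cgilbert.example.local</Computer></System><EventData>
<Data Name="UtcTime">2015-09-01 14:02:58.004</Data><Data Name="ProcessId">4120</Data>
<Data Name="Image">C:\Users\cgilbert\AppData\Roaming\svchost.exe</Data>
<Data Name="Hashes">MD5=00112233445566778899AABBCCDDEEFF</Data>
<Data Name="ParentImage">C:\Program Files\PDF Reader\reader.exe</Data>
</EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID>
<Computer>wkst-cgilbert.example.local</Computer></System><EventData>
<Data Name="UtcTime">2015-09-01 14:05:40.311</Data>
<Data Name="Image">C:\Windows\explorer.exe</Data>
<Data Name="SourceIp">10.0.8.23</Data><Data Name="DestinationIp">10.0.8.5</Data>
<Data Name="DestinationHostname">fileserver.example.local</Data>
<Data Name="DestinationPort">445</Data></EventData></Event>""",
]

# Static lookup in the CSV shape a Splunk lookup file uses (constructed feed).
THREAT_LOOKUP_CSV = """indicator,type,source
203.0.113.57,ip,constructed-feed-a
198.51.100.0/24,cidr,constructed-feed-a
c2.bad.example,domain,constructed-feed-a
00112233445566778899aabbccddeeff,md5,constructed-feed-b
"""

# Which extracted fields are compared against which indicator type.
FIELD_TYPES = {"DestinationIp": "ip", "SourceIp": "ip", "DestinationHostname": "domain",
               "Image": "filename", "ParentImage": "filename",
               "MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event-log record into {field: value}: EventID and
    Computer from <System> plus every <Data Name=...> element in <EventData>."""
    root = ET.fromstring(xml_text)
    fields = {}
    for tag in ("EventID", "Computer"):
        el = root.find(f"{NS}System/{NS}{tag}")
        if el is not None and el.text:
            fields[tag] = el.text.strip()
    for data in root.iter(NS + "Data"):
        if data.get("Name"):
            fields[data.get("Name")] = (data.text or "").strip()
    # Sysmon packs hashes as "SHA1=...,MD5=...,SHA256=..."; split them into fields.
    for pair in fields.get("Hashes", "").split(","):
        algo, _, value = pair.partition("=")
        if value:
            fields[algo.strip()] = value.strip().lower()
    return fields


def load_threat_lookup(csv_text):
    """Read a static lookup (indicator,type,source) and normalise it to lowercase."""
    return [{k: v.strip().lower() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(csv_text))]


def _in_cidr(ip_text, cidr_text):
    try:
        return ipaddress.ip_address(ip_text) in ipaddress.ip_network(cidr_text, strict=False)
    except ValueError:
        return False


def match_indicators(fields, lookup):
    """Return (field, value, indicator, source) for every lookup hit in one event."""
    hits = []
    for field, ioc_type in FIELD_TYPES.items():
        value = fields.get(field, "").lower().rstrip(".")
        if not value:
            continue
        if ioc_type == "filename":  # compare basenames; feeds rarely carry full paths
            value = value.replace("\\", "/").rsplit("/", 1)[-1]
        for row in lookup:
            exact = row["type"] == ioc_type and row["indicator"] == value
            ranged = row["type"] == "cidr" and ioc_type == "ip" and _in_cidr(value, row["indicator"])
            if exact or ranged:
                hits.append((field, value, row["indicator"], row["source"]))
    return hits


def triage(events_xml, lookup_csv):
    """Parse every event, run the lookup, and keep only the events with hits."""
    lookup = load_threat_lookup(lookup_csv)
    flagged = []
    for xml_text in events_xml:
        fields = parse_sysmon_event(xml_text)
        hits = match_indicators(fields, lookup)
        if hits:
            flagged.append({"time": fields.get("UtcTime"), "event_id": fields.get("EventID"),
                            "image": fields.get("Image"), "hits": hits})
    return flagged


if __name__ == "__main__":
    for entry in triage(SAMPLE_EVENTS, THREAT_LOOKUP_CSV):
        print(entry)
```

The same shape carries over to a search in Splunk: the field extraction produces the `DestinationIp`, `Image` and hash fields, and a `lookup` against the CSV adds the feed's `source` column to each matching event, which is what the dashboard above is showing per IP. Matching on the basename of `Image` and on CIDR ranges are two design choices worth keeping in mind, since both widen the match deliberately and so need review of the hits they produce.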
Cymru is pronounced (“cum-ree”)
Same dash but now scoped just to Chris Gilbert’s IP.
Talk about workflow actions here
So we know what happened here – targeted malware was sent to Chris Gilbert in a weaponized PDF file and he opened it up. Question is – how did the attackers get a copy of the confidential quarterly report?
And finally, I would like to encourage all of you to attend our user conference in September.
The energy level and passion that our customers bring to this event is simply electrifying.
Combined with inspirational keynotes and 150+ breakout sessions across all areas of operational intelligence,
It is simply the best forum to bring our Splunk community together, to learn about new and advanced Splunk offerings, and most of all to learn from one another.