S08_Putting Insider Risk Countermeasures into Practice with Microsoft 365 E5 Compliance [Microsoft Japan Digital Days] (Microsoft Japan Co., Ltd.)
Microsoft Japan Co., Ltd.
Cloud & Solutions Business Division, Cybersecurity & Compliance Division, Compliance Technical Sales Department
小野寺 真司
As remote work has spread and people have fewer occasions to feel watched by others, both intentional and accidental insider incidents have increased.
This session introduces insider risk countermeasures using Microsoft 365 E5 Compliance.
[About Microsoft Japan Digital Days]
Microsoft Japan Digital Days is Microsoft Japan's largest digital event, aimed at helping customers strengthen their competitiveness, respond quickly to market changes and achieve more. Over four days, the event delivered the information needed in the digital age: the latest Modern Work case studies for raising each person's productivity and creativity and designing organizations for the cloud era, the latest technology capabilities that support the business-resilience management needed to ride out waves of change and sustain corporate growth, and the cloud strategy vision essential to competitive advantage. (Held October 11-14, 2021)
S03_Start Here! Taking the First Step in Security with Microsoft 365 E3 [Microsoft Japan Digital Days] (Microsoft Japan Co., Ltd.)
Microsoft Japan Co., Ltd.
Cybersecurity & Compliance Division, Cybersecurity Technical Sales Department, Technical Specialist
芳賀 俊亮
Now that remote work is no longer a temporary measure, IT department staff are likely facing a variety of challenges.
This session focuses on Azure Active Directory and Intune and shows how secure access control and device management can be achieved with Microsoft 365 E3.
We have prepared one scenario: see how the challenges faced by Macrohard Co., Ltd. (a fictional company) are solved with Microsoft 365 E3!
[About Microsoft Japan Digital Days]
Microsoft Japan Digital Days is Microsoft Japan's largest digital event, aimed at helping customers strengthen their competitiveness, respond quickly to market changes and achieve more. Over four days, the event delivered the information needed in the digital age: the latest Modern Work case studies for raising each person's productivity and creativity and designing organizations for the cloud era, the latest technology capabilities that support the business-resilience management needed to ride out waves of change and sustain corporate growth, and the cloud strategy vision essential to competitive advantage. (Held October 11-14, 2021)
Logs, Logs, Logs - What you need to know to catch a thief (Michael Gough)
This will help you get started with Windows logging: what to enable, configure, gather and harvest to start catching hackers in their tracks.
The Windows Logging Cheat Sheet and the "SEXY Six" Event IDs you MUST monitor and alert on.
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi... (Hackito Ergo Sum)
Today most networks present one “gateway” to the whole network – The SSL-VPN. A vector that is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in-place, the internals of the appliance hides interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed.
Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of fortune 500 companies, we contacted F5 and received one of the best vendor responses we’ve experienced – EVER!
https://www.hackitoergosum.org
Let's Talk Technical: Malware Evasion and Detection (James Haughom Jr)
This is from my talk at IR18 geared around evasion techniques employed by malware, and detection methods for incident responders. I touch on everything from ransomware, to evasive fileless WMI malware. My goal for this talk was to teach defenders about the inner-workings and capabilities of malware, as well as some detection methods they may have not considered.
How we do it better than IR firms. Learn what you need to know to catch everything from commoditized malware to advanced malware. Ask a Blue Team Ninja, Logoholic and Malware Archaeologist how we do it.
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014 (grecsl)
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage, either to crush the mundane or to recognize when it's time to pass the more serious samples on to the big boys. This presentation covers several analysis environment options and the three quick steps that allow almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se, but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
Security devices work in silos and do not share useful data. This presentation will propose an architecture which will allow such devices or applications to be dynamically reconfigured to increase the overall security of the assets.
The Dirty Little Secrets They Didn't Teach You In Pentesting Class (Chris Gates)
Derbycon 2011
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
Lions, Tigers and Deers: What building zoos can teach us about securing micro... (Sysdig)
How do you secure microservices running in containers? Strategies for Docker, Kubernetes, OpenShift, RancherOS and DC/OS Mesos.
Privilege, resource and visibility constraints with capabilities, cgroups and namespaces. Image vulnerability scanning and behavioural security monitoring with Sysdig Falco.
TENTACLE: Environment-Sensitive Malware Palpation (PacSec 2014) (FFRI, Inc.)
In this presentation, I present an automatic disarmament system for armed malware with anti-sandboxing. The system targets 1) host-fingerprinting malware like Citadel and 2) armed malware with general anti-sandboxing aimed at automated sandbox analyzers. The disarmament approach focuses on the exit reason and the exit before activity in malware execution. I have been developing a CPU emulator-based disarmament system with instrumentation. The system suggests a suitable environment for dynamic analysis of individual malware.
Talk Venue: BSides Tampa 2020
Speakers: Mike Felch & Joff Thyer
This talk will focus on the many different ways that a penetration tester or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful programming language which above all else allows a competent developer to very quickly write new tools that might start as a Proof of Concept but soon become an invaluable addition to the Red Teamer's tool-belt. Having the skills to both generate new tools and modify existing tools on the fly is critically important to agility during testing engagements. Everything from utility processing of data, network protocols, and API interaction to exploit development can be rapidly developed due to the high functionality level and intuitive nature of Python.
This presentation, created by Syed Faiz ul Hassan, explores the profound influence of media on public perception and behavior. It delves into the evolution of media from oral traditions to modern digital and social media platforms. Key topics include the role of media in information propagation, socialization, crisis awareness, globalization, and education. The presentation also examines media influence through agenda setting, propaganda, and manipulative techniques used by advertisers and marketers. Furthermore, it highlights the impact of surveillance enabled by media technologies on personal behavior and preferences. Through this comprehensive overview, the presentation aims to shed light on how media shapes collective consciousness and public opinion.
Have you ever wondered how search works while visiting an e-commerce site, internal website, or searching through other types of online resources? Look no further than this informative session on the ways that taxonomies help end-users navigate the internet! Hear from taxonomists and other information professionals who have first-hand experience creating and working with taxonomies that aid in navigation, search, and discovery across a range of disciplines.
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives... (Orkestra)
UIIN Conference, Madrid, 27-29 May 2024
James Wilson, Orkestra and Deusto Business School
Emily Wise, Lund University
Madeline Smith, The Glasgow School of Art
Acorn Recovery: Restore IT infra within minutes (IP ServerOne)
Introducing Acorn Recovery as a Service, a simple, fast, and secure managed disaster recovery (DRaaS) by IP ServerOne. A DR solution that helps restore your IT infra within minutes.
0x01 - Newton's Third Law: Static vs. Dynamic Abusers (OWASP Beja)
If you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it for their own needs. In this talk we'll compare measures that are effective against static attackers and discuss how to battle a dynamic attacker who adapts to your counter-measures.
About the Speaker
===============
Diogo Sousa, Engineering Manager @ Canonical
An opinionated individual with an interest in cryptography and its intersection with secure software development.
This presentation by Morris Kleiner (University of Minnesota) was made during the discussion "Competition and Regulation in Professions and Occupations" held at the Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found at oe.cd/crps.
This presentation was uploaded with the author’s consent.
33. How to Detect?
• Initial access
  • Phishing
    • Path, cmdline, signature, …
  • Exploit
    • General exploit cmdline, parent process
• Execution
  • General exploit cmdline
  • Parent process name
  • File name
34. How to Detect?
• Persistence
  • Service create, autorun registry, startup folder, …
  • Account create
  • DLL side-loading
• Privilege Escalation
  • Treasure
  • General exploit cmdline
37. How to Detect?
• Discovery
  • Common command: whoami, ipconfig, netstat, ping, …
  • Parent process name
  • File name
• Lateral movement
  • Microsoft protocol: RDP, SMB, RPC, …
  • General exploit cmdline
• Exfiltration
  • Rarely seen cmdline
39. Suspicious Behaviors
• Initial Access
  • w3wp.exe creates a cmd.exe process
• Execution
  • General exploit cmdline
• Discovery
  • Common command (net)
• Execution
  • Masquerading (file path)
• Execution
  • Masquerading (file path)
• Execution
  • General exploit cmdline
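The behaviors listed above (the IIS worker process spawning a shell, common discovery commands, and a system binary name running from an unexpected path) can be expressed as simple rules over process-creation telemetry. The following is an added example, not from the deck; the event records, the rule names and the list of "system-only" binaries are constructed for illustration, and powershell.exe as a second shell name is this example's assumption.

```python
import ntpath

# Constructed sample process-creation events (not from the deck): Sysmon Event ID 1
# style records reduced to parent image, image and command line.
EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Binaries that legitimately live only in the system directories (assumed list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "smss.exe"}
# The "common command" list from the Discovery slide.
DISCOVERY_CMDS = {"whoami.exe", "ipconfig.exe", "netstat.exe", "ping.exe", "net.exe"}

def base(path):
    return ntpath.basename(path).lower()

def folder(path):
    return ntpath.dirname(path).lower()

def rule_webshell_spawn(ev):
    """Initial access: the IIS worker process spawning a shell (w3wp.exe -> cmd.exe)."""
    return base(ev["parent"]) == "w3wp.exe" and base(ev["image"]) in {"cmd.exe", "powershell.exe"}

def rule_discovery(ev):
    """Discovery: common enumeration commands, judged by file name."""
    return base(ev["image"]) in DISCOVERY_CMDS

def rule_masquerading(ev):
    """Execution: a system binary name running from a non-system path."""
    return base(ev["image"]) in SYSTEM_BINARIES and folder(ev["image"]) not in SYSTEM_DIRS

RULES = {  # rule names are this example's own labels
    "initial_access/webshell_spawn": rule_webshell_spawn,
    "discovery/common_command": rule_discovery,
    "execution/masquerading_path": rule_masquerading,
}

def detect(events):
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for i, name in detect(EVENTS):
        print(f"event {i}: {name}: {EVENTS[i]['cmdline']}")
```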
43. Suspicious Behaviors
• Obviously, it was a common web exploitation.
• The server is an Exchange server; maybe it was an outdated Exchange that suffered from known Exchange CVEs.
46. Nothing else is interesting.
Just recommend that our user update their Exchange and resolve this incident (?)
However, the characteristics differed a little from those of the known CVEs…
47. Access Log Review ‒ ProxyShell
• Recall ProxyShell
Ref: Actually, your blue team is red. Stealing your red move from the blue side, Hitcon, 2022.
55. ProxyNotShell Mitigation
• Recommended Regex: (?=.*autodiscover)(?=.*powershell)
• Change the condition input from {REQUEST_URI} to {UrlDecode:{REQUEST_URI}}
Ref: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
56. Conclusion
• As long as the detection rules are continuously monitored and tuned, suspicious behaviors can be detected in large amounts of logs.
• Be curious about every abnormal event/incident/log so that we can make decisions more precisely.
• Although we could not be sure whether it was an unknown 1day or 0day attack at that time, we successfully detected and mitigated it.
• Now we know that it was a 0day attack.
• That is…
We defeated the 0day Attack!