This document summarizes a presentation on enterprise network security given in Taipei in 2014. The presentation covers prerequisites and past experience in enterprise defense, demonstrates tools and techniques for improving detection and incident handling, and discusses living with compromise in a challenging security environment like Russia. The document outlines the agenda and provides details on topics like identifying the attack surface, attacker tactics, incident response processes, and analyzing security incidents and systems.
This document discusses case studies of network breaches in virtualized environments. It provides an overview of the speaker's background and experience investigating cyber attacks. The document then outlines several past cases from 2011-2015, including nation state compromises and criminal organizations exfiltrating data. Tactics of advanced persistent threats and cybercriminals are converging. The presentation will explore a case study from Central Asia involving compromised government websites and the challenges of attribution.
HITB2013AMS Defending the enterprise, a Russian way!F _
The Information Security Community on LinkedIn, with the support of Cybereason, conducted a comprehensive online research project to gain more insight into the state of threat hunting in security operations centers (SOCs). When the 330 cybersecurity and IT professionals were asked what keeps them up at night, many comments revolved around a central theme of undetected threats slipping through an organization's defenses. Many responses included "unknown" and "advanced" when describing threats, indicating that the respondents understand the challenges and fear those emerging threats.
CSF18 - Incident Response in the Cloud - Yuri DiogenesNCCOMMS
This document discusses how Azure Security Center (ASC) can help security operations centers (SOCs) with incident response in the cloud. ASC provides initial triage of security alerts and incidents, performs investigations across cloud and on-premises data sources, and gives SOC teams contextual awareness of incidents through linked alerts and machines. The document demonstrates ASC's capabilities through examples of detecting malware and process exploitation and of responding to attacks.
Best Practices for Leveraging Security Threat IntelligenceAlienVault
The state of threat intelligence in the information security community is still very immature. Many organizations are still combating threats in a reactive manner, only learning what they're dealing with, well...when they're dealing with it. There is a wealth of information in the community, and many organizations have been gathering data about attackers and trends for years. How can we share that information, and what kinds of intelligence are most valuable? In this presentation, we'll start with a brief overview of AlienVault's Open Threat Exchange™ (OTX), and then we'll discuss attack trends and techniques seen in enterprise networks today, with supporting data from AlienVault OTX. We'll also take a look at some new models for collaboration and improving the state of threat intelligence going forward.
Uncovering ICS Threat Activity Groups for Intelligence-Driven Defense: Dragos has released information about eight threat activity groups that have targeted industrial companies. These groups range from espionage, to learning industrial environments for future effects, to causing a power outage and targeting human life directly. But what are threat activity groups? They are different than what is normally tracked in the community as threat actors and have a different focus for defenders.
CSF18 - Guarding Against the Unknown - Rafael NarezziNCCOMMS
Rafael Narezzi is a cybersecurity strategist and Chief Technology Officer of 4cyberSec with over 20 years of experience in the financial sector. He holds a master's degree in forensic computing, cybersecurity, and counter-terrorism. Narezzi lectures on cybersecurity and works as a senior advisor providing end-to-end security solutions for executives. He warns that short-term security benefits do not scale well against adaptive attackers. Cybercrime has become highly organized and profitable, treating attacks as a business. Total protection is impossible, but organizations must minimize damage from inevitable attacks.
A military concept now applied to cybersecurity, the "cyber kill chain" was developed by Lockheed Martin in 2011. It describes the phases an adversary follows to target an organization. There are seven well-defined phases, and an attack is considered successful if and when all of the phases have been completed.
(DOCUMENT IN ENGLISH)
Threat hunting is a proactive approach to security that involves actively searching networks for threats that evade traditional defenses like firewalls and antivirus. It involves forming hypotheses about potential attacks based on indicators and then validating those hypotheses by searching for related evidence. While threat hunting requires time, skills, and resources that many organizations lack, Panda Security's Threat Hunting and Investigation Service (THIS) provides threat hunting as a managed service at no extra cost with their Adaptive Defense 360 platform. THIS continuously monitors endpoints, forms hypotheses about attacks, and validates findings to detect threats that other solutions may miss.
Tierpoint webinar: Multi-vector DDoS attacks: detection and mitigation_Jan2016TierPoint
Nearly half of those businesses who suffered a DDoS attack in 2014 saw their organization taken completely offline. Why? Because over 80% of DDoS attacks are now multi-vector, striking the application layer and the network layer simultaneously, and often dragging on for days. During this webinar, Paul Mazzucco, TierPoint's Chief Security Officer, describes how these multi-vector DDoS attacks are being perpetrated and what you can do to mitigate against these complex intrusions.
The Evolution of IDS: Why Context is KeyAlienVault
As security teams today become more focused on improving their detection and response capabilities, they're having to revisit technologies they rely on, as well as how they're using those technologies to combat threats and improve security posture. Few technologies have played a bigger role in detection and response than intrusion detection and prevention systems. Today these tools are considered "must have" controls for security and compliance, but are we using them effectively? Are we getting the right alerts, and looking for the right events and patterns in network traffic? How can we more effectively correlate data from IDS and IPS with other information and build a better security capability based on internal and external threat intelligence? In this webcast, we'll revisit the IDS and its evolution as a mainstay technology in our security arsenal. We'll also look at where teams are taking these tools using more effective processes and technology to improve detection and response significantly.
Safe never sleeps - a peek into the IT underworld. Security briefing from McAfee and Global Micro - Microsoft Hosting Partner of the Year 2010 and 2011. Presentation by Christo Van Staden www.globalmicro.co.za. Follow me on twitter @jjrmilner
The Four Types of Threat Detection and Use Cases in Industrial SecurityDragos, Inc.
Dragos' Sergio Caltagirone and Robert M. Lee discuss the four types of threat detection methods for industrial control systems operations, while providing ICS-specific use cases, to help you determine which detection strategy is most effective for your organization.
The recorded webinar can be found here: https://youtu.be/zqvDu0OaY8k
Also check out the Four Types of Threat Detection white paper: https://dragos.com/blog/FourTypesOfTh...
Part of the Secrets of ICS Cybersecurity webinar series: https://dragos.com/blog/20181017Webin...
More info www.dragos.com
Follow us on LinkedIn: https://www.linkedin.com/company/drag....
Follow us on Twitter: https://twitter.com/dragosinc
William F. Crowe presented on the cybersecurity kill chain, which models the stages of a cyber attack based on military doctrine. The model developed by Lockheed Martin includes stages of reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. ISACA and the European Union Agency for Network and Information Security also use similar kill chain models to analyze the process of advanced persistent threats targeting critical systems and data.
This document provides an overview of techniques for identifying Advanced Persistent Threats (APTs). It discusses 5 styles of techniques: network traffic analysis, network forensics, payload analysis, endpoint behavior analysis, and endpoint forensics. For each style, it provides examples of specific techniques. It emphasizes that effective APT protection requires combining techniques from different styles and approaches. The information is intended to be informative but does not constitute an explicit recommendation of any product or approach.
Threat hunting - Every day is hunting seasonBen Boyd
Breakout Presentation by Ben Boyd during the 2018 Nebraska Cybersecurity Conference.
Introduction to Threat Hunting and helpful steps for building a Threat Hunting Program of any size, from small to massive.
This document provides an overview of ransomware attacks, including:
- Ransomware targets businesses of all sizes for financial gain or practice. It often puts small businesses out of business.
- The anatomy of a cyber attack generally involves phases of reconnaissance, weaponization, delivery, exploitation, installation, command and control, and achieving objectives.
- Ransomware has changed to demand larger ransoms, attack backups, and bully victims. Common entry points include remote access tools, unpatched equipment, and emails.
- Common misconceptions are that attackers won't provide decryption, only large companies are targeted, and single protections like antivirus will prevent attacks.
- To recover
This document outlines an overview of intelligent threat hunting presented by Dhruv Majumdar. It discusses the basics of threat hunting, including that it is a proactive and iterative process to detect threats that evade existing security solutions. It provides a threat hunting recipe and describes important data sources and skills needed like host analysis, network analysis, and threat intelligence. It also walks through an attack scenario and things to look for at different stages of an attack lifecycle. Finally, it concludes with the growing demand for threat hunters and recommendations on how to get started with threat hunting.
42 - Malware - Understand the Threat and How to RespondThomas Roccia
Malware is becoming more and more complex. In this talk, given with Jean-Pierre Lesueur at School 42, we explained the business model behind malware and provided an understanding of the malware threat.
This document discusses the cyber attack lifecycle and strategies for advanced adversaries. It describes the typical stages an adversary goes through, including reconnaissance, delivery, exploitation, installation, command and control, and actions on objectives. The adversary's goal is to accomplish their task and exfiltrate information without detection. New strategic approaches are needed to detect threats across all points, including the network edge, endpoints, mobile devices, and clouds. Security controls must innovate faster to reduce the vulnerability gap against sophisticated global attackers.
A tale story of building and maturing threat hunting programidsecconf
The document discusses building and maturing a threat hunting program. It covers the key aspects of people, process, and technology in threat hunting. For people, it discusses skillsets needed for threat hunters and establishing a threat hunting team. For process, it outlines the threat hunting life cycle and framework. For technology, it provides examples of data sources and platforms that can be used for threat hunting and analysis.
The Cyber Kill Chain is a framework that describes cyber attacks in seven phases from an attacker's perspective: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. It was developed by Lockheed Martin based on military doctrine to measure the effectiveness of defense strategies. Each phase of the kill chain can be mapped to corresponding defensive tools and actions, and understanding what phase an attack is in helps determine an appropriate response. Tracking similarities in tactics across phases can provide insights into threat actors and campaigns. The goal is to disrupt attacks as early in the kill chain as possible to improve security.
CSF18 - The Digital Threat of the Decade (Century) - Sasha KranjacNCCOMMS
The document provides an overview of ransomware, including its history, key stages, and examples. It discusses how ransomware has evolved from misleading applications and rogue antivirus software in the 2000s to modern crypto-ransomware. The five stages of crypto-ransomware are described as installation, contacting command and control servers, establishing encryption keys, encrypting files, and displaying an extortion message. Several examples of ransomware families are outlined, including Cryptowall, Zepto, KeRanger, Reveton, CryptoLocker, and WannaCry.
ION-E Defense In Depth Presentation for The Institute of Internal Auditorsmdagrossa
The document discusses the concept of defense in depth (DID) as it relates to cybersecurity. DID is defined as building mutually supporting layers of defense to reduce vulnerabilities and protect against attacks. The key aspects of DID include understanding threats, seeing the full battlefield, using defensive advantages, concentrating defenses, coordinating assets, and balancing security and legal constraints. The document advocates applying DID principles through multiple overlapping controls and frameworks, rather than relying on a single compliance standard, in order to provide comprehensive security that can withstand attacks from various threat actors.
This document discusses drive-by downloads and methods for detecting them. Drive-by downloads occur when malicious code is downloaded without a user's consent by visiting an infected website. The document outlines the injection and exploitation mechanisms used, including through iFrames, SQL injections, and exploiting browser/plugin vulnerabilities. It proposes a 4-step generalized detection approach involving analyzing JavaScript redirections, deobfuscating code, detecting memory corruption, and monitoring for exploitation behaviors. Maintaining updated software, using reputable search engines cautiously, and employing web filters are recommended security measures.
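As an added example (not code from the document or from the presentation it summarizes), the following Python script applies the first two of those four detection steps statically to a fetched page: it flags hidden iframes, detects eval()-wrapped decoders, unwraps the common unescape() and String.fromCharCode() layers, and reports the redirect target that surfaces only after decoding. The two sample pages, the TEST-NET address 203.0.113.10 and the encoded payload are constructed for the demo. Memory-corruption detection and runtime behaviour monitoring (steps three and four) need an instrumented browser and are out of scope for a static check like this.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Injection pattern: an iframe made invisible by size or CSS.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*?(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b|"
    r"display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>", re.I)
IFRAME_SRC = re.compile(r"\bsrc\s*=\s*[\"']([^\"']+)", re.I)
SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Obfuscation pattern: eval() fed directly by a decoder function.
EVAL_DECODER = re.compile(r"\beval\s*\(\s*(?:unescape|String\.fromCharCode|atob)\b")
PCT_LITERAL = re.compile(r"unescape\(\s*['\"]((?:%[0-9a-fA-F]{2})+)['\"]\s*\)")
CHARCODE_CALL = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
# Redirection pattern: a location assignment or replace() with a literal URL.
REDIRECT = re.compile(
    r"(?:window\.location|document\.location|location\.href|location\.replace)"
    r"\s*[=(]\s*[\"']([^\"']+)[\"']", re.I)


def deobfuscate(js: str, rounds: int = 5) -> str:
    """Statically unwrap unescape('%..') and String.fromCharCode(..) literals.
    Repeats because real payloads are often nested several layers deep."""
    for _ in range(rounds):
        before = js
        js = PCT_LITERAL.sub(lambda m: repr(unquote(m.group(1))), js)
        js = CHARCODE_CALL.sub(
            lambda m: repr("".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())), js)
        if js == before:
            break
    return js


@dataclass
class Verdict:
    hidden_iframes: list = field(default_factory=list)   # src of each hidden iframe
    obfuscated_scripts: int = 0                          # scripts using eval(decoder(...))
    redirect_targets: list = field(default_factory=list) # URLs found after decoding

    @property
    def suspicious(self) -> bool:
        # A hidden iframe alone is a strong signal; obfuscation counts when it hides a redirect.
        return bool(self.hidden_iframes) or (self.obfuscated_scripts > 0 and bool(self.redirect_targets))


def analyze_page(page_html: str) -> Verdict:
    v = Verdict()
    for tag in HIDDEN_IFRAME.finditer(page_html):
        src = IFRAME_SRC.search(tag.group(0))
        v.hidden_iframes.append(src.group(1) if src else "<no src>")
    for body in SCRIPT_BODY.findall(page_html):
        if EVAL_DECODER.search(body):
            v.obfuscated_scripts += 1
        decoded = deobfuscate(body)
        v.redirect_targets.extend(m.group(1) for m in REDIRECT.finditer(decoded))
    return v


# Constructed sample pages (not real sites). The injected one carries the classic
# drive-by pattern: a 0x0 iframe plus an eval(unescape(...)) redirect to an exploit page.
BENIGN_PAGE = """<html><body><h1>Quarterly report</h1>
<script>document.getElementById('x').innerText = 'hello';</script>
</body></html>"""

_PAYLOAD = 'window.location="http://203.0.113.10/exp.html"'  # constructed; TEST-NET address
_ENCODED = "".join("%%%02x" % ord(c) for c in _PAYLOAD)
INJECTED_PAGE = f"""<html><body><h1>Quarterly report</h1>
<iframe src="http://203.0.113.10/load.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>eval(unescape('{_ENCODED}'));</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, analyze_page(page))
```

The decoder is deliberately static: it never executes the script, so a page cannot fight back, but it also misses payloads assembled at runtime. Treat a hit as a reason to detonate the page in a sandbox rather than as a final verdict.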
Anton Chuvakin on Threat and Vulnerability IntelligenceAnton Chuvakin
This document discusses threat and vulnerability intelligence (TVI), which is a process to collect information on threats and vulnerabilities, analyze their relevance to an organization, and determine the appropriate corrective actions. It defines threats as malicious factors and vulnerabilities as potential weaknesses. TVI aims to fuse threat and vulnerability information together and help organizations act on it. It discusses sources of threat and vulnerability data, both locally and globally, as well as existing technologies that can be used and enhanced for TVI purposes.
How to protect your corporate from advanced attacksMicrosoft
Cybersecurity is a top priority for CSOs/CISOs, and the budget allocated to it, especially in a large organization, is growing. The complexity and sophistication of cyber threats are increasing. What are these current threats, and how can Microsoft help your organization in its efforts to eliminate cyber threats?
This document discusses addressing cyber security. It begins with defining cyber security and providing examples of cyber security cases. It then discusses cyber security strategies used by the UK and US. A risk-based approach to cyber security is recommended, using standards like ISO27001 and ISO27005. This involves identifying risks, implementing controls, and managing security incidents using a plan-do-check-act cycle. Tools like SIEM can help correlate events to assess risk and generate security alarms. While cyber security faces new challenges compared to information security, risk management principles remain important to understand threats and maintain security over time.
Dr. Fengmin Gong, Co-Founder and Chief Strategy Officer, presents why an ecosystem-based approach is necessary to defend against modern malware threats. Discussion continues with what it takes to implement cybersecurity using this approach. He also presents a number of use cases where multi-vendor products interacting in a security ecosystem provide the most effective protection for enterprises.
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...James Anderson
Are Cybersecurity threats increasing? Learn about protecting your business with a security program and understanding ransomware threats. Join us as Google's Biodun Awojobi and Wade Walters join us to discuss "Security Programs and Ransomware in the Cloud." We expect to have additional Cybersecurity events in future to cover security posture, Zero Trust, Google's Cybersecurity products & more!
#cybersecurity #ransomware #google #gdg #gdgcloudsouthlake
Future-proofing maritime ports against emerging cyber-physical threatsSteven SIM Kok Leong
First presented at Cybersecurity for Maritime Summit 2017 in Oct 2017. Subsequently presented at Temasek Polytechnic ISACA Day in Nov 2017. Audience comprises of cybersecurity professionals in the maritime sector and also cybersecurity students who are keen to learn more about cybersecurity considerations in a shipping port environment.
Incident Response Tactics with Compromise IndicatorsF _
Incident Response Tactics with Compromise Indicators - a short presentation on use of Indicators of compromise at RusCrypto 2014. The presentation covers opensource projects and standards (such as openioc) and possible practical applications.
As soluções da NetWitness capturam todos os dados que circulam na rede e os contextualizam, filtrando o que pode ser crítico ou não. O usuario pode ver quem está indo aonde e vendo o quê.
20160713 2016 the honeynet projct annual workshop focus and global trendsYi-Lang Tsai
The 2016 Honeynet Project Annual Workshop focused on global cybersecurity trends and threats. It included presentations on lessons learned from 17 years of the Honeynet Project, control systems cyberattacks including Stuxnet and attacks on Ukraine's power grid, using honeypots to study ICS/SCADA threats, and deep packet inspection in industrial control networks. The workshop provided a forum for 120 attendees to discuss behavioral analysis of unknown files, generating threat intelligence through hunting and visualization, and monitoring DDoS attacks with honeypots.
This document discusses threats to payment card data and PCI compliance. It provides an overview of the University of Alaska system and outlines steps to evaluate threat risk and maintain PCI compliance. These include identifying vulnerabilities and threats, assessing risk levels, remediating vulnerabilities, and conducting regular vulnerability assessments and penetration testing using various tools. Maintaining compliance is important to minimize the reputational risks to the university from potential data breaches.
Vulnerability is a weakness in the application or a design flaw that allows an attacker to exploit for potential harm or financial benefits. Though it is practically impossible to have vulnerability free system, one can implement tools to identify the nature of vulnerabilities and mitigate the potential risk they pose. As an institution, it is very important for business managers, administrators, and IT security personnel to pay attention to those security warnings. The talk will identify types, sources, and mitigation of external and internal threats. The talk will review Vulnerability Assessment and Penetration Testing (VAPT) tools available in the market and their benefits. Presenters will engage the audience in interactive style discussion on the available tools to detect vulnerabilities and threats and the steps needed to mitigate.
John Shaw, VP of Product management at Sophos, introduced us to the world of Project Galileo. What is Sophos doing to bring Network Security and Endpoint security together? How do we make these two pillars of IT security work together?
Indicators of Compromise were meant to solve the failures of signature-based detection tools. Yet today’s array of IOC standards, feeds and products haven’t impeded attackers, and most intel is shared in flat lists of hashes, IPs and strings. This session will explore why IOCs haven’t raised the bar, how to better utilize brittle IOCs and how to use intrinsic network data to craft better IOCs.
(Source: RSA USA 2016-San Francisco)
Presentation at LACNIC21 by Mat Ford on some Internet Society projects that are underway relating to the resilience and security of the Internet routing system.
This 5-day Certified Ethical Hacker training course teaches students how to scan, test, hack, and secure their own systems by learning the techniques used by hackers. The course covers topics like footprinting, scanning, enumeration, system hacking, viruses, sniffers, denial of service attacks, session hijacking, web server hacking, web application vulnerabilities, password cracking, SQL injection, and wireless and cryptography attacks. The goal is to help security professionals and network administrators enhance cybersecurity by thinking like an attacker in order to defend systems from real-world threats.
This document discusses various types of security assessments, including technical security testing, security process assessments, and security audits. It provides details on vulnerability assessments, network penetration testing, web application penetration testing, and source code analysis. It also discusses security process reviews and the differences between security assessments and security audits.
Ansaldo STS at CPExpo 2013: "Risks and Security Management in Logistics and ...Leonardo
Finmeccanica is Italy's largest manufacturer in the high technology sector and Ansaldo STS's largest shareholder. The document discusses cyber security strategies for railway signaling systems, distinguishing between vital systems that ensure safety and non-vital systems subject to cyber risks. It promotes a mature approach to cyber security including discovery and assessment, redesign to address gaps, and intelligence/analytics. Best practices include incident management, monitoring, and governance. Specific strategies proposed include enhancing monitoring through correlation, adding virtual patching and firewall logging, near real-time asset control, and lightweight security information and event management.
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...DefCamp
Ioan Constantin in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
This document provides a summary of techniques that internet service providers (ISPs) can use to improve their security and resistance to attacks. It discusses preparing the network operations center (NOC) team through training, tools, and procedures. Key mitigation techniques discussed include securing network devices, establishing collaboration communities, implementing remote triggered black hole filtering, and gaining total network visibility through data collection and analysis.
Similar to Hitcon 2014: Surviving in tough Russian Environment (20)
Honeycon2014: Mining IoCs from Honeypot data feedsF _
The document discusses mining indicators of compromise (IOCs) from honeypot systems. It covers IOC standards like OpenIOC and STIX, analyzing data from honeypots in Russia and Taiwan to extract IOCs like malicious domains, IP addresses and file hashes. The IOCs can help identify compromise events and emerging threats that real networks may face.
Indicators of Compromise Magic: Living with compromiseF _
This document outlines an presentation on indicators of compromise (IOCs). It discusses IOC standards like OpenIOC and STIX, how to mine and apply IOCs through case studies and practical tasks analyzing network traffic, HTTP logs, and antivirus logs. The document provides examples of IOCs like an exploit pack trace and a Nuclearsploit pack indicator.
whats wrong with modern security tools and other blurpsF _
This document discusses the limitations of modern network security tools and techniques. It provides examples of how malware authors are able to evade detection from antivirus software, network filters, and other defenses by using techniques like domain generation algorithms, encoding payloads in images and documents, and compromising legitimate websites and infrastructure to host and distribute attacks. The document argues that security vendors struggle to keep up with the constantly evolving tactics of cybercriminals, and that non-targeted social engineering attacks remain an effective way to compromise users.
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksF _
This document analyzes advanced persistent threat (APT) attacks targeting Taiwan, focusing on the "Lstudio" group. It describes the group's infrastructure including command and control servers, use of botnets to control thousands of compromised machines internationally, and development of custom tools. The summary highlights key points about the group's operations since 2007, use of multiple software versions and back-ends, and targeting of both government and private sector victims primarily in Taiwan but also worldwide.
This document discusses various techniques used in cyber attacks, including exploiting vulnerabilities in software like Adobe Reader and Microsoft Office, using email as an attack vector, and social engineering techniques like password-protected archives. Specific examples are given of attacks resembling advanced persistent threats (APTs), including a targeted email with an exploit-carrying document and customized payload behavior. Detection and prevention methods are also covered, such as analyzing suspicious user agents and traffic patterns.
This document discusses detecting malicious network infrastructure through analyzing DNS traffic patterns. Specific techniques discussed include analyzing DNS query patterns for domain generation algorithm (DGA) domains to identify botnets. The document outlines a system built to perform passive DNS analysis to cluster similarly behaving domains and map command and control (C&C) infrastructure through techniques like WHOIS lookups and identifying domains with shared IP addresses or autonomous system numbers. Examples are provided of analyzing DNS query data step-by-step to identify known botnets like Carberp and Palevo. Automated detection and mapping of C&C infrastructure is discussed as well as potential uses of the collected data like generating blacklists or taking over botnets.
The document outlines tools and methods used to study the Russian underground economy. It discusses how data is collected from public forums and compromised systems. Automated and manual analysis is used to understand terminology and trends. Open source tools like Nutch and SOLR are customized for processing slang and context. The document then describes various online criminal activities like malware distribution, credit card theft, money laundering through money mules and currency exchanges. Metrics on traffic generation and DDoS costs are provided. Emerging areas like mobile malware and SEO spam are also covered. The document concludes by noting how cybercrime has become a global online economy rather than isolated incidents.
This document provides a summary of a presentation on cybercrime trends in 2012. It discusses emerging attack vectors like database breaches and email campaigns. Case studies are presented on malicious campaigns targeting Russian websites like kp.ru and rzd.ru in late 2011. Evolving evasion techniques used by cybercriminals like exploiting stolen DNS accounts and domains with similar names are examined. Mobile malware scams are also covered. The document concludes by emphasizing the need for automating real-time detection to keep up with cybercriminal techniques.
The document outlines an agenda for a seminar on enhancing AML/CTF tools and techniques to address electronic payment systems increasingly used for criminal activities. The seminar will examine case studies of real "red flag" activities involving electronic payment channels and patterns, and discuss regulatory requirements and best practices for monitoring these payment vehicles and strengthening AML programs. Speakers will also provide examples of underground money transfer systems like WebMoney that are abused for fraudulent services.
The document discusses unlawful internet activities like malware, cybercrime and digital piracy. It describes different types of actors involved, from "kiddies" to organized cybercriminal groups. It analyzes advanced persistent threats and case studies of infrastructure compromises. Examples are given of traffic monetization, ad abuse like malvertisements, extortion scams, and illicit online goods and services. The presentation aims to provide insights into these criminal underground economies and how they operate.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
UiPath Test Automation using UiPath Test Suite series, part 6
Hitcon 2014: Surviving in tough Russian Environment
1. Agenda: Prerequisites and Experience, Know your history, Incidents: detection, prevention, Tools and Execution, Incident Response
Living with compromise: Enterprise Network Survival in tough Russian Environment
Vladimir Kropotov, Vitaly Chetvertakov, Fyodor Yarochkin
HITCON 2014
Affiliations: Academia Sinica, o0o.nu, chroot.org
Aug 20, 2014, Taipei
2. Outline
Agenda
Prerequisites and Experience
Know your history
Incidents: detection, prevention
Tools and Execution
Incident Response
Questions
3. Agenda
Prerequisites and past experience: share practical experience in enterprise defense that led to particular conclusions
Tools and implementation: demonstrate tools and techniques that improve detection and aid the incident handling lifecycle
4. You are or will be compromised
If you are under attack, your AV, firewalls, IDS, etc. are in THE ATTACKER'S THREAT MODEL. The option you have: read between the lines. When you are compromised, what is the action plan? Are you able to:
Detect
Properly:
Categorise
Mitigate
Investigate
. . .
5. Threat Landscape
Assumption: big networks that are not isolated are (almost) always somehow compromised. During the last year about 30% of monitored hosts were attacked by cybercriminals at least once. For a basic setup (host AV, proxy with AV, firewalls, IPS, etc.) the attack success rate is 3-15%. If you have a 10k host network in Russia, about 3k hosts will be attacked and 90-450 will be compromised on average. Approximate this situation to 40M hosts. . .
What to do?
6. Threat Identification
Identify threats within the detection capabilities of your organisation.
There will always be threats your org can't detect or handle. You have to accept the risk (or allocate additional resources to mitigate it).
7. Examples of an Org. Strength:
You have a good monitoring team; otherwise you can ONLY rely on your security vendors' opinion and support in handling security incidents. BAD!
Defense in Depth: have multiple independent layers of protection, monitoring or mitigation.
Examples: sinkholes redirect botnet traffic to internal sinkholes; a proxy blacklist prevents access to botnet resources; and so on. This also decreases the risk of your organization being listed in public blacklists, such as Spamhaus or Shadowserver lists (SPB, RSBL).
8. Examples of possible org Limitations:
No security team, IT operations outsourced :)
HUGE distributed, non-centralized environment. No uniform defense mechanisms.
Limited ability to control and monitor IT and SECURITY events
No recording of forensic evidence
Distributed, uncommunicating IT support teams
9. Identify your Attack Surface
browser? mail? VPN? removable devices? publicly accessible asset? Untrusted vendor?
10. Attacker information gathering
Targeted attackers want your data.
They have time.
Not every JavaScript serves an exploit. Some are just recording information on your environment.
11. Attacker exploitation
vulns vs kits (based on Mila/contagiodump repo data):
12. Know your history
Incident history data mining.
Case studies of incidents and incident response
13. An Incident Lifecycle
Stages in the life of an incident:
Incident (almost) happens
Incident Detected
Additional Information Collected
Short-Term Impact Minimization
Incident Categorized
Long-Term Mitigation plan (typical/ not typical)
Mitigation plan implementation
QOS (Mitigation assurance): CHECK!
Indicators of Compromise (IOCs) preservation
Check for presence of IOCs in other parts of the monitored environment
Store incident data, update the knowledge base, collect useful stats to speed up future incident handling.
14. Be sure that measures are effective.
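The sinkhole and proxy-blacklist layers from slide 7, the "check for presence of IOCs in other parts of the monitored environment" step from slide 13 and the effectiveness check on slide 14 can be combined in one small correlation script. The following is an added example, not code from the talk: the IOC values, the internal sinkhole address and the DNS and proxy log lines are constructed, and the log formats are assumed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# IOCs preserved from a closed incident (constructed placeholders, not
# indicators from the talk). Domains use the reserved .invalid TLD and the
# IP is from the RFC 5737 documentation range.
IOC_DOMAINS = {"cnc-example.invalid", "update-check.invalid"}
IOC_IPS = {"198.51.100.23"}
SINKHOLE_IP = "10.255.255.1"  # assumed address of the internal DNS sinkhole

# Constructed DNS resolver log: "<timestamp> <client> <qname> <answer>"
DNS_LOG = """\
2014-08-20T09:01:02 10.1.4.17 cnc-example.invalid 10.255.255.1
2014-08-20T09:01:05 10.1.4.17 www.example.com 93.184.216.34
2014-08-20T09:02:11 10.1.9.8 update-check.invalid 10.255.255.1
2014-08-20T09:03:40 10.2.0.5 mail.example.com 192.0.2.10
"""

# Constructed proxy log (squid-like): "<timestamp> <client> <status> <method> <url>"
PROXY_LOG = """\
2014-08-20T09:01:03 10.1.4.17 TCP_DENIED/403 GET http://cnc-example.invalid/gate.php
2014-08-20T09:04:12 10.3.7.2 TCP_MISS/200 GET http://198.51.100.23/stat.php
2014-08-20T09:04:15 10.3.7.2 TCP_MISS/200 GET http://www.example.com/
"""

# Layers in which the IOC was reached and the control did not stop it
FAILED_LAYERS = {"dns_resolved", "proxy_allowed"}


@dataclass(frozen=True)
class Hit:
    host: str        # internal client that touched the indicator
    layer: str       # which defensive layer saw it, and whether it blocked
    indicator: str   # the IOC that matched
    ts: str


def host_of_url(url):
    """Return the host part of an http(s) URL, or '' if it does not parse."""
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1) if m else ""


def scan_dns(log):
    """Match DNS queries against IOC domains; a sinkholed answer means blocked."""
    hits = []
    for line in log.splitlines():
        ts, client, qname, answer = line.split()
        if qname in IOC_DOMAINS:
            layer = "dns_sinkhole" if answer == SINKHOLE_IP else "dns_resolved"
            hits.append(Hit(client, layer, qname, ts))
    return hits


def scan_proxy(log):
    """Match proxy requests against IOC domains and IPs; TCP_DENIED means blocked."""
    hits = []
    for line in log.splitlines():
        ts, client, status, _method, url = line.split()
        target = host_of_url(url)
        if target in IOC_DOMAINS or target in IOC_IPS:
            layer = "proxy_blacklist" if status.startswith("TCP_DENIED") else "proxy_allowed"
            hits.append(Hit(client, layer, target, ts))
    return hits


def correlate(dns_log, proxy_log):
    """Group every IOC hit by internal host and by the layer that saw it.

    The keys are the hosts to put on the investigation queue; the values show
    which independent layer caught each one (slide 7's defense in depth).
    """
    by_host = defaultdict(lambda: defaultdict(list))
    for hit in scan_dns(dns_log) + scan_proxy(proxy_log):
        by_host[hit.host][hit.layer].append(hit.indicator)
    return {host: dict(layers) for host, layers in by_host.items()}


def control_gaps(dns_log, proxy_log):
    """Hits that reached an IOC without being blocked: the mitigation did not hold."""
    return [h for h in scan_dns(dns_log) + scan_proxy(proxy_log)
            if h.layer in FAILED_LAYERS]


if __name__ == "__main__":
    for host, layers in sorted(correlate(DNS_LOG, PROXY_LOG).items()):
        print(host, layers)
    for gap in control_gaps(DNS_LOG, PROXY_LOG):
        print("GAP:", gap)
```

A host that shows up in correlate() but was not part of the original incident is a new lead; a non-empty control_gaps() result (here the proxy let a request to the IOC IP through) is the kind of finding the mitigation assurance check is meant to surface.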
15. Agenda Prerequizites and Experience Know your history Incidents: detection, prevention Tools and Execution Incident Response
Incidents
Characteristics of incidents
How to enhance security measures
How to prevent further recurrence
16. Classification of Incidents
Examples:
Malicious code
Malicious code, with consequential network activity
Anomalous activity
Out of the scope of Enterprise Network Activity
Untrusted executable
Direct reputation risk
Indirect reputation risk
Targeted Attack (APT)
17. Incidents vs Systems (1)
Usability of various components: common belief (each row scores the components out of 10 in total)
incidents/systems firewalls AV web traf IPS DNS Profiling
Malicious code 10
Malicious code, with .. 1 7 2
Anomalous activity 5 5
Out of the scope .. 5 5
Untrusted executable 7 3
Direct reputation risk
Indirect reputation risk
Targeted Attack (APT) 8 2
18. Incidents vs Systems (2)
Usability of various components: reality (each row scores the components out of 10 in total)
incidents/systems firewalls AV web traf IPS DNS Profiling
Malicious code 4 6
Malicious code, with .. 1 2 4 1 2
Anomalous activity 2 3 2 4
Out of the scope .. 2 5 3
Untrusted executables 1 8 1
Direct reputation risk 10
Indirect reputation risk 10
Targeted Attack (APT) 8 2
19. Examples: Web Traffic Analysis
Proxy and passive HTTP traffic analysis
Sources:
proxy logs
passive web traffic monitoring (including HTTPS)
20. Example
url ip mime type size code
cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html 93.189.46.222 text/html 118162 200
cuba.eanuncios.net/2909620968/1/1399422480.htm 93.189.46.222 text/html 37432 200
cuba.eanuncios.net/2909620968/1/1399422480.jar 93.189.46.222 application/java-archive 18451 200
cuba.eanuncios.net/2909620968/1/1399422480.jar 93.189.46.222 application/java-archive 18451 200
cuba.eanuncios.net/f/1/1399422480/2909620968/2 93.189.46.222 application/octet-stream 115020 200
cuba.eanuncios.net/f/1/1399422480/2909620968/2/2 93.189.46.222 - 327 200
What just happened?
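What the proxy log above shows is a drive-by chain: an HTML landing page, a Java archive, then a binary blob from the same host. The following script is an added example for this deck (not the speaker's tooling) that flags that landing -> jar -> blob ordering per host in proxy records. The sample records are the slide's own six lines re-typed as constructed input; the stage-to-MIME mapping and the "status 200 only" rule are assumptions.

```python
"""Spot an exploit-kit style delivery chain in proxy logs.

Added example for this deck (not the speaker's tooling). The records below
are the slide's own log lines, re-typed as constructed sample input:
(url, server ip, mime type, size, http status).
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample input: the six requests shown on the slide.
SAMPLE_LOG = [
    ("cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html", "93.189.46.222", "text/html", 118162, 200),
    ("cuba.eanuncios.net/2909620968/1/1399422480.htm", "93.189.46.222", "text/html", 37432, 200),
    ("cuba.eanuncios.net/2909620968/1/1399422480.jar", "93.189.46.222", "application/java-archive", 18451, 200),
    ("cuba.eanuncios.net/2909620968/1/1399422480.jar", "93.189.46.222", "application/java-archive", 18451, 200),
    ("cuba.eanuncios.net/f/1/1399422480/2909620968/2", "93.189.46.222", "application/octet-stream", 115020, 200),
    ("cuba.eanuncios.net/f/1/1399422480/2909620968/2/2", "93.189.46.222", "-", 327, 200),
]

# Which stage of a drive-by chain a response type usually belongs to (assumption).
STAGE_OF_MIME = {
    "text/html": "landing",                 # landing page / redirector
    "application/java-archive": "exploit",  # Java applet carrying the exploit
    "application/octet-stream": "payload",  # binary dropped after exploitation
    "-": "payload",                         # proxy could not classify: treat like a blob
}

def host_of(url):
    """Proxy logs omit the scheme; add one so urlsplit finds the host."""
    return urlsplit("http://" + url).netloc.lower()

def find_chains(records):
    """Return {host: {landing, exploit, payload}} for hosts that served a
    landing page, then a Java archive, then a binary blob, in that order.
    Duplicate fetches (the .jar appears twice on the slide) are harmless:
    only the first request of each stage is recorded."""
    per_host = defaultdict(list)
    for url, ip, mime, size, status in records:
        if status != 200:          # failed fetches do not advance the chain
            continue
        per_host[host_of(url)].append((STAGE_OF_MIME.get(mime, "other"), url, ip, size))

    chains = {}
    for host, requests in per_host.items():
        pending = ["landing", "exploit", "payload"]   # required order
        seen = {}
        for stage, url, ip, size in requests:
            if pending and stage == pending[0]:
                seen[stage] = {"url": url, "ip": ip, "size": size}
                pending.pop(0)
        if not pending:            # all three stages observed in order
            chains[host] = seen
    return chains

def describe(chains):
    """One line per flagged host, suitable for a ticket or a chat alert."""
    return [
        "%s (%s): landing %s -> exploit %s -> payload %d bytes"
        % (host, c["landing"]["ip"], c["landing"]["url"], c["exploit"]["url"], c["payload"]["size"])
        for host, c in sorted(chains.items())
    ]

if __name__ == "__main__":
    for line in describe(find_chains(SAMPLE_LOG)):
        print(line)
```

Run over the slide's records it reports one host, with the 115020-byte octet-stream as the payload; the small trailing "-" fetch is ignored because the chain is already complete. On real proxy data, add a time window per host and feed the flagged landing URL and payload hash into your IOC store.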
21. Examples: DNS
Passive DNS traffic acquisition and analysis
a couple of examples (last week)
domain ip owner
rtvwerjyuver.com 69.164.203.105 linode
tvrstrynyvwstrtve.com 109.74.196.143 linode
cu3007133.wfaxyqykxh.ru . . .
What does your DNS traffic look like?
22. DNS viz01
23. DNS viz02
25. Covert channel communication
8/13/2014 5:49:04 PM - x.x.x.x - 5141017.mtdtzwdhc.mdgtmtmmd
8/13/2014 5:49:04 PM - x.x.x.x - 5141017.mtdtzwdhc.mdgtmtmmd
Time : Today 13:19:25
Description : REP. bilscz Detected at Today 13:19:25
Interface Name : bond1.382
Interface Direction : outbound
26. Sinkhole in DNS
Credit: domaintools.com
27. Sinkhole in DNS
Credit: domaintools.com
28. DNS
Suspicious activity: DNS lookups:
kojxlvfkpl.biz:149.93.207.203
kojxlvfkpl.biz:216.66.15.109
kojxlvfkpl.biz:38.102.150.27
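The DNS slides above show three shapes worth a first-pass triage on passive DNS: random-looking registered names (rtvwerjyuver.com and friends), a stream of look-alike hostnames under one parent (the 5141017.mtdtzwdhc.mdgtmtmmd lookups, a covert-channel signature), and one name whose answers land in three unrelated networks (kojxlvfkpl.biz). The script below is an added example, not the speaker's tooling, that scores all three; the thresholds, the /8 network grouping, and the constructed benign names mixed in with the deck's domains are assumptions to tune on your own data.

```python
"""Passive DNS triage for the three patterns on the preceding slides:
random-looking domain names, a long run of look-alike subdomain labels
(possible covert channel), and one name resolving into unrelated networks.
Added example, not the speaker's tooling; thresholds are chosen for the
slide's samples and are assumptions to tune on your own data."""
import math
from collections import defaultdict

VOWELS = set("aeiou")

def shannon_entropy(text):
    """Bits per character; generated labels tend to sit high."""
    if not text:
        return 0.0
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def longest_consonant_run(label):
    best = run = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def registrable_label(fqdn):
    """Label left of the TLD. Assumption: no public-suffix list, so
    'example.co.uk' would be scored on 'co' (acceptable for a demo)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(fqdn):
    """Lexical test: pronounceable names have vowels and short consonant runs."""
    label = registrable_label(fqdn)
    if len(label) < 8:
        return False
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    return vowel_ratio < 0.3 or longest_consonant_run(label) >= 5

def scan_domains(domains):
    return [d for d in domains if looks_generated(d)]

def spread_resolutions(records, min_networks=3):
    """records: (domain, ip). Flag domains whose answers fall into
    >= min_networks distinct /8 blocks (crude network grouping, an assumption)."""
    nets = defaultdict(set)
    for domain, ip in records:
        nets[domain.lower()].add(ip.split(".")[0])
    return {d: sorted(n) for d, n in nets.items() if len(n) >= min_networks}

def subdomain_fanout(fqdns, min_labels=3):
    """Many distinct high-entropy hostnames under one parent is the shape of
    DNS-carried data; return parents with >= min_labels such children."""
    children = defaultdict(set)
    for name in fqdns:
        parts = name.lower().split(".")
        if len(parts) >= 3 and shannon_entropy(parts[0]) > 2.0:
            children[".".join(parts[1:])].add(parts[0])
    return {p: len(c) for p, c in children.items() if len(c) >= min_labels}

# Constructed samples: the deck's domains plus a few ordinary names.
SAMPLE_DOMAINS = [
    "rtvwerjyuver.com", "tvrstrynyvwstrtve.com", "cu3007133.wfaxyqykxh.ru",
    "5141017.mtdtzwdhc.mdgtmtmmd", "www.slideshare.net", "mail.example.com", "microsoft.com",
]
SAMPLE_RESOLUTIONS = [
    ("kojxlvfkpl.biz", "149.93.207.203"), ("kojxlvfkpl.biz", "216.66.15.109"),
    ("kojxlvfkpl.biz", "38.102.150.27"),
    ("www.example.com", "192.0.2.10"), ("www.example.com", "192.0.2.11"),  # RFC 5737 range
]
SAMPLE_LOOKUPS = [  # constructed variants of the slide's covert-channel lookup
    "5141017.mtdtzwdhc.mdgtmtmmd", "5141018.mtdtzwdhc.mdgtmtmmd", "5141019.mtdtzwdhc.mdgtmtmmd",
    "www.example.com", "www.example.com",
]

if __name__ == "__main__":
    print("generated-looking:", scan_domains(SAMPLE_DOMAINS))
    print("spread across networks:", spread_resolutions(SAMPLE_RESOLUTIONS))
    print("subdomain fan-out:", subdomain_fanout(SAMPLE_LOOKUPS))
```

The lexical test alone will produce false positives on legitimate CDN and tracking hosts, which is why the slides pair it with resolution history and sinkhole data; treat each function's output as a candidate list to enrich with passive DNS and ownership, not as an alert on its own.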
29. Look for holes :)
30. Hole traffic
31. Usability of sandboxes
Sandboxes can be helpful for analyzing malicious content.
However, they are often not very practical. A few examples (delivered via SMTP):
1.zip
FW supplier data form.msg
How to Get Thin Quick.msg
Losing a size within a fortnight It’s easy.msg
20141308.msg
32. Problems with Sandboxing
Known tricks:
matching environment
code behaves differently depending on environment, time, user interaction, time zone, ...
performance (timeouts, ...)
Use interaction
33. Stages of incident detection
Before Incident (Security Awareness, Pentests, etc.)
Access attempt
Access obtained
Privilege escalation
Execution of attack goal
Post-incident IR (too late)
Incidents vs. stages of detection ≈ how the monitoring team operates within the
current limitations of the environment.
34. Incidents vs Stages of detection (1)
Common belief (each row scores the stages out of 10 in total)
incidents/stages before attempt obtained escl impl late
Malicious code 5 5
Malicious code, with .. 5 5
Anomalous activity 8 2
Out of the scope ..
Untrusted executables 1 9
Direct reputation risk 10
Indirect reputation risk 10
Targeted Attack (APT) 8 2
35. Incidents vs Stages of detection (2)
Reality (each row scores the stages out of 10 in total)
incidents/stages before attempt obtained escl impl late
Malicious code 1 2 2 2 3
Malicious code, with .. 1 2 2 3 2
Anomalous activity 1 3 2 2 2
Out of the scope .. 2 8
Untrusted executables 2 3 3 2
Direct reputation risk 2 2 3 3
Indirect reputation risk 2 2 3 3
Targeted Attack (APT) 1 1 1 2 5
36. Attack delivery method (each row scores the delivery methods out of 10 in total)
incidents/delivery web email ext.storage share services other
Malicious code 5 2 2 1
Malicious code, with .. 5 2 2 1
Anomalous activity 1 3 2 1 1 2
Out of the scope .. 3 3 2 2
Untrusted executables 4 3 1 2
Direct reputation risk 3 2 3 2
Indirect reputation risk 3 2 1 2 2
Targeted Attack (APT) 2 3 1 2 2
37. How can you improve your security posture?
Cross-correlate your historical data, including data from the following sources:
Incidents
Detection systems (IPS/IDS/AV/FW/...): map each type of incident to the component
that detects it.
Stages of detection, and incidents
Delivery method: which network detection components detect which
delivery methods.
Use community contributions :)
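The three "out of 10" matrices on the preceding slides (incident type against detecting component, detection stage, and delivery method) are exactly what the cross-correlation step produces from an incident history. The script below is an added example, not the speaker's tooling: it builds those matrices from a list of incident records and then asks the two questions the slides lead to, which incident types are mostly caught too late, and which components never detected anything. The incident records are constructed; only the category names come from the deck.

```python
"""Cross-correlate incident history into the slides' three matrices and
derive coverage gaps from them. Added example; the incident records are
constructed, not the talk's data, while the row and column names follow the slides."""
from collections import Counter, defaultdict

COMPONENTS = ["firewall", "av", "web", "ips", "dns", "profiling"]
STAGES = ["before", "attempt", "obtained", "escalation", "implementation", "late"]
DELIVERY = ["web", "email", "ext.storage", "share", "services", "other"]

# Constructed incident records: (type, detected_by, stage, delivery)
INCIDENTS = [
    ("Malicious code", "av", "obtained", "email"),
    ("Malicious code", "web", "attempt", "web"),
    ("Malicious code", "av", "late", "ext.storage"),
    ("Malicious code", "web", "attempt", "web"),
    ("Targeted Attack (APT)", "profiling", "late", "email"),
    ("Targeted Attack (APT)", "dns", "implementation", "email"),
    ("Targeted Attack (APT)", "profiling", "late", "web"),
    ("Direct reputation risk", "dns", "late", "services"),
    ("Untrusted executable", "av", "obtained", "ext.storage"),
    ("Untrusted executable", "av", "escalation", "share"),
]

def crosstab(records, key_index, columns, scale=10):
    """Per incident type, distribute `scale` points across `columns` in
    proportion to how often each value appears: the slides' rows out of 10."""
    counts = defaultdict(Counter)
    for rec in records:
        counts[rec[0]][rec[key_index]] += 1
    table = {}
    for itype, c in counts.items():
        total = sum(c.values())
        table[itype] = {col: round(scale * c[col] / total, 1) for col in columns}
    return table

def detection_gaps(records, late_stages=("late",), threshold=0.5):
    """Incident types where at least `threshold` of the cases were only
    found post-incident: the rows that need new detection, not more tuning."""
    stage_tab = crosstab(records, 2, STAGES)
    gaps = {}
    for itype, row in stage_tab.items():
        late_share = sum(row[s] for s in late_stages) / 10
        if late_share >= threshold:
            gaps[itype] = late_share
    return gaps

def uncovered_components(records):
    """Components that detected nothing in the history: candidates for
    re-tuning, re-positioning, or dropping from the budget."""
    seen = {rec[1] for rec in records}
    return [c for c in COMPONENTS if c not in seen]

def render(table, columns):
    """Plain-text matrix in the layout of the slides (rows sum to 10)."""
    width = max(len(t) for t in table) + 2
    lines = ["incident".ljust(width) + " ".join(c.rjust(8) for c in columns)]
    for itype, row in sorted(table.items()):
        lines.append(itype.ljust(width) + " ".join(("%.1f" % row[c]).rjust(8) for c in columns))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(crosstab(INCIDENTS, 1, COMPONENTS), COMPONENTS))
    print(render(crosstab(INCIDENTS, 2, STAGES), STAGES))
    print(render(crosstab(INCIDENTS, 3, DELIVERY), DELIVERY))
    print("caught too late:", detection_gaps(INCIDENTS))
    print("silent components:", uncovered_components(INCIDENTS))
```

The same records feed all three matrices, which is the point of keeping a structured incident history: once type, detecting component, stage and delivery vector are recorded per incident, the "common belief" tables can be replaced by measured ones and re-checked after every change to the monitoring setup.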
38. Specific incident attributes
Availability first
Conflict of interest: flag it
Restrictions on information sharing limit the quality of team collaboration
Manual routing of information sharing for special cases
39. Incident categorization
Categorisation based on Vendor knowledge
Categorisation based on public sources
Categorisation based on internal intel.
Categorisation based on limited IOCs sharing to the focused groups
Attribution
40. Tools and Execution
There are a number of tools we can share. Some are developed by us; others
are just very good open source projects.
http://github.com/fygrave/ndf
http://github.com/fygrave/hntp
fiddler
elasticsearch && http://github.com/aol/moloch (vm)
yara (as moloch plugin)
hpfeeds
CIF
Indicators of Compromise are one of the essential information media here for
representing facts about incident(s).
41. Mining public knowledge
There is a lot of public knowledge you could mine. CIF is a fantastic tool for
that: https://github.com/collectiveintel/cif-v1
42. CIF: example
grabbing shadowserver data:
43. CIF: example
44. IOC representations
Multiple standards have been created to facilitate IOC exchange:
Mandiant: OpenIOC
Mitre: STIX (Structured Threat Information Expression), CybOX (Cyber Observable Expression)
Mitre: CAPEC, TAXII
IODEF (Incident Object Description Format)
45. Standards: OpenIOC
OpenIOC: a Mandiant-backed (now FireEye) effort for a uniform representation of IOCs.
http://www.openioc.org/
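To make the "uniform representation" concrete, here is an added example (not from the talk and not Mandiant's code) that writes the DNS and web-traffic indicators from the earlier slides into a minimal OpenIOC 1.0 document and then evaluates that document against observed events. The element layout (ioc, definition, Indicator with an operator, IndicatorItem with Context and Content) follows OpenIOC 1.0; the specific Context search terms, the author name and the timestamp are assumptions, and the observation format fed to the matcher is a constructed dict keyed by search term.

```python
"""Minimal OpenIOC 1.0 round trip: build an IOC document for the indicators
shown earlier in this deck, then evaluate it against observed events.
Added example, not from the talk or from Mandiant. The element layout follows
OpenIOC 1.0 (ioc > definition > Indicator > IndicatorItem with Context and
Content); the Context 'search' terms, author and timestamp are assumptions."""
import uuid
import xml.etree.ElementTree as ET

NS = "http://schemas.mandiant.com/2010/ioc"
ET.register_namespace("", NS)   # emit the OpenIOC namespace as the default xmlns

def q(tag):
    """Namespace-qualified tag name."""
    return "{%s}%s" % (NS, tag)

# Indicators taken from earlier slides of this deck (DNS and web-traffic examples).
DECK_INDICATORS = [
    ("Network", "Network/DNS", "kojxlvfkpl.biz"),
    ("Network", "Network/DNS", "cuba.eanuncios.net"),
    ("PortItem", "PortItem/remoteIP", "149.93.207.203"),
    ("PortItem", "PortItem/remoteIP", "216.66.15.109"),
    ("PortItem", "PortItem/remoteIP", "38.102.150.27"),
    ("PortItem", "PortItem/remoteIP", "93.189.46.222"),
]

def build_ioc(short_desc, items, operator="OR"):
    """items: list of (document, search, value). Returns the XML as a string."""
    ioc = ET.Element(q("ioc"), {"id": str(uuid.uuid4()), "last-modified": "2014-08-13T00:00:00"})
    ET.SubElement(ioc, q("short_description")).text = short_desc
    ET.SubElement(ioc, q("authored_by")).text = "example-soc"   # placeholder author
    definition = ET.SubElement(ioc, q("definition"))
    top = ET.SubElement(definition, q("Indicator"), {"operator": operator, "id": str(uuid.uuid4())})
    for document, search, value in items:
        item = ET.SubElement(top, q("IndicatorItem"), {"id": str(uuid.uuid4()), "condition": "is"})
        ET.SubElement(item, q("Context"), {"document": document, "search": search, "type": "mir"})
        ET.SubElement(item, q("Content"), {"type": "string"}).text = value
    return ET.tostring(ioc, encoding="unicode")

def _eval_item(item, event):
    """An IndicatorItem matches when the event has a value for its search
    term and that value satisfies the condition (only 'is' and 'contains' here)."""
    search = item.find(q("Context")).get("search")
    value = item.find(q("Content")).text or ""
    observed = event.get(search)
    if observed is None:
        return False
    cond = item.get("condition", "is")
    if cond == "is":
        return observed.lower() == value.lower()
    if cond == "contains":
        return value.lower() in observed.lower()
    return False

def _eval_indicator(node, event):
    """Indicator nodes combine their children with AND or OR; they may nest."""
    results = []
    for child in node:
        if child.tag == q("IndicatorItem"):
            results.append(_eval_item(child, event))
        elif child.tag == q("Indicator"):
            results.append(_eval_indicator(child, event))
    if not results:
        return False
    return all(results) if node.get("operator", "OR").upper() == "AND" else any(results)

def match(ioc_xml, event):
    """event: {search_term: observed_value}, e.g. {'Network/DNS': 'kojxlvfkpl.biz'}."""
    root = ET.fromstring(ioc_xml)
    return _eval_indicator(root.find(q("definition")).find(q("Indicator")), event)

if __name__ == "__main__":
    doc = build_ioc("Indicators from the deck's DNS and web-traffic slides", DECK_INDICATORS)
    print(doc)
    print(match(doc, {"Network/DNS": "kojxlvfkpl.biz"}), match(doc, {"Network/DNS": "example.com"}))
```

The value of the format is in the operator tree: one document can say "this domain AND one of these IPs" rather than a flat blocklist, and the same file can be handed to Moloch's tagger, a Yara rule generator or a partner team without re-typing the indicators.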
46. RAW Data Preservation
47. Moloch as detection tool
48. Tools for Dynamic Detection
Moloch
Moloch supports Yara (IOCs can be directly applied)
Moloch allows you to develop your own plugins
Moloch has awesome tagger plugin:
# tagger.so
# provides ability to import text files with IP and/or hostn
# into a sensor that would cause autotagging of all matching
plugins=tagger.so
taggerIpFiles=blacklist,tag,tag,tag...
taggerDomainFiles=domainbasedblacklists,tag,tag,tag
49. Extending Moloch
Moloch is easily extendable with your own plugins.
https://github.com/fygrave/moloch_zmq makes it easy to integrate other things
with Moloch via a ZMQ queue (pub/sub or push/pull model).
50. Moloch ZMQ example
CEP-based analysis of network traffic (using Esper):
https://github.com/fygrave/clj-esptool/
51. Fake targets
Honeypots are very useful when dealing with unknown threats, or with environments
that have limited monitoring capabilities (VPN, BYOD, ...).
52. Honeypot data sharing
HPFeeds can be used to share honeypot data feeds in a controlled manner via
your own broker.
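"Controlled manner" here rests on the broker authenticating every sensor before it may publish or subscribe. The block below is an added example (not the hpfeeds project's code) that implements the hpfeeds wire framing as I understand the reference protocol: 4-byte big-endian length plus 1-byte opcode per frame, 1-byte length-prefixed strings, and a SHA-1 challenge-response in which the broker sends a nonce and the client answers with sha1(nonce + secret), so the secret itself never crosses the wire. The broker name, sensor identity, secret and channel are constructed placeholders, and the exchange runs in-process rather than over a socket.

```python
"""hpfeeds wire framing and the broker/client authentication exchange.

Added example (not the hpfeeds project's code). It follows the reference
protocol as I understand it: every frame is a 4-byte big-endian length
(header included) plus a 1-byte opcode; strings are 1-byte length-prefixed;
the broker sends INFO(name, nonce) and the client answers AUTH(ident,
sha1(nonce + secret)). Identities, secrets and channel names are placeholders."""
import hashlib
import hmac
import os
import struct

OP_ERROR, OP_INFO, OP_AUTH, OP_PUBLISH, OP_SUBSCRIBE = range(5)

def _str8(data):
    """1-byte length prefix, so these strings are limited to 255 bytes."""
    if len(data) > 255:
        raise ValueError("string too long for 8-bit length prefix")
    return struct.pack("!B", len(data)) + data

def _take_str8(buf):
    n = buf[0]
    return buf[1:1 + n], buf[1 + n:]

def pack(op, payload):
    return struct.pack("!iB", 5 + len(payload), op) + payload

def unpack(frame):
    """Return (opcode, payload); reject truncated or oversized frames."""
    if len(frame) < 5:
        raise ValueError("short frame")
    length, op = struct.unpack("!iB", frame[:5])
    if length != len(frame):
        raise ValueError("length field %d does not match %d bytes" % (length, len(frame)))
    return op, frame[5:]

# --- broker side -----------------------------------------------------------
def broker_info(name, nonce):
    return pack(OP_INFO, _str8(name) + nonce)

def broker_verify_auth(payload, nonce, secrets):
    """Return the authenticated ident, or None. `secrets` maps ident -> secret
    and lives only on the broker; compare_digest avoids a timing side channel."""
    ident, digest = _take_str8(payload)
    secret = secrets.get(ident)
    if secret is None:
        return None
    expected = hashlib.sha1(nonce + secret).digest()
    return ident if hmac.compare_digest(expected, digest) else None

def broker_parse_publish(payload):
    ident, rest = _take_str8(payload)
    chan, data = _take_str8(rest)
    return ident, chan, data

# --- client (sensor) side --------------------------------------------------
def client_parse_info(payload):
    name, nonce = _take_str8(payload)
    return name, nonce

def client_auth(ident, secret, nonce):
    return pack(OP_AUTH, _str8(ident) + hashlib.sha1(nonce + secret).digest())

def client_publish(ident, chan, data):
    return pack(OP_PUBLISH, _str8(ident) + _str8(chan) + data)

def exchange(secrets, ident, secret, chan, data, nonce=None):
    """Run the whole handshake in-process and return what the broker would
    relay to subscribers of `chan`, or None if authentication failed."""
    nonce = nonce or os.urandom(4)
    op, payload = unpack(broker_info(b"example-broker", nonce))
    if op != OP_INFO:
        return None
    _, seen_nonce = client_parse_info(payload)
    op, payload = unpack(client_auth(ident, secret, seen_nonce))
    who = broker_verify_auth(payload, nonce, secrets)
    if who is None:
        return None
    op, payload = unpack(client_publish(who, chan, data))
    return broker_parse_publish(payload)

if __name__ == "__main__":
    secrets = {b"sensor01": b"constructed-secret"}   # broker-side credential store
    print(exchange(secrets, b"sensor01", b"constructed-secret", b"dionaea.capture", b'{"sha256": "..."}'))
    print(exchange(secrets, b"sensor01", b"wrong", b"dionaea.capture", b"x"))
```

Because the broker holds the per-sensor secrets and decides which ident may publish to or subscribe from which channel, feeds can be shared with partner teams channel by channel without handing out the raw honeypot data or the sensors' credentials.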
53. Last but not least :)
Incident response: your availability is impacted by your investigation capabilities.
54. Incident Response: some details
Ways to determine scope (impact)
Ways to minimize scope (impact)
Response to the threats with known scope (impact)
Response to the threats with unknown scope (impact)
Keep historical record of the process.
55. Questions
Q&A
our slides: http://www.slideshare.net/burguzbozo/