This presentation was delivered at SkyDogCon 6 in October 2016. The A/V is available here: https://www.youtube.com/watch?list=PLLEf-wPc7Tyae19iTuzKOXmPj-IQBIWuU&v=mKxGulV2Z74
It is an updated version of the original deck presented at BSides Augusta 2016, with new material on hunting use cases and added definitions for clarity.
Abstract:
"We can all agree that threat ("Evil") detection is an essential component of a functioning security monitoring program. Let's start thinking about how to take our tradecraft to the next level and hunt for insecure conditions ("Ways for Evil to do Evil things") that might allow threat actors to succeed in their mission.
This talk will run through some of the observations gathered during hunting expeditions inside the networks of multiple Fortune-ranked organizations and challenge you to expand your security operations thinking beyond signature-based detection.
- What is Hunting?
- How have we done it?
- What have we found, and what should be done about those findings?
- How might you achieve similar outcomes in your own environment?"
Speakers:
- Jacqueline Stokes (@find_evil) is an infosec enthusiast who picked up hacking as a preteen and cut her teeth over multiple years in Iraq. Her ongoing mission is to assess and advise clients on the most actionable and forward-thinking methods to improve detection, response, and containment of advanced threats. Jackie likes long walks on the beach, 90's nostalgia, and is the president and founding member of the Kevin Mandia Fan Club.
This presentation was delivered at BSides Augusta in September 2016. The A/V portion is available here: https://www.youtube.com/watch?v=i6p71t9PFWM
Abstract:
"We can all agree that threat ("Evil") detection is an essential component of a functioning security monitoring program. Let's start thinking about how to take our tradecraft to the next level and hunt for insecure conditions ("Ways for Evil to do Evil things") that might allow threat actors to succeed in their mission.
This talk will run through some of the observations gathered during hunting expeditions inside the networks of multiple Fortune-ranked organizations and challenge you to expand your security operations thinking beyond signature-based detection.
- What is Hunting?
- How have we done it?
- What have we found, and what should be done about those findings?
- How might you achieve similar outcomes in your own environment?"
Speakers:
- Jacqueline Stokes (@find_evil) is an infosec enthusiast who picked up hacking as a preteen and cut her teeth over multiple years in Iraq. Her ongoing mission is to assess and advise clients on the most actionable and forward-thinking methods to improve detection, response, and containment of advanced threats. Jackie likes long walks on the beach, 90's nostalgia, and is the president and founding member of the Kevin Mandia Fan Club.
- Danny Akacki (@dakacki) was a Lead Analyst with GE Capital's Applied Intelligence team prior to his employment with Mandiant, and now works for Bank of America's hunt team. He is a pragmatic optimist and believes we are probably screwed, but hopes we aren't. Danny enjoys finding evil on the weekends.
- Stephen Hinck (@stephenhinck) is a Senior Security Analyst at Oracle, Inc. Stephen stumbled into the information security world years ago and has since only managed to dig his way deeper into the rabbit hole. With a background in security operations, incident response and threat hunting, Stephen's experience is multi-faceted. Although he enjoys many things, he absolutely hates writing silly bios like this one.
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016 (Danny Akacki)
We can all agree that threat detection is an essential component of a functioning security monitoring program. Let's start thinking about how to take our tradecraft to the next level and hunt for ways for evil to do evil things. This talk will run through some of the observations gathered during hunting expeditions inside the networks of multiple Fortune-ranked organizations. We hope to challenge you to expand your security operations, moving beyond traditional signature-based detection.
Threat hunting - Every day is hunting season (Ben Boyd)
Breakout Presentation by Ben Boyd during the 2018 Nebraska Cybersecurity Conference.
Introduction to Threat Hunting and helpful steps for building a Threat Hunting Program of any size, from small to massive.
Threat hunting and achieving security maturity (DNIF)
In this virtual meetup of DNIF KONNECT (04.04.2019), where the growing DNIF community connects, interacts, shares and helps each other learn about the latest in threat hunting and more, Mr. Ankit Panchal from NSDL demonstrates an end-to-end demo of how you can achieve security maturity.
Learn more about DNIF KONNECT here - https://dnif.it/dnif-konnect.html
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
For organizations and individuals with limited security budgets, successfully hunting for cyber adversaries can be a daunting challenge. Threat Intelligence can be expensive and sometimes nothing more than IoCs or blacklists. In this talk, Endgame's threat research team will present a series of techniques that can enable organizations to leverage free or almost-free sources of data and open-source tools to "hunt on the cheap." They'll explain how to: retrieve attackers' tools from globally distributed honeynets that look like your organization or a juicy launching point to attackers; enrich the data past basic file/tool hashes to identify malicious command and control IPs/domains through automated binary analysis using open-source sandboxes and tools; and use passive DNS data to identify active infections and enrich existing data sets. Attendees will learn how to apply these three techniques to hunt for adversaries within their own networks. They will also learn about the various open-source solutions available, such as graph databases, that make these techniques inexpensive and within the scope of many organizations.
Anjum Ahuja, Senior Threat Researcher, Endgame
Jamie Butler, Chief Scientist, Endgame
Andrew Morris, Threat Researcher, Endgame
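The passive-DNS pivot described above, as an added example that is not Endgame's code: C2 IPs taken from sandbox output are expanded through a passive DNS dataset into the domains that resolved to them and the other IPs those domains have used, and the expanded domain set is then matched against an internal resolver log to find hosts that queried them. All records, IPs and hostnames are constructed (RFC 5737 documentation ranges and .example names), and the record shape and function names are assumptions, not any provider's API.

```python
"""Passive-DNS pivot: from sandbox-derived C2 indicators to infected internal hosts."""
from collections import defaultdict

# Constructed passive DNS records in the shape most providers expose:
# (rrname, rdata, first_seen, last_seen). Not real infrastructure.
PASSIVE_DNS = [
    ("update-check.example", "203.0.113.10", "2016-03-01", "2016-03-20"),
    ("cdn-sync.example",     "203.0.113.10", "2016-03-05", "2016-03-25"),
    ("cdn-sync.example",     "203.0.113.11", "2016-03-26", "2016-04-02"),
    ("legit-news.example",   "198.51.100.7", "2015-01-01", "2016-04-02"),
    ("mail.corp.example",    "192.0.2.25",   "2015-01-01", "2016-04-02"),
]

# Constructed indicators: C2 IPs observed in automated sandbox runs of
# samples pulled from the honeynet.
SANDBOX_C2_IPS = {"203.0.113.10"}

# Constructed internal resolver log: (timestamp, client_ip, queried_name).
INTERNAL_DNS_LOG = [
    ("2016-04-01T08:00:01", "10.1.4.21", "legit-news.example"),
    ("2016-04-01T08:00:09", "10.1.4.21", "cdn-sync.example"),
    ("2016-04-01T08:03:44", "10.1.7.9",  "mail.corp.example"),
    ("2016-04-01T08:10:02", "10.1.9.40", "update-check.example"),
]


def build_pdns_graph(records):
    """Bipartite adjacency: name -> {ips}, ip -> {names}."""
    name_to_ips = defaultdict(set)
    ip_to_names = defaultdict(set)
    for rrname, rdata, _first_seen, _last_seen in records:
        name_to_ips[rrname].add(rdata)
        ip_to_names[rdata].add(rrname)
    return name_to_ips, ip_to_names


def expand_indicators(seed_ips, records, max_hops=2):
    """Pivot seed IPs -> domains that resolved to them -> other IPs those
    domains used. max_hops bounds the walk: every hop away from the seed
    lowers confidence, so anything past hop 1 is for review, not blocking."""
    name_to_ips, ip_to_names = build_pdns_graph(records)
    ips, names = set(seed_ips), set()
    for _ in range(max_hops):
        new_names = {n for ip in ips for n in ip_to_names.get(ip, ())}
        names |= new_names
        ips |= {ip for n in new_names for ip in name_to_ips.get(n, ())}
    return {"ips": ips, "domains": names}


def find_infected_hosts(dns_log, indicators):
    """Match internal resolver queries against the expanded domain set;
    returns client_ip -> [(timestamp, queried_name), ...]."""
    hits = defaultdict(list)
    for ts, client, qname in dns_log:
        if qname in indicators["domains"]:
            hits[client].append((ts, qname))
    return dict(hits)


if __name__ == "__main__":
    expanded = expand_indicators(SANDBOX_C2_IPS, PASSIVE_DNS)
    for host, queries in find_infected_hosts(INTERNAL_DNS_LOG, expanded).items():
        print(host, queries)
```

The pivot is only as clean as the IPs it walks through: a shared-hosting or CDN address has thousands of names behind it and one hop will pull in all of them, so in practice the walk is bounded by hop count, by the first_seen/last_seen window of the sample's activity, and by a fan-out cap per node before anything reaches a blocklist.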
"Cyberhunting" actively looks for signs of compromise within an organization and seeks to control and minimize the overall damage. This rare but essential breed of enterprise cyber defenders gives proactive security a whole new meaning.
Check out the accompanying webinar: http://www.hosting.com/resources/webinars/?commid=228353
This presentation, "Threat hunting on the wire", is part of a series of courses on the subject of Threat Hunting. It covers command-line packet analysis and network forensics.
After anomalous network traffic has been identified there can still be an abundance of results for an analyst to process. This presentation is for data scientists and network security professionals who want to improve the signal-to-noise ratio.
Flare is a network analytic framework designed for data scientists, security researchers, and network professionals. Written in Python, flare is designed for rapid prototyping and development of behavioral analytics. Flare comes with a collection of pre-built utility functions useful for performing feature extraction.
Using flare, we'll walk through identifying Domain Generation Algorithms (DGA) commonly used in malware and how to reduce the dataset to a manageable amount for security professionals to process.
We'll also explore flare's beaconing detection which can be used with the output from popular Intrusion Detection System (IDS) frameworks.
More information on flare can be found at https://github.com/austin-taylor/flare
www.austintaylor.io
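An added example, not flare's code, of the two analytics the talk describes: a DGA heuristic over the registrable label (entropy plus vowel and digit ratios, since entropy alone also flags long legitimate names) and a beacon detector that scores each (source, destination) pair by the coefficient of variation of its inter-arrival times. The domains, connection timestamps, thresholds and function names are constructed assumptions.

```python
"""DGA scoring and beacon detection over constructed DNS and connection logs."""
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

VOWELS = set("aeiou")

# Constructed sample of queried names: four legitimate, three DGA-like.
SAMPLE_DNS_QUERIES = [
    "www.google.com", "update.microsoft.com", "stackoverflow.com", "cdn.cloudflare.net",
    "xk3j9qz0plm7vw.net", "qwbtrpxvmzklsdf.com", "h7t2k9x4m1.org",
]

# Constructed connection log: (epoch seconds, src, dst). First pair is a
# 60 s beacon with jitter, second is bursty interactive traffic, third is
# too sparse to judge.
SAMPLE_CONN_LOG = [
    *[(t, "10.0.0.5", "203.0.113.7") for t in (0, 61, 119, 181, 240, 299, 361, 420)],
    *[(t, "10.0.0.8", "198.51.100.3") for t in (0, 5, 140, 142, 600, 601, 1300, 1302)],
    (10, "10.0.0.9", "192.0.2.44"), (900, "10.0.0.9", "192.0.2.44"),
]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(domain):
    """Second-to-last label. Assumes single-label TLDs; co.uk-style suffixes
    would need a public suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_features(domain):
    label = registrable_label(domain)
    n = max(len(label), 1)
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
    }


def is_dga_like(domain, min_len=8, min_entropy=3.3):
    """Heuristic: a long, high-entropy label that is vowel-poor or digit-heavy.
    Entropy alone is not enough: "stackoverflow" scores above 3.5 bits."""
    f = dga_features(domain)
    return (f["length"] >= min_len and f["entropy"] >= min_entropy
            and (f["vowel_ratio"] < 0.25 or f["digit_ratio"] >= 0.2))


def beacon_candidates(conn_log, min_events=6, max_cv=0.2):
    """Flag (src, dst) pairs whose inter-arrival times are nearly periodic.
    CV = stdev / mean of the deltas; a jittered beacon stays low, human
    traffic does not. min_events avoids scoring a pair on two data points."""
    times = defaultdict(list)
    for ts, src, dst in conn_log:
        times[(src, dst)].append(ts)
    out = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_events:
            continue
        ts_list.sort()
        deltas = [b - a for a, b in zip(ts_list, ts_list[1:])]
        m = mean(deltas)
        if m <= 0:
            continue
        cv = pstdev(deltas) / m
        if cv <= max_cv:
            out[pair] = {"interval_s": round(m, 1), "cv": round(cv, 3), "events": len(ts_list)}
    return out


def triage(dns_queries, conn_log):
    """Reduce both data sets to the handful of items an analyst should look at."""
    return {"dga_like": [d for d in dns_queries if is_dga_like(d)],
            "beacons": beacon_candidates(conn_log)}


if __name__ == "__main__":
    print(triage(SAMPLE_DNS_QUERIES, SAMPLE_CONN_LOG))
```

The thresholds are deliberately loose; in a real environment the DGA check is run after an allowlist of the top-N domains the estate already talks to, and the beacon check is run on IDS or flow output aggregated per pair so that a single long-lived session does not register as many events.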
Creating Your Own Threat Intel Through Hunting & Visualization (Raffael Marty)
The security industry is talking a lot about threat intelligence; external information that a company can leverage to understand where potential threats are knocking on the door and might have already penetrated the network boundaries. Conversations with many CERTs have shown that we have to stop relying on knowledge about how attacks have been conducted in the past and start 'hunting' for signs of compromise and anomalies in our own environments.
In this presentation we explore how the decade-old field of security visualization has evolved. We show how we have applied advanced analytics and visualization to create our own threat intelligence and investigated lateral movement in a Fortune 50 company.
Visualization. Data science. No machine learning. But pretty pictures.
Here is a blog post I wrote a bit ago about the general theme of internal threat intelligence:
http://www.darkreading.com/analytics/creating-your-own-threat-intel-through-hunting-and-visualization/a/d-id/1321225?
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz (Christopher Gerritz)
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on GitHub) and a methodology for hunting on the endpoint using PowerShell across an enterprise or on an individual system.
How to Hunt for Lateral Movement on Your Network (Sqrrl)
Once inside your network, most cyber-attacks go sideways. They progressively move deeper into the network, laterally compromising other systems as they search for key assets and data. Would you spot this lateral movement on your enterprise network?
In this training session, we review the various techniques attackers use to spread through a network, which data sets you can use to reliably find them, and how data science techniques can be used to help automate the detection of lateral movement.
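One way to turn the logon data set into an automated lateral-movement check, as an added example that is not part of Sqrrl's material: count the distinct hosts each account authenticates to within a sliding window (Windows Security event 4624 with LogonType 3 for network logons and 10 for RDP) and flag accounts above a threshold, with an allowlist for accounts whose baseline fan-out is legitimately high. The 4624 field names are the real ones; the events, thresholds and function names are constructed assumptions.

```python
"""Lateral-movement hunt: account fan-out over Windows 4624 network logons."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4624 events (field names are Microsoft's; values are made up).
# LogonType 3 = network (SMB/WMI/PsExec style), 10 = RemoteInteractive (RDP).
SAMPLE_LOGONS = [
    {"ts": "2016-09-10T09:00:05", "TargetUserName": "jdoe", "IpAddress": "10.2.0.17", "Computer": "FS01", "LogonType": 3},
    {"ts": "2016-09-10T09:00:41", "TargetUserName": "jdoe", "IpAddress": "10.2.0.17", "Computer": "WS-022", "LogonType": 3},
    {"ts": "2016-09-10T09:01:12", "TargetUserName": "jdoe", "IpAddress": "10.2.0.17", "Computer": "WS-023", "LogonType": 3},
    {"ts": "2016-09-10T09:01:50", "TargetUserName": "jdoe", "IpAddress": "10.2.0.17", "Computer": "WS-031", "LogonType": 3},
    {"ts": "2016-09-10T09:02:33", "TargetUserName": "jdoe", "IpAddress": "10.2.0.17", "Computer": "SQL02", "LogonType": 3},
    {"ts": "2016-09-10T09:03:09", "TargetUserName": "jdoe", "IpAddress": "10.2.0.17", "Computer": "DC01", "LogonType": 10},
    {"ts": "2016-09-10T09:00:00", "TargetUserName": "asmith", "IpAddress": "10.2.0.40", "Computer": "FS01", "LogonType": 3},
    {"ts": "2016-09-10T11:30:00", "TargetUserName": "asmith", "IpAddress": "10.2.0.40", "Computer": "PRINT01", "LogonType": 3},
    # A backup service account sweeping eight workstations in eight seconds.
    *[{"ts": f"2016-09-10T02:00:{i:02d}", "TargetUserName": "svc_backup", "IpAddress": "10.2.0.5",
       "Computer": f"WS-{i:03d}", "LogonType": 3} for i in range(8)],
]

# Baseline: accounts that legitimately touch many hosts (backup, vuln scanner).
KNOWN_FANOUT_ACCOUNTS = {"svc_backup"}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_fanout(events, window=timedelta(minutes=10), threshold=5,
                logon_types=(3, 10), allowlist=KNOWN_FANOUT_ACCOUNTS):
    """Return accounts that authenticated to >= threshold distinct hosts
    inside any window-long span, with the hosts and source IPs involved."""
    per_account = defaultdict(list)
    for e in events:
        if e["LogonType"] in logon_types and e["TargetUserName"] not in allowlist:
            per_account[e["TargetUserName"]].append((_parse(e["ts"]), e["Computer"], e["IpAddress"]))
    findings = {}
    for account, rows in per_account.items():
        rows.sort()
        best, best_start = set(), None
        # O(n^2) sliding window: fine for a hunt over one day of one account's logons.
        for i, (start, _, _) in enumerate(rows):
            hosts = {c for t, c, _ in rows[i:] if t - start <= window}
            if len(hosts) > len(best):
                best, best_start = hosts, start
        if len(best) >= threshold:
            findings[account] = {
                "distinct_hosts": len(best),
                "hosts": sorted(best),
                "sources": sorted({s for _, _, s in rows}),
                "window_start": best_start.isoformat(),
            }
    return findings


if __name__ == "__main__":
    for account, detail in find_fanout(SAMPLE_LOGONS).items():
        print(account, detail)
```

The allowlist is the part that decides whether this is usable: without a per-account baseline the backup account is the loudest finding every night, and an attacker who steals that account's credentials hides inside its normal pattern, which is why the source IP set is reported alongside the host count.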
Adversaries compromise at will, penetrating today's signature- and IOC-dependent detection capabilities. Most incident responders are locked in a cycle of constant reaction to the fraction of activity that is known. Often, undetected attackers remain active in the network as reported incidents are remediated. A new approach is needed to break the cycle of reaction and eradicate the unknown.
An offense-based approach must be adopted. Hunting puts the defender on the offensive within their networks, allowing for rapid detection and remediation of threats. Adversary dwell time can be drastically reduced, reducing business impacts and recovery costs. The Endgame hunt platform enables instant protection, visibility, and precision response across your endpoints and automates detection of known and never before seen adversaries without relying on signatures.
This talk covers:
• Description and benefits of hunt
• Challenges of hunting
• Solutions and hunting best practices
Confusion and deception new tools for data protection (Priyanka Aash)
Cyberthreats are asymmetric risks: corporate defenders must secure and detect everything, but the attacker needs to exploit only once. As petabytes of data traverse the ecosystem, legacy data protection methods leave many gaps. By looking through the adversary's eyes, you can create subterfuges, delay attack progress or reduce the value of any data ultimately accessed, and so shift the risk equation.
(Source : RSA Conference USA 2017)
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A... (MITRE - ATT&CKcon)
This talk presents a case study which demonstrates that we should consider the knowledge and wisdom contained within ATT&CK in all organizational security initiatives, to make sure that by fixing one thing we have not simply created another opportunity for an attacker.
The presentation shows how to leverage the analysis and classification of APT tactics, techniques and procedures (TTPs) to guide research into new and novel techniques, specifically focusing on exfiltration and command and control.
DNS over HTTPS (DoH) aims to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks. Major web browsers such as Firefox are considering its implementation by default. But what could this possibly mean for exfiltration and command and control?
This session provides an end-to-end demo that shows DoH being implemented to provide full command and control in a popular attack simulation framework and discusses associated mitigations.
This is about what threat hunting is and how to perform it. Our traditional detection systems are being bypassed, and we need a modern approach to detect and respond to modern-day threats.
Entire demo of the same is available on youtube - https://www.youtube.com/playlist?list=PL2iM-fIRjbTCQVI4tR7U2I5IdwLb2QSi_
Using Canary Honeypots for Network Security Monitoring (chrissanders88)
In this presentation I talk about how honeypots that have more traditionally been used for research purposes can also be used as an effective part of a network security monitoring strategy.
2023 NCIT: Introduction to Intrusion Detection (APNIC)
APNIC Senior Security Specialist Adli Wahid presents an Introduction to Intrusion Detection at the 2023 NCIT, held in Suva, Fiji from 17 to 18 August 2023.
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec... (APNIC)
APNIC Senior Security Specialist Adli Wahid provides some useful findings of lessons learned from security incidents at the UMS Cybersecurity Awareness Seminar, held online on 25 October 2021.
The SOC analyst training program is meticulously designed by the subject matter experts at Infosec Train. The training program offers a deep insight into the SOC operations and workflows. It is an excellent opportunity for aspiring and current SOC analysts (L1/L2/L3) to level up their skills to mitigate business risks by effectively handling and responding to security threats.
https://www.infosectrain.com/courses/soc-analyst-expert-training/
Incident handlers manage security incidents by understanding common attack techniques, vectors and tools as well as defending against and/or responding to such attacks when they occur. In this talk we will discuss modern attacks, techniques, how to defend & respond to those threats.
For a college class in Network Security Monitoring at CCSF.
Instructor: Sam Bowne
Course website: https://samsclass.info/50/50_F17.shtml
Based on "The Practice of Network Security Monitoring: Understanding Incident Detection and Response" by Richard Bejtlich, No Starch Press; 1 edition (July 26, 2013), ASIN: B00E5REN34
Today's Breach Reality, The IR Imperative, And What You Can Do About It (Resilient Systems)
Despite changing threats and the near certainty of compromise, most IT security programs are much the same as they were a decade ago. How have attacker motivations and tactics changed, and why? What does this mean for IT security departments, and how must they adapt?
This webinar will detail the security challenges organizations face today, the implications of changes in attacker tactics and motivations, and what firms can do to better align their security program with today's reality.
Our featured speakers for this webinar will be:
- Ted Julian, Chief Marketing Officer, Co3 Systems
- Colby Clark, Director of Incident Management, Fishnet Security
GraphRAG is All You need? LLM & Knowledge Graph (Guy Korland)
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Generative AI Deep Dive: Advancing from Proof of Concept to Production (Aggregage)
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
UiPath Test Automation using UiPath Test Suite series, part 5 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with DevOps.
Topics covered:
CI/CD within UiPath
End-to-end overview of a CI/CD pipeline with Azure DevOps
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Climate Impact of Software Testing at Nordic Testing Days (Kari Kakkonen)
My slides at Nordic Testing Days 6.6.2024
The climate impact and sustainability of software testing are discussed in the talk. ICT and testing must carry their part of the global responsibility to help counter climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Sustainability can be added as a quality characteristic and then measured continuously. Test environments can be used less, at smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
GridMate - End to end testing is a critical piece to ensure quality and avoid... (ThomasParaiso2)
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
Elevating Tactical DDD Patterns Through Object Calisthenics (Dorra BARTAGUIZ)
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability while sacrificing security. This best practices guide outlines steps users can take to better protect personal devices and information.
Essentials of Automations: The Art of Triggers and Actions in FME (Safe Software)
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
7. Building a Hunt Program
Hunting: Defense Against The Dark Arts 7
"Understanding is the first step to acceptance, and only with acceptance can there be recovery."
— Albus Dumbledore
8. Hunt Program
Capability tiers, top to base:
• Mature detection capabilities
• Use Cases + Playbooks: guiding processes for SOC / CIRT
• Technology & Tools: operationally-driven and requirements-based
• SOC + CIRT: security operations and incident response
• Formalized Security Program: chartered and backed by an executive sponsor
Hunting Capability Pyramid: "Must be this tall to ride" :)
10. Building a Hunt Program
1. Establish executive sponsorship and mission charter/objectives
2. Establish and implement enterprise logging strategy
3. Aggregate, centralize, and process data
4. Make data available within a (fast) searchable interface
5. Drive maturity
• Develop Use Cases
• Are we getting the right data?
• Review tooling and associated requirements
• Reintegrate hunt mission data to security operations
11. Hunting + IR → Detection Maturation
[Diagram: feedback cycle between HUNT, IR, SOC, DETECT and USE CASE. Ongoing hunt missions feed incident response activities; IR outcomes affect SecOps; lessons learned are incorporated into SecOps; detection capability improves. Hunt findings are classified as Evil or Non-Evil Risk.]
12. What is a Use Case?
• Discrete objectives and processes used to solve mission problems and guide thinking
• Can be simple or complex
• Helps to identify data / capability requirements and gaps
• Aligned to an attacker lifecycle: Kill Chain or ATT&CK
• Contains Internal TTP used to achieve the Use Case Objectives
• Data – What should we collect to detect EOI?
• Tools – What can we use to handle our Data?
• Logic – How can we best leverage both our Data and Tools?
13. EOI, Incidents, and Use Cases
[Diagram: nested relationship of Incident, Events of Interest, and Detection Use Case]
Events of Interest, ex.:
1. $Endpoint1 seen making DNS requests for known bad domain
2. HTTP Proxy sees $Endpoint1 requesting binary with unknown MD5
3. Network logs show periodic suspicious communications from $Endpoint1 to multiple new hosts in unlikely countries
4. Can you think of more examples?
14. Use Case Design Tree: Objective
15. Use Case Design Tree: Tools & Capabilities
16. Hunt Mission Outcomes
No Detection
• Benefit: Activity shown not to be present
• Next Step: Evaluate hunt mission effectiveness
Detection: Non-Malicious
• Benefits: Activity shown to be present; hunt mission effectiveness validated; identify best practice / compliance issues
• Next Step: Escalate as appropriate, monitor to closure
Detection: Malicious
• Benefits: Activity shown to be present; hunt mission effectiveness validated; identify security incidents
• Next Step: Escalate as appropriate, monitor to closure
17. Sorting Out Your Data
"Not Slytherin, eh? Are you sure? You could be great, you know."
18. Data Sources
- Remote Access
- Web Proxy
- IDS / IPS
- Email
- WAF
- DNS
- DHCP
- NetFlow
- Firewall
- Router / Switch
- Wireless Infrastructure
- Agents
- Antivirus
- Operating Systems
- Active Directory
- File, Print, Database
- Other Services
External Feeds
- Paid, Free, OSINT
Internal Feeds
- Recon Data
- Threat/Risk Models
- IR Lessons Learned
- Critical Asset Inventory
- Identity & Access Management (IAM)
- Scheduled Service Interruptions
- Terminated Users
- Acceptable Use Policy
- Employee Work Hours
- Physical Access Logs
Source categories: Security, Network, Endpoint, IT, Threat Intel, HR
19. Two Types of Events
1. Observed → Originated from a device that handled the event in some way
2. Synthetic → Generated through automated analysis of event data
20. What is the Right Data?
• Original source data wherever possible
• Ensure the presence of important metadata
• Generally, observed events > synthetic events
• Synthetic events can provide useful context in the form of analytics
• Logs must enable pivoting
• Minimum - one extractable / consistent data point to correlate log sources
21. Ready the Spells!
• Understand the network
• Learn critical assets
• Develop enterprise logging strategy
• Ensure data sources use consistent time settings; implement NTP, use GMT (or UTC)
• Plug in to asset, change, and configuration management processes
• Account for other organizational use cases
• IT Operations
• Forensics / Incident Response
• Compliance / Audit
• Clean up the hunt dataset
• Normalization
• De-duplication
• Parsing
• Enrich and contextualize the dataset...!
22. Event Enrichment
• Internally-sourced Intelligence
• Attack Trees
• Red Team / Penetration test output
• TTPs from previous incidents
• Deviances from baselines / Expected behavior
• Organizational risk profile / Threat context
• Externally-sourced Intelligence
• Paid subscriptions
• OSINT
• Free feeds
• Passive DNS, WHOIS, etc.
• Geographical data
• ISAC, Infragard, etc.
• Context
• Environmental
• Refer to "Data Source" slide
• Previous hunt and IR output
• Malware analysis
• Analytics, Ex:
• Geo-infeasibility
• Beacon detection
• DNS entropy
• Data exfiltration
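As an added example (not code from the original deck), here is the kind of "beacon detection" analytic listed above: it derives a synthetic event from observed proxy events by flagging any source/destination pair whose connection intervals are almost constant. The log format, the sample lines, the `min_events` and `max_jitter` thresholds and all hostnames are constructed assumptions.

```python
"""Beacon detection: a synthetic event derived from observed proxy events.
Added example, not from the original talk; log format and data are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines: "<ISO timestamp> <src_ip> <dest_host>".
# 10.1.1.20 talks to one host every ~5 minutes; 10.1.1.21 is irregular user traffic.
SAMPLE_PROXY_LOG = """\
2016-10-01T09:00:00 10.1.1.20 updates.example-cdn.test
2016-10-01T09:05:00 10.1.1.20 updates.example-cdn.test
2016-10-01T09:10:02 10.1.1.20 updates.example-cdn.test
2016-10-01T09:14:59 10.1.1.20 updates.example-cdn.test
2016-10-01T09:20:01 10.1.1.20 updates.example-cdn.test
2016-10-01T09:25:00 10.1.1.20 updates.example-cdn.test
2016-10-01T09:01:13 10.1.1.21 intranet.corp.test
2016-10-01T09:07:40 10.1.1.21 intranet.corp.test
2016-10-01T09:31:05 10.1.1.21 intranet.corp.test
2016-10-01T09:33:10 10.1.1.21 intranet.corp.test
2016-10-01T10:02:44 10.1.1.21 intranet.corp.test
2016-10-01T10:40:09 10.1.1.21 intranet.corp.test
"""


def parse_proxy_log(text):
    """Yield (timestamp, src, dest) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def find_beacons(records, min_events=5, max_jitter=0.1):
    """Return {(src, dest): (period_seconds, jitter)} for pairs whose
    inter-connection intervals are nearly constant.

    jitter is the coefficient of variation (population stdev / mean) of the
    intervals; a sleep-plus-small-random-delay pattern scores close to 0,
    while human browsing scores far above the threshold."""
    by_pair = defaultdict(list)
    for ts, src, dest in records:
        by_pair[(src, dest)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue                         # too few samples to judge periodicity
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        jitter = pstdev(intervals) / avg
        if jitter <= max_jitter:
            beacons[pair] = (round(avg, 1), round(jitter, 3))
    return beacons


def beacon_events(text):
    """Parse raw log text and return the synthetic beacon events."""
    return find_beacons(parse_proxy_log(text))


if __name__ == "__main__":
    for (src, dest), (period, jitter) in beacon_events(SAMPLE_PROXY_LOG).items():
        print(f"BEACON src={src} dest={dest} period={period}s jitter={jitter}")
```

The output is itself an event worth enriching: a beacon to a well-known update host is probably benign, so the next step would be to pivot on the destination against the external and internal feeds listed on the "Data Sources" slide rather than alert on periodicity alone.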
23. Tools of the Trade
"It is important to fight, and fight again, and keep fighting, for only then could evil be kept at bay, though never quite eradicated"
— Albus Dumbledore
24. Criteria for a Working Hunt Platform
• Rapid search with high quality UI and / or API
• Stacking
• Group and reduce the dataset to more easily identify outliers
• Improves feasibility of analyzing large environments
• Pivoting
• Move laterally through the dataset
• See the whole picture
• Nice to Have
• Tagging and Enrichments
• Intelligence Integration Support
• Automation: Rules & Alerting
25. All About The Galleons
• Budget!
• Driven by Operational Requirements
• Tool/Vendor Selection Process
• Evaluation Success Criteria
• Multiple Tools: Diverse Perspectives
• Free and Open Source Software!
• NXLog
• Sysmon
• Moloch
• Wireshark
• Bro Network Security Monitor
• ELK Stack (ElasticSearch, Logstash, Kibana)
• Security Onion Linux Distribution – Da Real MVP
+ a bunch of other stuff not listed here...
27. Sample Hypotheses to Drive Hunt Missions
1. Sensitive corporate data stored only in approved locations
2. Large or extended outbound data transfers meet business needs
3. Reconnaissance activities against DMZ hosts provide advance warning of pending malicious activity
4. VPN logins by users are geographically feasible
5. Domain controller baselines are simple and deviations rarely occur
6. Service credentials are used only in expected ways and for their appropriate services
7. Web proxies are appropriately configured to block suspicious traffic
8. Services communicate using secure, encrypted protocols
9. Tunneling HTTP traffic and other proxy avoidance techniques are not allowed in or out of our network
10. The use of management tools (such as PSExec) occurs only within approved change windows
11. Endpoints are not added to the network without infosec visibility
28. More Data, More Problems
"Dobby is... free."
30. 1. Remote Access
Hypothesis: Remote access to our environment is conducted using approved means
Discovery:
• Remote access is occurring over multiple protocols to / from unapproved hosts
• VNC to / from production network
• RDP to domain controllers from DMZ
• Evidence of unapproved remote access utilities such as LogMeIn, GoToMyPC, etc.
Recommendation:
• Evaluate unapproved connections for mitigation or for risk acceptance
• Ensure that risk accepted software is fully patched and up to date
• Implement strong encryption, jump boxes / VPN ACLs, and two-factor authentication where possible
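One way to test this hypothesis against flow data, as an added example that is not part of the original deck: flag RDP, SSH and VNC flows that reach a domain controller from anything other than the approved jump host, and VNC that touches the production zone in either direction. The zone ranges, domain controller and jump-host addresses, the port-to-protocol map and the flow records are all constructed for the example.

```python
"""Remote-access hunt over NetFlow-style records.
Added example, not from the original talk; zones, addresses and flows are constructed."""
import ipaddress
from collections import Counter

# Hypothetical network zones (documentation and private ranges used as placeholders)
ZONES = {
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),
    "PROD": ipaddress.ip_network("10.10.0.0/16"),
    "USER": ipaddress.ip_network("10.20.0.0/16"),
}
DOMAIN_CONTROLLERS = {"10.10.0.5", "10.10.0.6"}     # hypothetical
APPROVED_JUMP_HOSTS = {"10.20.1.10"}                # hypothetical bastion host
# Default ports of common remote-access protocols
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC", 5901: "VNC"}

# Constructed flow records: src_ip,dst_ip,dst_port,bytes (one malformed line on purpose)
SAMPLE_FLOWS = """\
10.20.1.10,10.10.0.5,3389,820344
10.20.7.44,10.10.0.5,3389,410221
192.0.2.15,10.10.0.6,3389,22010
10.20.3.9,10.10.4.21,5900,99000
10.10.4.21,10.20.3.9,5900,1200
10.20.5.2,203.0.113.40,443,5000
not,a,valid,line
"""


def zone_of(ip):
    """Name of the zone containing ip, or EXTERNAL if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def parse_flows(text):
    """Yield (src, dst, dst_port, bytes); malformed lines are skipped."""
    for line in text.splitlines():
        try:
            src, dst, port, nbytes = line.split(",")
            yield src, dst, int(port), int(nbytes)
        except ValueError:
            continue


def unapproved_remote_access(flows):
    """Return findings as (reason, src, dst, proto) tuples in flow order.

    Two checks taken from the slide's discovery list: remote access to a
    domain controller must come from an approved jump host, and VNC must
    not touch the production zone in either direction."""
    findings = []
    for src, dst, port, _nbytes in flows:
        proto = REMOTE_ACCESS_PORTS.get(port)
        if proto is None:
            continue                                   # not a remote-access protocol
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if dst in DOMAIN_CONTROLLERS and src not in APPROVED_JUMP_HOSTS:
            findings.append((f"{proto} to domain controller from {src_zone}", src, dst, proto))
        elif proto == "VNC" and "PROD" in (src_zone, dst_zone):
            findings.append((f"VNC {src_zone}->{dst_zone} touches production", src, dst, proto))
    return findings


def hunt(text):
    """Run the hunt over raw flow text; returns (findings, per-protocol counts)."""
    findings = unapproved_remote_access(parse_flows(text))
    return findings, Counter(f[3] for f in findings)


if __name__ == "__main__":
    found, counts = hunt(SAMPLE_FLOWS)
    for reason, src, dst, proto in found:
        print(f"{proto:4} {src:>15} -> {dst:<15} {reason}")
    print("by protocol:", dict(counts))
```

Each finding then goes through the slide's recommendation path: mitigate, or document risk acceptance and make sure the accepted software stays patched. Port-based protocol identification is a deliberate simplification; with Bro/NSM logs the `service` field would replace the port map.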
31. 2. Data Storage
Hypothesis: Corporate data is only stored in approved locations
Discovery:
• Sensitive corporate data stored on unencrypted and infected external media
• Unrestricted use of common cloud data storage providers
• Unmanaged source code repositories (intellectual property)
Recommendation:
• Evaluate DLP implementation and allowed web proxy categories
• Consider establishing formalized agreement with a cloud storage provider
• Bring unmanaged data stores under management in support of development teams
32. 3. Proxy Infrastructure
Hypothesis: Our proxy infrastructure is properly configured
Discovery:
• Not blocking known malicious categories
• Not blocking executable downloads
• Proxies not logging all necessary protocol metadata
• Ex. User Agent, Status Code, Byte Counts, X-Forwarded-For, etc.
Recommendation:
• Validate security operations' requirements of proxy infrastructure
• Re-evaluate proxy configurations for appropriate changes
• Ensure security operations are looped in to the change management process
33. 4. Approved Protocols
Hypothesis: Protocols transiting our network are secure and approved for use
Discovery:
• Various insecure protocols identified in use across the network
• Unencrypted: Telnet, FTP
• Deprecated: SNMP v2, cleartext SMTP
• Risky: IRC, Tor / I2P
Recommendation:
• Identify opportunities to deploy secured versions of protocols
• FTP → SFTP
• Telnet → SSH
• SNMP v2 → SNMP v3, etc.
• Evaluate implementation of risk detection and mitigation strategies
34. 5. Approved Clients
Hypothesis: Internet access is achieved using known and approved client software
Discovery:
• Suspicious user-agents identified - indicating potential latent infections
• Extremely out of date software, including: client browsers, Flash, and Java
Recommendation:
• Begin incident response procedures to evaluate and triage endpoints
• Evaluate consistency of patch and vulnerability management processes
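The "Stacking" criterion from the hunt-platform slide and the suspicious user-agent discovery above are the same exercise, so here is one added example (not from the original deck) that serves both: collapse proxy logs into a per-user-agent stack counted by distinct hosts, pull the long tail of agents seen on a single host, and list hosts whose agent string indicates out-of-date client software. The log format, sample lines and the marker list for outdated clients are constructed.

```python
"""Stacking proxy user-agent strings to find rare and out-of-date clients.
Added example, not from the original talk; log format and markers are constructed."""
import re
from collections import defaultdict

# Constructed proxy log lines: src_ip "user-agent" destination
SAMPLE_PROXY_LOG = """\
10.20.1.5 "Mozilla/5.0 (Windows NT 10.0) Chrome/53.0" www.example.test
10.20.1.6 "Mozilla/5.0 (Windows NT 10.0) Chrome/53.0" www.example.test
10.20.1.7 "Mozilla/5.0 (Windows NT 10.0) Chrome/53.0" mail.example.test
10.20.1.8 "Mozilla/5.0 (Windows NT 10.0) Chrome/53.0" www.example.test
10.20.1.9 "Mozilla/5.0 (Windows NT 6.1) Firefox/49.0" www.example.test
10.20.1.5 "Mozilla/5.0 (Windows NT 6.1) Firefox/49.0" mail.example.test
10.20.1.12 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" cdn.example.test
10.20.1.12 "Java/1.6.0_21" 203.0.113.9
10.20.1.13 "" 198.51.100.7
"""

LINE_RE = re.compile(r'^(\S+) "([^"]*)" (\S+)$')

# Constructed markers for client software the slide calls "extremely out of date"
OLD_CLIENT_MARKERS = ("MSIE 6.0", "Java/1.6", "Java/1.7")


def parse_proxy_log(text):
    """Yield (src_ip, user_agent, destination); non-matching lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def stack_user_agents(records):
    """The stacking step: collapse the log into {user_agent: [hosts that used it]}.

    Counting distinct hosts rather than raw lines keeps one chatty client
    from dominating the stack."""
    hosts_by_ua = defaultdict(set)
    for src, ua, _dest in records:
        hosts_by_ua[ua].add(src)
    return {ua: sorted(hosts) for ua, hosts in hosts_by_ua.items()}


def long_tail(hosts_by_ua, max_hosts=1):
    """Outliers: user agents seen on at most max_hosts hosts, rarest first."""
    tail = [(ua, hosts) for ua, hosts in hosts_by_ua.items() if len(hosts) <= max_hosts]
    return sorted(tail, key=lambda item: (len(item[1]), item[0]))


def outdated_client_hosts(hosts_by_ua):
    """Hosts whose user agent matches one of the out-of-date markers."""
    return sorted({h for ua, hosts in hosts_by_ua.items()
                   if any(marker in ua for marker in OLD_CLIENT_MARKERS)
                   for h in hosts})


if __name__ == "__main__":
    stack = stack_user_agents(parse_proxy_log(SAMPLE_PROXY_LOG))
    for ua, hosts in sorted(stack.items(), key=lambda kv: len(kv[1]), reverse=True):
        print(f"{len(hosts):3} host(s)  {ua or '<empty user agent>'}")
    print("long tail:", [ua for ua, _ in long_tail(stack)])
    print("outdated clients:", outdated_client_hosts(stack))
```

An empty user agent and a bare `Java/1.6` agent talking to raw IP addresses are exactly the rows a stack surfaces that a per-line search would bury under the browser majority; they are leads for the IR triage step in the recommendation, not verdicts.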
35. 6. Privilege Management
Hypothesis: Account management is rooted in best practice
Discovery:
• Service accounts used for unrelated purposes or shared by users
• Regular and privileged users with non-specific accounts
• Direct privileged logins without approved privilege escalation process (e.g. sudo)
• Suspicious usernames that do not conform to the organizational standard
• User account belonging to terminated user active on the network
Recommendation:
• Evaluate suspicious or ambiguous accounts for mitigation or for risk acceptance
• Ensure security operations are tied into the HR termination workflow
• Update organizational username standard and privilege management processes
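Three of the discoveries above (terminated user still active, service accounts used interactively, usernames outside the standard) can be checked with one join between the HR feed and logon records. This is an added example, not code from the original deck: the HR termination list, the naming standard, the host names and the logon records are constructed; the Windows logon type numbers (2 = Interactive, 10 = RemoteInteractive, 4 = Batch, 5 = Service) are the standard ones.

```python
"""Account-hygiene hunt joining an HR feed with logon records.
Added example, not from the original talk; feed, standard and records are constructed."""
import re
from datetime import date

# Constructed HR feed: username -> termination date
HR_TERMINATIONS = {"jdoe": date(2016, 9, 15), "asmith": date(2016, 8, 1)}

# Hypothetical organizational naming standard:
#   users:    lowercase letters only (first initial + surname)
#   services: svc_ followed by the service name
USER_RE = re.compile(r"^[a-z]{2,16}$")
SERVICE_RE = re.compile(r"^svc_[a-z0-9]+$")

# Windows logon types that mean a person sat at a console or RDP session
INTERACTIVE_LOGON_TYPES = {2, 10}

# Constructed logon records: date,username,logon_type,host
SAMPLE_LOGONS = """\
2016-10-03,jdoe,10,PROD-DB01
2016-10-03,bwong,2,WS-0441
2016-10-03,svc_backup,10,FILE01
2016-10-03,svc_backup,4,FILE01
2016-10-04,asmith,2,WS-0102
2016-10-04,adm1n$$,2,DC01
2016-10-04,svc_sql,5,SQL02
"""


def parse_logons(text):
    """Yield (date, username, logon_type, host); malformed lines are skipped."""
    for line in text.splitlines():
        try:
            d, user, ltype, host = line.split(",")
            yield date.fromisoformat(d), user, int(ltype), host
        except ValueError:
            continue


def account_findings(logons):
    """Return a sorted, de-duplicated list of (category, username, host)."""
    findings = set()
    for when, user, ltype, host in logons:
        term = HR_TERMINATIONS.get(user)
        if term is not None and when > term:
            findings.add(("terminated-user-active", user, host))
        if SERVICE_RE.match(user) and ltype in INTERACTIVE_LOGON_TYPES:
            findings.add(("service-account-interactive", user, host))
        if not (USER_RE.match(user) or SERVICE_RE.match(user)):
            findings.add(("nonstandard-username", user, host))
    return sorted(findings)


if __name__ == "__main__":
    for category, user, host in account_findings(parse_logons(SAMPLE_LOGONS)):
        print(f"{category:28} {user:12} {host}")
```

A batch or service logon by `svc_backup` is its expected use and stays silent; the same account opening an RDP session is the "service accounts used for unrelated purposes" finding. The join only works if the HR feed actually reaches security operations, which is the slide's second recommendation.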
36. 7. Security Architecture
Hypothesis: Event logs provide information needed to validate control effectiveness
Discovery:
• Non-security specific appliances with disabled security functionality
• Ex. Cisco ASA scan detection disabled
• Security specific appliances improperly placed
• Bro NSM placed post-proxy, post-NAT
Recommendation:
• Evaluate IT systems for security value (non-traditional security appliances)
• Ex. Network devices
• Modify configuration and placement of systems to meet requirements
37. 8. Process Execution
Hypothesis: Endpoints only execute processes required for business functions
Discovery:
• Obfuscated PowerShell execution
• Mimikatz and other persistence toolkit execution
• Suspicious filenames/paths/registry entries, etc.
• Users installing browser toolbars and miscellaneous adware/spyware
Recommendation:
• Call the IR Team :)
• Adjust detections / controls to rapidly detect and prevent future occurrences
38. 9. DNS
Hypothesis: DNS resolutions occur within the bounds of best practices
Discovery:
• "Weird" protocol deviations/padded packets suggesting exfil or C&C
• Uncontrolled resolutions that are not forced through corporate infrastructure
• Resolutions for unusual or risky domains
• Ex. Dynamic DNS domains, domains appearing to be algorithmically generated
• Initial resolutions for suspicious domains + subsequent unusual communication
Recommendation:
• Harden organizational DNS infrastructure
• Ex. Implement DNSSEC, prevent zone transfers, etc.
• Configure perimeter devices to only accept DNS requests from corporate DNS
• Implement protocol anomaly detection to identify protocol misuse
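As an added example (not from the original deck), the three discovery items that can be tested from resolver logs alone: queries sent to anything other than the corporate resolvers, resolutions under dynamic DNS suffixes, and names whose registrable label looks algorithmically generated (long, high Shannon entropy, few vowels). The log format, resolver addresses, sample queries, the dynamic DNS suffix list (placeholders under `.test`, not real providers) and the scoring thresholds are all constructed.

```python
"""DNS hunt: resolver bypass, dynamic DNS and DGA-like names.
Added example, not from the original talk; all addresses, suffixes and data are constructed."""
import math
from collections import Counter

CORPORATE_RESOLVERS = {"10.0.0.53", "10.0.1.53"}                       # hypothetical
DYNAMIC_DNS_SUFFIXES = ("dyndns-example.test", "no-ip-example.test")  # placeholders

# Constructed DNS log lines: client_ip resolver_ip qname
SAMPLE_DNS_LOG = """\
10.20.1.5 10.0.0.53 www.example.test
10.20.1.5 10.0.0.53 mail.example.test
10.20.1.7 8.8.8.8 www.example.test
10.20.1.9 10.0.1.53 host42.dyndns-example.test
10.20.1.9 10.0.1.53 xk3p9q2zv7lm4wd.test
10.20.1.9 10.0.1.53 rt0ahbq8ydclu6e1.test
10.20.1.11 10.0.0.53 intranet.corp.test
"""


def shannon_entropy(s):
    """Bits per character; random-looking labels score near log2(len(s))."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Label left of the public suffix. Simplification: the suffix is assumed
    to be a single label (e.g. '.test'); real data needs a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_like(qname, min_len=12, min_entropy=3.5, max_vowel_ratio=0.3):
    """Heuristic: a long registrable label with high entropy and few vowels."""
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    return shannon_entropy(label) >= min_entropy and vowels / len(label) < max_vowel_ratio


def dns_findings(text):
    """Return (category, client_ip, qname) findings in log order."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, resolver, qname = parts
        if resolver not in CORPORATE_RESOLVERS:
            findings.append(("resolver-bypass", client, qname))
        if qname.endswith(DYNAMIC_DNS_SUFFIXES):
            findings.append(("dynamic-dns", client, qname))
        if dga_like(qname):
            findings.append(("dga-like", client, qname))
    return findings


if __name__ == "__main__":
    for category, client, qname in dns_findings(SAMPLE_DNS_LOG):
        print(f"{category:16} {client:12} {qname}")
```

The resolver-bypass finding is only visible if perimeter or NetFlow data captures DNS that never reached the corporate resolvers, which is why the recommendation pairs the detection with the "only accept DNS from corporate DNS" perimeter rule. The entropy heuristic is a triage filter, not a classifier; CDN and cloud hostnames also score high, so the hits belong in the enrichment step before anyone escalates.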
40. Ensuring Successful Outcomes
• Goals
• Reduce attack surface
• Harden the environment
• Improve detection and monitoring
• Don't bother hunting without using the outputs!
• Lessons Learned / AAR
• Feedback loop on IR processes
• Create new or improve existing detections
• Metrics
• Cannot improve what is not measured
• The absence of something is still something
• Most metrics will trend upwards before they come down
• 'Time to Detect' and other metrics will trend downward over time
41. Hunt Methodology: From Art to Science
Begin evolution from intuitive art to a more rigorously structured science
43. Resources
FireEye Threat Analytics Platform: Hunting at Scale
https://www.fireeye.com/products/threat-analytics-platform.html
MITRE: Adversarial Tactics, Techniques & Common Knowledge
https://attack.mitre.org
The Threat Hunting Project: Compendium of useful resources
http://www.threathunting.net
Loggly: Helpful logging guidelines
https://www.loggly.com/intro-to-log-management
Security Onion: Peel back the layers of your network
https://securityonion.net