1. Information Security may seem like a daunting task for SMBs, but if you do some basic things and know when to seek help, you can succeed!
Michael Gough – Founder
MalwareArchaeology.com
2. Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I am the one you call when $*!+ hits the fan
• I love logs – they tell us Who, What, Where, When and hopefully How
• Creator of the “Windows Logging Cheat Sheet”
• Creator of the “Malware Management Framework”
• @HackerHurricane, also my Blog
3. Goal
• Interaction – Don’t be a Ding Dong and NOT ask a question… you WILL be rewarded
• Learn some basics
• Top 10 things everyone must do well
4. Why listen to me
• We discovered this May 2012
• Met with the Feds ;-)
8. Recovery – Your Backups
• No matter what might happen – a hardware failure, theft, natural disaster, hackers with malware, or worse, a breach – recovery is your #1 goal
• This means backups are key to your continued success
• Organize the software you use and the data you have, as that will aid in recovery IF, I mean WHEN, something bad happens
• Why? Because malware is software, and you usually do not know it is on your system until something bad happens, AV goes off, or someone (the suits) calls you and tells you that you have been breached. ;-(
9. Backups
• For desktops, data should be stored on a server that is backed up
• If you must store data on your desktop or laptop, then use a backup solution like Carbonite
• Have your IT person, people or consultant validate that the solution is working
• Some solutions offer a boot disk to recover the entire system, OS and data
• But how do you know when your system went bad? Which backup do you recover the OS from? What if it was infected for weeks?
• This is why I prefer and recommend rebuilding the OS and applications from scratch and then restoring your data.
11. Rebuild a system quickly
• Backups have your data
• But the PC, Mac or Server OS needs to be built from scratch
• Instructions, steps, special configurations
• Make it easier for your IT person, people or consultant helping your organization to rebuild a dead or hacked system as fast as possible
• Documentation for fast recovery is key
12. Rebuilding is a good thing
• It is the ONLY way you know your system is 100% clean!
• Malware is written well enough to operate without detection for days, weeks or months
• I rebuild my PCs once or more per year
• Patching takes the longest: it takes me 2 hours to get up and running, and 24 hours to finish patching
• Restoring a backup of an OS will take about an hour, give or take, but how do you know it is clean?
13. Step 3
Data and OS should be separate
14. Your Data and OS should not mix
• One of the worst things I see is people storing data on the same drive as their operating system
• If you want easier backups, keep data on a drive that does NOT contain the operating system; that makes it easier to rebuild a system and restore data
• Only the OS and applications should be on the drive that boots the operating system
• I prefer using a server share for your data that gets backed up, but we have laptops with one drive, so partition it into two parts: OS and Data
15. Your data and OS should not mix
• If you don’t use it, uninstall it
• Less is more as far as Apps
• Only install what you need, and take an inventory
• Please don’t store data in My Documents ;-(
– User space is the first to be hit in a RansomWare event
18. You are just a user
• PLEASE… Don’t run as Administrator
• “But I have an application that must run as Admin…” Fine, there is “Run As Administrator” for this; enter those credentials as needed
• IF you have to because of a poorly written or old application, then NO SURFING THE INTERNET !!!! Or opening email attachments! Consider isolating this system
• 90% of vulnerabilities will fail exploitation if you are a General User
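The slide draws a line between the everyday account you browse and read mail with and the one program that genuinely needs “Run As Administrator”. The script below is an added example, not code from the deck or from Malware Archaeology: it reports which side of that line the current session is on (a member of the Administrators group is not the same as a process that is actually elevated once UAC filters the token), and shows the slide's answer for a legacy program, launching just that program elevated. It assumes Windows 7 or later with PowerShell 2.0 or newer; the application path is a placeholder of mine, not one the deck names.

```powershell
# Added example (not from the slides): am I "just a user" in this session?
# Assumption (mine): Windows 7+ with PowerShell 2.0+; $legacyApp is a placeholder path.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

# True only when this process holds a full (elevated) administrator token.
$elevated = $principal.IsInRole($adminRole)

# Is the account a member of the local Administrators group at all?
# With UAC on, a member's normal session gets a filtered token, so IsInRole
# reports $false even though the account can elevate; the group membership
# check catches that case. S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
$isAdminUser = $identity.Groups -contains 'S-1-5-32-544'

"Account:            $($identity.Name)"
"Member of Admins:   $isAdminUser"
"Elevated right now: $elevated"

if ($elevated) {
    Write-Warning 'Anything you open from this session (browser, attachments) runs as Administrator.'
} elseif ($isAdminUser) {
    'Admin account, but running with a filtered token: a UAC prompt stands between you and elevation.'
} else {
    'Plain user account: this is the setup the slide asks for.'
}

# The slide's answer for the one legacy program that must have admin rights:
# launch only that program elevated (UAC prompts for credentials) and stay a
# plain user for everything else.
$legacyApp = 'C:\Program Files\ExampleVendor\LegacyApp.exe'   # placeholder, not a real product
if (Test-Path $legacyApp) {
    Start-Process -FilePath $legacyApp -Verb RunAs
}
```

Run it from the account you use day to day, not from an elevated console, or the first check will naturally come back true.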
20. Patching is crucial
• Windows and Apple can auto update
• PLEASE make sure this is happening
• Let it interrupt your day
• Do NOT fall behind
• Malware takes advantage of what we call “ZERO DAY” or “0-Day” vulnerabilities; patching breaks their exploit within 2 weeks of discovery, and your patches come monthly!
22. Anti-Virus is useful
• Everyone should know that Anti-Virus is no longer what it used to be
• But it does catch older (1 year+) emailed malware or older malware found on compromised websites
• It does NOT do a good job on newly crafted Phishing Email SPAM campaigns or newly compromised websites
• So don’t spend a lot on this; free solutions are almost as good as paid solutions
• Windows Security Essentials (Windows 7 – Free)
• Windows Defender (Windows 8 – Free)
• Sophos (Mac OS – Free)
• Install only ONE AV solution
• Do not install Anti-Spyware or other “Fear-ware” prevention
• Stick to the big names
24. Update your Apps
• Malwarians (the hackers) pick on your apps as a way in
• Keep them up to date!
• Install Secunia Personal Software Inspector (PSI), or the paid version for business
• Better yet, do NOT use applications that are exploited regularly
• Any guesses?
25. Update your Apps
• Adobe anything – Bad
– Use FoxIT, Sumatra or another PDF Reader
– If required (QuickBooks), install Adobe Reader, then install FoxIT and make it your default PDF reader
– Adobe Flash is built in to Chrome
• Java – Bad
– Disable Java in your browser
• Anything that is Browser launched or email attachment launched will be exploited!
• Don’t use Internet Explorer !!! Use Chrome and/or Firefox or Safari
27. Better Browser
• Firefox – Use Security Plugins
– NoScript (blocks scripting on websites)
– Ad Block (blocks ads used to spread malware)
– Web of Trust (gives you an idea of good and bad websites when you search)
• Chrome – Use Security plugins
– Script Block (blocks scripting on websites)
– Ad Block (blocks ads used to spread malware)
– Web of Trust (gives you an idea of good and bad websites when you search)
• Safari – For Mac lovers
– Firefox and Chrome too; the same as above applies
29. Passwords are evil
• Strong passwords
• What do you think?
• Long and random
– How long?
– But I can’t remember them?
– There are so many accounts…
• Password Managers are incredible !!!
– LastPass is my favorite
– Store all your passwords
– NEVER store them in your browser!
• Use 2-Factor authentication (Google Authenticator or a Yubikey)
31. Bookmarks
• You need to save websites you visit often
• LastPass will do most of this for you, not just ones with passwords
• Another item that gets lost when your system crashes or is replaced
• Remember that first goal?
• Xmarks will synchronize your bookmarks to the Internet so you can easily restore them on rebuild. Just a plugin to your browser
33. Verizon DBIR – Top Remediation items
34. What if you are big enough for in house infrastructure?
• Outsource these functions
– Email
– Email protection
– Web Surfing protection
– Endpoint protection (Malware detection and prevention)
• Use a consultant to set these up; less for you to maintain
• Think about the data you are storing with cloud services (ADP, Salesforce, Amazon, Google) and use ones that are trustworthy and well known
35. Use the Security features the OS has
• Whitelisting
– Windows – Software Policy Restrictions
– Windows Ultimate or Enterprise – AppLocker
• Logging
– Can do SO much to detect bad things; needs to be enabled and configured
– Splunk #1
– Loggly #2
– You outsource this unless you have staff
– #1 thing I will ask for and do if you need someone like me
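“Needs to be enabled and configured” has a concrete starting point on any Windows box, before any Splunk or Loggly is involved. The script below is an added example, not from the deck and not one of Malware Archaeology's own tools: it turns on the audit subcategories behind the events most worth alerting on (process creation, logon/logoff, account and group changes, audit policy changes), records the command line with each process-creation event, enlarges the Security log so the evidence survives until someone collects it, reads back the newest events to prove the pipeline works, and finally reports whether an AppLocker policy is in force for the whitelisting point. It assumes an elevated PowerShell on Windows 7 / Server 2008 R2 or later and the English subcategory names that `auditpol /list /subcategory:*` prints; the 256 MB log size is my choice, not a number from the slides.

```powershell
# Added example (not from the slides): enable the Windows audit logging the slide
# says "needs to be enabled and configured", then confirm it is producing events.
# Assumptions (mine): elevated PowerShell on Windows 7 / Server 2008 R2 or later;
# English subcategory names; 256 MB log size is a chosen value, not the deck's.

$ErrorActionPreference = 'Stop'

$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run As Administrator) PowerShell.'
}

# 1. Audit subcategories behind the events most worth alerting on: process creation
#    (4688), logon/logoff (4624/4634/4647), account and group changes (e.g. 4720, 4732),
#    and changes to the audit policy itself (4719).
$subcategories = @(
    'Process Creation',
    'Logon',
    'Logoff',
    'User Account Management',
    'Security Group Management',
    'Audit Policy Change'
)
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$sub'" }
}

# 2. Include the command line in every 4688 event. Built in on Windows 8.1 /
#    Server 2012 R2 and later; Windows 7 / 2008 R2 / 8 / 2012 need update KB3004375 first.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. The default 20 MB Security log wraps within hours once process auditing is on;
#    size it so the evidence is still there when someone looks (256 MB here).
wevtutil set-log Security /maxsize:268435456 /retention:false
if ($LASTEXITCODE -ne 0) { throw 'wevtutil could not resize the Security log' }

# 4. Verify: the policy took effect, and events are actually arriving.
auditpol /get /subcategory:"Process Creation"

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ Name = 'NewProcess';  Expression = { $_.Properties[5].Value } },
        @{ Name = 'CommandLine'; Expression = { $_.Properties[8].Value } } |
    Format-Table -AutoSize

# 5. Whitelisting: is an AppLocker policy enforced? (Cmdlets exist on Ultimate/Enterprise SKUs.)
if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
    (Get-AppLockerPolicy -Effective).RuleCollections |
        Select-Object RuleCollectionType, EnforcementMode
} else {
    'AppLocker cmdlets not available on this edition; use Software Restriction Policies instead.'
}
```

The CommandLine column stays empty on systems that have not received the update in step 2; that blank column is itself the check that tells you the command-line logging is not yet in place. Whatever collector you end up with (Splunk, Loggly, or a consultant's choice) only ever sees what the local policy writes, so this step comes first.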
36. Safer Web Surfing
• OpenDNS
• Inexpensive way to reduce bad sites being visited
37. In Summary
• Ten things you CAN do to help reduce damage caused by one of many outages
• Know when to ask for help implementing these items by asking your IT person, people or consultant to do these often and well
• All these items are basically FREE or very low cost, and yes, people time
• You don’t need to pay me to delete malware on a PC or two; just rebuild them and move on at the speed of business
38. Resources
• My Website
– MalwareArchaeology.com
• This presentation
– SlideShare.com – Search for Malware Archaeology
• Attend training or a conference
– BSides – SecurityBSides.org
39. Questions?
• You can find me at:
• @HackerHurricane
• MalwareArchaeologist.com
• HackerHurricane.com