The document discusses the ATT&CK framework, highlighting the use of the ATT&CK data sources to improve security analytics and validation. It emphasizes various projects such as the ATT&CK Python client and the Mordor project, which simulate adversarial techniques with pre-recorded security events. Collaboration and opportunities for data source improvements are also explored, alongside recommendations for validating data analytics in security environments.

1. Ready to ATT&CK?
Bring Your Own Data
(BYOD) and Validate Your
Data Analytics!
1

2. @Cyb3rWard0g & @Cyb3rPandaH
● Projects
○ @HunterPlaybook
○ @THE_HELK
○ ATTACK-Python-Client
○ @OSSEM_Project
○ @Mordor_Project
○ OpenHunt
○ Blacksmith & More
● Founders:
○ @HuntersForge
2https://github.com/hunters-forge

3. Agenda
● Explore ATT&CK
● 2018 -> 2019
● ATT&CK Data Sources Opportunities
● Enter Mordor
● Mordor & CAR
● CAR & Threat Hunter Playbook (Notebooks)
● Hunters Forge!
3

4. Explore ATT&CK
How do I query ATT&CK?
4

5. Exploring ATT&CK Metadata!
5

6. How do I access ATT&CK Metadata?
6

7. ATTACK-Python-Client Github Project
● A Python module to access up to date ATT&CK content available in
STIX via public TAXII server. It leverages cti-python-stix2 and cti-
taxii-client python libraries developed by MITRE.
● Goals
○ Allow the integration of ATT&CK content with other platforms
○ Allow security analysts to quickly explore ATT&CK content and
apply it in their daily operations
○ Explore all available ATT&CK metadata at once
○ Learn STIX2 and TAXII Client Python libraries
https://github.com/hunters-forge/ATTACK-Python-Client 7

8. ATTACK-Python-Client Installation
● Via PIP: pip install attackcti
● Or Straight from Source
○ git clone
https://github.com/hunters-
forge/ATTACK-Python-Client
○ cd ATTACK-Python-Client
○ pip install .
● Jupyter Notebooks Available
○ pip install -r requirements.txt
○ cd notebooks
○ jupyter lab
https://github.com/hunters-forge/ATTACK-Python-Client 8

9. Some Available Functions
9https://attackcti.readthedocs.io/en/latest/attackcti_functions.html

10. ATT&CK Metadata - Jupyter Notebook
https://github.com/hunters-forge/ATTACK-Python-Client/tree/master/notebooks 10

11. Explore ATT&CK
Querying ATT&CK 101
11

12. 12

13. 13

14. Explore ATT&CK
Any New Data Sources?
14

15. ATT&CK Techniques (519) and Data Sources
● Almost 51% of techniques have data
sources defined
● Around 49% of techniques do NOT
have data sources defined
● Pre-ATT&CK data sources maybe?
● Opportunities to collaborate and
define those without data sources?
https://github.com/hunters-forge/ATTACK-Python-Client/blob/master/notebooks/ATT%26CK_DataSources.ipynb 15

16. ATT&CK Techniques (519) and Data Sources
16https://github.com/hunters-forge/ATTACK-Python-Client/blob/master/notebooks/ATT%26CK_DataSources.ipynb

17. Looking for anything to do this weekend?
17https://github.com/hunters-forge/ATTACK-Python-Client/blob/master/notebooks/ATT%26CK_DataSources.ipynb

18. ATT&CK Techniques with Data Sources (265)
18
Process Monitoring:
178 TechniquesFile Monitoring:
107 Techniques
Process Command
Line: 103 Techniques
https://github.com/hunters-forge/ATTACK-Python-Client/blob/master/notebooks/ATT%26CK_DataSources.ipynb

19. ATT&CKing with the right
data
ATT&CKcon 2018 Talk!
19

20. Credentials in Registry -> DS -> Sub-DS -> Events
20
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
Process Creation
Process created Process
Process Write To Process
Process Process
Process Access
Process Process
Security
4688
Sysmon
1
Security
4689
Sysmon
8
Sysmon
10
Process Termination
User terminated Process
wrote_to
accessed
https://www.youtube.com/watch?v=QCDBjFJ_C3g

21. ATT&CK Data (OSSEM-> attack_data_sources)
https://github.com/hunters-forge/OSSEM 21

22. A lot more to do..
Going deeper!
22

23. API-To-Event Project (Windows Security)
https://github.com/hunters-forge/API-To-Event 23

24. Security
https://github.com/hunters-forge/API-To-Event 24

25. API-To-Event Project (Windows Sysmon)
https://github.com/hunters-forge/API-To-Event 25

26. Sysmon
https://github.com/hunters-forge/API-To-Event 26

27. A few opportunities!
Exploring Data Sources 2.0!
27

28. A few opportunities..
● ATT&CK Data sources covered by other data sources
● Windows Event Logs data source is too broad!
● ATT&CK data sources and the wrong platforms!
● Validation of ATT&CK data sources
recommendations
○ What specific event logs per data source?
28

29. A few opportunities!
● ATT&CK Data sources covered by other data sources
● Windows Event Logs data source is too broad!
29

30. Credentials in Registry - Windows Registry
30https://www.youtube.com/watch?v=QCDBjFJ_C3g
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
Registry Creation
Process created Registry
Registry Modification
Process Registry
Registry Access
Process Registry
Sysmon
12
Sysmon
12
Security
4663
Security
4657
Security
4663
Registry Deletion
Process deleted Registry
modified
accessed
Sysmon
13

31. Windows Registry & Windows Security Event Logs?
31https://www.youtube.com/watch?v=QCDBjFJ_C3g
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
Registry Creation
Process created Registry
Registry Modification
Process Registry
Registry Access
Process Registry
Sysmon
12
Sysmon
12
Security
4663
Security
4657
Security
4663
Registry Deletion
Process deleted Registry
modified
accessed
Sysmon
13

32. ATT&CK Techniques with Data Sources (265)
32
Process Monitoring:
178 TechniquesFile Monitoring:
107 Techniques
Process Command
Line: 103 Techniques
https://github.com/hunters-forge/ATTACK-Python-Client/blob/master/notebooks/ATT%26CK_DataSources.ipynb

33. ATT&CK Techniques with Data Sources (265)
33
Process Monitoring:
178 TechniquesFile Monitoring:
107 Techniques
Process Command
Line: 103 Techniques
https://github.com/hunters-forge/ATTACK-Python-Client/blob/master/notebooks/ATT%26CK_DataSources.ipynb
Windows Event Logs

34. Windows Event Logs … a Universe Behind?
34https://www.youtube.com/watch?v=QCDBjFJ_C3g
Windows
Event Logs
4656
4657
4658
4660
4670
4663
4741
4742
4743
4776
4768
4771
4769
4770
5144
5140
5143
5142

35. Windows Event Logs
35
Windows
Event Logs
4656
https://www.youtube.com/watch?v=QCDBjFJ_C3g
4657
4658
4660
4670
4663
Audit Registry
Win Registry Deletion Request
Win Registry Key Value Modification
Win Registry Access Request
Win Registry Key Handle Closed
Win Registry Key Deletion
Win Registry Key Permissions Change
Win Registry Key Access
Win Registry Key Deletion
Audit
Computer
Account
Management
4741
4742
4743
Computer Account Creation
Computer Account Change
Computer Account Deletion

36. Windows Event Logs
36
Windows
Event Logs
4656
https://www.youtube.com/watch?v=QCDBjFJ_C3g
4657
4658
4660
4670
4663
Audit Registry
Win Registry Deletion Request
Win Registry Key Value Modification
Win Registry Access Request
Win Registry Key Handle Closed
Win Registry Key Deletion
Win Registry Key Permissions Change
Win Registry Key Access
Win Registry Key Deletion
Audit
Computer
Account
Management
4741
4742
4743
Computer Account Creation
Computer Account Change
Computer Account Deletion

37. Windows Event Logs
37
Windows
Event Logs
4656
https://www.youtube.com/watch?v=QCDBjFJ_C3g
4657
4658
4660
4670
4663
Audit Registry
Win Registry Deletion Request
Win Registry Key Value Modification
Win Registry Access Request
Win Registry Key Handle Closed
Win Registry Key Deletion
Win Registry Key Permissions Change
Win Registry Key Access
Win Registry Key Deletion

38. Windows Event Log 4656: A handle to an object was requested
38https://www.youtube.com/watch?v=QCDBjFJ_C3g
Windows
Registry
4656
Audit Registry
Audit File System
Win Registry Deletion Request
Win Registry Access Request
File Monitoring
File Deletion Request
File Access Request

39. Windows Event Log 4657: A registry value was modified
39https://www.youtube.com/watch?v=QCDBjFJ_C3g
Windows
Registry
4656
Audit Registry
Audit File System
Win Registry Deletion Request
Win Registry Access Request
File Monitoring
File Deletion Request
File Access Request
Windows
Registry
4657 Audit Registry Win Registry Key Value Modification

40. Windows Event Log 4658: The handle to an object was closed
40https://www.youtube.com/watch?v=QCDBjFJ_C3g
Windows
Registry
4656
Audit Registry
Audit File System
Win Registry Deletion Request
Win Registry Access Request
File Monitoring
File Deletion Request
File Access Request
File Monitoring4658 Audit File System File Handle Closed
Windows
Registry
4657 Audit Registry Win Registry Key Value Modification

41. Currently collaborating with ATT&CK team..
41

42. A few opportunities!
ATT&CK data sources and the wrong platforms!
42

43. ATT&CK Windows Data Sources & Platform (2019)
43https://github.com/hunters-forge/ATTACK-Python-Client/blob/master/notebooks/ATT%26CK_DataSources.ipynb

44. A few opportunities!
● Validation of ATT&CK data sources recommendations
○ What specific event logs per data source?
44

45. Credentials in Registry - Windows Registry
45https://www.youtube.com/watch?v=QCDBjFJ_C3g
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
Security
4656
Security
4657
Security
4658
Security
4660
Security
4670
Security
4663
Win Registry Deletion Request
Win Registry Key Value Modification
Win Registry Access Request
Win Registry Key Handle Closed
Win Registry Key Permissions Change
Win Registry Key Deletion
Win Registry Key Access
Sysmon
12
Sysmon
13

46. Wait! Where is all this happening so far?
46

47. Data Analytics Development (Example)
47
Define a Research
Goal
Simulate
Adversary
Define Detection
Model
Validate Detection
Model
Document and
Communicate
Findings
Model Data
https://www.youtube.com/watch?v=DuUF-zXUzPs

48. Data Analytics Development (Example)
48
Define a Research
Goal
Simulate
Adversary
Define Detection
Model
Validate Detection
Model
Document and
Communicate
Findings
Model Data
https://www.youtube.com/watch?v=DuUF-zXUzPs

49. How do we validate our data recommendations?
49

50. Data Analytics Development (Example)
50
Define a Research
Goal
Simulate
Adversary
Define Detection
Model
Validate Detection
Model
Document and
Communicate
Findings
Model Data
https://www.youtube.com/watch?v=DuUF-zXUzPs

51. More than just testing security controls!
51
Simulate
Adversary
Test Security
Controls
Model Adversary
Behavior
● Endpoint Agent Detection
● Analytics Platform Rules
● Can I see it in my environment?
● Learn adversary behavior
● Map data sources to adversary actions
● Study derived techniques

52. A basic adversary simulation flow!
52https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1571754303.pdf
Plan Engagement Emulate Adversary
Collect & Analyze
Data
Can I
see it?
Enable
Telemetry
No Document Results
Yes

53. What do we need for Credentials in Registry?
53https://attack.mitre.org/techniques/T1214/

54. What do we need for Credentials in Registry?
54https://attack.mitre.org/techniques/T1214/

55. What else do we need for Credentials in Registry?
55
● Windows Registry?
○ Enable Audit Object Access > Audit Registry
● Process Monitoring?
○ Enable Audit Detailed Tracking > Audit Process Creation
● Process Command-line Parameters?
○ Enable Administrative TemplatesSystemAudit Process
Creation > Include command line in process creation
events

56. What else do we need for Credentials in Registry?
56https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
● Windows Registry?
○ Enable Audit Object Access > Audit Registry
○ Set Audit Rule to trigger event!
● Process Monitoring?
○ Enable Audit Detailed Tracking > Audit Process Creation
● Process Command-line Parameters?
○ Enable Administrative TemplatesSystemAudit Process
Creation > Include command line in process creation
events

57. What else do we need for Credentials in Registry?
57https://github.com/hunters-forge/Blacksmith/blob/master/aws/mordor/cfn-files/scripts/default/Join-Domain.ps1#L37-L49
● What are we testing?
○ Available default automatic logon user Settings!!
Set-ItemProperty "HKLM:SOFTWAREMicrosoftWindows NTCurrentVersionWinlogon" -
Name AutoAdminLogon -Value 1
Set-ItemProperty "HKLM:SOFTWAREMicrosoftWindows NTCurrentVersionWinlogon" -
Name DefaultUserName -Value pgustavo
Set-ItemProperty "HKLM:SOFTWAREMicrosoftWindows NTCurrentVersionWinlogon" -
Name DefaultPassword -Value W1n1!2019

58. What else do we need for Credentials in Registry?
58https://github.com/hunters-forge/Set-AuditRule/blob/master/registry/default_logon_user.md
● Set Audit Rule! How?
○ Download https://github.com/hunters-forge/Set-AuditRule
○ Import-module Set-AuditRule.ps1
○ Set-AuditRule -RegistryPath
"HKLM:SOFTWAREMicrosoftWindows
NTCurrentVersionWinlogon" -IdentityReference Everyone -
Rights QueryValues -InheritanceFlags None -PropagationFlags
None -AuditFlags Success

59. What else do we need for Credentials in Registry?
59
● Testing Commands?
○ reg query "HKLMSOFTWAREMicrosoftWindows
NTCurrentVersionWinlogon" /f password /t REG_SZ
/s

60. What about technique variations?
60

61. What else do we need for Credentials in Registry?
61
● Testing Commands?
○ reg query "HKLMSOFTWAREMicrosoftWindows
NTCurrentVersionWinlogon" /f password /t REG_SZ
/s
○ Get-ItemProperty -Path
"HKLM:SOFTWAREMicrosoftWindows
NTCurrentVersionWinlogon" -Name *password*
○ C#, Python, etc!

62. Are we ready?
62

63. We need an environment setup.. working!
63

64. Execute -> Collect -> Analyze -> Repeat
64
Model Adversary
Behavior
Test Security
Controls
Data produced
Simulating Adversarial
Technique

65. Same Technique + Some Variations
65
Model Adversary
Behavior
Test Security
Controls
Data produced

66. Credentials in Registry Data Mapping
66
Process
Registry
Key Value
Queried

67. Credentials in Registry Data Mapping
67
Process
Registry
Key Value
Queried
EVENT ID TASK
4688 Process Creation
4673 Sensitive Privilege Use
4656 Registry (Request Handle)
4690 Handle Manipulation
4663 Registry (Access)
4658 Registry (Closing Handle)
4689 Process Termination

68. Credentials in Registry Data Mapping
68
Process
Registry
Key Value
Queried
EVENT ID TASK
4688 Process Creation
4673 Sensitive Privilege Use
4656 Registry (Request Handle)
4690 Handle Manipulation
4663 Registry (Access)
4658 Registry (Closing Handle)
4689 Process Termination
Process Monitoring
Process Command-Line
Parameters
Windows Registry
Process Monitoring

69. Credentials in Registry - Windows Registry
69https://www.youtube.com/watch?v=QCDBjFJ_C3g
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
Security
4656
Security
4657
Security
4658
Security
4660
Security
4670
Security
4663
Win Registry Deletion Request
Win Registry Key Value Modification
Win Registry Access Request
Win Registry Key Handle Closed
Win Registry Key Permissions Change
Win Registry Key Deletion
Win Registry Key Access
Sysmon
12
Sysmon
13

70. Credentials in Registry - Windows Registry
70https://www.youtube.com/watch?v=QCDBjFJ_C3g
T1214
Windows
Registry
Process
Monitoring
Process
Command-Line
Parameters
Security
4656
Security
4657
Security
4658
Security
4660
Security
4670
Security
4663
Win Registry Deletion Request
Win Registry Key Value Modification
Win Registry Access Request
Win Registry Key Handle Closed
Win Registry Key Permissions Change
Win Registry Key Deletion
Win Registry Key Access
Sysmon
12
Sysmon
13

71. Spending +time producing data & -time analyzing
71
Model Adversary
Behavior
Test Security
Controls
Data produced
Takes Time!
Similar Events?

72. Same Technique + Some Variations
72
Model Adversary
Behavior
Test Security
ControlsEVENT ID TASK
4688 Process Creation
4673 Sensitive Privilege Use
4656 Registry (Request Handle)
4690 Handle Manipulation
4663 Registry (Access)
4658 Registry (Closing Handle)
4689 Process Termination

73. We might be all doing this..
73

74. We might be doing this over and over..
74

75. What if we share our datasets?
75

76. From Zero to Data Analytics Validation!
76

77. Enter Mordor
77

78. Mordor Project @Mordor_Project
● Pre-recorded security events generated by
simulated adversarial techniques in the form
of JavaScript Object Notation (JSON)
● Pre-recorded data categorized by platforms,
adversary groups, tactics and techniques
defined by the Mitre ATT&CK Framework.
● Data represents not only specific known
malicious events but additional
context/events that occur around it.
78https://github.com/Cyb3rWard0g/mordor

79. Mordor Standard Environments
● Environment designed to replicate a small research network
● Standardized and documented setup
● Platforms
○ Windows
○ Linux
● Endpoints Telemetry
○ Windows Security Auditing
○ Event Tracing for Windows (ETW) (NEW!!)
● Network Telemetry
○ Network Logs
● Environments Available: Shire and Erebor
79https://mordor.readthedocs.io/en/latest/index.html

80. Mordor Environments: The Shire
80

81. The Shire Design
81

82. The Shire Telemetry: Win Logs & Sysmon
82https://github.com/Cyb3rWard0g/OSSEM/tree/master/data_dictionaries/windows/sysmon

83. The Shire: Event Log -> WEC -> HELK
83https://mordor.readthedocs.io/en/latest/mordor_shire.html#

84. Mordor Environments: Erebor (Lonely Mountain)
84

85. Erebor Design
85

86. Erebor Telemetry: ETW Events via SilkETW
86https://medium.com/threat-hunters-forge/threat-hunting-with-etw-events-and-helk-part-1-installing-silketw-6eb74815e4a0

87. Erebor: ETW Events -> Event Log -> WEC -> HELK
87

88. How do you collect data?
● We use Kafkacat!
● kafkacat is a generic non-JVM producer and consumer for Apache Kafka
>=0.8, think of it as a netcat for Kafka.
● In consumer mode
○ Kafkacat reads messages from a topic and prints them to standard output
(stdout). You can also redirect it to a file (i.e. JSON)
● In producer mode
○ Kafkacat reads messages from standard input (stdin). You can also send data to
kafkacat by adding data from a file.
88https://github.com/edenhill/kafkacat

89. Consuming Data (Taking a snapshot of data)
89https://mordor.readthedocs.io/en/latest/export_mordor.html
$ kafkacat -b <Kafka-IP>:9092 -t
<kafka-Topic> -C -o end > file.json
● -b : Kafka broker
● -t : Topic to consume from
● -C : Consumer Mode
● -o : Offset to start consuming from

90. Consuming Data -> Creating Mordor File (Video)
90https://mordor.readthedocs.io/en/latest/export_mordor.html

91. Consuming Data -> Creating Mordor File (Demo 02)
91https://mordor.readthedocs.io/en/latest/export_mordor.html

92. Producing Data (Injecting Adversary Dataset)
92

93. Producing Data (Injecting Adversary Dataset)
93https://mordor.readthedocs.io/en/latest/import_mordor.html
$ kafkacat -b <Kafka-IP>:9092 -t
<kafka-Topic> -P -l file.json
● -b : Kafka broker
● -t : Topic to produce to
● -P : Producer Mode
● -l : Send messages from a file

94. I just want to download all the datasets..
94
$ git clone https://github.com/hunters-
forge/mordor.git
$ cd mordor/small_datasets/
$ find . -type f -name "*.tar.gz" -print0
| sudo xargs -0 -I{} tar xf {} -C .

95. Expedite Analytics Validation!
95https://github.com/hunters-forge/mordor
Model Adversary
Behavior
Test Security
Controls
Data produced
YOU CAN DO IT NOW!

96. Validate Analytics!
96
Mordor File
Validate Analytics
2 + 2 = 4

97. Where do we get analytics from?
97

98. I have data with me and I am ready!
98

99. Mordor & CAR
The MITRE Cyber Analytics Repository (CAR)!
99

100. CAR-2019-08-001: Credential Dumping via Windows Task Manager
● The Windows Task Manager may be used to dump the memory space of
lsass.exe to disk for processing with a credential access tool such as
Mimikatz. This is performed by launching Task Manager as a privileged user,
selecting lsass.exe, and clicking “Create dump file”. This saves a dump file to
disk with a deterministic name that includes the name of the process being
dumped.
● This requires filesystem data to determine whether files have been created.
● Contributors: Tony Lambert/Red Canary
100https://car.mitre.org/analytics/CAR-2019-08-001/

101. But, How do I simulate that technique?
101

102. Interactive Task Manager Lsass dump (Demo 03)
102
https://github.com/hunters-
forge/mordor/blob/master/small_datasets/windows/credential_access/credential_dumping_T1003/interactive_taskmngr_ls

103. Interactive Task Manager Lsass dump (Demo 03)
103
https://github.com/hunters-
forge/mordor/blob/master/small_datasets/windows/credential_access/credential_dumping_T1003/interactive_taskmngr_ls

104. CAR-2019-08-001: Procdump - File Create (Pseudocode)
files = search File:Create
lsass_dump = filter files where (
file_name = "lsass*.dmp" and
image_path = "C:Windows*taskmgr.exe")
output lsass_dump
104https://car.mitre.org/analytics/CAR-2019-08-001/

105. But, where do I run that?
105

106. Enter Jupyter Notebooks
106

107. What are Jupyter Notebooks?
● Think of a notebook as a document that you can access via a web interface
that allows you to save:
○ Input (live code)
○ Output (evaluated code output)
○ Visualizations and narrative text (Tell the story!)
● Uses include:
○ Data cleaning and transformation
○ Statistical modeling
○ Data visualization
○ Machine learning, and much more
107https://jupyter.org/

108. How Do Jupyter Notebooks Work?
● Jupyter Notebooks work with what is called a two-process model based on
a kernel-client infrastructure.
● This model applies Read-Evaluate-Print Loop (REPL):
○ Takes a single user’s inputs
○ Evaluates them
○ Returns the result to the user
108https://jupyter.org/

109. Jupyter Notebooks Architecture
109https://jupyter.org/
WebSockets ZeroMQ
Notebook
File (json)
Client KernelJupyter Server
Jupyter Document

110. Mordor -> Jupyter Notebooks
CAR-2019-08-001: Credential Dumping via Windows Task
Manager
110

111. The ThreatHunter-Playbook @HunterPlaybook
● A Threat hunter's playbook to aid the
development of techniques and hypothesis for
hunting campaigns by leveraging security event
logs from diverse operating systems.
● It documents detection strategies in the form of
interactive notebooks to provide an easy and
flexible way to visualize the expected output and
be able to run the analytics against pre-
recorded mordor datasets
111https://github.com/hunters-forge/ThreatHunter-Playbook

112. OpenHunt Library
● Via PIP:
pip install openhunt
● Or Straight from Source
git clone
https://github.com/Cyb3rPanda/openhunt
cd OpenHunt && pip install .
112https://github.com/hunters-forge/openhunt

114. Is You Ready? haha
114

115. Hunt The Planet!
115

116. Threat Hunters Forge Community!
116

117. Threat Hunters Forge Slack Community!
117
https://launchpass.com/threathunting

118. Remember this initiative with Mordor?
118

119. What if everyone gets a notebook too?
119

120. Wait, Whaaat?
120

121. Wait, Whaaat?
121

122. The Binder Project
122
● The Binder Project is an open community that makes it
possible to create shareable, interactive, reproducible
environments.
● The main technical product that the community creates
is called BinderHub, and one deployment of a
BinderHub exists at mybinder.org.
● Who is it for?:
○ Researchers, Educators, people analyzing
data and people trying to communicate the
data analysis to others!!
https://mybinder.readthedocs.io/en/latest/introduction.html#what-is-the-binder-project

123. BinderHub
123
BinderHub connects several services together to provide on-the-fly creation and
registry of Docker images. It utilizes the following tools:
● A cloud provider such Google Cloud, Microsoft Azure, Amazon EC2, and others
● Kubernetes to manage resources on the cloud
● Helm to configure and control Kubernetes
● Docker to use containers that standardize computing environments
● A BinderHub UI that users can access to specify Git repos they want built
● BinderHub to generate Docker images using the URL of a Git repository
● A Docker registry (such as gcr.io) that hosts container images
● JupyterHub to deploy temporary containers for users
https://binderhub.readthedocs.io/en/latest/overview.html

124. Binder Design!
124
Repo2Docker Pod
https://github.com/repo
https://github.com/repo
Docker
Image
Exists?
No
Push
Image
Up to
date?
Yes
NoYes
Kubernetes
Cluster
Jupyter
Notebook Pod
Docker
Registry
https://binderhub.readthedocs.io/en/latest/overview.html#a-diagram-of-the-binderhub-architecture
Creates

125. Open Infrastructure for Open Hunts!
125https://github.com/hunters-forge/ThreatHunter-Playbook

126. Open Infrastructure for Open Hunts! (LIVE!)
https://mybinder.org/v2/gh/
hunters-forge/ThreatHunter-
Playbook/master
126

127. Threat Hunter Playbooks via Binder (Video)
127https://github.com/hunters-forge/ThreatHunter-Playbook

128. 128

129. Goal: Share and Empower the Community!
129

130. Let’s do it together!
130

131. Threat Hunters Forge References
● GitHub: https://github.com/hunters-forge
● Python Library: https://github.com/Cyb3rPanda/openhunt
● Slack Invitation: https://launchpass.com/threathunting
● Official Blog: https://medium.com/threat-hunters-forge
● Founders: @Cyb3rWard0g & @Cyb3rPandaH
● Official Twitter: @HuntersForge
● @HunterPlaybook
● @THE_HELK
● @OSSEM_Project, @Mordor_Project & More

132. Thank You! Muchas Gracias!
132