The modern web-scale network is a pretty complicated place. Modern techniques in systems management have made it trivial to create, destroy and repurpose any number of instance types. These instances can span the range from bare-metal machines sitting in a datacenter, to third-party virtual machines on demand, and now containers and microservices seem to be all the rage. Instances are cattle, no longer pets. All of this perpetual churn and flexibility is exactly what you want in a constantly changing, highly available, and efficient infrastructure. The ability to create or destroy nodes on demand, or to continuously and automatically scale up, scale down, and re-deploy applications as part of a continuous integration pipeline, has become a necessary and integral part of daily operations. However, these systems can generate terabytes of network logs a day. And if your job is detecting, correlating, and alerting on the correct anomaly in all that data, the analogy of the needle in the haystack really doesn’t do it justice; something closer would be finding a needle in a windstorm. How do you begin to collect, store, analyze, and alert on this much data without costing the company a small fortune? What are some practical steps you can take to reduce your overall risk and begin to gain more insight, visibility, and confidence into what is actually taking place on your network? This talk aims to give the attendee a solid understanding of the problem space, as well as recommendations and practical advice from someone who built their own ‘big data’ network and security monitor. It really is easier than it sounds.
Cybersecurity Fundamentals for Legal Professionals (Shawn Tuma)
Cybersecurity & Data Privacy Attorney Shawn Tuma delivered this presentation at the 55th Annual Conference on Intellectual Property Law at The Center for American and International Law on November 13, 2017.
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm (Shawn Tuma)
The #CyberAvengers' Paul Ferrillo (a/k/a Director Fury) and Shawn Tuma (a/k/a Hulk) presented at the Practical Cybersecurity Risk Management Strategies program of the New Jersey State Bar Association (NJSBA) Cybersecurity Institute on November 17, 2017. In this presentation, Fury and Hulk focused the core #CyberAvengers message of the real-life cybersecurity issues facing most companies -- the basics of good cyber hygiene -- and explained how artificial intelligence and machine learning will help companies do a better job at getting these right, along with how and why AI/ML play a critical role in the future of cybersecurity.
This talk will include an overview and demo of the Open Threat Exchange (OTX) and describe some of its information sources, including anonymous sharing from Open Source Security Information Management (OSSIM.) Jaime will share some of his experiences using OTX as a security researcher. He will also provide his thoughts on how OWASP members can benefit from security research and threat intelligence to "build in" security rather than constantly reacting.
From MITRE ATT&CKcon Power Hour November 2020
By Matt Snyder, Senior Threat Analytics Engineer, VMware
The market for Security products is flooded with vendors offering all sorts of solutions, and organizations are spending a record amount of money defending their environments. Nevertheless, an increasing number of breaches are reported each year, resulting in organizations spending millions of dollars to remediate them. The Security industry responds with more products, all offering to stop the next breach, and the cycle continues. In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020, Matt discusses what VMware is doing internally to address this fundamental flaw in the Security industry and how they are leveraging the MITRE ATT&CK framework to reshape how we think about security.
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and Resources (OWASP Delhi)
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 7th July.
Watch the webinar here - https://youtu.be/BQWcUjzxJE0
Have you been wondering how to start in mobile application security, more specifically iOS/Android application security? In this talk, I will try to answer some of the most common questions about getting started in mobile application security testing: what platform to choose, where to learn, good resources, hardware requirements, etc. I will also demo Mobexler, a mobile application penetration testing platform, and show how you can use it for pentesting both iOS and Android apps. This talk will be a mix of some demo and some knowledge.
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec... (APNIC)
APNIC Senior Security Specialist Adli Wahid provides some useful findings of lessons learned from security incidents at the UMS Cybersecurity Awareness Seminar, held online on 25 October 2021.
Jim Wojno: Incident Response - No Pain, No Gain! (centralohioissa)
Say incident response to 10 people and odds are you'll get 10 different opinions on how to do it right. When evaluating tools and procedures for enterprise Incident Response it's helpful to understand how to approach this in a way that will cause the adversary maximum pain. This talk will review the essential requirements for IR tools and procedures in a vendor / tool neutral approach. Find out the right questions to ask and the strategies to make sure you get the most out of your incident response team.
Threat hunting is the best proactive approach. But excelling at threat hunting and discovering adversaries takes time, patience, planning, and some serious skills. Mature beyond the basics of hunting and evolve your program!
A short talk about IoT security, especially IoT pentesting for beginners: what exactly IoT is and how we test it.
Live on Ethical Hacker Indonesia
April 14th 2020
ATT&CKcon Power Hour - ATT&CK-onomics (Gert-Jan Bruggink)
The objective of this talk is to inspire defensive strategies designed to impact cost incurred by adversaries to perform compromises. It explores targeting economic considerations when defending against techniques used by adversaries.
It dives into the economics that lead adversaries to use or build certain techniques and tools over others: how defenders can defend against specific techniques by increasing the adversary's cost per intrusion, and how ATT&CK can be used to make strategic risk management decisions.
Managing Next Generation Threats to Cyber Security (Priyanka Aash)
The emergence of next generation technology into the cyber security space has added complications and challenges on several levels. When we talk about next generation technologies we should mean those associated directly with artificial intelligence (AI) and associated components such as machine learning (ML). Unfortunately, many organizations opt to hype current generation products as next gen. In this workshop we will begin by exploring what we need to know about AI and its components. We will dispense with the marketing hype and get down to the facts. Then we will look in detail at a few available tools that truly are next gen, and what makes them next gen, followed by a discussion of where the adversary is going with AI, ML and other next gen technologies. We will wrap up with research from my upcoming book, which discusses the collision between the law and cyber science. In this section we will also address some governance issues that you need to know.
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,... (MITRE - ATT&CKcon)
Operationalizing the ATT&CK framework has enabled GE to deploy custom detection to evolving threat actor behaviors. By leveraging an in-house developed tool called TIAMAT (Tactical Intelligence Adversary Mapping and Analysis Tool), the ATT&CK framework is incorporated into an end-to-end operational process from intelligence collection to customized detection deployment.
The design of this new operational process is examined, and a use case is presented of how examining a historical incident led to a new method of deploying detection based on ATT&CK and to the detection of previously undiscovered activity. There is also a demo that walks the audience through the end-to-end process and explains TIAMAT's capabilities.
As German defense minister Ursula von der Leyen can attest, fingerprints can be hacked. So can facial and other biometrics. Why, then, is biometric-based authentication so fashionable? Why did one of the largest insurance companies just announce it is rolling out fingerprint and facial recognition for its customers (while it uses Symantec VIP for internal employees)? Did product management and marketing conduct a study that concluded customers feel safer with fingerprint and facial recognition?
Apple’s Touch ID, and VISA’s integration with it are shaping the fashionable trend faster than a Milan runway. Hopefully these short hemlines will fade soon. Apple’s senior vice president, Dan Riccio, irresponsibly claims, “Fingerprints are one of the best passwords in the world.” He probably understands it is easy to reset a password. He probably does not understand how hard it is to reset his fingerprints. Truly the inmates are running the asylum.
Marcel van der Heijden - SpeedInvest & Aircloak - EU GDPR & Data Privacy Comp... (Burton Lee)
Talk by Marcel van der Heijden, SpeedInvest & Aircloak (Silicon Valley | AT | DE), at Stanford on Feb 26 2018, in our session: 'New EU Data Privacy Rules : Lessons & Risks for Silicon Valley Corporations & Startups || GDPR'.
Website: http://www.StanfordEuropreneurs.org
YouTube Channel: https://www.youtube.com/user/StanfordEuropreneurs
Twitter: @Europreneurs
Slides I presented at PyCon 2019 (Surabaya, 23/11/2019)
Red teaming is a simulation of real-world hacking against an organization. It has little to no limit on time, location, or method of attack. Only results matter. This talk gives insight into how a “hacker” works and how Python can be used for a sophisticated series of attacks.
Creating Your Own Threat Intel Through Hunting & Visualization (Raffael Marty)
The security industry is talking a lot about threat intelligence; external information that a company can leverage to understand where potential threats are knocking on the door and might have already perpetrated the network boundaries. Conversations with many CERTs have shown that we have to stop relying on knowledge about how attacks have been conducted in the past and start 'hunting' for signs of compromises and anomalies in our own environments.
In this presentation we explore how the decade old field of security visualization has emerged. We show how we have applied advanced analytics and visualization to create our own threat intelligence and investigated lateral movement in a Fortune 50 company.
Visualization. Data science. No machine learning. But pretty pictures.
Here is a blog post I wrote a bit ago about the general theme of internal threat intelligence:
http://www.darkreading.com/analytics/creating-your-own-threat-intel-through-hunting-and-visualization/a/d-id/1321225?
Video on YouTube: https://www.youtube.com/watch?v=hngTacTVT3Y
The aim of a Physical Intrusion Test is to gain physical access to a given location, and it is not a simple task. It requires preparation, research, analysis, coordination, a great deal of simulation, and the application of a flexible methodology that can adapt to the particular conditions of each target.
Analysing the environment, evading all kinds of physical security systems, and working as a team (Red Team) are fundamental to achieving the intrusion, and with it, subsequent access to equipment, the network, and an endless amount of data at the target's facilities. If you want to know what a Red Team is and go deeper into carrying out physical intrusions, this is your talk.
Video URL:
https://www.youtube.com/watch?v=TTwY2wPTcNg
Threat intelligence is knowledge that allows you to prevent or mitigate cyberattacks. Rooted in data, threat intelligence gives you context that helps you make informed decisions about your security by answering questions like who is attacking you, what their motivations and capabilities are, and what indicators of compromise in your systems to look for.
Reference: https://www.recordedfuture.com/threat-intelligence-definition/
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen... (MITRE - ATT&CKcon)
This session discusses Deloitte’s purple teaming approach, which uses ATT&CK as a guiding principle to help both teams improve.
This session shows how this works in a customer scenario: how to scope the scenario, how to plan it and choose the various TTPs to be covered, and how we assist the customer's blue team in understanding the TTPs and help them design detective capabilities for them.
When the Blue Team is able to connect the dots between offensive activities in the network and what they see in their logs, firewalls, SIEMs, etc., they have the ability to fully understand what adversaries do and what the TTPs of attackers actually look like if they are active in their network.
It’s much easier to find the needle in the haystack if you know there is a needle to find to begin with. Purple teaming is providing this pointy needle, used to accelerate the Blue Team.
Cybersecurity Fundamentals for Legal Professionals (and every other business) (Shawn Tuma)
Cybersecurity & Data Privacy attorney Shawn Tuma delivered this presentation to the Mid-Year Meeting of the State Bar of Oklahoma's Intellectual Property Law Section on June 2, 2018. For more information visit www.shawnetuma.com
Preventing hard disk firmware manipulation attack and disaster recovery by Da... (CODE BLUE)
In this talk I will explain strategies, prior to and after a hard disk has lost its ability to be used as a storage device due to human manipulation or natural disaster, that allow a high probability of data recovery. The clicking sound of the hard disk's head is synonymous with hard disk failure; however, it is not widely known that this clicking sound can happen even when there is nothing wrong with the head. Changing the hard disk's head merely because it is acting up is a very risky action because it increases the danger of contaminating the clean insides of a hard disk. So what is causing the hard disk's head clicking sound? The answer is damaged firmware. In this talk I will explain how to utilize the firmware to control the device and use it in a disaster recovery situation.
Dai Shimogaito
CEO of Osaka Data Recovery, founded in 1998. Director of Data Recovery Association Japan.
Wanting to perfect data recovery methods, he conducts research and information exchange with engineers domestically and internationally.
Trainings: Data Recovery Trainings for NPA and IDF Seminars, etc.
Lectures: Digital Forensic Study Groups, NTT Secure Platform Laboratories, and privately for companies and governments.
Secret of Intel Management Engine by Igor Skochinsky (CODE BLUE)
Intel Management Engine ("ME") is a dedicated microcontroller embedded in all recent Intel motherboard chipsets. It works independently from the main CPU, can be active even when the rest of the system is powered off, and has a dedicated connection to the network interface for out-of-band networking which bypasses the main CPU and the installed OS. It not only performs the management tasks for which it was originally designed, but also implements features such as Intel Identity Protection Technology (IPT), Protected Audio-Video Path, Intel Anti-Theft, Intel TPM, NFC communication and more. There is not much info available about how exactly it works, and this talk aims to fill the gap and describe the low-level details.
Igor Skochinsky
Igor Skochinsky is currently one of the main developers of the world-famous Interactive Disassembler and Hex-Rays Decompiler. Even before joining Hex-Rays in 2008 he had been interested in reverse engineering for a long time and had brief periods of Internet fame after releasing a dumper for DRM-ed iTunes files (QTFairUse6) and hacking the original Amazon Kindle. He spoke previously at Recon, Breakpoint and Hack.LU.
Collaborative defence strategies for network security (sonukumar142)
This presentation describes an environmental comparison of collaborative defence strategies for network security. Collaborative defence strategies combine several algorithms and techniques to enhance and enrich network security.
[CB16] Using the CGC’s fully automated vulnerability detection tools in secur... (CODE BLUE)
End users' requirements for secure IT products are continually increasing in environments that directly affect human life and industry, such as IoT and CPS. Because vendors and end users sell or buy products based on trustworthy or objective security evaluation results, the role of security evaluation is important. Security evaluations are divided into two parts: evaluation at the design level, such as ISO/IEC 29128 (Verification of Cryptographic Protocols), and evaluation at the post-implementation level, such as ISO/IEC 15408 (Common Criteria). Both of these security evaluation standards, ISO/IEC 29128 and ISO/IEC 15408, advise using formal verification and automated tools when a high assurance level of the target product is required.
For a long time, vulnerability detection using automated tools has been tried and studied by many security researchers and hackers. Recently, the study of automated vulnerability detection has become more active than ever in the hacking community with DARPA’s CGC (Cyber Grand Challenge). But too many tools are continually being developed, and usually each tool has its own purpose, so it is hard to achieve the ultimate goal of security evaluation effectively and to verify evaluation results.
Furthermore, there are no references for categorizing automated tools from the perspective of security evaluation. So, in this presentation we will list, categorize and analyze all automated tools for vulnerability detection and introduce our results, such as pros and cons, purpose, effectiveness, etc.
-- InHyuk Seo
My name is Inhyuk Seo (nick: inhack). I graduated with a B.S. in Computer Science and Engineering from Hanyang University (ERICA) in 2015. Now I’m a researcher and M.S. student at the SANE (Security Analysis aNd Evaluation) Lab at Korea University. I’m interested in programming languages, software testing, machine learning, and artificial intelligence.
In 2012, I completed high-quality information security education course “the Best of the Best(BoB)” hosted by KITRI(Korea Information Technology Research Institute) and conducted “Exploit Decoder for Obfuscated Javascript” Project.
I participated in many projects related with vulnerability analysis. I conducted “Smart TV Vulnerability Analysis and Security Evaluation” and “Developing Mobile Security Solution(EAL4) for Military Environment ”. Also, I participated in vulnerability analysis project for IoT products of various domestic tele-communications.
-- Jisoo Park
Jisoo Park graduated from Dongguk University with a B.S. in Computer Science Engineering. He participated in a secure coding research project in the Programming Language Lab and at KISA (Korea Internet & Security Agency). He worked as a software QA tester at the anti-virus company AhnLab. He also completed the high-quality information security education course "Best of the Best" hosted by KITRI (Korea Information Technology Research Institute) and conducted security consulting for a car sharing service company.
Now, Jisoo Park is a
New immune system of information security from CHINA by WooYun - CODE BLUE 2015 (CODE BLUE)
This talk is about the introduction of Wooyun.
WooYun is a platform where security researchers report vulnerabilities and vendors give feedback. While WooYun tracks vulnerabilities, it also provides researchers a platform for public interest, study, communication, and research. In my presentation I will introduce how WooYun works and why we started this project, what WooYun has changed in the security circle in China, why, when and where it was built, how it developed, and the difficulties we met while developing it.
Security+ Guide to Network Security Fundamentals, 3rd Edition, by Mark Ciampa
Knowledge and skills required for Network Administrators and Information Technology professionals to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in consideration of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Terminology and procedures for implementation and configuration of security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs).
CNIT 120: Network Security
http://samsclass.info/120/120_S09.shtml#lecture
Policy: http://samsclass.info/policy_use.htm
Many thanks to Sam Bowne for allowing us to publish these presentations.
Methods and techniques for monitoring, surveillance and profiling of cyberspace activities are available to state actors and criminal operators as well as to skilled individuals.
Civilian individuals without extensive knowledge of and exposure to counter-intelligence techniques and Operations Security (OPSEC) protocols are vulnerable and helpless against these privacy breaches. This represents a significant gap between actors and their victims, a gap that can be bridged only through education.
The primary objective of this workshop-oriented activity is to educate people operating in above-average-risk situations in cyberspace and to bridge the unfair gap between them and malicious actors. The secondary objective is to understand how cyber security can be taught to non-security-minded people in an efficient way.
PCI DSS Simplified: What You Need to Know (AlienVault)
Maintaining, verifying, and demonstrating PCI DSS compliance is far from a trivial exercise. Those 12 requirements often translate into a lot of manual and labor-intensive tasks – chasing down discrepancies in asset inventory spreadsheets, removing false positives from network vulnerability assessment reports, and weeding through log data trying to make sense of it all. In fact, you may need to consult at least a dozen different tools for those dozen requirements.
Thankfully, there’s a simpler alternative. AlienVault Unified Security Management (USM) consolidates the five essential capabilities you need for PCI DSS compliance. As a nearly complete PCI compliance solution, AlienVault’s USM delivers the security visibility you need in a single pane-of-glass. And it solves more than the single purpose PCI DSS compliance software alternatives do. During this webcast, you will learn how to:
- Achieve, demonstrate and maintain PCI DSS compliance
- Consolidate and simplify SIEM, log management, vulnerability assessment, IDS, and file integrity monitoring in a single platform
- Implement effective incident response with emerging threat intelligence
Plus, you'll see how quickly and easily you can simplify and accelerate PCI DSS compliance. Register Now to secure your spot.
OSINT Basics for Threat Hunters and Practitioners (Megan DeBlois)
This presentation was created for the SWIFT Tech Symposium at Calpoly Pomona. Learn the basics of OSINT, but for hunting Internet infrastructure.
- OSINT Basics: Let's talk about what it is, why it's important, and how it's used in the world of Internet infrastructure.
- Understanding Different Use Cases: We'll take a quick look at examples of how this is valuable for threat hunters, security practitioners, as well as researchers.
- Practice, practice, practice: I'll end this talk by sharing some good resources and ideas for how you can sharpen your OSINT skills for security research or for better organizational defense.
Building a Next-Generation Security Operations Center (SOC) (Sqrrl)
So, you need to build a Security Operations Center (SOC)? What does that mean? What does the modern SOC need to do? Learn from Dr. Terry Brugger, who has been doing information security work for over 15 years, including building out a SOC for a large Federal agency and consulting for numerous large enterprises on their security operations.
Watch the presentation with audio here: http://info.sqrrl.com/sqrrl-october-webinar-next-generation-soc
Empowering School Leaders to Manage and Lead I.T. (Mark S. Steed)
This presentation is designed to give School Leaders who have little or no knowledge and experience of Information Technology some insight into how to lead and manage I.T. The presentation looks at three things:
1) Why and How Educationalists should take control of making IT decisions;
2) Three Principles to help School Leaders Understand IT
3) Ten Questions to ask your IT Network Manager.
The presentation was given at the Digital Education Show in Dubai on Wednesday 16th November 2016.
Information Security: Advanced SIEM Techniques (ReliaQuest)
Joe Partlow, CISO, ReliaQuest (www.reliaquest.com) - We've all heard it before: SIEM is dead, defense is boring, logs suck, etc. The fact is that having total visibility into what's happening on your network is absolutely necessary and keeps you from having to answer questions like "How did you not know we were compromised for the past 6 months!" This talk focuses on advanced tips and tricks you can implement with your SIEM to give you better visibility into all areas of your environment. It also includes top secret, 1337 (ok, maybe just average) code snippets.
Video (at YouTube) - http://bit.ly/19TNSTF
Big Data Security Analytics, Data Science and Machine Learning are a few of the new buzzwords that have invaded our industry of late. Most of what we hear are promises of a unicorn-laden, silver-bullet panacea from heavy-handed marketing folks, evoking an expected pushback from the most enlightened members of our community.
This talk will help parse what we as a community need to know and understand about these concepts: where their technical details and actual capabilities lie, where they fail, and how they can be exploited and fooled by an attacker.
The talk will also share results of the author's current ongoing research (on MLSec Project) applying machine learning techniques to information security monitoring.
The extent and impact of recent security breaches is showing that current security approaches are just not working. But what can we do to protect our business? We have been advocating monitoring for a long time as a way to detect subtle, advanced attacks that are still making it through our defenses. However, products have failed to deliver on this promise.
Current solutions don't scale in both data volume and analytical insights. In this presentation we will explore what security monitoring is. Specifically, we are going to explore the question of how to visualize a billion log records. A number of security visualization examples will illustrate some of the challenges with big data visualization. They will also help illustrate how data mining and user experience design help us get a handle on the security visualization challenges - enabling us to gain deep insight for a number of security use-cases.
Nagios Conference 2014 - Scott Wilkerson - Getting Started with Nagios Networ... (Nagios)
Scott Wilkerson's presentation on Getting Started with Nagios Network Analyzer.
The presentation was given during the Nagios World Conference North America held Oct 13th - Oct 16th, 2014 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/conference
Maintaining, verifying, and demonstrating compliance with the PCI-DSS standard is far from a trivial exercise. Find out how AlienVault USM can help you meet PCI compliance requirements.
Why Use Open Source to Gain More Visibility into Network Monitoring (DevOps.com)
Learn how to use open source solutions for your network monitoring to gain the necessary visibility into the status, performance and responsiveness of your enterprise, cloud or hybrid application environments. Get a faster and easier tool to start collecting data from multiple sources and quickly perform root-cause analysis, reducing your MTTR.
IT Operation Analytic for security - MiSSconf(sp1) (stelligence)
IT Operation Analytics: using anomaly detection and unsupervised machine learning to distinguish normal from abnormal behavior and enhance the efficiency of SIEM detection and alerting.
Regulatory compliance mandates have historically focused on IT & endpoint security as the primary means to protect data. However, as our digital economy has increasingly become software dependent, standards bodies have dutifully added requirements as they relate to development and deployment practices. Enterprise applications and cloud-based services constantly store and transmit data; yet, they are often difficult to understand and assess for compliance.
This webcast will present a practical approach towards mapping application security practices to common compliance frameworks. It will discuss how to define and enact a secure, repeatable software development lifecycle (SDLC) and highlight activities that can be leveraged across multiple compliance controls. Topics include:
* Consolidating security and compliance controls
* Creating application security standards for development and operations teams
* Identifying and remediating gaps between current practices and industry-accepted "best practices"
Protecting Financial Networks from Cyber Crime (Lancope, Inc.)
Financial services organizations are prime targets for cyber criminals. They must take extreme care to protect customer data, while also ensuring high levels of network availability to allow for 24/7 access to critical financial information. Additionally, industry consolidation has created large, heterogeneous network environments within large financial institutions, making it difficult to ensure that networks have the necessary visibility and protection to prevent a devastating security breach. By leveraging NetFlow from existing network infrastructure, financial services organizations can achieve comprehensive visibility across even the largest, most complex networks. The ability to quickly detect a wide range of potentially malicious activity helps prevent damaging data breaches and network disruptions. Attend this informational webinar, conducted by Lancope's Director of Security Research, Tom Cross, to learn:
- How NetFlow can help quickly uncover both internal and external threats
- How pervasive network insight can accelerate incident response and forensic investigations
- How to substantially decrease enterprise risks
Some security experts would tell you that security testing is very different from functional or non-functional software testing. They are wrong. Having worked on both sides, Paco gives 3 specific recommendations for how testers can make significant contributions to the security of their software and applications by making small changes to the way they do their software testing. The first technique has to do with selecting points in the user journey that are ripe for security testing. The second is to leverage some common free tools that enable security tests. The final technique is adjusting old school boundary value testing and equivalence class partitioning to incorporate security tests. The result is a lot of security testing done and issues fixed long before any security specialists arrive.
Key Takeaways:
- Great places in the user journey to inject security tests
- Ways to augment existing test approaches to cover security concerns
- Typical security tools that are free, cheap, and easy for software testers
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo... (CODE BLUE)
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services and blue team incident response and defense consultation for major Japanese global corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS Institute and holds numerous GIAC certifications. Currently, he is working with other Yamato Security members to provide free and open-source security tools to help security analysts with their work.
[cb22] Tales of 5G hacking by Karsten Nohl (CODE BLUE)
Most 5G networks are built in fundamentally new ways, opening new hacking avenues.
Mobile networks have so far been monolithic systems from big vendors; now they become open vendor-mixed ecosystems. Networks are rapidly adopting cloud technologies including dockerization and orchestration. Cloud hacking techniques become highly relevant to mobile networks.
The talk dives into the hacking potential of the technologies needed for these open networks. We illustrate the security challenges with vulnerabilities we found in real-world networks.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A... (CODE BLUE)
Printers have become essential devices in the corporate intranet over the past few years, and their functionality has increased significantly. Beyond printing and faxing, cloud printing services like AirPrint are now supported to make them easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use printers to print internal business documents, which makes it even more important to keep them safe.
Nowadays, most printers on the market do not have to be connected with USB or a traditional cable. As long as you are using a LAN cable connected to the intranet, the computer can find and use the printer immediately. Most of them rely on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems but an RTOS (Real-Time Operating System) instead; how does this affect the attacker?
In this talk, we will use the Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case studies, showing how to analyze and gain control of the printer. We will also demonstrate how to use the vulnerabilities to achieve RCE in the RTOS in unauthenticated situations.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter... (CODE BLUE)
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principles of disclosure and protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022. This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-... (CODE BLUE)
Yuuma Taki is a 4th-year student in the Faculty of Information Media at Hokkaido Information University.
At university he is focusing on learning about security for lower-level components, such as the OS and CPU. In his third year of undergraduate school, he worked on implementing the OS security mechanism "KASLR" at SecHack365.
Currently, he is learning about ROP derivative technology and embedded equipment security.
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla... (CODE BLUE)
In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi-automated approach to "see through" the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found subsequent to starting our analysis, confirming the method's validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti... (CODE BLUE)
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting credentials at massive scale.
The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles: the "Daily Cycle," "Campaign Cycle," and "Post-exploit Cycle." The "Daily Cycle" collects massive numbers of credentials and uses the stolen credentials to accelerate its APT life cycle.
In the "Campaign Cycle," CloudDragon develops a lot of new malware. While we responded to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to evade detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info... (CODE BLUE)
Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially at critical moments such as wartime or election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaigns) attempt to spread disinformation, incite protests in the physical world, and dox journalists.
China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace.
In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. Recently, however, we saw newly created bots turn to posting artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguising themselves as members of the "Milk Tea Alliance," to create a false appearance that such content is being echoed across cyberspace.
We particularly focus on an ongoing Chinese bots-driven InfoOp targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”... (CODE BLUE)
Malware written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, the statically linked libraries make it difficult to distinguish between user functions and library code, which makes analysis harder for analysts. This situation has increased the demand for Go malware classification and exploration.
In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat... (CODE BLUE)
Malware analysts normally obtain IP addresses of the malware's command & control (C2) servers by analyzing samples. This approach works in commoditized attacks or campaigns. However, with targeted attacks using APT malware, it's difficult to acquire a sufficient number of samples for organizations other than antivirus companies. As a result, malware C2 IOCs collected by a single organization are just the tip of the iceberg.
For years, I have reversed the C2 protocols of high-profile APT malware families then discovered the active C2 servers on the Internet by emulating the protocols. In this presentation, I will explain how to emulate the protocols of two long-term pieces of malware used by PRC-linked cyber espionage threat actors: Winnti 4.0 and ShadowPad.
Both pieces of malware support multiple C2 protocols like TCP/TLS/HTTP/HTTPS/UDP. It's also common to have different data formats and encoding algorithms per protocol in one piece of malware. I'll cover the protocol details while referring to unique functions such as server-mode in Winnti 4.0 and multiple protocols listening on a single port in ShadowPad. Additionally, I'll share the findings regarding the Internet-wide C2 scanning and its limitations.
After the presentation, I'll publish over 140 C2 IOCs with the date ranges in which they were discovered. These dates are more helpful than just IP address information since the C2s are typically found on hosted servers, meaning that the C2 could sometimes exist on a specific IP only for a very limited time. 65% of these IOCs have 0 detection on VirusTotal as of the time of this writing.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, such tool development and system maintenance cost a lot. Incident trends change daily, malware keeps evolving, and it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, which reduces the time available for the necessary analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensic on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
65. Questions
What goals am I trying to accomplish?
What are the sources of truth?
What tools would work best?
What is an anomaly?
Am I correlating the alerts?
What about user experience?
Is the system robust and secure?
What else can I do with all the data?
68. name: travis carelock
twitter: @l3d
email: travis@soundcloud.com
pgp: 463E B548 F3B1 F879 4589 6505 E417 7480 D1A4 A990
private: travis@carelock.net
pgp: 4CFC 8E69 4A07 59F2 4508 8A39 0AFA 9CC3 2D65 031E
otr: l3d@dukgo.com
fingerprint: 40FCAFD7 FAA097B6 29BE95CE 6740E37E 0790E295
is hiring!
Web: http://soundcloud.com/jobs
Email: jobs@soundcloud.com
Thank You!
Special Thank You to Code Blue and the Organisers!
Editor's Notes
Let’s Start. Hello everyone and thank you for coming to my presentation. My name is Travis Carelock and this is Practical Network Defence at Scale, or Protecting the Eierlegende Wollmilchsau. (….) First of all I would like to thank Code Blue for giving me the opportunity to speak to you. I am very honoured and hope that everyone here finds this presentation useful.(…) There is a lot of material to cover, so this presentation may move quickly.(…)
One more thing before I start. I will be focusing on network defence, but all your logs have a wealth of information. Please do not get too focused on the implementation details, instead try to find inspiration, and think about how you can apply some of these techniques to your own organizations. (…)
Who am I? As I said, my name is Travis Carelock, and I currently work as an Engineer on the Security Team at SoundCloud in Berlin. (…) In the past I have worked for Black Hat and the Louisiana Department of Justice.
Why did I want to talk on this subject? Well first, I love defence. (…) I always have. Some people love to attack, to figure out a weakness, exploit it and move on to the next target. (…) I enjoy understanding my environment, both the strengths and the weaknesses. I enjoy raising the walls, laying traps, and keeping watch from the tower. (…) I also enjoy the adversarial nature of it. There are real humans out there attacking. (…) So you have to adjust and stay on your toes.
And. I love avoiding this. We also get paid to avoid this.
Focus on network defense. A custom, scalable SIEM. LOTS of logs for your own use.
So I hope to show with this talk some real, concrete steps you can take to start building up your defences and give yourself some peace of mind. (…) I will be focusing on network defence, but all your logs have a wealth of information. Please do not get too focused on the implementation details; instead try to find inspiration, and think about how you can apply some of these techniques to your own organizations. (…)
I thought about the best way to present this. (…) Due to the nature of defense, log analysis, and anomaly detection, there is really no one simple answer. No one simple button to press. Each infrastructure must be analysed.(…) An effective security monitor can only be created and tuned by understanding the environment in which it operates.(…)
Therefore, I thought it was sensible to present a series of questions that one should answer before beginning to build a network monitoring solution.
The first question. What am I trying to accomplish? (…) This question seems basic but the answer shapes everything to come after it. So it is super important to get right.(….) From a security point of view, the question is also deceptive.
People outside the organization might say something like: “What are we trying to accomplish?! We are trying to be secure and not get hacked! (…) You’ve seen all the hackers out there, right!? STOP THEM!”
We know that is not realistic. Sure, there might be people trying to exploit the infrastructure in one manner or the other. (…) But fearing some amorphous, evil force who is “smarter” than you, better equipped, and has WAY more coffee and time than you do is both not helpful and won’t accomplish anything.
Good security can only come from a realistic assessment of the environment.
Then use a systematic and sustained effort to mitigate the highest risks as best as possible. Periodically repeat the risk assessment to ensure the organization is still spending resources in the necessary places. It can be a slow process, but it is the only way to make real defensive progress. (…)
So it is required to have a detailed view of the environment. This must come before we can answer the question “What are we trying to accomplish?” (…) Funnily enough, we will use the example of a “fast-moving” start-up.
A bit of a disclaimer here. I will try to make this example as generic as possible. After all, I still want to keep some of my secrets. (…)
The example environment consists of large, flat networks with thousands of nodes. When we say it is flat, that means that nodes can “see” each other on the network without segmentation. It is a giant beehive of activity. These nodes serve billions of daily user actions. (…) That means billions of times a day users are logging in, playing songs, uploading tracks, messaging and commenting with their friends, or in some way interacting with this network. (…) Most of the events trigger fan-out type connections to multiple services as each user’s request is fulfilled. Now let’s focus on what any one of those nodes could be.
When we look at a node in this environment, it is incredibly dynamic. At any given time it can take on any number of tasks and configurations.
For example. A node could be deployed on:(…) A physical machine or machines in a datacentre.(…)
Virtual Machines or a container (…) Infrastructure Equipment such as routers and switches (…)
Cloud Provided Assets.(…) Or even temporary nodes that represent VPN users logging in(…)
And these nodes can be serving a variety of services or roles.
Some could be running a very important and complex application or microservice.(…) Some could be a datasource. (..)
It might be serving as part of a cluster, even a data source cluster (…)
It could be providing internal services such as DNS, DHCP, or running tests(…)
Many people have load-balancers helping to spread out traffic(…)
The node might be a corporate user querying for business intelligence data(…)
It could be the Engineers scaling nodes and redeploying services. Or just poking around(…)
And some might even be part of a security system.(…)
You also have things to look out for… namely zombie machines or malicious entities. (…)
I would like to speak for a moment about the way the modern infrastructure has changed the way administrators and engineers view and manage these nodes.
Some of this has been said in a few talks before, but I would like to expand on the concept a bit.
Basically, in the past, because nodes were generally so hard to rebuild, we treated them as pets. We took care of them. And prided ourselves on the uptime counter. If our servers needed ANYTHING, ANYTHING at all… we did it. Does the 200 Kilo server need to be moved up 3 flights of stairs to a brand new air conditioned closet? DON’T TURN IT OFF!!! Ask 3 interns to help carefully carry the 40 Kilo backup battery alongside. It was ridiculous. As scale environments started to become more normal, a better way of managing servers was needed…. DevOps is the broad name for this. And it really concerns itself with the management of systems with repeatable code. Continuous Integration is closely tied to it, as it works to automate the deploy-to-production pipeline. As a result of all this automation…..
We now treat nodes as cattle. Did something get corrupted? Some physical failure? Did we rm the wrong thing? No problem, make sure the load balancer handles the load, rack a replacement, and turn it on. But this analogy is not quite correct, because cattle can only do certain things. Give milk, and meat. Maybe pull your wagon. (…) But the modern systems engineer’s dream is to view every node as an eierlegende Wollmilchsau.
An eierlegende Wollmilchsau is a German term. Literally it is an “egg-laying wool-milk-pig”. It is a pretend farm beast that provides everything one might need. Engineers want a node like this. Nodes that can do anything. One moment a node might be part of a database cluster. (…) Then an hour later, the physical machine that the node was on is wiped, the node is destroyed and instead two different application nodes take its place on the hardware.(…) The original database node is then deployed to an entirely new IP, behind a load-balancer and hosted in a Virtual Private Cloud.(…)
Or possibly during peak times 50 application nodes are automatically scaled to 150. And then after peak, the excess nodes are all destroyed.(…) These are very typical daily activities. SIEMs have not been able to keep up with this. Many were built for the typical environment of three to five years ago…..
So…. Any node can be anything at anytime.
This looks a bit scarier now….
But don’t worry! One step at a time. Just start with a simple goal and expand from there.
Let’s get back to what our goals are. Now that we have an example environment, some definite network security goals really begin to surface. (…) You can really go crazy here, but remember: small bites and attainable results will help both your security and your sanity. (…) Here are three very reasonable goals that a system like the one we are designing should accomplish. I will go through each one for clarity.
The first goal would be to simply investigate network traffic between nodes, or between logical collections of nodes. (…) A collection of nodes could be something like a database cluster, container group, a scaled application, a micro-service, etc. (….)
For any given logical grouping of nodes used by the Systems Engineers I would like to be able to investigate connections to any other logical grouping of nodes.(…) From a layer 3 point of view, I would like to know IPs, Ports, and data transfer.
Next, I would like to write rules around this traffic, and then be alerted when these rules are violated. (…) For example, I would want to allow a node or collection of nodes to connect to a database cluster, but I would like to be alerted if any other nodes in the network attempt to connect via 3306. (…) Or maybe I would like to be alerted when any database node makes a connection to any IP on the internet, or any IP outside of its allowed range. The rule possibilities are literally endless with the right query system.
Finally we would like to be able to store this data for a determined amount of time, and perform various forms of analysis. And if necessary, provide forensic evidence after an alert has been triggered in order to assess the extent of damage or further compromise. (…) This could be very important.
Now that we have an idea of what we want to accomplish. We can move forward to the next question. What are the Sources of Truth?
What contains the information I need to answer the questions and accomplish the goals?(…) What data do I collect and analyse? If the current data doesn’t exist, can I build something that will produce it? (…) Looking back at our example. Can we find sources of truth emitted by systems in that infrastructure that will help to create a network monitor? YES!
These are just some of the examples that could exist in your network. I will tell you a secret: to monitor network traffic we are going to rely heavily on traffic flow logs generated by the switching and routing infrastructure. (…) These will give a very useful and independent view of the network from a layer 3 perspective. (…) Obviously firewall and intrusion detection system logs would be important, but I encourage you to expand your log collection as far as possible.(…) Think about logs from infrastructure services such as DNS/DHCP, host-based logs, application logs, database logs, Amazon CloudTrail, S3 logs, and sometimes we even want to use code to create small services that emit speciality logs.
Also you will want to understand the nature of the data you are collecting.
This is a critical step.(…) Ask questions like: how consistent is this data? Does it come in erratically? Does it measure what it says it measures? Is it independent? Could it have been corrupted in some way? (…) How reliable is it? This will allow you to give it a confidence score as it relates to any given investigation or query. For example, if a host node is suspected of being compromised (…) the auth.log says no one has logged in, however the sFlow logs from the connected switch clearly show lots of ssh traffic. One of those logs would have a much lower confidence score than the other. (…) Finally, keep in mind the retention policy of this data. How long do they, or should they, stick around? That all depends on the risk profile associated with that data. Some things you just want to get rid of.
Eventually you will want to search for similar items across all logs. If you just blindly dump all the logs into a giant vat, they will end up only being useful in reference to other logs of the same type.(…)
To get the most out of the logs, the first step is to normalize. (…)
You will notice here that all three of these logs do display a timestamp… And that is necessary, but notice that they are each in slightly different formats. (…) You will want to normalize all of these into a single standard timestamp format during pre-processing. Luckily, Logstash uses JRuby to modify log lines on the fly.
Here we see data transfer. Is it in bytes, bits, mega-bytes? Again normalize to a standard.
If you tag the logs during pre-processing, then searching for similar fields across all the logs is possible. (..) Take the time to chop up and GROK your log files; it pays off in the end. (…) Here we are tagging this as src_ip, no matter what the log file calls it.
Here we would apply a “dst_ip” tag.
And finally, TYPE the individual fields as they are tagged. Not everything is a string.(…) For example, anything that is tagged as a src_port is also an Integer. (…) This will allow you to perform calculations based on the variable’s type. So that means counts, addition, ranges.
So now you can answer questions like: for a given src_ip, what did it connect to, and how many bytes were transferred? How much of a change is that relative to yesterday at the same time period?
For “IP” typed fields these calculations include IP ranges, which makes a full IP subnet range a valid query. This would not be possible if everything was just left to the default “string” type.(…)
Again, all this can be done within Logstash. But there are any number of different open-source libraries you could use to interact with Elasticsearch and basically ship JSON.
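As an added example (not the speaker's code or a Logstash configuration), the normalization steps from the last few slides in plain Python: three constructed log lines in different formats are parsed, their timestamps are converted to one UTC standard, sizes are converted to bytes, the fields are tagged as src_ip/dst_ip/src_port regardless of what each source calls them, and they are stored as real IP and integer types so that per-source counts and subnet queries work. All log lines, hostnames and addresses are made up.

```python
import ipaddress
import re
from datetime import datetime, timezone
from typing import Any, Dict, List

# Three constructed log lines (not real captures) in three of the formats the
# slides contrast: a syslog-style auth.log line, a flow-style line and a
# firewall line. Each one names "the same" field differently and uses a
# different timestamp and size convention.
SAMPLE_LOGS = [
    "Oct 20 14:03:11 db-node-07 sshd[2231]: Accepted publickey for deploy "
    "from 10.10.5.23 port 51422 ssh2",
    "ts=1413813791 src=10.10.5.23 sport=51422 dst=10.20.0.12 dport=22 bytes=4096",
    "2014-10-20T16:03:12+02:00 FW deny srcip=203.0.113.9 srcport=44123 "
    "dstip=10.20.0.12 dstport=3306 size=12KB",
]

# One pattern per source; the group names are the normalized tags
# (src_ip, dst_ip, src_port, ...), whatever the source itself calls them.
PATTERNS = {
    "auth": re.compile(
        r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
        r".* from (?P<src_ip>\S+) port (?P<src_port>\d+)"),
    "flow": re.compile(
        r"^ts=(?P<ts>\d+) src=(?P<src_ip>\S+) sport=(?P<src_port>\d+) "
        r"dst=(?P<dst_ip>\S+) dport=(?P<dst_port>\d+) bytes=(?P<bytes>\d+)"),
    "firewall": re.compile(
        r"^(?P<ts>\S+) FW \S+ srcip=(?P<src_ip>\S+) srcport=(?P<src_port>\d+) "
        r"dstip=(?P<dst_ip>\S+) dstport=(?P<dst_port>\d+) "
        r"size=(?P<size>\d+)(?P<unit>[KMG]?B)"),
}

UNIT_BYTES = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def normalize_timestamp(raw: str, assume_year: int = 2014) -> datetime:
    """Turn epoch, syslog or ISO-8601 timestamps into one aware UTC datetime."""
    if raw.isdigit():                      # epoch seconds
        return datetime.fromtimestamp(int(raw), tz=timezone.utc)
    if raw[0].isalpha():                   # syslog: no year, no zone; assume UTC
        naive = datetime.strptime(f"{assume_year} {raw}", "%Y %b %d %H:%M:%S")
        return naive.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(raw).astimezone(timezone.utc)


def normalize(line: str) -> Dict[str, Any]:
    """Parse one raw line into a record with uniform names and real types."""
    for kind, pattern in PATTERNS.items():
        match = pattern.match(line)
        if match:
            break
    else:
        raise ValueError(f"unrecognised log line: {line!r}")
    f = match.groupdict()
    record: Dict[str, Any] = {
        "type": kind,
        "@timestamp": normalize_timestamp(f["ts"]),
        "src_ip": ipaddress.ip_address(f["src_ip"]),   # typed: subnet tests work
        "src_port": int(f["src_port"]),                # typed: ranges and sums work
    }
    if "dst_ip" in f:
        record["dst_ip"] = ipaddress.ip_address(f["dst_ip"])
        record["dst_port"] = int(f["dst_port"])
    if "bytes" in f:
        record["bytes"] = int(f["bytes"])
    elif "size" in f:                                  # firewall reports KB/MB/GB
        record["bytes"] = int(f["size"]) * UNIT_BYTES[f["unit"]]
    return record


def connections_by_src(records: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count records per source IP, a question only answerable once names agree."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[str(r["src_ip"])] = counts.get(str(r["src_ip"]), 0) + 1
    return counts


def bytes_from_subnet(records: List[Dict[str, Any]], cidr: str) -> int:
    """Sum bytes sent by any source inside a subnet (needs the IP type)."""
    net = ipaddress.ip_network(cidr)
    return sum(r.get("bytes", 0) for r in records if r["src_ip"] in net)


if __name__ == "__main__":
    recs = [normalize(line) for line in SAMPLE_LOGS]
    for r in recs:
        print(r["type"], r["@timestamp"].isoformat(), r["src_ip"], r.get("bytes"))
    print(connections_by_src(recs), bytes_from_subnet(recs, "10.10.0.0/16"))
```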
Obviously I’ve been speaking about chopping up logs, and that leads us to our next question. What tools are we going to use?
As you can already see, collecting, indexing and asking questions of logs will be our primary way of accomplishing our goal. So, what are you going to use to accomplish the tasks? (…) Given that we are working with logs, the primary tool I would like to use is Elasticsearch. It is a data store and the engine that drives the ELK stack.(…) The ELK stack is a modular set of tools that have some very complementary features. They are Elasticsearch, Logstash, and Kibana. (…) Logstash helps to ingest, modify and tag logs before shipping them to the Elasticsearch data store. And Kibana is a great web visualization tool.
As you can see, Kibana does make for pretty dashboards and includes interesting features like maps.
And I do need to stress here: Elasticsearch is great… Just to give you an example, I am continually ingesting and indexing 35K log lines per second, which generates about 1.5 TB daily. (…)
For this system, this is ES. This is me
As you bring data back to Logstash from these various sources, some of the underlying tools may need tweaking and non-standard configs in order to keep up with the scale. (..) And at some point you will want to write some of your own code to make your life easier, and sometimes just to get the job done. (…) My advice: no matter what the language, finding well-supported libraries is key. Many people face similar issues and there is no need to reinvent the wheel.(…)
And I cannot stress this enough, when building these high-scale systems:
Now you have the goal: investigate network traffic and set up rules and alerts. You have the sources of truth, and the tools with which to analyse them. Now you have to ask: What is the Target?(…) You can’t just say, “Ok computer, show me everything bad.” Security is accomplished by systematically reducing the risk and increasing visibility.(…) Start with a narrow scope and work out from there. You can find the best narrow targets by performing a general risk analysis. Find out what is most important to the business. A particular database cluster, or all the database clusters, might be an example.(…) But if we were not focused on network security with this example, the focus could just as easily target something like AWS Console and API activity, S3 bucket access, or user access in the production environment. This all depends on the organization.
First in order to separate malicious traffic from normal traffic, we need to know what normal traffic is. (…) Who should be connecting to the database? We need to understand the logical side of the network.
In the modern scaled network, system engineers don’t create every machine or container by hand. So there must be some set of systems that have a high-level understanding of nodes, and their deployment configurations.(…) In addition, most services or micro-services deployed have their own set of dependency services that must be known about and discoverable. (…) Find these systems and interface with them. They understand the world.
Some of the more popular system management systems out there are Chef, Puppet, Ansible, and CFEngine. These systems are the backbone of most DevOps infrastructures. Query their data. (…)
In addition, most of these environments also have some method for applications to automatically discover their service dependencies. This could be something like DNS or other service discovery tools.(…)
The cloud services also have their own APIs that you can query to get a variety of information about the instance and its tags.(…)
Source code is an excellent place to look to understand how services connect to one another. If there is a huge variety of code types and config files, a standardized, machine-readable info file could be added to the root directory of the project.(…) And there is no getting around it: for some things, a small amount of code will surface the information you need.
The main point is to understand what powers the infrastructure, determines a node’s configurations, as well as an application’s dependencies. (…) It is important to develop a repeatable method for querying this information.
Because, ideally, once we understand how to query reliably, the next step is to automate. (…) Automation is always helped by consistency. Try to standardize procedures where possible and where there is consensus. (…) A side note here: be sure to work with the engineering team on this one. Some of these queries can be very costly to a high-scale environment. (…) Think about adding a cache layer to the system; this could take pressure off of the other infrastructure. It can also make the overall system more robust if some external resources become unavailable.
By correlating the data from these various “management systems” it becomes possible to create a current “view of the world”. (…)
It becomes possible to answer questions such as: what are the IPs and hostnames for a given cluster of database nodes? Which containers are serving microservice_A? (…) What are the virtual IPs for a particular set of load balancers? Which data sources and dependencies is Application_B expected to require? (…)
With these answers it is also possible to build baseline, normal behaviour patterns.
This works pretty well. A custom query to the Elasticsearch data store based on the expected view of the world.
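An added example (not the speaker's system) of the "view of the world" idea from the previous slides combined with the two rules from the goals slide: a constructed inventory of logical groups (the kind of answer a config management system or cloud API would give) is turned into a WorldView, and constructed normalized flow records are checked against "only the app tier may reach the database cluster on 3306" and "a database node must never connect outside the internal ranges", with a whitelist for an edge case. Group names, networks and flows are all made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Constructed "view of the world": the answer a query to the config
# management system or cloud API would give for each logical group.
INVENTORY = {
    "db_cluster": ["10.20.0.0/24"],
    "app_tier":   ["10.10.0.0/16"],
    "corp_vpn":   ["10.99.0.0/24"],
}

# What this organisation counts as "inside" (constructed; RFC 1918 here).
INTERNAL = [ipaddress.ip_network(c)
            for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """A normalized layer-3 record, as produced by the log pipeline."""
    src_ip: ipaddress.IPv4Address
    dst_ip: ipaddress.IPv4Address
    dst_port: int


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    flow: Flow


class WorldView:
    """Logical groups -> networks. Rebuild it from a fresh inventory on every
    run, since node mappings go stale quickly in a churning environment."""

    def __init__(self, inventory: Dict[str, List[str]]):
        self.groups = {g: [ipaddress.ip_network(c) for c in cidrs]
                       for g, cidrs in inventory.items()}

    def in_group(self, ip: ipaddress.IPv4Address, group: str) -> bool:
        return any(ip in net for net in self.groups.get(group, []))


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL)


Rule = Callable[[WorldView, Flow], Optional[Alert]]


def rule_db_access(world: WorldView, flow: Flow) -> Optional[Alert]:
    """Only app_tier may reach db_cluster on 3306 (the rule from the slide)."""
    if flow.dst_port == 3306 and world.in_group(flow.dst_ip, "db_cluster"):
        if not world.in_group(flow.src_ip, "app_tier"):
            return Alert("db-access-from-unexpected-source", "high", flow)
    return None


def rule_db_egress(world: WorldView, flow: Flow) -> Optional[Alert]:
    """A database node must never connect to an address outside the internal ranges."""
    if world.in_group(flow.src_ip, "db_cluster") and not is_internal(flow.dst_ip):
        return Alert("db-node-egress-to-internet", "critical", flow)
    return None


RULES: List[Rule] = [rule_db_access, rule_db_egress]

# Whitelist for the edge cases the slides mention: (rule name, source network).
# Constructed: DBAs connecting over the corporate VPN are allowed.
WHITELIST: Set[Tuple[str, ipaddress.IPv4Network]] = {
    ("db-access-from-unexpected-source", ipaddress.ip_network("10.99.0.0/24")),
}


def evaluate(world: WorldView, flows: Iterable[Flow],
             rules: List[Rule] = RULES,
             whitelist: Set[Tuple[str, ipaddress.IPv4Network]] = WHITELIST) -> List[Alert]:
    """Run every rule over every flow; drop hits covered by the whitelist."""
    alerts: List[Alert] = []
    for flow in flows:
        for rule in rules:
            alert = rule(world, flow)
            if alert is None:
                continue
            if any(alert.rule == name and flow.src_ip in net for name, net in whitelist):
                continue
            alerts.append(alert)
    return alerts


def make_flow(src: str, dst: str, port: int) -> Flow:
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), port)


# Constructed flow records to exercise the rules.
SAMPLE_FLOWS = [
    make_flow("10.10.5.23", "10.20.0.12", 3306),   # app -> db: expected
    make_flow("10.50.1.4", "10.20.0.12", 3306),    # unknown internal host -> db: alert
    make_flow("10.99.0.7", "10.20.0.12", 3306),    # DBA over VPN -> db: whitelisted
    make_flow("10.20.0.12", "203.0.113.9", 443),   # db -> internet address: alert
    make_flow("10.20.0.12", "10.10.5.23", 51422),  # db -> app: fine
]

if __name__ == "__main__":
    for a in evaluate(WorldView(INVENTORY), SAMPLE_FLOWS):
        print(a.severity, a.rule, a.flow.src_ip, "->", a.flow.dst_ip, a.flow.dst_port)
```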
But this world doesn’t stay still. (…)
Due to the constant churn and redeploy of nodes and applications, these “views of the world” need to be rebuilt constantly. (…) Node information becomes stale very quickly. Mappings and views that once were associated with a certain type of traffic will change over time.(…) Most SIEMs cannot deal with this.
From experience, as these systems begin to be brought online, be prepared to deal with many false positives. How many depends on the amount of chaos currently in the infrastructure.(..) But with careful consideration these can be dealt with.
One way is better design of the data queries.(…) For example, there may be the need to incorporate whitelists when edge cases arise.(…)
Additional services could be built to further enrich the data set. It might be possible to verify a connection was created by a certain user or user group and therefore okay, even if it is outside the expected flow. (…)
The establishment of consistent policies and guidelines will help developers and operators configure their systems in a similar manner, and create a predictable and knowable pattern.(…)
And don’t forget blocking. Many times it is better to stop access altogether with technology such as firewalls or layer2 segmentation.
So now we have this great way for anomaly detection on the network, what are we going to do when the anomaly is detected?
Not all anomalies are equal, so neither should the alert actions they produce be.
Slide – 32 Alert actions
Some of the alerts should just result in the production of another log line.
Some might require an email.
Others might be a bit more important and sent via IM or irc.
As the severity increases it might require SMS or pager services.
And some require the messenger to put on pants,(…)
Buy a bus pass, (…)
Ride to your house. (….)
And wake you up. (…)
In this system the alert results should be considered data as well. If a test was passed, is it because of a threshold count or a whitelist? If a test is passed because the count is below a certain threshold, how far below? (..) Enrich your alert logs as much as possible and feed them back into the system pipeline. It will now be possible to create escalation chains of alerts. You could also implement kill-chains. (..) Maybe you don’t want to get paged if an nmap scan was detected, or if someone logs into the VPN after midnight, or if a VPN login came from outside the countries with offices. But if you see all three things within 10 min then you may want a page.(…) Or something as simple as: every 4 email alerts generated in 10 min sends a page.
An alert could trigger queries to external services. Depending on the answer received, the alert action could be changed.(…) For example, an ssh login from an unexpected geo location, could trigger a certain level of alert, but if a query to an external service could verify that the user was expected to be in that area, then a lesser action could be taken.
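The escalation described above, as an added example rather than the speaker's code: alert results are treated as enriched data (observed count, threshold, reason) and fed through a 10-minute sliding window that pages when the three-step chain (nmap scan, VPN login after midnight, VPN login from a foreign country) completes, or when four email-level alerts arrive within the window. The alert kinds, thresholds and timestamps in the sample stream are constructed.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Deque, FrozenSet, List, Optional


@dataclass(frozen=True)
class AlertEvent:
    """One enriched alert log line: not just 'fired', but why and by how much."""
    ts: datetime
    kind: str           # what the detector saw, e.g. "nmap_scan"
    action: str         # "log", "email", "im", "sms" or "page"
    observed: int = 0   # the count the test measured
    threshold: int = 0  # the threshold it was compared against
    reason: str = ""    # free-text explanation for the operator


KILL_CHAIN: FrozenSet[str] = frozenset(
    {"nmap_scan", "vpn_login_after_midnight", "vpn_login_foreign_country"})


class Escalator:
    """Sliding-window correlation over the alert stream."""

    def __init__(self, window: timedelta = timedelta(minutes=10),
                 email_page_count: int = 4,
                 kill_chain: FrozenSet[str] = KILL_CHAIN):
        self.window = window
        self.email_page_count = email_page_count
        self.kill_chain = kill_chain
        self.recent: Deque[AlertEvent] = deque()

    def feed(self, ev: AlertEvent) -> Optional[AlertEvent]:
        """Consume one alert; return a page-level alert if an escalation fires."""
        now = ev.ts
        while self.recent and now - self.recent[0].ts > self.window:
            self.recent.popleft()           # drop anything older than the window
        self.recent.append(ev)

        # Kill chain: all three low-value alerts within the window -> page.
        seen = {e.kind for e in self.recent}
        if self.kill_chain <= seen:
            self.recent.clear()             # consume the chain so it pages once
            return AlertEvent(now, "kill_chain", "page",
                              observed=len(self.kill_chain), threshold=len(self.kill_chain),
                              reason="all of %s within %s" % (sorted(self.kill_chain), self.window))

        # Volume: N email-level alerts within the window -> page.
        emails = [e for e in self.recent if e.action == "email"]
        if len(emails) >= self.email_page_count:
            for e in emails:
                self.recent.remove(e)
            return AlertEvent(now, "email_burst", "page",
                              observed=len(emails), threshold=self.email_page_count,
                              reason=f"{len(emails)} email alerts within {self.window}")
        return None


def run(stream: List[AlertEvent]) -> List[AlertEvent]:
    """Feed a whole stream in time order and collect the pages it produces."""
    esc = Escalator()
    pages: List[AlertEvent] = []
    for ev in sorted(stream, key=lambda e: e.ts):
        page = esc.feed(ev)
        if page is not None:
            pages.append(page)
    return pages


def at(hh: int, mm: int) -> datetime:
    """Constructed timestamps on one fixed day (UTC)."""
    return datetime(2014, 10, 21, hh, mm, tzinfo=timezone.utc)


# Constructed alert stream: the three-step chain, a burst of four emails,
# a lone email, and a chain that is spread too thin to trigger.
SAMPLE_STREAM = [
    AlertEvent(at(0, 5), "nmap_scan", "email", observed=312, threshold=200, reason="ports/min"),
    AlertEvent(at(0, 7), "vpn_login_after_midnight", "log", reason="login at 00:07"),
    AlertEvent(at(0, 12), "vpn_login_foreign_country", "email", reason="geo not in office list"),
    AlertEvent(at(1, 0), "failed_ssh_burst", "email", observed=60, threshold=50),
    AlertEvent(at(1, 2), "failed_ssh_burst", "email", observed=75, threshold=50),
    AlertEvent(at(1, 4), "failed_ssh_burst", "email", observed=52, threshold=50),
    AlertEvent(at(1, 6), "failed_ssh_burst", "email", observed=90, threshold=50),
    AlertEvent(at(1, 30), "failed_ssh_burst", "email", observed=55, threshold=50),
    AlertEvent(at(2, 0), "nmap_scan", "email", observed=250, threshold=200),
    AlertEvent(at(2, 15), "vpn_login_after_midnight", "log"),
    AlertEvent(at(2, 16), "vpn_login_foreign_country", "email"),
]

if __name__ == "__main__":
    for page in run(SAMPLE_STREAM):
        print(page.ts.isoformat(), page.kind, page.observed, "/", page.threshold, page.reason)
```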
All these alerts and actions sound great but…….
I think I should stop and say something about alert fatigue. It is a very real problem. If a system emits too many alerts, operators can become swamped and overrun.(…) Or if the system incorrectly classifies the severity of the anomaly and operators get paged for trivial matters, then fatigue will set in. And it becomes all too easy to become complacent to the noise. (…) Invest time and resources in getting this part right. Saving engineering time and stress saves the organization money in the long run.
By now you can tell that this system is getting somewhat complex. As rules, alerts, actions, and external integrations are added this complexity will only increase. It is important to think about human-to-system interaction. After all, one of the keys to success is getting as many people as possible using the system. They will only do this if they can reliably interact with the system.
I have already spoken about how great Kibana is for an investigation tool. It also has the ability to load external json configuration files, this makes automatic scripting of dashboards possible. As you can see here.(…) I would hate to have to manually type all these IPs into a web interface.
But it would be wise to consider other user interfaces in which to manage this system. It is true that as security people web design and user interfaces are not our first priority; however, it is surprising how easy it can be with some of the modern frameworks. From personal experience, I was able to mock up something very reasonable in a short amount of time using the Sinatra framework.
Some of the capabilities you might want to include in a UI are:
1: Kibana dashboard generation
2: Alert creation, editing and deletion, snooze and whitelist capabilities, grouping, sorting, searching, display and export
3: History of world views
4: General infrastructure query tools
5: Usability helpers, docs and links
So you have built this pretty intricate and complex interconnected group of systems. And you should be proud. But is it working as intended? (…) Is it robust and secure? (…) Arguably this is one of the most important questions you could ask. And many times it is overlooked.
Consider creating tests that go beyond the build pipeline. (…) Create a set of small, SAFE, and I can’t stress that word enough, SAFE, red-teaming apps, bots, and scenarios to test the alert sets and time to discovery. (…) Create helper scripts that prune the alert sets themselves and look for unnecessary allow statements. This can help prevent stale alerts and privilege creep. (…)
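One such helper script, as an added example that is not part of the talk: it walks a set of alert rules and reports rules that have not fired in a long time, allow entries with no recorded reason, allow entries that never match anything, and allow-all statements that quietly switch a rule off. The rule format, the thresholds and the sample rules are assumptions constructed for illustration.

```python
"""Alert-set hygiene (added example, not from the talk). Walks an assumed
rule format and reports stale rules and allow (whitelist) statements that
are unexplained, unused, or far too broad. Rule shape, thresholds and the
sample rules are all constructed for illustration."""
from datetime import date

STALE_RULE_DAYS = 90    # a rule that has not fired in this long needs review
UNUSED_ALLOW_DAYS = 60  # an allow entry that matched nothing in this long too
ALLOW_ALL = {"*", "0.0.0.0/0", "::/0"}


def _age(stamp, today):
    """Days since an ISO date, or None when the date is missing."""
    return (today - date.fromisoformat(stamp)).days if stamp else None


def audit(rules, today):
    """Return (finding, rule, detail) tuples for everything worth pruning."""
    findings = []
    for r in rules:
        fired = _age(r.get("last_fired"), today)
        if fired is None or fired > STALE_RULE_DAYS:
            findings.append(("stale-rule", r["name"], fired))
        for a in r.get("allow", []):
            if not a.get("reason"):
                findings.append(("allow-without-reason", r["name"], a["value"]))
            # an entry that never matched is judged by how long ago it was added
            idle = _age(a.get("last_matched"), today)
            if (idle if idle is not None else _age(a["added"], today)) > UNUSED_ALLOW_DAYS:
                findings.append(("unused-allow", r["name"], a["value"]))
            if a["value"] in ALLOW_ALL:
                findings.append(("allow-all", r["name"], a["value"]))
    return findings


SAMPLE_RULES = [  # constructed
    {"name": "ssh-brute", "last_fired": "2017-12-30", "allow": [
        {"value": "10.1.2.3", "reason": "authorised scanner",
         "added": "2017-06-01", "last_matched": "2017-12-28"},
        {"value": "10.9.9.9", "reason": "", "added": "2017-03-01",
         "last_matched": None}]},
    {"name": "old-ftp", "last_fired": "2017-06-01", "allow": [
        {"value": "0.0.0.0/0", "reason": "temporary during migration",
         "added": "2017-05-01", "last_matched": "2017-12-31"}]},
    {"name": "new-port", "last_fired": None, "allow": []},
]
TODAY = date(2018, 1, 1)  # fixed so the sample output is reproducible


def audit_sample():
    return audit(SAMPLE_RULES, TODAY)
```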
In thinking about a robust system, consider how the system design would react to the loss of a data node. Or the loss of connections to an external service or data store? (…) What if the node cannot connect to the internet? Can it rebuild primary systems without it?
So now there is this system up and running, hopefully delivering meaningful alerts with few false positives. Slowly but surely you will start to expand your range of visibility and coverage within the infrastructure and even user machines. (…) There are really endless possibilities in the modern network. But there is also this wonderful treasure trove of data at your fingertips, and there really is so much that you can do with it.
If you are lucky like me, maybe you have some people on your team that understand all this math, statistical analysis, and machine learning stuff. (…) You can then begin to understand the data in new ways and detect anomalies you never could before. Everything we have been talking about today is very targeted at protecting a known item, with known rules. (…) Machine learning can help you look for anomalous activity over the entire network. (…) Literally find things you were not looking for.
Even though the primary function of this network monitoring system is security, it may be able to help other teams in your organization. It can help track down deployment problems, configuration errors, usage, or any number of other issues that show up in the network traffic.
This system can also be crucial when it comes to an external audit or inquiry. (…) Because you have the network traffic, DNS, and other service logs, you can prove or disprove assumptions. (…) In any digital law investigation I’ve ever been part of, the first question is “Where are the logs?”. That’s what auditors want to know as well.
Revealed by a detailed understanding of the organization
Find or create the relevant data
Tools…for indexing logs Elasticsearch
What is an anomaly
Build a world view, correlate logs, and test it.
Am I correlating my alerts
Killchains? Escalation chains
What about User Experience
Easier for people the better
Is it robust and secure?
Yes?
What else can I do with this data?
So, I’m coming to the conclusion of this talk. I hope that it has been useful to you. (…)
And I wanted to leave you with a few words. I know defense can be lonely. It doesn’t get all the glamour of offence. But remember, at the end of the day, you are the one everyone depends on.
This is you as long as you take up the challenge. You are the game master because you wrote the rules. You understand the technology. It is your playground. (…)
The only thing that can fail you is the hardware. And we can always get more hardware.