SANS CTI Summit 2016 Borderless Threat IntelligenceJason Trost
This past year was the year of the data breach. Large and small organizations across every industry vertical were impacted by compromises that ranged from theft of PII, intellectual property, and financial information to publication of entire backend databases and email spools. The data from these breaches often wound up being exposed publicly, exchanged or sold on underground markets, or simply leveraged to breach other organizations. Many of these breaches have cascading effects due to the transitive nature of security that exists across many companies. Many companies rely on critical business partners, subsidiaries, and other organizations whose services are trusted. Also, due to password reuse customers accounts included in a 3rd party data dump could enable unauthorized access to another business's assets.
In this talk we outline through case studies several ways that Threat Intelligence is being used today to improve the security and awareness of organizations by monitoring "supply chain" partners, customers, and trusted 3rd parties. Specifically we will discuss brand monitoring, mass credential compromises, signs of infection/compromise, and signs of targeting and social networking data-mining. We will outline how organizations can effectively integrate this practice into their existing security programs.
Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...Jason Trost
2015 is turning out to be the most spectacular year of high profile compromises across almost every vertical and many companies are starting to consider new options to raise the bar for intrusion detection and incident response, including deploying honeypots.
In this workshop we will present an overview of the current state of the art of leveraging open source tools to build a novel intrusion detection system inside the enterprise. We will discuss the pros/cons and ins/outs of several major open source honeypots as well as how to manage and deploy these sensors using the Modern Honey Network, Splunk, as well as integration into other systems such as ArcSight. We will discuss real world deployments of honeypots, what worked and what didn't as well as recommendations for getting the most out of these non-convention network sensors.
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisJason Trost
As organizations operationalize diverse network sensors of various types, from passive sensors to DNS sinkholes to honeypots, there are many opportunities to combine this data for increased contextual awareness for network defense and threat intelligence analysis. In this presentation, we discuss our experiences by analyzing data collected from distributed honeypot sensors, p0f, snort/suricata, and botnet sinkholes as well as enrichments from PDNS and malware sandboxing. We talk through how we can answer the following questions in an automated fashion: What is the profile of the attacking system? Is the host scanning/attacking my network an infected workstation, an ephemeral scanning/exploitation box, or a compromised web server? If it is a compromised server, what are some possible vulnerabilities exploited by the attacker? What vulnerabilities (CVEs) has this attacker been seen exploiting in the wild and what tools do they drop? Is this attack part of a distributed campaign or is it limited to my network?
BSidesNYC 2016 - An Adversarial View of SaaS Malware SandboxesJason Trost
Anyone attending this conference knows the usefulness of running malware in a sandbox to perform triage, speed security analysts' workflow, extract indicators of compromise (IOCs), and to gather useful information for detection and mitigation. When analysts do this, what are the OPSEC concerns regarding tipping the adversary off? Which sandbox providers are better than others in this regard? In this talk we will present some research on taking an adversarial view of the free and widely used SaaS malware sandboxes. When an adversary's malware is detonated in a sandbox, what network artifacts can they see? Can they determine which sandbox provider based on the network? How do malware and related IOCs submitted to these sandboxes propagate to security companies and ultimately threat intelligence feeds? In this talk, we will answer all these questions and more.
Threat Intelligence is by far one of the most over-used buzz words in the security industry. Many professionals have very mixed feelings about Threat Intelligence feeds as well. This discussion is around how LogRhythm’s internal security team utilizes Threat Intelligence to operationalize efficiently and streamline Security Operations processes and help improve an organization’s defenses. We will show how you can generate your own Threat Intelligence and create information sharing loops within like industries to fully realize the team's defensive capabilities. On top of the technical aspects around building out a good Threat Intel program, we will discuss how to manage this from a leadership perspective and get buy-in from the top. Most importantly, once these systems are in place, how we can show value to leadership using key performance indicators and leverage this to improve the overall security program.
SANS CTI Summit 2016 Borderless Threat IntelligenceJason Trost
This past year was the year of the data breach. Large and small organizations across every industry vertical were impacted by compromises that ranged from theft of PII, intellectual property, and financial information to publication of entire backend databases and email spools. The data from these breaches often wound up being exposed publicly, exchanged or sold on underground markets, or simply leveraged to breach other organizations. Many of these breaches have cascading effects due to the transitive nature of security that exists across many companies. Many companies rely on critical business partners, subsidiaries, and other organizations whose services are trusted. Also, due to password reuse customers accounts included in a 3rd party data dump could enable unauthorized access to another business's assets.
In this talk we outline through case studies several ways that Threat Intelligence is being used today to improve the security and awareness of organizations by monitoring "supply chain" partners, customers, and trusted 3rd parties. Specifically we will discuss brand monitoring, mass credential compromises, signs of infection/compromise, and signs of targeting and social networking data-mining. We will outline how organizations can effectively integrate this practice into their existing security programs.
Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...Jason Trost
2015 is turning out to be the most spectacular year of high profile compromises across almost every vertical and many companies are starting to consider new options to raise the bar for intrusion detection and incident response, including deploying honeypots.
In this workshop we will present an overview of the current state of the art of leveraging open source tools to build a novel intrusion detection system inside the enterprise. We will discuss the pros/cons and ins/outs of several major open source honeypots as well as how to manage and deploy these sensors using the Modern Honey Network, Splunk, as well as integration into other systems such as ArcSight. We will discuss real world deployments of honeypots, what worked and what didn't as well as recommendations for getting the most out of these non-convention network sensors.
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisJason Trost
As organizations operationalize diverse network sensors of various types, from passive sensors to DNS sinkholes to honeypots, there are many opportunities to combine this data for increased contextual awareness for network defense and threat intelligence analysis. In this presentation, we discuss our experiences by analyzing data collected from distributed honeypot sensors, p0f, snort/suricata, and botnet sinkholes as well as enrichments from PDNS and malware sandboxing. We talk through how we can answer the following questions in an automated fashion: What is the profile of the attacking system? Is the host scanning/attacking my network an infected workstation, an ephemeral scanning/exploitation box, or a compromised web server? If it is a compromised server, what are some possible vulnerabilities exploited by the attacker? What vulnerabilities (CVEs) has this attacker been seen exploiting in the wild and what tools do they drop? Is this attack part of a distributed campaign or is it limited to my network?
BSidesNYC 2016 - An Adversarial View of SaaS Malware SandboxesJason Trost
Anyone attending this conference knows the usefulness of running malware in a sandbox to perform triage, speed security analysts' workflow, extract indicators of compromise (IOCs), and to gather useful information for detection and mitigation. When analysts do this, what are the OPSEC concerns regarding tipping the adversary off? Which sandbox providers are better than others in this regard? In this talk we will present some research on taking an adversarial view of the free and widely used SaaS malware sandboxes. When an adversary's malware is detonated in a sandbox, what network artifacts can they see? Can they determine which sandbox provider based on the network? How do malware and related IOCs submitted to these sandboxes propagate to security companies and ultimately threat intelligence feeds? In this talk, we will answer all these questions and more.
Threat Intelligence is by far one of the most over-used buzz words in the security industry. Many professionals have very mixed feelings about Threat Intelligence feeds as well. This discussion is around how LogRhythm’s internal security team utilizes Threat Intelligence to operationalize efficiently and streamline Security Operations processes and help improve an organization’s defenses. We will show how you can generate your own Threat Intelligence and create information sharing loops within like industries to fully realize the team's defensive capabilities. On top of the technical aspects around building out a good Threat Intel program, we will discuss how to manage this from a leadership perspective and get buy-in from the top. Most importantly, once these systems are in place, how we can show value to leadership using key performance indicators and leverage this to improve the overall security program.
An Adversarial View of SaaS Malware SandboxesJason Trost
Anyone attending this conference knows the usefulness of running malware in a sandbox to perform triage, speed security analysts' workflow, extract indicators of compromise (IOCs), and to gather useful information for detection and mitigation. When analysts do this, what are the OPSEC concerns regarding tipping the adversary off? Which sandbox providers are better than others in this regard? In this talk we will present some research on taking an adversarial view of the free and widely used SaaS malware sandboxes. When an adversary's malware is detonated in a sandbox, what network artifacts can they see? Can they determine which sandbox provider based on the network? How do malware and related IOCs submitted to these sandboxes propagate to security companies and ultimately threat intelligence feeds? In this talk, we will answer all these questions and more.
This presentation was delivered at BSides Augusta in September 2016. The A/V portion is available here: https://www.youtube.com/watch?v=i6p71t9PFWM
Abstract:
"We can all agree that threat ("Evil") detection is an essential component of a functioning security monitoring program. Let's start thinking about how to take our tradecraft to the next level and hunt for insecure conditions ("Ways for Evil to do Evil things") that might allow threat actors to succeed in their mission.
This talk will run through some of the observations gathered during hunting expeditions inside the networks of multiple Fortune-ranked organizations and challenge you to expand your security operations thinking beyond signature-based detection.
- What is Hunting?
- How have we done it?
- What have we found, and what should be done about those findings?
- How might you achieve similar outcomes in your own environment?"
Speakers:
- Jacqueline Stokes (@find_evil) is an infosec enthusiast who picked up hacking as a preteen and cut her teeth over multiple years in Iraq. Her ongoing mission is to assess and advise clients on the most actionable and forward-thinking methods to improve detection, response, and containment of advanced threats. Jackie likes long walks on the beach, 90's nostalgia, and is the president and founding member of the Kevin Mandia Fan Club.
- Danny Akacki (@dakacki) was a Lead Analyst with GE Capitals' Applied Intelligence team prior to his employment with Mandiant, and now works for Bank of America's hunt team. He is a pragmatic optimist and believes we are probably screwed, but hopes we aren't. Danny enjoys finding evil on the weekends.
- Stephen Hinck (@stephenhinck) is a Senior Security Analyst at Oracle, Inc. Stephen stumbled into the information security world years ago and has since only managed to dig his way deeper to the rabbit hole. With a background in security operations, incident response and threat hunting, Stephen's experience is multi-faceted. Although he enjoys many things, he absolutely hates writing silly bios like this one.
This presentation was delivered at SkyDogCon 6 in October 2016. The A/V is available here: https://www.youtube.com/watch?list=PLLEf-wPc7Tyae19iTuzKOXmPj-IQBIWuU&v=mKxGulV2Z74
It is an updated version of the original deck presented at BSides Augusta 2016 - Added original content including information on use cases and added definition/clarity.
Abstract:
"We can all agree that threat ("Evil") detection is an essential component of a functioning security monitoring program. Let's start thinking about how to take our tradecraft to the next level and hunt for insecure conditions ("Ways for Evil to do Evil things") that might allow threat actors to succeed in their mission.
This talk will run through some of the observations gathered during hunting expeditions inside the networks of multiple Fortune-ranked organizations and challenge you to expand your security operations thinking beyond signature-based detection.
- What is Hunting?
- How have we done it?
- What have we found, and what should be done about those findings?
- How might you achieve similar outcomes in your own environment?"
Speakers:
- Jacqueline Stokes (@find_evil) is an infosec enthusiast who picked up hacking as a preteen and cut her teeth over multiple years in Iraq. Her ongoing mission is to assess and advise clients on the most actionable and forward-thinking methods to improve detection, response, and containment of advanced threats. Jackie likes long walks on the beach, 90's nostalgia, and is the president and founding member of the Kevin Mandia Fan Club.
Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty
The security industry is talking a lot about threat intelligence; external information that a company can leverage to understand where potential threats are knocking on the door and might have already perpetrated the network boundaries. Conversations with many CERTs have shown that we have to stop relying on knowledge about how attacks have been conducted in the past and start 'hunting' for signs of compromises and anomalies in our own environments.
In this presentation we explore how the decade old field of security visualization has emerged. We show how we have applied advanced analytics and visualization to create our own threat intelligence and investigated lateral movement in a Fortune 50 company.
Visualization. Data science. No machine learning. But pretty pictures.
Here is a blog post I wrote a bit ago about the general theme of internal threat intelligence:
http://www.darkreading.com/analytics/creating-your-own-threat-intel-through-hunting-and-visualization/a/d-id/1321225?
Combating Insider Threats – Protecting Your Agency from the Inside OutLancope, Inc.
Whether they realize it or not, all enterprises have valuable data to protect. Credit card information, trade secrets, and patient data, for example, are all prime targets for cyber criminals.
You can reduce risk to your sensitive data through the use of compliance/segmentation monitoring. But what happens when malicious insiders or external attackers bypass these controls?
Join Lancope’s Consulting Security Architect, Charles Herring, to learn how network behavioral anomaly detection (NBAD) and deep visibility through NetFlow can be used to quickly alert administrators to these violations. Discover how to detect anomalies such as data hoarding and data loss to more effectively safeguard your crown jewels.
The landscape of open source malware analysis tools improves every day. A malware analysis lab can be thought of as a set of entry points into a tool chain. The main entry points are a file, a URL, a network traffic capture, and a memory image. This talk is an examination of the major open source tools that satisfy the analysis requirements for each of these entry points. Each tool’s output can potentially feed into another tool for further analysis. The linking of one tool to the next in a tool chain allows one to build a comprehensive automated malware analysis lab using open source software.
For file analysis, the three major versions of Cuckoo Sandbox will be examined. To analyze a potentially malicious URL, the low-interaction honeyclient, Thug, will be covered. Next, if one has a network capture (PCAP) to analyze, the Bro Network Security Monitor is a great option, and will be covered. Finally, if the analysis target is a memory image, the Volatility Framework will be examined. Each of the inputs and outputs of the tools will be reviewed to expose ways that they can be chained together for the purpose of automation.
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)PRISMA CSI
This presentation part of Prisma CSI's Practical White Hat Hacker Training v1
PRISMA CSI • Cyber Security and Intelligence www.prismacsi.com
This document can be shared or used by quoted and used for commercial purposes, but can not be changed. Detailed information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.
Every IR presents unique challenges. But - when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly-evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day - the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.
Details a massive intrusion by Russian APT29 (AKA CozyDuke, Cozy Bear)
Burning Down the Haystack to Find the Needle: Security Analytics in ActionJosh Sokol
Your network is already compromised, but do you know how and by whom? Can you find them, remove them, and prevent them from getting back in again? In this presentation, we will examine actual attacks and indicators of compromise and show how, using some basic network flow pattern analysis, we can detect and prevent contemporary malware, advanced persistent threats (APTs), zero-day exploits and more. In addition, we will discuss how to feed this data into a security analytics program to create a new, broader perspective on the threats that your organization faces.
Over the past four years at National Instruments, we have been collecting tools to work cohesively as part of a larger security analytics platform. The goal of this presentation is to provide the attendee with the basic information that they need in order to build a security analytics program of their own. We will begin by talking about the problem of a lack of visibility within the enterprise environment. From there, we will talk about the traits that characterize a tool as being good for security analytics. Next, we will talk about the types of data that exists in the different tool sets and what types of questions they are good at answering. From there, we will talk about what it means to create patterns and analyze your data to find those specific patterns. Then, we will look at some specific analytics that are useful to run on a regular basis to find malware, misconfigured systems, APTs, and more. Lastly, we will talk about actionable (and even automated) next steps once we discover the patterns that we are looking for.
This talk will encourage audience participation by encouraging them to share what they are doing to perform security analytics and is appropriate for both novice and experienced security professionals.
User and entity behavior analytics: building an effective solutionYolanta Beresna
This presentation provides an overview of UEBA space and gives insights into the core components of an effective solution, such as relevant Threat and Attack Scenarios, Data Sources, and various Analytic techniques. This was presented during ISSA-UK chapter meeting.
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
Speakers: Ashley Shen, Steve Su
This is a threat hunting and campaign tracking 101 workshop Ashley Shen (Google) and Steve (FireEye) prepared for the HITCON 2020 CTI Village. In this presentation we share the threat hunting concept with some basic techniques and explain the process and guidance for campaign tracking. The presentation was only 65 mins so we couldn't covered everything. However through this talk we hope to share our experience and insight to the beginners.
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...Alex Pinto
We could all have predicted this with our magical Big Data analytics platforms, but it seems that Machine Learning is the new hotness in Information Security. A great number of startups with ‘cy’ and ‘threat’ in their names that claim that their product will defend or detect more effectively than their neighbour's product "because math". And it should be easy to fool people without a PhD or two that math just works.
Indeed, math is powerful and large scale machine learning is an important cornerstone of much of the systems that we use today. However, not all algorithms and techniques are born equal. Machine Learning is a most powerful tool box, but not every tool can be applied to every problem and that’s where the pitfalls lie.
This presentation will describe the different techniques available for data analysis and machine learning for information security, and discuss their strengths and caveats. The Ghost of Marketing Past will also show how similar the unfulfilled promises of deterministic and exploratory analysis were, and how to avoid making the same mistakes again.
Finally, the presentation will describe the techniques and feature sets that were developed by the presenter on the past year as a part of his ongoing research project on the subject, in particular present some interesting results obtained since the last presentation on DefCon 21, and some ideas that could improve the application of machine learning for use in information security, especially in its use as a helper for security analysts in incident detection and response.
Video (at YouTube) - http://bit.ly/19TNSTF
Big Data Security Analytics, Data Science and Machine Learning are a few of the new buzzwords that have invaded out industry of late. Most of what we hear are promises of an unicorn-laden, silver-bullet panacea by heavy-handed marketing folks, evoking an expected pushback from the most enlightened members of our community.
This talk will help parse what we as a community need to know and understand about these concepts and help understand where the technical details and actual capabilities of those concepts and also where they fail and how they can be exploited and fooled by an attacker.
The talk will also share results of the author's current ongoing research (on MLSec Project) of applying machine learning techniques to information secuirty monitoring.
An Adversarial View of SaaS Malware SandboxesJason Trost
Anyone attending this conference knows the usefulness of running malware in a sandbox to perform triage, speed security analysts' workflow, extract indicators of compromise (IOCs), and to gather useful information for detection and mitigation. When analysts do this, what are the OPSEC concerns regarding tipping the adversary off? Which sandbox providers are better than others in this regard? In this talk we will present some research on taking an adversarial view of the free and widely used SaaS malware sandboxes. When an adversary's malware is detonated in a sandbox, what network artifacts can they see? Can they determine which sandbox provider based on the network? How do malware and related IOCs submitted to these sandboxes propagate to security companies and ultimately threat intelligence feeds? In this talk, we will answer all these questions and more.
This presentation was delivered at BSides Augusta in September 2016. The A/V portion is available here: https://www.youtube.com/watch?v=i6p71t9PFWM
Abstract:
"We can all agree that threat ("Evil") detection is an essential component of a functioning security monitoring program. Let's start thinking about how to take our tradecraft to the next level and hunt for insecure conditions ("Ways for Evil to do Evil things") that might allow threat actors to succeed in their mission.
This talk will run through some of the observations gathered during hunting expeditions inside the networks of multiple Fortune-ranked organizations and challenge you to expand your security operations thinking beyond signature-based detection.
- What is Hunting?
- How have we done it?
- What have we found, and what should be done about those findings?
- How might you achieve similar outcomes in your own environment?"
Speakers:
- Jacqueline Stokes (@find_evil) is an infosec enthusiast who picked up hacking as a preteen and cut her teeth over multiple years in Iraq. Her ongoing mission is to assess and advise clients on the most actionable and forward-thinking methods to improve detection, response, and containment of advanced threats. Jackie likes long walks on the beach, 90's nostalgia, and is the president and founding member of the Kevin Mandia Fan Club.
- Danny Akacki (@dakacki) was a Lead Analyst with GE Capitals' Applied Intelligence team prior to his employment with Mandiant, and now works for Bank of America's hunt team. He is a pragmatic optimist and believes we are probably screwed, but hopes we aren't. Danny enjoys finding evil on the weekends.
- Stephen Hinck (@stephenhinck) is a Senior Security Analyst at Oracle, Inc. Stephen stumbled into the information security world years ago and has since only managed to dig his way deeper to the rabbit hole. With a background in security operations, incident response and threat hunting, Stephen's experience is multi-faceted. Although he enjoys many things, he absolutely hates writing silly bios like this one.
This presentation was delivered at SkyDogCon 6 in October 2016. The A/V is available here: https://www.youtube.com/watch?list=PLLEf-wPc7Tyae19iTuzKOXmPj-IQBIWuU&v=mKxGulV2Z74
It is an updated version of the original deck presented at BSides Augusta 2016 - Added original content including information on use cases and added definition/clarity.
Abstract:
"We can all agree that threat ("Evil") detection is an essential component of a functioning security monitoring program. Let's start thinking about how to take our tradecraft to the next level and hunt for insecure conditions ("Ways for Evil to do Evil things") that might allow threat actors to succeed in their mission.
This talk will run through some of the observations gathered during hunting expeditions inside the networks of multiple Fortune-ranked organizations and challenge you to expand your security operations thinking beyond signature-based detection.
- What is Hunting?
- How have we done it?
- What have we found, and what should be done about those findings?
- How might you achieve similar outcomes in your own environment?"
Speakers:
- Jacqueline Stokes (@find_evil) is an infosec enthusiast who picked up hacking as a preteen and cut her teeth over multiple years in Iraq. Her ongoing mission is to assess and advise clients on the most actionable and forward-thinking methods to improve detection, response, and containment of advanced threats. Jackie likes long walks on the beach, 90's nostalgia, and is the president and founding member of the Kevin Mandia Fan Club.
Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty
The security industry is talking a lot about threat intelligence; external information that a company can leverage to understand where potential threats are knocking on the door and might have already perpetrated the network boundaries. Conversations with many CERTs have shown that we have to stop relying on knowledge about how attacks have been conducted in the past and start 'hunting' for signs of compromises and anomalies in our own environments.
In this presentation we explore how the decade old field of security visualization has emerged. We show how we have applied advanced analytics and visualization to create our own threat intelligence and investigated lateral movement in a Fortune 50 company.
Visualization. Data science. No machine learning. But pretty pictures.
Here is a blog post I wrote a bit ago about the general theme of internal threat intelligence:
http://www.darkreading.com/analytics/creating-your-own-threat-intel-through-hunting-and-visualization/a/d-id/1321225?
Combating Insider Threats – Protecting Your Agency from the Inside OutLancope, Inc.
Whether they realize it or not, all enterprises have valuable data to protect. Credit card information, trade secrets, and patient data, for example, are all prime targets for cyber criminals.
You can reduce risk to your sensitive data through the use of compliance/segmentation monitoring. But what happens when malicious insiders or external attackers bypass these controls?
Join Lancope’s Consulting Security Architect, Charles Herring, to learn how network behavioral anomaly detection (NBAD) and deep visibility through NetFlow can be used to quickly alert administrators to these violations. Discover how to detect anomalies such as data hoarding and data loss to more effectively safeguard your crown jewels.
The landscape of open source malware analysis tools improves every day. A malware analysis lab can be thought of as a set of entry points into a tool chain. The main entry points are a file, a URL, a network traffic capture, and a memory image. This talk is an examination of the major open source tools that satisfy the analysis requirements for each of these entry points. Each tool’s output can potentially feed into another tool for further analysis. The linking of one tool to the next in a tool chain allows one to build a comprehensive automated malware analysis lab using open source software.
For file analysis, the three major versions of Cuckoo Sandbox will be examined. To analyze a potentially malicious URL, the low-interaction honeyclient, Thug, will be covered. Next, if one has a network capture (PCAP) to analyze, the Bro Network Security Monitor is a great option, and will be covered. Finally, if the analysis target is a memory image, the Volatility Framework will be examined. Each of the inputs and outputs of the tools will be reviewed to expose ways that they can be chained together for the purpose of automation.
Practical White Hat Hacker Training - Passive Information Gathering(OSINT)PRISMA CSI
This presentation part of Prisma CSI's Practical White Hat Hacker Training v1
PRISMA CSI • Cyber Security and Intelligence www.prismacsi.com
This document can be shared or used by quoted and used for commercial purposes, but can not be changed. Detailed information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.
Every IR presents unique challenges. But - when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly-evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day - the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.
Details a massive intrusion by Russian APT29 (AKA CozyDuke, Cozy Bear)
Burning Down the Haystack to Find the Needle: Security Analytics in ActionJosh Sokol
Your network is already compromised, but do you know how and by whom? Can you find them, remove them, and prevent them from getting back in again? In this presentation, we will examine actual attacks and indicators of compromise and show how, using some basic network flow pattern analysis, we can detect and prevent contemporary malware, advanced persistent threats (APTs), zero-day exploits and more. In addition, we will discuss how to feed this data into a security analytics program to create a new, broader perspective on the threats that your organization faces.
Over the past four years at National Instruments, we have been collecting tools to work cohesively as part of a larger security analytics platform. The goal of this presentation is to provide the attendee with the basic information that they need in order to build a security analytics program of their own. We will begin by talking about the problem of a lack of visibility within the enterprise environment. From there, we will talk about the traits that characterize a tool as being good for security analytics. Next, we will talk about the types of data that exists in the different tool sets and what types of questions they are good at answering. From there, we will talk about what it means to create patterns and analyze your data to find those specific patterns. Then, we will look at some specific analytics that are useful to run on a regular basis to find malware, misconfigured systems, APTs, and more. Lastly, we will talk about actionable (and even automated) next steps once we discover the patterns that we are looking for.
This talk will encourage audience participation by encouraging them to share what they are doing to perform security analytics and is appropriate for both novice and experienced security professionals.
User and entity behavior analytics: building an effective solutionYolanta Beresna
This presentation provides an overview of UEBA space and gives insights into the core components of an effective solution, such as relevant Threat and Attack Scenarios, Data Sources, and various Analytic techniques. This was presented during ISSA-UK chapter meeting.
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
Speakers: Ashley Shen, Steve Su
This is a threat hunting and campaign tracking 101 workshop Ashley Shen (Google) and Steve (FireEye) prepared for the HITCON 2020 CTI Village. In this presentation we share the threat hunting concept with some basic techniques and explain the process and guidance for campaign tracking. The presentation was only 65 mins so we couldn't covered everything. However through this talk we hope to share our experience and insight to the beginners.
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...Alex Pinto
We could all have predicted this with our magical Big Data analytics platforms, but it seems that Machine Learning is the new hotness in Information Security. A great number of startups with ‘cy’ and ‘threat’ in their names that claim that their product will defend or detect more effectively than their neighbour's product "because math". And it should be easy to fool people without a PhD or two that math just works.
Indeed, math is powerful and large scale machine learning is an important cornerstone of much of the systems that we use today. However, not all algorithms and techniques are born equal. Machine Learning is a most powerful tool box, but not every tool can be applied to every problem and that’s where the pitfalls lie.
This presentation will describe the different techniques available for data analysis and machine learning for information security, and discuss their strengths and caveats. The Ghost of Marketing Past will also show how similar the unfulfilled promises of deterministic and exploratory analysis were, and how to avoid making the same mistakes again.
Finally, the presentation will describe the techniques and feature sets that were developed by the presenter on the past year as a part of his ongoing research project on the subject, in particular present some interesting results obtained since the last presentation on DefCon 21, and some ideas that could improve the application of machine learning for use in information security, especially in its use as a helper for security analysts in incident detection and response.
Video (at YouTube) - http://bit.ly/19TNSTF
Big Data Security Analytics, Data Science and Machine Learning are a few of the new buzzwords that have invaded out industry of late. Most of what we hear are promises of an unicorn-laden, silver-bullet panacea by heavy-handed marketing folks, evoking an expected pushback from the most enlightened members of our community.
This talk will help parse what we as a community need to know and understand about these concepts and help understand where the technical details and actual capabilities of those concepts and also where they fail and how they can be exploited and fooled by an attacker.
The talk will also share results of the author's current ongoing research (on MLSec Project) of applying machine learning techniques to information secuirty monitoring.
BSidesLV 2013 - Using Machine Learning to Support Information SecurityAlex Pinto
Big Data, Data Science, Machine Learning and Analytics are a few of the new buzzwords that have invaded out industry of late. Again we are being sold a unicorn-laden, silver-bullet panacea by heavy handed marketing folks, evoking an expected pushback from the most enlightened members of our community. However, as was the case before, there might just be enough technical meat in there to help out with our security challenges and the overwhelming odds we face everyday. And if so, what do we as a community have to know about these technologies in order to be better professionals? Can we really use the data we have been collecting to help automate our security decision making? Is a robot going to steal my job?
If you are interested in what is behind this marketing buzz and are not scared of a little math, this talk would like to address some insights into applying Machine Learning techniques to data any of us have easy access to, and try to bring home the point that if all of this technology can be used to show us “better” ads in social media and track our behavior online (and a bit more than that) it can also be used to defend our networks as well.
Magic, art or science? Deep learning unraveledGoDataDriven
Contents and talk by Ivo Evers
Machine learning - deep learning - use cases - lessons
Data + computing power = Rocket fuel + engine
Deep learning is yet another claim for the success and threats of AI
Deep nets are hard to implement and explain
Deep Learning Based Real-Time DNS DDoS Detection SystemSeungjoo Kim
[Poster] Deep Learning Based Real-Time DNS DDoS Detection System @ ACSAC 2016 (The 32nd Annual Computer Security Applications Conference 2016), which is one of the most important cyber security conferences in the world and the oldest information security conference held annually
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...Jason Trost
Honeypots are really useful for collecting security data for research, especially around botnets, scanning hosts, password brute forcers, and other misbehaving systems. They are also the cheapest way collect this data at scale. Deploying many types of honeypots across geo-diverse locations of the Internet improves the aggregate data quality and provides a holistic view. This provides insight into both global trends of attacks and network activity as well as the behaviors of individual malicious systems. For these reasons, we started the Modern Honey Network, which is both an open source (GPLv3) project and a community of hundreds of MHN servers that manage and aggregate data from thousands of heterogeneous honeypots (Dionaea, Kippo, Amun, Conpot, Wordpot, Shockpot, and Glastopf) and network sensors (Snort, Suricata, p0f) deployed by different individuals and organizations as a distributed sensor network. The project has turned into the largest crowdsourced honeynet in the world consisting of thousands of diverse sensors deployed across 35 countries and 5 continents worldwide. Sensors are operated by all sorts of people from hobbyists, to academic researchers, to Fortune 1000 companies. In this talk we will discuss our experience in starting this project, analyzing the data, and building a crowdsourced global sensor network for tracking security threats and gathering interesting data for research. We've found that lots of people like honeypots, especially if you give them a cool realtime visualization of their data and make it easy to setup; lots of organizations will share their data with you if it is part of a community; and lots of companies will deploy honeypots as additional network sensors, especially if you make it easy to deploy/manage/integrate with their existing security tools.
Anomaly Detection - New York Machine LearningTed Dunning
Anomaly detection is the art of finding what you don't know how to ask for. In this talk, I walk through the why and how of building probabilistic models for a variety of problems including continuous signals and web traffic. This talk blends theory and practice in a highly approachable way.
Extending Flink for anomaly detection with Hierarchical Temporal Memory (HTM). Presented at Bay Area Apache Flink Meetup, in San Jose on June 27, 2016.
https://github.com/htm-community/flink-htm
Data protection is at the center of a mature organizational information security strategy. Encryption plays an important role in that strategy to effectively protect data, even after other lines of defense have been compromised.
Unfortunately, there are many factors complicating the when, where and how of successfully using encryption technologies:
Final Year Project Synopsis: Post Quantum Encryption using Neural NetworksJPC Hanson
A synopsis of my final year project at Brunel University exploring the possibilities of using Neural Networks as a method of encryption immune to Shor's algorithm. i.e. a secure, 'post quantum' alternative to the NTRU algorithms.
Continuous Automated Red Teaming (CART) - Bikash BaraiAllanGray11
The Slides cover :
Offensive Attack landscape: Analyzing Data from Deep dark and Surface web
Tools, Techniques & Trends related to Offensive Attack Simulation: Attack Surface Management (ASM), Continuous Automated Red Teaming (CART) & More
How CART (Continuous Automated Red Teaming) can help
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...EC-Council
DNS: STRATEGIES FOR REDUCING DATA LEAKAGE & PROTECTING ONLINE PRIVACY
DNS is the foundational protocol used to directly nearly all Internet traffic making the collection and analysis of DNS traffic highly valuable. This talk will examine ways in which you can effectively limit the disclosure of your online habits through securing the way your local DNS resolvers work.
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezEC-Council
Bobby Dominguez is an accomplished Internet pioneer and an acknowledged security, risk, and privacy expert. Mr. Dominguez has successfully integrated information security into top-level business initiatives at Home Shopping Network, PSCU Financial Services, and PNC Bank, where he implemented a new technology risk management framework. Under his leadership, the Sykes Global Security and Risk Management team was nominated and selected as one of the 5 best by 2008 SC Magazine “Best Security Team in the US.” Mr. Dominguez was also selected as one of the top 5 Chief Security Officers for the 2009, 2010, and 2013 SC Magazine “CSO of Year.” In 2012 he was a finalist for (ISC)2 Americas Information Security Leadership Awards.
Nothing strikes fear into the heart of an engineer more than the installation of a firewall to achieve the laudable goal of defense-in-depth through network segmentation. Security teams demand the implementation of firewalls telling everyone, “It’s for compliance!” But the addition of firewalls and other security appliances (aka chokepoints) into an infrastructure infuriates network engineers who design to optimize speed and minimize latency. Sysadmins and DBAs are equally frustrated, because of the increased complexity in building and troubleshooting applications. So it’s down the rabbit hole we go trying to achieve the unachievable with everyone waxing rhapsodic for those bygone days when the end-to-end principle ruled the Internet. Is it really possible to have security coexist with operational efficiency? Organizations seem happy to throw money at technology and operations, but when it comes to policies and procedures, they fail miserably. This is the biggest problem with building a layered design. As engineers, if we don’t have clear policies as a set of requirements, how will we determine the appropriate network segmentation and protections to put in place? The answer lies in aligning network segmentation with an organizational data classification matrix and understanding that while compliance and security often overlap, they’re not the same.
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
Web App Security - A presentation by Ryan Holland, Sr. Director, Cloud Architecture at Alert Logic for the Vancouver AWS User Group Meetup on May 31, 2017.
Mindfulness – “The quality or state of being conscious or aware of something.” Security can seem intimidating and complex for many, but we shouldn’t (can’t) let that stop us from doing everything we can to secure our WordPress sites and ourselves. After all, our websites are often part of our livelihood. In this session Adam addresses the “big picture” of personal and website security and breaks down the fundamental tasks needed for a strong security plan online. He provides an actionable checklist on what audience members can implement immediately to better secure themselves online in addition to their WordPress websites. After attending this session, audience members will have a better understanding of personal security online and how it affects website security as a whole, as well as steps they can take to mitigate risk in the future.
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsIBM Security
IT security teams have a tough job. While organizations depend upon Internet access to conduct business, security teams are responsible for safeguarding these communications and transactions from those who wish to profit by stealing intellectual property, customer private data or even just encrypting your data and demanding a ransom for its safe recovery. There are a number of tools available to monitor log events, network flows, and packet captures, but most of these are performing after-the-fact analysis. That can make it easy for the bad guys to hide out on your network.
IBM QRadar Network Insights (QNI) uses innovative network threat analytics to identify malicious content – including those hidden in data transmissions, SSL certificate violations, protocol obfuscation, file tags, and suspicious network flows – and then pieces together those indicators of attack to provide security teams with real-time alerts. These alerts help organizations detect attacks that are in progress, as well as determine what damage may have already been inflicted.
View this on-demand webinar to learn how QRadar Network Insights can:
Remove network blind spots and reduce complexities in log data to reveal previously hidden threats and malicious behaviors;
Record application activities, capture file metadata and artifacts, and identify assets, applications and users participating in network communications;
Reduce the impact of threats associated with malware, phishing emails, data exfiltration, and the lateral network movements of advanced attacks.
How To Handle Breach Disclosures? Bug Bounty, Coordinated Vulnerability Discl...Priyanka Aash
Breaches are at all time high. In this webinar learn the do's and don't of handling breach disclosure. Best practices of how to set up a bounty program . How to respond to responsible disclosures? Do's and Don'ts and learning from the industry.
Key Points To Be Discussed:
-How to build a vulnerability disclosure program?
-What are various types of vulnerability disclosures programs?
-When and when NOT to have a bug bounty program?
-Do's and Don'ts for handling a breach disclosure
Primer on DNS tunneling used as a vector for data theft via malware and insider threats with mitigation techniques and pointers on improving outbound DNS security architecture.
Similar to R-CISC Summit 2016 Borderless Threat Intelligence (20)
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
R-CISC Summit 2016 Borderless Threat Intelligence
1. Borderless Threat Intelligence
Using External Threat Intelligence for Brand &
Supply Chain Monitoring
Jason Trost
R-CISC Summit 2016
April 26th, 2016
2. whoami
•Jason Trost
•VP of Threat Research @ Anomali
•Previously at Sandia, DoD, Booz Allen, Endgame Inc.
•Background in Big Data Analytics, Security Research, and Machine
Learning
•Big advocate and contributor to open source:
• Modern Honey Network, BinaryPig, Honeynet Project
• Apache Accumulo, Apache Storm, Elasticsearch
3. Anomali
•Formerly known as ThreatStream, Inc.
•Cyber Security company founded in 2013 and venture backed by Google
Ventures, Paladin Capital Group, Institutional Venture Partners, and General
Catalyst Partners.
•SaaS based enterprise security software that provides actionable threat
intelligence and breach analytics to large enterprises and government
agencies.
•Our customers hail from the financial services, healthcare, retail, energy, and
technology sectors.
4. Agenda
• Overview
• Supply Chain Monitoring
• External Threat Intelligence
• Suspicious Domains
• Network Cleanliness
• Social Media and DarkWeb
• Credential Exposures
• Operationalizing
• Wrap up
5. Overview
• External threat intelligence based Breach Analytics
• i.e. using intelligence about events that may not be observable on
your network to detect breaches or other security events
• We apply this beyond your borders to your supply chain
• Types of threat intelligence covered include:
• Suspicious Domains
• Network Cleanliness
• Social Media and DarkWeb
• Credential Exposures
6. Defining Your Supply Chain
• Any vendor, partner, or customer that your organization relies on or
trusts implicitly or explicitly
• Supply chain members are a dependency in your vulnerable graph
• Breaches within your supply chain may impact your organization
• Supply chain examples:
• Contractors or vendors
• Software, Third Party Libraries, Remote Access Tools (VPN)
• Environmental Control
• Power, Utilities, and Telecomms
• Computing, Hosting, and ISPs
• SaaS Services
7. On Premises Controls
• On Premises Controls will only work for supply chain events within
your network
• Code / Library Reviews
• Network Flow and Account Access Reviews
• Internal Pivoting
• Threat Feeds correlated with log events (DNS, web proxy, firewall,
etc.)
• They cannot detect events occurring outside your network
8. Zero Premises Controls
• How can you use Your Threat Intelligence solution to identify Supply
Chain Threats?
• Zero Premises Controls will extend your capabilities deep within your
suppliers infrastructure!
• Public Credential Exposures (Yourself, Partners, Suppliers)
• Threat Feeds (External Organizations on Block lists)
• Portscan/Web crawl Data Reviews (Shodan/Censys)
• Suspicious Domain Registrations (Yourself, Partners, Suppliers)
• Social Media / DarkWeb Monitoring
9. Supply Chain Threat Intelligence
• Document and Research
• Supply chain company’s security posture?
• Network cleanliness? Web footprint?
(Services/Capabilities)
• Supply chain company compromised?
• How Recent? Repeated? May put you at risk
• Supply chain company’s brand used to phish you?
• Pay Special Attention to Service Desk Companies!
• Supply chain company being targeted?
• Examples may not be so obvious
• DNS Registrars hold the keys
14. Case Study: Suspicious Domain Registration
• Abuse isn’t always about network compromises
• Major US Based Cable and Telecommunications company
• Fraudulent procurement attempt
• Email sent from johnsmith@${company}-us.com, but with the
correct letter head and markings
• Discovered by SIEM scanning incoming email logs and flagged
messages as suspicious
• Security team prevented fraudulent transaction, fraud team seized
domain
15. Network Cleanliness Monitoring
• Systems from your IP space or your supply chain’s showing up as …
• Bot IPs
• Scanning IPs
• Brute force IPs
• Spam IPs
• Your webserver hosting malicious content?
• Vulnerable or unexpected services running and discoverable?
• Inventory Items: IP Address Space of organization and key executives
(if possible)
• Data Sources: Threat intelligence feeds, honeypot events, botnet
sinkhole, Portscan/Web crawl data
• Operations: SIEM integration, Email notifications, passive audits of
portscan/webcrawl data
16. Case Study: Network Cleanliness
• Large Hi-tech firm evaluating IT staffing company for outsourcing some
development and IT services
• IT Staffing company would need VPN access and access to other internal IT
resources
• Passive vendor audit performed using threat intelligence data and public
portscan repository
• Upon inspection, IT staffing company had very poor network hygiene
• tens of IPs regularly checked in to malware sinkholes
• tens of IPs regularly scanned honeypot sensors
• thousands of compromised credentials
• IT staffing company deemed too risky
17. Social Network and Darkweb Monitoring
• Inventory Items: Brand names, key executive names
• Data Sources: Social media feeds, Crawling DarkWeb, analysts
monitoring darkweb, Google Dorks
• Operations: SIEM integration, Email notifications
Credential Exposure
Posting from the Hell
Darkweb forum
18. Case Study: Social Media/Darkweb Monitoring
• Brand monitoring for Major US Based Retailer
• Discovered a custom built attack tool designed
for the sole purpose of brute forcing a specific
part of the retailer’s web infrastructure
• Provided the sample and a report about what it
did, how it worked and who built it to the
retailer
19. Credential Exposure Monitoring
• Inventory Items: email domains, email addresses of key executives
• Data sources: Paste sites, Google Dorks, Darkweb
• Operations: SIEM integration / orchestration system – notify users/reset
passwords, Email alerts
20. Case Study: Credential Exposures
• Brand monitoring for a Major Food and Beverage Company
• Discovered leaked credentials from an internal IT wiki page that was
accidently exposed
• Company alerted and changed all passwords within 24 hours
• No evidence that these credentials were abused in that time
22. Build an Inventory
• Create an inventory
• Yourself
• Critical supply chain partners
• The adversaries this, you should too
• Email domains names
• Internal and External domain names
• Personal email addresses of key executives
• Company’s IP address space
• IP address space of key executives’ home networks
• Brand names
• Names of key executives
23. Data Sources and Integration Points
Data Sources Integration Points
Suspicious
Domains
• New domain registration data (Whois)
• Passive DNS
• Virustotal Hunting
• Repeated reviews of DynDNS
• SIEM integrations
• Email based alerting
Network
Cleanliness
• Honeypots / C2 Sinkholes
• Open source threat feeds
• Spammer feeds
• Commercial Threat intelligence providers
• Portscan / Web crawl data
• Search/Alert on your IP network or your supply
chain’s network showing up on these lists.
• SIEM integrations
• Email based alerting
• Periodic review of external internet facing assets
Social Media and
Dark Web
• DarkWeb / DeepWeb Forums
• Social Media Sites
• Google Dorks
• Search/Alert on your brand or your supply chains’
• SIEM integrations
Compromised
Credentials
• Paste sites
• DarkWeb / DeepWeb monitoring
• Google dorks
• Commercial Threat intelligence providers
• Search/Alert on your email domains or those of your
supply chain
• Notify users
• Reset passwords as needed
24. Summary
• Organizations must watch more than themselves and their industry
vertical
• High Tech Suppliers such as Web and Domain Services, Firewall and
Desktop Application vendors are increasingly targeted
• Chatter on social media and DarkWeb forums can provide early
warning
• Compromised Credentials may be used by third party contractors on
your network
• Passive vendors audits should be part of your procurement process