Between limited resources and a lack of trained professionals on one hand and the increasing quantity and quality of attacks on the other, securing enterprises and responding to incidents has placed defenders on the losing end of a digital arms race. Even managing the amounts of threat data and open-source intelligence has become a challenge.
This talk will cover the possibilities and perils of integrating all the various sources of threat intelligence data to protect an organization. With all the various open-source and paid-source data, simply dumping it all into a firewall or DNS RPZ zone can be problematic. What to do about compromised websites or shared hosting environments? What about DGA domains that use full words and may collide with actual innocent websites? What about how to handle threat data that is lacking in context to make appropriate decisions on its validity and accuracy? This talk will present several case studies in how these problems can be tackled and how using multi-domain analysis can help reduce the risk and maximize the value of automated protection using these types of data.
THOTCON - The War over your DNS Queries (John Bambenek)
Talk given at THOTCON on October 9, 2021 entitled "The War over your DNS queries and what to do about it". Covers DNS security and privacy and the importance of running your own DNS resolver.
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers (John Bambenek)
While we have many products and tools to protect enterprises and government networks, we are not using those same tools to protect consumers who cannot afford products and services from security companies. This talk will focus on building an RPZ service that can use already existing, freely accessible threat intelligence feeds to protect consumers against threats we already know about.
THOTCON 0x6: Going Kinetic on Electronic Crime Networks (John Bambenek)
Defensive security is a rat race. We detect new threats, we reverse engineer them and develop defenses, while the bad guys just make new threats. We often just document a new threat and stop when the blog post is published. This talk will take it a step further on how to proactively disrupt threats and threat actors, not just from your organization but completely. As a case study, Operation Tovar and whatever else I take down between now and THOTCON will be used as examples of how this can be accomplished without a large legal team and without massive collateral damage (e.g. the No-IP incident). Tools will be demonstrated that are used for near-time surveillance of criminal networks.
HITCON 2015 - DGAs, DNS and Threat Intelligence (John Bambenek)
Domain Generation Algorithms (DGAs) and DNS provide a layer of resilience to botnets and malware. They also provide new and novel ways to monitor and surveil malicious networks. This talk will discuss methods you can use to turn DGAs and DNS against malware operators in order to better protect your enterprise.
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS (John Bambenek)
These are the slides of a talk by John Bambenek at THOTCON 0x5 in Chicago.
Imagine your first day at a client site and you spend your time figuring out what's going on with the network. You query passive DNS and find tons of apparent VPN-over-DNS endpoints on your network. What starts as a simple incident investigation process sees the tables turned on those who used the protocol to hide their tracks. This talk will discuss reverse engineering VPN over DNS (vpnoverdns.com) and how weaknesses in its use of DNS tunneling make it trivial to retroactively wiretap all communications over the protocol long after the fact.
Talk given at PHDAYS V in Moscow, May 2015.
This talk will focus on research into Domain Generation Algorithms used in several malware families. By reverse engineering the DGA, it became possible to create near-time intelligence feeds used to monitor malicious networks and provide the information required for network protection.
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack... (EC-Council)
DNS: STRATEGIES FOR REDUCING DATA LEAKAGE & PROTECTING ONLINE PRIVACY
DNS is the foundational protocol used to direct nearly all Internet traffic, making the collection and analysis of DNS traffic highly valuable. This talk will examine ways in which you can effectively limit the disclosure of your online habits by securing the way your local DNS resolvers work.
Corporate Espionage without the Hassle of Committing Felonies (John Bambenek)
Thotcon Presentation by John Bambenek on how some security solutions are leaking sensitive data to the internet making it easy to spy on individuals and companies without breaking any laws.
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams (Andrew Morris)
Cloud hosting providers, such as Amazon AWS, Google Cloud, DigitalOcean, Microsoft Azure, and many others, have to respond to a regular barrage of abuse complaint reports from all around the world when their customers' virtual private servers are used for malicious activity. This activity can happen knowingly by the "renter" of the system or on behalf of an attacker if the server becomes infected. Although by no means the be-all and end-all, one way of measuring the trust posture of a cloud hosting provider is by analyzing the amount of time between shared hosts beginning to attack other hosts on the Internet and the activity ceasing, generally by way of forced decommissioning, quarantining, or remediation of the root cause, such as a malware infection. In this talk, we discuss using the data collected by GreyNoise, a large network of passive collector nodes, to measure the time-to-remediation of infected or malicious machines. We will discuss methodology, results, and actionable takeaways for conference attendees who use shared cloud hosting in their businesses.
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security... (Andrew Morris)
In this presentation, we will discuss using GreyNoise, a geographically and logically distributed system of passive Internet scan traffic collector nodes, to identify statistical anomalies in global opportunistic Internet scan traffic and correlate these anomalies with publicly disclosed vulnerabilities, large-scale DDoS attacks, and other newsworthy events. We will discuss establishing (and identifying any deviations away from) a “standard” baseline of Internet scan traffic. We will discuss successes and failures of different methods employed over the past six months. We will explore open questions and future work on automated anomaly detection of Internet scan traffic. Finally, we will provide raw data and a challenge as an exercise to the attendees.
The last five to ten years have seen massive advancements in open source Internet-wide mass-scan tooling, on-demand cloud computing, and high speed Internet connectivity. This has led to a massive influx of different groups mass-scanning all four billion IP addresses in the IPv4 space on a constant basis. Information security researchers, cyber security companies, search engines, and criminals scan the Internet for various benign and nefarious reasons (such as the WannaCry ransomware and multiple MongoDB, ElasticSearch, and Memcached ransomware variants). It is increasingly difficult to differentiate between scan/attack traffic targeting your organization specifically and opportunistic mass-scan background radiation packets.
GreyNoise is a system that records and analyzes all the collective omnidirectional background noise of the Internet, performs enrichments and analytics, and makes the data available to researchers for free. Traffic is collected by a large network of geographically and logically diverse "listener" servers distributed across different data centers belonging to different cloud providers and ISPs around the world.
In this talk I will candidly discuss motivations for developing the system, a technical deep dive on the architecture, data pipeline, and analytics, observations and analysis of the traffic collected by the system, business impacts for network operators, pitfalls and lessons learned, and the vision for the system moving forward.
Are your cloud servers under attack? – Hacker Halted 2019 – Brian Hileman (EC-Council)
ARE YOUR CLOUD SERVERS UNDER ATTACK
For this presentation, I built out a test lab in AWS and allowed someone to hack the servers. I will talk about what we saw when we opened RDP to the internet, what the hackers did once they got in, and someone trying to kick me off my own servers.
Wireless technology is inherently insecure in general; however, this presentation details some unconventional attacks that have been around for years but are still incredibly effective. It discusses the basics of AP cloning, abusing captive portals, and more.
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz (Christopher Gerritz)
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.
When your job is to act as a malicious attacker on a daily basis for the good of helping organizations, you can’t help but wonder “What if I decided to embrace the evil within?” What if one day I woke up evil? Every day as a pentester, I compromise organizations through a variety of ways. If I were to wake up one day and decide to completely throw my ethics out the window, how profitable could I be, and could I avoid getting caught?
In this talk I will walk through a detailed methodology about how I personally would go about exploiting organizations for fun and profit, this time not under the “white hat.” Non-attribution, target acquisition, exploitation, and profitization will be the focal points. Blue teamers will get a peek into the mindset of a dedicated attacker. Red teamers will learn a few new techniques for their attack methodologies.
WFH security risks - Ed Adams, President, Security Innovation (Priyanka Aash)
Our security practices need to evolve in order to address the new challenges posed by the rapid adoption of technologies and products to enable the world to WFH. The mantra of the attacker remains consistent -- attack that which yields maximum result -- and that is usually something used by a very large number of users. This webinar will discuss the Top 10 Security Gaps that CISOs should be aware of as they brace for long WFH periods.
What will you learn:
- New attack techniques hackers are using to target WFH
- How to handle decentralisation of IT and technology decisions
- Application risks as enterprises pivot to online/new business model(s)
- New risks in the Cloud and due to Shadow IT
- Security risks due to uninformed employees and their home infrastructure
- How to handle misconfigurations and third party risks
- How to build a robust breach response and recovery program
Full video - https://youtu.be/bQLfnmhDnQs
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014 (Santiago Bassett)
Threat Intelligence has become increasingly important as the number and severity of threats are growing continuously. We live in an era where our prevention technologies are not enough anymore: antivirus products fail to detect new or sophisticated pieces of malware, our firewalls and perimeter defenses are easily bypassed, and the attacker's techniques are growing in complexity. In this new landscape, sharing threat intelligence has become a key component to mitigate cyber-attacks.
In this session we will define what Threat Intelligence is and discuss how to collect and integrate threat intelligence from public sources. In addition, we’ll demonstrate how to build your own Threat Intelligence data using Open Source tools such as sandboxes, honeypots, sinkholes and other publicly available tools.
The industry's reticence to share information about attack vectors gives the adversary a huge advantage. Using Threat Intelligence we can reduce this advantage and enable preventative response. We will guide you through the different standards (OpenIOC, STIX, MAEC, OTX, IODEF…) used to describe and share cyber intelligence, as well as Open Source Frameworks such as CIF (Collective Intelligence Framework) that allow you to combine different threat sources.
One of the biggest problems with Threat Intelligence is finding out how to take advantage of the data you have to actually improve the detection/prevention capabilities in your environment. We will describe how to leverage Threat Intelligence to detect threats and provide defenses, and we will focus on how to use Open Source Tools (Suricata, OSSIM, OSSEC, Bro, Yara…) to get the most out of your Threat Intelligence.
Presenters: Jaime Blasco and Santiago Bassett
Cornerstones of Trust 2014:
https://www.cornerstonesoftrust.com
Microsegmentation from strategy to execution (AlgoSec)
Organizations heavily invest in security solutions to keep their networks safe, but still struggle to close the security gaps. Micro-segmentation helps protect against the lateral movement of malware and minimizes the risk of insider threats. Micro-segmentation has received lots of attention as a possible solution, but many IT security professionals aren’t sure where to begin or what approach to take.
In this practical webinar, Prof. Avishai Wool, AlgoSec’s CTO and co-founder will guide you through each stage of a micro-segmentation project – from developing the correct micro-segmentation strategy to effectively implementing it and continually maintaining your micro-segmented network.
Register now for this live webinar and get a practical blueprint for creating your micro-segmentation policy:
- What micro-segmentation is.
- Common pitfalls in micro-segmentation projects and how to avoid them.
- The stages of a successful micro-segmentation project.
- The role of policy change management and automation in micro-segmentation.
Automation attacks are currently plaguing organizations in industries ranging from financial to retail, to gaming & entertainment. These attacks exploit stolen credential leaks, black market & custom attack toolkits, and massively scalable infrastructure to launch widely distributed attacks that are extremely difficult to detect, let alone attribute. In this presentation we will inform the audience of the scale of this problem, discuss a detection methodology to counter these attacks, and walk through 3 real-world examples of how attackers created and monetized the distributed infrastructure they require to launch these attacks.
Presentation on current security trends, prevention and detection. This presentation was initially given at a WatchGuard partner event for Equinox IT. http://www.equinoxits.com/
MISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance (John Bambenek)
This is a talk given at the MISP summit in Luxembourg on how the Barncat malware configuration uses MISP to share data and the interesting things you can do with a huge body of malware configurations.
All These Sophisticated Attacks, Can We Really Detect Them - PDF (Michael Gough)
Can we really detect advanced attacks? This session walks through 4 published attacks to point out what we can learn and detect using malware management, some cheat sheets and Security 101. LOG-MD, FILE-MD, Malware Archaeology
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ... (Sean Whalen)
Respond proactively to threats like a defense contractor. It’s more realistic than you might think!
A practical guide of how to build intelligence-driven cyber defenses using open source software, based on real implementations of best practices, adapted from the Lockheed Martin Cyber Kill Chain model.
Talk on threats to database security. The title is, of course, deadly serious. Wile E. Coyote & other experts on correctness & security are enlisted to help make key points.
LoginCat - the only application layer, zero trust, and negative trust cybersecurity solution out there.
Secure your Enterprise applications, at the application layer, which is exactly what hackers are after, without any modification to the applications themselves.
I'm All Up in Your Blockchain - Hunting Down the Nazis (John Bambenek)
In the wake of the white supremacist rally in Charlottesville, Virginia and the car attack in the aftermath, normal people wondered what is behind the resurgence of racial extremism. In looking at some of the figureheads of this movement, it was immediately apparent that several fund their operations with bitcoin with several holding thousands of dollars and a few holding millions (as of today's exchange rate). This talk will cover the research efforts into figuring out the adversaries behind the white supremacist movement, who is funding them, and the results of publishing their transactions on a live twitter feed at @neonaziwallets. We will show how they are getting their big money and what can be done to disrupt their activities. This talk will also cover an open-source twitter bot script that can monitor transactions to defined wallets and demonstrate how various exchanges leak information that allow visibility into other altcoins, particularly monero.
SANSFIRE - Elections, Deceptions and Political Breaches (John Bambenek)
It's been the year of political breaches. While campaigns are odd entities, there are lessons enterprises can draw from what happened in 2016 to protect their organizations from attacks.
Exploit kits are a critical piece of the malware delivery infrastructure, delivering banking trojans, click fraud engines and ransomware. This small talk will be designed to aid collaboration on a means to tackle these threats with a long-term goal of eventual prosecution of the actors and partners behind exploit kits and their associated malware campaigns. We will discuss the latest research into the backend infrastructure and surveillance techniques of the Nuclear, RIG and Angler exploit kits, to enable all participants to learn what others are doing to stay ahead of them.
Blackhat USA 2014 - The New Scourge of Ransomware (John Bambenek)
In March of this year, a Romanian man killed himself and his 4-year-old son because of ransomware he received after visiting adult websites. This "police impersonation" malware instructed him to pay a massive fine or else go to jail for 11 years. Ransomware isn't a new threat; however, it took on new life with CryptoLocker, the very first variant to perform encryption correctly, thus significantly inhibiting security researchers and their typical countermeasures. Due to its unique nature, CryptoLocker is one of the few current malware campaigns that spawned its own working group focused on remediation. As time progressed, other ransomware copycat campaigns emerged, some of which got media attention even though they were nothing but vaporware.
This talk will focus on what the threat intelligence community did in response to this threat, including the development of near-time tracking of its infrastructure and what can be learned in order to manage new threats as they emerge.
IESBGA 2014 Cybercrime Seminar by John Bambenek (John Bambenek)
This talk by John Bambenek, "What Small Businesses and Entrepreneurs Need to Know About Cybercrime" was given at IESBGA 2014 on May 30th, 2014 at Illinois State University.
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014 (John Bambenek)
Every day we hear more and more about credit cards getting stolen, businesses getting hacked and national secrets being pilfered from our government. In this seminar, you’ll learn:
- what threats small businesses need to be aware of
- what threats are hype
- how small businesses can protect themselves in a cost-effective way
- you’ll walk away with 5 things you can do in your small business to be more secure without having to buy a single piece of software
Understanding User Behavior with Google Analytics.pdf (SEO Article Boost)
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Quattordicesimo Meetup di Milano, tenutosi a Milano il 23 Maggio 2024 dalle ore 17:00 alle ore 18:30 in presenza e da remoto.
Abbiamo parlato di come Axpo Italia S.p.A. ha ridotto il technical debt migrando le proprie APIs da Mule 3.9 a Mule 4.4 passando anche da on-premises a CloudHub 1.0.
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
1. John Bambenek
VP, Security Research and Intelligence, ThreatSTOP
War Stories on Using Automated Threat
Intelligence for Defense
2. About me
• SANS ISC Handler
• VP of Security Research and Intelligence at ThreatSTOP
• Lecturer at the University of Illinois at Urbana-Champaign
• Producer of open-source threat feeds
• Involved in DNC, DCCC, et al investigations in 2016
3. The Problem – the “too much” issues
• “1,000,000 unfilled cybersecurity jobs”
• Too much work and not enough skilled people to do it.
• Too much data, no clear prioritization.
• Too much manual work to investigate and respond to incidents.
• What’s Worth Responding To? What is the Intention of the Attacker?
4. The Problem in Numbers
• Average dwell time during a breach: 4-5 months
• Percentage of breaches where evidence was in logs: 80+%
• These two data points mean that if a SOC knew what to look for and
had the tools to respond quickly, a great deal of damage could be
mitigated.
6. The Reality
There is a much smaller set of actual malware tools, many
are used by multiple people.
Problem: How to use this data effectively?
How to manage large data sets to correlate behavior over
time?
8. War Story #1 – Election Hacking
• Brief overview of DNC, et al related hacks.
• The private sector was “highly confident” of FSB/GRU attribution even
before the news was released in the summer of 2016.
• We have a long history with APT 28/29, with a variety of TTPs and
other info that allowed not just the responders, but those who verified the
work of responders, to make determinations quickly.
• And see what they were doing during the French Presidential Election, and
some 2018 activity….
10. War Story #1 – Election Hacking
• TTP – likes impersonating “vendors”/”partners”.
• MIS Department in case of DNC
• Using DomainTools Brand Monitor or Farsight Brand Sentry,
you can proactively look for impersonation.
• WHOIS details also provide clues.
11. WHOIS Registrant Intel
• Often actors may re-use registrant information across
different campaigns. There may be other indicators too.
• Sometimes *even with WHOIS privacy protection* it may
be possible to correlate domains and by extension the
actor.
• Most criminal prosecution in cybercrime is due to an OPSEC
fail and the ability to map backwards in time of what the
actor did to find that fail that exposes them.
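The registrant pivoting described on this slide, as an added example that is not from the talk: cluster domains that share a registrant e-mail or phone, while refusing to pivot on privacy-proxy values that would link every protected domain together. All domains, addresses and registrars are constructed.

```python
# Added example (not from the slides): pivot on re-used WHOIS registrant
# fields to cluster domains, ignoring privacy-proxy values as pivots.
from collections import defaultdict

# Constructed sample records; every domain, e-mail, phone and registrar is invented.
WHOIS = [
    {"domain": "misdepartment-support.example", "email": "ops-mail@mailbox.example",
     "phone": "+1.5550100", "registrar": "RegA"},
    {"domain": "vendor-portal-login.example", "email": "ops-mail@mailbox.example",
     "phone": "+1.5550199", "registrar": "RegB"},
    {"domain": "partner-docs.example", "email": "privacy@whoisguard.example",
     "phone": "+1.5550199", "registrar": "RegB"},
    {"domain": "unrelated-shop.example", "email": "privacy@whoisguard.example",
     "phone": "+1.5550777", "registrar": "RegA"},
]
# Values shared by thousands of unrelated domains must never act as a pivot.
PRIVACY_VALUES = {"privacy@whoisguard.example"}
PIVOT_FIELDS = ("email", "phone")  # registrar alone is far too common to pivot on

def cluster_by_registrant(records):
    """Union domains that share any non-privacy pivot value; return sorted clusters."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):  # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # (field, value) -> first domain carrying it
    for r in records:
        for field in PIVOT_FIELDS:
            value = r.get(field)
            if not value or value in PRIVACY_VALUES:
                continue
            key = (field, value)
            if key in first_seen:
                parent[find(r["domain"])] = find(first_seen[key])
            else:
                first_seen[key] = r["domain"]
    groups = defaultdict(list)
    for d in parent:
        groups[find(d)].append(d)
    return sorted(sorted(g) for g in groups.values())
```

The third domain joins the first cluster only through a shared phone number, which is the kind of link that survives e-mail privacy protection.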
12. War Story #1 – Election Hacking
Maltego graph from Motherboard: https://motherboard.vice.com/en_us/article/vvaxy8/evidence-linking-russian-hackers-fancy-bear-to-macron-phishing
13. War Story #1 – Election Hacking
• Trend Micro was looking for domains with “en-marche” in
the name and found 4.
• En Marche! said they fed fake information to the adversary.
• Contrast with American response.
• You COULD hack back here… but why?
• There are dangers of deception though.
14. What we can do in 2018?
• Because of the sheer number of targets, any in-depth attempt to
target political or election organizations will be “loud”.
• If data is shared (IPs, domains, etc), AND you automatically block
them, you can have a good layer of protection.
• MS-ISAC, DHS AIS, other…
15. Malware Configs
• Every malware has different configurable items.
• Not every configuration item is necessarily valuable for intelligence
purposes. Some items may have default values.
• Free-form text fields provide interesting data that may be useful for
correlation.
• Mutex can be useful for correlating binaries to the same actor.
• How to get to the identity of someone using Cobalt Strike to attack you?
• KEY POINT: Non-operational data is still useful for intelligence purposes.
16. Where to get Malware
• Everyone uses Virustotal
• You can buy a malware feed…
• Better is to mine your spam / e-mail for attacks.
• This is the targeted malware no one can sell you.
• Eliminate malware seen by VT (other sources), that is
unique
• Who are the repeat visitors? Advanced attackers need to
go low and slow...
20. War Story #2 – Understanding Locky
• Locky uses combination of static domains and a DGA for C2.
• Has an affiliate program.
• Seems to heavily favor necurs for delivery (but not
exclusively)
22. War Story #2 – Understanding Locky
• We know there is a close relationship between necurs and
Locky. (What about specific affiliates?)
• We can see it’s likely Locky operator runs C2 infrastructure
on behalf of affiliates.
• This can inform prosecutorial decisions or potential “hack
back” operations (i.e. stealing encryption keys)
23. Using DNS to Track the Adversary
• Only certain ways you can contact a C2 server:
• Static IP / Hostname Lists
• Proxied C2s
• Dynamic DNS
• Fast Flux / Double Flux Networks
• Domain Generation Algorithms
• Tor / i2p hidden services
24. Domain Generation Algorithms
Usually a complex math algorithm to create pseudo-random
but predictable domain names.
Now instead of a static list, you have a dynamic list of
hundreds or thousands of domains and adversary only
needs to have a couple registered at a time.
Can search for “friendly” registrars to avoid suspension.
25. Reverse Engineering DGAs
Many blog posts about reversing specific DGAs, Johannes Bader
has the most online at his blog:
Johannesbader.ch
No real shortcuts except working through IDA/Debugger and
reversing the function.
Look for functions that iterate many times.
There will be at least a function to generate the domains and a
function to connect to all of them to find the C2.
As with all reverse engineering, be aware of obfuscation and decoy
code meant to deceive you.
26. Types of DGAs
Almost all DGAs use some type of “seed”.
Types:
Date-based
Static seed
Dynamic seed
Seed has to be globally consistent so all victims use the same
one at the same time.
27. Feed generation on DGAs
• sjuemopwhollev.co.uk,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• meeeqyblgbussq.info,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• ntjqyqhqwcwost.com,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• nvtvqpjmstuvju.net,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• olyiyhprjuwrsl.biz,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• sillomslltbgyu.ru,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• gmqjihgsfulcau.org,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• From here you could easily feed this into RPZ or other technology to
protect your organization.
28. DGA surveillance
Pre-generate all domains 2 days before to 2 days in future.
Pipe all those domains into adnshost using parallel to limit the
number of lines.
Able to process over 700,000 domains inside 10 minutes (and
I’m not done optimizing).
• parallel -j4 --max-lines=3500 --pipe adnshost -a -f < "$list_of_domains" | fgrep -v nxdomain >> "$outputfile"
30. What to do with this data?
• With IP addresses, you can just block them at the firewall.
• Inbound **AND** outbound traffic.
• If you control DNS, you control the endpoint. Use a DNS Firewall!
• Which means you can limit what the device can talk to in order to prevent
exploitation or command-and-control.
• DNS is on everything… even IoT devices!
31. What is a DNS Firewall?
• Uses RPZ (Response Policy Zones) or the Microsoft equivalent.
• Response Policy Zones are zone files you put into your DNS resolver
that can block, redirect, or alert on specific queries.
• Can flag on:
• Specific hostname, domain, or TLD (i.e. www.google.com or *.ru)
• The resolved IP address
• The authoritative nameserver hostnames used
• The authoritative nameserver IP addresses used
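Putting the feed slide and this one together, as an added example that is not from the talk: parse the `domain,description,date` feed format shown earlier into a BIND Response Policy Zone, and encode each of the four trigger types listed here (query name, resolved IP, nameserver name, nameserver IP). The zone origin `dga.rpz.example` and the sample rows are assumptions; IP triggers are IPv4 only.

```python
# Added example (not from the slides): feed rows -> RPZ zone, plus the RPZ trigger encodings.
import ipaddress, re
# Constructed sample in the feed's format (one row keeps the stray trailing comma).
SAMPLE_FEED = """\
sjuemopwhollev.co.uk,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
ntjqyqhqwcwost.com,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13,
olyiyhprjuwrsl.biz,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
"""
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
ACTIONS = {"nxdomain": ".", "nodata": "*.", "passthru": "rpz-passthru.", "drop": "rpz-drop."}

def valid_domain(name):
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels)

def parse_feed(text):
    """Return (domain, description, date) from 'domain,description,date' rows."""
    out = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.rstrip(",").split(",")]
        if len(parts) >= 3 and valid_domain(parts[0].lower()):
            out.append((parts[0].lower(), ",".join(parts[1:-1]), parts[-1]))
    return out

def rpz_record(kind, value, action="nxdomain"):
    """One rule. kind: qname (name/TLD), ip (answer), nsdname, nsip (IPv4 only)."""
    target = ACTIONS.get(action, action)  # unknown action = redirect target
    if kind == "qname":
        owner = value
    elif kind == "nsdname":
        owner = f"{value}.rpz-nsdname"
    elif kind in ("ip", "nsip"):  # prefixlen.reversed-octets.rpz-ip / rpz-nsip
        net = ipaddress.IPv4Network(value, strict=False)
        rev = ".".join(reversed(str(net.network_address).split(".")))
        owner = f"{net.prefixlen}.{rev}.rpz-{kind}"
    else:
        raise ValueError(f"unknown trigger kind: {kind}")
    return f"{owner} CNAME {target}"

def rpz_zone(records, extra_rules=(), origin="dga.rpz.example", serial=1):
    """Zone text: feed domains (and subdomains) get NXDOMAIN, then any extra rules."""
    lines = [f"$ORIGIN {origin}.", "$TTL 300",
             f"@ IN SOA localhost. hostmaster.{origin}. {serial} 3600 900 604800 300",
             "@ IN NS localhost."]
    for domain, desc, day in sorted(set(records)):
        lines += [f"; {desc} ({day})", rpz_record("qname", domain),
                  rpz_record("qname", "*." + domain)]
    lines += list(extra_rules)
    return "\n".join(lines) + "\n"
```

Load the resulting zone with a `response-policy` statement in the resolver; a redirect to a walled-garden name instead of `nxdomain` is what gives you the alert-and-explain behaviour rather than a silent failure.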
32. Block Bad Neighborhoods
• There are many networks you can be pretty sure are “always”
safe (i.e. CDNs).
• There are many networks you can treat as completely malicious (i.e.
bullet proof hosters).
• Some countries you may not have (or want) to talk to.
• ITAR/OFAC
• Why should your MRI machine talk to a Russian IP?
33. War Story #3 – Operation Tovar
• One of the first modern successful ransomware attacks.
• Was able to proactively monitor all new registrations for
domains, mine registrant details, and ultimately get quicker
to look at proxies.
• This not only allowed us to grind to get to an indictment of
Evgeniy Bogachev, but also to retrieve the private
encryption keys so people could get their files back.
• Was able to do a bulk takedown and shut the whole system
down.
34. Tracking Malware Functions
• We have tools to correlate IP addresses, domains,
registration information, malware families, malware
configs…
• What about specific functions or portions of code?
• The more we can correlate, the more we can get visibility
into how code is shared, developed, and the ecosystem
behind it.
35. FIRST IDA Plugin
• Developed by Cisco Talos: https://github.com/vrtadmin/FIRST-plugin-ida
• In essence, ties a database into IDA so you can search for
functions that exist elsewhere to find code level relationships.
• Presentation: https://www.botconf.eu/wp-content/uploads/2016/11/PR11-Function-Identification-and-Recovery-Signature-Tool-Villegas.pdf
37. War Story #4 - Wannacry
• We all know Wannacry, worm-based ransomware using
disclosed exploits (Thanks NSA!).
• Very quickly we noticed that the payment infrastructure
was not sound (and neither was NotPetya)
• What’s the point of cryptographic ransomware if you aren’t
getting paid? (Made only about $100k USD)
38. War Story #4 - Wannacry
From Costin Raiu's Twitter: 40-byte code reuse from a Lazarus backdoor
39. War Story #4 - Wannacry
• 40 bytes of code were identical to a Lazarus Group (DPRK)
backdoor used in 2015.
• Found by “spot checking” and memory.
• This is not ideal
• Not found anywhere else.
• Inconclusive but suggests DPRK (since proven).
• We NEED to figure out a way to make this a database search
problem, not a tribal lore in analyst’s mind problem.
40. Last Key Point
• Ending this talk with WannaCry and NotPetya was intentional.
• Most of the techniques here are useful for crime.
• Increasingly, however, APT is using crime tools as “obfuscation”.
• WannaCry and NotPetya (if we’re right) are precursors to future
APT attacks using criminals’ tools.
• What if our research leads to a kinetic response?
• We need to get the above right to disambiguate their intentions
and to find investigative leads and potential weaknesses (hack
back?)
41. Solution
• Lots of us are all working on the same problems
independently, we need to be working together more and
sharing data.
• Sharing data isn’t to contribute more to “admiring the
problem”. Need to block stuff.
• Back to Pyramid of Pain, block as much as you can as low as
you can to focus limited people/resources on “what’s left”.