Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
How to set up a Threat Hunting Team for Active Defense utilizing Cyber Threat Intelligence and how CTI can help a company grow and improve its security posture.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
How to set up a Threat Hunting Team for Active Defense utilizing Cyber Threat Intelligence and how CTI can help a company grow and improve its security posture.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.
How to Hunt for Lateral Movement on Your NetworkSqrrl
Once inside your network, most cyber-attacks go sideways. They progressively move deeper into the network, laterally compromising other systems as they search for key assets and data. Would you spot this lateral movement on your enterprise network?
In this training session, we review the various techniques attackers use to spread through a network, which data sets you can use to reliably find them, and how data science techniques can be used to help automate the detection of lateral movement.
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
"Cyberhunting" actively looks for signs of compromise within an organization and seeks to control and minimize the overall damage. These rare, but essential, breed of enterprise cyber defenders give proactive security a whole new meaning.
Check out the accompanying webinar: http://www.hosting.com/resources/webinars/?commid=228353
Threat hunting - Every day is hunting seasonBen Boyd
Breakout Presentation by Ben Boyd during the 2018 Nebraska Cybersecurity Conference.
Introduction to Threat Hunting and helpful steps for building a Threat Hunting Program of any size, from small to massive.
Maturity Model of Security Disciplines Florian Roth
A slide deck that was created for a private talk outlining the maturity model of security disciplines, recommendations on security monitoring, log source priority, low hanging fruits and some highlights
Hunting for Evil with the Elastic StackElasticsearch
Whether you are threat hunting or responding to a signature-based alert, learn how to use Elastic tools to tell the entire story and more efficiently root out adversaries in your environment.
See the video: https://www.elastic.co/elasticon/tour/2019/washington-dc/hunting-for-evil-with-the-elastic-stack
Get Real-Time Cyber Threat Protection with Risk Management and SIEMRapid7
The 2012 Verizon Data Breach Investigations Report quantified the sharp increase in cyber threats, noting that 68% were due to malware, up 20% from 2011. What is most concerning is that 85% of breaches took weeks or more to discover. Despite the focus on threat prevention, breaches will happen. In this environment the ability to identify risk, protect vulnerable assets and manage threats become critical. Learn how these combined solutions can help your organization identify behavioral anomalies, internal and external threats, and prevent breaches based on accurate enterprise security intelligence.
To download a free Nexpose demo, clock here: http://www.rapid7.com/products/nexpose/compare-downloads.jsp
Application security meetup k8_s security with zero trust_29072021lior mazor
The "K8S security with Zero Trust" Meetup is about K8s posture Management and runtime protection, ways to secure your software supply chain, Managing Attack Surface reduction, and How to secure K8s with Zero-Trust.
How to Hunt for Lateral Movement on Your NetworkSqrrl
Once inside your network, most cyber-attacks go sideways. They progressively move deeper into the network, laterally compromising other systems as they search for key assets and data. Would you spot this lateral movement on your enterprise network?
In this training session, we review the various techniques attackers use to spread through a network, which data sets you can use to reliably find them, and how data science techniques can be used to help automate the detection of lateral movement.
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
"Cyberhunting" actively looks for signs of compromise within an organization and seeks to control and minimize the overall damage. These rare, but essential, breed of enterprise cyber defenders give proactive security a whole new meaning.
Check out the accompanying webinar: http://www.hosting.com/resources/webinars/?commid=228353
Threat hunting - Every day is hunting seasonBen Boyd
Breakout Presentation by Ben Boyd during the 2018 Nebraska Cybersecurity Conference.
Introduction to Threat Hunting and helpful steps for building a Threat Hunting Program of any size, from small to massive.
Maturity Model of Security Disciplines Florian Roth
A slide deck that was created for a private talk outlining the maturity model of security disciplines, recommendations on security monitoring, log source priority, low hanging fruits and some highlights
Hunting for Evil with the Elastic StackElasticsearch
Whether you are threat hunting or responding to a signature-based alert, learn how to use Elastic tools to tell the entire story and more efficiently root out adversaries in your environment.
See the video: https://www.elastic.co/elasticon/tour/2019/washington-dc/hunting-for-evil-with-the-elastic-stack
Get Real-Time Cyber Threat Protection with Risk Management and SIEMRapid7
The 2012 Verizon Data Breach Investigations Report quantified the sharp increase in cyber threats, noting that 68% were due to malware, up 20% from 2011. What is most concerning is that 85% of breaches took weeks or more to discover. Despite the focus on threat prevention, breaches will happen. In this environment the ability to identify risk, protect vulnerable assets and manage threats become critical. Learn how these combined solutions can help your organization identify behavioral anomalies, internal and external threats, and prevent breaches based on accurate enterprise security intelligence.
To download a free Nexpose demo, clock here: http://www.rapid7.com/products/nexpose/compare-downloads.jsp
Application security meetup k8_s security with zero trust_29072021lior mazor
The "K8S security with Zero Trust" Meetup is about K8s posture Management and runtime protection, ways to secure your software supply chain, Managing Attack Surface reduction, and How to secure K8s with Zero-Trust.
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!EC-Council
Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
If organizations are truly working to limit Internet abuse and protect end users, we need to take a more thoughtful approach to botnet takedowns – or once again bots will veer their ugly heads.
There are three main causes of ineffective takedowns:
The organizations performing botnet takedowns do so in a haphazard manner.
The organizations do not account for secondary communication methods, such as peer-to-peer or domain generation algorithms (DGA) that may be used by the malware.
The takedowns do not result in the arrest of the malware actor.
So what does a successful botnet take down actually look like? In his presentation on Botnet SmackDowns, Brian Foster, CTO of Damballa will share with attendees how to effectively takedown botnets for good. The only way botnet takedowns will have a lasting impact on end user safety is if security researchers use a comprehensive and systematic process that renders the botnet inoperable.
Security Certification: Security Analytics using Sumo Logic - Oct 2018Sumo Logic
Get Certified as a Sumo Security Power User!
With security threats on the rise, come join our Security and Compliance experts to learn how Sumo Logic’s Threat Intelligence can help you stay on top of your environment by matching IOCs like IP address, domain names, URL, email addresses, MD5 hashes and more, to increase velocity and accuracy of threat detection. Hands on labs help cement the knowledge learned.
Tune in for the Ultimate WAF Torture Test: Bots Attack!Distil Networks
Are WAFs the best approach for defending your website against malicious bots? How can you optimize your WAF for bot detection and mitigation? Watch this webinar and learn practical tips on how to defend your web infrastructure against the OWASP Top 10 as well as brute force attacks, web scraping, unauthorized vulnerability scans, fraud, spam and man-in-the-middle attacks.
World renowned expert and author of Web Application Firewalls: A Practical Approach, John Stauffacher, shares his expertise. He has over 17 years of experience in IT Security and is a certified Network Security and Engineering specialist.
Learn more : http://resources.distilnetworks.com/h/i/95930604-tune-in-for-the-ultimate-waf-torture-test-bots-attack/177622
How the Cloud Shifts the Burden of Security to DevelopmentErika Barron
The move to the cloud brings a number of new security challenges, but the application remains your last line of defense. Developers are extremely well-poised to perform tasks critical for securing the application—provided that certain key obstacles are overcome. [Presented at Cloud Expo - November 2014]
I got 99 trends and a # is all of them or How we found over 100 200+ RCE vulnerabilities in Trend Micro software.
Presentation released at Hack In The Box 2017 Amsterdam, by Roberto Suggi Liverani @malerisch and Steven Seeley @steventseeley.
For more information, please visit: http://blog.malerisch.net or http://srcincite.io
Finding the source of Ransomware - Wire data analyticsNetFort
Ransomware continues to be a major problem for network managers and detecting the source/destination of it is critical in preventing it from spreading. In this presentation, we discuss how wire data can be used to detect the source of Ransomware on your network.
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
The recorded version of 'Best Of The World Webcast Series' [Webinar] where Jacob Holcomb speaks on 'RIoT (Raiding Internet of Things)' is available on CISOPlatform.
Best Of The World Webcast Series are webinars where breakthrough/original security researchers showcase their study, to offer the CISO/security experts the best insights in information security.
For more signup(it's free): www.cisoplatform.com
This presentation examines the business case for and against penetration testing. It also includes some low hanging fruit as it relates to common security vulnerabilities.
On Tuesday, June 22nd Jonny Griffin, Security Engineer at Working Group Two, gave a presentation at a three day conference at GSMA FASG.
In the last three years, Working Group Two has been developing a DevSecOps framework to ensure their cloud-native mobile core network is secure.
Automating Cloud Security introduces the topics around cloud computing, DevSecOps, cloud-native Security Layers, and how WG2 built a security tool chain that can be leveraged by any organisation.
As security is evolving so is WG2's capabilities for identifying, preventing, and responding to security events in our networks.
Similar to Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021 (20)
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
2. § Florian Roth
§ Head of Research @ Nextron Systems
§ IT Sec since 2000,
Nation State Cyber Attacks since 2012
§ THOR Scanner
§ Twitter @cyb3rops
§ Open Source Projects:
§ Sigma (Generic SIEM Rule Format)
§ LOKI (Open Source Scanner)
§ APT Groups and Operations Mapping
§ Antivirus Event Analysis Cheat Sheet
§ ...
About Me
3. § What is Sigma?
§ ATT&CK Integration in Sigma
§ Hall of Fame: The 5 most successful Sigma rules
§ Where’s the Sigma project going?
§ Cool new or upcoming related projects
Overview
4. What is Sigma?
Sigma is a generic rule format
to express detection ideas in form of rules
that match on log data .
5. What is Sigma?
Sigma is for log data what
YARA is for files and
Snort is for network traffic .
6. § Simplicity and Usability
§ Users like it: Easy to read and write
§ Developers like it: Manageable specs and expressions
§ Immediate Benefit
§ Big rule base with more than 1000 rules
§ Integrated converter for 17+ backends (query generator)
§ Active community: you quickly get new rules for burning issues
§ No Product-Specific Focus
§ No overreaching vendor
§ No SIEM specific expressions
§ No vendor lock-in
Why Sigma?
7. § Sigma rules contain ATT&CK
techniques as tags
§ A matching rule points to one or more
techniques
§ The tests check against attackcti.com
to compare the tags in new rules with
a list of all valid ones (live)
MITRE ATT&CK® Integration
9. § Very effective due to generic character
§ Low false positive rate
§ Detects serious threats
§ Detects very common threats
Key Selection Criteria for the Hall of Fame
Efficiency
Low False Positive Rate
Threat Severity
Prevalence
16. § The new converter uses this module
§ Complete rewrite of the old converter
§ Support for the new Sigma correlation
rules
§ New backends should be built with with
this module
§ All credits go to Thomas @blubbfiction
https://github.com/SigmaHQ/pySigma
pySigma
sigma
(sigmac + rules)
pySigma
(converter)
sigma
(rules)
pySigma
17. § Correlation rules provide an easy to use
solution to complex detection ideas
§ Time-based, statistical or sequential
correlations
§ Correlation rules refer to simple rules
(different files)
§ The old converter will not support the new
correlation rules (> new pySigma)
Draft (already partly outdated)
https://onedrive.live.com/view.aspx?resid=34
54E59DF98D7D65!7485&ithint=file%2cdocx&
authkey=!ADb97TgRX9Fr4xQ
Sigma Correlation Rules
Sigma
Correlation Rule
Sigma Rule X
5 matches of rule X
then
1 match of rule Y Sigma Rule Y
Sigma Rule Z
Sigma
Correlation Rule
10 matches of rule Z
within 5 minutes
/correlation-rules /rules
19. § Applies Sigma rules on EVTX files
§ Digital Forensics Incident Response (DFIR)
Use Cases
§ Forensic investigations
§ Collect EVTX files from end points and scan them in
the lab
§ Rust based – precompiled executables for
Windows and Linux
§ GPL
https://labs.f-secure.com/tools/chainsaw/
F-Secure: Chainsaw
20. § Applies Sigma rules on EVTX files
§ Digital Forensics Incident Response (DFIR)
Use Cases
§ Forensic investigations
§ Collect EVTX files from end points and scan them in
the lab
§ Python-based
§ LGPL
https://github.com/wagga40/Zircolite
Zircolite by @waggabat
21. § Transforms IOCs into
Queries
§ Online and free
(limits apply)
§ Support for many
different backends: Azure
Sentinel, Elastic, Splunk,
SentinelOne, Carbon Blac,
LogPoint, FireEye Helix,
CrowdStrike … and more
https://cti.uncoder.io/
SOC Prime: Uncoder CTI
22. § Lightweight agent that applies Sigma rules on log
data in real-time on endpoints
§ Free
(Pro version has additional features)
§ Uses ETW
§ Supports the upcoming Sigma correlation rules
§ Extends the Sigma standard with response
actions ⚡
§ Kill, KillParent, Suspend, Dump
§ Custom actions: e.g.
copy %Image% %%ProgramData%%%ProcessID%.bin
§ Consider it your “custom Sigma-based HIPS”
Release: December 2021 🤞
Nextron: Aurora Agent
Sigma Rules
Sigma
Config
Agent
Config
ETW Eventlog
Log File
Process
response
Eventlog
Channels
23. Thanks to all contributors
Rules: @cyb3rops and frack113
Rule Converter: @blubbfic:on Thomas Patzke
TwiBer: @sigma_hq
Slack: siemexchange.slack.com (contact us for invites)
More informa:on: hBps://github.com/SigmaHQ/sigma