Mining Your Logs - Gaining Insight Through VisualizationRaffael Marty
In this two part presentation we will explore log analysis and log visualization. We will have a look at the history of log analysis; where log analysis stands today, what tools are available to process logs, what is working today, and more importantly, what is not working in log analysis. What will the future bring? Do our current approaches hold up under future requirements? We will discuss a number of issues and will try to figure out how we can address them.
By looking at various log analysis challenges, we will explore how visualization can help address a number of them; keeping in mind that log visualization is not just a science, but also an art. We will apply a security lens to look at a number of use-cases in the area of security visualization. From there we will discuss what else is needed in the area of visualization, where the challenges lie, and where we should continue putting our research and development efforts.
Slide deck for the Secruity Weekly session on Oct 25th 2018. Code is up on www.github/YossiSassi. Special thanks to Eyal Neemany & Omer Yair who helped prep this talk.
THOR is a lightweight and portable scanner for IOCs. It ships with a huge set of Yara signatures and other indicators of compromise in order to detect attacker activity on Windows systems.
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.
Valerie Parham-Thompson
Lead Database Consultant with Pythian
Find more by Valerie Parham-Thompson: https://speakerdeck.com/dataindataout
All Things Open
October 26-27, 2016
Raleigh, North Carolina
This interactive hands on Lab was given at the RSA APJ conference by the Velocidex team in July 2018.
Follow along as a self guided tour of Velociraptor.
Mining Your Logs - Gaining Insight Through VisualizationRaffael Marty
In this two part presentation we will explore log analysis and log visualization. We will have a look at the history of log analysis; where log analysis stands today, what tools are available to process logs, what is working today, and more importantly, what is not working in log analysis. What will the future bring? Do our current approaches hold up under future requirements? We will discuss a number of issues and will try to figure out how we can address them.
By looking at various log analysis challenges, we will explore how visualization can help address a number of them; keeping in mind that log visualization is not just a science, but also an art. We will apply a security lens to look at a number of use-cases in the area of security visualization. From there we will discuss what else is needed in the area of visualization, where the challenges lie, and where we should continue putting our research and development efforts.
Slide deck for the Secruity Weekly session on Oct 25th 2018. Code is up on www.github/YossiSassi. Special thanks to Eyal Neemany & Omer Yair who helped prep this talk.
THOR is a lightweight and portable scanner for IOCs. It ships with a huge set of Yara signatures and other indicators of compromise in order to detect attacker activity on Windows systems.
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.
Valerie Parham-Thompson
Lead Database Consultant with Pythian
Find more by Valerie Parham-Thompson: https://speakerdeck.com/dataindataout
All Things Open
October 26-27, 2016
Raleigh, North Carolina
This interactive hands on Lab was given at the RSA APJ conference by the Velocidex team in July 2018.
Follow along as a self guided tour of Velociraptor.
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentChristopher Gerritz
Slides to the talk delivered at Blackhat USA 2018. "The New Pentest? Rise of the Compromise Assessment" discusses the rising trend of breach discovery and threat hunting engagements delivered by a 3rd party. Additionally, I recommend specific technology and methodologies in order to deliver this service most efficiently and effectively.
https://www.youtube.com/watch?v=2ocAdstunk8
Managing Your Security Logs with ElasticsearchVic Hargrave
The ELK stack (Elasticsearch-Logstash-Kibana) provides a cost effective alternative to commercial SIEMs for ingesting and managing OSSEC alert logs. This presentation will show you how to construct a low cost SIEM based on ELK that rivals the capabilties of commercials SIEMs.
Докладчик расскажет о технических аспектах разработки с нуля прототипа межсетевого экрана уровня систем управления базами данных Database Firewall: о том, что нужно чтобы разработать DBFW, о возможности применения методов машинного обучения для эффективного обнаружения SQL-инъекций по SQL-запросам, обнаружении SQL-инъекций на основе методов синтаксического анализа, реализации ролевого и атрибутного управление доступом. Также речь пойдет о перспективных механизмах защиты приложений на основе технологий межсетевого экранирования и статического анализа кода.
Please, Please, PLEASE Defend Your Mobile Apps!Jerod Brennen
Admit it: mobile is sexy. Unfortunately, companies are giving into corporate peer pressure and publishing mobile apps before integrating appsec into the mobile app development process. This gives attackers another venue of attack, one with the potential of circumventing the host, network, and application security controls that the security team has already implemented. The purpose of this presentation is to show attendees how attackers can deconstruct mobile apps to find these attack vectors and (more importantly) how to close these security holes before the apps are published to public app stores.
International collaborative efforts to share threat data in a vetted member c...CODE BLUE
The APWG has been sharing threat data for over 12 years to help protect organizations and the all internet users against cyber threats. Initially founded to focus on the phishing, as the threat landscape on the internet has grown so has APWG. Today our vetted member community shares information to fight cybercrime and fraud not only on phishing but numerous other types of threat data including malicious IP addresses and ransomware information. This session will look at the history of sharing these types of data, how sharing has changed over the years and the necessity to automate these process.
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)Jared Atkinson
Slides for Jared Atkinson's talk at BSidesDC titled "**** it, Do It Live (PowerShell Digital Forensics)". The presentation was given on 17 October 2015
ION Bucharest, 12 October 2016 - DNSSEC helps prevent attackers from subverting and modifying DNS messages and sending users to wrong (and potentially malicious) sites. So what needs to be done for DNSSEC to be deployed on a large scale? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet. We’ll also examine some of the challenges operators have faced and the opportunities to address those challenges and move deployment forward.
Automated Discovery of Deserialization Gadget ChainsPriyanka Aash
Although vulnerabilities stemming from the deserialization of untrusted data have been understood for many years, unsafe deserialization continues to be a vulnerability class that isn't going away. Attention on Java deserialization vulnerabilities skyrocketed in 2015 when Frohoff and Lawrence published an RCE gadget chain in the Apache Commons library and as recently as last year's Black Hat, Muñoz and Miroshis presented a survey of dangerous JSON deserialization libraries. While much research and automated detection technology has so far focused on the discovery of vulnerable entry points (i.e. code that deserializes untrusted data), finding a "gadget chain" to actually make the vulnerability exploitable has thus far been a largely manual exercise. In this talk, I present a new technique for the automated discovery of deserialization gadget chains in Java, allowing defensive teams to quickly identify the significance of a deserialization vulnerability and allowing penetration testers to quickly develop working exploits. At the conclusion, I will also be releasing a FOSS toolkit which utilizes this methodology and has been used to successfully develop many deserialization exploits in both internal applications and open source projects.
Workshop: Big Data Visualization for SecurityRaffael Marty
Big Data is the latest hype in the security industry. We will have a closer look at what big data is comprised of: Hadoop, Spark, ElasticSearch, Hive, MongoDB, etc. We will learn how to best manage security data in a small Hadoop cluster for different types of use-cases. Doing so, we will encounter a number of big-data open source tools, such as LogStash and Moloch that help with managing log files and packet captures.
As a second topic we will look at visualization and how we can leverage visualization to learn more about our data. In the hands-on part, we will use some of the big data tools, as well as a number of visualization tools to actively investigate a sample data set.
The geopolitical conflicts in the Middle East have deepened in the last few years. Syria is no exception, with the crisis there taking many forms, and the cyberspace conflict is intensifying as sides try to tilt the struggle in their favor by exploiting cyber intelligence and using distortion.
The Global Research & Analysis Team (GReAT) at Kaspersky Lab has discovered new malware attacks in Syria, using some techniques to hide and operate malware, in addition to proficient social engineering tricks to deliver malware by tricking and tempting victims to open and launch malicious files. The malware files were found on activist sites and social networking forums, some other files were also reported by local organizations like CyberArabs and Technicians for Freedom.
All technical details are available in this report ans related blog post at https://securelist.com/blog/research/66051/the-syrian-malware-house-of-cards/.
For any inquire please contact intelreports@kaspersky.com
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentChristopher Gerritz
Slides to the talk delivered at Blackhat USA 2018. "The New Pentest? Rise of the Compromise Assessment" discusses the rising trend of breach discovery and threat hunting engagements delivered by a 3rd party. Additionally, I recommend specific technology and methodologies in order to deliver this service most efficiently and effectively.
https://www.youtube.com/watch?v=2ocAdstunk8
Managing Your Security Logs with ElasticsearchVic Hargrave
The ELK stack (Elasticsearch-Logstash-Kibana) provides a cost effective alternative to commercial SIEMs for ingesting and managing OSSEC alert logs. This presentation will show you how to construct a low cost SIEM based on ELK that rivals the capabilties of commercials SIEMs.
Докладчик расскажет о технических аспектах разработки с нуля прототипа межсетевого экрана уровня систем управления базами данных Database Firewall: о том, что нужно чтобы разработать DBFW, о возможности применения методов машинного обучения для эффективного обнаружения SQL-инъекций по SQL-запросам, обнаружении SQL-инъекций на основе методов синтаксического анализа, реализации ролевого и атрибутного управление доступом. Также речь пойдет о перспективных механизмах защиты приложений на основе технологий межсетевого экранирования и статического анализа кода.
Please, Please, PLEASE Defend Your Mobile Apps!Jerod Brennen
Admit it: mobile is sexy. Unfortunately, companies are giving into corporate peer pressure and publishing mobile apps before integrating appsec into the mobile app development process. This gives attackers another venue of attack, one with the potential of circumventing the host, network, and application security controls that the security team has already implemented. The purpose of this presentation is to show attendees how attackers can deconstruct mobile apps to find these attack vectors and (more importantly) how to close these security holes before the apps are published to public app stores.
International collaborative efforts to share threat data in a vetted member c...CODE BLUE
The APWG has been sharing threat data for over 12 years to help protect organizations and the all internet users against cyber threats. Initially founded to focus on the phishing, as the threat landscape on the internet has grown so has APWG. Today our vetted member community shares information to fight cybercrime and fraud not only on phishing but numerous other types of threat data including malicious IP addresses and ransomware information. This session will look at the history of sharing these types of data, how sharing has changed over the years and the necessity to automate these process.
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)Jared Atkinson
Slides for Jared Atkinson's talk at BSidesDC titled "**** it, Do It Live (PowerShell Digital Forensics)". The presentation was given on 17 October 2015
ION Bucharest, 12 October 2016 - DNSSEC helps prevent attackers from subverting and modifying DNS messages and sending users to wrong (and potentially malicious) sites. So what needs to be done for DNSSEC to be deployed on a large scale? We’ll discuss the business reasons for, and financial implications of, deploying DNSSEC, from staying ahead of the technological curve, to staying ahead of your competition, to keeping your customers satisfied and secure on the Internet. We’ll also examine some of the challenges operators have faced and the opportunities to address those challenges and move deployment forward.
Automated Discovery of Deserialization Gadget ChainsPriyanka Aash
Although vulnerabilities stemming from the deserialization of untrusted data have been understood for many years, unsafe deserialization continues to be a vulnerability class that isn't going away. Attention on Java deserialization vulnerabilities skyrocketed in 2015 when Frohoff and Lawrence published an RCE gadget chain in the Apache Commons library and as recently as last year's Black Hat, Muñoz and Miroshis presented a survey of dangerous JSON deserialization libraries. While much research and automated detection technology has so far focused on the discovery of vulnerable entry points (i.e. code that deserializes untrusted data), finding a "gadget chain" to actually make the vulnerability exploitable has thus far been a largely manual exercise. In this talk, I present a new technique for the automated discovery of deserialization gadget chains in Java, allowing defensive teams to quickly identify the significance of a deserialization vulnerability and allowing penetration testers to quickly develop working exploits. At the conclusion, I will also be releasing a FOSS toolkit which utilizes this methodology and has been used to successfully develop many deserialization exploits in both internal applications and open source projects.
Workshop: Big Data Visualization for SecurityRaffael Marty
Big Data is the latest hype in the security industry. We will have a closer look at what big data is comprised of: Hadoop, Spark, ElasticSearch, Hive, MongoDB, etc. We will learn how to best manage security data in a small Hadoop cluster for different types of use-cases. Doing so, we will encounter a number of big-data open source tools, such as LogStash and Moloch that help with managing log files and packet captures.
As a second topic we will look at visualization and how we can leverage visualization to learn more about our data. In the hands-on part, we will use some of the big data tools, as well as a number of visualization tools to actively investigate a sample data set.
The geopolitical conflicts in the Middle East have deepened in the last few years. Syria is no exception, with the crisis there taking many forms, and the cyberspace conflict is intensifying as sides try to tilt the struggle in their favor by exploiting cyber intelligence and using distortion.
The Global Research & Analysis Team (GReAT) at Kaspersky Lab has discovered new malware attacks in Syria, using some techniques to hide and operate malware, in addition to proficient social engineering tricks to deliver malware by tricking and tempting victims to open and launch malicious files. The malware files were found on activist sites and social networking forums, some other files were also reported by local organizations like CyberArabs and Technicians for Freedom.
All technical details are available in this report ans related blog post at https://securelist.com/blog/research/66051/the-syrian-malware-house-of-cards/.
For any inquire please contact intelreports@kaspersky.com
"Defensive techniques and tools keep getting better and therefore the creation of implants that are not detected is a harder and time consuming task every Red Team operator has to go through. Focusing on the network detection field; recent Intrusion Detection Systems (IDS) that uses new network analysis techniques can detect easily some of our handcrafted implants by analyzing connection fingerprints from both client and server side. In some environments , techniques like Deep Packet Inspection can map our implants to possible threats to be addressed.
In this talk, I provide solutions that can be used on implants; a modified TLS Go package that allows circumventing tools like JA3 by providing desired fingerprints that will help to mimic rightful client software, egression to Gmail servers and techniques like steganography/encryption to hide obvious payloads. All these ideas are tailored into a new network modules for the Siesta Time Framework, to help to automate the creation of desired Implants. As a finale, possible new defensive techniques to improve tools like JA3 will be explained.
Automated prevention of ransomware with machine learning and gposPriyanka Aash
This talk will highlight a signature-less method to detect malicious behavior before the delivery of the ransomware payload can infect the machine. The ML-driven detection method is coupled with the automated generation of a Group Policy Object and in this way we demonstrate an automated way to take action and create a policy based on observed IOC’s detected in a zero-day exploit pattern.
( Source : RSA Conference USA 2017)
stackconf 2021 | Why you should take care of infrastructure driftNETWAYS
As infrastructure as code (IaC) becomes widely adopted by users with heterogenous skillsets, and as IaC codebases become larger and larger, it becomes harder to track drift. Drift is a deviation between the actual infrastructure state and the IaC codebase. It causes issues for security posture management, collaborative work, and maintenance. There are a lot of juicy stories from the trenches to be told on infrastructure drift. Sure enough, we all do GitOps by the book! Or we all have the right processes in place. But we also have to interact with other teams. We also have to grant some level of access to our infrastructures to some services or tools that may eventually generate uncontrolled changes. You can’t efficiently improve what you don’t track. We track coverage for unit tests, why not infrastructure as code coverage? How can we make sure our infrastructure code matches our actual infrastructure state? In this talk, using Terraform with AWS resources, I will show how infrastructure drift can go undetected despite our best efforts or tooling and cause issues and end the talk by showing our own free and open source tool driftctl, (just released under Apache-2.0 licence) that tracks IaC coverage and warns of infrastructure drift.
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
Presented at NSA User Group. Steps through recent activities and technologies in use across NSA and the IC. Specifically mentions data ingress/egress with JBoss Messaging and MRG-M, storage of data with XFS and GFS, and data presentation capabilities with JBoss Enterprise Middleware Portfolio. 15-20min on Security Automation with SCAP.
Python And The MySQL X DevAPI - PyCaribbean 2019Dave Stokes
This presentation covers how to use the MySQL X DevAPI with the Python Programming Language, presented at the first PyCaribbean Conference, Santo Domino February 16th 2019
aleph - Malware analysis pipelining for the massesJan Seidl
Analyzing malware and correlating huge databases of samples is a job for few. Big AV companies have their own systems for cataloging and analyzing malware and our goal is to bring that power to the masses through our OpenSource malware analysis pipeline system called Aleph <https: />.
Aleph is not restricted to malware since it is artifact-oriented. It was built with no specific file-type in mind but with the possibility to work with any filetype and have plugins to extract information and correlate with other artifacts for further analysis. This makes aleph also very useful in forensics and other types of work.
Aleph is a multi-compartmentalized framework. There are sample collectors that will fetch samples from local folders, RSS feeds and IMAP folders (for now). These samples are queued where the sample workers will grab them and apply specific filters depending on it's file type. Those plugins might enrich sample metadata, extract other artifacts and retrofeed into Aleph for further analysis making all the cross-reference chain in place.
The plugins may also add some warning flags based on their findings to give the researcher a more digested info than interpreting all the data.
All sample data is stored into a ElasticSearch database which makes easy to query and manage it's metadata fields without rebuilding tables and such.
All time and date data is UTC and converted on the fly to user's Timezone. We have internationalization and localization fully implemented and Aleph is available currently in English, Brazilian Portuguese and Spanish
Database firewall is a useful tool that monitor databases to identify and protect against database specific attacks that mostly seek to access sensitive information stored in the databases. However the commercial database firewalls are expensive and needs specific product knowledge, while the opensource database firewalls are designed for specific opensource database servers.
In order to fulfill the need of inexpensive database firewall, Snort - an opensource IDS/IPS - is possible to achieve the goal in some scenarios with familiar rule writing. The paper will explain the limitation of Snort as a database firewall, constraints in commercial database statement and some example implementation.
Mitigating Java Deserialization attacks from within the JVM (improved version)Apostolos Giannakidis
This deck contains a few improvements based on received feedback, such as the addition of links and reworded some points for clarity.
A talk about the existing ways to mitigate Java deserialization attacks from the JVM. The talk was presented at the BSides Luxembourg conference on October 2017.
It describes the use of Instrumentation Agents and Serialization Filtering and their limitations.
It also talks about Runtime Virtualization and Runtime privilege de-escalation.
At the talk there was also a PoC demo that demonstrated how an Instrumentation Agent could be tampered from a file upload vulnerability at the application level.
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...Demi Ben-Ari
Once you start working with distributed Big Data systems, you start discovering a whole bunch of problems you won’t find in monolithic systems.
All of a sudden to monitor all of the components becomes a big data problem itself.
In the talk we’ll mention all of the aspects that you should take in consideration when monitoring a distributed system once you’re using tools like:
Web Services, Apache Spark, Cassandra, MongoDB, Amazon Web Services.
Not only the tools, what should you monitor about the actual data that flows in the system?
And we’ll cover the simplest solution with your day to day open source tools, the surprising thing, that it comes not from an Ops Guy.
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...Codemotion
Once you start working with Big Data systems, you discover a whole bunch of problems you won’t find in monolithic systems. Monitoring all of the components becomes a big data problem itself. In the talk we’ll mention all of the aspects that you should take in consideration when monitoring a distributed system using tools like: Web Services,Spark,Cassandra,MongoDB,AWS. Not only the tools, what should you monitor about the actual data that flows in the system? We’ll cover the simplest solution with your day to day open source tools, the surprising thing, that it comes not from an Ops Guy.
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017Demi Ben-Ari
Once you start working with distributed Big Data systems, you start discovering a whole bunch of problems you won’t find in monolithic systems.
All of a sudden to monitor all of the components becomes a big data problem itself.
In the talk we’ll mention all of the aspects that you should take in consideration when monitoring a distributed system once you’re using tools like:
Web Services, Apache Spark, Cassandra, MongoDB, Amazon Web Services.
Not only the tools, what should you monitor about the actual data that flows in the system?
And we’ll cover the simplest solution with your day to day open source tools, the surprising thing, that it comes not from an Ops Guy.
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureCloudVillage
Speaker 1: Rod Soto
Speaker 2: Jose Hernandez
This presentation shows how to use Splunk to provide the analyst with a comprehensive vision of AWS/GCP/Azure security posture. Presenters will outline how to ingest the audit data provided by open source tool Cloud Security Suite into Splunk to analyze cloud vulnerability, harden multi-cloud deployments and visualize multi-cloud threat surface. Presenters will also demonstrate use cases based on Splunk knowledge objects (Tables, Dashboards, Alerts, Field extractions, Lookups, etc), in order to take advantage of the information provided by various supporting tools like Scout2 and G-Scout projects for cloud API auditing.
Using Splunk/ELK for auditing AWS/GCP/Azure security postureJose Hernandez
In this talk Rod Soto and I propose a common set of categories use to audit the security posture of multiple cloud providers. Then we proceed to show how we have implemented the security checks using cs-suite using ELK and Splunk.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Elizabeth Buie - Older adults: Are we really designing for our future selves?
STIX Patterning: Viva la revolución!
1. STIX Patterning: Viva la revolución!
Cyber Threat Intelligence Matters
FIRST Technical Symposium and OASIS Borderless Cyber
Conference
Jason Keirstead - STSM, IBM Security
Trey Darley - Director of Standards Development, New Context
3. What was wrong in STIX 1.x
● Too many ways to define matches (multiple meanings of "Equals")
● Too many ways to define expressions (ANDs and ORs in both Indicators and
Observables)
○ One analysis found twelve different ways to compare two IP addresses
● Lists are just plain "weird" ( ##comma## - need I say more?)
● Despite all this complexity, lacked fundamental capabilities such as temporal
matching (A followed by B)
4. But (Snort|YARA|OpenIOC|Sigma) already exist?!
● Snort only makes sense on the network
● YARA library only works on a file-like blob
○ Neither allows encoding of malware behaviour information
● OpenIOC limited in expressivity; also limited in network coverage
● Basic use case: malware matching signature X will beacon with traffic that
looks like Y before dropping Z
○ Combination of file attributes, network attributes, sequential / temporal matching
○ This extremely simple use case is impossible to model using any of these standards
● Sigma: https://github.com/Neo23x0/sigma
○ Their effort started after we'd already achieved our Committee Specification Draft. We
reached out to collaborate but got zero acknowledgement. :-(
5. Questions we asked
● Should we think beyond simple CTI use cases of "find this IOC" ?
● What if our cybersecurity tools could share rules and searches for analytics
and correlations?
● What factors have been preventing this from emerging in the industry? Could
we have an opportunity to finally move the needle?
● What if SIEM vendor lock-in were to just die in a fire?
"We're here to put a dent in the universe." — Steve Jobs
6. Basic design principles
● One way to do things (not 12)!
● Base things on a grammar, not nested XML or JSON
○ Makes things easier for humans to understand, and for machines to parse!
● Base that grammar on something that as many folks are familiar with as
possible
○ Candidates: SQL, Lucene, YARA, Snort/OpenSig…
○ We ended with SQL-like after some debate
● Define a grammar that allows sharing descriptions of advanced threats, not
just simple atomic IOCs (ip = 1.2.3.4)
● Define it in a way that was expandable in the future without "breaking
changes"
9. How this ties to STIX Cyber Observables
● Cyber Observables provide a data model for describing things you've actually
seen.
● STIX Patterning is a language for describing chaotic maliciousness one might
see.
● SCO (STIX Cyber Observables) : nouns :: STIX Patterning : language
● SCO : DB Tables :: STIX Patterning : SQL
11. It's not that bad, see!
Finding an IP
Finding a URL
Finding one of two registry keys
[ip-addr.value = '8.8.8.8']
[url:value MATCHES
'^(?:https?://)?(?:www.)?example.com/.*']
[windows-registry-key:key =
'HKEY_CURRENT_USERSoftwareCryptoLockerFiles
' OR windows-registry-key:key =
'HKEY_CURRENT_USERSoftwareMicrosoftCurrentV
ersionRunCryptoLocker_0388']
12. Currently-defined Cyber Observables
● Artifact
● AS
● Directory
● Email Address
● Email Message
● File
○ Archive Extension
○ NTFS File Extension
○ PDF File Extension
○ Raster Image File Extension
○ Windows PE Binary File Extension
● IPv4 Address
● IPv6 Address
● MAC Address
● Mutex
● Network Traffic
○ HTTP Request Extension
○ ICMP Extension
○ Network Socket Extension
○ TCP Extension
● Process
○ Windows Process Extension
○ Windows Service Extension
● Software
● User Account
○ UNIX Account Extension
● Windows Registry Key
● X.509 Certificate
14. File-based Pattern (vs. YARA)
Basic File with Hexadecimal Payload
STIX Indicator Pattern
[file:contents_ref.payload_bin MATCHES 'x65x78x61x6dx70x6cx65' AND file:size > '31284']
Corresponding YARA Rule
rule Example
{
strings:
$hex_string = { 65 78 61 6d 70 6c 65 }
condition:
$hex_string and filesize > 31284
}
Basic File with Textual Payload
STIX Indicator Pattern
[file:contents_ref.payload_bin MATCHES 'this is an example']
Corresponding YARA Rule
rule Example
{
strings:
$text_string = “this is an example”
condition:
$text_string
}
15. Network-based Pattern (vs. Snort)
Basic TCP Network Traffic
STIX Indicator Pattern
[network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '192.0.2.1' AND network-traffic:dst_ref.type =
'ipv4-addr' AND network-traffic:dst_ref.value = '203.0.113.10' AND network-traffic:dst_port = '21' AND network-traffic:protocols[*]
= 'tcp']
Corresponding Snort Rule
alert tcp 192.0.2.1 any -> 203.0.113.10 21
HTTP Network Traffic with User Agent
STIX Indicator Pattern
[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.0.113.11' AND network-traffic:dst_port = '80'
AND network-traffic:protocols[*] = 'tcp' AND network-traffic:extended_properties.http-ext.request_header.User-Agent =
'Mazilla/5.0']
Corresponding Snort Rule
alert tcp any any -> 203.0.113.11 80 (content:"User-Agent|3a|
Mazilla/5.0"; http_header;)
16. Watching for "Fileless" UAC Bypass
[
( windows-registry-key:key =
'HKEY_CURRENT_USERSoftwareClassesexefileshellrunascommand' AND windows-registry-
key:values[*].name = 'isolatedCommand' )
]
OR
[
( windows-registry-key:key = 'HKEY_CURRENT_USERMicrosoftWindowsCurrentVersionApp
Pathscontrol.exe' AND windows-registry-key:values[*].data != "C:WindowsSystem32cmd.exe" )
]
17. Bad Powershell!
Suspicious Powershell has been used
[
process:command_line MATCHES
'((.*NewObject(System)?NetWebClient.*DownloadFile.*((StartProcess)|(shellexecute)|(win32_proc
ess)|(start)|(saps)).*)|(.*((iex)|(InvokeExpression)).*NewObject(System)?NetWebClient.*Downlo
adString.*)|(.*NewObject(System)?NetWebClient.*DownloadString.*((iex)|(InvokeExpression)).*)|
(.*IEX.*[SystemDiagnosticsProcess]::Start.*)|(.*StartBitsTransfer.*InvokeItem.*))'
]
18. Necurs Botnet
Looks for a particular malware payload followed by HTTP beaconing traffic
generated by the payload:
[file:name = 'rekakva32.exe' AND file:parent_directory_ref.path MATCHES
'C:Users[ws]+AppDataLocalTemp'] FOLLOWEDBY [network-
traffic:protocols[*] = 'http' AND network-traffic:extensions.'http-request-
ext'.request_method = 'post' AND network-traffic:extensions.'http-request-
ext'.request_header.'User-Agent' = 'Windows-Update-Agent']
Source: https://isc.sans.edu/forums/diary/Necurs+Botnet+malspam+pushes+Locky+using+DDE+attack/22946/
20. Github all the things!
OASIS Open Repository: TAXII 2 Server Library Written in Python
cti-taxii-server: https://github.com/oasis-open/cti-taxii-server
OASIS Open Repository: TAXII 2 Client Library Written in Python
cti-taxii-client: https://github.com/oasis-open/cti-taxii-client
OASIS Open Repository: Python APIs for STIX 2
cti-python-stix2: https://github.com/oasis-open/cti-python-stix2
OASIS Open Repository: Match STIX content against STIX patterns
cti-pattern-matcher: https://github.com/oasis-open/cti-pattern-matcher
OASIS Open Repository: Convert STIX 1.2 XML to STIX 2.0 JSON
cti-stix-elevator: https://github.com/oasis-open/cti-stix-elevator
21. Github all the things (2)!
Translate STIX 2 Patterning Queries Into Splunk and ElasticSearch
stix2patterns_translator: https://github.com/mitre/stix2patterns_translator
Downgrade STIX2 content to STIX1
cti-stix-slider: https://github.com/oasis-open/cti-stix-slider
Malware Information Sharing Platform & Threat Sharing
MISP: https://github.com/MISP/MISP
A cyber threat intelligence server based on TAXII 2 and written in Golang
freetaxii-server: https://github.com/freetaxii/freetaxii-server
APIs for generating STIX 2.x messages with Go (Golang)
libstix2: https://github.com/freetaxii/libstix2
The CaRT file format is used to store/transfer malware and its associated metadata
cse cart: https://bitbucket.org/cse-assemblyline/cart
22. Github all the things (3)!
Convert STIX2 to GraphML or GEXF (Gephi format)
StixConvert: https://github.com/workingDog/StixConvert
Convert STIX2 and load into Neo4j graph database
StixToNeoDB: https://github.com/workingDog/StixToNeoDB
Browser-based STIX2 editor, with ability to publish to a TAXII2 server
cyberstation: https://github.com/workingDog/cyberstation
STIX2 Scala library
scalastix: https://github.com/workingDog/scalastix
TAXII2 Scala library
Taxii2LibScala: https://github.com/workingDog/Taxii2LibScala
TAXII2 JS library
taxii2lib: https://github.com/workingDog/taxii2lib
24. Beyond indicators - analytics use cases
● Threat Intelligence sharing has received a lot of focus; however the analytics
to actually find things, not so much
● People re-build the same analytics over and over because they either don't
know of, or have access to, what has been done many times before
● In order to share analytics in a scalable fashion, a vendor-neutral language
for said analytics has to be developed
● We believe SCO Pattern could be the basis for this
● CAR - The MITRE Cyber Analytics Repository
○ PRE-ATT&CK and ATT&CK based analytics
○ Long-term goal: ability to define the analytics in STIX Patterning
○ Collaborative ecosystem for analytics development
25. Correlation rules
● SIEM correlation rules share a lot of the same challenges as analytics
○ In fact, they are analytics! Imagine!
● Future vision / desire is for SIEM vendors to support SCO Pattern as a method
to define rules
○ Reduce / eliminate vendor lock-in
○ Enable broader ecosystem of cross-vendor solutions sharing tools
○ Seamless integration of STIX 2.0 compatible threat intelligence with SIEM correlation engines
● Again, speak to your vendor!
○ Nothing moves ahead without customers demanding it
26. It's not perfect...yet.
● Known gaps in SCO object model itself
● Known gaps in language
● We need your help!
● While we believe that STIX Patterning is amongst the most long-term
significant innovations in STIX 2.x, it is nevertheless a work product coming
out of a very small team of people. If we have succeeded in convincing you
that we are not in fact smoking crazy goat-weed, please come join the party!
27. tl;dr
● Make sure to grab a quick
reference card.
● We're having a ½ day
STIX/TAXII 2.0 training
followed by a ½ day hackathon
Friday where you can learn
more and try out the tools we
discussed.
● Kudos to our colleagues from
CIRCL for being so supportive
and for early adoption in MISP.
● Thanks to FIRST and OASIS for
making this event happen and
to you for giving us your
attention today!
Thank you!
Editor's Notes
Do we need to introduce ourselves? Assuming so, try to do 20 seconds or less.
TODO: add more cat memes!
Trey presents
Cool project but unfortunately it's typical OSS wheel reinvention.
Jason presents
A pattern consists of one or more observation expressions joined by observation operators.
Valid observation operators are AND, OR, and FOLLOWEDBY
Each one of those observation expressions may be a simple test (eg. ip-addr.value = '1.2.3.4'), or may be multiple tests that create a comparison expression.
Comparisons within an expression are separated by comparison operators.
There are several comparison operators, including things like =, >, <, IN, LIKE, etc.
An entire observation expression MAY be followed by a qualifier, such as 'REPEATS X TIMES' or 'WITHIN Y SECONDS'.
TODO: add a slide with what's currently defined in SCO <= WILL DO
TODO: add a slide enumerating what we'd like help with adding to SCO
TODO: define an additional example illustrating succinctly something like malware beaconing, with both host and network-based patterning
TODO: consider ditching the Powershell and UAC bypass examples (per Ivan)
tag-team present
Point out here that we expect that many vendors will likely generate patterns automatically for you from SCO observations seen on the wire or endpoint
When was the last time you wrote a YARA rule by hand, vs copy/paste it from somewhere, take it from a content package, or use a tool?
Yes, Snort is more succinct. Yes, we are looking at refactoring how network traffic works in STIX Patterning. But there are still significant advantages to STIX Patterning over either Snort or Yara insofar as it provides the ability to correlate across both network and endpoint telemetry.
Trey presents
TODO: break this out into 3-4 pages with project descriptions
TODO: review this stuff https://github.com/workingDog?tab=repositories
TODO: break this out into 3-4 pages with project descriptions
TODO: review this stuff https://github.com/workingDog?tab=repositories
TODO: break this out into 3-4 pages with project descriptions
TODO: review this stuff https://github.com/workingDog?tab=repositories
Jason presents
TODO: add an example!
TODO: talk about integrating with osquery, Bro, and other OSS security tools