Covertly contain risks while learning from the attacker.
Contain: Isolate the attacker but don’t fully evict.
Evict: Full removal of the attacker.
Remediate: Fix underlying issues that allowed the infiltration.
Recover: Restore full functionality.
Realign: Change security posture.
Each has pros and cons. The right choice depends on your metrics.
Taking the Attacker Eviction Red Pill [updated] - Frode Hommedal
This presentation is about how you can structure your analysis to increase the chances of success when attempting to evict an advanced attacker. It's my thoughts on how to think when deciding how and when to respond and attempt to evict a mission driven attacker from your infrastructure. This is a continuation of my previous work on the Cyber Threat Intelligence Matrix.
Everyone is talking about or asking for red teaming. Most of them are getting it wrong. I talk about the history and definitions of red teaming, what you should be doing before you bother with red teaming and critical issues to watch out for when you do leverage it.
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe... - MITRE - ATT&CKcon
With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypothesis, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, there are only a few that are focusing primarily on the data that is currently being collected to drive the success of a hunt program.
This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.
Recently, NTT published the Global Threat Intelligence Report 2016 (GTIR). This year’s report focused both on the changes in threat trends and on how security organizations around the world can use the kill chain to help defend the enterprise.
Turning threat intelligence data from multiple sources into actionable, contextual information is a challenge faced by many organizations today. The Global Threat Intelligence Platform provides increased efficiency, reduces risks and focuses on global coverage with accurate and up-to-date threat intelligence.
This presentation was given at Carnegie Mellon University by Kenji Takahashi, VP of Product Management, Security at NTT Innovation Institute.
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK - MITRE ATT&CK
From ATT&CKcon 3.0
By Haylee Mills, Splunk
Having ATT&CK to identify threats, prioritize data sources, and improve security posture has been a huge step forward for our industry, but how do we actualize those insights for better detection and alerting? By shifting to observations of behavior over one-to-one direct alerts, noisy datasets become valuable treasure troves with ATT&CK metadata. Additionally, we can begin to look at detection and threat hunting on behavior instead of users or systems. In this presentation, Haylee will discuss the shift in mindset and the nuts and bolts of detections that leverage this metadata in Splunk, but the concept can be applied with custom tools to any valuable security dataset.
Effective Threat Hunting with Tactical Threat Intelligence - Dhruv Majumdar
How to set up a Threat Hunting Team for Active Defense utilizing Cyber Threat Intelligence and how CTI can help a company grow and improve its security posture.
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx - Chi En (Ashley) Shen
Speakers: Ashley Shen, Steve Su
This is a threat hunting and campaign tracking 101 workshop Ashley Shen (Google) and Steve (FireEye) prepared for the HITCON 2020 CTI Village. In this presentation we share the threat hunting concept with some basic techniques and explain the process and guidance for campaign tracking. The presentation was only 65 mins, so we couldn't cover everything. However, through this talk we hope to share our experience and insights with beginners.
Open-source intelligence (OSINT) is intelligence collected from publicly available sources. In the intelligence community (IC), the term "open" refers to overt, publicly available sources (as opposed to covert or clandestine sources); it is not related to open-source software or public intelligence.
Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts capability to detect and quickly mitigate advanced attacks.
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo - Katie Nickels
Katie and John from the MITRE ATT&CK team present "ATT&CKing the Status Quo: Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK" at BSidesLV 2018.
https://www.enoinstitute.com/training-tutorials-courses/cyber-threat-hunting-training-ccthp/ Learn how to find, assess, and remove threats from your organization in our Certified Cyber Threat Hunting Training (CCTHP) designed to prepare you for the Certified Cyber Threat Hunting Professional (CCTHP) exam.
In this Cyber Threat Hunting Training (CCTHP) course, we will deep dive into “threat hunting”: searching for threats and mitigating them before the bad guys pounce. We will craft a series of attacks to check the enterprise security level and hunt for threats. An efficient threat hunting approach covering network, web, cloud, IoT devices, command and control channels (C2), web shells, memory and the OS will help you gain a new level of knowledge and carry out all tasks in a fully hands-on manner.
RESOURCES:
Cyber Threat Hunting Training: Cyber Threat Hunting A Complete Guide – 2020 Edition By Gerardus Blokdyk/vitalsource.com
Cyber Threat Hunting Training: Cyber Threat Hunting A Complete Guide – 2019 Edition By: Gerardus Blokdyk/vitalsource.com
Cyber Threat Hunting Training: Hunting Cyber Criminals: A Hacker’s Guide to Online Intelligence Gathering Tools and Techniques 1st Edition by Vinny Troia/Amazon.com
Cyber Threat Hunting Training: Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer by Muniz Joseph and Lakhani Aamir/Amazon.com
CUSTOMIZE It:
We can adapt this Cyber Threat Hunting Training (CCTHP) course to your group’s background and work requirements at little to no added cost.
If you are familiar with some aspects of this Cyber Threat Hunting (CCTHP) course, we can omit or shorten their discussion.
We can adjust the emphasis placed on the various topics or build the Cyber Threat Hunting Training (CCTHP) around the mix of technologies of interest to you (including technologies other than those included in this outline).
If your background is nontechnical, we can exclude the more technical topics, include the topics that may be of special interest to you (e.g., as a manager or policy-maker), and present the Cyber Threat Hunting Training (CCTHP) course in a manner understandable to lay audiences.
As we get to know what life in the digital domain is like, one of the revelations we've had is that many large and plenty of smaller organisations are targets of espionage, of the nefarious APT.
During the last decade, it has become gospel to wait, watch, analyse and learn if you detect such an attacker in your infrastructure. Why? Because you get one chance to do the eviction of the attacker right. And if you fail, all your efforts will eventually have been for nothing.
But for how long should you wait and watch? When have you watched long enough? When have you learned enough? And how do you make that decision?
That is the challenge I hope the Cyber Threat Intelligence Matrix can help you face in a more structured manner.
MITRE’s ATT&CK is a community-driven knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s life cycle and the platforms they are known to target. By scoping the wide breadth of the MITRE ATT&CK matrix to focus initially on the techniques used by threat actors you specifically care about, you can help the defenders create more useful and impactful detections first. Once you start emulating the appropriate threat actors, you can practice your defenses in a scenario that’s more realistic and applicable without the need for an actual intrusion. The speakers are providing a process and a case study of APT3 - a China-based threat group - for how to go from finding threat intelligence, sifting through it for actionable techniques, creating emulation plans, discovering how to emulate different techniques... to actually operating on a network. They are also providing a beginning "cheat sheet" for this actor to give a starting point for red and blue teams to accomplish these techniques in their own environment without the need to build their own tooling.
Cyber Threat Hunting: Identify and Hunt Down Intruders - Infosec
View webinar: "Cyber Threat Hunting: Identify and Hunt Down Intruders": https://www2.infosecinstitute.com/l/12882/2018-11-29/b9gwfd
View companion webinar:
"Red Team Operations: Attack and Think Like a Criminal": https://www2.infosecinstitute.com/l/12882/2018-11-29/b9gw5q
Are you red team, blue team — or both? Get an inside look at the offensive and defensive sides of information security in our webinar series.
Senior Security Researcher and InfoSec Instructor Jeremy Martin discusses what it takes to be a modern-day threat hunter during our webinar, Cyber Threat Hunting: Identify and Hunt Down Intruders.
The webinar covers:
- The job duties of a Cyber Threat Hunting professional
- Frameworks and strategies for Cyber Threat Hunting
- How to get started and progress your defensive security career
- And questions from live viewers!
Learn about InfoSec Institute's Cyber Threat Hunting course here: https://www.infosecinstitute.com/courses/cyber-threat-hunting/
From ATT&CKcon 3.0
By Matt Snyder, VMWare
Insider threats are some of the most treacherous and every organization is susceptible: it's estimated that theft of Intellectual Property alone exceeds $600 billion a year. Armed with intimate knowledge of your organization and masked as legitimate business, often these attacks go unnoticed until it's too late and the damage is done. To make matters worse, threat actors are now trying to lure employees with the promise of large paydays to help carry out attacks.
These advanced attacks require advanced solutions, and we are going to demonstrate how we are using the MITRE ATT&CK framework to proactively combat these threats. Armed with these tactics and techniques, we show you how to build intelligent detections to help secure even the toughest of environments.
Knowledge for the masses: Storytelling with ATT&CK - MITRE ATT&CK
From ATT&CKcon 3.0
By Ismael Valenzuela and Jose Luis Sanchez Martinez, Trellix
The Trellix team believes that creating and sharing compelling stories about cyber threats, with ATT&CK, is a powerful way of raising awareness and enabling actionability against cyber threats.
In this talk the team will share their experiences leveraging ATT&CK to disseminate Threat knowledge to different audiences (Software Development teams, Managers, Threat detection engineers, Threat hunters, Cyber Threat Analysts, Support Engineers, upper management, etc.).
They will show concrete examples and representations created with ATT&CK to describe the threats at different levels, including: 1) an Attack Path graph that shows the overall flow of the attack; 2) Tactic-specific TTP summary tables and graphs; 3) very detailed, step-by-step description of the attacker's behaviors.
Who should attend? Anyone that works in security and wants to leverage their machine data to detect internal and advanced threats, monitor activities in real time, and improve their organization's security posture.
Description: Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts capability to detect and quickly mitigate advanced attacks.
OSINT is defined by both the U.S. Director of National Intelligence and the U.S. Department of Defense (DoD) as "produced from publicly available information that is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement."
SOURCE: https://en.wikipedia.org/wiki/Open-source_intelligence
Every IR presents unique challenges. But - when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly-evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day - the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.
Details a massive intrusion by Russian APT29 (AKA CozyDuke, Cozy Bear)
PuppetConf 2017: Inviting Windows to the Puppet Party - Chris Kittell & Derek ... - Puppet
Adding Windows servers to a Puppet instance can feel like a daunting task, even more so when you already have a large number of Linux servers in Puppet already. Learn how Walmart integrated their Windows servers into Puppet Enterprise. We’ll discuss not only why we chose Puppet over other tools, but why and how we still use tools like DSC, SCCM and GPOs. We’ll also go over the successes and pitfalls we had along the way in using Puppet on Windows, onboarding other teams, and evangelizing our team’s vision to others.
[errata] For more information on DCSync and associated permissions, as well as AdminSDHolder and associated permissions, see Sean Metcalf's respective posts at https://adsecurity.org/?p=1729 and https://adsecurity.org/?p=1906.
"An ACE Up the Sleeve: Designing Active Directory DACL Backdoors" was presented at BlackHat and DEF CON 2017.
The last few years have seen a dramatic increase in the number of PowerShell-based penetration testing tools. A benefit of tools written in PowerShell is that it is installed by default on every Windows system. This allows us as attackers to “live off the land”. It also has built-in functionality to run in memory, bypassing most security products.
I will walk through various methodologies I use surrounding popular PowerShell tools. Details on attacking an organization remotely, establishing command and control, and escalating privileges within an environment all with PowerShell will be discussed. You say you’ve blocked PowerShell? Techniques for running PowerShell in locked down environments that block PowerShell will be highlighted as well.
Over the last few years threat hunting has risen from being a grassroots hands-on defensive technique to all-out hype as security vendors have jumped on the bandwagon. In this talk I wanted to strip away the marketing and talk about real-life threat hunting at scale and how it differs from traditional security monitoring. I'll cover the key datasets, different analytical approaches, cutting-edge TTPs and the people/skills needed to make it happen. I'll also share some real-world compromises that would have been missed by traditional detection but were found through hands-on threat hunting.
Slides for Building Better Backdoors with WMI - DerbyCon 2017 - Legacy
Code:
https://github.com/0xbadjuju/PowerProvider/
https://github.com/0xbadjuju/WheresMyImplant
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) - ... - Chris Thompson
"Windows Defender Advanced Threat Protection will soon be available for all Blue Teams to utilize within Windows 10 Enterprise, which includes detection of post breach tools, tactics and techniques commonly used by Red Teams, as well as behavior analytics. Combined with Microsoft Advanced Threat Analytics for user behavior analytics across the Domain, Red Teamers will soon face a significantly more challenging time maintaining stealth while performing internal recon, lateral movement, and privilege escalation in Windows 10/Active Directory environments.
This talk highlights challenges to red teams posed by Microsoft's new tools based on common hacking tools/techniques, and covers techniques which can be used to bypass, disable, or avoid high severity alerts within Windows Defender ATP and Microsoft ATA, as well as TTP used against mature organizations that may have additional controls in place such as Event Log Forwarding and Sysmon."
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team - Priyanka Aash
With advanced cyber-actors evolving quickly and becoming more stealthy, it has become imperative to question the status quo of our existing cyber-operations. This session will outline how a case study and incident response led to changes in focus and philosophy and how that changed the structure of Defensive Cyber Operations.
(Source: RSA Conference USA 2017)
There is increased discussion around threats that adopt so-called “living off the land” tactics. Attackers are increasingly making use of tools already installed on targeted computers or are running simple scripts and shellcode directly in memory. Creating fewer new files on the hard disk, or being completely fileless, means less chance of being detected by traditional security tools and therefore minimizes the risk of an attack being blocked. Using simple and clean dual-use tools allows the attacker to hide in plain sight among legitimate system administration work.
Further reading:
Attackers are increasingly living off the land (https://www.symantec.com/connect/blogs/attackers-are-increasingly-living-land)
Living off the land and fileless attack techniques (https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf)
In this presentation I explain the difference between a regular malware attack and a fileless attack, and add ways to capture it using EventTracker.
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen... - MITRE - ATT&CKcon
This session discusses Deloitte’s purple teaming approach which is using ATT&CK as a guiding principle to help both teams improve.
This session shows how this works in a customer scenario: how to scope the scenario, how to plan it and choose the various TTPs to be covered, and how we assist the customer's Blue Team in understanding those TTPs and help them design detective capabilities for them.
When the Blue Team is able to connect the dots between offensive activities in the network and what they see in their logs, firewalls, SIEMs, etc., they are able to fully understand what adversaries do and what the TTPs of attackers actually look like when they are active in their network.
It’s much easier to find the needle in the haystack if you know there is a needle to find to begin with. Purple teaming provides this pointy needle, used to accelerate the Blue Team.
Statistics show that organizations face an ever increasing threat from compromised insiders. These trusted end users routinely have their endpoint security tested by malware and viruses.
Industry analysts are now questioning the current and future capability of anti-virus and anti-malware solutions to mitigate these insider threats. There have been numerous high profile events over the past two years to demonstrate the problems of prioritizing security at the end-point.
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill - Frode Hommedal
When you are responding to severe intrusions, it has been gospel in recent years to observe, learn and plan before you start cleaning up. This is very sound advice, and probably the only way you can successfully evict a determined and mission driven adversary from your networks. But when is the right time? When do you actually know enough to evict, and more importantly, resist immediate re-entry? Enter the Cyber Threat Intelligence Matrix.
Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ... - Core Security
Vulnerability Assessments, Penetration Tests and Red Teaming – Do you know what these tactics are all about? In this session, we will present our understanding of these practices in terms of when to apply them and what to expect. Nowadays, organizations run on top of hundreds, if not thousands, of Information Technology assets with some of them on premise and others cloud based. Having control over all of this is a challenging task. Based on our extensive experience with securing our customers, I will show what real findings and attack trends look like while hopefully, shedding some light on how to be prepared to resist current attacks.
Threat hunters are security professionals who proactively search for threats and vulnerabilities in an organization's systems and networks. They use a variety of tools and techniques to identify potential threats, investigate suspicious activity, and respond to security incidents.
To improve your (threat) modeling career, you need a better (threat) agent (library)! Threat modeling is a process for capturing, organizing, and analyzing the security of a system based on the perspective of a threat agent. Threat modeling enables informed decision-making about application security risk. In addition to producing a model, typical threat modeling efforts also produce a prioritized list of security improvements to the concept, requirements, design, or implementation. In 2009, OWASP posted wiki pages on threat modeling. Although there was the start of a section on threat agents, it has yet to be completed.
Intel developed a unique standardized threat agent library (TAL) that provides a consistent, up-to-date reference describing the human agents (a.k.a. threat actors) that pose threats to IT systems and other information assets. Instead of picking threat agents based on vendor recommendations and space requirements in PowerPoint, the TAL is repeatable, yet flexible enough for a range of risk assessment uses. We will cover both the TAL and the Threat Agent Risk Assessment (TARA), and how they can be used to improve threat modeling.
Speaker
Eric Jernigan
Information Security Architect, Umpqua Bank
Key Learnings
-----------------
• Tools and techniques - understanding the taxonomy
• Top use cases for the SOC
• Attack surfaces
  - Insider threat (ignored at the moment)
  - Credential theft
  - Endpoint compromise
  - Application attack
• Monitoring / Building / SWIFT Fraud
• Analytics and hunting playbooks for SWIFT
A Security Incident Response Trust Framework for Federated Identity. A mechanism for ensuring collaborative incident response within federated communities.
Phil Williams, Principal Cloud Solutions Architect, explains how to evaluate your exposure to DDoS attack and how to best shape your defenses to budget requirements.
The changing threat landscape reality and the frequency, sophistication and targeted nature of adversaries require an evolution of security operational practices to a combination of prevention, detection and response to cyber attacks.
Threat Hunting - Moving from the ad hoc to the formal - Priyanka Aash
In order to effectively defend your organization, you must think about the offensive strategy as well. But before we get ahead of ourselves let’s talk briefly about the building blocks of a good offense. First is an architecture that is built around a security policy that is aligned with the business risk. Risk must be understood and a cookie cutter approach must be avoided here because again every organization is different and so are their risks.
Footprinting is part of the reconnaissance process and is used for gathering as much information as possible about a target computer system or network. Footprinting can be both passive and active. Reviewing a company’s website is an example of passive footprinting, whereas attempting to gain access to sensitive information through social engineering is an example of active information gathering.
Footprinting is basically the first step, where the hacker gathers as much information as possible to find ways to intrude into a target system, or at least to decide what type of attacks will be most suitable for the target.
Learn to identify, manage, and block threats faster with intelligence.
The ThreatConnect Platform was specifically designed to help you understand adversaries, automate workflows, and mitigate threats faster using threat intelligence. But we know security operations and threat intelligence are not one size fits all. That’s why we have options.
You'll See:
- The products: Whether your security team is large or small, advanced or just getting started with threat intelligence, there is a ThreatConnect product that fits your specific needs.
- Innovative features in the platform:
  - Collective Analytics Layer, which offers immediate insight into how widespread and relevant a threat is.
  - Playbooks: automate nearly any security operation or task - sending alerts, enriching data, or assigning tasks to a teammate; all done with an easy drag-and-drop interface - no coding needed.
- How ThreatConnect will adapt with your organization as it grows and changes.
M-Trends® 2010: The Advanced Persistent Threat - FireEye, Inc.
The inaugural M-Trends report details threat intelligence learned while conducting intrusion investigations for the U.S. government, the defense industrial base, and commercial organizations. This report focuses on the Advanced Persistent Threat (APT), and outlines trends, techniques, and real details of how the APT successfully compromises any target it desires. For the latest M-Trends report, visit https://www.fireeye.com/mtrends
Where there is money, there is crime – and financial institutions are among the prime targets for cyber criminals. This session will cover the threat that cybercrime poses to financial institutions, our first-hand run-ins with advanced attackers, real-world case studies, and the rise of cheap and damaging "hacking-as-a-service" tools that we’re seeing with increasing frequency and the damaging effects they have on financial institutions.
Ondrej Krehel, CEO & Founder, LIFARS, LLC
Dusan Petricko, Incident Response Manager, LIFARS, LLC
2. Taking the Attacker Eviction RED PILL
Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
3. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
Or how to structure your thinking when countering espionage and sabotage from “APT”
4. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
In this talk we will look at the attempted eviction of a mission driven and well organized adversary
5. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
Beware that this is work in progress and still a bit rough around the edges
6. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
Incident Response
PICERL: Prepare | Identify | Contain | Eradicate | Recover | Lessons Learned
NIST: Preparation | Detect & Analyze | Contain & Eradicate & Recover | Post Incident Activities
Bottom Line: Eventually you will try to get the attacker off your network
8. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
Turns out there’s a lot of uncertainty to deal with when responding to a targeted and advanced “APT breach”
9. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
Incident Response when facing an APT threat
Best Practice: Scope before you start responding.
Common Misstep: Acting too soon, giving your adversary time to adapt.
11. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
It turns out “acting too soon” is a thing when responding to an APT threat
12. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
If you want to respond effectively you need to reduce the uncertainty and understand when it’s the right time to act
13. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
Understanding common APT patterns
14. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
Intrusion Patterns of “APT” threats
Sting Operation: Also called “smash and grab”. A direct attack to get a specific piece of information.
Persistent Infiltration: A long running campaign against you, where your adversary will gain and sustain unauthorized access to your infrastructure for a long period of time.
Response: When responding, you should take into consideration what kind of pattern you are seeing.
16. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
The Structure of an APT infiltration
Access: An APT infiltration is all about access. They work a lot to gain and sustain access.
Extract: The purpose of gaining access is to find and extract useful information (or abuse your infrastructure).
Deliver: All of this is done to deliver on goals set for the attacker’s mission.
19. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
Why you are targeted by an APT attack team
Adversarial Relationship: For you to ever be targeted by an APT attack team you must be relevant for some kind of adversarial relationship.
Provide Access: And you must provide access to something that will help the offensive party gain an advantage in that relationship.
Collection: What you are observing though is only the collection part of a much bigger process.
24. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
Intermission
25. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
The IR and eviction process should not really be about evicting the attackers but rather keeping them out and preventing them from effortlessly re-entering
26. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
It also shouldn’t be about cleaning networks but rather mitigating risk as effectively as possible
27. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
And sometimes this actually means leaving your network compromised while covertly containing the most important risks by using what you learn from the attackers
28. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
So how do we make that decision?
29. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
By structured analytical thinking using analytical models
30. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
Dwell Time: The time an attacker has stayed undetected in your network.
Short: Hours to days. Good chances of catching up with the attacker.
Medium: Days to weeks. You may catch up if you have a capable and enabled team.
Long: Months to years. Depending on the attacker your chances are in all fairness pretty slim without a full purge or migration.
32. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
Intrusion Patterns of APT threats
Sting Operation: Also called “smash and grab”. A direct attack to get a specific piece of information.
Persistent Infiltration: A long running campaign against you, where your adversary will gain and sustain unauthorized access to your infrastructure for a long period of time.
Response: When responding, you should take into consideration what kind of pattern you are seeing.
33. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
The Threat Type Matrix
Threat Type: Strategic | Tactical | Operational
Capability: Low | Medium | High
Strategic: You are a high priority and long term target for your adversary
Tactical: You are a short/medium term target for a specific reason
Operational: You are a target because the attacker wants infrastructure
36. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
The Risk Type Matrix
Risk Type: Strategic | Tactical | Operational
Impact: Low | Medium | High
Strategic: Affects your org’s long term strategic goals
Tactical: Affects your org’s current and near future execution
Operational: Affects your org’s (IT) operation
39. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
The Cyber Threat Intelligence Matrix
Mapping your knowledge gaps.
Depth of knowledge: Footprint | Arsenal | Tradecraft
Stages of attack: Prep. | Intrusion | Execution
Presentation: https://www.slideshare.net/FrodeHommedal/the-cyber-threat-intelligence-matrix
Essay: https://www.mnemonic.no/security-report/making-your-move
46. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
Threat Metrics to help you navigate
CTI Matrix: Identifying knowledge gaps.
ThreatType Matrix: Identifying type of threat.
RiskType Matrix: Identifying type of risk.
Intrusion Pattern: Identifying type of infiltration.
DwellTime: Identifying length of infiltration.
47. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
With these models in mind we will look at some response patterns.
48. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
Response Patterns for your consideration
Ignore: Ignorance or actively ignoring.
Disrupt: Continuous remediation.
Engage: A game of chess heavily reliant on intelligence and a high operational tempo.
Clean: Scope, shut down and clean.
Migrate: Build new and migrate.
52. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
Wrap up
53. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
So what truth is THE RED PILL of attacker eviction exposing?
A way more complex and adversarial incident response reality than most responders are ready to acknowledge.
54. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
Yet the key takeaway is that if you understand your attacker, you will be able to improve your response significantly.
55. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
Then you can apply the right response pattern to the identified intrusion pattern and the identified threat and risk types.
56. Taking the Attacker Eviction Red Pill Frode Hommedal | Telenor | CM2017
Always outnumbered.
Never outgunned!
@FrodeHommedal
no.linkedin.com/in/hommedal
frodehommedal.no
Editor's Notes
This talk is about models. Models to help you structure your thinking when you plan your response to an APT breach.
More specifically it will focus on models to structure your thinking regarding the eviction of your attacker from your infrastructure.
You’re not cleaning up garbage. You’re (literally) chasing rats. Highly intelligent and organized rodents with malicious intent. This makes it all very fluid and unpredictable.
Compromised assets might actually not be your biggest risks. And sometimes ”cleaning up” your compromised assets will leave you worse off containing the biggest risks.
”Purge” is sometimes called “nuke and pave”. Or maybe it’s “scorched earth”?
This is military forces used against civilians, in peace time. This is being a fire fighter, and every fire you fight is lit by an arsonist. This is the absence of rule of law. This is being constantly outnumbered and outgunned.