This document discusses methods for detecting botnet infections and activity through network traffic analysis. It begins with an introduction to bots and botnets, describing how bots are typically installed on machines and how they communicate with command and control servers. It then discusses approaches for detecting botnet infections by observing executable transfers between newly registered domains and signs of updates. Detection of post-infection activity focuses on patterns of mass HTTP posts to generated domains. Case studies provide examples of specific botnets and their detection through domain registration patterns, IP addresses, and network behaviors.
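One way to operationalize the "mass HTTP POSTs to generated domains" signal described above, as an added example that is not part of the original presentation: a small Python scorer run over a constructed, reduced-column HTTP log. The log layout, the heuristic thresholds and the `/gate.php` paths are assumptions made for the sample; the newly-registered-domain check is not modelled here because registration age needs an external WHOIS or NRD feed.

```python
import math
from collections import defaultdict

# Constructed sample in a reduced Zeek-http.log-style layout (tab separated):
# ts, id.orig_h, method, host, uri. Not real traffic; the hosts are made up.
SAMPLE_HTTP_LOG = """\
1700000001.1\t10.0.0.5\tGET\twww.example.com\t/index.html
1700000002.3\t10.0.0.5\tPOST\tqzkxvtrwplmn.com\t/gate.php
1700000003.0\t10.0.0.5\tPOST\txjwqhzrpkvbt.net\t/gate.php
1700000004.2\t10.0.0.5\tPOST\tmvrtkqplxzhw.com\t/gate.php
1700000005.9\t10.0.0.7\tPOST\tlogin.example.org\t/api/session
1700000006.4\t10.0.0.5\tPOST\tupdate.example.com\t/upload
"""


def shannon_entropy(text):
    """Bits per character; random-looking labels score near log2(alphabet size)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(host):
    """Naive second-level label. A real pipeline would use a public-suffix list
    (assumption: no multi-part TLDs such as co.uk appear in the sample)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(host):
    """Heuristic 0..1 score for 'looks algorithmically generated'. The thresholds
    are assumptions chosen for this sample, not tuned production values."""
    label = registered_label(host)
    if len(label) < 6:
        return 0.0
    entropy = shannon_entropy(label)
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    score = 0.0
    if entropy > 3.0:          # few repeated characters
        score += 0.4
    if vowel_ratio < 0.25:     # unpronounceable
        score += 0.4
    if digit_ratio > 0.3:      # digit-heavy label
        score += 0.2
    if len(label) >= 10:       # long label
        score += 0.2
    return min(score, 1.0)


def find_mass_posts(log_text, score_threshold=0.8, min_domains=3):
    """Return {source_ip: [suspicious hosts]} for sources that POST to at least
    min_domains distinct DGA-looking hosts: the 'mass POST' pattern."""
    posts = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, src, method, host, _uri = line.split("\t")
        if method != "POST":
            continue
        if dga_score(host) >= score_threshold:
            posts[src].add(host)
    return {src: sorted(hosts) for src, hosts in posts.items()
            if len(hosts) >= min_domains}


if __name__ == "__main__":
    for src, hosts in find_mass_posts(SAMPLE_HTTP_LOG).items():
        print(f"{src} POSTed to {len(hosts)} DGA-like domains: {', '.join(hosts)}")
```

The per-domain score is deliberately crude; what makes the signal useful is the aggregation step, since a single odd-looking host is common but one workstation posting to several of them in quick succession is not. In production, join the flagged hosts against a domain-age feed before alerting, as the text suggests.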
Admins like PowerShell, developers like it, and hackers like it most of all. As the native shell of Windows systems it does not attract attention, while at the same time offering enormous offensive capabilities. During the talk Paweł will present both effective one-liners and multi-line scripts that can wreak havoc in an unprepared organization. Expect interesting C2 channels, malware written entirely in PowerShell, finding and exploiting poorly configured MSSQL servers, etc. 100% meat.
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...PROIDEA
Banking Trojans have been part of the financial cybercrime landscape for over a decade, causing losses measured in billions of dollars. On the flip side, the constant evolution of defenses against this type of malware has forced Trojan operators to adjust to security controls designed to keep them out. As a result, many Trojan operators have either disappeared or considerably narrowed their activity scope, but more interestingly, are using novel techniques to achieve their goals. In this talk, we will present three top malware operators active in the wild and their use of automated scripts to tackle their challenges: The notorious Gozi (ISFB) malware used to run its own executable files. Nowadays, it avoids storing malicious payloads on disk and instead, writes a Powershell script to the Windows registry and executes it using a special regex-based run-key. Ramnit, a dated foe that focuses on UK banks, encrypts its payload using a Windows API function with a device-unique key. In every system reboot, it decrypts the payload in-memory and runs it with a Visual Basic script that runs Powershell. This allows Ramnit to avoid running a detectable, executable file as it used to do in the past. BackSwap is a new banking Trojan that attacks financial institutions in Spain. Its dropper is a JavaScript Encoded (JSE) file. When decoded, the dropper results in a 30k lines-of-code script which downloads a binary sample from a remote Command-and-Control server. Together with our audience, we will walk through the research process and share our findings along with our (sometimes) quick-and-dirty solutions. We aim to enhance our participants’ knowledge of today’s bankers and help them get deeper into current-day scripting-related techniques cybercriminals use.
Finding target for hacking on internet is now easierDavid Thomas
Finding targets on the internet for penetration testing involves searching the internet using Google, or using Google Hacking/Dorking. Google hacking queries are available on the internet; according to an ethical hacking researcher at the International Institute of Cyber Security, it is the main source of passive attacks on the internet. This whole process of finding targets on the internet using the GHDB is automated by a Python-based framework named the Katana framework.
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
Michal will take you on a journey all the way to the 90's and back, sharing the Mozilla detection framework - a systematic way to detect and hunt down threat actors. Why did we spend hours digging through some old Phrack issues? How does a blue team member approach writing rootkits? What is better - a false negative or a false positive? I will share answers to these questions plus a lot of alerting and evil-doing code.
Hunting for APT in network logs workshop presentationOlehLevytskyi1
Nonamecon 2021 presentation.
Network logs are one of the most efficient sources for hunting adversaries, but building good analytics capabilities requires a deep understanding of benign activity and attacker behavior. This training focuses on detecting real-case attacks, tools and scenarios from the past year.
The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations.
Presentation topics:
- Netflow Mitre Matrix view
- Full packet captures vs Netflow
- Zeek
- Zeek packages
- RDP initial compromise
- Empire Powershell and CobaltStrike or what to expect after initial loader execution.
- Empire powershell initial connection
- Beaconing. RITA
- Scanning detection
- Internal enumeration detection
- Lateral movement techniques widely used
- Kerberos attacks
- PSExec and fileless ways of delivering payloads in the network
- Zerologon detection
- Data exfiltration
- Data exfiltration over C2 channel
- Data exfiltration using time size limits (data chunks)
- DNS exfiltration
- Detecting ransomware in your network
- Real incident investigation
Authors:
Oleh Levytskyi (https://twitter.com/LeOleg97)
Bogdan Vennyk (https://twitter.com/bogdanvennyk)
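The beaconing topic above (Empire, Cobalt Strike, RITA) comes down to one observable: an implant checking in on a timer produces connection intervals that are far more regular than human-driven traffic. The following Python is an added example, not material from the workshop or from RITA; it flags regular intervals in a constructed, reduced-column conn.log. The column subset, the jitter threshold and the minimum connection count are assumptions for the sample.

```python
import statistics
from collections import defaultdict


def _constructed_conn_log():
    """Constructed, reduced-column Zeek conn.log-style rows (tab separated):
    ts, id.orig_h, id.resp_h, id.resp_p. A real conn.log has many more columns
    and a '#fields' header; this is not captured traffic."""
    rows = []
    # 10.0.0.5 reaches 203.0.113.10:443 roughly every 60 s (beacon-like)
    for t in (0.0, 60.4, 119.7, 180.2, 240.1, 299.8, 360.3, 420.0):
        rows.append(f"{1700000000 + t:.1f}\t10.0.0.5\t203.0.113.10\t443")
    # 10.0.0.7 reaches 198.51.100.20:443 at irregular, human-driven times
    for t in (0, 7, 95, 101, 400, 430, 900):
        rows.append(f"{1700000000 + t:.1f}\t10.0.0.7\t198.51.100.20\t443")
    return "\n".join(rows)


SAMPLE_CONN_LOG = _constructed_conn_log()


def parse_conn_log(text):
    """Yield (ts, src, dst, port) tuples, skipping Zeek '#' header/footer lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port = line.split("\t")
        yield float(ts), src, dst, port


def find_beacons(text, min_connections=6, max_jitter=0.1):
    """Flag (src, dst, port) pairs whose inter-connection intervals are unusually
    regular. Regularity = median absolute deviation of the intervals divided by
    the median interval; a value near 0 means a near-perfect timer."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in parse_conn_log(text):
        by_pair[(src, dst, port)].append(ts)

    results = []
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_connections:   # too few samples to judge
            continue
        stamps.sort()
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(deltas)
        if median <= 0:
            continue
        mad = statistics.median([abs(d - median) for d in deltas])
        jitter = mad / median
        if jitter <= max_jitter:
            results.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(stamps),
                "median_interval_s": round(median, 1),
                "jitter": round(jitter, 3),
            })
    return results


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_CONN_LOG):
        print(f"{b['src']} -> {b['dst']}:{b['port']} every ~{b['median_interval_s']}s "
              f"({b['connections']} connections, jitter {b['jitter']})")
```

Two caveats a hunter will hit immediately: frameworks add randomized sleep, so interval regularity alone misses jittered beacons and should be paired with the dispersion of bytes sent per connection and with long-tail checks (a pair that is contacted at all hours, including overnight); and chatty legitimate software (update checks, monitoring agents) is just as regular, so the output is a hunting lead to enrich with destination reputation, not an alert on its own.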
A look back at sessions attended during DrupalCon 2016 in Dublin, covering DevOps topics but also Drupal 8: docker, kubernetes, jenkins 2 pipeline, Lcache, configuration management, migrate, cache
We need to go deeper - Testing inception apps.SecuRing
When it comes to thick clients, Java applets, embedded devices or mobile apps, the idea is often to forget about the HTTP/S stack and plaintext POST parameters and instead implement a custom communication protocol. - Sending files for printing? Caesar cipher does not support full UTF-8, so use AES in ECB mode. - Malware attacking online banking? Even over HTTPS, double-encrypt POST parameters. If your clients are rich, use asymmetric encryption, for better protection. - Planning a SOAP WS? Use WCF Binary XML and put it in a START-TLS tunnel wrapped over a TCP connection. Welcome to the world of application/x-inception-data content types, <meta charset=obscure> encoding and custom cryptography. These ideas usually amount to 'security by obscurity'. Once the outer layer of obfuscation is off, the server backend very often reveals simple access control issues, SQL query shells or code execution vulnerabilities. I will discuss real-world examples from enterprise solution tests which require a bit more effort to allow tampering with data sent from the client: - intercepting the traffic, bypassing NAC - decapsulating encryption and encoding layers - hooking into function calls, modifying packages - reverse-engineering proprietary protocols and encryption.
Talk language: Russian. Has worked in both "paper" and hands-on information security for more than 6 years. SOC analyst at Kaspersky Lab. Previously head of the information security unit at an industrial enterprise. Completed the specialist and master's programmes at the Reshetnev Siberian State Aerospace University (SibGAU), where he later taught information security courses. Participant in a number of CTFs. Has spoken at ZeroNights. Teymur Kheirkhabarov. Risk management: how to stop believing in illusions. Fast Track
Everyone can use some inspiration.
Breathe, live, move....enjoy all the beauty in Nature and on Earth.
Let your soul, heart, mind and body be nourished by all those beautiful texts, words, colours, energies...
Enjoy everything in this Life...give yourself a greater Quality of Life!
Hugo Van Verdegem, Psychologist and Energetic Life Coach
www.hugovanverdegem.be - http://hartsgedragenbewustzijn.wordpress.com/
TEDxTableMountain - 'The case for the maximum wage'leavesoflanguage
Understanding the true costs for South Africa - and the world - of excessive inequality and excessive wealth - and how we should consume less and share more for societies that serve everyone (including the currently very wealthy) even better.
ADVANCED PAYLOADS
The MA THOR Twin system provides versatile multi-payload configurations utilizing cutting edge sensors and systems with modular installation to accomplish a wide variety of missions. The advanced modular MA THOR Twin UAS architecture separates safety critical flight systems from mission systems providing great flexibility and cost optimization in integration of new and indigenous payloads.
www.marquesaviation.com
Here you can find out everything you need to know about the UK's latest financial and economic data, including the HSBC Swiss bank account scandal, house prices, the unemployment rate and Fitch's views on the purchase of UK mortgage servicers.
Since 2007 GOFORTUTION.coM has been the search engine for tutors and students in Delhi and all over India. It provides the cheapest and best home tutors to students, and it also helps tutors who are seeking students for home tuition. We at Mentor Me provide highly qualified, result-oriented, enthusiastic and responsible tutors for all classes, all subjects and all locations across Delhi and all over India. We have tutors for all subjects of CBSE, ICSE, B.Com, B.Sc, BBA, BCA, MBA, CA, CS, MCA, "O" Level, "A" Level etc. GOFORTUTION is a portal for tutors and students, not just a site.
Things fail. It’s a fact of life. But that doesn’t mean that your applications and services need to fail. In this talk, David Prinzing described a solution architecture that has been proven to deliver amazing performance at scale with continuous availability on Amazon Web Services. You can’t just move your application to the cloud and expect this – you need to design for it. Technology selections include Amazon Web Services, Ubuntu Linux, Apache Cassandra for the database, Dropwizard for providing RESTful web services, and AngularJS as the foundation for an HTML5 web application. Event: http://www.meetup.com/AWS-EASTBAY/events/225570266
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.
I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you circumvent the hardware firewall once we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic, meaning that they work against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them is endless, e.g., communicating with a bind shell on a web server behind a restricted DMZ. Beware, live demo and fun included!
Covers building a malware analysis environment for enterprises that don't currently have a dedicated team for such purposes. Presented at Blackhat DC 2010.
Stanford Drupal Camp 2015 - Repelling Bots, DDOS, and other FiendsSuzanne Aldrich
Long ago, in the misty annals of the early Internet, by simply placing a well-formed robots.txt file at the root of a website directory, you could ban unwanted indexing bots from crawling through a few dozen hand-stitched pages and consuming an entire month’s outgoing bandwidth allowance. The only DDOS was getting “Slashdotted”, and having that happen to your website was a big honor. Nowadays, however, our concerns are much more diverse in scope, and far riskier by nature. From email harvesting operations and spam generation factories, to denial-of-service and malware breeding farms, these zombie-staffed distributed botnets are spewing enormous rivers of malicious garbage upon our once pristine, networked shores. Meanwhile, the stakes are only getting higher, as all the top brands and levels of government alike begin to heavily rely on the wholesome appearance and reliable service of their websites to be intimately connected with consumers online.
How might besieged web operators repel the gross onslaught of spam traffic, DDOS attacks, and other malicious behavior promulgated through our nets? In this session, Suzanne Aldrich of Pantheon and Martijn Gonlag of CloudFlare will reconnoiter the Internet robot armies, and disseminate effective strategies for website fortification:
* Diagnosing bot traffic spikes with logs and analytics
* Best practices for obscuring emails and using nofollow links
* Standard spam evasion methods and why they’re mostly flawed
* Strengths and pitfalls of using external spam filtering services
* CDNs, caching, and other performance optimization techniques for withstanding high traffic volume
* Anti-DDOS and WAF protection
After this session you’ll be armed with all the knowledge needed to defend any Drupal site from a bot assault, and live to tell the tale.
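The first bullet above, diagnosing bot traffic spikes with logs, is the step a site operator can do entirely offline. The following Python is an added example and not material from the session or from Pantheon or CloudFlare: it parses web-server "combined" log lines, finds clients whose request rate in any sliding window exceeds a threshold, and reports the evidence a responder wants (peak rate, scripted user agent, most-hit path). The log lines are constructed, and the window and threshold are assumptions for the sample.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed list of agent strings that indicate scripting rather than a browser.
TOOL_UA_RE = re.compile(r"python-requests|curl|wget|scrapy|go-http-client|bot", re.I)


def _constructed_access_log():
    """Constructed sample: one client hammering the Drupal login form with a
    scripted user agent, plus a handful of ordinary browser requests."""
    lines = []
    for sec in range(40):
        lines.append(f'203.0.113.9 - - [10/Oct/2014:13:55:{sec:02d} +0000] '
                     f'"POST /user/login HTTP/1.1" 200 512 "-" "python-requests/2.2"')
    for i in range(5):
        lines.append(f'198.51.100.4 - - [10/Oct/2014:13:55:{i * 10:02d} +0000] '
                     f'"GET /node/{i} HTTP/1.1" 200 2326 "https://example.org/" "Mozilla/5.0"')
    return "\n".join(lines)


SAMPLE_ACCESS_LOG = _constructed_access_log()


def parse_access_log(text):
    """Yield (epoch_ts, ip, path, user_agent); lines that do not match are skipped
    (in production, count them, since a parser gap hides traffic)."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        yield ts, m.group("ip"), m.group("path"), m.group("ua")


def peak_requests_in_window(stamps, window_seconds):
    """Largest number of requests from one client inside any window_seconds span."""
    stamps = sorted(stamps)
    best, start = 0, 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_bot_clients(text, window_seconds=60, max_requests=30):
    """Return {ip: details} for clients exceeding max_requests in any window."""
    stamps = defaultdict(list)
    paths = defaultdict(Counter)
    agents = defaultdict(set)
    for ts, ip, path, ua in parse_access_log(text):
        stamps[ip].append(ts)
        paths[ip][path] += 1
        agents[ip].add(ua)
    flagged = {}
    for ip, ts_list in stamps.items():
        peak = peak_requests_in_window(ts_list, window_seconds)
        if peak > max_requests:
            flagged[ip] = {
                "peak_requests": peak,
                "scripted_ua": any(TOOL_UA_RE.search(ua) for ua in agents[ip]),
                "top_path": paths[ip].most_common(1)[0][0],
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_bot_clients(SAMPLE_ACCESS_LOG).items():
        print(f"{ip}: {info['peak_requests']} req/min, scripted UA={info['scripted_ua']}, "
              f"top path {info['top_path']}")
```

Per-IP counting only works when the logged address is the client's: behind a CDN or reverse proxy the server sees the proxy's address, so log the forwarded client address (for example via the X-Forwarded-For or CF-Connecting-IP header the proxy sets) before trusting these numbers, and expect shared NAT egress points to look busier than any one user.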
Practical Operation Automation with StackStormShu Sugimoto
Automation is getting more and more important these days, but it is not always easy to achieve, because it takes tremendous effort to make existing procedures machine-friendly. That often means you need to change almost everything!
StackStorm (aka st2, https://stackstorm.com/) is an open source IFTTT-ish middleware that ships with a powerful workflow engine and a unique feature called "inquiries".
I'll focus on the workflow engine functionality of st2 and show how it can ease the "automation" of day-to-day tasks. The example I'll show in this presentation is the actual workflow that we use at JPNAP, a real-world IXP operation.
PyCon AU 2012 - Debugging Live Python Web ApplicationsGraham Dumpleton
Monitoring tools record the result of what happened to your web application when a problem arises, but for some classes of problems, monitoring systems are only a starting point. Sometimes it is necessary to take more intrusive steps to plan for the unexpected by embedding mechanisms that will allow you to interact with a live deployed web application and extract even more detailed information.
Unmasking Careto through Memory Forensics (video in description)Andrew Case
My presentation from SecTor 2014 on analyzing the sophisticated Careto malware with memory forensics & Volatility
Video here: http://2014.video.sector.ca/video/110388398
GDD Japan 2009 - Designing OpenSocial Apps For Speed and ScalePatrick Chanezon
Google Developer Days Japan 2009 - Designing OpenSocial Apps For Speed and Scale
Original slides from Arne Roomann-Kurrik & Chris Chabot with a few Zen quotes and references added by me:-)
Spenser Reinhardt's presentation on Detecting Security Breaches With Docker, Honeypots, & Nagios.
The presentation was given during the Nagios World Conference North America held Oct 13th - Oct 16th, 2014 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/conference
Diagnosing WordPress: What to do when things go wrongWordCamp Sydney
Everyone hates seeing the White Screen of Death, especially if it’s discovered by the client calling to tell you their site is down. Even more frustrating can be intermittent error and/or slow response times, as these can be much harder to diagnose.
Aimed at newer WordPress developers and advanced users, this talk will start with the basic diagnostics tools available and go all the way through to advanced debugging. Attendees should be able to leave this talk with an informed diagnostic approach to errors, rather than just panic.
Presented by Tim Butler @timbutler at WordCamp Sydney 2018
When third parties stop being polite... and start getting realCharles Vazac
By Nic Jansma and Charles Vazac (Akamai)
Fluent 2018
http://www.youtube.com/watch?v=L3LKtFh1HkQ
Would you give the Amazon Prime delivery robot the key to your house, just because it stops by to deliver delicious packages every day? Even if you would, do you still have 100% confidence that it wouldn’t accidentally drag in some mud, let the neighbor in, steal your things, or burn your house down? Worst-case scenarios such as these are what you should be planning for when deciding whether or not to include third-party libraries and services on your website. While most libraries have good intentions, by including them on your site, you have given them complete control over the kingdom. Once on your site, they can provide all of the great services you want—or they can destroy everything you’ve worked so hard to build.
It’s prudent to be cautious: we’ve all heard stories about how third-party libraries have caused slowdowns, broken websites, and even led to downtime. But how do you evaluate the actual costs and potential risks of a third-party library so you can balance that against the service it provides? Every library requires nonzero overhead to provide the service it claims. In many cases, the overhead is minimal and justified, but we should quantify it to understand the real cost. In addition, libraries need to be carefully crafted so they can avoid causing additional pain when the stars don’t align and things go wrong.
Nic Jansma and Charles Vazac perform an honest audit of several popular third-party libraries to understand their true cost to your site, exploring loading patterns, SPOF avoidance, JavaScript parsing, long tasks, runtime overhead, polyfill headaches, security and privacy concerns, and more. From how the library is loaded, to the moment it phones home, you’ll see how third-parties can affect the host page and discover best practices you can follow to ensure they do the least potential harm.
With all of the great performance tools available to developers today, we’ve gained a lot of insight into just how much third-party libraries are impacting our websites. Nic and Charles detail tools to help you decide if a library’s risks and unseen costs are worth it. While you may not have the time to perform a deep dive into every third-party library you want to include on your site, you’ll leave with a checklist of the most important best practices third-parties should be following for you to have confidence in them.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build, inspired by diverse, explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies need to be explicitly articulated, and we need to develop theories of change in the context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
2. agenda
● Introduction
● Bots and botnets: short walk-through
● Taming botnets: Detection and Evasion
● Our approach
● Case studies
● Conclusion
● Disclaimer: we steal our images from Google Image :)
3. Introduction
● Why we are doing this research?
● Objectives
● Our data sources
● Our environment: bunch of code in node.js and python, customized sandboxing platform (cuckoo based), data indexed in solr
4. Introduction: bots
● “bot”: a software program, installed on target machine(s) for the purpose of utilizing that machine's computational/network resources or collecting information
● A typical bot is controlled by an external party and therefore needs to be able to utilize a communication channel in order to receive commands and pass information
● Bots typically are used for malicious purposes ;-)
5. Introduction: bots (lifecycle)
● Installation (infection) phase: often by means of a software exploit or a social engineering technique (fake antivirus, fake software update)
● Post-infection phase: communication (C&C, peer etc)
6. Introduction
● Our basic assumption is that a bot needs to be able to communicate back in order to be useful.
● Our analysis is primarily “blackbox”: we observe network traffic of a large network infrastructure in order to identify possible infections and “communication” links
● We also utilize sandboxing techniques to observe behavior (mainly from the network side)
● We do not attempt to reverse engineer (manually or automatically) botnet software
7. Botnets
● Infection vectors → often targeting end-user machines (clients) in a large number of occurrences by exploiting a software vulnerability in the browser or related components
● C&C communication:
● Remember IRC bots? :)
● over HTTP (most common)
● Proprietary protocol
● Centralized or P2P infrastructure
10. How do you get bots on your machine? ;-)
● Compromised servers: most widespread, often through silly vulns (e.g. wordpress!), but also high profile web sites are affected, or domains taken over (DNS poisoning and more)
● Placing a javascript iframe on a compromised high-traffic machine is way more profitable than defacing (hacktivism is only for hippies? ;)
11. How do you get bots (pt 2)
● SEO poisoning/manipulation.
12. How do you get bots (pt 3)
● Advertisements and malvertisements: a whole new ecosystem: OpenX is a huge security hole ;)
13. Anyways
● Once infected, the bot talks back...
Let's look at some real-life cases (the data is very recent, mostly from the past few months).
15. Carberp
● Bot Infection: Drive-By-HTTP
● Payload and intermediate malware domains: normal, just registered/DynDNS
● Distributed via: many, many compromised web-sites; top score > 100 compromised resources detected during 1 week.
● C&C domains usually generated, but some special cases below ;-).
● C&C and Malware domains located on the same AS (from the bot's point of view). Easy to detect.
● Typical bot activity: Mass HTTP Post
19. Detection during infection and by post-infection activity
● Infection: executable transfer from a just registered domain, e.g. lifenews-sport.org, or a Dyn-DNS domain, like uphchtxmji.homelinux.com
● Updates: executable transfer from a just registered or DynDNS domain
● Post-infection activity: Mass HTTP Post to generated domains like n87e0wfoghoucjfe0id.org; the URL ends with different extensions
20. Netprotocol.exe
● Bot Infection was: Drive-By-FTP; now: Drive-By-FTP, Drive-By-HTTP
● Payload and intermediate malware domains: normal, obfuscated
● Distributed via: compromised web-sites
● C&C domains usually generated, many domains in the .be zone.
● C&C and Malware domains located on different ASes. Bot updates payload via HTTP
● Typical bot activity: HTTP Post, payload updates via HTTP.
22. Attack analysis
- Script from www.java.com used during attack.
- Applet exp.jar loaded by FTP
- FTP server IP address obfuscated to avoid detection
24. Activity example
Field              Event 1                  Event 2
Date/Time          2012-04-29 02:05:48 MSD  2012-04-29 02:06:08 MSD
Tag Name           HTTP_Post                HTTP_Post
Target IP Address  217.73.60.107            208.73.210.29
:server            rugtif.be                eksyghskgsbakrys.com
:URL               /check_system.php        /check_system.php
Domain registered: 2012-04-21
25. On-host detection and activity
Payload: usually netprotocol.exe, located in Users\USER_NAME\AppData\Roaming, which periodically downloads other malware
Further payload loaded via HTTP: http://64.191.65.99/view_img.php?c=4&k=a4422297a462ec0f01b83bc96068e064
26. Detection by AV: sample from May 09 2012, detect ratio 1/42
● (demos, recorded as videos)
27. Detection during infection and by post-infection activity
● Infection: .jar and .dat file downloaded by FTP, server name = obfuscated IP address, example ftp://3645456330/6/e.jar; Java version in FTP password, example Java1.6.0_29@
● Updates: executable transfer from some Internet host, example GET http://184.82.0.35/f/kwe.exe
● Post-infection activity: Mass HTTP Post to normal and generated domains with URL: check_system.php
09:04:46 POST http://hander.be/check_system.php
09:05:06 POST http://aratecti.be/check_system.php
09:06:48 POST http://hander.be/check_system.php
09:07:11 POST http://aratecti.be/check_system.php
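Slides 19 and 27 describe three network-side signals: an executable fetched from a just-registered or DynDNS domain, an FTP server named by a decimal (obfuscated) IP address, and the same script path POSTed to several domains. This added Python example (not code from the authors' toolset) implements all three over constructed log lines; the WHOIS creation date, the DynDNS suffix list and the analysis date are assumptions.

```python
from collections import defaultdict
from datetime import date
from urllib.parse import urlsplit

# Constructed sample log ("time method url"), not taken from the deck's sensors
LOG = """09:04:10 GET http://lifenews-sport.org/load/setup.exe
09:04:12 GET ftp://3645456330/6/e.jar
09:04:20 GET http://uphchtxmji.homelinux.com/up.exe
09:04:46 POST http://hander.be/check_system.php
09:05:06 POST http://aratecti.be/check_system.php
09:06:48 POST http://hander.be/check_system.php
09:07:11 POST http://aratecti.be/check_system.php
09:08:00 GET http://www.example.org/index.html"""

# Hypothetical WHOIS creation date and analysis date; real values come from a WHOIS/DNS index
WHOIS_CREATED = {"lifenews-sport.org": date(2012, 4, 21)}
TODAY = date(2012, 5, 9)
DYNDNS_SUFFIXES = (".homelinux.com", ".ddns.us", ".dyndns.org")  # assumed list
EXEC_EXT = (".exe", ".jar", ".dat")

def decode_int_host(host):
    """Turn an integer-form host such as 3645456330 into dotted-quad form, else None."""
    if not host.isdigit() or int(host) > 0xFFFFFFFF:
        return None
    n = int(host)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def analyze(log, today=TODAY, young_days=30, post_threshold=2):
    """Return (kind, ...) alerts; mass POST = same path hit on several domains."""
    alerts = []
    posts = defaultdict(set)  # URL path -> distinct domains it was POSTed to
    for line in log.splitlines():
        ts, method, url = line.split(" ", 2)
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme == "ftp" and (dotted := decode_int_host(host)):
            alerts.append(("obfuscated-ftp-host", ts, f"{host} -> {dotted}"))
        if parts.path.lower().endswith(EXEC_EXT):
            created = WHOIS_CREATED.get(host)
            if created and (today - created).days <= young_days:
                alerts.append(("exe-from-young-domain", ts, host))
            elif host.endswith(DYNDNS_SUFFIXES):
                alerts.append(("exe-from-dyndns", ts, host))
        if method == "POST":
            posts[parts.path].add(host)
    for path, domains in posts.items():
        if len(domains) >= post_threshold:
            alerts.append(("mass-post", path, sorted(domains)))
    return alerts
```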
28. Noproblemslove.com, whoismistergreen.com, etc...
● Bot Infection: Drive-By-HTTP
● Payload and intermediate malware domains: normal / DynDNS
● Distributed via: compromised web-sites.
● C&C domains: normal.
● C&C and Malware domains located on different ASes. Sophisticated attack scheme. Timeout before activity.
● Typical bot activity: Mass HTTP Post
30. Interesting domains from range 184.82.149.178-184.82.149.180 (Feb 2012)
Domain Name IP
www.google-analylics.com 184.82.149.179
google-anatylics.com 184.82.149.178
www.google-analitycs.com 184.82.149.180
webmaster-google.ru 184.82.149.178
paged2.googlesyndlcation.com 184.82.149.179
googlefilter.ru 184.82.149.179
rambler-analytics.ru 184.82.149.179
site-yandex.net 184.82.149.180
www.yandex-analytics.ru 184.82.149.178
googles.4pu.com 184.82.149.178
googleapis.www1.biz 184.82.149.178
syn1-adriver.ru 184.82.149.178
31. Hoster range and AS
www.google-analylics.com looks good, BUT Google, Rambler and Yandex together on 184.82.149.176/29?
Hoster range and autonomous system (AS) are useful when you analyze suspicious events.
34. What's common
Domain                IP address                           Created     Registrant
whoismistergreen.com  213.5.68.105                         2011-07-26  JOHN ABRAHAM, ul. Dubois 119, Lodz
noproblemslove.com    213.5.68.105                         2011-12-07  Whois Privacy Protection Service (Whois Agent, gmvjcxkxhs@whoisservices.cn)
patr1ckjane.com       was 176.65.166.28, now 213.5.68.105  2011-07-21  patrick jane, ul. Dubois 119, Lodz
noproblemsbro.com     176.65.166.28                        2011-12-07  Whois Privacy Protection Service (Whois Agent, gmvjcxkxhs@whoisservices.cn)
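The cross-correlation the deck applies on slides 30 through 34 (shared /29 hosting range, registrant address, contact e-mail, and misspellings of brand names), as an added Python example that is not the authors' code; the record fields, the /29 width and the brand list are assumptions, and the records are constructed from the slides' tables.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed records echoing the deck's WHOIS and hosting tables; field names are assumptions
RECORDS = [
    {"domain": "whoismistergreen.com", "ip": "213.5.68.105", "address": "ul. Dubois 119, Lodz", "email": None},
    {"domain": "patr1ckjane.com", "ip": "213.5.68.105", "address": "ul. Dubois 119, Lodz", "email": None},
    {"domain": "noproblemslove.com", "ip": "213.5.68.105", "address": None, "email": "gmvjcxkxhs@whoisservices.cn"},
    {"domain": "noproblemsbro.com", "ip": "176.65.166.28", "address": None, "email": "gmvjcxkxhs@whoisservices.cn"},
    {"domain": "www.google-analylics.com", "ip": "184.82.149.179", "address": None, "email": None},
    {"domain": "site-yandex.net", "ip": "184.82.149.180", "address": None, "email": None},
    {"domain": "www.example.com", "ip": "198.51.100.7", "address": None, "email": None},
]
BRANDS = ["google-analytics.com", "googlesyndication.com", "yandex.ru"]  # legitimate names being imitated

def pivot(records, prefixlen=29):
    """Group domains that share a registrant address, contact e-mail or hosting /prefixlen."""
    index = defaultdict(set)
    for r in records:
        for key in ("address", "email"):
            if r[key]:
                index[(key, r[key])].add(r["domain"])
        net = ip_network(f"{r['ip']}/{prefixlen}", strict=False)
        index[("net", str(net))].add(r["domain"])
    return {k: sorted(v) for k, v in index.items() if len(v) > 1}  # keep only shared attributes

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character brand misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_of(domain, brands=BRANDS, max_dist=2):
    """Brand a domain imitates (edit distance <= max_dist after dropping 'www.'), else None."""
    name = domain.lower()
    name = name[4:] if name.startswith("www.") else name
    for brand in brands:
        if name != brand and edit_distance(name, brand) <= max_dist:
            return brand
    return None
```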
35. Detection during infection and by post-infection activity
● Infection: executable transfer from just registered or Dyn-DNS domains, like fx58.ddns.us
● Updates: application/octet-stream bulk data load from C&C
● Post-infection activity: Mass HTTP Post to seemingly normal domains, e.g. noproblemslove.com, whoismistergreen.com, etc...
38. Cross-correlation data sources
● WHOIS (including team cymru whois)
● Our own DNS index, also talking to ISC about possibilities of data swaps
● Sandbox farm (mainly to detect compromised websites automagically and study behavior)
● Public “malicious IP address” databases.
● Public reputation (i.e. ToS) databases.
● (still work in progress)
39. Detection
● Manual and Automated
● Automated detection is largely based on analysis of network traffic:
● Anomaly detection
● Pattern-based analysis
● Signatures (snort!)
● Traffic profiling (DNS traffic profiling, HTTP traffic profiling etc)
40. Detection
● Detecting malicious botnet activity is very popular in academia (interesting problem).
● In our research we do not claim extreme novelty but rather will demonstrate our experience and a few practical solutions that seem to work :-)
42. Detection: interesting bits
● Botnet detection evolved from a pattern-based approach (hardcoded bot CMD patterns, captured with snort) to a complex field of generic detection of automated “call-back” communication channels.
43. Detection
● Different “callback” methods, as seen in the wild, possess interesting properties, such as:
● Large number of failed DNS requests
● Large number of DNS requests for IP addresses which are offline
● Connection attempts to mostly dead IP addresses
● Traffic pattern (differs from regular browsing)
44. Cat and mouse game
● Of course all of this is easy to evade, once you know the method. But security is always a 'cat-n-mouse' game ;-)
45. Detection
● Detecting botnet activities by analyzing DNS traffic
● Analyzing DNS names (dictionary comparison, alphanumeric characters, detection of “generated” domain names (similarities/patterns))
● Analyzing failed DNS queries
● DNS “ranking” (based on whois information)
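The DNS-side heuristics of slides 43 and 45 (random-looking names, failed lookups), as an added Python example that is not part of the deck's toolset: the generated-domain score, its feature weights and the tiny word list are assumptions, and the DNS log is constructed.

```python
import re
from collections import defaultdict

# Tiny constructed word list standing in for a real dictionary (assumption)
WORDS = {"no", "problems", "love", "who", "is", "mister", "green"}
VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")

def label_of(qname):
    """Second-level label; assumes a one-label TLD (DynDNS hosts need a suffix list)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dictionary_coverage(label):
    """Fraction of the label covered by dictionary words (greedy longest match)."""
    i, covered = 0, 0
    while i < len(label):
        match = max((w for w in WORDS if label.startswith(w, i)), key=len, default="")
        covered += len(match)
        i += len(match) or 1
    return covered / len(label) if label else 0.0

def generated_score(qname):
    """Heuristic 0..1 score; high for random-looking labels such as eksyghskgsbakrys."""
    lbl = label_of(qname)
    letters = [c for c in lbl if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in lbl) / len(lbl)
    longest_run = max((len(m) for m in CONSONANT_RUN.findall(lbl)), default=0)
    score = 0.3 * (1.0 - dictionary_coverage(lbl))  # no readable words
    score += 0.3 if vowel_ratio < 0.25 else 0.0      # few vowels
    score += 0.2 if digit_ratio > 0.1 else 0.0       # digits mixed into letters
    score += 0.2 if longest_run >= 5 else 0.0        # unpronounceable consonant runs
    score += 0.1 if len(lbl) >= 12 else 0.0          # long labels
    return round(min(score, 1.0), 2)

def client_profile(dns_log, score_threshold=0.5):
    """client -> (NXDOMAIN fraction, number of random-looking names queried)."""
    total, failed, hits = defaultdict(int), defaultdict(int), defaultdict(int)
    for client, qname, rcode in dns_log:
        total[client] += 1
        failed[client] += rcode == "NXDOMAIN"
        hits[client] += generated_score(qname) >= score_threshold
    return {c: (round(failed[c] / total[c], 2), hits[c]) for c in total}

# Constructed DNS log (client, qname, rcode), not taken from the deck's sensors
DNS_LOG = [("10.0.0.5", "eksyghskgsbakrys.com", "NXDOMAIN"), ("10.0.0.5", "rugtif.be", "NOERROR"),
           ("10.0.0.5", "n87e0wfoghoucjfe0id.org", "NXDOMAIN"), ("10.0.0.5", "hander.be", "NOERROR"),
           ("10.0.0.7", "noproblemslove.com", "NOERROR"), ("10.0.0.7", "whoismistergreen.com", "NOERROR")]
```

A client with a high failure fraction and several high-scoring names is the "callback" profile the slides describe; the thresholds are tuning knobs, not fixed values.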
49. Detection
● Further step: cross-correlation to domain names which have the same WHOIS attributes
● Sandboxing (we use a modified version of cuckoosandbox, with user event simulation, not perfect but works)
● Challenges:
– Simulate complex user behavior (mouse movements)
– Simulate complex user browsing pattern (visiting X with search engine (image?) as referer)
51. Detection (visualization)
● Parallel coordinates (also see recent talk by Alexandre Dulaunoy from CIRCL.LU and Sebastien Tricaud from Picviz Labs at CanSecWest)
52. Detection
● (demos, let's look at some videos :)
53. Conclusions
● Detection is still trivial, but keep your methods “private” ;-)
● Detecting 'advanced' botnets (name your favourite traffic profiling evasion method!) is out of the question here, unless this becomes widespread
● Cat and mouse game is still fun! ;-)
54. Tips and recommendations
● For infected machines: boot from clean media and periodically do OFFLINE AV checking
● Monitor network traffic for any unusual activity
● Default-deny firewall policies + block any active executable content
55. questions
● Contact us at:
● fygrave@gmail.com
● vladimir.b.kropotov@gmail.com
● http://github.com/fygrave/dnslyzer for some code