This document provides an overview and agenda for the Elastic Tour 2018 conference. It introduces the speaker, Cyb3rWard0g, and outlines their background and expertise in threat hunting. The agenda covers topics like threat hunting techniques and data, the role of threat hunters, integrating threat hunting with SIEMs, and pre-hunt activities. It also introduces HELK, an open source project that extends the Elastic Stack with advanced analytics capabilities to empower threat hunters. Key components of HELK include Apache Spark, Elasticsearch, and Jupyter notebooks. The document discusses how these tools can help with tasks like threat modeling, data analysis, and developing threat hunting playbooks. It concludes by discussing potential future directions for the HELK
Adversary emulation involves leveraging your Red Teams to use real world adversary tactics, techniques and procedures (TTPs), alongside attack frameworks such as MITRE ATT&CK to: Identify control gaps (and weaknesses); Validate your monitoring, detection and response capabilities; Prioritising your security investments towards mitigating any shortcoming that may be observed using this approach.
Threat hunting - Every day is hunting seasonBen Boyd
Breakout Presentation by Ben Boyd during the 2018 Nebraska Cybersecurity Conference.
Introduction to Threat Hunting and helpful steps for building a Threat Hunting Program of any size, from small to massive.
"Cyberhunting" actively looks for signs of compromise within an organization and seeks to control and minimize the overall damage. These rare, but essential, breed of enterprise cyber defenders give proactive security a whole new meaning.
Check out the accompanying webinar: http://www.hosting.com/resources/webinars/?commid=228353
Adversary emulation involves leveraging your Red Teams to use real world adversary tactics, techniques and procedures (TTPs), alongside attack frameworks such as MITRE ATT&CK to: Identify control gaps (and weaknesses); Validate your monitoring, detection and response capabilities; Prioritising your security investments towards mitigating any shortcoming that may be observed using this approach.
Threat hunting - Every day is hunting seasonBen Boyd
Breakout Presentation by Ben Boyd during the 2018 Nebraska Cybersecurity Conference.
Introduction to Threat Hunting and helpful steps for building a Threat Hunting Program of any size, from small to massive.
"Cyberhunting" actively looks for signs of compromise within an organization and seeks to control and minimize the overall damage. These rare, but essential, breed of enterprise cyber defenders give proactive security a whole new meaning.
Check out the accompanying webinar: http://www.hosting.com/resources/webinars/?commid=228353
https://www.enoinstitute.com/training-tutorials-courses/cyber-threat-hunting-training-ccthp/ Learn how to find, assess, and remove threats from your organization in our Certified Cyber Threat Hunting Training (CCTHP) designed to prepare you for the Certified Cyber Threat Hunting Professional (CCTHP) exam.
In this Cyber Threat Hunting Training (CCTHP) course, we will deep dive into “Threat hunting” and searching for threats and mitigate before the bad guy pounce. And we will craft a series of attacks to check Enterprise security level and hunt for threats. An efficient Threat hunting approach towards Network, Web, Cloud, IoT Devices, Command & Control Channel(c2), Web shell, memory, OS, which will help you to gain a new level of knowledge and carry out all tasks with complete hands-on.
RESOURCES:
Cyber Threat Hunting Training: Cyber Threat Hunting A Complete Guide – 2020 Edition By Gerardus Blokdyk/vitalsource.com
Cyber Threat Hunting Training: Cyber Threat Hunting A Complete Guide – 2019 Edition By: Gerardus Blokdyk/vitalsource.com
Cyber Threat Hunting Training: Hunting Cyber Criminals: A Hacker’s Guide to Online Intelligence Gathering Tools and Techniques 1st Edition by Vinny Troia/Amazon.com
Cyber Threat Hunting Training: Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer by Muniz Joseph and Lakhani Aamir/Amazon.com
CUSTOMIZE It:
We can adapt this Cyber Threat Hunting Training (CCTHP) course to your group’s background and work requirements at little to no added cost.
If you are familiar with some aspects of this Cyber Threat Hunting (CCTHP) course, we can omit or shorten their discussion.
We can adjust the emphasis placed on the various topics or build the Cyber Threat Hunting Training (CCTHP) around the mix of technologies of interest to you (including technologies other than those included in this outline).
If your background is nontechnical, we can exclude the more technical topics, include the topics that may be of special interest to you (e.g., as a manager or policy-maker), and present the Cyber Threat Hunting Training (CCTHP) course in manner understandable to lay audiences.
Hunting for APT in network logs workshop presentationOlehLevytskyi1
Nonamecon 2021 presentation.
Network logs are one of the most efficient sources to hunt adversaries, but building good analytics capabilities require a deep understanding of benign activity and attacker behavior. This training focuses on detecting real-case attacks, tools and scenarios by the past year.
The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations.
Presentation topics:
- Netflow Mitre Matrix view
- Full packet captures vs Netflow
- Zeek
- Zeek packages
- RDP initial comprometation
- Empire Powershell and CobaltStrike or what to expect after initial loader execution.
- Empire powershell initial connection
- Beaconing. RITA
- Scanning detection
- Internal enumeration detection
- Lateral movement techniques widely used
- Kerberos attacks
- PSExec and fileless ways of delivering payloads in the network
- Zerologon detection
- Data exfiltration
- Data exfiltration over C2 channel
- Data exfiltration using time size limits (data chunks)
- DNS exfiltration
- Detecting ransomware in your network
- Real incident investigation
Authors:
Oleh Levytskyi (https://twitter.com/LeOleg97)
Bogdan Vennyk (https://twitter.com/bogdanvennyk)
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
From ATT&CKcon 3.0
By Jason Wood and Justin Swisher, CrowdStrike
When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.
Threat Hunting Procedures and Measurement MatriceVishal Kumar
This document will provide the basics of Cyber Threat Hunting and answers of some Q such as; What is Threat Hunting?, What is the Importance of Threat Hunting, and How it can be start....Bla..Bla..Bla...
In this three hour hands-on workshop you will play the role of Cyber Threat Intelligence, the red team, and the blue team. We have set up an isolated environment for each attendee to go through a Purple Team Exercise.
Attendees will:
- Consume Cyber Threat Intelligence from a known adversary
- Extract adversary behaviors/TTPs
- Play the Red Team by creating adversary emulation plans
- Emulate the adversary in a small environment consisting of a domain controller and member server
- Play the Blue Team and look for Indicators of Compromise
- Use Wireshark to identify heartbeat and jitter
- Enable Sysmon configurations to detect adversary behavior
- All mapped to MITRE ATT&CK
- Have FUN!
What do you need?
All you need is a web browser on a workstation/laptop (no iPads, sorry).
If you want to come better prepared, download and read the free Purple Team Exercise Framework (PTEF): https://scythe.io/ptef
How will it work?
We are using VMware learning platform to give everyone their own isolated environment. This means we need your real email upon registration so we can provision your environment before the start of the workshop.
Threat hunting and achieving security maturityDNIF
In this virtual meetup of DNIF KONNNECT (04.04.2019), where the growing DNIF community connects, interacts, shares and helps each other to grow and learn about the latest in threat hunting and many more...this time we have Mr. Ankit Panchal from NSDL who shall demonstrate an end to end demo of how you can achieve security maturity.
Learn more about DNIF KONNECT here - https://dnif.it/dnif-konnect.html
Learn more about DNIF KONNECT here - https://dnif.it/dnif-konnect.html
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
View webinar: "Cyber Threat Hunting: Identify and Hunt Down Intruders": https://www2.infosecinstitute.com/l/12882/2018-11-29/b9gwfd
View companion webinar:
"Red Team Operations: Attack and Think Like a Criminal": https://www2.infosecinstitute.com/l/12882/2018-11-29/b9gw5q
Are you red team, blue team — or both? Get an inside look at the offensive and defensive sides of information security in our webinar series.
Senior Security Researcher and InfoSec Instructor Jeremy Martin discusses what it takes to be modern-day threat hunter during our webinar, Cyber Threat Hunting: Identify and Hunt Down Intruders.
The webinar covers:
- The job duties of a Cyber Threat Hunting professional
- Frameworks and strategies for Cyber Threat Hunting
- How to get started and progress your defensive security career
- And questions from live viewers!
Learn about InfoSec Institute's Cyber Threat Hunting couse here: https://www.infosecinstitute.com/courses/cyber-threat-hunting/
How to Hunt for Lateral Movement on Your NetworkSqrrl
Once inside your network, most cyber-attacks go sideways. They progressively move deeper into the network, laterally compromising other systems as they search for key assets and data. Would you spot this lateral movement on your enterprise network?
In this training session, we review the various techniques attackers use to spread through a network, which data sets you can use to reliably find them, and how data science techniques can be used to help automate the detection of lateral movement.
Talk on Kaspersky lab's CoLaboratory: Industrial Cybersecurity Meetup #5 with @HeirhabarovT about several ATT&CK practical use cases.
Video (in Russian): https://www.youtube.com/watch?v=ulUF9Sw2T7s&t=3078
Many thanks to Teymur for great tech dive
This presentation "Threat hunting on the wire" is part of a a series of courses on the subject of Threat Hunting. It covers command-line packet analysis, and network forensics.
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypothesis, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, there are only a few that are focusing primarily on the data that is currently being collected to drive the success of a hunt program.
This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...Mauricio Velazco
Demo 1: https://www.youtube.com/watch?v=cpnrCkj1308
Demo 2: https://www.youtube.com/watch?v=JmtjtiI3-fc
Demo 2 1/2: https://www.youtube.com/watch?v=KRdNbYbJSiI
Demo 3: https://www.youtube.com/watch?v=6gB-upKXTZ4
Automated adversary simulation is often perceived as a hard, dangerous and complicated program to implement and run. Fear no longer, our methodology and tooling will let you test and measure your defenses throughout your production environment to test not only your detection rule’s resilience but the whole event pipeline as well as your team’s response procedures. In this talk, we’ll share with the audience the open source tools we built and the methodology we use that will allow them to hit the ground running at nearly no cost.
https://www.enoinstitute.com/training-tutorials-courses/cyber-threat-hunting-training-ccthp/ Learn how to find, assess, and remove threats from your organization in our Certified Cyber Threat Hunting Training (CCTHP) designed to prepare you for the Certified Cyber Threat Hunting Professional (CCTHP) exam.
In this Cyber Threat Hunting Training (CCTHP) course, we will deep dive into “Threat hunting” and searching for threats and mitigate before the bad guy pounce. And we will craft a series of attacks to check Enterprise security level and hunt for threats. An efficient Threat hunting approach towards Network, Web, Cloud, IoT Devices, Command & Control Channel(c2), Web shell, memory, OS, which will help you to gain a new level of knowledge and carry out all tasks with complete hands-on.
RESOURCES:
Cyber Threat Hunting Training: Cyber Threat Hunting A Complete Guide – 2020 Edition By Gerardus Blokdyk/vitalsource.com
Cyber Threat Hunting Training: Cyber Threat Hunting A Complete Guide – 2019 Edition By: Gerardus Blokdyk/vitalsource.com
Cyber Threat Hunting Training: Hunting Cyber Criminals: A Hacker’s Guide to Online Intelligence Gathering Tools and Techniques 1st Edition by Vinny Troia/Amazon.com
Cyber Threat Hunting Training: Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer by Muniz Joseph and Lakhani Aamir/Amazon.com
CUSTOMIZE It:
We can adapt this Cyber Threat Hunting Training (CCTHP) course to your group’s background and work requirements at little to no added cost.
If you are familiar with some aspects of this Cyber Threat Hunting (CCTHP) course, we can omit or shorten their discussion.
We can adjust the emphasis placed on the various topics or build the Cyber Threat Hunting Training (CCTHP) around the mix of technologies of interest to you (including technologies other than those included in this outline).
If your background is nontechnical, we can exclude the more technical topics, include the topics that may be of special interest to you (e.g., as a manager or policy-maker), and present the Cyber Threat Hunting Training (CCTHP) course in manner understandable to lay audiences.
Hunting for APT in network logs workshop presentationOlehLevytskyi1
Nonamecon 2021 presentation.
Network logs are one of the most efficient sources to hunt adversaries, but building good analytics capabilities require a deep understanding of benign activity and attacker behavior. This training focuses on detecting real-case attacks, tools and scenarios by the past year.
The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations.
Presentation topics:
- Netflow Mitre Matrix view
- Full packet captures vs Netflow
- Zeek
- Zeek packages
- RDP initial comprometation
- Empire Powershell and CobaltStrike or what to expect after initial loader execution.
- Empire powershell initial connection
- Beaconing. RITA
- Scanning detection
- Internal enumeration detection
- Lateral movement techniques widely used
- Kerberos attacks
- PSExec and fileless ways of delivering payloads in the network
- Zerologon detection
- Data exfiltration
- Data exfiltration over C2 channel
- Data exfiltration using time size limits (data chunks)
- DNS exfiltration
- Detecting ransomware in your network
- Real incident investigation
Authors:
Oleh Levytskyi (https://twitter.com/LeOleg97)
Bogdan Vennyk (https://twitter.com/bogdanvennyk)
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
From ATT&CKcon 3.0
By Jason Wood and Justin Swisher, CrowdStrike
When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.
Threat Hunting Procedures and Measurement MatriceVishal Kumar
This document will provide the basics of Cyber Threat Hunting and answers of some Q such as; What is Threat Hunting?, What is the Importance of Threat Hunting, and How it can be start....Bla..Bla..Bla...
In this three hour hands-on workshop you will play the role of Cyber Threat Intelligence, the red team, and the blue team. We have set up an isolated environment for each attendee to go through a Purple Team Exercise.
Attendees will:
- Consume Cyber Threat Intelligence from a known adversary
- Extract adversary behaviors/TTPs
- Play the Red Team by creating adversary emulation plans
- Emulate the adversary in a small environment consisting of a domain controller and member server
- Play the Blue Team and look for Indicators of Compromise
- Use Wireshark to identify heartbeat and jitter
- Enable Sysmon configurations to detect adversary behavior
- All mapped to MITRE ATT&CK
- Have FUN!
What do you need?
All you need is a web browser on a workstation/laptop (no iPads, sorry).
If you want to come better prepared, download and read the free Purple Team Exercise Framework (PTEF): https://scythe.io/ptef
How will it work?
We are using VMware learning platform to give everyone their own isolated environment. This means we need your real email upon registration so we can provision your environment before the start of the workshop.
Threat hunting and achieving security maturityDNIF
In this virtual meetup of DNIF KONNNECT (04.04.2019), where the growing DNIF community connects, interacts, shares and helps each other to grow and learn about the latest in threat hunting and many more...this time we have Mr. Ankit Panchal from NSDL who shall demonstrate an end to end demo of how you can achieve security maturity.
Learn more about DNIF KONNECT here - https://dnif.it/dnif-konnect.html
Learn more about DNIF KONNECT here - https://dnif.it/dnif-konnect.html
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
View webinar: "Cyber Threat Hunting: Identify and Hunt Down Intruders": https://www2.infosecinstitute.com/l/12882/2018-11-29/b9gwfd
View companion webinar:
"Red Team Operations: Attack and Think Like a Criminal": https://www2.infosecinstitute.com/l/12882/2018-11-29/b9gw5q
Are you red team, blue team — or both? Get an inside look at the offensive and defensive sides of information security in our webinar series.
Senior Security Researcher and InfoSec Instructor Jeremy Martin discusses what it takes to be modern-day threat hunter during our webinar, Cyber Threat Hunting: Identify and Hunt Down Intruders.
The webinar covers:
- The job duties of a Cyber Threat Hunting professional
- Frameworks and strategies for Cyber Threat Hunting
- How to get started and progress your defensive security career
- And questions from live viewers!
Learn about InfoSec Institute's Cyber Threat Hunting couse here: https://www.infosecinstitute.com/courses/cyber-threat-hunting/
How to Hunt for Lateral Movement on Your NetworkSqrrl
Once inside your network, most cyber-attacks go sideways. They progressively move deeper into the network, laterally compromising other systems as they search for key assets and data. Would you spot this lateral movement on your enterprise network?
In this training session, we review the various techniques attackers use to spread through a network, which data sets you can use to reliably find them, and how data science techniques can be used to help automate the detection of lateral movement.
Talk on Kaspersky lab's CoLaboratory: Industrial Cybersecurity Meetup #5 with @HeirhabarovT about several ATT&CK practical use cases.
Video (in Russian): https://www.youtube.com/watch?v=ulUF9Sw2T7s&t=3078
Many thanks to Teymur for great tech dive
This presentation "Threat hunting on the wire" is part of a a series of courses on the subject of Threat Hunting. It covers command-line packet analysis, and network forensics.
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypothesis, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, there are only a few that are focusing primarily on the data that is currently being collected to drive the success of a hunt program.
This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...Mauricio Velazco
Demo 1: https://www.youtube.com/watch?v=cpnrCkj1308
Demo 2: https://www.youtube.com/watch?v=JmtjtiI3-fc
Demo 2 1/2: https://www.youtube.com/watch?v=KRdNbYbJSiI
Demo 3: https://www.youtube.com/watch?v=6gB-upKXTZ4
Automated adversary simulation is often perceived as a hard, dangerous and complicated program to implement and run. Fear no longer, our methodology and tooling will let you test and measure your defenses throughout your production environment to test not only your detection rule’s resilience but the whole event pipeline as well as your team’s response procedures. In this talk, we’ll share with the audience the open source tools we built and the methodology we use that will allow them to hit the ground running at nearly no cost.
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
Speakers: Ashley Shen, Steve Su
This is a threat hunting and campaign tracking 101 workshop Ashley Shen (Google) and Steve (FireEye) prepared for the HITCON 2020 CTI Village. In this presentation we share the threat hunting concept with some basic techniques and explain the process and guidance for campaign tracking. The presentation was only 65 mins so we couldn't covered everything. However through this talk we hope to share our experience and insight to the beginners.
This presentation was delivered at SkyDogCon 6 in October 2016. The A/V is available here: https://www.youtube.com/watch?list=PLLEf-wPc7Tyae19iTuzKOXmPj-IQBIWuU&v=mKxGulV2Z74
It is an updated version of the original deck presented at BSides Augusta 2016 - Added original content including information on use cases and added definition/clarity.
Abstract:
"We can all agree that threat ("Evil") detection is an essential component of a functioning security monitoring program. Let's start thinking about how to take our tradecraft to the next level and hunt for insecure conditions ("Ways for Evil to do Evil things") that might allow threat actors to succeed in their mission.
This talk will run through some of the observations gathered during hunting expeditions inside the networks of multiple Fortune-ranked organizations and challenge you to expand your security operations thinking beyond signature-based detection.
- What is Hunting?
- How have we done it?
- What have we found, and what should be done about those findings?
- How might you achieve similar outcomes in your own environment?"
Speakers:
- Jacqueline Stokes (@find_evil) is an infosec enthusiast who picked up hacking as a preteen and cut her teeth over multiple years in Iraq. Her ongoing mission is to assess and advise clients on the most actionable and forward-thinking methods to improve detection, response, and containment of advanced threats. Jackie likes long walks on the beach, 90's nostalgia, and is the president and founding member of the Kevin Mandia Fan Club.
AI on Spark for Malware Analysis and Anomalous Threat DetectionDatabricks
At Avast, we believe everyone has the right to be safe. We are dedicated to creating a world that provides safety and privacy for all, not matter where you are, who you are, or how you connect. With over 1.5 billion attacks stopped and 30 million new executable files monthly, big data pipelines are crucial for the security of our customers. At Avast we are leveraging Apache Spark machine learning libraries and TensorflowOnSpark for a variety of tasks ranging from marketing and advertisement, through network security to malware detection. This talk will cover our main cybersecurity usecases of Spark. After describing our cluster environment we will first demonstrate anomaly detection on time series of threats. Having thousands of types of attacks and malware, AI helps human analysts select and focus on most urgent or dire threats. We will walk through our setup for distributed training of deep neural networks with Tensorflow to deploying and monitoring of a streaming anomaly detection application with trained model. Next we will show how we use Spark for analysis and clustering of malicious files and large scale experimentation to automatically process and handle changes in malware. In the end, we will give comparison to other tools we used for solving those problems.
Empowering red and blue teams with osint c0c0n 2017reconvillage
This talk will discuss Open Source Intelligence (OSINT) gathering tools and techniques that are highly useful and effective for both Blue teams and Red teams.
Agile development of data science projects | Part 1 Anubhav Dhiman
Broadly data science encompasses quantitative research, advanced analytics, predictive modelling and machine learning.
How reliably and sustainably can data science team deliver value for organizations?
Data Science Readiness Levels
How to make collaboration easier across organization?
The extent and impact of recent security breaches is showing that current security approaches are just not working. But what can we do to protect our business? We have been advocating monitoring for a long time as a way to detect subtle, advanced attacks that are still making it through our defenses. However, products have failed to deliver on this promise.
Current solutions don't scale in both data volume and analytical insights. In this presentation we will explore what security monitoring is. Specifically, we are going to explore the question of how to visualize a billion log records. A number of security visualization examples will illustrate some of the challenges with big data visualization. They will also help illustrate how data mining and user experience design help us get a handle on the security visualization challenges - enabling us to gain deep insight for a number of security use-cases.
Machine Learning for (DF)IR with Velociraptor: From Setting Expectations to a...Chris Hammerschmidt
achine Learning for DFIR with Velociraptor: From Setting Expectations to a Case Study
By Christian Hammerschmidt, PhD - Head of Engineering/ML, APTA Technologies
Machine learning (ML) or artificial intelligence (AI) often comes with great promise and large marketing budgets for cybersecurity, especially in monitoring (such as EDR/XDR solutions). Post-breach, it often turns out that the actual performance falls short of its promises.
In this talk, we’ll briefly look at ML for DFIR: What tasks can ML solve, generally speaking? What requirements do we have for a useful ML system in cybersecurity/DFIR contexts, such as reliability, robustness to attackers, and explainability? What makes ML difficult to apply in cybersecurity, e.g. when thinking about false alerts or attackers attempting to circumvent automated systems?
After discussing the basics, we look at ML for velociraptor:
How can we process forensic data collected with VQL using machine learning (with a typical Python/Jupyter/scikit-learn/PyTorch stack)?
And how can we build artifacts that run ML directly on each endpoint, avoiding central data collection?
The talk concludes with a case study, showing how we significantly reduced time to analyze EVTX files in incident response cases, saving thousands of USD in costs and reducing time to resolution.
Bio: Chris Hammerschmidt did his PhD research on machine learning methods for reverse engineering software systems. Now, he’s heading APTA Technologies, a start-up building machine learning tools to understand software behavior .
Affiliation: APTA Technologies, https://apta.tech
Applied Data Science: Building a Beer Recommender | Data Science MD - Oct 2014Austin Ogilvie
Applied Data Science: Building a Beer Recommender | Data Science MD - Oct 2014
-----------
Slides from a talk by Greg Lamp, CTO of Yhat, about building recommendation systems using Python and deploying them to production.
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Danny Akacki
We can all agree that threat detection is an essential component of a functioning security monitoring program. Let's start thinking about how to take our tradecraft to the next level and hunt for ways for evil to do evil things. This talk will run through some of the observations gathered during hunting expeditions inside the networks of multiple Fortune ranked organizations. We hope to challenge you to expand your security operations, moving beyond traditional signature based detection.
How to make the agile team work with security requirements? To get secure coding practices into agile development is often hard work. A security functional requirement might be included in the sprint, but to get secure testing, secure architecture and feedback of security incidents working is not an easy talk for many agile teams. In my role as Scrum Master and security consultant I have developed a recipe of 7 steps that I will present to you. Where we will talk about agile secure development, agile threat modelling, agile security testing and agile workflows with security. Many of the steps can be made without costly tools, and I will present open source alternatives for all steps. This to make a test easier and to get a lower startup of your teams security process.
Amundsen: From discovering to security datamarkgrover
Hear about how Lyft and Square are solving data discovery and data security challenges using a shared open source project - Amundsen.
Talk details and abstract:
https://www.datacouncil.ai/talks/amundsen-from-discovering-data-to-securing-data
OSINT for Proactive Defense - RootConf 2019RedHunt Labs
A presentation about using Open Source Intelligence for proactive defense delivered at Rootconf 2019 Bangalore, India.
RedHunt Labs
https://redhuntlabs.com/
Monitoring Big Data Systems - "The Simple Way"Demi Ben-Ari
Once you start working with distributed Big Data systems, you start discovering a whole bunch of problems you won’t find in monolithic systems.
All of a sudden to monitor all of the components becomes a big data problem itself.
In the talk we’ll mention all of the aspects that you should take in consideration when monitoring a distributed system once you’re using tools like:
Web Services, Apache Spark, Cassandra, MongoDB, Amazon Web Services.
Not only the tools, what should you monitor about the actual data that flows in the system?
And we’ll cover the simplest solution with your day to day open source tools, the surprising thing, that it comes not from an Ops Guy.
Demi Ben-Ari is a Co-Founder and CTO @ Panorays.
Demi has over 9 years of experience in building various systems both from the field of near real time applications and Big Data distributed systems.
Describing himself as a software development groupie, Interested in tackling cutting edge technologies.
Demi is also a co-founder of the “Big Things” Big Data community: http://somebigthings.com/big-things-intro/
My talk in GDG DEvFest Hellas 2020:
"Automated Machine Learning in 2020"
An Overview of available techniques and tools to help you to automate the process of building Machine Learning pipelines, using Auto ML tools.
Google Cloud Platform case study based on Tables Auto ML functionality using the Numerai dataset.
Similar to Threat Hunting with Elastic at SpectorOps: Welcome to HELK (20)
An introduction to Elasticsearch's advanced relevance ranking toolboxElasticsearch
The hallmark of a great search experience is always delivering the most relevant results, quickly, to every user. The difficulty lies behind the scenes in making that happen elegantly and at a scale. From App Search’s intuitive drag and drop interface to the advanced relevance capabilities built into the core of Elasticsearch — Elastic offers a range of tools for developers to tune relevance ranking and create incredible search experiences. In this session, we’ll explore some of Elasticsearch’s advanced relevance ranking features, such as dense vector fields, BM25F, ranking evaluation, and more. Plus we’ll give you some ideas for how these features are being used by other Elastic users to create world-class, category defining search experiences.
Eze Castle Integration is a managed service provider (MSP), cloud service provider (CSP), and internet service provider (ISP) that delivers services to more than 1,000 clients around the world. Different departments within Eze Castle have devised their own log aggregation solutions in order to provide visibility, meet regulatory compliance requirements, conduct cybersecurity investigations, and help engineers with troubleshooting infrastructure issues. In 2019, they partnered with Elastic to consolidate the data generated from different systems into a single pane of glass. And thanks to the ease of deployment on Elastic Cloud, professional consultation services from Elastic engineers, and on-demand training courses available on Elastic Learning, Eze Castle was able to go from proof-of-concept to a fully functioning ""Eze Managed SIEM"" product within a month!
Learn about Eze Castle's journey with Elastic and how they grew Eze Managed SIEM from zero to 100 customers In less than 14 months.
Cómo crear excelentes experiencias de búsqueda en sitios webElasticsearch
Descubre lo fácil que es crear búsquedas relevantes y enriquecidas en sitios web de cara al público para impulsar las conversiones, incrementar el consumo de contenido y ayudar a los visitantes a encontrar lo que necesitan. Realiza un recorrido por las herramientas de Elastic a las que puedes sacar partido para transformar con facilidad tu sitio web, lo que incluye nuestro nuevo y potente rastreador web.
Te damos la bienvenida a una nueva forma de realizar búsquedas Elasticsearch
Al igual que la mayoría de las organizaciones modernas, tus equipos probablemente usan más de 10 aplicaciones basadas en la nube a diario, pero dedican demasiado tiempo a buscar la información que necesitan en todas estas. Gracias a las características integradas de Elastic Workplace Search, podrás comprobar lo sencillo que resulta poner el contenido relevante al alcance de tus equipos gracias a la búsqueda unificada para todas las aplicaciones que usan para llevar a cabo su trabajo.
Tirez pleinement parti d'Elastic grâce à Elastic CloudElasticsearch
Découvrez pourquoi Elastic Cloud est la solution idéale pour exploiter toutes les offres d'Elastic. Bénéficiez d'une flexibilité d'achat et de déploiement au sein de Google Cloud, de Microsoft Azure, d'Amazon Web Services ou des trois à la fois. Apprenez quels avantages vous apporte une offre de service géré et déterminez la solution qui vous permet de la gérer par vous-même grâce à des outils intégrés d'automatisation et d'orchestration. Et ce n'est pas tout ! Familiarisez-vous avec les fonctionnalités qui peuvent vous aider à scaler vos opérations au fur et à mesure de l'évolution de votre déploiement, à stocker vos données d'une manière rentable et à optimiser vos recherches. Ainsi, vous n'aurez plus à abandonner de données et obtiendrez les informations exploitables dont vous avez besoin pour assurer le fonctionnement de votre entreprise.
Comment transformer vos données en informations exploitablesElasticsearch
Découvrez des fonctionnalités stratégiques de la Suite Elastic, notamment Elasticsearch, un moteur de données incomparable, et Kibana, véritable fenêtre ouverte sur la Suite Elastic.
Dans cette session, vous apprendrez à :
injecter des données dans la Suite Elastic ;
stocker des données ;
analyser des données ;
exploiter des données.
Plongez au cœur de la recherche dans tous ses états.Elasticsearch
À l'instar de la plupart des entreprises modernes, vos équipes utilisent probablement plus de 10 applications hébergées dans le cloud chaque jour, mais passent aussi bien trop de temps à chercher les informations dont elles ont besoin dans ces outils. Grâce aux fonctionnalités prêtes à l'emploi d'Elastic Workplace Search, découvrez combien il est facile de mettre le contenu pertinent à portée de la main de vos équipes grâce à une recherche unifiée sur l'ensemble des applications qu'elles utilisent pour faire leur travail.
Modernising One Legal Se@rch with Elastic Enterprise Search [Customer Story]Elasticsearch
Knowledge management needs in the legal sector, why Linklaters decided to move away from its legacy KM search engine, Kin+Carta's management of the migration process, and how the switch revitalised a well-established system and opened up new possibilities for its future development.
An introduction to Elasticsearch's advanced relevance ranking toolboxElasticsearch
The hallmark of a great search experience is always delivering the most relevant results, quickly, to every user. The difficulty lies behind the scenes in making that happen elegantly and at a scale. From App Search’s intuitive drag and drop interface to the advanced relevance capabilities built into the core of Elasticsearch — Elastic offers a range of tools for developers to tune relevance ranking and create incredible search experiences. In this session, we’ll explore some of Elasticsearch’s advanced relevance ranking features, such as dense vector fields, BM25F, ranking evaluation, and more. Plus we’ll give you some ideas for how these features are being used by other Elastic users to create world-class, category defining search experiences.
Like most modern organizations, your teams are likely using upwards of 10 cloud-based applications on a daily basis, but spending far too many hours a day searching for the information they need across all of them. With the out-of-the-box capabilities of Elastic Workplace Search, see how easy it is to put relevant content right at your teams’ fingertips with unified search across all the apps they rely on to get work done.
Building great website search experiencesElasticsearch
Discover how easy it is to create rich, relevant search on public facing websites that drives conversion, increases content consumption, and helps visitors find what they need. Get a tour of the Elastic tools you can leverage to easily transform your website, including our powerful new web crawler.
Keynote: Harnessing the power of Elasticsearch for simplified searchElasticsearch
Get an overview of the innovation Elastic is bringing to the Enterprise Search landscape, and learn how you can harness these capabilities across your technology landscape to make the power of search work for you.
Cómo transformar los datos en análisis con los que tomar decisionesElasticsearch
Descubre las áreas de características estratégicas de Elastic Stack: Elasticsearch, un motor de datos inigualable y Kibana, la ventana que da acceso a Elastic Stack.
En la sesión hablaremos sobre:
Cómo incorporar datos a Elastic Stack
Almacenamiento de datos
Análisis de los datos
Actuar en función de los datos
Explore relève les défis Big Data avec Elastic Cloud Elasticsearch
Spécialisée dans le développement et la gestion de solutions de veille documentaire et commerciale, Explore offre à ses clients une lecture précise et organisée de l’actualités des marchés et projets sur leurs territoires d'intervention. Afin de rendre leur offre plus agile et performante, Explore a choisi l’offre Elastic Cloud hébergée sur Microsoft Azure. Découvrez comment les équipes de production et de développement sont désormais en mesure de mieux exploiter les données pour les clients d’Explore et gagnent du temps sur la gestion de leur infrastructure.
Comment transformer vos données en informations exploitablesElasticsearch
Découvrez des fonctionnalités stratégiques de la Suite Elastic, notamment Elasticsearch, un moteur de données incomparable, et Kibana, véritable fenêtre ouverte sur la Suite Elastic.
Dans cette session, vous apprendrez à :
injecter des données dans la Suite Elastic ;
stocker des données ;
analyser des données ;
exploiter des données.
Transforming data into actionable insightsElasticsearch
Learn about the strategic feature areas of the Elastic Stack—Elasticsearch, a data engine like no other, and Kibana, the window into the Elastic Stack.
The session will cover:
Bringing data into the Elastic Stack
Storing data
Analyzing data
Acting on data
"Elastic enables the world’s leading organization to exceed their business objectives and power their mission-critical systems by eliminating data silos, connecting the dots, and transforming data of all types into actionable insights.
Come learn how the power of search can help you quickly surface relevant insights at scale. Whether you are an executive looking to reduce operational costs, a department head striving to do more with fewer tools, or engineer monitoring and protecting your IT environment, this session is for you. "
Empowering agencies using Elastic as a Service inside GovernmentElasticsearch
It has now been four years since the beta release of Elastic Cloud Enterprise which kicked off a wave of the Elastic public sector community running Elastic as a service within Government rather than utilizing purely hosted solutions. Fast forward to 2021 and we have multiple options for multiple mission needs. Learn top tips from Elastic architects and their experience enabling their teams with the automation and provisioning of Elastic tech to change the game in how government delivers solutions.
The opportunities and challenges of data for public goodElasticsearch
Data is an increasingly valuable resource for delivering economic and social benefit. Heather will discuss the challenges and opportunities, and how communities at all levels of the public sector can play a part in leading the change.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
7. Pre-Hunt Activities
● Identification of adversarial techniques
● Identification of data sources required to validate the detection of
adversarial techniques
● Data Documentation (Data Dictionaries)
● Data Modeling
● Data quality Assessment
○ Completeness & Standardization
● Development of data analytics
● Development of playbooks
7
8. Pre-Hunt Activities
● Identification of adversarial techniques
● Identification of data sources required to validate the detection of
adversarial techniques
● Data Documentation (Data Dictionaries)
● Data Modeling
● Data quality Assessment
○ Completeness & Standardization
● Development of data analytics
● Development of playbooks
8
10. Threat Hunting
What can be
automated?
- Not everything can be
automated
- Enhance SOC
operations
Lessons Learned
- Metrics
- Report Findings
- Transition to IR?
- What didn’t work?
Hunt
- Data Analytics
> Behavioral
> Anomalies/Outliers
- Validate Detection
Pre-Hunt
- Define Hunt Model
- Set Scope
- Define Team Roles
- Identify Adversarial
Technique
- Develop Hypothesis
Threat
Hunting
10
11. Threat Hunting
What can be
automated?
- Not everything can be
automated
- Enhance SOC
operations
Lessons Learned
- Metrics
- Report Findings
- Transition to IR?
- What didn’t work?
Hunt
- Data Analytics
> Behavioral
> Anomalies/Outliers
- Validate Detection
Threat
Hunting
11
Pre-Hunt
- Define Hunt Model
- Set Scope
- Define Team Roles
- Identify Adversarial
Technique
- Develop Hypothesis
12. Threat Hunting
What can be
automated?
- Not everything can be
automated
- Enhance SOC
operations
Lessons Learned
- Metrics
- Report Findings
- Transition to IR?
- What didn’t work?
Hunt
- Data Analytics
> Behavioral
> Anomalies/Outliers
- Validate Detection
Threat
Hunting
12
Pre-Hunt
- Define Hunt Model
- Set Scope
- Define Team Roles
- Identify Adversarial
Technique
- Develop Hypothesis
13. What can be
automated?
- Not everything can be
automated
- Enhance SOC
operations
Lessons Learned
- Metrics
- Report Findings
- Transition to IR?
- What didn’t work?
Hunt
- Data Analytics
> Behavioral
> Anomalies/Outliers
- Validate Detection
Threat
Hunting
13
Threat Hunting
Pre-Hunt
- Define Hunt Model
- Set Scope
- Define Team Roles
- Identify Adversarial
Technique
- Develop Hypothesis
14. What can be
automated?
- Not everything can be
automated
- Enhance SOC
operations
Lessons Learned
- Metrics
- Report Findings
- Transition to IR?
- What didn’t work?
Hunt
- Data Analytics
> Behavioral
> Anomalies/Outliers
- Validate Detection
Threat
Hunting
14
Threat Hunting
Pre-Hunt
- Define Hunt Model
- Set Scope
- Define Team Roles
- Identify Adversarial
Technique
- Develop Hypothesis
15. Diverse Attacks Call for Diverse Data Sets
● Endpoint Data Sets
○ Built-In Windows Logs
○ Sysmon Logs
○ Antivirus Logs
○ Data Loss Prevention (DLP) Logs
● Network Data Sets
○ Proxy Logs
○ Bro (Now Zeek) Logs
○ Full Packet Capture
15
16. Data Lakes & Threat Hunting (In-Theory)
E XTRACT
T RANSFORM
L OAD
E XTRACT
T RANSFORM
L OAD
16
24. Enable Threat Hunters
● Perform flexible data analysis at scale
● Go beyond Indicators of compromise (IOC)
○ Basic queries to find an IP address from an intel report
● Identify specific structured patterns
○ Streaming, Graphing
● Describe the data in a more intuitive and efficient way
● Integrate with other threat hunting procedures
○ Playbooks
○ Training
24
27. Data Dictionaries (Sysmon Event ID 1)
27
Windows
Sysmon
https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Whitepaper_Subverting_Sysmon.pdf
28. Sysmon Data Model After Documentation
28https://github.com/Cyb3rWard0g/presentations/blob/master/SANS_THIR_2018.pdf
29. Adversary
Technique
29
Process Creation
Process created Process
Process Write To Process
Process Process
Process Access
Process Process
Security
4688
Sysmon
1
Security
4689
Sysmon
5
Sysmon
8
Sysmon
10
Process Termination
user terminated Process
wrote_to
accessed
Data Sources & Data Modeling
https://github.com/Cyb3rWard0g/presentations/tree/master/ATTACKcon
30. Threat Hunting & Data
30
Identify technique(s)
Define Technique
Variation
Generate Hypothesis
Simulate Technique
Variation
Identify
Recommended Data
Sources
Define Data Analytics
Validate Detection
Perform Data Quality
Assessment
Execute Hunt
Hunter Notes / Report
https://github.com/Cyb3rWard0g/presentations/tree/master/ATTACKcon
32. What the HELK?
● An ecosystem composed of several open source frameworks
● Main goal of empowering threat hunters and extending the
functionalities of an Elastic ELK stack by enabling advanced analytics
capabilities
● First Public Documented & Standardized Pipeline
○ OSSEM Project: https://github.com/Cyb3rWard0g/OSSEM
○ Documenting new events as they show up in new tests
● Awesome additions to the pipeline by Nate Guagenti @neu5ron
32https://github.com/Cyb3rWard0g/HELK
34. Why Spark?
“Apache Spark is a unified computing
engine and a set of libraries for
parallel data processing on computer
clusters”
34Chambers, Bill; Zaharia, Matei. Spark: The Definitive Guide: Big Data Processing Made Simple (Kindle Locations 141-144).
O'Reilly Media. Kindle Edition
35. Why Spark?
35Chambers, Bill; Zaharia, Matei. Spark: The Definitive Guide: Big Data Processing Made Simple (Kindle Locations 141-144).
O'Reilly Media. Kindle Edition
39. Why Jupyter?
● The Jupyter Notebook is an open-source web application that allows you to
create and share documents that contain live code, equations, visualizations
and narrative text.
● Uses include:
○ data cleaning and transformation
○ numerical simulation
○ statistical modeling
○ data visualization
○ machine learning, and much more.
39http://jupyter.org/
47. IdentifyTechnique: Pass the Hash
“Pass the hash (PtH) is a
method of authenticating as
a user without having access
to the user's cleartext
password.”
https://attack.mitre.org/wiki/Technique/T1075 47
48. Define Technique Variation: Overpass-The-Hash
https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It-wp.pdf 48
● Authentication via Kerberos
○ Authentication Protocol based on keys and tickets
● “Upgrading a NT hash into a full Kerberos ticket”
● It may require elevated privileges (privilege::debug or SYSTEM
account)
○ Depends on how this attack is performed.
○ You might not need to be admin
49. Technical Details: Normal kerberos Authentication
https://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it 49
51. Technical Details: Rubeus -Overpass-the-hash
https://github.com/GhostPack/Rubeus 51
● Rubeus is a C# re-implementation of some of the functionality from
Benjamin Delpy’s Kekeo project
○ Kerberos structures built by hand…
○ Rubeus works nicely with execute-assembly
○ So why not use Kekeo? Because ASN.1!
■ Requires a commercial ASN.1 library to customize/rebuild the
Kekeo codebase
● Author: Will Schroeder @harmj0y @SpecterOps
● DEMO