Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Toolkit

•

0 likes•44 views

Welcome to the world of “Toolkit Titans,” where a global lack of funding, limited manpower, and inadequate support doesn’t stop us from saving the world! In this action-packed talk, we’ll dive into the depths of defensive security operations to build a toolkit that serves your needs. Security analytics, incident response, and adversary emulation – I’ll focus on the cost-effective integration of powerful open-source tools like Elastic, Zeek, Suricata, and Jupyter Notebooks. I’ll demonstrate how these tools can be combined to form a flexible solution for state response, in-garrison support, or austere operations. The best part? I’ve done a lot of the work for you and all the resources will be provided via a GitHub project during the presentation. So gear up, brave Titan, and let’s build the ultimate cyber defense!

Technology

Toolkit Titans:
Crafting a Cutting-Edge, Open-Source
Security Operations Toolkit
ShieldCon 2023
Brandon DeVault
Principal Security Author, Pluralsight
Defensive Cyber Operations, FL Air National Guard
/in/brandon-devault www.devaultsecurity.com @Vivicat

Agenda
• Challenges and Use Cases
• Toolkits
• Software
• Hardware
• Conclusion / Q&A

The Solution!
Unlimited manpower
Unlimited budget
Unlimited time

Requirements
Alerts
Protocol Analysis
Centralized Logs
Visualization

Operations
• Security Analytics
• Storage
• Incident Response
• Case Management
• Adversary Emulation
• Framework / Reporting

CVA/H Architecture v3.x(ish)
12
STENOGRAPHER
STENOGRAPHER

Alerts
Typical Network log data
16
Packet captures
(PCAP)
Session and Protocol
Metadata Logs

Suricata vs Snort
18
• Port independent protocol analysis
• File extraction for HTTP and SMTP
• Multithreaded (ahead of Snort by a decade)
• Backwards compatible with Snort rules
1998

Suricata
• Suricata uses a rule-set to compare against
incoming traffic and it fires off alerts if it
matches on a rule.
• Open Information Security Foundation
• Active community
• Truly open source (not tied to corp.)
• Fast rule writing / updating cycle
• Extended Snort Language
• Multithreaded (scaleable)
19

Additional
Features
• Extracts files (http & smtp)
• IPv4 / v6
• GeoIP / Reputation
• Port-independent protocol detection
• Outputs to `eve.json`
• Extensible Event Format
• DNS parse / match / log
• “NSM runmode”
• just events (no alerting)
20

Zeek
• Passive, open-source traffic Analysis
platform
• Most often used in cybersecurity, but
helpful for performance monitoring and
troubleshooting
• Generates rich set of logs that summarize
network protocol sessions*
* But there’s so much more!
22

200.1.1.6
Packet vs Network Events
23
10.0.0.1 (S)
10.0.0.1 (D)
10.0.0.1 (S)
10.0.0.1 (D)
200.1.1.6 (D)
200.1.1.6 (S)
200.1.1.6 (D)
200.1.1.6 (S)
10.0.0.1
10.0.0.1
200.1.1.6
200.1.1.6
Client Server
● Based on individual packets
● Source and destination change based on the
direction of the communication
10.0.0.1 200.1.1.6
TCPdump
Wireshark
Suricata
Zeek
● Based on who initiated the conversation
● Client and Server do not change over the course of
the connection
Packet Events
(Source/Destination)
Network Events
(Client/Server)
10.0.0.1

Zeek Data Flow
24
OR
conn.log
files.log
http.log
I saw an HTTP
connection that
where a file was
transferred!

Store, Search, &
Analyze
Visualize &
Manage
Ingest
Elastic Stack
Elastic Stack
Kibana
Elasticsearch
Beats Logstash
What is the stack?

Atomic Red
Team
• Library of Scripted Attacks
• Red Canary
• Community Developed

Jupyter
Notebooks
• Live code and documentation
• Over 40-languages
• Integrated code and text
• Interactive Output
• Reproducibility

Laptop – ASUS
VivoBook 14
($400 - $500)
• AMD Ryzen 5 (4-Core)
• 8GB RAM
• 256GB SSD

Laptop: Acer Swift X
($850)
• AMD Ryzen 7
• 16GB RAM
• 512GB SSD
• NVIDIA 3050Ti

Intel NUC
($1,000 - $2,000)
• 6x USB-A
• 1x USB-C
• 2x Thunderbolt
• 2x Ethernet
• 2x HDMI
• And it’s silent!

With the rise of disruptive forces such as cloud computing and mobile technology, the enterprise network has become larger and more complex than ever before. Meanwhile, sophisticated cyber-attackers are taking advantage of the expanded attack surface to gain access to internal networks and steal sensitive data. Perimeter security is no longer enough to keep threat actors out, and organizations need to be able to detect and mitigate threats operating inside the network. NetFlow, a context-rich and common source of network traffic metadata, can be utilized for heightened visibility to identify attackers and accelerate incident response. Join Richard Laval to discuss the security applications of NetFlow using StealthWatch. This session will cover: - An overview of NetFlow, what it is, how it works, and how it benefits security - Design, deployment, and operational best practices for NetFlow security monitoring - How to best utilize NetFlow and identity services for security telemetry - How to investigate and identify threats using statistical analysis of NetFlow telemetry

SDN_and_NFV_technologies_in_IoT_Networks

Srinivasa Addepalli

This document discusses using SDN and NFV technologies to achieve visibility and security in IoT networks. It describes typical IoT network topologies using IP connectivity. It then discusses how SDN can provide centralized control of network functions through a controller. NFV allows network functions to run as virtual machines on common hardware. The document proposes using SDN to implement security applications like traffic filtering and monitoring. It suggests using NFV to run security services like WAF and APIs as docker containers on IoT edge gateways. Together SDN and NFV provide a way to flexibly add and manage new security services in IoT networks.

Data center webinar_v2_1

Lancope, Inc.

The document discusses securing data centers from cyber threats. It describes how attacks have evolved from manual to mechanized to sophisticated human-led attacks. It advocates employing segmentation, threat defense and visibility measures like firewalls, IDS/IPS, and NetFlow. The Cisco Cyber Threat Defense solution places these tools at the access, aggregation and core layers, including the ASA firewall, Nexus switches, and StealthWatch for network monitoring and analytics. This provides visibility into network traffic across physical and virtual infrastructure to detect threats and policy violations.

Acceleration_and_Security_draft_v2

Srinivasa Addepalli

Distributed intelligence using edge computing addresses challenges with centralized cloud computing like high latency and bandwidth usage. However, it introduces new security challenges with multiple providers and tenants. Solutions include encrypting all data, communications and keys; using technologies like TPM and SGX for secure execution; and reducing overhead of encryption through hardware accelerators to ensure security and performance in fog computing environments.

Introduction to Software Defined Networking (SDN) presentation by Warren Finc...

APNIC

Introduction to Software Defined Networking (SDN)

Bangladesh Network Operators Group

This document provides an overview of software defined networking (SDN), including its evolution from traditional router architectures, the seminal Clean Slate project and OpenFlow protocol, and the current SDN architecture. It discusses key SDN concepts like the separation of the control and data planes, standardization bodies, example applications like VOLTHA and ONOS, and related technologies like NFV and P4.

Security defined routing_cybergamut_v1_1

Joel W. King

Splunk App for Stream

Splunk

Wire data provides deep insights across IT, security and business use cases by capturing the communications transmitted over the wire between machines and applications in real-time. The Splunk App for Stream enables new operational intelligence by indexing this wire data without needing instrumentation. It provides enhanced visibility, efficient cloud-ready collection, and fast time to value through interface-driven deployment. Key features include protocol decoding, attribute filtering, aggregations, and custom content extraction for analysis in Splunk.

Modern IT and application environments are increasingly complex, transitioning to cloud, and large in scale. The managed resources, services and applications in these environments generate tremendous data that needs to be observed, consumed and analyzed in real time (or later) by management tools to create insights and to drive operational actions and decisions. In this talk, Srikanth Natarajan will share Micro Focus’ adoption story of Pulsar, including the experience in consuming from and contributing to Apache Pulsar, the lessons learned, and the help that Micro Focus received from a development support partner in their Pulsar journey.

Protocol and Integration Challenges for SDN

Gerardo Pardo-Castellote

SDN programming and operations requires continuous monitoring of network and application state as well as consistent configuration and update of (forwarding) policies across heterogeneous devices. This is resulting in significant challenges. Multiple open protocols such as OpenFlow, OF-CONFIG, OnePK , etc. are being adopted by different vendors causing an integration problem for developers. Internet of Things applications are pushing the size and volume of data handled by SDN systems demanding more efficient and scalable protocols for information distribution and coordination of SDN devices. This presentation will describe these and other SDN challenges and ways in which various open protocols, such as DDS, XMPP, AMQP, are being used to address them.

ONF & iSDX Webinar

Katie Hyman

The presentation discussed software-defined internet exchange points (SDXs) and the iSDX platform. SDXs can help solve internet routing problems by offering more flexible traffic control and innovative services compared to traditional Border Gateway Protocol (BGP)-based internet exchanges. The iSDX project developed an industrial-scale SDX that can support the data plane performance and scalability required for a major internet exchange through optimization techniques. It is deployed via an open source software stack and several organizations are working to adopt iSDX in public internet exchanges and enterprise networks.

SDN, OpenFlow, NFV, and Virtual Network

Tim4PreStartup

Mr201304 open flow_security_eng

FFRI, Inc.

This document provides an overview of OpenFlow technology and analyzes potential security threats. It describes OpenFlow and SDN concepts, the OpenFlow specification version 1.0, and example network designs using OpenFlow. The document then analyzes threats to OpenFlow assets like flow entries and network capabilities. Specific threats addressed include information leakage, traffic tampering, denial of service attacks, and system hacking. Countermeasures suggested involve using TLS, hardening switches and controllers, adding redundancy, and restricting traffic.

Splunk App for Stream for Enhanced Operational Intelligence from Wire Data

Splunk

The Splunk App for Stream provides concise summaries of wire data in 3 sentences or less: The Splunk App for Stream enables capturing and analyzing wire data from public, private, and hybrid cloud infrastructures for real-time operational insights. It delivers rapid deployment and scalability along with efficient wire data collection. The app captures critical events not found in logs to enhance operational intelligence through wire data analysis.

WebRTC Webinar & Q&A - W3C WebRTC JS API Test Platform & Updates from W3C Lis...

Amir Zmora

On September 19-23 there was the W3C TPAC meeting in Lisbon. Dan will cover some of the highlights of the recent Lisbon WebRTC meeting, including what items are the sticking points, where work is focusing, progress estimates, and thoughts on what might go into the next version of WebRTC after 1.0 is finished. Alex will cover the W3C testing platform: "Test The Web Forward". W3C, unlike IETF, is developing and maintaining a complete test suite for all its JS APIs. No specification is actually accepted by W3C and final without the corresponding test suite. Topics that will be addressed include what this testing platform implements, its status with respect to WebRTC and now it is used by different browser vendors as an indication of their compliance with the standards. As always, we encourage you to submit your general WebRTC related questions beforehand in the Questions & Topics section to make sure we answer them during the session. Event sponsored by WebRTC.Ventures & Blacc Spot Media

DPDK Summit - 08 Sept 2014 - NTT - High Performance vSwitch

Jim St. Leger

Leverage the Network to Detect and Manage Threats

Cisco Canada

Introduction to NBL

Fei Ji Siao

This document discusses the development of test tools and RealFlow testing at a third-party testing lab. It describes various self-designed test tools developed to automate testing of devices like routers, switches, and wireless products. It also outlines how RealFlow testing uses real network traffic replay techniques to test products under realistic conditions captured from a beta testing site. Finally, it mentions some experiments conducted with Software Defined Networking and OpenFlow technologies.

Design and Deploy Secure Clouds for Financial Services Use Cases

PLUMgrid

This document discusses using Red Hat OpenStack Platform and micro-segmentation to securely deploy financial services clouds. It covers common OpenStack security challenges, how Red Hat OpenStack Platform addresses these challenges through automation and templates, and how micro-segmentation provides isolation and strict access controls. The presentation then demonstrates micro-segmentation using virtual domains to separate workloads and apply fine-grained security policies in a demo.

NUVX Technologies general solutions

NUVX

Nozomi Networks SCADAguardian - Data-Sheet

Nozomi Networks

Detecting Hacks: Anomaly Detection on Networking Data

James Sirota

Big datadc skyfall_preso_v2

abramsm

Cisco Stealtwatch

Rayudu Babu

Stealthwatch is a network monitoring tool developed by Cisco that provides complete network visibility. It monitors all network traffic and host behavior, storing data for months. It detects anomalies like unauthorized data downloads or performance issues. Stealthwatch works by collecting IP flow data from network devices using the IPFIX protocol. It has several components, including the Stealthwatch Management Console for managing and viewing network data, FlowCollectors for aggregating flow data, and optional FlowSensors and UDP Directors to enhance data collection and routing. The tool detects threats by correlating local network data with external threat intelligence feeds.

Fiware: Connecting to robots

Jaime Martin Losa

Open Ethernet: an open-source approach to modern network design

Alexander Petrovskiy

The era of closed proprietary hardware platforms is coming to an end. Today, in the world of Web-scale IT, the industry is starting to adopt new approach, based on the principles of openness, scalabilty and customizability. However, in more conservative networking industry, traditional equipment and proprietary technologies from a single vendor are often being used, which limits the flexibility, prevents innovation and narrows down the choice. The "Open Ethernet" initiative from Mellanox brings open source principles into the world of modern networking and allows customers to select the best hardware and software to design network infrastructure, based on open and standard protocols and technologies, also opening the way for broad adoption of SDN.

Java in the Air: A Case Study for Java-based Environment Monitoring Stations

Eurotech

sdnppt.pdf

AbhayDonde

Software defined networking (SDN) separates the network control plane from the forwarding plane, allowing a single, centralized control plane to control multiple forwarding devices. SDN gives network administrators the ability to abstract the underlying network infrastructure and program how network traffic is handled. This allows SDN to simplify network management and make the network more flexible, programmable, and adaptable to changing needs. However, implementing SDN also presents challenges related to changing traditional network architectures, security, and specialized technical knowledge requirements.

grrcon-2023-scheduled-tasks.pdf

Brandon DeVault

Unleash the power of scheduled tasks and uncover hidden secrets in Windows! Did you know that lurking beneath the surface are approximately 150 scheduled tasks by default, with over 40 set to hidden by default? Prepare to dive deep into the fascinating (aka, frustrating) world of these elusive artifacts! Join me as we embark on an enthralling journey, delving into the intricate details and challenges surrounding scheduled tasks. Discover how Microsoft typos, baffling naming schemes, and cryptic execution details make detecting anomalies a “thrilling” pursuit. But fear not, for there is hope! This captivating presentation will arm you with potent PowerShell scripts, powerful Elasticsearch dashboards, and an enhanced understanding of hunting down malicious persistence. Get ready to transform your perspective on scheduled tasks and become a hero in shining a spotlight on their hidden mysteries!

Les Miserable Persistence - Hunting Through Scheduled Tasks - ShmooCon 2023.pdf

Brandon DeVault

I always thought scheduled tasks fell into the category of low-level adversaries. Did you know that a standard build of Windows 10 or 11 contains about 150 scheduled tasks by default? Did you know over 40 of these tasks are hidden by default? Cue misery… In this talk, I’ll explore the various details we can extract about scheduled tasks and why it’s so difficult to find anomalies. Everything from Microsoft typos, inconsistent naming schemes, and obfuscated execution details. And don’t worry, it’s not all doom and gloom. You’ll leave this presentation with PowerShell scripts, Elasticsearch dashboards, and a better understanding on how to hunt for malicious persistence.

Similar to Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Toolkit

Why Micro Focus Chose Pulsar for Data Ingestion - Pulsar Summit NA 2021

StreamNative

Protocol and Integration Challenges for SDN

Gerardo Pardo-Castellote

ONF & iSDX Webinar

Katie Hyman

SDN, OpenFlow, NFV, and Virtual Network

Tim4PreStartup

Mr201304 open flow_security_eng

FFRI, Inc.

Splunk App for Stream for Enhanced Operational Intelligence from Wire Data

Splunk

WebRTC Webinar & Q&A - W3C WebRTC JS API Test Platform & Updates from W3C Lis...

Amir Zmora

DPDK Summit - 08 Sept 2014 - NTT - High Performance vSwitch

Jim St. Leger

Leverage the Network to Detect and Manage Threats

Cisco Canada

Introduction to NBL

Fei Ji Siao

Design and Deploy Secure Clouds for Financial Services Use Cases

PLUMgrid

NUVX Technologies general solutions

NUVX

Nozomi Networks SCADAguardian - Data-Sheet

Nozomi Networks

Detecting Hacks: Anomaly Detection on Networking Data

James Sirota

Big datadc skyfall_preso_v2

abramsm

Cisco Stealtwatch

Rayudu Babu

Fiware: Connecting to robots

Jaime Martin Losa

Open Ethernet: an open-source approach to modern network design

Alexander Petrovskiy

Java in the Air: A Case Study for Java-based Environment Monitoring Stations

Eurotech

sdnppt.pdf

AbhayDonde

Similar to Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Toolkit (20)

Why Micro Focus Chose Pulsar for Data Ingestion - Pulsar Summit NA 2021

Protocol and Integration Challenges for SDN

ONF & iSDX Webinar

SDN, OpenFlow, NFV, and Virtual Network

Mr201304 open flow_security_eng

Splunk App for Stream for Enhanced Operational Intelligence from Wire Data

WebRTC Webinar & Q&A - W3C WebRTC JS API Test Platform & Updates from W3C Lis...

DPDK Summit - 08 Sept 2014 - NTT - High Performance vSwitch

Leverage the Network to Detect and Manage Threats

Introduction to NBL

Design and Deploy Secure Clouds for Financial Services Use Cases

NUVX Technologies general solutions

Nozomi Networks SCADAguardian - Data-Sheet

Detecting Hacks: Anomaly Detection on Networking Data

Big datadc skyfall_preso_v2

Cisco Stealtwatch

Fiware: Connecting to robots

Open Ethernet: an open-source approach to modern network design

Java in the Air: A Case Study for Java-based Environment Monitoring Stations

sdnppt.pdf

More from Brandon DeVault

grrcon-2023-scheduled-tasks.pdf

Brandon DeVault

Les Miserable Persistence - Hunting Through Scheduled Tasks - ShmooCon 2023.pdf

Brandon DeVault

Tracing Transactions - BSides Orlando.pdf

Brandon DeVault

You’ve got a secure environment and alerting in-place, yet the adversaries are still able to bypass your defenses. How do you find and stop the adversary before they are able to compromise your environment? In this workshop we’ll explore through a real-world attack chain from FIN7 and showcase strategies on how to hunt for specific techniques. This workshop focuses on network analysis and covers the following topics: SMTP Email Header Analysis Bidirectional C2 using legitimate cloud services Lateral Movement with RDP and SSH Exfiltration using cloud storage We’ll be using open-source tools like Zeek and Elasticsearch so we can really focus on the methodology and hunting for the behaviors. And hopefully, you’ll leave this workshop with some new skills for network threat hunting. I’ll also be releasing some threat hunting focused dashboards you can use in your own environment.

Log4Shell Case Study - Suricon2022.pdf

Brandon DeVault

Log4j? Log4Shell? I feel like I’ve heard those terms before… Perhaps you were so bogged down with remediation and incident response that you didn’t get the necessary time to research and understand the full scope of what happened. In this hands-on talk, we’ll walk through how the vulnerability is exploited and what part it plays in the attack chain. You’ll have an opportunity to emulate the attack or follow along as I demonstrate the attack and various open-source detection methods. This talk takes a purple team approach by discussing the defender’s and attacker’s infrastructure, attack execution, and how to analyze the traffic for identification and detection. We’ll finish up by discussing the aftermath of attacks seen in the wild, current APT approaches to this vulnerability, and address any security concerns that remain. I’ll leave you with configured docker containers, detection mechanisms, and full instructions on how to emulate and detect this attack within your own environment.

Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdf

Brandon DeVault

This document discusses tactics and techniques related to the FIN7 threat group. It mentions that FIN7 has been known to use PHP Mailer in phishing campaigns for initial access. It also notes that FIN7 has used legitimate services like Google Docs and Pastebin for command and control. The document further states that FIN7 generally uses existing credentials and built-in remote access applications to move laterally within networks.

Level up your SOC - Guide for a Resilient Education Program.pdf

Brandon DeVault

The document outlines a plan for leveling up a security operations center's education program to better assess threats and roles. The plan involves assessing adversaries and defenders, defining roles, creating a sustainable education plan, and tackling advanced persistent threats. The education plan proposes an approach with initial skills training, initial qualification training using tools, and mission qualification training for the specific environment, plus continued research, workshops and conferences. Addressing advanced threats requires moving from reactive to proactive security tactics like threat hunting and emulation.

Log4j vulnerability - CCC - Workshop.pdf

Brandon DeVault

The document discusses the log4j vulnerability and its widespread impact. It provides an infographic showing that the vulnerability affected over 35% of internet-facing services and outlines the stages an attacker can leverage it for initial access, execution, persistence, and privilege escalation. It also notes several high severity vulnerabilities disclosed in 2022 related to improper input validation and deserialization that could similarly be exploited.

Log4j vulnerability - CCC - Talk.pdf

Brandon DeVault

Handling Open-Source Code - ISF 2022.pdf

Brandon DeVault

Dealing with the fallout from a massive exploit is everyone’s nightmare. Time and time again these vulnerabilities are found in open-source software. Does this mean we can’t trust open-source and should be developing everything from scratch? No, it’s not feasible or sustainable for anyone’s environment. So how do you handle this code that is embedded everywhere? In this talk, I’ll discuss the concerns open-source code and dependencies bring to any environment. We’ll start off by taking a historical look at vulnerabilities and their impact. Through this, we’ll look at methods for discovery, triage, and remediation. I focus on core tenants of remaining flexible, scalable, and integrating automation with the overall goal of reducing both risk and operational costs. The tradeoff between productivity, cost, and security doesn’t have to be a pick 2, lose 1 type scenario.

CircleCityCon - Threat Hunting with the Elastic Stack

Brandon DeVault

Alamo ACE - Threat Hunting with CVAH

Brandon DeVault

1. The document discusses threat hunting using the Cyber Vulnerability Assessment/Hunter (CVA/H) platform, which utilizes technologies like Docker, Kubernetes, Elasticsearch, Logstash, Kibana, Apache Kafka, and Suricata. 2. It provides an overview of the Elastic stack for storing, searching, analyzing, visualizing, and managing data, as well as technologies like Logstash, Beats, and Elasticsearch that ingest and transport data. 3. The presentation covers the CVA/H threat hunting methodology, which takes a passive approach first by analyzing network data with tools like Zeek before moving to more active hunting techniques.

BSides JAX 2019 - Threat Hunting with the Elastic Stack

Brandon DeVault

This document provides an overview of using the Elastic Stack for threat hunting. It discusses the key components of the Elastic Stack including Logstash, Beats, Elasticsearch, and Kibana. It also discusses using Zeek (formerly Bro) as a network security monitor to analyze network data and construct a full timeline of events to help with threat hunting. The presentation concludes by noting that every live demo risks something going wrong.

How Microsoft will MiTM your network

Brandon DeVault

More from Brandon DeVault (13)

grrcon-2023-scheduled-tasks.pdf

Les Miserable Persistence - Hunting Through Scheduled Tasks - ShmooCon 2023.pdf

Tracing Transactions - BSides Orlando.pdf

Log4Shell Case Study - Suricon2022.pdf

Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdf

Level up your SOC - Guide for a Resilient Education Program.pdf

Log4j vulnerability - CCC - Workshop.pdf

Log4j vulnerability - CCC - Talk.pdf

Handling Open-Source Code - ISF 2022.pdf

CircleCityCon - Threat Hunting with the Elastic Stack

Alamo ACE - Threat Hunting with CVAH

BSides JAX 2019 - Threat Hunting with the Elastic Stack

How Microsoft will MiTM your network

Recently uploaded

Northern Engraving | Nameplate Manufacturing Process - 2024

Northern Engraving

Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!

Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips

ScyllaDB

ScyllaDB monitoring provides a lot of useful information. But sometimes it’s not easy to find the root of the problem if something is wrong or even estimate the remaining capacity by the load on the cluster. This talk shares our team's practical tips on: 1) How to find the root of the problem by metrics if ScyllaDB is slow 2) How to interpret the load and plan capacity for the future 3) Compaction strategies and how to choose the right one 4) Important metrics which aren’t available in the default monitoring setup.

GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...

GlobalLogic Ukraine

Під час доповіді відповімо на питання, навіщо потрібно підвищувати продуктивність аплікації і які є найефективніші способи для цього. А також поговоримо про те, що таке кеш, які його види бувають та, основне — як знайти performance bottleneck? Відео та деталі заходу: https://bit.ly/45tILxj

Harnessing the Power of NLP and Knowledge Graphs for Opioid Research

Neo4j

Introducing BoxLang : A new JVM language for productivity and modularity!

Ortus Solutions, Corp

Just like life, our code must adapt to the ever changing world we live in. From one day coding for the web, to the next for our tablets or APIs or for running serverless applications. Multi-runtime development is the future of coding, the future is to be dynamic. Let us introduce you to BoxLang. Dynamic. Modular. Productive. BoxLang redefines development with its dynamic nature, empowering developers to craft expressive and functional code effortlessly. Its modular architecture prioritizes flexibility, allowing for seamless integration into existing ecosystems. Interoperability at its Core With 100% interoperability with Java, BoxLang seamlessly bridges the gap between traditional and modern development paradigms, unlocking new possibilities for innovation and collaboration. Multi-Runtime From the tiny 2m operating system binary to running on our pure Java web server, CommandBox, Jakarta EE, AWS Lambda, Microsoft Functions, Web Assembly, Android and more. BoxLang has been designed to enhance and adapt according to it's runnable runtime. The Fusion of Modernity and Tradition Experience the fusion of modern features inspired by CFML, Node, Ruby, Kotlin, Java, and Clojure, combined with the familiarity of Java bytecode compilation, making BoxLang a language of choice for forward-thinking developers. Empowering Transition with Transpiler Support Transitioning from CFML to BoxLang is seamless with our JIT transpiler, facilitating smooth migration and preserving existing code investments. Unlocking Creativity with IDE Tools Unleash your creativity with powerful IDE tools tailored for BoxLang, providing an intuitive development experience and streamlining your workflow. Join us as we embark on a journey to redefine JVM development. Welcome to the era of BoxLang.

Session 1 - Intro to Robotic Process Automation.pdf

UiPathCommunity

👉 Check out our full 'Africa Series - Automation Student Developers (EN)' page to register for the full program: https://bit.ly/Automation_Student_Kickstart In this session, we shall introduce you to the world of automation, the UiPath Platform, and guide you on how to install and setup UiPath Studio on your Windows PC. 📕 Detailed agenda: What is RPA? Benefits of RPA? RPA Applications The UiPath End-to-End Automation Platform UiPath Studio CE Installation and Setup 💻 Extra training through UiPath Academy: Introduction to Automation UiPath Business Automation Platform Explore automation development with UiPath Studio 👉 Register here for our upcoming Session 2 on June 20: Introduction to UiPath Studio Fundamentals: https://community.uipath.com/events/details/uipath-lagos-presents-session-2-introduction-to-uipath-studio-fundamentals/

What is an RPA CoE? Session 1 – CoE Vision

DianaGray10

Leveraging the Graph for Clinical Trials and Standards

Neo4j

Apps Break Data

Ivo Velitchkov

How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?

Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck

FilipTomaszewski5

"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk

Fwdays

At this talk we will discuss DDoS protection tools and best practices, discuss network architectures and what AWS has to offer. Also, we will look into one of the largest DDoS attacks on Ukrainian infrastructure that happened in February 2022. We'll see, what techniques helped to keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on Ukraine experience

AWS Certified Solutions Architect Associate (SAA-C03)

HarpalGohil4

"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba

Fwdays

This is a session that details how PostgreSQL's features and Azure AI Services can be effectively used to significantly enhance the search functionality in any application. In this session, we'll share insights on how we used PostgreSQL to facilitate precise searches across multiple fields in our mobile application. The techniques include using LIKE and ILIKE operators and integrating a trigram-based search to handle potential misspellings, thereby increasing the search accuracy. We'll also discuss how the azure_ai extension on PostgreSQL databases in Azure and Azure AI Services were utilized to create vectors from user input, a feature beneficial when users wish to find specific items based on text prompts. While our application's case study involves a drug search, the techniques and principles shared in this session can be adapted to improve search functionality in a wide range of applications. Join us to learn how PostgreSQL and Azure AI can be harnessed to enhance your application's search capability.

JavaLand 2024: Application Development Green Masterplan

Miro Wengner

AppSec PNW: Android and iOS Application Security with MobSF

Ajin Abraham

Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application. This talk covers: Using MobSF for static analysis of mobile applications. Interactive dynamic security assessment of Android and iOS applications. Solving Mobile app CTF challenges. Reverse engineering and runtime analysis of Mobile malware. How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.

What is an RPA CoE? Session 2 – CoE Roles

DianaGray10

LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...

DanBrown980551

This LF Energy webinar took place June 20, 2024. It featured: -Alex Thornton, LF Energy -Hallie Cramer, Google -Daniel Roesler, UtilityAPI -Henry Richardson, WattTime In response to the urgency and scale required to effectively address climate change, open source solutions offer significant potential for driving innovation and progress. Currently, there is a growing demand for standardization and interoperability in energy data and modeling. Open source standards and specifications within the energy sector can also alleviate challenges associated with data fragmentation, transparency, and accessibility. At the same time, it is crucial to consider privacy and security concerns throughout the development of open source platforms. This webinar will delve into the motivations behind establishing LF Energy’s Carbon Data Specification Consortium. It will provide an overview of the draft specifications and the ongoing progress made by the respective working groups. Three primary specifications will be discussed: -Discovery and client registration, emphasizing transparent processes and secure and private access -Customer data, centering around customer tariffs, bills, energy usage, and full consumption disclosure -Power systems data, focusing on grid data, inclusive of transmission and distribution networks, generation, intergrid power flows, and market settlement data

Day 2 - Intro to UiPath Studio Fundamentals

UiPathCommunity

In our second session, we shall learn all about the main features and fundamentals of UiPath Studio that enable us to use the building blocks for any automation project. 📕 Detailed agenda: Variables and Datatypes Workflow Layouts Arguments Control Flows and Loops Conditional Statements 💻 Extra training through UiPath Academy: Variables, Constants, and Arguments in Studio Control Flow in Studio

A Deep Dive into ScyllaDB's Architecture

ScyllaDB

QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...

AlexanderRichford

QR Secure: A Hybrid Approach Using Machine Learning and Security Validation Functions to Prevent Interaction with Malicious QR Codes. Aim of the Study: The goal of this research was to develop a robust hybrid approach for identifying malicious and insecure URLs derived from QR codes, ensuring safe interactions. This is achieved through: Machine Learning Model: Predicts the likelihood of a URL being malicious. Security Validation Functions: Ensures the derived URL has a valid certificate and proper URL format. This innovative blend of technology aims to enhance cybersecurity measures and protect users from potential threats hidden within QR codes 🖥 🔒 This study was my first introduction to using ML which has shown me the immense potential of ML in creating more secure digital environments!

Recently uploaded (20)

Northern Engraving | Nameplate Manufacturing Process - 2024

Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips

GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...

Harnessing the Power of NLP and Knowledge Graphs for Opioid Research

Introducing BoxLang : A new JVM language for productivity and modularity!

Session 1 - Intro to Robotic Process Automation.pdf

What is an RPA CoE? Session 1 – CoE Vision

Leveraging the Graph for Clinical Trials and Standards

Apps Break Data

Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck

"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk

AWS Certified Solutions Architect Associate (SAA-C03)

"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba

JavaLand 2024: Application Development Green Masterplan

AppSec PNW: Android and iOS Application Security with MobSF

What is an RPA CoE? Session 2 – CoE Roles

LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...

Day 2 - Intro to UiPath Studio Fundamentals

A Deep Dive into ScyllaDB's Architecture

QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...

Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Toolkit

1. Toolkit Titans: Crafting a Cutting-Edge, Open-Source Security Operations Toolkit ShieldCon 2023 Brandon DeVault Principal Security Author, Pluralsight Defensive Cyber Operations, FL Air National Guard /in/brandon-devault www.devaultsecurity.com @Vivicat

2. Agenda • Challenges and Use Cases • Toolkits • Software • Hardware • Conclusion / Q&A

3. Challenges & Use Cases

4. The Solution! Unlimited manpower Unlimited budget Unlimited time

5. Requirements Alerts Protocol Analysis Centralized Logs Visualization

6. Operations • Security Analytics • Storage • Incident Response • Case Management • Adversary Emulation • Framework / Reporting

7. Toolkits

8. So, my toolkit is unique… right?

9. 9

10. The Hunting ELK (HELK) 10

11. 11

12. CVA/H Architecture v3.x(ish) 12 STENOGRAPHER STENOGRAPHER

13. So, what do I use?

14.

15. Software

16. Alerts Typical Network log data 16 Packet captures (PCAP) Session and Protocol Metadata Logs

17.

18. Suricata vs Snort 18 • Port independent protocol analysis • File extraction for HTTP and SMTP • Multithreaded (ahead of Snort by a decade) • Backwards compatible with Snort rules 1998

19. Suricata • Suricata uses a rule-set to compare against incoming traffic and it fires off alerts if it matches on a rule. • Open Information Security Foundation • Active community • Truly open source (not tied to corp.) • Fast rule writing / updating cycle • Extended Snort Language • Multithreaded (scaleable) 19

20. Additional Features • Extracts files (http & smtp) • IPv4 / v6 • GeoIP / Reputation • Port-independent protocol detection • Outputs to `eve.json` • Extensible Event Format • DNS parse / match / log • “NSM runmode” • just events (no alerting) 20

21.

22. Zeek • Passive, open-source traffic Analysis platform • Most often used in cybersecurity, but helpful for performance monitoring and troubleshooting • Generates rich set of logs that summarize network protocol sessions* * But there’s so much more! 22

23. 200.1.1.6 Packet vs Network Events 23 10.0.0.1 (S) 10.0.0.1 (D) 10.0.0.1 (S) 10.0.0.1 (D) 200.1.1.6 (D) 200.1.1.6 (S) 200.1.1.6 (D) 200.1.1.6 (S) 10.0.0.1 10.0.0.1 200.1.1.6 200.1.1.6 Client Server ● Based on individual packets ● Source and destination change based on the direction of the communication 10.0.0.1 200.1.1.6 TCPdump Wireshark Suricata Zeek ● Based on who initiated the conversation ● Client and Server do not change over the course of the connection Packet Events (Source/Destination) Network Events (Client/Server) 10.0.0.1

24. Zeek Data Flow 24 OR conn.log files.log http.log I saw an HTTP connection that where a file was transferred!

25.

26. Store, Search, & Analyze Visualize & Manage Ingest Elastic Stack Elastic Stack Kibana Elasticsearch Beats Logstash What is the stack?

27.

28. Atomic Red Team • Library of Scripted Attacks • Red Canary • Community Developed

29.

30. Jupyter Notebooks • Live code and documentation • Over 40-languages • Integrated code and text • Interactive Output • Reproducibility

31. Hardware

32. Laptop – ASUS VivoBook 14 ($400 - $500) • AMD Ryzen 5 (4-Core) • 8GB RAM • 256GB SSD

33. Laptop: Acer Swift X ($850) • AMD Ryzen 7 • 16GB RAM • 512GB SSD • NVIDIA 3050Ti

34. Intel NUC ($1,000 - $2,000) • 6x USB-A • 1x USB-C • 2x Thunderbolt • 2x Ethernet • 2x HDMI • And it’s silent!

35. 1GB Network TAP ($210)

36. Conclusion

37. Questions? • www.devaultsecurity.com • linkedin. • twitter. devaultsecurity.com • github. • brandon-devault@pluralsight.com • https://app.pluralsight.com/profile/author/brandon-devault • https://github.com/1dentified/Eldritch_Knowledge • https://github.com/Pluralsight-SORCERI/Incident-Response-Resources • https://github.com/Pluralsight-SORCERI/Threat-Hunting-Resources }

Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Toolkit

Recommended

Recommended

More Related Content

Similar to Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Toolkit

Similar to Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Toolkit (20)

More from Brandon DeVault

More from Brandon DeVault (13)

Recently uploaded

Recently uploaded (20)

Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Toolkit