Threat hunting foundations: People, process and technology.pptx (Infosec)
Ever wonder what threat hunting is all about? Join Infosec Principal Security Researcher Keatron Evans as he breaks down the basics of what it’s like to have a career hunting down potential cyber threats.
Join us on for an inside look at a day in the life of a threat hunter, including:
Why threat hunters are more critical today than ever before
Knowledge and skills needed to drive threat hunting success
Live demos of essential threat hunting skills and tools used to detect and mitigate adversarial behavior
One lucky attendee will win a free year of Infosec Skills. Complete the form to save your seat!
P.S. Want to go even deeper into threat hunting? Don’t miss our advanced threat hunting session on June 28, Join the hunt: Threat hunting for proactive cyber defense.
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
"Cyberhunting" actively looks for signs of compromise within an organization and seeks to control and minimize the overall damage. This rare, but essential, breed of enterprise cyber defenders gives proactive security a whole new meaning.
Check out the accompanying webinar: http://www.hosting.com/resources/webinars/?commid=228353
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research (MITRE - ATT&CKcon)
From MITRE ATT&CKcon Power Hour October 2020
By:
Aunshul Rege, Associate Professor, Temple University, @prof_rege
Rachel Bleiman, PhD Student/NSF Graduate Research Assistant, Temple University, @rab1928
This presentation from the MITRE ATT&CKcon Power Hour session on October 9, 2020, explores the application of the MITRE ATT&CK® and PRE-ATT&CK matrices in cybercrime education and research. Specifically, Rege and Bleiman demonstrate the mapping of the PRE-ATT&CK matrix to social engineering case studies as an experiential learning project in an upper-level cybercrime liberal arts course. It thus allows students to understand the alignment process of threat intelligence to the PRE-ATT&CK framework and also learn about its usefulness/limitations. The talk also discusses the mapping of the ATT&CK matrix, tactics, techniques, software, and groups for two cybercrime datasets created by collating publicly disclosed incidents: (i) critical infrastructure ransomware (CIRW) incidents, and (ii) social engineering (SE) incidents. For the CIRW dataset, 39% of the strains mapped onto the ATT&CK software. For the SE dataset, 49% of the groups and 65% of the techniques map onto the MITRE framework. This helps the researchers identify the framework's usefulness/limitations and also helps the datasets connect to richer information that may not otherwise be available in the publicly disclosed incidents.
Talk on Kaspersky lab's CoLaboratory: Industrial Cybersecurity Meetup #5 with @HeirhabarovT about several ATT&CK practical use cases.
Video (in Russian): https://www.youtube.com/watch?v=ulUF9Sw2T7s&t=3078
Many thanks to Teymur for great tech dive
Effective Threat Hunting with Tactical Threat Intelligence (Dhruv Majumdar)
How to set up a Threat Hunting Team for Active Defense utilizing Cyber Threat Intelligence and how CTI can help a company grow and improve its security posture.
Command and Control is one of the most important tactics in the MITRE ATT&CK matrix as it allows the attacker to interact with the target system and realize their objectives. Organizations leverage Cyber Threat Intelligence to understand their threat model and adversaries that have the intent, opportunity, and capability to attack. Red Team, Blue Team, and virtual Purple Teams work together to understand the adversary Tactics, Techniques, and Procedures to perform adversary emulations and improve detective and preventive controls.
The C2 Matrix was created to aggregate all the Command and Control frameworks publicly available (open-source and commercial) in a single resource to assist teams in testing their own controls through adversary emulations (Red Team or Purple Team Exercises). Phase 1 lists all the Command and Control features such as the coding language used, channels (HTTP, TCP, DNS, SMB, etc.), agents, key exchange, and other operational security features and capabilities. This allows more efficient decision making when called upon to emulate an adversary's TTPs.
It is the golden age of Command and Control (C2) frameworks. Learn how these C2 frameworks work and start testing against your organization to improve detective and preventive controls.
The C2 Matrix currently has 35 command and control frameworks documented in a Google Sheet, web site, and questionnaire format.
https://docs.google.com/spreadsheets/d/1b4mUxa6cDQuTV2BPC6aA-GR4zGZi0ooPYtBe4IgPsSc/edit#gid=0
https://www.thec2matrix.com/matrix
https://ask.thec2matrix.com/
Learn how Red Teams and Blue Teams work together in virtual Purple Teams
Leverage Cyber Threat Intelligence to understand adversary tactics, techniques, and procedures
Perform adversary emulations in Red or Purple Team Exercises
Choose which command and control to use for the assessment to provide the most value
Measure and improve people, process, and technology
From ATT&CKcon 3.0
By Ivan Ninichuck and Andy Shepard, Siemplify
The MITRE ATT&CK framework has improved many areas within the infosec workflow. But many of these select areas are those that are relatively isolated from the tactical operations faced every day by lower or mid-tier analysts. When faced with alert fatigue and an ever-growing number of data sources, the impact of ATT&CK can become esoteric to non-existent. In this presentation experts from Siemplify propose the problem be looked at like an orchestra with its dozens of instrument types. Without a conductor to guide each section there would only be noise, but with the conductor leading, beautiful symphonies can now be played. The Siemplify team plan to show how a SOAR platform can be that conductor using the ATT&CK framework as its sheet music, and turn the constant noise into a threat intel driven security program.
Vulnerability Management: What You Need to Know to Prioritize Risk (AlienVault)
Abstract:
While vulnerability assessments are an essential part of understanding your risk profile, it's simply not realistic to expect to eliminate all vulnerabilities from your environment. So, when your scan produces a long list of vulnerabilities, how do you prioritize which ones to remediate first? By data criticality? CVSS score? Asset value? Patch availability? Without understanding the context of the vulnerable systems on your network, you may waste time checking things off the list without really improving security.
Join AlienVault for this session to learn:
*The pros & cons of different types of vulnerability scans - passive, active, authenticated, unauthenticated
*Vulnerability scores and how to interpret them
*Best practices for prioritizing vulnerability remediation
*How threat intelligence can help you pinpoint the vulnerabilities that matter most
Mapping ATT&CK Techniques to ENGAGE Activities (MITRE ATT&CK)
From ATT&CKcon 3.0
By David Barroso, CounterCraft
When an adversary engages in a specific behavior, they risk exposing an unintended weakness. By looking at each ATT&CK technique, we can examine the weaknesses revealed and identify an engagement activity or activities to exploit this weakness.
During the presentation we will see some real examples of how we can use different ATT&CK techniques in order to plan different adversary engagement activities.
In our webinar "What is Threat Hunting and why do you need it?" we discussed the following key points:
1. What Threat hunting is.
2. Why it is becoming so popular and what kinds of attacks are making it necessary.
3. What the challenges are.
4. Threat Hunting and Investigation services for attacks.
5. Case studies.
Find out more on https://www.pandasecurity.com/business/adaptive-defense/?utm_source=slideshare&utm_medium=social&utm_content=SM_EN_WEB_adaptive_defense&track=180715
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors (Jared Greenhill)
This presentation outlined how performing memory forensics on a single memory image broke open an extremely large intrusion in the non-profit space. Tools, techniques and procedures (TTP’s) of an advanced actor intrusion will be highlighted during a technical deep-dive of memory analysis and related workflow.
Threat hunting and achieving security maturity (DNIF)
In this virtual meetup of DNIF KONNECT (04.04.2019), where the growing DNIF community connects, interacts, shares and helps each other to grow and learn about the latest in threat hunting and more, Mr. Ankit Panchal from NSDL will give an end-to-end demo of how you can achieve security maturity.
Learn more about DNIF KONNECT here - https://dnif.it/dnif-konnect.html
A college lecture at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch... (Chris Gates)
Brucon 2016
The evolution chain in security testing is fundamentally broken due to a lack of understanding, reduction of scope, and a reliance on vulnerability "whack a mole." To help break the barriers of the common security program we are going to have to divorce ourselves from the metrics of vulnerability statistics and Pavlovian risk color charts and really get to work on how our security programs perform during a REAL event. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable processes. It is extremely rare that a vulnerability causes a direct risk to an environment; it is usually what the attacker DOES with the access gained that matters. In this talk we will discuss the way that internal and external teams have been created to simulate a REAL WORLD attack and work hand in hand with the defensive teams to measure the environment's resistance to the attacks. We will demonstrate attacks, capabilities, TTP tracking, trending, positive metrics and hunt integration, and most of all we will lay out a road map to STOP this nonsense of Red vs BLUE and realize that we are all on the same team, sparring and training every day to be ready for the fight when it comes to us.
When your security tools fail you, and what you can do about it. This discusses actual tool failure backgrounds, what failed and what you can do to detect and/or mitigate the issue(s) another way.
HackerHurricane
MalwareArchaeology
Malware Archaeology
LOG-MD
All These Sophisticated Attacks, Can We Really Detect Them - PDF (Michael Gough)
Can we really detect advanced attacks? This session walks through 4 published attacks to point out what we can learn and detect using malware management, some cheat sheets and Security 101. LOG-MD, FILE-MD, Malware Archaeology
Incident Response Fails – What we see with our clients, and their fails. As Incident Responders, what do we see that you can do to be better prepared, reduce your incident costs, get answers faster and reduce the cost of an IR firm if needed?
HackerHurricane
Malware Archaeology
MalwareArchaeology
LOG-MD
Malware Archaeology
LOG-MD
Are Malware Sandboxes as good as manual malware analysis?
A look at some samples sent through automated malware sandboxes vs. manual analysis.
The top 10 Windows logs event IDs used v1.0 (Michael Gough)
How to catch malicious activity on Windows systems using properly configured audit logging, and the Top 10 events (and more) you must have enabled, configured and alerting.
LOG-MD
MalwareArchaeology.com
Secure Yourself, Practice what we preach - BSides Austin 2015 (Michael Gough)
We all practice Information Security, but do we practice what we preach? Do we do what we ask of our employees and clients to our own, family and work computers?
SpiceWorks Webinar: Whose logs, what logs, why logs (AlienVault)
Securing your environment requires an understanding of the current and evolving threat landscape as well as knowledge of network technology and system design. This session will combine lecture, demo and interactive Q/A that will highlight how to build out a security plan to defend against today’s threats. Join AlienVault for this webinar to learn:
• What network, system and host data you should be collecting for the quickest path to security visibility
• Best practices for network, perimeter and host monitoring
• Security advantages of new AlienVault Threat Alerts coming soon to SpiceWorks
How we do it better than IR firms. Learn what you need to know to catch everything from commoditized malware to advanced malware. Ask a Blue Team Ninja, Logoholic and Malware Archaeologist how we do it.
How to Leverage Log Data for Effective Threat Detection (AlienVault)
Event logs provide valuable information to troubleshoot operational errors, and investigate potential security exposures. They are literally the bread crumbs of the IT world. As a result, a commonly-used approach is to collect logs from everything connected to the network "just in case" without thinking about what data is actually useful. But, as you're likely aware, the "collect everything" approach can actually make threat detection and incident response more difficult as you wade through massive amounts of irrelevant data.
Join us for this session to learn practical strategies for defining what you actually need to collect (and why) to help you improve threat detection and incident response, and satisfy compliance requirements. In this session, you'll learn:
*What log data you always need to collect and why
*Best practices for network, perimeter and host monitoring
*Key capabilities to ensure easy, reliable access to logs for incident response efforts
*How to use event correlation to detect threats and add valuable context to your logs
Anyone handling sensitive information in this day and age needs to have a solid security setup and a plan for when something goes wrong. This webinar aims to get you looking at your security with fresh eyes and give you an outline of an action plan.
This example-laden talk will show how common tools available in today's enterprise environments can be harnessed to enhance and transform an appsec program. This talk will have example attacks and simple config changes that could make all the difference. Devs, infrastructure sec, CISOs, come one come all.
Windows IR made easier and faster Find the head of the snake using Logs, AutoRuns, Large Registry Keys, Locked Files, IP/WhoIs and Netflow
Malware Archaeology
LOG-MD
BSidesNOLA
LOG-MD
Malware Archaeology
MalwareArchaeology.com
Email is the #1 way we get pwned, so how do they keep getting by our defenses and what can we do about it?
A look at the types of malicious artifacts from advanced and commodity attacks, what unique artifacts to look for, how logging caught them in a Windows environment and how LOG-MD can help.
MalwareArchaeology.com
LOG-MD.com
PHP Frameworks: I want to break free (IPC Berlin 2024) (Ralf Eggert)
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
The Metaverse and AI: how can decision-makers harness the Metaverse for their... (Jen Stirrup)
The Metaverse is popularized in science fiction, and now it is becoming closer to being a part of our daily lives through the use of social media and shopping companies. How can businesses survive in a world where Artificial Intelligence is becoming the present as well as the future of technology, and how does the Metaverse fit into business strategy when futurist ideas are developing into reality at accelerated rates? How do we do this when our data isn't up to scratch? How can we move towards success with our data so we are set up for the Metaverse when it arrives?
How can you help your company evolve, adapt, and succeed using Artificial Intelligence and the Metaverse to stay ahead of the competition? What are the potential issues, complications, and benefits that these technologies could bring to us and our organizations? In this session, Jen Stirrup will explain how to start thinking about these technologies as an organisation.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GraphRAG is All You need? LLM & Knowledge Graph (Guy Korland)
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Welcome to the first live UiPath Community Day Dubai! Join us for this unique occasion to meet our local and global UiPath Community and leaders. You will get a full view of the MEA region's automation landscape and the AI Powered automation technology capabilities of UiPath. Also, hosted by our local partners Marc Ellis, you will enjoy a half-day packed with industry insights and automation peers networking.
📕 Curious on our agenda? Wait no more!
10:00 Welcome note - UiPath Community in Dubai
Lovely Sinha, UiPath Community Chapter Leader, UiPath MVPx3, Hyper-automation Consultant, First Abu Dhabi Bank
10:20 A UiPath cross-region MEA overview
Ashraf El Zarka, VP and Managing Director MEA, UiPath
10:35 Customer Success Journey
Deepthi Deepak, Head of Intelligent Automation CoE, First Abu Dhabi Bank
11:15 The UiPath approach to GenAI with our three principles: improve accuracy, supercharge productivity, and automate more
Boris Krumrey, Global VP, Automation Innovation, UiPath
12:15 Discover how Marc Ellis leverages tech-driven solutions in recruitment and managed services.
Brendan Lingam, Director of Sales and Business Development, Marc Ellis
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
Â
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Â
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
Â
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Â
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
DevOps and Testing slides at DASA ConnectKari Kakkonen
Â
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Windows Incident Response is hard, but doesn't have to be
1. Incident Response is haaaaard
But it doesn’t have to be
Michael Gough – Founder
MalwareArchaeology.com
IMFSecurity.com
2. Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
• Creator of
  – “Windows Logging Cheat Sheet”
  – “Windows File Auditing Cheat Sheet”
  – “Windows Registry Auditing Cheat Sheet”
  – “Windows Splunk Logging Cheat Sheet”
  – “Malware Management Framework”
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
• Co-host of the Brakeing Down Incident Response Podcast (BDIR)
3. Background
• I worked for a video gaming company that got pwned BAD by the Chinese Winnti group
• They got by all the security tools
• Like Red Teams often do
• So what did we learn and how did we catch them?
4. Background
• I was asked by an IR consulting firm whether, of all the organizations I deal with, any of them are mature
• Sadly.. No.
• They buy stuff and think prevention works, but lack Security 101: the basics they already have
5. Prevention vs. Reduction
• I do not like or believe in “Prevention”
• If prevention worked.. why are we all here learning?
• Or still buying security solutions?
• “Reduction” is a more realistic term
• We reduce our likelihood of an incident and/or the attack surface that can be taken advantage of or exploited
7. Preparation
• Security 101, the basics, is sadly ignored, or IT and management do not understand it well enough
  – Maybe that includes InfoSec
• If you do some basic things that, by the way, are FREE and you already have, an incident is MUCH easier and faster to deal with
• It is also why we caught the Winnti hacks, and many others since
8. Prepare
• Help us help YOU !
• Show of hands
• How many of you have Windows Advanced Audit Policies configured to at least the CIS Benchmarks or the “Windows Logging Cheat Sheet(s)”?
9. Prepare
• Security 101
• Enable your logs to collect all the things
• Increase the size of the local log so you can collect more than a few minutes of history
• Enable Command Line Logging (the command line in process creation events) – PLEEEEEASE
• *NIX and macOS have logs too
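The three items on this slide, done on one Windows host, as an added example that is not from the deck and not part of the Windows Logging Cheat Sheet. The subcategory list is a starting subset (the Cheat Sheet and CIS benchmarks go further), the log sizes are assumed values, and the final step generates one process to prove the command line is now being captured. Run it in an elevated PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the deck: turn on the "Security 101" logging the slides ask for on one host.
# Subcategory list and log sizes are assumptions. If a GPO sets audit policy, these local settings
# are overwritten at the next refresh: put the same settings in the GPO instead.

# 1. Advanced Audit Policy: the subcategories behind the event IDs hunted on later slides
$subcategories = @(
    'Process Creation',            # 4688 (needs step 2 for the command line)
    'Logon', 'Logoff', 'Special Logon', 'Other Logon/Logoff Events',   # 4624/4625/4634/4672/4778
    'User Account Management',     # 4720 (account created), 4726, 4738
    'Security Group Management',   # 4728/4732 (member added to a privileged group)
    'Security System Extension',   # 4697 (service installed)
    'Other Object Access Events',  # 4698/4702 (scheduled task created/updated)
    'Audit Policy Change'          # 4719 (someone turning auditing off)
)
foreach ($sub in $subcategories) {
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 2. Put the command line into 4688
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. PowerShell script block logging (event 4104: de-obfuscated script content as it runs)
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sblKey -Force | Out-Null
Set-ItemProperty -Path $sblKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 4. Grow the local logs so they hold days rather than minutes (assumed sizes)
& wevtutil.exe sl Security /ms:1073741824                                   # 1 GB
& wevtutil.exe sl System /ms:268435456                                      # 256 MB
& wevtutil.exe sl 'Microsoft-Windows-PowerShell/Operational' /ms:268435456  # 256 MB

# 5. Verify: policy is on, the log is big, and fresh 4688s carry a command line
& auditpol.exe /get /subcategory:"Process Creation"
'{0} MB Security log' -f ((Get-WinEvent -ListLog Security).MaximumSizeInBytes / 1MB)
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', 'whoami' -WindowStyle Hidden -Wait   # one 4688
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5 |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Process     = ($data | Where-Object Name -eq 'NewProcessName').'#text'
            CommandLine = ($data | Where-Object Name -eq 'CommandLine').'#text'
        }
    }
```

If the CommandLine column comes back empty, the most common causes are a Group Policy that overrides the local audit settings, or the legacy (category-level) audit policy still winning: the "Audit: Force audit policy subcategory settings to override audit policy category settings" option must be enabled for the subcategory settings to apply.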
10. Prepare
• Do you have a Log Management solution, EDR, or other security “prevention” solution?
• EDR solutions can often collect local logs as files or add them to the triage
• Log Management, obviously with a good agent collecting the “right things”, provides a TON of data for incident investigation
• Logs can make it easier and faster to deal with an incident, or for an IR firm to find it faster, thus cheaper for you in the long run
11. Prepare
• Do you, or can you, monitor for…
  – New account creation?
  – Admin accounts logging in to multiple systems?
  – New Service creations?
  – New Task creations?
  – Email, VPN, Citrix, Cloud logins?
  – Suspicious processes in C:\Users?
• Not without better logging you can’t
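The Windows-side checks from this list, written as queries over the Security and System logs. This is an added example, not code from the deck or from Log-MD/ARTHIR; it assumes the audit policy and command line logging from the earlier slides are enabled, and the admin account names, 24-hour window and thresholds are assumptions to tune. Email, VPN, Citrix and cloud logins live in those products' own logs and are not covered here. Run elevated, and point `-ComputerName` at a collector (or loop over hosts) for the "multiple systems" view.

```powershell
# Added example, not from the deck: the checks slide 11 asks about, as queries over the local
# Security and System logs. Account names, lookback window and thresholds are assumptions.
param(
    [int]$Hours = 24,
    [string[]]$AdminAccounts = @('Administrator', 'da-ops', 'svc-backup'),   # assumed names
    [string]$ComputerName = $env:COMPUTERNAME
)
$since = (Get-Date).AddHours(-$Hours)

function Get-EventData {
    # Flatten <EventData><Data Name="..."> into one object per event, keeping time and ID
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { if ($d.Name) { $map[$d.Name] = $d.'#text' } }
    [pscustomobject]$map
}

function Find-Events {
    param([string]$Log, [int[]]$Id)
    $filter = @{ LogName = $Log; Id = $Id; StartTime = $since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { Get-EventData $_ }
}

function New-Finding($Check, $Event, $Target, $Detail, $By) {
    [pscustomobject]@{ Check = $Check; Time = $Event.TimeCreated; Id = $Event.Id; Target = $Target; Detail = $Detail; By = $By }
}

# New accounts (4720) and additions to privileged groups (4728 global, 4732 local)
Find-Events -Log Security -Id 4720, 4728, 4732 | ForEach-Object {
    New-Finding 'NewAccount/GroupAdd' $_ "$($_.TargetDomainName)\$($_.TargetUserName)" $_.MemberName $_.SubjectUserName
}

# New services: 7045 from the Service Control Manager (System log); ImagePath is what got installed
Find-Events -Log System -Id 7045 | ForEach-Object {
    New-Finding 'NewService' $_ $_.ServiceName "$($_.ImagePath) (runs as $($_.AccountName))" ''
}

# New scheduled tasks: 4698 carries the task definition XML in TaskContent
Find-Events -Log Security -Id 4698 | ForEach-Object {
    $command = ''
    try { $command = (([xml]$_.TaskContent).Task.Actions.Exec.Command) -join ' ' } catch { }
    New-Finding 'NewTask' $_ $_.TaskName $command $_.SubjectUserName
}

# Admin accounts arriving over the network or RDP (logon type 3/10) from several distinct sources
Find-Events -Log Security -Id 4624 |
    Where-Object { $_.LogonType -in '3', '10' -and $_.TargetUserName -in $AdminAccounts } |
    Group-Object TargetUserName |
    ForEach-Object {
        $sources = @($_.Group.IpAddress | Sort-Object -Unique)
        if ($sources.Count -ge 3) { New-Finding 'AdminSpread' $_.Group[0] $_.Name ($sources -join ', ') '' }
    }

# Failed logons (4625): with LAPS-style unique local admin passwords, password reuse shows up here
Find-Events -Log Security -Id 4625 | Group-Object TargetUserName | Where-Object Count -ge 5 | ForEach-Object {
    New-Finding 'FailedLogons' $_.Group[0] $_.Name "$($_.Count) failures" ((@($_.Group.IpAddress | Sort-Object -Unique)) -join ', ')
}

# Processes started from a user profile (4688 NewProcessName under C:\Users), with their command lines
Find-Events -Log Security -Id 4688 | Where-Object { $_.NewProcessName -match '^C:\\Users\\' } | ForEach-Object {
    New-Finding 'UserDirExec' $_ $_.NewProcessName $_.CommandLine $_.SubjectUserName
}
```

Save it as a script and run `.\Find-Slide11.ps1 | Format-Table -AutoSize -Wrap`; every finding comes out as the same object shape so the results can be exported, sorted, or shipped to the log management solution the next slide talks about.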
12. Prepare
• You can’t monitor for anything if you don’t enable the logging to collect the RIGHT things
• Then you can collect them and monitor for all kinds of things
• IF.. you have a log management solution
• But still, the logging MUST be enabled or I can’t even use ARTHIR (Demo 2pm Friday) and LOG-MD-Pro (come to our booth) to hunt for artifacts of an incident
13. Prepare
• Have you considered a Free/Paid cloud logging solution that you can push agents out to all your assets, and enable the agent IF you have an incident, to get it to a Cloud Log Management solution that you or an IR firm can use to investigate?
• Pay as you need it, but prepare to use it
• Humio for example has a Free/Paid solution
  – ~5 systems, 2GB per day, 7 day retention for free
15. Prepare
• Local account passwords
• Is anyone using LAPS? Local Administrator Password Solution
• Unique password for each local admin, stored in AD
• Makes lateral movement harder
• An attacker reusing one host’s local admin password elsewhere then causes failed logons, alerting you
16. Prepare
• Group Policy security
• There are all kinds of things you can do
• DerbyCon 2019: Sean Metcalf of ADSecurity did a great job and is coming out with a White Paper on it
  – http://www.irongeek.com/i.php?page=videos/derbycon9/1-18-active-directory-security-beyond-the-easy-button-sean-metcalf
• Slow them down, make them make noise, or break recon and other commonly exploited things
17. Prepare
• 2-Factor anyone?
• If you have Email, Citrix, VPN, RDP, etc. facing the Internet, you are vulnerable
• MFA will cripple attacks from cred stealing campaigns and passwords harvested from other breaches, and makes noise too, alerting you
• This will help with so many things that hit organizations today: ransomware, RDP attacks, stolen or recycled creds, etc.
18. Prepare
• How about email…
• How many are blocking the known bad file extensions?
  – Sept 2019 - 38 added by Microsoft
    • https://www.zdnet.com/article/microsoft-bans-38-file-extensions-in-outlook-for-the-web/
  – These have been around a while
    • https://support.office.com/en-us/article/blocked-attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519
19. Prepare
• Better yet, have you considered changing the way these extensions act when a user double-clicks them?
• Group Policy to the rescue
• Change the double-click to open, say, Notepad
• Anything that executes a script engine could/should be broken if double-clicked
• This will not affect how scripts are properly called (explicitly through their script host or from a command line), just mouse-happy clicking users
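What that change looks like on a single machine, as an added example that is not from the deck. The deck says to push it with Group Policy; this script writes the same machine-wide file associations directly (HKLM\SOFTWARE\Classes, which HKCR reads), which is exactly what a GPO registry item would deploy. The ProgID list is the standard set of Windows Script Host and HTA types and the backup path is an assumption; the probe at the end shows that the explicit call path keeps working while the double-click path no longer executes.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the deck: make double-clicking a script file open it in Notepad instead of
# running it. ProgID list = standard script-host types; the backup location is an assumption.
$progIds = 'VBSFile', 'VBEFile', 'JSFile', 'JSEFile', 'WSFFile', 'WSHFile', 'htafile'
$notepad = '"{0}\System32\notepad.exe" "%1"' -f $env:SystemRoot
$backup  = Join-Path $env:ProgramData 'script-assoc-backup.txt'

foreach ($id in $progIds) {
    # Explorer's double-click runs the "Open" verb of the extension's ProgID
    $cmdKey = "HKLM:\SOFTWARE\Classes\$id\Shell\Open\Command"
    if (-not (Test-Path $cmdKey)) { continue }            # type not registered on this build
    $before = (Get-ItemProperty -Path $cmdKey).'(default)'
    Add-Content -Path $backup -Value "$id`t$before"       # keep the original so it can be restored
    Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $notepad
}

# Verify the Open verb now points at Notepad
foreach ($id in $progIds) { & cmd.exe /c "ftype $id" }    # e.g. VBSFile="C:\Windows\System32\notepad.exe" "%1"

# Prove the point: explicit script-host invocation still runs, the double-click path only edits
$probe = Join-Path $env:TEMP 'probe.vbs'
Set-Content -Path $probe -Value 'WScript.Echo "ran via cscript"'
& cscript.exe //Nologo $probe      # prints: ran via cscript
Invoke-Item $probe                 # same as a double-click: opens Notepad, nothing executes
```

Two caveats: per-user associations under HKCU\SOFTWARE\Classes override the machine-wide ones, so a user (or malware) can still re-map a type for themselves, and an attacker who already has code execution simply calls wscript.exe or mshta.exe directly. This is a phishing-click breaker, not an execution control; AppLocker or WDAC rules on the script hosts are the next step if that is the goal.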
20. Network Prep
• Can you see Producer Consumer Ratio (PCR) in your network gear?
  – -1 to +1 range
• Closer to +1 indicates exfil (the host sends far more than it receives)
• Can you see it?
• How about DNS TXT records?
• Unusual length can indicate bad (tunnelling or C2 over TXT answers)
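Both checks on this slide, computed over constructed flow and DNS records so the script runs offline; this is an added example, not from the deck. PCR is calculated with its standard definition, (bytes sent minus bytes received) divided by (bytes sent plus bytes received) per host, which is what gives the -1 to +1 range the slide mentions. The 0.5 PCR threshold and 200-character TXT threshold are assumptions to tune against your own baseline.

```powershell
# Added example, not from the deck: Producer Consumer Ratio per host and over-long DNS TXT answers.
# Sample records below are constructed, not captured traffic. Thresholds are assumptions.

function Get-ProducerConsumerRatio {
    param([object[]]$Flows)    # objects with Host, BytesOut, BytesIn (one per flow or per interval)
    $Flows | Group-Object Host | ForEach-Object {
        $out = ($_.Group | Measure-Object BytesOut -Sum).Sum
        $in  = ($_.Group | Measure-Object BytesIn  -Sum).Sum
        # PCR = (out - in) / (out + in): +1 pure producer (sending only), -1 pure consumer
        $pcr = if (($out + $in) -eq 0) { 0 } else { ($out - $in) / ($out + $in) }
        [pscustomobject]@{ Host = $_.Name; BytesOut = $out; BytesIn = $in; PCR = [math]::Round($pcr, 2) }
    }
}

function Find-LongTxtRecords {
    param([object[]]$Answers, [int]$MaxLength = 200)   # objects with Name, Type, Data
    $Answers | Where-Object { $_.Type -eq 'TXT' -and $_.Data.Length -gt $MaxLength } | ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            Length     = $_.Data.Length
            Base64Like = ($_.Data -match '^[A-Za-z0-9+/=]+$')   # encoded payloads look like this
        }
    }
}

# Constructed sample data
$flows = @(
    [pscustomobject]@{ Host = 'ws01';       BytesOut = 1200;      BytesIn = 48000 }      # browsing: consumer
    [pscustomobject]@{ Host = 'ws01';       BytesOut = 900;       BytesIn = 31000 }
    [pscustomobject]@{ Host = 'ws07';       BytesOut = 91000000;  BytesIn = 610000 }     # 91 MB out: producer
    [pscustomobject]@{ Host = 'srv-file01'; BytesOut = 500000000; BytesIn = 450000000 }  # balanced
)
$dns = @(
    [pscustomobject]@{ Name = '_dmarc.example.com'; Type = 'TXT'; Data = 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com' }
    [pscustomobject]@{ Name = 'c2.example.net';     Type = 'TXT'; Data = ('A' * 300) }
)

Get-ProducerConsumerRatio $flows | Where-Object PCR -gt 0.5   # ws07 at 0.99; ws01 (-0.95) and srv-file01 (0.05) pass
Find-LongTxtRecords $dns                                       # c2.example.net, 300 chars, Base64Like = True
```

PCR is only meaningful against a per-role baseline: a file or web server legitimately sits near +1 because it serves downloads, so the alert is a workstation that suddenly becomes a producer, not a high ratio on its own. Legitimate TXT records (SPF, DMARC, DKIM, domain verification) are short and readable, which is why both length and a base64-looking body are checked.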
21. Email and Web Prep
• Show of hands
• How many BLOCK unregistered (uncategorized) domains?
• These domains have not been categorized by your web filter, and are heavily used for bad
• Can you prepare to block them in the event of an incident?
23. Prepare
• Does everyone have an enterprise solution that can run something on a remote system in your organization?
• Would you believe you already have one…
• It’s FREE
• It’s built-in, so no agent needed
• Windows Remote Management (WinRM)
• PowerShell to the rescue
• Come see the ARTHIR Demo Fri at 2pm ;-)
24. Prepare
• WinRM is a free option that you can use to execute commands and tools remotely
• You can restrict which hosts can reach it using the Windows Firewall
• Again, it logs things so you can monitor who does what
25. Prepare
• Enable the Windows Firewall !!!
• Stop lateral movement
• Secure WinRM
• Better logging !!!
27. Hunting
• Some say Hunting is the creation of a hypothesis and then you go searching for it
• I say do that AFTER you search for obvious well-known artifacts/IOCs
• ~90% of attacks have several things in common
28. Hunting
• If you do good preparation, then IR becomes MUCH easier and faster to do
• By you, us, or an IR Consultancy
• It also enables you to hunt, as you will have a LOT more data you can use and hunt with
• Remember that WinRM and ARTHIR… (Demo 2pm Friday) – It’s FREE !!!!
• You can look and verify that you DON’T have certain things proactively; we call this HUNTING
29. Hunting
• I say hunt for things to know you DON’T have them, and eliminate them if you do
  – AutoRuns
  – Large Keys containing payloads or scripts
  – Null byte entries in the registry hiding entries
  – Suspicious WMI database entries
  – Suspicious PowerShell executions, obfuscation
  – Suspicious executions in C:\Users dirs
  – Suspicious Admin / LOLBin executions
  – Injected processes
  – Many more
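One script that serves slides 23 to 25 (WinRM as the free built-in remote execution channel, scoped with the Windows Firewall) and this slide (hunting for the common artifacts): it first restricts the built-in WinRM firewall rules on each target to a management subnet, then uses that same WinRM channel to run a persistence hunt across the hosts. This is an added example, not from the deck and not ARTHIR or LOG-MD. The subnet, host names and 512-byte "large value" threshold are assumptions; null-byte registry entries, PowerShell obfuscation and injected processes from the list are not covered here. Run it from a host inside the management subnet with WinRM already enabled on the targets, otherwise step 1 locks you out.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the deck and not ARTHIR/LOG-MD: (1) scope WinRM with the Windows Firewall,
# (2) run one persistence hunt over WinRM on every target. Names, subnet, threshold are assumptions.
param(
    [string[]]$Targets  = @('ws01', 'ws02', 'srv-file01'),
    [string]$MgmtSubnet = '10.10.5.0/24'
)

# (1) Firewall on, and the WinRM listener (TCP 5985/5986) reachable only from the management subnet
$scopeWinRm = {
    param($Subnet)
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' | Set-NetFirewallRule -RemoteAddress $Subnet
    "$env:COMPUTERNAME: WinRM restricted to $Subnet"
}
Invoke-Command -ComputerName $Targets -ScriptBlock $scopeWinRm -ArgumentList $MgmtSubnet

# (2) Hunt. Runs on each target and returns findings. Each run also leaves a 4624 (logon type 3) and a
#     wsmprovhost.exe 4688 on the target, which is the "it logs things" point of slide 24.
$hunt = {
    $userDir  = '^"?[A-Za-z]:\\Users\\'            # anything living under a user profile
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Type, $Where, $What) {
        $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; What = [string]$What })
    }

    # Autoruns: Run/RunOnce values pointing into a user profile, or big enough to hold a script
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notin $meta })) {
            $value = [string]$props.$name
            if ($value -match $userDir -or $value.Length -gt 512) { Add-Finding 'Autorun' "$key\$name" $value }
        }
    }

    # Services and scheduled tasks whose binary lives under C:\Users
    Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $userDir } |
        ForEach-Object { Add-Finding 'Service' $_.Name $_.PathName }
    Get-ScheduledTask | ForEach-Object {
        foreach ($a in $_.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $userDir) { Add-Finding 'Task' $_.TaskName $cmd }
        }
    }

    # WMI event subscription persistence: any command-line or script consumer in root\subscription
    foreach ($class in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
        Get-CimInstance -Namespace 'root\subscription' -ClassName $class -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding 'WMI' $_.Name ($_.CommandLineTemplate + $_.ScriptText) }
    }

    # Running processes started from a user profile
    Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath -match $userDir } |
        ForEach-Object { Add-Finding 'Process' "$($_.Name) ($($_.ProcessId))" $_.CommandLine }

    $findings
}
Invoke-Command -ComputerName $Targets -ScriptBlock $hunt |
    Sort-Object PSComputerName, Type | Format-Table PSComputerName, Type, Where, What -AutoSize -Wrap
```

An empty result is the goal of the slide: it is the evidence that you do not have these things. Anything that does come back is either a known installer or updater to add to an allow-list, or the start of an incident, and because the same script block runs during an incident, the hunt output and the IR triage look the same.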
30. Hunting
• If you hunt on your systems for the things found in 90% of today’s malware, you can confirm you have no obvious indicators, or find and eliminate them if you do
• This helps you in an incident too: you can apply the same tool(s) and logic to an incident
• Because you prepared and enabled things
32. MITRE ATT&CK
• You can map your preparation to MITRE ATT&CK
• You can map your hunts to the ATT&CK Techniques
• Helps you know you DON’T have these things going on in your environment
• Preparation helps you do this, and will help you during an incident
33. MITRE ATT&CK
• ATT&CK gives you something to map your defenses to: what you can do and what you have; everyone will have gaps
• Knowing the gaps allows you to prepare better and identify items for budget
• What do your current defenses map to?
• Prepare means knowing what you can and can NOT do, and what you have or do NOT have
35. Conclusion
• IR is Harrrrd, but it doesn’t have to be
• Preparation is key
• Security 101, enable what you have
• Block well known exploited file types
• Disable the user’s double-click of bad file types
• Block unknown domains, or prepare to
• Unique local admin passwords
• Prep your network to see things
• Enable something to allow you to hunt
• Map what you have to MITRE ATT&CK
36. Resources
LOG-MD.COM
• Websites
– Log-MD.com The tool
– ARTHIR.com Free on GitHub
• The “Windows Logging Cheat Sheet(s)”
– MalwareArchaeology.com
• This presentation and others on SlideShare
– Search for MalwareArchaeology or LOG-MD