SlideShare a Scribd company logo

Unity Makes Strength SOURCE Dublin 2013

Xavier Mertens
Xavier Mertens

This is the talk I gave at SOURCE Dublin in May 2013 about improving information security by dynamically reconfiguring security devices already in place.

Technology
1 of 47
Download to read offline
Unity Makes Strength “Why keep this valuable information in a corner?” SOURCE Dublin 2013
$ whoami • Xavier Mertens (@xme) • Consultant @ day • Blogger @ night • BruCON co-organizer 2
$ cat disclaimer.txt “The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.” 3
Agenda • Some facts • Current situation • Toolbox • Examples 4
Defense vs.Attack • Offensive security is funny (w00t! We break things) • Defensive security can also be fun! (proud to not be pwn3d ;-) • “Know your enemy!” 5
Welcome to Belgium! 6
Welcome to Belgium! 7
Belgique, België, Belgien But with a very complicated political landscape! 8
Belgian Motto “L’union fait la force” (“Unity Makes Strength”) 9
And Infosec? Why not apply this to our security infrastructures? 10
Agenda • Some facts • Current situation • Toolbox • Examples 11
Initial Situation Firewall IDS Proxy Malware Analysis Action Action Action Action 12
Then Came the god “SIEM” Firewall IDS Proxy Malware Analysis Logs Logs Logs Logs Centralized Logging Solutions / SIEM 13
Weaknesses? • Independent solutions • Static configurations • Only logs are centralized • No global protection • Useful data not shared • Real-time protection not easy 14
TheValue of Data • IP addresses • User names • URLs • Domains • Digests (MD5, SHA1, etc) 15
Multiple Sources • Online repositories • Internal resources • Automatic process 16
Nothing New! Input OutputProcess 17
Back to the Roots • REXX is a scripting language invented by IBM. • ARexx was implemented in AmigaOS in 1987. • Allow applications having an ARexx interface to communicate to exchange data. 18
RTFM! • Security is a big market ($$$) • The “Microsoft Office” effect (<10% of features really used) • Invest time to learn how your products work. • Be a hacker: Learn how it work and make it work like you want. 19
Backdoors... • CLI • WebAPI (JSON, XML) • Databases • Scripting languages • Serial console 20
Protocols • HTTP(S) • TFTP • SSH • SNMP • IF-MAP • Proprietary tools (dbedit) 21
Automation is the Key • We’re all lazy people! • Expect! use Expect; my $e = Expect->new(); my $c = “ssh $user@$host”; $e = Expect->spawn($c) or die “No SSH?”; $e->Expect($timeout, [ qr’password: $’, sub { my $fh = shift; print $fh $passwordn”; } ] 22
A New Architecture Firewall IDS Proxy Malware Analysis Logs Logs Logs Logs Centralized Logging Solutions / SIEM 23 Action Action Action Action Toolbox
Agenda • Some facts • Current situation • Toolbox • Examples 24
HTTPS • Generate an API key https://10.0.0.1/api/?type=keygen&user=foo&password=bar • Submit XML requests https://10.0.0.1/api/?type=config&key=xxx&action=set&xpath=/ config/device/entry[@name=localhost]/vsys/ entry[@name=vsys1]/address/ entry[@name=NewHost]&element=<ip- netmask>192.168.0.1</ip-netmask><description>Test</ description> 25
Snort-Rules Generator • Lot of Security tools accept Snort rules use Snort::Rule my $rule = Snort::Rule->new( -action => ‘alert’, -proto => ‘tcp’, -src => ‘10.0.0.1’, -sport => ‘any’, -dst => ‘any’, -dport => ‘any’, ); $rule->opts(‘msg’,‘Detect traffic from 10.0.0.1’); $rule->opts(‘sid’,‘666666’); 26
IF-MAP • Open standard to allow authorized devices to publish/search relevant information • Information could be • IP • Login • Location (devices) • Domain 27
IF-MAP use Ifmap; use Ifmap::Util; my $r=Ifmap::Request::NewSession->new(); my $ip=Ifmap::Identifier::IpAddress->new(ip_address,‘10.0.0.1’); my $mac=Ifmap::Identifier::MacAddress->new(mac_address,‘aa:bb:cc:dd:ee:ff’); my $id = Ifmap::Identifier::Identity->new(name=> ‘john’, type=>‘username’); my $meta=Ifmap::Metadata::Element->new(name=>‘name’, value=‘employee’); 28
SNMP $ snmpset 10.0.1 Pr1v4t3 .1.3.6.1.4.1.9.2.1.53.10.0.2 acl.tmp 29 • SNMP can be used to push configuration changes • Example: • Router 10.0.0.1 will pull the access-list “acl.tmp” from TFTP server 10.0.0.2
TCL event manager applet Interface_Event event syslog pattern “.*UPDOWN.*FastEthernet0/1.* changed state to .*” event 1.0 cli command “tclsh flash:notify.tcl” 30 • Cisco devices have a framework called EEM: “Embedded Event Manager” • Example: • The router may communicate information based on its status
Puppet 31 • Configuration Management Software • Deploy security patches • Manage SSH keys • Modify thousands of servers in one shot “DevOps to the rescue”
The Conductor • OSSEC • Log Management • Active-Response • Powerful alerts engine 32
Action? Reaction! • Example of OSSEC rule <rule id=”100101” level=”5” frequency=”5” timeframe=”60”> <match>access denied</match> <group>invalid_login,</group> </rule> <active-response> <command>ad-block-user</command> <location>local</location> <rules_id>100101</rules_id> </active-response> 33
Agenda • Some facts • Current situation • Toolbox • Examples 34
$ cat disclaimer2.txt <warning> Some slides contain examples based on open source as well as v€ndor$ solutions. I’m not affiliated with any of them! </warning> 35
Online Resources • DNS-BH $ wget -N http://dns-bh.sagadc.org/domains.txt • Google SafeBrowsing use Net::Google::SafeBrowsing2; use Net::Google::SafeBrowsing2:::Sqlite; my gsb = Net::Google::SafeBrowsing2->new( key => “xxx”, storage => Net::Google::SafeBrowsing2::Sqlite->new(file => “google.db”) ); $gsb->update(); my $match = $gsb->lookup(url => “http://evil.com”); if ($match eq MALWARE) { ... } 36
Dynamic Firewall Config • FireEye malware analysis box • Firewalls • Checkpoint • PaloAlto • IPtables • <insert your preferred fw $VENDOR here> • OSSEC 37
Dynamic Firewall Config FireEye OSSEC PaloAlto Checkpoint IPtables 38
Dynamic User Blacklist • Syslog Concentrator • OSSEC • SSLVPN • LDAP directory 39
Dynamic User Blacklist sshd OSSEC LDAP sshd sshd $ ldapmodify -D ‘cn=admin’ -w ‘pass’ dn:uid=jdoe,o=acme.org changetype: modify replace:userpassword userpassword:newpass 40
SMTP Malware Analysis • Postfix MTA • Cuckoo • CuckooMX (Perl) 41
SMTP Malware Analysis CuckooMXPostfix Cuckoo 42
MySQL Self-Defense • MySQL Server • MySQL Proxy • lib_mysqludf_log 43
MySQL Self-Defense mysql-proxyclient mysqld 44 error.log
Controls • Security first! • Strong controls must be implemented • Authentication/Authorization • Could break your compliance • Use an OoB network • Risk of DoS! 45
Conclusions • Don’t buy just “a box” • RTFM • Control • It’s up to you! 46
ThankYou! Questions? No? Beers! 47

Recommended

What are-you-investigate-today? (version 2.0)
What are-you-investigate-today? (version 2.0)What are-you-investigate-today? (version 2.0)
What are-you-investigate-today? (version 2.0)Xavier Mertens
 
What Will You Investigate Today?
What Will You Investigate Today?What Will You Investigate Today?
What Will You Investigate Today?Xavier Mertens
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheapAnjum Ahuja
 
Malware Analysis Using Free Software
Malware Analysis Using Free SoftwareMalware Analysis Using Free Software
Malware Analysis Using Free SoftwareXavier Mertens
 
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...BlueHat Security Conference
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentChristopher Gerritz
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
 

Recommended

What are-you-investigate-today? (version 2.0)
What are-you-investigate-today? (version 2.0)What are-you-investigate-today? (version 2.0)
What are-you-investigate-today? (version 2.0)Xavier Mertens
 
What Will You Investigate Today?
What Will You Investigate Today?What Will You Investigate Today?
What Will You Investigate Today?Xavier Mertens
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheapAnjum Ahuja
 
Malware Analysis Using Free Software
Malware Analysis Using Free SoftwareMalware Analysis Using Free Software
Malware Analysis Using Free SoftwareXavier Mertens
 
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...BlueHat Security Conference
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentChristopher Gerritz
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
 
BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...
BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...
BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...BlueHat Security Conference
 
My Bro The ELK
My Bro The ELKMy Bro The ELK
My Bro The ELKTripwire
 
OpenStack Folsom Summit: Melange overview
OpenStack Folsom Summit: Melange overviewOpenStack Folsom Summit: Melange overview
OpenStack Folsom Summit: Melange overviewtroytoman
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
 
BSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniquesBSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniquesGuglielmo Scaiola
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the InternetAndrew Morris
 
Defense in Depth: Lessons Learned Securing 200,000 Sites
Defense in Depth: Lessons Learned Securing 200,000 SitesDefense in Depth: Lessons Learned Securing 200,000 Sites
Defense in Depth: Lessons Learned Securing 200,000 SitesPantheon
 
Ad, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniquesAd, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniquesGuglielmo Scaiola
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHAndrew Morris
 
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Andrew Morris
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the CheapEndgameInc
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?Raffael Marty
 
Flaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip HopFlaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip HopAndrew Morris
 
Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Jason Williams
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...David Timothy Strauss
 
Cloud Intrusion Detection Reloaded - 2018
Cloud Intrusion Detection Reloaded - 2018Cloud Intrusion Detection Reloaded - 2018
Cloud Intrusion Detection Reloaded - 2018randomuserid
 
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...DynamicInfraDays
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...Felipe Prado
 
ISSA Siem Fraud
ISSA Siem FraudISSA Siem Fraud
ISSA Siem FraudXavier Mertens
 
The BruCO"NSA" Network
The BruCO"NSA" NetworkThe BruCO"NSA" Network
The BruCO"NSA" NetworkXavier Mertens
 

More Related Content

What's hot

BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...
BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...
BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...BlueHat Security Conference
 
My Bro The ELK
My Bro The ELKMy Bro The ELK
My Bro The ELKTripwire
 
OpenStack Folsom Summit: Melange overview
OpenStack Folsom Summit: Melange overviewOpenStack Folsom Summit: Melange overview
OpenStack Folsom Summit: Melange overviewtroytoman
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
 
BSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniquesBSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniquesGuglielmo Scaiola
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the InternetAndrew Morris
 
Defense in Depth: Lessons Learned Securing 200,000 Sites
Defense in Depth: Lessons Learned Securing 200,000 SitesDefense in Depth: Lessons Learned Securing 200,000 Sites
Defense in Depth: Lessons Learned Securing 200,000 SitesPantheon
 
Ad, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniquesAd, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniquesGuglielmo Scaiola
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHAndrew Morris
 
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Andrew Morris
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the CheapEndgameInc
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?Raffael Marty
 
Flaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip HopFlaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip HopAndrew Morris
 
Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Jason Williams
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...David Timothy Strauss
 
Cloud Intrusion Detection Reloaded - 2018
Cloud Intrusion Detection Reloaded - 2018Cloud Intrusion Detection Reloaded - 2018
Cloud Intrusion Detection Reloaded - 2018randomuserid
 
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...DynamicInfraDays
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...Felipe Prado
 

What's hot (20)

BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...
BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...
BlueHat v17 || 28 Registrations Later: Measuring the Exploitation of Residual...
 
My Bro The ELK
My Bro The ELKMy Bro The ELK
My Bro The ELK
 
OpenStack Folsom Summit: Melange overview
OpenStack Folsom Summit: Melange overviewOpenStack Folsom Summit: Melange overview
OpenStack Folsom Summit: Melange overview
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
 
BSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniquesBSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniques
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the Internet
 
Defense in Depth: Lessons Learned Securing 200,000 Sites
Defense in Depth: Lessons Learned Securing 200,000 SitesDefense in Depth: Lessons Learned Securing 200,000 Sites
Defense in Depth: Lessons Learned Securing 200,000 Sites
 
Ad, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniquesAd, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniques
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSH
 
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
 
Flaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip HopFlaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip Hop
 
Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
 
Cloud Intrusion Detection Reloaded - 2018
Cloud Intrusion Detection Reloaded - 2018Cloud Intrusion Detection Reloaded - 2018
Cloud Intrusion Detection Reloaded - 2018
 
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
 

Viewers also liked

The BruCO"NSA" Network
The BruCO"NSA" NetworkThe BruCO"NSA" Network
The BruCO"NSA" NetworkXavier Mertens
 
Introduction to MBAin as part of the JobsinNetwork
Introduction to MBAin as part of the JobsinNetworkIntroduction to MBAin as part of the JobsinNetwork
Introduction to MBAin as part of the JobsinNetworkThe Synergist.org
 
All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!Xavier Mertens
 
Break Dengue - Building a Global Alliance
Break Dengue - Building a Global AllianceBreak Dengue - Building a Global Alliance
Break Dengue - Building a Global AllianceThe Synergist.org
 
BruCON 2010 Lightning Talk
BruCON 2010 Lightning TalkBruCON 2010 Lightning Talk
BruCON 2010 Lightning TalkXavier Mertens
 
Building A Poor man’s Fir3Ey3 Mail Scanner
Building A Poor man’s Fir3Ey3 Mail ScannerBuilding A Poor man’s Fir3Ey3 Mail Scanner
Building A Poor man’s Fir3Ey3 Mail ScannerXavier Mertens
 

Viewers also liked (9)

ISSA Siem Fraud
ISSA Siem FraudISSA Siem Fraud
ISSA Siem Fraud
 
The BruCO"NSA" Network
The BruCO"NSA" NetworkThe BruCO"NSA" Network
The BruCO"NSA" Network
 
Introduction to MBAin as part of the JobsinNetwork
Introduction to MBAin as part of the JobsinNetworkIntroduction to MBAin as part of the JobsinNetwork
Introduction to MBAin as part of the JobsinNetwork
 
All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!
 
Break Dengue - Building a Global Alliance
Break Dengue - Building a Global AllianceBreak Dengue - Building a Global Alliance
Break Dengue - Building a Global Alliance
 
$HOME Sweet $HOME
$HOME Sweet $HOME$HOME Sweet $HOME
$HOME Sweet $HOME
 
BruCON 2010 Lightning Talk
BruCON 2010 Lightning TalkBruCON 2010 Lightning Talk
BruCON 2010 Lightning Talk
 
InfoSecurity.be 2011
InfoSecurity.be 2011InfoSecurity.be 2011
InfoSecurity.be 2011
 
Building A Poor man’s Fir3Ey3 Mail Scanner
Building A Poor man’s Fir3Ey3 Mail ScannerBuilding A Poor man’s Fir3Ey3 Mail Scanner
Building A Poor man’s Fir3Ey3 Mail Scanner
 

Similar to Unity Makes Strength SOURCE Dublin 2013

Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?HackIT Ukraine
 
You have a SIEM! And now?
You have a SIEM! And now?You have a SIEM! And now?
You have a SIEM! And now?Xavier Mertens
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidMatthew Johnson
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for PentestingMike Felch
 
Hacklu2011 tricaud
Hacklu2011 tricaudHacklu2011 tricaud
Hacklu2011 tricaudstricaud
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Chris Sistrunk
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraNelson Brito
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
Sensu and Sensibility - Puppetconf 2014
Sensu and Sensibility - Puppetconf 2014Sensu and Sensibility - Puppetconf 2014
Sensu and Sensibility - Puppetconf 2014Tomas Doran
 
Esage on non-existent 0-days, stable binary exploits and user interaction
Esage on non-existent 0-days, stable binary exploits and user interactionEsage on non-existent 0-days, stable binary exploits and user interaction
Esage on non-existent 0-days, stable binary exploits and user interactionDefconRussia
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesLeo Loobeek
 
Smart Platform Infrastructure with AWS
Smart Platform Infrastructure with AWSSmart Platform Infrastructure with AWS
Smart Platform Infrastructure with AWSJames Huston
 
On non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits andOn non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits andAlisa Esage Шевченко
 

Similar to Unity Makes Strength SOURCE Dublin 2013 (20)

Unity makes strength
Unity makes strengthUnity makes strength
Unity makes strength
 
Unity Makes Strength
Unity Makes StrengthUnity Makes Strength
Unity Makes Strength
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?
 
You have a SIEM! And now?
You have a SIEM! And now?You have a SIEM! And now?
You have a SIEM! And now?
 
All your logs are belong to you!
All your logs are belong to you!All your logs are belong to you!
All your logs are belong to you!
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue Kid
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Offensive Python for Pentesting
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
 
Hacklu2011 tricaud
Hacklu2011 tricaudHacklu2011 tricaud
Hacklu2011 tricaud
 
C days2015
C days2015C days2015
C days2015
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
 
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT eraReversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
Reversing Engineering: Dissecting a "Client Side" Vulnerability in the APT era
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
Sensu and Sensibility - Puppetconf 2014
Sensu and Sensibility - Puppetconf 2014Sensu and Sensibility - Puppetconf 2014
Sensu and Sensibility - Puppetconf 2014
 
Esage on non-existent 0-days, stable binary exploits and user interaction
Esage on non-existent 0-days, stable binary exploits and user interactionEsage on non-existent 0-days, stable binary exploits and user interaction
Esage on non-existent 0-days, stable binary exploits and user interaction
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying Techniques
 
Smart Platform Infrastructure with AWS
Smart Platform Infrastructure with AWSSmart Platform Infrastructure with AWS
Smart Platform Infrastructure with AWS
 
On non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits andOn non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits and
 

More from Xavier Mertens

FPC for the Masses (SANSFire Edition)
FPC for the Masses (SANSFire Edition)FPC for the Masses (SANSFire Edition)
FPC for the Masses (SANSFire Edition)Xavier Mertens
 
FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018Xavier Mertens
 
HTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC EditionHTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC EditionXavier Mertens
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the BadXavier Mertens
 
Developers are from Mars, Security guys are from Venus
Developers are from Mars, Security guys are from VenusDevelopers are from Mars, Security guys are from Venus
Developers are from Mars, Security guys are from VenusXavier Mertens
 
$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE EditionXavier Mertens
 
Automatic MIME Attachments Triage
Automatic MIME Attachments TriageAutomatic MIME Attachments Triage
Automatic MIME Attachments TriageXavier Mertens
 
$HOME Sweet $HOME Devoxx 2015
$HOME Sweet $HOME Devoxx 2015$HOME Sweet $HOME Devoxx 2015
$HOME Sweet $HOME Devoxx 2015Xavier Mertens
 
Because we are just humans
Because we are just humansBecause we are just humans
Because we are just humansXavier Mertens
 
Social Networks - The Good and the Bad
Social Networks - The Good and the BadSocial Networks - The Good and the Bad
Social Networks - The Good and the BadXavier Mertens
 
ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011Xavier Mertens
 
Belnet events management
Belnet events managementBelnet events management
Belnet events managementXavier Mertens
 

More from Xavier Mertens (15)

FPC for the Masses (SANSFire Edition)
FPC for the Masses (SANSFire Edition)FPC for the Masses (SANSFire Edition)
FPC for the Masses (SANSFire Edition)
 
FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018
 
HTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC EditionHTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC Edition
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the Bad
 
Developers are from Mars, Security guys are from Venus
Developers are from Mars, Security guys are from VenusDevelopers are from Mars, Security guys are from Venus
Developers are from Mars, Security guys are from Venus
 
$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition
 
Automatic MIME Attachments Triage
Automatic MIME Attachments TriageAutomatic MIME Attachments Triage
Automatic MIME Attachments Triage
 
$HOME Sweet $HOME Devoxx 2015
$HOME Sweet $HOME Devoxx 2015$HOME Sweet $HOME Devoxx 2015
$HOME Sweet $HOME Devoxx 2015
 
Secure Web Coding
Secure Web CodingSecure Web Coding
Secure Web Coding
 
Because we are just humans
Because we are just humansBecause we are just humans
Because we are just humans
 
Mobile Apps Security
Mobile Apps SecurityMobile Apps Security
Mobile Apps Security
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
 
Social Networks - The Good and the Bad
Social Networks - The Good and the BadSocial Networks - The Good and the Bad
Social Networks - The Good and the Bad
 
ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011
 
Belnet events management
Belnet events managementBelnet events management
Belnet events management
 

Recently uploaded

10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka DoktorováCzechDreamin
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomCzechDreamin
 
The architecture of Generative AI for enterprises.pdf
The architecture of Generative AI for enterprises.pdfThe architecture of Generative AI for enterprises.pdf
The architecture of Generative AI for enterprises.pdfalexjohnson7307
 
Agentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdfAgentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdfChristopherTHyatt
 
Intelligent Gimbal FINAL PAPER Engineering.pdf
Intelligent Gimbal FINAL PAPER Engineering.pdfIntelligent Gimbal FINAL PAPER Engineering.pdf
Intelligent Gimbal FINAL PAPER Engineering.pdfAnthony Lucente
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2DianaGray10
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaCzechDreamin
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsUXDXConf
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxDavid Michel
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessUXDXConf
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backElena Simperl
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutesconfluent
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCzechDreamin
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaRTTS
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupCatarinaPereira64715
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsStefano
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoTAnalytics
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyJohn Staveley
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀DianaGray10
 

Recently uploaded (20)

10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
The architecture of Generative AI for enterprises.pdf
The architecture of Generative AI for enterprises.pdfThe architecture of Generative AI for enterprises.pdf
The architecture of Generative AI for enterprises.pdf
 
Agentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdfAgentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdf
 
Intelligent Gimbal FINAL PAPER Engineering.pdf
Intelligent Gimbal FINAL PAPER Engineering.pdfIntelligent Gimbal FINAL PAPER Engineering.pdf
Intelligent Gimbal FINAL PAPER Engineering.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering Teams
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
 

Unity Makes Strength SOURCE Dublin 2013

  • 1. Unity Makes Strength “Why keep this valuable information in a corner?” SOURCE Dublin 2013
  • 2. $ whoami • Xavier Mertens (@xme) • Consultant @ day • Blogger @ night • BruCON co-organizer 2
  • 3. $ cat disclaimer.txt “The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.” 3
  • 4. Agenda • Some facts • Current situation • Toolbox • Examples 4
  • 5. Defense vs.Attack • Offensive security is funny (w00t! We break things) • Defensive security can also be fun! (proud to not be pwn3d ;-) • “Know your enemy!” 5
  • 8. Belgique, België, Belgien But with a very complicated political landscape! 8
  • 9. Belgian Motto “L’union fait la force” (“Unity Makes Strength”) 9
  • 10. And Infosec? Why not apply this to our security infrastructures? 10
  • 11. Agenda • Some facts • Current situation • Toolbox • Examples 11
  • 12. Initial Situation Firewall IDS Proxy Malware Analysis Action Action Action Action 12
  • 13. Then Came the god “SIEM” Firewall IDS Proxy Malware Analysis Logs Logs Logs Logs Centralized Logging Solutions / SIEM 13
  • 14. Weaknesses? • Independent solutions • Static configurations • Only logs are centralized • No global protection • Useful data not shared • Real-time protection not easy 14
  • 15. TheValue of Data • IP addresses • User names • URLs • Domains • Digests (MD5, SHA1, etc) 15
  • 16. Multiple Sources • Online repositories • Internal resources • Automatic process 16
  • 18. Back to the Roots • REXX is a scripting language invented by IBM. • ARexx was implemented in AmigaOS in 1987. • Allow applications having an ARexx interface to communicate to exchange data. 18
  • 19. RTFM! • Security is a big market ($$$) • The “Microsoft Office” effect (<10% of features really used) • Invest time to learn how your products work. • Be a hacker: Learn how it work and make it work like you want. 19
  • 20. Backdoors... • CLI • WebAPI (JSON, XML) • Databases • Scripting languages • Serial console 20
  • 21. Protocols • HTTP(S) • TFTP • SSH • SNMP • IF-MAP • Proprietary tools (dbedit) 21
  • 22. Automation is the Key • We’re all lazy people! • Expect! use Expect; my $e = Expect->new(); my $c = “ssh $user@$host”; $e = Expect->spawn($c) or die “No SSH?”; $e->Expect($timeout, [ qr’password: $’, sub { my $fh = shift; print $fh $passwordn”; } ] 22
  • 23. A New Architecture Firewall IDS Proxy Malware Analysis Logs Logs Logs Logs Centralized Logging Solutions / SIEM 23 Action Action Action Action Toolbox
  • 24. Agenda • Some facts • Current situation • Toolbox • Examples 24
  • 25. HTTPS • Generate an API key https://10.0.0.1/api/?type=keygen&user=foo&password=bar • Submit XML requests https://10.0.0.1/api/?type=config&key=xxx&action=set&xpath=/ config/device/entry[@name=localhost]/vsys/ entry[@name=vsys1]/address/ entry[@name=NewHost]&element=<ip- netmask>192.168.0.1</ip-netmask><description>Test</ description> 25
  • 26. Snort-Rules Generator • Lot of Security tools accept Snort rules use Snort::Rule my $rule = Snort::Rule->new( -action => ‘alert’, -proto => ‘tcp’, -src => ‘10.0.0.1’, -sport => ‘any’, -dst => ‘any’, -dport => ‘any’, ); $rule->opts(‘msg’,‘Detect traffic from 10.0.0.1’); $rule->opts(‘sid’,‘666666’); 26
  • 27. IF-MAP • Open standard to allow authorized devices to publish/search relevant information • Information could be • IP • Login • Location (devices) • Domain 27
  • 28. IF-MAP use Ifmap; use Ifmap::Util; my $r=Ifmap::Request::NewSession->new(); my $ip=Ifmap::Identifier::IpAddress->new(ip_address,‘10.0.0.1’); my $mac=Ifmap::Identifier::MacAddress->new(mac_address,‘aa:bb:cc:dd:ee:ff’); my $id = Ifmap::Identifier::Identity->new(name=> ‘john’, type=>‘username’); my $meta=Ifmap::Metadata::Element->new(name=>‘name’, value=‘employee’); 28
  • 29. SNMP $ snmpset 10.0.1 Pr1v4t3 .1.3.6.1.4.1.9.2.1.53.10.0.2 acl.tmp 29 • SNMP can be used to push configuration changes • Example: • Router 10.0.0.1 will pull the access-list “acl.tmp” from TFTP server 10.0.0.2
  • 30. TCL event manager applet Interface_Event event syslog pattern “.*UPDOWN.*FastEthernet0/1.* changed state to .*” event 1.0 cli command “tclsh flash:notify.tcl” 30 • Cisco devices have a framework called EEM: “Embedded Event Manager” • Example: • The router may communicate information based on its status
  • 31. Puppet 31 • Configuration Management Software • Deploy security patches • Manage SSH keys • Modify thousands of servers in one shot “DevOps to the rescue”
  • 32. The Conductor • OSSEC • Log Management • Active-Response • Powerful alerts engine 32
  • 33. Action? Reaction! • Example of OSSEC rule <rule id=”100101” level=”5” frequency=”5” timeframe=”60”> <match>access denied</match> <group>invalid_login,</group> </rule> <active-response> <command>ad-block-user</command> <location>local</location> <rules_id>100101</rules_id> </active-response> 33
  • 34. Agenda • Some facts • Current situation • Toolbox • Examples 34
  • 35. $ cat disclaimer2.txt <warning> Some slides contain examples based on open source as well as v€ndor$ solutions. I’m not affiliated with any of them! </warning> 35
  • 36. Online Resources • DNS-BH $ wget -N http://dns-bh.sagadc.org/domains.txt • Google SafeBrowsing use Net::Google::SafeBrowsing2; use Net::Google::SafeBrowsing2:::Sqlite; my gsb = Net::Google::SafeBrowsing2->new( key => “xxx”, storage => Net::Google::SafeBrowsing2::Sqlite->new(file => “google.db”) ); $gsb->update(); my $match = $gsb->lookup(url => “http://evil.com”); if ($match eq MALWARE) { ... } 36
  • 37. Dynamic Firewall Config • FireEye malware analysis box • Firewalls • Checkpoint • PaloAlto • IPtables • <insert your preferred fw $VENDOR here> • OSSEC 37
  • 38. Dynamic Firewall Config FireEye OSSEC PaloAlto Checkpoint IPtables 38
  • 39. Dynamic User Blacklist • Syslog Concentrator • OSSEC • SSLVPN • LDAP directory 39
  • 40. Dynamic User Blacklist sshd OSSEC LDAP sshd sshd $ ldapmodify -D ‘cn=admin’ -w ‘pass’ dn:uid=jdoe,o=acme.org changetype: modify replace:userpassword userpassword:newpass 40
  • 41. SMTP Malware Analysis • Postfix MTA • Cuckoo • CuckooMX (Perl) 41
  • 43. MySQL Self-Defense • MySQL Server • MySQL Proxy • lib_mysqludf_log 43
  • 45. Controls • Security first! • Strong controls must be implemented • Authentication/Authorization • Could break your compliance • Use an OoB network • Risk of DoS! 45
  • 46. Conclusions • Don’t buy just “a box” • RTFM • Control • It’s up to you! 46