Empire Your best Friend to Secure
|
|
- Asher Hoover
- 5 years ago
- Views:
Transcription
1 Empire Your best Friend to Secure
2 Hello! I Offensive Engineer and Red Teamer Developer: Veil-Framework, PowerView, PowerUp, Empire/Empyre, BloodHound Speaker: DEF CON, BlueHat IL, DerbyCon, et al. Other: Microsoft PowerShell/CDM MVP, BlackHat Trainer
3 Hello! I Forensicator, Incident Responder, and Hunter Developer: PowerForensics, Uproot IDS Speaker: 44CON, BSides DC, PowerShell Summit, PS Conference EU Other: U.S. Air Force Hunt Team, Microsoft PowerShell/CDM MVP, BlackHat Trainer
4 tl;dr Offensive and Defensive Philosophy Building an Empire Uprooting the Adversary PowerForensics Demos!
5 1 Offensive and Defensive Philosophy
6 Fundamentally, if someone wants to get in, they re getting in accept that. What we tell clients is: Number one, you re in fight, whether you thought you were or not. Number two, you almost certainly are penetrated. Michael Hayden Former Director of NSA & CIA Microsoft Enterprise Cloud Red Teaming Whitepaper
7 Assume Breach For offense: Focus on post-exploitation Blend with the noise to slip under the blue team s detections For defense: Proactively hunt for malicious actors Blend with the noise to slip under the actor s detections
8 Living Off the Land Focus on blending in with normal host and network actions For offense: Utilize built in capabilities Powershell.exe, WMI, msbuild, netsh, etc. For defense: WMI, ETW Raw disk handles to minimize the trust required for other build in actions that may tip your hand
9 Why PowerShell? Microsoft s post-exploitation language -@obscuresec PowerShell provides, out of the box: Full.NET access Direct access to the Win32 API Ability to assemble malicious (or defensive) binaries and capabilities in memory Default installation on Windows 7+!
10 Our Goal We want to show how to how PowerShell can be used to both break and secure your enterprise systems We will walk through some of PowerShell Empire s offensive capabilities, Uproot s intrusion detections, and using PowerForensics post-analysis abilities
11 2 Building An Empire With PowerShell
12 First Things First Empire would not be possible without the help and phenomenal work from: Posh-SecMod UnmanagedPowerShell Mimikatz and Vincent LE TOUX Everyone who contributed modules, bugs, fixes, and time! You all rock!
13 What Is Empire? Empire is a fully-featured PowerShell (and Python!) based remote access trojan (RAT) released at BSides LV 2015 Provides a rich set of post-exploitation actions in line with the assume breach philosophy
14 Why Build This? Started as a thought exercise! We wanted to: Provide a rapidly extensible platform to integrate offensive/defensive PowerShell work Build a platform that s easily customizable Train defenders on the capabilities of offensive PowerShell!
15
16
17 ^ the guy who invented PowerShell
18 Empire Design Decisions Asynchronous communications GET/POST tasking structure We care about crypto! Perfect forward secrecy w/ encrypted key exchange Modularity Common module format w/ a variety of options Post-exploitation modules can be loaded and removed live
19 Empire Capabilities code_execution - ways to run more code collection - post exploitation data collection credentials - collect and use creds lateral_movement - move around the network management - host management and auxiliary persistence - survive the reboot privesc - escalation capabilities situational_awareness - network awareness trollsploit - have fun with defenders :)
20
21
22 Empire 2.0 Empire/EmPyre Wanted one single controller for our Python Linux/OS X agents and PowerShell agents. Modularize C2 Expandable listeners that you can drag/drop into the framework for additional transports. Code Rot Fix our past mistakes and build a foundation for the future viability of the project.
23
24 Modular C2 Previously, listeners were hard integrated into the code base, adding transports was extremely difficult Now listeners are encapsulated in self-contained modules Allows you to drag/drop modules into the framework just like post-exploitation modules Can even use third-party sites like...
25
26 3 Uproot IDS
27 WMI Introduction Windows Management Instrumentation Microsoft s Implementation of Common Information Model Standard Allows administrators to query system information: System Applications Hardware Networks PowerShell allows simple interface Get-WmiObject Get-CimInstance
28 WMI Event Subscriptions WMI interface for monitoring changes to the model Classes built specifically for event monitoring Subscriptions are persistent Maintained in the WMI Repository Built with troubleshooting in mind, but: Attackers leverage for persistence Defenders leverage for Intrusion Detection Three parts to a subscription: Filter Consumer Binding
29 Uproot Introduction Intrusion Detection System Leverages WMI Permanent Event Subscriptions to detect: General System Information Introduction of Persistence Lateral Movement Abstracts complexity of permanent WMI Event Subscriptions Register-PermanentWmiEvent Reports Events via: Windows Event Log (Ideal) HTTP POST (Splunk or ELK) Flat Log File
30 Intrusion Detection Real time monitoring (Push vs. Pull) Pull - Query data from a centralized point Push - Endpoint agent sends data to centralized location Removes blind spots between pulls Monitoring is distributed to endpoints instead of server Requires some sort of presence (agent) on the endpoint Built in monitoring capabilities WMI Event Subscriptions Event Tracing for Windows (ETW)
31 Basics - Filter EventFilter defines the event to detect using WMI Query Language (WQL) Event filter example: SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2 SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName LIKE '%chrome%' SELECT * FROM InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Service' and TargetInstance.State = 'Running SELECT * FROM InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_StartupCommand'
32 Basics - Consumer EventConsumer ActiveScriptEventConsumer runs a predefined script in an arbitrary scripting language CommandLineEventConsumer starts an arbitrary process in the local system LogFileEventConsumer writes customized strings to a text log file NTEventLogEventConsumer logs a specific message to the operating system event log SMTPEventConsumer sends an message by using Simple Mail Transfer Protocol (SMTP)
33 Basics - Binding FilterToConsumerBinding Registration of permanent event consumers to relate an instance of the EventConsumer to an instance of EventFilter Filter Consumer Binding
34 4 Forensicating with PowerShell
35 PowerForensics Introduction PowerShell Module for Live Forensic Investigation Binary Module (Compiled C# DLL) Minimizes Use of Operating System APIs.NET Core Compatible (Windows, MacOS, *nix) Currently Parses: NTFS and FAT Data Structures Windows Specific Data Structures Windows Registry Windows Event Log Scheduled Jobs Prefetch Files
36 Design Decisions Forensically sound Parse raw disk structures Don t alter NTFS timestamps Can execute on a live (running) host Operationally fast Collect forensic data in seconds or minutes Modular capabilities Cmdlets perform discrete tasks and can be tied together for more complicated tasks Capable of working remotely
37 Getting the Data Create read handle to Physical Disk/Logical Volume CreateFile API (Windows) Open API (Mac/*nix) Read from the Handle FileStream Read Method
38 Forensic Timelining Investigate file system activity temporally Aggregate artifacts from different sources: Master File Table UsnJrnl Registry Prefetch Event Logs
39 PowerForensics Portable Allows PowerForensics to be run on remote system Loads the PowerForensics Assembly in Memory Assembly exposes public API to query data
40 5 Attacking and Defending with PowerShell
41
42 Other Detections
43 Previous Talks
44 Thanks! Any questions? You can find us (will [at] (jared [at] invoke-ir.com)
A YEAR OF PURPLE. By Ryan Shepherd
A YEAR OF PURPLE By Ryan Shepherd WHOAMI DETECTION and RESPONSE Investigator for Countercept Threat Hunter PURPLE Team Consultant Offensive Security Certified Professional (OSCP) Crest Registered Intrusion
More informationRAPID INCIDENT RESPONSE
OSDFCon 2017 RAPID INCIDENT RESPONSE Asif Matadar @d1r4c #whoami o Director of Incident Response for Stroz Friedberg in the U.K. o Lead complex incidents around the world: Advanced Targeted Attacks State
More informationBuilding a Threat-Based Cyber Team
Building a Threat-Based Cyber Team Anthony Talamantes Manager, Defensive Cyber Operations Todd Kight Lead Cyber Threat Analyst Sep 26, 2017 Washington, DC Forward-Looking Statements During the course of
More informationState of the. Union. (or: How not to use Krebs as an IDS ) (Information Security) Jeff McJunkin Senior Technical Analyst Counter Hack Challenges
State of the (Information Security) Union (or: How not to use Krebs as an IDS ) Jeff McJunkin Senior Technical Analyst Counter Hack Challenges My background IT Systems / Network Administrator for City
More informationAnatomy of a Hack. John H. Sawyer Senior Managing Consultant InGuardians, Inc. Bryce Lay - Comsys
Anatomy of a Hack John H. Sawyer Senior Managing Consultant InGuardians, Inc. Bryce Lay - Comsys Agenda Introduction Threat Hunting Deception Powershell Tools Additional Tools Adversarial Emulation Conclusion
More informationTrain as you Fight: Are you ready for the Red Team?
Train as you Fight: Are you ready for the Red Team? An inside look at Red Teaming Yves Morvan Twitter: @morvan_yves Email: Yves@securenorth.ca Agenda Introduction What is Red Teaming? VA s vs. Penetration
More informationNo Country for Old Security Compliance in the Cloud. Joel Sloss, CDSA Board of Directors May 2017
No Country for Old Security Compliance in the Cloud Joel Sloss, CDSA Board of Directors May 2017 Emerging Threats Specific/sequential targeting Effective reconnaissance Practiced tool usage Sophisticated
More informationSubverting INSERT PRODUCT NAME Sysmon. Application of a Formalized Security Product Evasion Methodology
Subverting INSERT PRODUCT NAME Sysmon Application of a Formalized Security Product Evasion Methodology Matt Graeber and Lee Christensen Black Hat USA 2018 Who are we? Matt Graeber, Security Researcher
More informationPieter Wigleven Windows Technical Specialist
Pieter Wigleven Windows Technical Specialist HOW DO BREACHES OCCUR? Malware and vulnerabilities are not the only thing to worry about 46% of compromised systems had no malware on them 99.9% of exploited
More informationWHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX
WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX 1 INTRODUCTION The MITRE Corporation Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK ) Matrix provides a model
More informationATT&CKing for better Defense: An Introduction to the MITRE ATT&CK Framework
ATT&CKing for better Defense: An Introduction to the MITRE ATT&CK Framework Random Image Taken From: http://www.flickr.com/photos/sophos_germany/3321556353/ Agenda Introductions The Problem MITRE ATT&CK
More informationColin Gibbens Director, Product Management
SOAR = Human Intelligence and Creativity at Speed of Machine Abhishek Narula EVP, Head of Product and Engineering Colin Gibbens Director, Product Management 1 2 What is Security Orchestration Why do I
More informationDetecting Modern PowerShell Attacks with SIEM
SEC555 Presentation based on SEC555: SIEM with Tactical Analytics Detecting Modern PowerShell Attacks with SIEM Justin Henderson (GSE # 108) @SecurityMapper About Us Author of SEC555: SIEM with Tactical
More informationLive Adversary Simulation: Red and Blue Team Tactics
SESSION ID: HTA-T06 Live Adversary Simulation: Red and Blue Team Tactics James Lyne Head of R&D SANS Institute @JamesLyne Stephen Sims Security Researcher & Fellow SANS Institute @Steph3nSims Agenda 2
More informationCarlos Perez TrustedSec Research Practice Lead
Carlos Perez TrustedSec Research Practice Lead Carlos Perez has been active in the security community since 1999 when he began working for the government of Puerto Rico, and he now leads TrustedSec's research
More informationProduct Page: https://digitalrevolver.com/product/automating-administration-with-windows-powershell/
Automating Administration with Windows PowerShell Course Code: Duration: 5 Days Product Page: https://digitalrevolver.com/product/automating-administration-with-windows-powershell/ This course provides
More information: 10961C: Automating Administration With Windows PowerShell
Module Title Duration : 10961C: Automating Administration With Windows PowerShell : 5 days About this course This course provides students with the fundamental knowledge and skills to use Windows PowerShell
More informationSentinelOne Technical Brief
SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by machine learning and intelligent automation. By rethinking
More informationThe story of Greendale. FOSS tools to automate your DFIR process
The story of Greendale FOSS tools to automate your DFIR process Why are you here? This talk will cover a big chunk of our forensics toolkit It s all Free and Open Source Software Showcase how they work
More informationSentinelOne Technical Brief
SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by behavior-based threat detection and intelligent automation.
More informationAdvanced Threat Hunting:
Advanced Threat Hunting: Identify and Track Adversaries Infiltrating Your Organization In Partnership with: Presented by: Randeep Gill Tony Shadrake Enterprise Security Engineer, Europe Regional Director,
More informationAutomating Administration with Windows PowerShell
Automating Administration with Windows PowerShell Course 10961C - Five Days - Instructor-led - Hands on Introduction This five-day, instructor-led course provides students with the fundamental knowledge
More informationTanium Endpoint Detection and Response. (ISC)² East Bay Chapter Training Day July 13, 2018
Tanium Endpoint Detection and Response (ISC)² East Bay Chapter Training Day July 13, 2018 $> WhoamI 11 Years of Security Experience Multiple Verticals (Technology, Industrial, Healthcare, Biotech) 9 Years
More informationStreaming Prevention in Cb Defense. Stop malware and non-malware attacks that bypass machine-learning AV and traditional AV
Streaming Prevention in Cb Defense Stop malware and non-malware attacks that bypass machine-learning AV and traditional AV 2 STREAMING PREVENTION IN Cb DEFENSE OVERVIEW Over the past three years, cyberattackers
More informationIncorporating Hunt Teams To Defend Your Enterprise
Incorporating Hunt Teams To Defend Your Enterprise How the application of military-grade investigative techniques can defend the network from cyber threats Produced in partnership with Cognitio Copyright
More informationA Process is No One: Hunting for Token Manipulation. Jared Atkinson & Robby Winchester
Jared Atkinson Robert Winchester A Process is No One: Hunting for Token Manipulation Jared Atkinson & Robby Winchester @jaredcatkinson Adversary Detection Technical Lead @ SpecterOps Developer: PowerForensics
More informationINCIDENT HANDLING & RESPONSE PROFESSIONAL VERSION 1
INCIDENT HANDLING & RESPONSE PROFESSIONAL VERSION 1 The most practical and comprehensive training course on incident handling & response elearnsecurity has been chosen by students in over 140 countries
More informationICS Security Monitoring
ICS Security Monitoring INFRASTRUCTURE MINING & METALS NUCLEAR, SECURITY & ENVIRONMENTAL OIL, GAS & CHEMICALS Moses Schwartz Security Engineer Computer Incident Response Team Bechtel Corporation State
More informationCorporate Training Centre (306)
Corporate Training Centre www.sbccollege.ca/corporate (306)244-6340 corporate@sbccollege.ca Automating Administration with Windows PowerShell: 10961C 5 Day Training Program November 5-9, 2018 Cost: $2,700.00
More informationPowershell And Wmi. Powershell And Wmi
We have made it easy for you to find a PDF Ebooks without any digging. And by having access to our ebooks online or by storing it on your computer, you have convenient answers with powershell and wmi.
More informationSECURITY REIMAGINED WINDOWS MANAGEMENT INSTRUMENTATION (WMI) OFFENSE, DEFENSE, AND FORENSICS
W H I T E P A P E R WINDOWS MANAGEMENT INSTRUMENTATION (WMI) OFFENSE, DEFENSE, AND FORENSICS William Ballenthin, Matt Graeber, Claudiu Teodorescu FireEye Labs Advanced Reverse Engineering (FLARE) Team,
More informationReal-time, Unified Endpoint Protection
Real-time, Unified Endpoint Protection Real-Time, Unified Endpoint Protection is a next-generation endpoint protection company that delivers realtime detection, prevention and remediation of advanced threats
More informationAutomating Administration with Windows PowerShell 2.0
Automating Administration with Windows PowerShell 2.0 Course No. 10325 5 Days Instructor-led, Hands-on Introduction This course provides students with the knowledge and skills to utilize Windows PowerShell
More informationModern Realities of Securing Active Directory & the Need for AI
Modern Realities of Securing Active Directory & the Need for AI Our Mission: Hacking Anything to Secure Everything 7 Feb 2019 Presenters: Dustin Heywood (EvilMog), Senior Managing Consultant, X-Force Red
More informationReducing the Cost of Incident Response
Reducing the Cost of Incident Response Introduction Cb Response is the most complete endpoint detection and response solution available to security teams who want a single platform for hunting threats,
More information(Re)Investigating PowerShell Attacks
(Re)Investigating PowerShell Attacks BruCON 0x0A Retro Talks Matt Hastings, Ryan Kazanciyan 2 Investigating PowerShell Attacks, 2014 Desired State: Compromised, 2015 3 Revisiting Investigating PowerShell
More information10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS
10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS WHITE PAPER INTRODUCTION BANKS ARE A COMMON TARGET FOR CYBER CRIMINALS AND OVER THE LAST YEAR, FIREEYE HAS BEEN HELPING CUSTOMERS RESPOND
More informationThe Veil-Framework. Will Veris Group Adaptive Threat Division
The Veil-Framework Will (@harmj0y) Veris Group Adaptive Threat Division The Veil-Framework A toolset aiming to bridge the gap between pentesting and red teaming capabilities Veil-Evasion: flagship tool,
More informationTesting for cyber resilience tools & techniques for adversary simulation and improved defense
Testing for cyber resilience tools & techniques for adversary simulation and improved defense Adrian Ifrim & Teodor Cimpoesu, Deloitte Cyber Resilience in Focus NIS Directive to bring cybersecurity capabilities
More informationRSA INCIDENT RESPONSE SERVICES
RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access
More informationRSA INCIDENT RESPONSE SERVICES
RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access
More informationSOLUTION BRIEF RSA NETWITNESS NETWORK VISIBILITY-DRIVEN THREAT DEFENSE
RSA NETWITNESS NETWORK VISIBILITY-DRIVEN THREAT DEFENSE KEY CUSTOMER BENEFITS: Gain complete visibility across enterprise networks Continuously monitor all traffic Faster analysis reduces risk exposure
More informationDefending the Gibson in 2015
Incident Response: Defending the Gibson in 2015 Darren Bilby - Digital Janitor dbilby@google.com ACSC 2015, Canberra Incidents are Messy If it were business as usual you would have stopped it Attacker
More informationWHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution
WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution Tervela helps companies move large volumes of sensitive data safely and securely over network distances great and small. We have been
More informationAutomating Administration with Windows PowerShell
Course Code: M10961 Vendor: Microsoft Course Overview Duration: 5 RRP: POA Automating Administration with Windows PowerShell Overview This course provides students with the fundamental knowledge and skills
More informationBUILT TO STOP BREACHES. Cloud-Delivered Endpoint Protection
BUILT TO STOP BREACHES Cloud-Delivered Endpoint Protection CROWDSTRIKE FALCON: THE NEW STANDARD IN ENDPOINT PROTECTION ENDPOINT SECURITY BASED ON A SIMPLE, YET POWERFUL APPROACH The CrowdStrike Falcon
More informationBecoming the Adversary
SESSION ID: CIN-R06 Becoming the Adversary Tyrone Erasmus Managing Security Consultant MWR InfoSecurity @metall0id /usr/bin/whoami Most public research == Android Something different today 2 Overview Introduction
More informationReal-time Monitoring, Inventory and Change Tracking for. Track. Report. RESOLVE!
Real-time Monitoring, Inventory and Change Tracking for Track. Report. RESOLVE! Powerful Monitoring Tool for Full Visibility over Your Hyper-V Environment VirtualMetric provides the most comprehensive
More informationRSA NetWitness Suite Respond in Minutes, Not Months
RSA NetWitness Suite Respond in Minutes, Not Months Overview One can hardly pick up a newspaper or turn on the news without hearing about the latest security breaches. The Verizon 2015 Data Breach Investigations
More information"Charting the Course... MOC C: Automating Administration with Windows PowerShell. Course Summary
Course Summary Description This course provides students with the fundamental knowledge and skills to use Windows PowerShell for administering and automating administration of Windows servers. This course
More informationSOLUTION BRIEF ASSESSING DECEPTION TECHNOLOGY FOR A PROACTIVE DEFENSE
SOLUTION BRIEF ASSESSING DECEPTION TECHNOLOGY FOR A PROACTIVE DEFENSE 1 EXECUTIVE SUMMARY Attackers have repeatedly demonstrated they can bypass an organization s conventional defenses. To remain effective,
More informationBuilding Resilience in a Digital Enterprise
Building Resilience in a Digital Enterprise Top five steps to help reduce the risk of advanced targeted attacks To be successful in business today, an enterprise must operate securely in the cyberdomain.
More informationCYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta
CYBER ANALYTICS Architecture Overview Technical Brief May 2016 novetta.com 2016, Novetta Novetta Cyber Analytics: Technical Architecture Overview 1 INTRODUCTION 2 CAPTURE AND PROCESS ALL NETWORK TRAFFIC
More informationAutomating Administration with Windows PowerShell (10961)
Automating Administration with Windows PowerShell (10961) Duration: 5 Days Live Course Delivery Price: $2795 *California residents and government employees call for pricing. MOC On-Demand Price: $895 Discounts:
More informationThe story of Greendale. Turbinia: Automation of forensic processing in the cloud
The story of Greendale Turbinia: Automation of forensic processing in the cloud Why are WE here? Thomas Chopitea @tomchop_ Aaron Peterson @aarontpeterson DFIR @ Google We write code, we use it to hunt
More informationThe story of Greendale. Turbinia: Automation of forensic processing in the cloud
The story of Greendale Turbinia: Automation of forensic processing in the cloud Why are WE here? Thomas Chopitea @tomchop_ Aaron Peterson @aarontpeterson DFIR @ Google We write code, we use it to hunt
More informationFast Incident Investigation and Response with CylanceOPTICS
Fast Incident Investigation and Response with CylanceOPTICS Feature Focus Incident Investigation and Response Identifying a potential security issue in any environment is important, however, to protect
More informationINCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER
INCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER 1 INCIDENT RESPONDER'S FIELD GUIDE TABLE OF CONTENTS 03 Introduction
More informationCyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems
Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems Section 1: Command Line Tools Skill 1: Employ commands using command line interface 1.1 Use command line commands to gain situational
More informationHunting Lateral Movement with Windows Events Logs. SANS Threat Hunting Summit 2018 Mauricio
Hunting Lateral Movement with Windows Events Logs SANS Threat Hunting Summit 2018 Mauricio Velazco @mvelazco $whoami Peruvian Recovering pentester, threat management lead @mvelazco Derbycon, Bsides, Defcon
More informationSANS IR and Forensics Summit 2009 Keynote
SANS IR and Forensics Summit 2009 Keynote Richard Bejtlich Director of Incident Response, General Electric richard@taosecurity.com taosecurity.blogspot.com 1 Introduction Bejtlich ("bate-lik") biography
More informationINSIGHTS FROM NSA S CYBERSECURITY THREAT OPERATIONS CENTER
INSIGHTS FROM NSA S CYBERSECURITY THREAT OPERATIONS CENTER Dave Hogue Technical Director National Security Agency s Cybersecurity Threat Operations Center NSA CYBERSECURITY MISSION OVERVIEW NEXUS OF NSA
More informationPOST-EXPLOITATION WITH WINDOWS POWERSHELL
POST-EXPLOITATION WITH WINDOWS POWERSHELL Jerold Hoong, OSCP Associate, Singapore 27 th May 2015 ASPAC Hacknet Conference and Security Training Agenda No. CHAPTER 1 PowerShell 101 2 Exploitation Frameworks
More informationReduce the Breach Detection Gap to Minutes. What is Forensic State Analysis (FSA)?
Reduce the Breach Detection Gap to Minutes Whether cloud-hosted or situated on premise, Cyber Threat Hunting as a Service is an essential and complimentary addition to any organization serious about security.
More informationFirst Look Showcase. Expanding our prevention, detection and response solutions. Marco Rottigni Chief Technical Security Officer, Qualys, Inc.
18 QUALYS SECURITY CONFERENCE 2018 First Look Showcase Expanding our prevention, detection and response solutions Marco Rottigni Chief Technical Security Officer, Qualys, Inc. Secure Enterprise Mobility
More informationHow Breaches Really Happen
How Breaches Really Happen www.10dsecurity.com About Dedicated Information Security Firm Clients Nationwide, primarily in financial industry Services Penetration Testing Social Engineering Vulnerability
More informationHunting Adversaries with "rastrea2r" and Machine Learning
Hunting Adversaries with "rastrea2r" and Machine Learning Gabriel Infante-Lopez, @gainlo Ismael Valenzuela, @aboutsecurity SANS SOC Summit 2017 Crystal City, VA 1 How do we investigate? Results of a survey
More informationesendpoint Next-gen endpoint threat detection and response
DATA SHEET esendpoint Next-gen endpoint threat detection and response esendpoint powered by Carbon Black eliminates endpoint blind-spots that traditional technologies miss. Operating on a philosophy that
More informationGRR Rapid Response. An exercise in failing to replace yourself with a small script.
GRR Rapid Response An exercise in failing to replace yourself with a small script. Darren Bilby - Digital Janitor - Google Tech Lead Incident Response / Forensics Agenda Why GRR? What we built Demo 1 Key
More informationTHE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM
THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM Modern threats demand analytics-driven security and continuous monitoring Legacy SIEMs are Stuck in the Past Finding a mechanism to collect, store
More informationWhat are we going to talk about today?
For those of you who haven t worked with me over the past 6 years, I m Bryan Senter. I ve been in Wiesbaden in a different role for 5 years. I followed the crowd from Heidelberg before that. EPMSaaS stands
More informationFirst Look Showcase. Expanding our prevention, detection and response solutions. Sumedh Thakar Chief Product Officer, Qualys, Inc.
18 QUALYS SECURITY CONFERENCE 2018 First Look Showcase Expanding our prevention, detection and response solutions Sumedh Thakar Chief Product Officer, Qualys, Inc. Secure Enterprise Mobility Identity (X.509,
More informationOne Incident Responder's Wish List of Events
One Incident Responder's Wish List of Events Founder and president of Vertigrate Digital forensics, incident response, and malware reverse engineering Proactively engages with business and security teams
More informationCourse Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture
About this Course This course will best position your organization to analyse threats and detect anomalies that could indicate cybercriminal behaviour. The payoff for this new proactive approach would
More informationFTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.
FTA 2017 SEATTLE Cybersecurity and the State Tax Threat Environment 1 Agenda Cybersecurity Trends By the Numbers Attack Trends Defensive Trends State and Local Intelligence What Can You Do? 2 2016: Who
More informationAttackers Process. Compromise the Root of the Domain Network: Active Directory
Attackers Process Compromise the Root of the Domain Network: Active Directory BACKDOORS STEAL CREDENTIALS MOVE LATERALLY MAINTAIN PRESENCE PREVENTION SOLUTIONS INITIAL RECON INITIAL COMPROMISE ESTABLISH
More informationEvolution Of Cyber Threats & Defense Approaches
Evolution Of Cyber Threats & Defense Approaches Antony Abraham IT Architect, Information Security, State Farm Kevin McIntyre Tech Lead, Information Security, State Farm Agenda About State Farm Evolution
More informationMicrosoft Automating Administration with Windows PowerShell
1800 ULEARN (853 276) www.ddls.com.au Microsoft 10961 - Automating Administration with Windows PowerShell Length 5 days Price $4290.00 (inc GST) Version C Overview This course provides students with the
More informationApplication Whitelisting and Active Analysis Nick Levay, Chief Security Officer, Bit9
Application Whitelisting and Active Analysis Nick Levay, Chief Security Officer, Bit9 About Me Chief Security Officer @ Bit9 Former Director of Technical Operations and Information Security @ Center for
More informationDefending Microsoft environments at scale. Vineet Bhatia 15 Mar 2018
Defending Microsoft environments at scale Vineet Bhatia (@ThreatHunting) 15 Mar 2018 Agenda Introduction and Background Microsoft security stack in Windows 10 Defense model based on MITRE ATTACK and the
More informationIS THERE A HOLE IN YOUR RISC-V SECURITY STACK? JOTHY ROSENBERG DOVER MICROSYSTEMS
IS THERE A HOLE IN YOUR RISC-V SECURITY STACK? JOTHY ROSENBERG DOVER MICROSYSTEMS I understand the difference in destruction is dramatic, but this has a whiff of August 1945. Someone just used a new weapon,
More information18-642: Security Mitigation & Validation
18-642: Security Mitigation & Validation 11/27/2017 Security Migitation & Validation Anti-Patterns for security mitigation & validation Poorly considered password policy Poorly considered privilege management
More informationn Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test
Chapter Objectives n Explain penetration testing concepts n Explain vulnerability scanning concepts Chapter #4: Threats, Attacks, and Vulnerabilities Vulnerability Scanning and Penetration Testing 2 Penetration
More informationEFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave
EFFECTIVELY TARGETING ADVANCED THREATS Terry Sangha Sales Engineer at Trustwave THE CHALLENGE PROTECTING YOUR ENVIRONMENT IS NOT GETTING EASIER ENDPOINT POINT OF SALE MOBILE VULNERABILITY MANAGEMENT CYBER
More informationTransforming Security from Defense in Depth to Comprehensive Security Assurance
Transforming Security from Defense in Depth to Comprehensive Security Assurance February 28, 2016 Revision #3 Table of Contents Introduction... 3 The problem: defense in depth is not working... 3 The new
More informationProtecting Against Modern Attacks. Protection Against Modern Attack Vectors
Protecting Against Modern Attacks Protection Against Modern Attack Vectors CYBER SECURITY IS A CEO ISSUE. - M C K I N S E Y $4.0M 81% >300K 87% is the average cost of a data breach per incident. of breaches
More informationINSIGHTS FROM NSA S CYBERSECURITY THREAT OPERATIONS CENTER
SESSION ID: AIR-T08 INSIGHTS FROM NSA S CYBERSECURITY THREAT OPERATIONS CENTER Dave Hogue Technical Director National Security Agency s Cybersecurity Threat Operations Center NSA CYBERSECURITY MISSION
More informationCybersecurity Risk Mitigation: Protect Your Member Data. Introduction
Cybersecurity Risk Mitigation: Protect Your Member Data Presented by Matt Mitchell, CISSP Knowledge Consulting Group Introduction Matt Mitchell- Director Risk Assurance 17 years information security experience
More informationAttacking and Defending Active Directory July, 2017
Attacking and Defending Active Directory July, 2017 About: Adam Steed - @aboy 20 years of experience in IAM, working for financial, websites, and healthcare organizations Associate Director Protiviti Security
More informationThis course incorporates materials from the Official Microsoft Learning Product M10961: Automating Administration with Windows PowerShell.
Microsoft - Automating Administration with Windows PowerShell Code: URL: OD10961 View Online In this course, you will gain the fundamental knowledge and skills to use Windows PowerShell for administering
More informationWhitepaper. Advanced Threat Hunting with Carbon Black Enterprise Response
Advanced Threat Hunting with Carbon Black Enterprise Response TABLE OF CONTENTS Overview Threat Hunting Defined Existing Challenges and Solutions Prioritize Endpoint Data Collection Over Detection Leverage
More informationCYBER SECURITY EFFECTIVENESS FOR THE RESOURCE-CONSTRAINED ORGANIZATION
SELF-AUDIT GUIDE CYBER SECURITY EFFECTIVENESS FOR THE RESOURCE-CONSTRAINED ORGANIZATION A Primer for Moving Beyond AV and Firewalls 1 The Problem As software systems become more distributed and interactive
More informationPart 2: How to Detect Insider Threats
Part 2: How to Detect Insider Threats Amichai Shulman Chief Technology Officer Imperva Amichai Shulman CTO, Imperva Speaker at Industry Events RSA, Appsec, Info Security UK, Black Hat Lecturer on information
More informationSandBlast Agent FAQ Check Point Software Technologies Ltd. All rights reserved P. 1. [Internal Use] for Check Point employees
SandBlast Agent FAQ What is Check Point SandBlast Agent? Check Point SandBlast Agent defends endpoints and web browsers with a complete set of realtime advanced browser and endpoint protection technologies,
More informationRemote Control in Detail: PowerShell Remoting
Remote Control in Detail: PowerShell Remoting Remoting with Microsoft PowerShell consolidates all server management into a single port and protocol PowerShell is highly configurable PowerShell provides
More informationDATA SHEET RSA NETWITNESS ENDPOINT DETECT UNKNOWN THREATS. REDUCE DWELL TIME. ACCELERATE RESPONSE.
RSA NETWITNESS ENDPOINT DETECT UNKNOWN THREATS. REDUCE DWELL TIME. ACCELERATE RESPONSE. KEY CUSTOMER BENEFITS: Gain complete visibility into all endpoints, regardless of whether they are on or off the
More informationCOURSE 10961B: AUTOMATING ADMINISTRATION WITH WINDOWS POWERSHELL
ABOUT THIS COURSE Learn how with Windows PowerShell 3.0, you can remotely manage single or multiple Windows-based servers and automate day-to-day management and administration tasks. This five day course
More informationEliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat
WHITE PAPER Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat Executive Summary Unfortunately, it s a foregone conclusion that no organisation is 100 percent safe
More informationThe Bad Guys Are Winning So Now What?
The Bad Guys Are Winning So Now What? Ed Skoudis v1q13 Bad Guys Are Winning Now What? - 2013 Ed Skoudis 1 $ cut -f5 -d: /etc/passwd Ed Skoudis grep -i skoudis Started infosec career at Bellcore in 1996
More informationA Game between Adversary and AI Scientist
A Game between Adversary and AI Scientist NULLCON March 3, 2018 Satnam, Arunabha, Deepak, Waseem, Nirmesh, Santosh, Balamurali, Narayana Acalvio Technologies Who am I At Acalvio from Day 1 15+ Years in
More information