BSides JAX 2019 - Threat Hunting with the Elastic Stack

•

0 recomendaciones•414 vistas

Brandon DeVault

Slides for a presentation at BSides Jacksonville 2019.

1
BSides Jacksonville
16 Nov 2019
Threat Hunting with
the Elastic Stack

$whoami
Brandon DeVault
●
●
●
●
●
linkedin.com/in/brandondevault
@Oofles brandon.devault@elastic.co
@SolderSwag

3
Agenda
• Technology
• Threat Hunting
• Demo!

4
Elastic Stack Overview

5
SIEM & security analytics
thrive on search
Elastic is a search company

9
Store, Search, &
Analyze
Visualize &
Manage
Ingest
Elastic Stack
Elastic Stack
Kibana
Elasticsearch
Beats Logstash

10
Logstash
ETL for Elasticsearch
Ingest data of all shapes,
sizes, and sources
Parse and dynamically
transform data
Transport data to any
output
Secure and encrypt data
inputs
Build your own pipelines Lots of plugins

11
Beats
Lightweight data shippers
Ship data from the source
Ship and centralize in
Elasticsearch
Ship to Logstash for
transformation and parsing
Ship to Elastic Cloud Libbeat: API framework to
build custom beats 70+ community Beats

12
Elasticsearch
Distributed by design, scales horizontally

13
Kibana
Window into the Elastic Stack
Visualize and analyze Geospatial Customize and Share
Reports
Graph Exploration UX to secure and manage
the Elastic Stack
Build Custom Apps

Core of ROCK
●
●
●
●
●

16
What is ROCK?
Yeah, but what’s
in it?

17
Zeek (Bro) Network Security Monitor
• Analyzes network data and creates a session log
• Uses the terms Originator and Responder
‒ originator ≠ source
‒ responder ≠ destination
• Used to construct full timeline of events
• See the bigger picture

18
Threat Hunting

19
Why are we doing this?
Make. Them. Pay.
Jason Batchelor

24
Aperture

Precise, Targeted ...errr Collection

26
What could possibly go wrong?
- Every live demo ever...

27
Web : www.elastic.co
Demos: demo.elastic.co
Products : https://www.elastic.co/products
Forums : https://discuss.elastic.co/
Community :
https://www.elastic.co/community/meetups
Twitter : @elastic
Thank you!

Más contenido relacionado

La actualidad más candente

How to run Elasticsearch on Azure in just a few minutes

How to run Elasticsearch on Azure in just a few minutes

How to run Elasticsearch on Azure in just a few minutes

( ELK Stack Training - https://www.edureka.co/elk-stack-trai... ) This Edureka tutorial on What Is ELK Stack will help you in understanding the fundamentals of Elasticsearch, Logstash, and Kibana together and help you in building a strong foundation in ELK Stack. Below are the topics covered in this ELK tutorial for beginners: 1. Need for Log Analysis 2. Problems with Log Analysis 3. What is ELK Stack? 4. Features of ELK Stack 5. Companies Using ELK Stack

What Is ELK Stack | ELK Tutorial For Beginners | Elasticsearch Kibana | ELK S...

What Is ELK Stack | ELK Tutorial For Beginners | Elasticsearch Kibana | ELK S...

What Is ELK Stack | ELK Tutorial For Beginners | Elasticsearch Kibana | ELK S...

Análisis del roadmap del Elastic Stack

Análisis del roadmap del Elastic Stack

Análisis del roadmap del Elastic Stack

Elastic at Procter & Gamble: A Network Story

Elastic at Procter & Gamble: A Network Story

Elastic at Procter & Gamble: A Network Story

Logging, Metrics, and APM: The Operations Trifecta (P)

Logging, Metrics, and APM: The Operations Trifecta (P)

Logging, Metrics, and APM: The Operations Trifecta (P)

Kibana Tutorial | Kibana Dashboard Tutorial | Kibana Elasticsearch | ELK Stac...

Kibana Tutorial | Kibana Dashboard Tutorial | Kibana Elasticsearch | ELK Stac...

Kibana Tutorial | Kibana Dashboard Tutorial | Kibana Elasticsearch | ELK Stac...

Better Search and Business Analytics at Southern Glazer’s Wine & Spirits

Better Search and Business Analytics at Southern Glazer’s Wine & Spirits

Better Search and Business Analytics at Southern Glazer’s Wine & Spirits

Elasticsearch and the Database Market

Elasticsearch and the Database Market

Elasticsearch and the Database Market

https://www.elastic.co/elasticon/tour/2019/paris/logging-metrics-and-apm-the-operations-trifecta Pour une meilleure visibilité opérationnelle, centralisez les logs, les indicateurs et, désormais, les données APM. Découvrez comment Elasticsearch regroupe efficacement ces types de données au même endroit. De même, découvrez comment utiliser Kibana pour rechercher des logs, analyser des indicateurs et exploiter les fonctionnalités APM afin de mieux surveiller les performances et de résoudre les problèmes plus rapidement.

Logging, indicateurs et APM : le trio gagnant pour des opérations réussies

Logging, indicateurs et APM : le trio gagnant pour des opérations réussies

Logging, indicateurs et APM : le trio gagnant pour des opérations réussies

What’s Evolving in the Elastic Stack

What’s Evolving in the Elastic Stack

What’s Evolving in the Elastic Stack

Monitoring docker, k8s and your applications with the elastic stack

Monitoring docker, k8s and your applications with the elastic stack

Monitoring docker, k8s and your applications with the elastic stack

FIWARE Global Summit - QuantumLeap: Time-series and Geographic Queries

FIWARE Global Summit - QuantumLeap: Time-series and Geographic Queries

FIWARE Global Summit - QuantumLeap: Time-series and Geographic Queries

Divide & Conquer - Logging Architecture in Distributed Ecosystems with Elasti...

Divide & Conquer - Logging Architecture in Distributed Ecosystems with Elasti...

Divide & Conquer - Logging Architecture in Distributed Ecosystems with Elasti...

Community day ppt_kinesisv1.0

Community day ppt_kinesisv1.0

Community day ppt_kinesisv1.0

Sridevi Murugayen

Elastic on a Hyper-Converged Infrastructure for Operational Log Analytics

Elastic on a Hyper-Converged Infrastructure for Operational Log Analytics

Elastic on a Hyper-Converged Infrastructure for Operational Log Analytics

Elastic at KPN

Migrating a legacy logging system: Etsy’s journey to Elastic Cloud

Migrating a legacy logging system: Etsy’s journey to Elastic Cloud

Migrating a legacy logging system: Etsy’s journey to Elastic Cloud

Quick Intro to Google Cloud Technologies

Quick Intro to Google Cloud Technologies

Quick Intro to Google Cloud Technologies

Building a reliable and cost effect logging system at Box

Building a reliable and cost effect logging system at Box

Building a reliable and cost effect logging system at Box

Protecting Your Cluster from Your Humans

Protecting Your Cluster from Your Humans

Protecting Your Cluster from Your Humans

La actualidad más candente (20)

How to run Elasticsearch on Azure in just a few minutes

How to run Elasticsearch on Azure in just a few minutes

How to run Elasticsearch on Azure in just a few minutes

What Is ELK Stack | ELK Tutorial For Beginners | Elasticsearch Kibana | ELK S...

What Is ELK Stack | ELK Tutorial For Beginners | Elasticsearch Kibana | ELK S...

What Is ELK Stack | ELK Tutorial For Beginners | Elasticsearch Kibana | ELK S...

Análisis del roadmap del Elastic Stack

Análisis del roadmap del Elastic Stack

Análisis del roadmap del Elastic Stack

Elastic at Procter & Gamble: A Network Story

Elastic at Procter & Gamble: A Network Story

Elastic at Procter & Gamble: A Network Story

Logging, Metrics, and APM: The Operations Trifecta (P)

Logging, Metrics, and APM: The Operations Trifecta (P)

Logging, Metrics, and APM: The Operations Trifecta (P)

Kibana Tutorial | Kibana Dashboard Tutorial | Kibana Elasticsearch | ELK Stac...

Kibana Tutorial | Kibana Dashboard Tutorial | Kibana Elasticsearch | ELK Stac...

Kibana Tutorial | Kibana Dashboard Tutorial | Kibana Elasticsearch | ELK Stac...

Better Search and Business Analytics at Southern Glazer’s Wine & Spirits

Better Search and Business Analytics at Southern Glazer’s Wine & Spirits

Better Search and Business Analytics at Southern Glazer’s Wine & Spirits

Elasticsearch and the Database Market

Elasticsearch and the Database Market

Elasticsearch and the Database Market

Logging, indicateurs et APM : le trio gagnant pour des opérations réussies

Logging, indicateurs et APM : le trio gagnant pour des opérations réussies

Logging, indicateurs et APM : le trio gagnant pour des opérations réussies

What’s Evolving in the Elastic Stack

What’s Evolving in the Elastic Stack

What’s Evolving in the Elastic Stack

Monitoring docker, k8s and your applications with the elastic stack

Monitoring docker, k8s and your applications with the elastic stack

Monitoring docker, k8s and your applications with the elastic stack

FIWARE Global Summit - QuantumLeap: Time-series and Geographic Queries

FIWARE Global Summit - QuantumLeap: Time-series and Geographic Queries

FIWARE Global Summit - QuantumLeap: Time-series and Geographic Queries

Divide & Conquer - Logging Architecture in Distributed Ecosystems with Elasti...

Divide & Conquer - Logging Architecture in Distributed Ecosystems with Elasti...

Divide & Conquer - Logging Architecture in Distributed Ecosystems with Elasti...

Community day ppt_kinesisv1.0

Community day ppt_kinesisv1.0

Community day ppt_kinesisv1.0

Elastic on a Hyper-Converged Infrastructure for Operational Log Analytics

Elastic on a Hyper-Converged Infrastructure for Operational Log Analytics

Elastic on a Hyper-Converged Infrastructure for Operational Log Analytics

Elastic at KPN

Migrating a legacy logging system: Etsy’s journey to Elastic Cloud

Migrating a legacy logging system: Etsy’s journey to Elastic Cloud

Migrating a legacy logging system: Etsy’s journey to Elastic Cloud

Quick Intro to Google Cloud Technologies

Quick Intro to Google Cloud Technologies

Quick Intro to Google Cloud Technologies

Building a reliable and cost effect logging system at Box

Building a reliable and cost effect logging system at Box

Building a reliable and cost effect logging system at Box

Protecting Your Cluster from Your Humans

Protecting Your Cluster from Your Humans

Protecting Your Cluster from Your Humans

Similar a BSides JAX 2019 - Threat Hunting with the Elastic Stack

Elastic Stack Introduction

Elastic Stack Introduction

Elastic Stack Introduction

Serverless data lake architecture

Serverless data lake architecture

Serverless data lake architecture

Maik Wiesmüller

Splunk @ Adobe

PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadków

PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadków

PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadków

ELK at LinkedIn - Kafka, scaling, lessons learned

ELK at LinkedIn - Kafka, scaling, lessons learned

ELK at LinkedIn - Kafka, scaling, lessons learned

The challenge with today’s “data explosion” is finding the most appropriate answer to the question, “So where do I put my data?” while avoiding the longer-term problem: data warehouses, data lakes, cloud storage, NoSQL databases, … are often the places where “big” data goes to die. Enter Physics 101, and my corollary to Newton’s First Law of Motion: Data in motion tends to stay in motion until it comes rest on disk. Similarly, if data is at rest, it will remain at rest until an external “force” puts it in motion again. Data inevitably comes to rest at some point. Without “external forces”, data often gets lost or becomes stale where it lands. “Modern” architectures tend to involve data pipelines where downstream consumers of data make use of data generated upstream, often with built-for-purpose repositories at each stage. This session will explore how data that has come to rest can be put in motion again; how Kafka can keep it in motion longer; and how pipelined architectures might be created to make use of that data.

Data in Motion: Building Stream-Based Architectures with Qlik Replicate & Kaf...

Data in Motion: Building Stream-Based Architectures with Qlik Replicate & Kaf...

Data in Motion: Building Stream-Based Architectures with Qlik Replicate & Kaf...

HostedbyConfluent

Examining OpenData with a Search Index using Elasticsearch

Examining OpenData with a Search Index using Elasticsearch

Examining OpenData with a Search Index using Elasticsearch

The Briefing Room with Dr. Robin Bloor and Think Big, a Teradata Company Live Webcast April 7, 2015 Watch the archive: https://bloorgroup.webex.com/bloorgroup/lsr.php?RCID=4114b87441ab7b2b4c52f6b24776e5a1 The more things change in Big Data, the more they stay the same. Indeed, there are many similarities between a Hadoop-based Data Lake and today’s modern Data Warehouse. Regardless of platform, information workers must still be able to turn their assets into action quickly, without taking a hit on governance or downstream performance. Register for this episode of The Briefing Room to hear veteran Analyst Dr. Robin Bloor as he explains the challenges facing organizations who endeavor on Big Data projects. He’ll be briefed by Rick Stellwagen of Think Big, a Teradata Company, who will outline his company’s approach to handling Big Data implementations. Rick will discuss the role of the data lake, and how timely response of queries is critical for reporting and analysis. Visit InsideAnalysis.com for more information.

The Great Lakes: How to Approach a Big Data Implementation

The Great Lakes: How to Approach a Big Data Implementation

The Great Lakes: How to Approach a Big Data Implementation

Inside Analysis

Docker containers add portability but can also introduce complexity into your environment. In this session learn about why monitoring your container environment is essential to maintaining service reliability, and how Splunk software can help you monitor different layers of infrastructure running in a Docker environment, including third-party tools, instances, and custom code. Learn how to use Splunk software to collect, search and correlate container data with other infrastructure data for better service context, root cause monitoring and reporting. Additionally, receive introduction to the product integrations between Splunk and Docker such as the Splunk Logging Driver, Splunk Forwarder, and Splunk Logging Libraries.

Take an Analytics-driven Approach to Container Performance with Splunk for Co...

Take an Analytics-driven Approach to Container Performance with Splunk for Co...

Take an Analytics-driven Approach to Container Performance with Splunk for Co...

Semplificare l'analisi dei dati con architetture "Serverless": architetture e...

Semplificare l'analisi dei dati con architetture "Serverless": architetture e...

Semplificare l'analisi dei dati con architetture "Serverless": architetture e...

Amazon Web Services

The annual review session by the AMIS team on their findings, interpretations and opinions regarding news, trends, announcements and roadmaps around Oracle's product portfolio. This presentation discusses architecture trends, container technology, disruptive movements such as IoT, Blockchain, Intelligent Bots and Machine Learning, Modern User Experience, Enterprise Integration, Autonomous Systems in general and Autonomous Database in particular, Security, Cloud, Networking, Java, High PaaS & Low PaaS, DevOps, Microservices, Hybrid Cloud. This Oracle OpenWorld - more than any in recent history - rocked the foundations of the Oracle platform and opened up some real new roads ahead. This presentation leads you through the most relevant announcements and new directions.

Oracle OpenWorld 2017 Review (31st October 2017 - 250 slides)

Oracle OpenWorld 2017 Review (31st October 2017 - 250 slides)

Oracle OpenWorld 2017 Review (31st October 2017 - 250 slides)

Getting value from IoT, Integration and Data Analytics

Open Distro for Elasticsearch is a 100% open-source distribution of Elasticsearch, the popular search and analytics engine. In this session, we explore its many new advanced features—previously available only in commercial software—including encryption in transit, role-based access control (RBAC), event monitoring and alerting, SQL support, cluster diagnostics, and more. We also show you how you can join the Open Distro for Elasticsearch community to accelerate open innovation for Elasticsearch.

Introducing Open Distro for Elasticsearch - ADB201 - New York AWS Summit

Introducing Open Distro for Elasticsearch - ADB201 - New York AWS Summit

Introducing Open Distro for Elasticsearch - ADB201 - New York AWS Summit

Amazon Web Services

Webinar: Rearchitecting Storage for the Next Wave of Splunk Data Growth

Webinar: Rearchitecting Storage for the Next Wave of Splunk Data Growth

Webinar: Rearchitecting Storage for the Next Wave of Splunk Data Growth

Storage Switzerland

Architecting Data Lakes on AWS

Architecting Data Lakes on AWS

Architecting Data Lakes on AWS

Sajith Appukuttan

Regina Pison - Elastic - OSL19

Regina Pison - Elastic - OSL19

Regina Pison - Elastic - OSL19

AWS Dev Day Kyiv 2019 Track: Analytics & Machine Learning Session: "Building a Modern Data platform in the Cloud" Speaker: Alex Casalboni, AWS Technical Evangelist Level: 300 AWS Dev Day is a free, full-day technical event where new developers will learn about some of the hottest topics in cloud computing, and experienced developers can dive deep on newer AWS services. Provectus has organized AWS Dev Day Kyiv in close collaboration with Amazon Web Services: 800+ participants, 18 sessions, 3 tracks, a really AWSome Day!  Now, together with Zeo Alliance, we're building and nurturing AWS User Group Ukraine — join us on Facebook to stay updated about cloud technologies and AWS services: https://www.facebook.com/groups/AWSUserGroupUkraine Video: https://youtu.be/HIDnAG9AxZo

"Building a Modern Data platform in the Cloud", Alex Casalboni, AWS Dev Day K...

"Building a Modern Data platform in the Cloud", Alex Casalboni, AWS Dev Day K...

"Building a Modern Data platform in the Cloud", Alex Casalboni, AWS Dev Day K...

A tale of two BI standards: Data warehouses and data lakes by Shant Hovsepian, Co-Founder and CTO, Arcadia Data Data lakes as part of the logical data warehouse (LDW) have entered the trough of disillusionment. Some failures are due to lack of value from businesses focusing on the big data challenges and not the big analytics opportunity. After all, data is just data until you analyze it. While the data management aspect has been fairly well understood over the years, the success of business intelligence (BI) and analytics on data lakes lags behind. In fact, data lakes often fail because they are only accessible by highly skilled data scientists and not by business users. But BI tools have been able to access data warehouses for years, so what gives? Shant Hovsepian explains why existing BI tools are architected well for data warehouses but not data lakes, the pros and cons of each architecture, and why every organization should have two BI standards: one for data warehouses and one for data lakes.

Data Con LA 2018 - A tale of two BI standards: Data warehouses and data lakes...

Data Con LA 2018 - A tale of two BI standards: Data warehouses and data lakes...

Data Con LA 2018 - A tale of two BI standards: Data warehouses and data lakes...

Data Analytics Week at the San Francisco Loft Using Data Lakes A data lake can be used as a source for both structured and unstructured data - but how? We'll look at using open standards including Spark and Presto with Amazon EMR, Amazon Redshift Spectrum and Amazon Athena to process and understand data. Speakers: John Mallory - Principal Business Development Manager Storage (Object), AWS Hemant Borole - Sr. Big Data Consultant, AWS

Using Data Lakes: Data Analytics Week SF

Using Data Lakes: Data Analytics Week SF

Using Data Lakes: Data Analytics Week SF

Amazon Web Services

Zenko @Cloud Native Foundation London Meetup March 6th 2018

Zenko @Cloud Native Foundation London Meetup March 6th 2018

Zenko @Cloud Native Foundation London Meetup March 6th 2018

Sqrrl real time_big_data_20130411

Sqrrl real time_big_data_20130411

Sqrrl real time_big_data_20130411

Similar a BSides JAX 2019 - Threat Hunting with the Elastic Stack (20)

Elastic Stack Introduction

Elastic Stack Introduction

Elastic Stack Introduction

Serverless data lake architecture

Serverless data lake architecture

Serverless data lake architecture

Splunk @ Adobe

PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadków

PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadków

PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadków

ELK at LinkedIn - Kafka, scaling, lessons learned

ELK at LinkedIn - Kafka, scaling, lessons learned

ELK at LinkedIn - Kafka, scaling, lessons learned

Data in Motion: Building Stream-Based Architectures with Qlik Replicate & Kaf...

Data in Motion: Building Stream-Based Architectures with Qlik Replicate & Kaf...

Data in Motion: Building Stream-Based Architectures with Qlik Replicate & Kaf...

Examining OpenData with a Search Index using Elasticsearch

Examining OpenData with a Search Index using Elasticsearch

Examining OpenData with a Search Index using Elasticsearch

The Great Lakes: How to Approach a Big Data Implementation

The Great Lakes: How to Approach a Big Data Implementation

The Great Lakes: How to Approach a Big Data Implementation

Take an Analytics-driven Approach to Container Performance with Splunk for Co...

Take an Analytics-driven Approach to Container Performance with Splunk for Co...

Take an Analytics-driven Approach to Container Performance with Splunk for Co...

Semplificare l'analisi dei dati con architetture "Serverless": architetture e...

Semplificare l'analisi dei dati con architetture "Serverless": architetture e...

Semplificare l'analisi dei dati con architetture "Serverless": architetture e...

Oracle OpenWorld 2017 Review (31st October 2017 - 250 slides)

Oracle OpenWorld 2017 Review (31st October 2017 - 250 slides)

Oracle OpenWorld 2017 Review (31st October 2017 - 250 slides)

Introducing Open Distro for Elasticsearch - ADB201 - New York AWS Summit

Introducing Open Distro for Elasticsearch - ADB201 - New York AWS Summit

Introducing Open Distro for Elasticsearch - ADB201 - New York AWS Summit

Webinar: Rearchitecting Storage for the Next Wave of Splunk Data Growth

Webinar: Rearchitecting Storage for the Next Wave of Splunk Data Growth

Webinar: Rearchitecting Storage for the Next Wave of Splunk Data Growth

Architecting Data Lakes on AWS

Architecting Data Lakes on AWS

Architecting Data Lakes on AWS

Regina Pison - Elastic - OSL19

Regina Pison - Elastic - OSL19

Regina Pison - Elastic - OSL19

"Building a Modern Data platform in the Cloud", Alex Casalboni, AWS Dev Day K...

"Building a Modern Data platform in the Cloud", Alex Casalboni, AWS Dev Day K...

"Building a Modern Data platform in the Cloud", Alex Casalboni, AWS Dev Day K...

Data Con LA 2018 - A tale of two BI standards: Data warehouses and data lakes...

Data Con LA 2018 - A tale of two BI standards: Data warehouses and data lakes...

Data Con LA 2018 - A tale of two BI standards: Data warehouses and data lakes...

Using Data Lakes: Data Analytics Week SF

Using Data Lakes: Data Analytics Week SF

Using Data Lakes: Data Analytics Week SF

Zenko @Cloud Native Foundation London Meetup March 6th 2018

Zenko @Cloud Native Foundation London Meetup March 6th 2018

Zenko @Cloud Native Foundation London Meetup March 6th 2018

Sqrrl real time_big_data_20130411

Sqrrl real time_big_data_20130411

Sqrrl real time_big_data_20130411

Más de Brandon DeVault

Unleash the power of scheduled tasks and uncover hidden secrets in Windows! Did you know that lurking beneath the surface are approximately 150 scheduled tasks by default, with over 40 set to hidden by default? Prepare to dive deep into the fascinating (aka, frustrating) world of these elusive artifacts! Join me as we embark on an enthralling journey, delving into the intricate details and challenges surrounding scheduled tasks. Discover how Microsoft typos, baffling naming schemes, and cryptic execution details make detecting anomalies a “thrilling” pursuit. But fear not, for there is hope! This captivating presentation will arm you with potent PowerShell scripts, powerful Elasticsearch dashboards, and an enhanced understanding of hunting down malicious persistence. Get ready to transform your perspective on scheduled tasks and become a hero in shining a spotlight on their hidden mysteries!

grrcon-2023-scheduled-tasks.pdf

grrcon-2023-scheduled-tasks.pdf

grrcon-2023-scheduled-tasks.pdf

Brandon DeVault

Welcome to the world of “Toolkit Titans,” where a global lack of funding, limited manpower, and inadequate support doesn’t stop us from saving the world! In this action-packed talk, we’ll dive into the depths of defensive security operations to build a toolkit that serves your needs. Security analytics, incident response, and adversary emulation – I’ll focus on the cost-effective integration of powerful open-source tools like Elastic, Zeek, Suricata, and Jupyter Notebooks. I’ll demonstrate how these tools can be combined to form a flexible solution for state response, in-garrison support, or austere operations. The best part? I’ve done a lot of the work for you and all the resources will be provided via a GitHub project during the presentation. So gear up, brave Titan, and let’s build the ultimate cyber defense!

Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...

Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...

Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...

Brandon DeVault

I always thought scheduled tasks fell into the category of low-level adversaries. Did you know that a standard build of Windows 10 or 11 contains about 150 scheduled tasks by default? Did you know over 40 of these tasks are hidden by default? Cue misery… In this talk, I’ll explore the various details we can extract about scheduled tasks and why it’s so difficult to find anomalies. Everything from Microsoft typos, inconsistent naming schemes, and obfuscated execution details. And don’t worry, it’s not all doom and gloom. You’ll leave this presentation with PowerShell scripts, Elasticsearch dashboards, and a better understanding on how to hunt for malicious persistence.

Les Miserable Persistence - Hunting Through Scheduled Tasks - ShmooCon 2023.pdf

Les Miserable Persistence - Hunting Through Scheduled Tasks - ShmooCon 2023.pdf

Les Miserable Persistence - Hunting Through Scheduled Tasks - ShmooCon 2023.pdf

Brandon DeVault

You’ve got a secure environment and alerting in-place, yet the adversaries are still able to bypass your defenses. How do you find and stop the adversary before they are able to compromise your environment? In this workshop we’ll explore through a real-world attack chain from FIN7 and showcase strategies on how to hunt for specific techniques. This workshop focuses on network analysis and covers the following topics: SMTP Email Header Analysis Bidirectional C2 using legitimate cloud services Lateral Movement with RDP and SSH Exfiltration using cloud storage We’ll be using open-source tools like Zeek and Elasticsearch so we can really focus on the methodology and hunting for the behaviors. And hopefully, you’ll leave this workshop with some new skills for network threat hunting. I’ll also be releasing some threat hunting focused dashboards you can use in your own environment.

Tracing Transactions - BSides Orlando.pdf

Tracing Transactions - BSides Orlando.pdf

Tracing Transactions - BSides Orlando.pdf

Brandon DeVault

Log4j? Log4Shell? I feel like I’ve heard those terms before… Perhaps you were so bogged down with remediation and incident response that you didn’t get the necessary time to research and understand the full scope of what happened. In this hands-on talk, we’ll walk through how the vulnerability is exploited and what part it plays in the attack chain. You’ll have an opportunity to emulate the attack or follow along as I demonstrate the attack and various open-source detection methods. This talk takes a purple team approach by discussing the defender’s and attacker’s infrastructure, attack execution, and how to analyze the traffic for identification and detection. We’ll finish up by discussing the aftermath of attacks seen in the wild, current APT approaches to this vulnerability, and address any security concerns that remain. I’ll leave you with configured docker containers, detection mechanisms, and full instructions on how to emulate and detect this attack within your own environment.

Log4Shell Case Study - Suricon2022.pdf

Log4Shell Case Study - Suricon2022.pdf

Log4Shell Case Study - Suricon2022.pdf

Brandon DeVault

Presentation given at GrrCON 2022 on threat hunting. Abstract: You’ve got a secure environment and alerting in-place, yet the adversaries are still able to bypass your defenses. How do you find and stop the adversary before they are able to compromise your environment? In this talk I’ll walk through a real-world attack chain from FIN7 and showcase strategies on how to hunt for specific techniques. This talk focuses on network analysis and covers the following topics: – SMTP Email Header Analysis – Bidirectional C2 using legitimate cloud services – Lateral Movement with RDP and SSH I’ll be using open-source tools like Zeek and Elasticsearch so we can really focus on the methodology and hunting for the behaviors. And hopefully, you’ll leave this talk with some new skills for network threat hunting. I’ll also be releasing some threat hunting focused dashboards you can use in your own environment.

Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdf

Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdf

Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdf

Brandon DeVault

Level up your SOC - Guide for a Resilient Education Program.pdf

Level up your SOC - Guide for a Resilient Education Program.pdf

Level up your SOC - Guide for a Resilient Education Program.pdf

Brandon DeVault

Log4j vulnerability - CCC - Workshop.pdf

Log4j vulnerability - CCC - Workshop.pdf

Log4j vulnerability - CCC - Workshop.pdf

Brandon DeVault

Log4j vulnerability - CCC - Talk.pdf

Log4j vulnerability - CCC - Talk.pdf

Log4j vulnerability - CCC - Talk.pdf

Brandon DeVault

Dealing with the fallout from a massive exploit is everyone’s nightmare. Time and time again these vulnerabilities are found in open-source software. Does this mean we can’t trust open-source and should be developing everything from scratch? No, it’s not feasible or sustainable for anyone’s environment. So how do you handle this code that is embedded everywhere? In this talk, I’ll discuss the concerns open-source code and dependencies bring to any environment. We’ll start off by taking a historical look at vulnerabilities and their impact. Through this, we’ll look at methods for discovery, triage, and remediation. I focus on core tenants of remaining flexible, scalable, and integrating automation with the overall goal of reducing both risk and operational costs. The tradeoff between productivity, cost, and security doesn’t have to be a pick 2, lose 1 type scenario.

Handling Open-Source Code - ISF 2022.pdf

Handling Open-Source Code - ISF 2022.pdf

Handling Open-Source Code - ISF 2022.pdf

Brandon DeVault

How Microsoft will MiTM your network

How Microsoft will MiTM your network

How Microsoft will MiTM your network

Brandon DeVault

Más de Brandon DeVault (11)

grrcon-2023-scheduled-tasks.pdf

grrcon-2023-scheduled-tasks.pdf

grrcon-2023-scheduled-tasks.pdf

Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...

Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...

Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...

Les Miserable Persistence - Hunting Through Scheduled Tasks - ShmooCon 2023.pdf

Les Miserable Persistence - Hunting Through Scheduled Tasks - ShmooCon 2023.pdf

Les Miserable Persistence - Hunting Through Scheduled Tasks - ShmooCon 2023.pdf

Tracing Transactions - BSides Orlando.pdf

Tracing Transactions - BSides Orlando.pdf

Tracing Transactions - BSides Orlando.pdf

Log4Shell Case Study - Suricon2022.pdf

Log4Shell Case Study - Suricon2022.pdf

Log4Shell Case Study - Suricon2022.pdf

Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdf

Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdf

Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdf

Level up your SOC - Guide for a Resilient Education Program.pdf

Level up your SOC - Guide for a Resilient Education Program.pdf

Level up your SOC - Guide for a Resilient Education Program.pdf

Log4j vulnerability - CCC - Workshop.pdf

Log4j vulnerability - CCC - Workshop.pdf

Log4j vulnerability - CCC - Workshop.pdf

Log4j vulnerability - CCC - Talk.pdf

Log4j vulnerability - CCC - Talk.pdf

Log4j vulnerability - CCC - Talk.pdf

Handling Open-Source Code - ISF 2022.pdf

Handling Open-Source Code - ISF 2022.pdf

Handling Open-Source Code - ISF 2022.pdf

How Microsoft will MiTM your network

How Microsoft will MiTM your network

How Microsoft will MiTM your network

Último

Syngulon’s technology expands the capacity for selection of microorganisms. The ability to select individual microbes with a behavior of interest is essential, whether for simple cloning at the bench, or for industry-scale production. Synthetic biology uses the concept of “bioengineering” to improve or modify existing genetic systems to create microbes with desired behaviors, and Syngulon uses this approach to develop its selection technologies. This selection technology is based on bacteriocins, ribosomally-produced peptides naturally made by most bacteria to kill competitive microbial species. These bacteriocins can have a limited or wide target range against other microbial species. This technology offers advantageous over antibiotic selection for several reasons: it avoids the use of antibiotics in the first place, helping to reduce the spread of antibiotic resistant microbes. The technology also increases product yield; as bacteriocins are generally smaller peptides, they do not impose a heavy metabolic burden on the producing cell. They can have a wide target specificity, helping to avoid genetic drift. Finally, our system is 100% plasmid-based (e.g. without chromosomal mutations), making it applicable for use in any E. coli strains.

Syngulon - Selection technology May 2024.pdf

Syngulon - Selection technology May 2024.pdf

Syngulon - Selection technology May 2024.pdf

The Epson EcoTank L3210 is a high-performance and cost-efficient printer designed to meet the printing needs of both home users and small businesses. Equipped with Epson’s revolutionary EcoTank ink tank system, the Epson eliminates the need for traditional ink cartridges, thereby significantly reducing printing costs and plastic waste. With its PrecisionCore technology, this printer delivers sharp, vibrant prints for both documents and photos. Its user-friendly design ensures easy setup and operation, while its compact form factor saves valuable desk space. Whether it’s everyday printing jobs or creative projects, the Epson EcoTank L3210 provides a reliable and eco-friendly printing solution.

Buy Epson EcoTank L3210 Colour Printer Online.pdf

Buy Epson EcoTank L3210 Colour Printer Online.pdf

Buy Epson EcoTank L3210 Colour Printer Online.pdf

EasyPrinterHelp

Welcome to UiPath Test Automation using UiPath Test Suite series part 2. In this session, we will cover API test automation along with a web automation demo. Topics covered: Test Automation introduction API Example of API automation Web automation demonstration Speaker Pathrudu Chintakayala, Associate Technical Architect @Yash and UiPath MVP Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

UiPath Test Automation using UiPath Test Suite series, part 2

UiPath Test Automation using UiPath Test Suite series, part 2

UiPath Test Automation using UiPath Test Suite series, part 2

Intro in Product Management - Коротко про професію продакт менеджера

Intro in Product Management - Коротко про професію продакт менеджера

Intro in Product Management - Коротко про професію продакт менеджера

Unlock the mysteries of successful Salesforce interviews in this insightful session hosted by Hugo Rosario (Salesforce Customer), a seasoned hiring manager that leads the Salesforce Department of multinational company with over 100 interviews under their belt. Step into the manager's chair and gain exclusive behind-the-scenes insights into what makes a Salesforce consultant stand out during the interview process. From deciphering the unspoken cues to mastering key strategies, we'll explore the intricacies of the interview process and provide practical tips for consultants looking to not only pass interviews but also thrive in their roles. Whether you're a seasoned professional or just starting your Salesforce journey, this session is your backstage pass to the secrets that hiring managers wish you knew.

Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...

Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...

Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...

How to differentiate Sales Cloud and CPQ on first glance might be tricky if you do not know where to look and what to look at. You will know :-) Managing the sales process within Salesforce is a common use case that can be managed with standart Sales Cloud. If you want to do entire quoting process you will find out Salesforce CPQ solution exists. What is then the difference if both can handle selling products? You will see comparison of 10 different features, which Sales Cloud and Salesforce CPQ handle differently. Simple question you will always remember if you should consider using Salesforce CPQ will be a cherry on top.

10 Differences between Sales Cloud and CPQ, Blanka Doktorová

10 Differences between Sales Cloud and CPQ, Blanka Doktorová

10 Differences between Sales Cloud and CPQ, Blanka Doktorová

Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...

Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...

Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...

The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf

The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf

The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf

Screen flow is a powerful automation tool that is commonly designed for internal and external users. However, what about the guest users? We will dive into various methods of launching screen flows and understand how to make them publicly accessible, extending their usability to a broader audience. The presentation will also cover the implementation of security layers and highlight best practices for a smooth and protected user experience. Discover the potential of screen flows beyond conventional use and learn how to leverage them effectively.

Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade

Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade

Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade

The Epson EcoTank L3210 is a high-performance and cost-efficient printer designed to meet the printing needs of both home users and small businesses. Equipped with Epson’s revolutionary EcoTank ink tank system, the Epson eliminates the need for traditional ink cartridges, thereby significantly reducing printing costs and plastic waste. With its PrecisionCore technology, this printer delivers sharp, vibrant prints for both documents and photos. Its user-friendly design ensures easy setup and operation, while its compact form factor saves valuable desk space. Whether it’s everyday printing jobs or creative projects, the Epson EcoTank L3210 provides a reliable and eco-friendly printing solution.

Buy Epson EcoTank L3210 Colour Printer Online.pptx

Buy Epson EcoTank L3210 Colour Printer Online.pptx

Buy Epson EcoTank L3210 Colour Printer Online.pptx

EasyPrinterHelp

This talk offers actionable insights at an executive level for enhancing productivity and refining your portfolio management approach to propel your organization to greater heights. Key Points Covered: 1. Experience Transformation: - The core challenge remains consistent across organizations: converting budget into user-centric designs. - Strategies for deploying design resources effectively in both startups and large enterprises. 2. Strategic Frameworks: - Introduction to the "Ziggurat of Impact" model, detailing layers from basic system interactions to comprehensive customer experiences. - Practical insights on creating frameworks that scale with organizational complexity. 3. Organizational Impact: - Real-world examples of navigating design in large settings, focusing on the synthesis of consumer products and customer experiences. - Emphasis on the importance of designing systems that directly influence customer interactions. 4. Design Execution: - Detailed walkthrough of organizational layers affecting design execution, from touchpoints and customer activities to shared capabilities. - How to ensure design influences both the micro and macro aspects of customer interactions. 5. Measurement and Adaptation: - Techniques for measuring the impact of design decisions and adapting strategies based on data-driven insights. - The critical role of continuous improvement and feedback in refining customer experiences.

Structuring Teams and Portfolios for Success

Structuring Teams and Portfolios for Success

Structuring Teams and Portfolios for Success

Already know how to write a basic SOQL query? Great! But what about an *aggregate* SOQL query? You know, the kind that uses aggregate functions like COUNT & MAX along with GROUP BY and HAVING clauses? No? Well, get ready to learn how to slice & dice your org’s data right inside your own dev console. From finding duplicate records to prototyping summary & matrix reports, learn the ins and outs of aggregate queries during this fast-paced but admin-friendly session on advanced SOQL concepts.

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...

The standard Salesforce Approval process can be limiting in many ways, especially in complex scenarios. What if there was a way to implement very flexible approvals where one can use Apex code to make data updates in unrelated records, dynamically generate next steps details, and compute assignees on the fly? And still use UI-based configurations to implement concrete approval processes. In this session, we will share ideas behind such a solution and show a few lines of code to get you started.

Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder

Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder

Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder

How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf

How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf

How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf

Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...

Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...

Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...

IoT Analytics Company Presentation May 2024

IoT Analytics Company Presentation May 2024

IoT Analytics Company Presentation May 2024

Agentic RAG What it is its types applications and implementation.pdf

Agentic RAG What it is its types applications and implementation.pdf

Agentic RAG What it is its types applications and implementation.pdf

ChristopherTHyatt

PLAI - Acceleration Program for Generative A.I. Startups

PLAI - Acceleration Program for Generative A.I. Startups

PLAI - Acceleration Program for Generative A.I. Startups

Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)

Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)

Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)

Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf

Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf

Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf

Último (20)

Syngulon - Selection technology May 2024.pdf

Syngulon - Selection technology May 2024.pdf

Syngulon - Selection technology May 2024.pdf

Buy Epson EcoTank L3210 Colour Printer Online.pdf

Buy Epson EcoTank L3210 Colour Printer Online.pdf

Buy Epson EcoTank L3210 Colour Printer Online.pdf

UiPath Test Automation using UiPath Test Suite series, part 2

UiPath Test Automation using UiPath Test Suite series, part 2

UiPath Test Automation using UiPath Test Suite series, part 2

Intro in Product Management - Коротко про професію продакт менеджера

Intro in Product Management - Коротко про професію продакт менеджера

Intro in Product Management - Коротко про професію продакт менеджера

Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...

Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...

Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...

10 Differences between Sales Cloud and CPQ, Blanka Doktorová

10 Differences between Sales Cloud and CPQ, Blanka Doktorová

10 Differences between Sales Cloud and CPQ, Blanka Doktorová

Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...

Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...

Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...

The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf

The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf

The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf

Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade

Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade

Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade

Buy Epson EcoTank L3210 Colour Printer Online.pptx

Buy Epson EcoTank L3210 Colour Printer Online.pptx

Buy Epson EcoTank L3210 Colour Printer Online.pptx

Structuring Teams and Portfolios for Success

Structuring Teams and Portfolios for Success

Structuring Teams and Portfolios for Success

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...

Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder

Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder

Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder

How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf

How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf

How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf

Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...

Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...

Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...

IoT Analytics Company Presentation May 2024

IoT Analytics Company Presentation May 2024

IoT Analytics Company Presentation May 2024

Agentic RAG What it is its types applications and implementation.pdf

Agentic RAG What it is its types applications and implementation.pdf

Agentic RAG What it is its types applications and implementation.pdf

PLAI - Acceleration Program for Generative A.I. Startups

PLAI - Acceleration Program for Generative A.I. Startups

PLAI - Acceleration Program for Generative A.I. Startups

Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)

Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)

Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)

Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf

Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf

Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf

BSides JAX 2019 - Threat Hunting with the Elastic Stack

1. 1 BSides Jacksonville 16 Nov 2019 Threat Hunting with the Elastic Stack

2. $whoami Brandon DeVault ● ● ● ● ● linkedin.com/in/brandondevault @Oofles brandon.devault@elastic.co @SolderSwag

3. 3 Agenda • Technology • Threat Hunting • Demo!

4. 4 Elastic Stack Overview

5. 5 SIEM & security analytics thrive on search Elastic is a search company

9. 9 Store, Search, & Analyze Visualize & Manage Ingest Elastic Stack Elastic Stack Kibana Elasticsearch Beats Logstash

10. 10 Logstash ETL for Elasticsearch Ingest data of all shapes, sizes, and sources Parse and dynamically transform data Transport data to any output Secure and encrypt data inputs Build your own pipelines Lots of plugins

11. 11 Beats Lightweight data shippers Ship data from the source Ship and centralize in Elasticsearch Ship to Logstash for transformation and parsing Ship to Elastic Cloud Libbeat: API framework to build custom beats 70+ community Beats

12. 12 Elasticsearch Distributed by design, scales horizontally

13. 13 Kibana Window into the Elastic Stack Visualize and analyze Geospatial Customize and Share Reports Graph Exploration UX to secure and manage the Elastic Stack Build Custom Apps

15. Core of ROCK ● ● ● ● ●

16. 16 What is ROCK? Yeah, but what’s in it?

17. 17 Zeek (Bro) Network Security Monitor • Analyzes network data and creates a session log • Uses the terms Originator and Responder ‒ originator ≠ source ‒ responder ≠ destination • Used to construct full timeline of events • See the bigger picture

18. 18 Threat Hunting

19. 19 Why are we doing this? Make. Them. Pay. Jason Batchelor

22.

24. 24 Aperture

25. Precise, Targeted ...errr Collection

26. 26 What could possibly go wrong? - Every live demo ever...

27. 27 Web : www.elastic.co Demos: demo.elastic.co Products : https://www.elastic.co/products Forums : https://discuss.elastic.co/ Community : https://www.elastic.co/community/meetups Twitter : @elastic Thank you!