
Blue Teaming on a Budget of Zero

Learn how to build a robust cyber security program with little to no investment in software.


  1. THREATCARE – Open Source Defense: Building a Security Program with Zero Budget
  2. Agenda
     • Budget challenges beyond CapEx/OpEx
     • Foundations: the big picture and where to start
     • Specific free & open-source tools to help at each step
     • Real-world experiences and fun stories* (*randomly dispersed throughout)
  3. whoami – Kyle Bubp
     • Just a dude trying to make things better.
  4. Security: What’s the “True Cost”?
     • Security = People + Processes + Products
     • People: salary, training, personal development, management
     • Processes: plan (policy), build (tech), test, improvement
     • Products: CapEx/OpEx, support, time to value, labor:value
  5. Why FOSS? Not just for people with budget constraints! It’s about time and control.
  6. Why FOSS?
     • Commercial: 1. Google search 2. Choose three 3. Contact vendors 4. Proof of concept 5. Wine & dine 6. Procurement 7. Implementation. Elapsed time: weeks/months
     • FOSS: 1. Google search 2. Download 3. Configure. Elapsed time: minutes/hours
  7. Shelfware: products that are purchased but never get used, or never fully achieve their intended value
  8. What ends up on the shelf? What would get them off the shelf?
  9. Start with a solid foundation.
  10. Foundational Blueprints and Frameworks
     • NIST standards and frameworks
     • CIS Critical Security Controls
     • ISO 27000
     • MITRE ATT&CK
  11. Document everything! A core documentation repository is critical.
     • Policy, procedure, how-tos, etc.: MediaWiki; Atlassian Confluence ($10 for up to 10 users)
     • Incident response ticketing/documentation: RTIR; The Hive
  12. Build from the ground up: 1. Identify 2. Protect and Harden 3. Detect 4. Respond 5. Recover
  13. The Asset Discovery Dilemma: Active scanning? Nmap? Vuln scanner? No. Ask your network! NetDB .ova available at
  14. Other network mapping approaches
     • nmap + ndiff/yandiff: not just for red teams. Export results, diff for changes, alert if something changed.
     • Netdisco: uses SNMP to inventory your network devices
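The "export results, diff for changes, alert if something changed" workflow from slide 14, as an added example that is not from the talk: a small Python stand-in for ndiff that parses two `nmap -oX` snapshots, reports new and vanished hosts plus ports that opened or closed on hosts present in both, and formats the result as an alert. The two XML documents are constructed to mimic nmap's XML output (addresses, ports and service names are made up for the example); in practice you would feed it yesterday's and today's saved scan files.

```python
"""Diff two nmap XML snapshots and report what changed.

Added example, not from the talk: a scriptable stand-in for the
"export results, diff for changes, alert if something changed" step.
The two XML documents below are constructed to look like `nmap -oX`
output; they are not real scan results.
"""
import xml.etree.ElementTree as ET

# Constructed sample: yesterday's snapshot of a small subnet.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - 10.0.0.0/29">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed sample: today's snapshot. 10.0.0.6 is no longer up,
# 10.0.0.7 is new, and 10.0.0.5 now also answers on tcp/23. The
# closed tcp/8080 entry must be ignored by the parser.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - 10.0.0.0/29">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {(proto, port), ...}} for hosts that are up, counting
    only ports nmap reported as open."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        open_ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        inventory[addr.get("addr")] = open_ports
    return inventory


def diff_inventories(old, new):
    """Compare two inventories. Ports on brand-new or vanished hosts are
    reported with the host, not repeated under opened/closed."""
    changes = {
        "new_hosts": sorted(set(new) - set(old)),
        "removed_hosts": sorted(set(old) - set(new)),
        "opened": [],
        "closed": [],
    }
    for ip in sorted(set(old) & set(new)):
        changes["opened"] += [(ip, p, n) for p, n in sorted(new[ip] - old[ip])]
        changes["closed"] += [(ip, p, n) for p, n in sorted(old[ip] - new[ip])]
    return changes


def has_changes(changes):
    return any(changes.values())


def format_alert(changes):
    """Human-readable summary suitable for an e-mail or chat alert."""
    if not has_changes(changes):
        return "no change since baseline"
    lines = []
    for ip in changes["new_hosts"]:
        lines.append(f"NEW HOST     {ip}")
    for ip in changes["removed_hosts"]:
        lines.append(f"HOST GONE    {ip}")
    for ip, proto, port in changes["opened"]:
        lines.append(f"PORT OPENED  {ip} {proto}/{port}")
    for ip, proto, port in changes["closed"]:
        lines.append(f"PORT CLOSED  {ip} {proto}/{port}")
    return "\n".join(lines)


if __name__ == "__main__":
    delta = diff_inventories(parse_nmap_xml(BASELINE_XML), parse_nmap_xml(CURRENT_XML))
    print(format_alert(delta))
```

Run from cron after each scheduled scan and send the output of `format_alert` only when `has_changes` is true; a newly opened port or an unknown host showing up is exactly the kind of change that should wake someone up, while an unchanged inventory should stay silent.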
  15. Data Discovery
     • Users are good at putting sensitive data on the network.
     • Find it with OpenDLP.
  16. OpenVAS
     • Fork of Nessus
     • Still maintained
     • Default vuln scanner in AlienVault
     • Does a great job in comparison with commercial products
  17. Web Apps too!
     • Arachni Framework
     • OWASP ZAP (Zed Attack Proxy)
     • Nikto2 (more of a server config scanner)
     • PortSwigger Burp Suite (not free: $350)
     • For a comparison –
  18. In addition to fixing vulnerabilities…
     • Build in some additional security on your web servers (also part of a secure configuration).
     • Fail2ban: Python-based IPS that runs off Apache logs
     • ModSecurity: open-source WAF for Apache, IIS & nginx
  19. Build from the ground up: 1. Identify 2. Protect and Harden 3. Detect 4. Respond 5. Recover
  20. Protect
  21. Intrusion Detection and Prevention
  22. Host-based IDS
     • Monitor critical and sensitive files via integrity checks
     • Detects rootkits
     • Can monitor the Windows Registry
     • Alert on changes
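The integrity-check half of slide 22, as an added example that is not from the talk and not the code of any HIDS product: it hashes every file under a directory into a JSON baseline and, on the next run, reports files that were modified, added or removed. The `demo` function builds a throwaway tree in a temp directory (the paths and file contents in it are constructed for the example), stores and reloads the baseline, tampers with the tree, and returns what the check reports.

```python
"""File-integrity monitoring, the core of a host-based IDS.

Added example, not from the talk and not any product's code: hash every
file under a directory into a baseline, then report modified, added and
missing files on the next run. The tree built by demo() is constructed.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=64 * 1024):
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Record hash, size and permission bits of every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):  # skip sockets, fifos, dangling links
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            baseline[rel] = {
                "sha256": sha256_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def check_integrity(root, baseline):
    """Re-hash root and diff it against the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Return (report before tampering, report after tampering)."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        # Constructed "critical files"; contents are placeholders.
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n")
        _write(root, "usr/local/bin/tool", b"#!/bin/sh\necho ok\n")

        baseline_path = os.path.join(store, "baseline.json")  # kept outside the tree
        save_baseline(build_baseline(root), baseline_path)
        baseline = load_baseline(baseline_path)
        clean = check_integrity(root, baseline)

        # Simulated drift: one edit, one deletion, one new file.
        with open(os.path.join(root, "etc/ssh/sshd_config"), "ab") as fh:
            fh.write(b"PermitRootLogin yes\n")
        os.remove(os.path.join(root, "usr/local/bin/tool"))
        _write(root, "etc/cron.d/new-job", b"* * * * * root /tmp/job\n")
        tampered = check_integrity(root, baseline)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before)
    print("after tampering:", after)
```

The baseline must live somewhere the monitored host cannot silently rewrite (a read-only location or the central log server), otherwise whoever changes the file can change the baseline with it; the check reports per-file differences, so wiring it to the "alert on changes" bullet is just a matter of sending the non-empty lists.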
  23. Windows 10 – out of the box – CIS Benchmark
  24. Secure Configuration
     • CIS Benchmarks / DISA STIGs
     • Configuration management, while not exciting, is important
     • Deploy configs across your enterprise using tools like GPO, Chef, Puppet, or Ansible
     • Change management is also important: use a git repo for tracking changes to your config scripts
  25. PATCH IT ALL (kinda)
  26. Patching Windows +
  27. Patching Linux +
  28. Build from the ground up: 1. Identify 2. Protect and Harden 3. Detect 4. Respond 5. Recover
  29. What’s happening on the endpoint?
     • Facebook-developed osquery is effectively free EDR
     • Agents for macOS, Windows, Linux
     • Deploy across your enterprise with Chef, Puppet, Ansible, or SCCM
     • Do fun things like search for IoCs (hashes, processes, etc.)
     • Pipe the data into the Elastic Stack for visibility & searchability
     • If you only need Windows, check out Microsoft Sysinternals Sysmon
  30. What’s happening on the network?
     • ELK stack
     • Suricata
     • Bro
     • Snort
     • Security Onion: put it all together
  31. Logging and Monitoring
     • Central logging makes detection and analysis easier
     • Many options here, such as Windows Event Subscription, rsyslog
     • Can also pipe to one central location with dashboards, such as the Elastic Stack
     • Good idea to include DNS logs!
  32. Testing Controls
  33. Breach and Attack Simulation
     • CALDERA (based on ATT&CK)
     • Uber Metta
     • Endgame RTA
     • Guardicore’s Infection Monkey
     • Barkly’s Stackhackr
     • Nextron Systems’ APTSimulator
     • AlphaSOC’s flightsim
  34. Education
  35. Phishing Education
     • Phishing Frenzy
     • Social Engineering Toolkit (SET)
     • GoPhish
  36. Parting thoughts…
     • Build versus buy
     • Security requirements don’t change, regardless of budget.
     • Build a strong foundation and branch out.
     • Consider scenarios: solve one scenario at a time, NOT all at once!
     • Stay curious and contribute to projects you like.
     • Community! Share ideas, learn from others.
     • DOCUMENT EVERYTHING
  37. Kyle Bubp @kylebubp @threatcare