One Key to Rule Them All: Detecting the Skeleton Key Malware

•Descargar como PPTX, PDF•

1 recomendación•2,496 vistas

Identity is one of the cornerstones of application security. On windows domains, identity is managed through Active Directory (AD) Domain service on the Domain Controller (DC). Therefore, it should come as no surprise that advanced attackers are actively targeting the DC. Earlier this year, Dell Secureworks had shared a report on an advanced attack campaign utilizing a dedicated DC malware, named “Skeleton Key” Malware. The Skeleton Key malware modifies the DC behavior to accept authentications specifying a secret ”Skeleton key” (i.e. “master key”) password, thus enabling the attackers to login from any computer as any domain user without installing any additional malware while keeping the original users’ authentication behavior. On this talk, we will explore the unique interaction between such malware functionality and the Kerberos authentication protocol; We will put a special emphasis on its manifestation over the network traffic. We will also share a script that implements the remotes detection of the skeleton key malware functionality. The talk was given on TCE2015 summer school, Technion, Israel

TCE2015 Summer School, September 2015

• The Villain:
• The Damsel:
• Damsel in distress:
• Knight in shining Armor:

campaign
http://www.tibco.com/blog/wp-content/uploads/2013/01/Hackers-With-An-Agenda.jpg

admin123

wrongpassword

P@$$w0rd1

admin
123
des_cbc_md5 f8fd987fa7153185
LSASS (kerberos)
rc4_hmac_nt
(NTLM/md4)
cc36cf7a8514893e
fccd332446158b1a
aes128_hmac
8451bb37aa6d7ce3
d2a5c2d24d317af3
aes256_hmac
1a7ddce7264573ae1
f498ff41614cc7800
1cbf6e3142857cce2
566ce74a7f25b
KDC
KDC
TGT
TGS
③ TGS-REQ (Server)
④ TGS-REP
⑤ Usage
User
Server

• AES uses the username for salt
• RC4-HMAC doesn’t have any!
• AES uses PBKDF2= Thousands of SHA
rounds
• RC4-HMAC doesn’t have any!

KDC
admin
123
User1
des_cbc_md5 f8fd987fa7153185
LSASS (kerberos)
rc4_hmac_nt
(NTLM/md4)
cc36cf7a8514893e
fccd332446158b1a
aes128_hmac
8451bb37aa6d7ce3
d2a5c2d24d317af3
aes256_hmac
1a7ddce7264573ae1
f498ff41614cc7800
1cbf6e3142857cce2
566ce74a7f25b
user rc4_hmac
_nt
aes256_
hmac
Joe 21321… 543..
user1 cc36cf7a
…
1a7ddc
…
Doe
TGT

KDC
User1
des_cbc_md5
LSASS (kerberos)
rc4_hmac_nt
(NTLM/md4)
aes128_hmac
aes256_hmac
user rc4_hmac
_nt
aes256_
hmac
Joe 21321… 543..
user1 cc36cf7a
…
1a7ddc
…
TGT
ff687678....
Pa$$w0rd1
ff687678…

KDC

1
ATA Analyzes all Active Directory-
related traffic and collects relevant
events from SIEM
3
ATA Builds the organizational security
graph, detects abnormal behavior,
protocol attacks and weaknesses and
constructs an attack timeline
2
ATA automatically learns all entities’
behaviors
ANALYZE LEARN DETECT

Abnormal Behavior
• Anomalous logins
• Abnormal behavior
• Unknown threats
• Password sharing
• Lateral-movement
Security Risks
• Weak Protocols
• Known protocol vulnerabilities
• Broken Trust
Attacksinreal-time
• Pass-the-Ticket (PtT)
• Pass-the-Hash (PtH)
• Forged PAC (MS14-068)
• Reconnaissance
• Bruteforce
1
2
3

https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73

https://gallery.technet.microsoft.com/Aorato-
Skeleton-Key-24e46b73
https://www.microsoft.com/en-
us/evalcenter/evaluate-microsoft-advanced-
threat-analytics

@TalBeerySec
@ItaiGrady

Más contenido relacionado

La actualidad más candente

iostat await svctm の見かた、考え方

iostat await svctm の見かた、考え方

iostat await svctm の見かた、考え方

PostgreSQLの実行計画を読み解こう(OSC2015 Spring/Tokyo)

PostgreSQLの実行計画を読み解こう(OSC2015 Spring/Tokyo)

PostgreSQLの実行計画を読み解こう(OSC2015 Spring/Tokyo)

The talk "Kubernetes and Docker Forensics & Incident Response" will focus on the Digital Forensics and Incident Response (DFIR) investigation of containerized environments using Kubernetes and Docker. With the increasing adoption of containerization technologies, it is crucial for organizations to have a robust security strategy in place to handle security incidents. This talk will cover the key concepts of containerization technologies such as Docker and Kubernetes, and their security implications. We will discuss the forensic techniques and methodologies that can be used to identify the root cause of security incidents in these environments, including container forensics, network traffic analysis, and memory forensics. The talk will also provide insights into the challenges and limitations of conducting a DFIR investigation in a containerized environment, such as the ephemeral nature of containers and the need for specialized tooling. Attendees will learn about the best practices for implementing logging and monitoring in Docker and Kubernetes environments, as well as the importance of having a well-defined incident response plan for containerized environments. Overall, this talk will provide valuable insights into the DFIR investigation of containerized environments using Kubernetes and Docker, and how organizations can better prepare themselves to respond to security incidents in these environments.

Kubernetes Docker Forensics & Incident Response.pdf

Kubernetes Docker Forensics & Incident Response.pdf

Kubernetes Docker Forensics & Incident Response.pdf

Christopher Doman

JPC2017 [D4] Microsoft 365 が実現するデジタル時代のセキュリティ

JPC2017 [D4] Microsoft 365 が実現するデジタル時代のセキュリティ

JPC2017 [D4] Microsoft 365 が実現するデジタル時代のセキュリティ

Reverse shell

C++のライブラリを簡単に眺めてみよう

C++のライブラリを簡単に眺めてみよう

C++のライブラリを簡単に眺めてみよう

PostgreSQL WAL for DBAs

PostgreSQL WAL for DBAs

PostgreSQL WAL for DBAs

漢のPort forwarding

漢のPort forwarding

漢のPort forwarding

Passwords: they just seem to work. You connect to your PostgreSQL database and you are prompted for your password. You type in the correct character combination, and presto! you're in, safe and sound. But what if I told you that all was not as it seemed. What if I told you there was a better, safer way to use passwords with PostgreSQL? What if I told you it was imperative that you upgraded, too? PostgreSQL 10 introduced SCRAM (Salted Challenge Response Authentication Mechanism), introduced in RFC 5802, as a way to securely authenticate passwords. The SCRAM algorithm lets a client and server validate a password without ever sending the password, whether plaintext or a hashed form of it, to each other, using a series of cryptographic methods. In this talk, we will look at: * A history of the evolution of password storage and authentication in PostgreSQL * How SCRAM works with a step-by-step deep dive into the algorithm (and convince you why you need to upgrade!) * SCRAM channel binding, which helps prevent MITM attacks during authentication * How to safely set and modify your passwords, as well as how to upgrade to SCRAM-SHA-256 (which we will do live!) all of which will be explained by some adorable elephants and hippos! At the end of this talk, you will understand how SCRAM works, how to ensure your PostgreSQL drivers supports it, how to upgrade your passwords to using SCRAM-SHA-256, and why you want to tell other PostgreSQL password mechanisms to SCRAM!

Get Your Insecure PostgreSQL Passwords to SCRAM

Get Your Insecure PostgreSQL Passwords to SCRAM

Get Your Insecure PostgreSQL Passwords to SCRAM

MySQLとPostgreSQLの基本的なパラメータ比較

MySQLとPostgreSQLの基本的なパラメータ比較

MySQLとPostgreSQLの基本的なパラメータ比較

Shinya Sugiyama

Présentation ELK/SIEM et démo Wazuh

Présentation ELK/SIEM et démo Wazuh

Présentation ELK/SIEM et démo Wazuh

Aurélie Henriot

PostgreSQL16新機能紹介 - libpq接続ロード・バランシング（第41回PostgreSQLアンカンファレンス@オンライン発表資料）

PostgreSQL16新機能紹介 - libpq接続ロード・バランシング（第41回PostgreSQLアンカンファレンス@オンライン発表資料）

PostgreSQL16新機能紹介 - libpq接続ロード・バランシング（第41回PostgreSQLアンカンファレンス@オンライン発表資料）

NTT DATA Technology & Innovation

SecurityFest-22-Fitzl-beyond.pdf

SecurityFest-22-Fitzl-beyond.pdf

SecurityFest-22-Fitzl-beyond.pdf

Redis data modeling examples

Redis data modeling examples

Redis data modeling examples

2023 COSCUP - Whats new in PostgreSQL 16

2023 COSCUP - Whats new in PostgreSQL 16

2023 COSCUP - Whats new in PostgreSQL 16

Active Directory 侵害と推奨対策

Active Directory 侵害と推奨対策

Active Directory 侵害と推奨対策

Yurika Kakiuchi

PostgreSQL14の pg_stat_statements 改善（第23回PostgreSQLアンカンファレンス@オンライン発表資料）

PostgreSQL14の pg_stat_statements 改善（第23回PostgreSQLアンカンファレンス@オンライン発表資料）

PostgreSQL14の pg_stat_statements 改善（第23回PostgreSQLアンカンファレンス@オンライン発表資料）

NTT DATA Technology & Innovation

iostatの見方

Using Wildcards with rsyslog's File Monitor imfile

Using Wildcards with rsyslog's File Monitor imfile

Using Wildcards with rsyslog's File Monitor imfile

Rainer Gerhards

【さくらのクラウド】DNSアプライアンス導入ガイド

【さくらのクラウド】DNSアプライアンス導入ガイド

【さくらのクラウド】DNSアプライアンス導入ガイド

さくらインターネット株式会社

La actualidad más candente (20)

iostat await svctm の見かた、考え方

iostat await svctm の見かた、考え方

iostat await svctm の見かた、考え方

PostgreSQLの実行計画を読み解こう(OSC2015 Spring/Tokyo)

PostgreSQLの実行計画を読み解こう(OSC2015 Spring/Tokyo)

PostgreSQLの実行計画を読み解こう(OSC2015 Spring/Tokyo)

Kubernetes Docker Forensics & Incident Response.pdf

Kubernetes Docker Forensics & Incident Response.pdf

Kubernetes Docker Forensics & Incident Response.pdf

JPC2017 [D4] Microsoft 365 が実現するデジタル時代のセキュリティ

JPC2017 [D4] Microsoft 365 が実現するデジタル時代のセキュリティ

JPC2017 [D4] Microsoft 365 が実現するデジタル時代のセキュリティ

Reverse shell

C++のライブラリを簡単に眺めてみよう

C++のライブラリを簡単に眺めてみよう

C++のライブラリを簡単に眺めてみよう

PostgreSQL WAL for DBAs

PostgreSQL WAL for DBAs

PostgreSQL WAL for DBAs

漢のPort forwarding

漢のPort forwarding

漢のPort forwarding

Get Your Insecure PostgreSQL Passwords to SCRAM

Get Your Insecure PostgreSQL Passwords to SCRAM

Get Your Insecure PostgreSQL Passwords to SCRAM

MySQLとPostgreSQLの基本的なパラメータ比較

MySQLとPostgreSQLの基本的なパラメータ比較

MySQLとPostgreSQLの基本的なパラメータ比較

Présentation ELK/SIEM et démo Wazuh

Présentation ELK/SIEM et démo Wazuh

Présentation ELK/SIEM et démo Wazuh

PostgreSQL16新機能紹介 - libpq接続ロード・バランシング（第41回PostgreSQLアンカンファレンス@オンライン発表資料）

PostgreSQL16新機能紹介 - libpq接続ロード・バランシング（第41回PostgreSQLアンカンファレンス@オンライン発表資料）

PostgreSQL16新機能紹介 - libpq接続ロード・バランシング（第41回PostgreSQLアンカンファレンス@オンライン発表資料）

SecurityFest-22-Fitzl-beyond.pdf

SecurityFest-22-Fitzl-beyond.pdf

SecurityFest-22-Fitzl-beyond.pdf

Redis data modeling examples

Redis data modeling examples

Redis data modeling examples

2023 COSCUP - Whats new in PostgreSQL 16

2023 COSCUP - Whats new in PostgreSQL 16

2023 COSCUP - Whats new in PostgreSQL 16

Active Directory 侵害と推奨対策

Active Directory 侵害と推奨対策

Active Directory 侵害と推奨対策

PostgreSQL14の pg_stat_statements 改善（第23回PostgreSQLアンカンファレンス@オンライン発表資料）

PostgreSQL14の pg_stat_statements 改善（第23回PostgreSQLアンカンファレンス@オンライン発表資料）

PostgreSQL14の pg_stat_statements 改善（第23回PostgreSQLアンカンファレンス@オンライン発表資料）

iostatの見方

Using Wildcards with rsyslog's File Monitor imfile

Using Wildcards with rsyslog's File Monitor imfile

Using Wildcards with rsyslog's File Monitor imfile

【さくらのクラウド】DNSアプライアンス導入ガイド

【さくらのクラウド】DNSアプライアンス導入ガイド

【さくらのクラウド】DNSアプライアンス導入ガイド

Similar a One Key to Rule Them All: Detecting the Skeleton Key Malware

Skeleton key malware detection owasp

Skeleton key malware detection owasp

Skeleton key malware detection owasp

Debugging linux

Debugging linux

Debugging linux

Keynote for PerconaLive 2018 by Brendan Gregg. Video: https://youtu.be/sV3XfrfjrPo?t=30m51s . "At over one thousand code commits per week, it's hard to keep up with Linux developments. This keynote will summarize recent Linux performance features, for a wide audience: the KPTI patches for Meltdown, eBPF for performance observability, Kyber for disk I/O scheduling, BBR for TCP congestion control, and more. This is about exposure: knowing what exists, so you can learn and use it later when needed. Get the most out of your systems, whether they are databases or application servers, with the latest Linux kernels and exciting features."

Linux Performance 2018 (PerconaLive keynote)

Linux Performance 2018 (PerconaLive keynote)

Linux Performance 2018 (PerconaLive keynote)

Implement the DES system in C++, Java, perl, etc. and then decrypt the ciphertext. DES- cipher text--------------------------------------- D8C6C52158391C0AFD150E6B8E519BAA C44C60266DD2CB1B87344EFA0C06DB8C A82D850D49850723D7438B07F3C1F512 512188DF2ECB5AB3D83FE100C74E2BA7 6848D533A4538382EDEB4060DE88D43C 7521B944DF91C69B03B8207C23A815A6 1EF742C2D69B74CE184A03BE6500C54D E134A6EF66D839359D61CB06DFF5A995 2EC3D9F6E6DCEC7B84C50069D91E368A 596ABBD65B9EC0AB5F5979831D1FDBE3 B0358D6B01C23290A1A4B6F640C454ED 4EAAEC9BDEBE644DB9C95AD37A88F13B F29C3741F050E29BF699409BD0EC285C 970D1416FB4D1B5F0685552090B7D5B6 2E91DA5A83896E99D4C40DB066692380 05B8183C9488376563EF011435884B2E 1283E67A63ED9EF00AE70EEA86BEBC88 7EE04D758A37769E3E9386D7140450BF 9C696EF5F7B06E76FD404B0A1DA12449 4559ED3DFD61708CAB9B39737B3DB0EB 77C243828814B45937CBCECDD71A74F3 040CF7F2073C2761CAECCA7EDAA8FFD9 DC8F552E43262749F9C0E3C89852B518 38FD7A68F377EDBF7628E2F48857C3D5 3D6CB4B2BF119B8C3C3E1806B9F94414 7CEFB4D2DA61F7990A34F7839D737907 D3DE55435D263AD88918D2F522F89A5F EF9329D9D3E66388E7A973750FFD8DBD 90776C65CD96109C256D34BE2CC60C35 E284D300832F7862571790ECBB9AB7F0 5CC87AE66DD4A66F7A2EC6DDD43A573A 2DEA748A179C16BB45DD7C7978BE4DFC CB2B83F70A630F787FAA8E1019372C8C 535A84DFF67923828A6B5447AA630F7D FF5328DDC66C044C0B88273A4ECA5043 BE89ACA2CC60D429BF08FE5B05780B49 2770F42FBB9DF36E6AB2E678AD43BD5D 0A2A28D56756C85A380433BC1FFB7C2D 8EF3C2F9AF592D058660DBEA0386E15B 65558AB5CE49B424B99D7A6BE6B2788F 1DD935E852D84891F2E54F26F4CDFC31 A0A6785A2C94D4D8BEEBC8D23FFBA701 E319D629BA83E55036057998A2A4495A FF8A99B6D3F5965DE1477B6B59685824 0CF466A85E7D27CF885D4F26F2E721EB CE32A11C08B706F67ADE442CA79C8ADB D6DF16C40F10AF68B52A2A773054FFE4 80B2BAD30908861EC4C490C8DAEEBDAD CE9C1CB3D20D4F0CF3A133FBCAEDC4C9 EF88CA27558E01D97EF0BD3045605558 27B7C3DB498E4B3A80A87D688B8F8751 EF01981FC41ECD93802C1168D0D335A1 54428A0EB045CE4BD2A8178FA7F223BE 41CC97DDEEA416EFF435C65116EE5124 38838AC7CD8FAF64EC37CECAB9EC7295 B60B4FB2DDD3B571BA0EEDA9A18A455B E295F854B83A1950AA306BAD850192F2 2D69D5D2F388F4091655D9291CF1B062 4BCEE55AB6AA75EF82AD251908412655 F53030F37A90BFB4640F4445FB74A158 C0E55A63A10E3CE069FA226FE94A7F37 D5F98795EABD9DE13DABC11DBDC04A71 F67260B66E98F2F5E6F134C8B34C3D44 FFC41D16944BFDF7FE9A4663E7F5041C 7DD815447FD54123B796F70C960632E1 31AE253CD81DA34B9DE739494BD9562F 1C53FDA78B904D7157E6404CACDC7CA4 2C9AB5C4146E7A550C5B08944E8D9791 62720FC78B7F3AD54E8CE3383C1A839B 9E8CFFAD500380D6ADE2B1DD086DD7C5 287C3575E3FC39E5784F7FA61C1AD784 D03EE00C81FC273C5332870F10414393 77E2C67EC3FB20F7CAAA8AC37E765F6E 884DC88CA2B593E41919E884D490F951 3E5A094FFC3F8EF50E4005E398722532 AB67370656D5D411576D795D92FF5E44 21D02B8A0C3DEA60849DCF243C17A5DF 3FB8B00B6F8D644DBD04A9B24930A097 5588252174E35AD10149C0396BDE91A1 F5BFE68B1A0251CC68A638BF0DD09DBA DE3936318E5F02F3EF48CF45CFF952B8 2506AF26A3F26A15C1BFB348772A1BD6 BE36A3BB5729E351F2AC0DE4F8F2BFDE F2A15D03818A5675A08C6A87D72DE737 3.

Implement the DES system in C++- Java- perl- etc- and then decrypt the.docx

Implement the DES system in C++- Java- perl- etc- and then decrypt the.docx

Implement the DES system in C++- Java- perl- etc- and then decrypt the.docx

How I failed to present on using DVCS to control archival metadata

How I failed to present on using DVCS to control archival metadata

How I failed to present on using DVCS to control archival metadata

Metasepi team meeting #19: ATS application on Arduino

Metasepi team meeting #19: ATS application on Arduino

Metasepi team meeting #19: ATS application on Arduino

Tools for Metaspace

Tools for Metaspace

Tools for Metaspace

Takahiro YAMADA

Talk by Brendan Gregg for All Things Open 2018. "At over one thousand code commits per week, it's hard to keep up with Linux developments. This keynote will summarize recent Linux performance features, for a wide audience: the KPTI patches for Meltdown, eBPF for performance observability and the new open source tools that use it, Kyber for disk I/O sc heduling, BBR for TCP congestion control, and more. This is about exposure: knowing what exists, so you can learn and use it later when needed. Get the most out of your systems with the latest Linux kernels and exciting features."

ATO Linux Performance 2018

ATO Linux Performance 2018

ATO Linux Performance 2018

Current Cost presentation at Open Tech 2008

Current Cost presentation at Open Tech 2008

Current Cost presentation at Open Tech 2008

Linux kernel debugging(ODP format)

Linux kernel debugging(ODP format)

Linux kernel debugging(ODP format)

Linux kernel debugging(PDF format)

Linux kernel debugging(PDF format)

Linux kernel debugging(PDF format)

Similar a One Key to Rule Them All: Detecting the Skeleton Key Malware (11)

Skeleton key malware detection owasp

Skeleton key malware detection owasp

Skeleton key malware detection owasp

Debugging linux

Debugging linux

Debugging linux

Linux Performance 2018 (PerconaLive keynote)

Linux Performance 2018 (PerconaLive keynote)

Linux Performance 2018 (PerconaLive keynote)

Implement the DES system in C++- Java- perl- etc- and then decrypt the.docx

Implement the DES system in C++- Java- perl- etc- and then decrypt the.docx

Implement the DES system in C++- Java- perl- etc- and then decrypt the.docx

How I failed to present on using DVCS to control archival metadata

How I failed to present on using DVCS to control archival metadata

How I failed to present on using DVCS to control archival metadata

Metasepi team meeting #19: ATS application on Arduino

Metasepi team meeting #19: ATS application on Arduino

Metasepi team meeting #19: ATS application on Arduino

Tools for Metaspace

Tools for Metaspace

Tools for Metaspace

ATO Linux Performance 2018

ATO Linux Performance 2018

ATO Linux Performance 2018

Current Cost presentation at Open Tech 2008

Current Cost presentation at Open Tech 2008

Current Cost presentation at Open Tech 2008

Linux kernel debugging(ODP format)

Linux kernel debugging(ODP format)

Linux kernel debugging(ODP format)

Linux kernel debugging(PDF format)

Linux kernel debugging(PDF format)

Linux kernel debugging(PDF format)

Más de Tal Be'ery

Give me some (key) space!

Give me some (key) space!

Give me some (key) space!

The introduction of Web3 smart contracts has opened unlimited opportunities for decentralized apps (dApps) and users. With smart contracts, anything that can be coded can be deployed by anyone on the blockchain. As a result, in a Web3 environment, the users’ blockchain transactions, previously merely used for sending coins to peers, are now, in fact, Remote Procedure Calls (RPCs) for smart contracts. The flip side of this expressiveness is that it’s almost impossible to know analytically in advance what would be the outcome of such RPC to an arbitrary smart contract. Attackers abuse this observability gap to trick users into signing transactions that are harmful in reality. This situation bears a close resemblance to the desktop environment: users need to evaluate in advance if a particular program behavior will be benign. To solve this gap, Web3 security has taken a page out of the desktop’s security book by using a sandbox-style emulation to evaluate the transaction's outcome before it gets sent to the blockchain. In Web3 lingo, such sandbox emulation is referred to as transaction simulation. In this talk, we will present our newly discovered attack methods against Web3 simulations, including the first-ever Web3 red pill exploits that allow smart contracts to know that they are running in a simulation and as a result, need to behave differently. We have tested our findings against numerous leading simulation providers in the Ethereum Virtual Machine (EVM) domain and found that they are indeed vulnerable to such attacks. As a result of our responsible disclosure, multiple (currently three) issues were fixed, and we were awarded bug bounties. We will explain these exploits in detail, including the research methodology allowing us to inspect simulators’ inaccessible inner workings. We will conclude with new and enlightening insights we gained through this research regarding the true capabilities and limitations of Web3 simulations.

Web3’s red pill: Smashing Web3 transaction simulations for fun and profit

Web3’s red pill: Smashing Web3 transaction simulations for fun and profit

Web3’s red pill: Smashing Web3 transaction simulations for fun and profit

Decentralized Finance (DeFi) is one of today’s most compelling crypto narratives and Compound is one of its most prominent examples. ZenGo research team has taken a deeper look into one of the most intriguing and novel aspects of the Compound protocol, the Liquidation process. This whitepaper (originally published on early 2020) offers a step-by-step technological explanation and financial survey of Compound’s Liquidation process and thus offers a learning opportunity on a prominent DeFi project, relevant for both experts and beginners.

Understanding Compound‘s Liquidation

Understanding Compound‘s Liquidation

Understanding Compound‘s Liquidation

2021’s hottest new tech term, according to TechCrunch, was “definitely Web3”. Web3, as its name suggests, is considered by many as the future of the internet: decentralized, permissionless, and based on modern blockchain technology. While Web3 might have a bright future, it’s in the middle of growing pains: A number of Web3 apps were hacked in 2021, leading to theft of cryptoassets valued at hundreds of millions of US Dollars. In this talk we will present Web3 app technology, dissect new attack surfaces, and suggest new and exciting defense mechanisms. First, we will dive into the technical details of Web3 applications, showing how Web3 technology opens new attack surfaces by moving app functionality onto the blockchain. We will then analyze these newly-exposed attack surfaces by reviewing a few examples we’ve discovered “in the wild.” While Web3 exposes new attack surfaces, it also provides novel detection opportunities. Specifically, the public and transparent nature of the blockchain allows security researchers to immediately explore full details of any attack and, as a result, leads to quick and thorough discoveries. This is a paradigm shift in security research, as current practices only allow a few to learn actual attack details, only some portions of which are shared publicly. This shift in transparency allowed us to independently explore the aforementioned attacks. Furthermore, we believe we can do even better and go beyond rapid post-mortem reports. We will show how the same raw data we had previously used for a post-mortem analysis can be analyzed in real-time (or even ante factum by “taking a peek” into the blocks that have yet to be mined) to detect and even prevent attacks. This capability is enabled by the online nature of the blockchain and its inherent block time delays. In fact, we can import, with relevant modifications, many of the principles and learnings of current web defenses, including Web Application Firewall (WAF) into the realm of blockchain. By doing so, we introduce a scheme for a Web3 Application Firewall (W3AF) which can greatly improve Web3 security and blockchain-based apps.

Web3 Security: The Blockchain is Your SIEM

Web3 Security: The Blockchain is Your SIEM

Web3 Security: The Blockchain is Your SIEM

Elliptic Curve Cryptography (ECC) protects many relevant everyday technologies, including the SSL/TLS protocol that protects our Internet communications and ECDSA signatures that protect Bitcoin and Ethereum transactions against modifications. In this talk we will learn about ECC cryptography, using the Billiards game analogy which make ECC understandable even for non-experts. We will describe some attacks against flawed ECC and signatures implementations, including the recent BlueTooth pairing vulnerability discovered by Technion researchers recently

The Color of Money

The Color of Money

The Color of Money

Slides of our Blackhat USA 2018 talk: Many new devices are trying to fit into our life seamlessly. As a result, there’s a quest for a “universal access methods” for all devices. Voice activation seems to be a natural candidate for the task and many implementations for it surfaced in recent years. A few notable examples are Amazon’s Alexa, Google’s Assistant and Microsoft’s Cortana. The problem starts when these “Universal” access methods, aimed for maximal comfort, meet the very “specific” use-case of the enterprise environment which requires comfort to be balanced with other aspects, such as security. Microsoft Cortana is used on Mobile and IoT devices, but also in the enterprise computers as it comes enabled by default with Windows10 and always ready to respond to users’ commands even when the machine is locked. Allowing interaction with a locked machine is a dangerous architectural decision, and earlier this year, we exposed the Voice of Esau (VoE) exploit for a Cortana vulnerability. The VoE exploit allowed attackers to take over a locked Windows10 machine by combining voice commands and network fiddling to deliver a malicious payload to the victim machine. In this presentation, we will reveal the “Open Sesame” vulnerability, a much more powerful vulnerability in Cortana that allows attackers to take over a locked Windows machine and execute arbitrary code. Exploiting the “Open Sesame” vulnerability attackers can view the contents of sensitive files (text and media), browse arbitrary web sites, download and execute arbitrary executables from the Internet, and under some circumstances gain elevated privileges. To make matters even worse, exploiting the vulnerability does not involve ANY external code, nor shady system calls, hence making code focused defenses such as Antivirus, Anti-malware and IPS blind to the attack. We would conclude by suggesting some defense mechanisms and compensating controls to detect and defend against such attacks.

Open Sesame: Picking Locks with Cortana

Open Sesame: Picking Locks with Cortana

Open Sesame: Picking Locks with Cortana

Our physical environments become increasingly packed with new, computerized, devices that increase our comfort and productivity and augment our everyday experience. These devices maintain a wealth of new and existing types of sensors into our surroundings and offer new channels of communications between humans and machines (voice, gestures), between machines themselves (new wireless protocol standards) and between machines and their motherships in the cloud. The coexistence of these new devices and interaction models with our "legacy" IT infrastructure have not escaped the eyes of the digital world's most early adopters – the hackers. In their minds, we've just created so many more gateways into our corporate networks with new types of sensorial data to collect (AKA steal) and subvert, and new protocols and formats to abuse in the process of getting access to corporate assets. As we researched the potential effect of this trend on enterprise cybersecurity we focused on one specific, much hyped, type of interaction: voice. In particular, we examined the voice interaction capabilities that are most prominent in an enterprise environment – those of Microsoft's voice activated assistance Cortana. During our research, which will be detailed in this session, we were able to fully demonstrate the following scenarios: Using voice as a gateway into enterprise: We will expose a previously unknown vulnerability in Microsoft Cortana's voice interface (responsibly disclosed to Microsoft and now patched) that allows close proximity attackers to take over an unattended locked Windows 10 computer. Using voice for lateral movement: We will show how this attack can be further amplified to allow remote attackers to move laterally within the victim's network. Systematically subverting information produced and used by sensorial systems: We will analyze, in technical details, the protocol Cortana uses to talk to its cloud and will expose the "Newspeak" tool that utilize this knowledge to fiddle with the protocol for fun (pranks!) and profit (additional custom functionality!), or just monitor it for security purposes. We will conclude our presentation with some practical suggestions regarding defending against this new breed of threats against enterprise networks and assets.

THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES

THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES

THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES

Automate or Die: How Automation Reshapes Cybersecurity

Automate or Die: How Automation Reshapes Cybersecurity

Automate or Die: How Automation Reshapes Cybersecurity

Tal Maor & Tal Be'ery Blackhat USA 2017 talk Recent advancements in the Targeted Attacks technology, and specifically to the Lateral Movement phase of it, are about to ignite an Industrial Revolution in this field. The original Industrial Revolution and its use of modern methods of mass production is said to had brought "improvements in the cost, quality, quantity, and variety of goods available". The Lateral Movement Industrial Revolution will have similar effects on the attack side. Consequently, it will have grave repercussions on the defensive side. As always when facing a stressful situation, defenders can respond either by: Fight, Flight, or Freeze. In this talk, we will describe these recent advancements in the field of automated Lateral, followed by a demo and the release of 'GoFetch', a new open-source lateral movement automation tool. We will conclude with a discussion on the implications of Lateral Movement industrialization on both attackers and defenders.

The Industrial Revolution of Lateral Movement

The Industrial Revolution of Lateral Movement

The Industrial Revolution of Lateral Movement

Advanced targeted attackers utilize compromised credentials in order to move laterally within their victims' network. These compromised credentials may consist of either domain or local credentials. Local credentials, especially those of local admins, are a lucrative target for the attackers as they are less managed (password complexity and change policy) and less monitored (no traffic and logs besides the specific computer). In this talk, we will cover how advanced attackers are abusing local users' credentials in their attacks, including real examples as captured "in the wild". We would follow with suggested new methods and tools to detect and prevent such attacks. Most notably, we'd expose a tool that implements a method which allows visibility to local users' activity without installing an agent on the monitored machine. The visibility is based on periodic scans of the local users' directory, the Windows Security Account Manager (SAM), using the standard SAM-Remote (SAMR) protocol, messages and APIs. Using these methods defenders gain visibility to local users' logons, group membership, password change among others. Security applications enabled by this visibility include but are not limited to, abnormal logons detection, abnormal group additions and removal detection and abnormal password changes detection.

The Enemy Within: Stopping Advanced Attacks Against Local Users

The Enemy Within: Stopping Advanced Attacks Against Local Users

The Enemy Within: Stopping Advanced Attacks Against Local Users

In this report, we breakdown the Target attack to 11 detailed steps, beginning with the initial credential theft of Target’s HVAC contractor to the theft of PII and credit cards. Particular attention is given to those steps, unknown until now, such as how the attackers were able to propagate within the network. Throughout this report we highlight pertinent insights into the Tactics, Techniques and Procedures (TTPs4) of the attackers. Finally, we provide recommendations on the needed security measures for mitigating similar advanced targeted attacks. I wrote this paper on 2014 as the VP of Research for Aorato

Target Breach Analysis

Target Breach Analysis

Target Breach Analysis

Today, the topic of cybersecurity has moved from IT and the datacenter to the highest levels of the boardroom. Attacks and threats have grown substantially more sophisticated in frequency and severity. Attackers reside within an internal network an average of eight months before they are even detected. In the vast majority of attacks, they compromise user credentials and they are increasingly using legitimate IT tools rather than malware. You are now working under the assumption of a breach. How do you find the attackers--before they cause damage? In this Blackhat talk we will discuss the TTPs (Tactics Techniques & Procedures) of advanced attackers and how they manifest themselves over the network. We will give a special attention to the Reconnaissance and Lateral Movement phases of the Cyber Kill Chain and discuss how network monitoring can be employed to mitigate these risks.

Battlefield network

Battlefield network

Battlefield network

Client sidesec 2013-intro

Client sidesec 2013-intro

Client sidesec 2013-intro

Client sidesec 2013 - non js

Client sidesec 2013 - non js

Client sidesec 2013 - non js

Client sidesec 2013 - script injection

Client sidesec 2013 - script injection

Client sidesec 2013 - script injection

Más de Tal Be'ery (15)

Give me some (key) space!

Give me some (key) space!

Give me some (key) space!

Web3’s red pill: Smashing Web3 transaction simulations for fun and profit

Web3’s red pill: Smashing Web3 transaction simulations for fun and profit

Web3’s red pill: Smashing Web3 transaction simulations for fun and profit

Understanding Compound‘s Liquidation

Understanding Compound‘s Liquidation

Understanding Compound‘s Liquidation

Web3 Security: The Blockchain is Your SIEM

Web3 Security: The Blockchain is Your SIEM

Web3 Security: The Blockchain is Your SIEM

The Color of Money

The Color of Money

The Color of Money

Open Sesame: Picking Locks with Cortana

Open Sesame: Picking Locks with Cortana

Open Sesame: Picking Locks with Cortana

THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES

THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES

THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES

Automate or Die: How Automation Reshapes Cybersecurity

Automate or Die: How Automation Reshapes Cybersecurity

Automate or Die: How Automation Reshapes Cybersecurity

The Industrial Revolution of Lateral Movement

The Industrial Revolution of Lateral Movement

The Industrial Revolution of Lateral Movement

The Enemy Within: Stopping Advanced Attacks Against Local Users

The Enemy Within: Stopping Advanced Attacks Against Local Users

The Enemy Within: Stopping Advanced Attacks Against Local Users

Target Breach Analysis

Target Breach Analysis

Target Breach Analysis

Battlefield network

Battlefield network

Battlefield network

Client sidesec 2013-intro

Client sidesec 2013-intro

Client sidesec 2013-intro

Client sidesec 2013 - non js

Client sidesec 2013 - non js

Client sidesec 2013 - non js

Client sidesec 2013 - script injection

Client sidesec 2013 - script injection

Client sidesec 2013 - script injection

Último

How world-class product teams are winning in the AI era by CEO and Founder, P...

How world-class product teams are winning in the AI era by CEO and Founder, P...

How world-class product teams are winning in the AI era by CEO and Founder, P...

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Already know how to write a basic SOQL query? Great! But what about an *aggregate* SOQL query? You know, the kind that uses aggregate functions like COUNT & MAX along with GROUP BY and HAVING clauses? No? Well, get ready to learn how to slice & dice your org’s data right inside your own dev console. From finding duplicate records to prototyping summary & matrix reports, learn the ins and outs of aggregate queries during this fast-paced but admin-friendly session on advanced SOQL concepts.

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...

I'm excited to share my latest predictions on how AI, robotics, and other technological advancements will reshape industries in the coming years. The slides explore the exponential growth of computational power, the future of AI and robotics, and their profound impact on various sectors. Why this matters: The success of new products and investments hinges on precise timing and foresight into emerging categories. This deck equips founders, VCs, and industry leaders with insights to align future products with upcoming tech developments. These insights enhance the ability to forecast industry trends, improve market timing, and predict competitor actions. Highlights: ▪ Exponential Growth in Compute: How $1000 will soon buy the computational power of a human brain ▪ Scaling of AI Models: The journey towards beyond human-scale models and intelligent edge computing ▪ Transformative Technologies: From advanced robotics and brain interfaces to automated healthcare and beyond ▪ Future of Work: How automation will redefine jobs and economic structures by 2040 With so many predictions presented here, some will inevitably be wrong or mistimed, especially with potential external disruptions. For instance, a conflict in Taiwan could severely impact global semiconductor production, affecting compute costs and related advancements. Nonetheless, these slides are intended to guide intuition on future technological trends.

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

Peter Udo Diehl

Discover the essentials of performance testing in the IT sector with our concise guide. Learn about various testing types such as load, stress, endurance, spike, scalability, and volume testing. Understand key performance metrics like response time, throughput, CPU and memory utilization, and error rate. Explore top tools like Apache JMeter, LoadRunner, Gatling, Neoload, and BlazeMeter. Gain insights into best practices for defining objectives, creating realistic scenarios, automating tests, and optimizing performance to ensure user satisfaction, reliability, scalability, and cost efficiency. Ideal for developers, QA engineers, and IT professionals. Visit Expeed Software for more information. https://expeed.com/

In-Depth Performance Testing Guide for IT Professionals

In-Depth Performance Testing Guide for IT Professionals

In-Depth Performance Testing Guide for IT Professionals

Expeed Software

The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.

Search and Society: Reimagining Information Access for Radical Futures

Search and Society: Reimagining Information Access for Radical Futures

Search and Society: Reimagining Information Access for Radical Futures

Intrigued by why some of the world's largest companies (Netflix, Google, Cisco, Twitter, Uber etc) are using gRPC? In this demo based talk we delve into the world of gRPC in .Net, what it does and why we should use it. We compare the interface with both Rest and graphQL. We will show you how to implement grpc server-side in .net and in the web. Finally, I will show you how the tooling helps you deliver powerful interfaces and interact with them quickly and simply.

Demystifying gRPC in .Net by John Staveley

Demystifying gRPC in .Net by John Staveley

Demystifying gRPC in .Net by John Staveley

In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring. Learn about: • The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks. • Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective. • Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification. • Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process. Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

New customer? New industry? New cloud? New team? A lot to handle! How to ensure the success of the project? Start it well! I've created the 3 areas of focus at the beginning of the project that helped me in multiple roles (BA, PO, and Consultant). Learn from real-world experiences and discover how these insights can empower you to deliver unparalleled value to your customers right from the project's start.

Powerful Start- the Key to Project Success, Barbara Laskowska

Powerful Start- the Key to Project Success, Barbara Laskowska

Powerful Start- the Key to Project Success, Barbara Laskowska

Ever caught yourself nodding along when someone mentions "delivering value" in Agile, but secretly wondering what the heck they actually mean? You're not alone! Join us for an eye-opening session where we'll strip away the buzzwords and dive into the heart of Agile—value delivery. But what is "value"? Is it a mythical unicorn in the world of software development, or is there more to this overused term? This isn't going to be a sit-and-get lecture. We're talking about a face-to-face, interactive meetup where YOU play a crucial role. Come along to: Define It: What does "value" really mean? We’ll build a definition that’s not just words, but a compass for your Agile journey. Contextualise It: Discover what value means specifically to you, your team, your company, and your industry. Because one size does not fit all. Deliver It: Share strategies and gather new ones for uncovering and delivering true value—no more shooting in the dark!

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx

Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place. Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects. Here’s what you’ll gain: - Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows. - Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy. - Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency. - Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity. We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic. Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.

Essentials of Automations: Optimizing FME Workflows with Parameters

Essentials of Automations: Optimizing FME Workflows with Parameters

Essentials of Automations: Optimizing FME Workflows with Parameters

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

In this session, we will showcase how to revolutionize automated testing for your software, automation, and QA teams with UiPath Test Suite. In part 1 of UiPath test automation using UiPath Test Suite – developer series, we will cover, Software testing overview What is software testing Why software testing is required Typical test types and levels Continuous testing and challenges Introduction to UiPath Test Suite UiPath Test Suite family of products Speaker: Atul Trikha, Chief Technologist & Solutions Architect, Peraton and UiPath MVP Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

UiPath Test Automation using UiPath Test Suite series, part 1

UiPath Test Automation using UiPath Test Suite series, part 1

UiPath Test Automation using UiPath Test Suite series, part 1

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Knowledge engineering: from people to machines and back

Knowledge engineering: from people to machines and back

Knowledge engineering: from people to machines and back

ODC, Data Fabric and Architecture User Group

ODC, Data Fabric and Architecture User Group

ODC, Data Fabric and Architecture User Group

CatarinaPereira64715

I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.

"Impact of front-end architecture on development cost", Viktor Turskyi

"Impact of front-end architecture on development cost", Viktor Turskyi

"Impact of front-end architecture on development cost", Viktor Turskyi

You’ve heard good data matters in Machine Learning, but does it matter for Generative AI applications? Corporate data often differs significantly from the general Internet data used to train most foundation models. Join me for a demo on building an open source RAG (Retrieval Augmented Generation) stack using Milvus vector database for Retrieval, LangChain, Llama 3 with Ollama, Ragas RAG Eval, and optional Zilliz cloud, OpenAI.

Introduction to Open Source RAG and RAG Evaluation

Introduction to Open Source RAG and RAG Evaluation

Introduction to Open Source RAG and RAG Evaluation

ScyllaDB has the potential to deliver impressive performance and scalability. The better you understand how it works, the more you can squeeze out of it. But before you squeeze, make sure you know what to monitor! Watch our experienced Postgres developer work through monitoring and performance strategies that help him understand what mistakes he’s made moving to NoSQL. And learn with him as our database performance expert offers friendly guidance on how to use monitoring and performance tuning to get his sample Rust application on the right track. This webinar focuses on using monitoring and performance tuning to discover and correct mistakes that commonly occur when developers move from SQL to NoSQL. For example: - Common issues getting up and running with the monitoring stack - Using the CQL optimizations dashboard - Common issues causing high latency in a node - Common issues causing replica imbalance - What a healthy system looks like in terms of memory - Key metrics to keep an eye on This isn’t “Death-by-Powerpoint.” We’ll walk through problems encountered while migrating a real application from Postgres to ScyllaDB – and try to fix them live as well.

Optimizing NoSQL Performance Through Observability

Optimizing NoSQL Performance Through Observability

Optimizing NoSQL Performance Through Observability

Agentic RAG What it is its types applications and implementation.pdf

Agentic RAG What it is its types applications and implementation.pdf

Agentic RAG What it is its types applications and implementation.pdf

ChristopherTHyatt

Último (20)

How world-class product teams are winning in the AI era by CEO and Founder, P...

How world-class product teams are winning in the AI era by CEO and Founder, P...

How world-class product teams are winning in the AI era by CEO and Founder, P...

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Mission to Decommission: Importance of Decommissioning Products to Increase E...

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

In-Depth Performance Testing Guide for IT Professionals

In-Depth Performance Testing Guide for IT Professionals

In-Depth Performance Testing Guide for IT Professionals

Search and Society: Reimagining Information Access for Radical Futures

Search and Society: Reimagining Information Access for Radical Futures

Search and Society: Reimagining Information Access for Radical Futures

Demystifying gRPC in .Net by John Staveley

Demystifying gRPC in .Net by John Staveley

Demystifying gRPC in .Net by John Staveley

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Powerful Start- the Key to Project Success, Barbara Laskowska

Powerful Start- the Key to Project Success, Barbara Laskowska

Powerful Start- the Key to Project Success, Barbara Laskowska

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx

Essentials of Automations: Optimizing FME Workflows with Parameters

Essentials of Automations: Optimizing FME Workflows with Parameters

Essentials of Automations: Optimizing FME Workflows with Parameters

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

UiPath Test Automation using UiPath Test Suite series, part 1

UiPath Test Automation using UiPath Test Suite series, part 1

UiPath Test Automation using UiPath Test Suite series, part 1

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Knowledge engineering: from people to machines and back

Knowledge engineering: from people to machines and back

Knowledge engineering: from people to machines and back

ODC, Data Fabric and Architecture User Group

ODC, Data Fabric and Architecture User Group

ODC, Data Fabric and Architecture User Group

"Impact of front-end architecture on development cost", Viktor Turskyi

"Impact of front-end architecture on development cost", Viktor Turskyi

"Impact of front-end architecture on development cost", Viktor Turskyi

Introduction to Open Source RAG and RAG Evaluation

Introduction to Open Source RAG and RAG Evaluation

Introduction to Open Source RAG and RAG Evaluation

Optimizing NoSQL Performance Through Observability

Optimizing NoSQL Performance Through Observability

Optimizing NoSQL Performance Through Observability

Agentic RAG What it is its types applications and implementation.pdf

Agentic RAG What it is its types applications and implementation.pdf

Agentic RAG What it is its types applications and implementation.pdf

One Key to Rule Them All: Detecting the Skeleton Key Malware

1. TCE2015 Summer School, September 2015

2.

3. • The Villain: • The Damsel: • Damsel in distress: • Knight in shining Armor:

4.

5. campaign http://www.tibco.com/blog/wp-content/uploads/2013/01/Hackers-With-An-Agenda.jpg

6.

7.

8.

9.

10.

11.

12.

13.

14.

15.

16.

17.

18.

19.

21.

22. wrongpassword

23.

25.

26.

27. admin 123 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac 8451bb37aa6d7ce3 d2a5c2d24d317af3 aes256_hmac 1a7ddce7264573ae1 f498ff41614cc7800 1cbf6e3142857cce2 566ce74a7f25b KDC KDC TGT TGS ③ TGS-REQ (Server) ④ TGS-REP ⑤ Usage User Server

28. • AES uses the username for salt • RC4-HMAC doesn’t have any! • AES uses PBKDF2= Thousands of SHA rounds • RC4-HMAC doesn’t have any!

29. KDC admin 123 User1 des_cbc_md5 f8fd987fa7153185 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) cc36cf7a8514893e fccd332446158b1a aes128_hmac 8451bb37aa6d7ce3 d2a5c2d24d317af3 aes256_hmac 1a7ddce7264573ae1 f498ff41614cc7800 1cbf6e3142857cce2 566ce74a7f25b user rc4_hmac _nt aes256_ hmac Joe 21321… 543.. user1 cc36cf7a … 1a7ddc … Doe TGT

30.

31.

32.

33. KDC User1 des_cbc_md5 LSASS (kerberos) rc4_hmac_nt (NTLM/md4) aes128_hmac aes256_hmac user rc4_hmac _nt aes256_ hmac Joe 21321… 543.. user1 cc36cf7a … 1a7ddc … TGT ff687678.... Pa$$w0rd1 ff687678…

35.

36.

37. Automatically… • Learn entities and their context • Profile entity activities and behaviors • Build the entities interaction graph • Identify suspicious activities • Connect suspicious activities into an Attack Timeline™ How Microsoft ATA works

38. 1 ATA Analyzes all Active Directory- related traffic and collects relevant events from SIEM 3 ATA Builds the organizational security graph, detects abnormal behavior, protocol attacks and weaknesses and constructs an attack timeline 2 ATA automatically learns all entities’ behaviors ANALYZE LEARN DETECT

39. Abnormal Behavior • Anomalous logins • Abnormal behavior • Unknown threats • Password sharing • Lateral-movement Security Risks • Weak Protocols • Known protocol vulnerabilities • Broken Trust Attacksinreal-time • Pass-the-Ticket (PtT) • Pass-the-Hash (PtH) • Forged PAC (MS14-068) • Reconnaissance • Bruteforce 1 2 3

40.

41.

42.

43. https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73

44.

45. https://gallery.technet.microsoft.com/Aorato- Skeleton-Key-24e46b73 https://www.microsoft.com/en- us/evalcenter/evaluate-microsoft-advanced- threat-analytics

46.

47.

48. @TalBeerySec @ItaiGrady

Notas del editor

http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf http://image.slidesharecdn.com/pivotaldatalakearchitectureitsroleinsecurityanalytics-140707093240-phpapp02/95/pivotal-data-lake-architecture-its-role-in-security-analytics-7-638.jpg?cb=1415961449
http://images.rapgenius.com/995335ab10386f992dde5f3797e92c65.1000x682x1.jpg
NTLM relay talk 2014 by Oren Ofer
3 Data sources – Network traffic, AD data and SIEM events Create traps (Honeytokens) to mislead attackers
Classifying the SAs to 3 types - Risks (Misconfiguration), Deterministic and Behavioral based (Who access what and when)