©2015 SecureSet, LLC
Active Defense
PCAP and Log Detection Techniques
Instructor: Greg Foss
December 08, 2015
# whoami
• Greg.Foss@LogRhythm.com
• @heinzarelli
• Security Operations Team Lead
• Sr. Security Research Engineer
• OSCP, GAWN, GPEN, GCIH, CEH, Cyber APT
Logging and Packet Capture…
Why this content matters
• You already have everything you need for security monitoring within your corporate infrastructure.
• Logging and Packet Capture are the cornerstones of incident response and cyber investigations.
• Detailed evidence that can help to show exactly what happened within an environment.
• Valuable to Operations and Security alike
How it fits into cybersecurity
• Every single computer investigation can be aided by supporting log and packet capture data.
• If you ever want to work on an incident response team or help monitor the security of an organization, you must understand logging, packet capture analysis and event correlation.
What you should learn tonight
• Introduction to Logging and Log Management
• Actively Detecting Attacks Using Log Data
• Introduction to Packet Capture and Net Flow
• Packet Dissection and Data Exfiltration Detection
• Packet Capture Challenge!
  - http://omg.endoftheinternet.org/
Why I love this industry
Breaking into computers for a living!
It’s also fun to go hunting…
Logging
What are ‘Logs’…
• “A record of performance, events, or day-to-day activities”
  - Merriam-Webster, 2015
Log Data = Log Message Meaning
• Informational – Generally benign events
• Debug – Software development
• Warning – Dependencies may be absent
• Error – Indication that something is not right
• Alert – Often security related. Highlight interesting info
  - Logging and Log Management, 2012
Log Formats
• Flat File
• Database
• CSV
• Linux Syslog
• Generic Syslog
• Windows System, Event, Security, etc…
Standard Logging Locations
• Linux
  - /var/log/
• Windows
  - Event Viewer
Log Management
• Store the logs in a centralized location
• Replicate logs to a log management system
• Back up the logs to ensure integrity of the data and maintain compliance standards
Log Parsing (Normalization)
• To gain value from your SIEM, data must be normalized
• Varies depending on the log management solution
  - Regular Expressions
  - Data Categorization
  - Common Event Generation
  - General Classification
Endpoint Monitoring
• User Activity
• File Integrity and Hashing
• Process Details
• Network Connections
• Registry Modification
• Document and/or Web Bug Tracking
Event Correlation
• Leveraging actionable metadata allows you to understand the full picture.
• Key when attempting to reconstruct a scenario
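The normalization and correlation steps from the Log Parsing and Event Correlation slides, as an added example that is not part of the original deck: constructed syslog lines are matched with regular expressions into a common field set, categorized, and then correlated so that a burst of failed SSH logins followed by a success from the same source becomes one alert rather than four unrelated events. The log lines, field names, host, addresses and thresholds are all constructed for the example.

```python
"""Normalize syslog auth lines with regular expressions, categorize them, and
correlate a failed-login burst followed by a success from the same source.
Added example; the log lines, field names and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: BSD-syslog (RFC 3164) lines from sshd and cron on "web01".
SAMPLE_LOG = """\
Dec  8 20:01:02 web01 sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Dec  8 20:01:04 web01 sshd[4012]: Failed password for root from 203.0.113.7 port 51123 ssh2
Dec  8 20:01:05 web01 sshd[4012]: Failed password for root from 203.0.113.7 port 51124 ssh2
Dec  8 20:01:09 web01 sshd[4015]: Accepted password for root from 203.0.113.7 port 51130 ssh2
Dec  8 20:02:30 web01 sshd[4020]: Accepted publickey for deploy from 198.51.100.5 port 40022 ssh2
Dec  8 20:03:00 web01 CRON[4031]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Header: "Mon dd HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sshd message body; the verb decides the outcome, "invalid user" is optional.
SSHD_AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def normalize(line, year=2015):
    """Map one raw line onto a common schema; lines with no parser stay 'uncategorized'."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # not syslog-shaped at all; a real pipeline would count these
    event = {
        # syslog timestamps carry no year, so the caller supplies it
        "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "host": m["host"], "program": m["prog"], "pid": m["pid"],
        "category": "uncategorized", "user": None, "src": None, "raw": line,
    }
    if m["prog"] == "sshd":
        a = SSHD_AUTH_RE.match(m["msg"])
        if a:
            event["category"] = "auth_success" if a["result"] == "Accepted" else "auth_failure"
            event.update(user=a["user"], src=a["src"], method=a["method"])
    return event


def correlate(events, threshold=3, window_seconds=300):
    """Alert when a source fails >= threshold times and then succeeds inside the window."""
    failures = defaultdict(list)  # src -> timestamps of auth_failure events
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["category"] == "auth_failure":
            failures[ev["src"]].append(ev["time"])
        elif ev["category"] == "auth_success":
            recent = [t for t in failures[ev["src"]]
                      if (ev["time"] - t).total_seconds() <= window_seconds]
            if len(recent) >= threshold:
                alerts.append({"src": ev["src"], "user": ev["user"], "host": ev["host"],
                               "failures": len(recent), "success_at": ev["time"]})
    return alerts


def analyze(text=SAMPLE_LOG):
    """Normalize every line, then correlate; returns (events, alerts)."""
    events = [e for e in (normalize(line) for line in text.splitlines()) if e]
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = analyze()
    for ev in events:
        print(f"{ev['time']:%H:%M:%S} {ev['category']:<14} {ev['src'] or '-':<14} {ev['user'] or '-'}")
    for a in alerts:
        print(f"ALERT brute force then success: {a['src']} -> {a['user']}@{a['host']} "
              f"after {a['failures']} failures at {a['success_at']:%H:%M:%S}")
```

The cron line is kept as an 'uncategorized' event on purpose: normalization should preserve every record with its common header fields even when no message-specific parser applies, so that the uncategorized share can be measured and new parsers added where it is high.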
Security Information Event Management
• Bringing it all together
  - Dashboards
  - Automated Alerting
  - Automated Response
  - Central Log Storage
  - Enterprise Correlation
SIEM Tools
• Commercial
  - LogRhythm
  - Splunk
• Open Source
  - Logstash and Kibana
  - Graylog
Advanced Logging
• PowerShell
  - Command Line Logging
  - Extracting Logs using PowerShell
    PS C:\> Get-EventLog Security
• Honeypot Event Correlation
• TTY Log Replay
• Web Bugs
  - Open Source Document Tracking and Event Correlation
DEMO
Packet Capture (PCAP)
OSI Model
• Complete record of network activity: Layers 2-7
Transport Layer Protocols
• Transmission Control Protocol (TCP)
  - Stateful – HTTP, SSH, SMTP, etc.
  - Used to establish interactive sessions
• User Datagram Protocol (UDP)
  - Stateless / Connectionless transmission model
  - Easy to spoof origin
  - No delivery guarantee
  - Can be used to exfiltrate data via DNS
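An added example (not from the original deck) of the DNS exfiltration point on the slide above, from the detection side: constructed DNS query records are grouped by client and base domain, and a client that issues many unique, high-entropy subdomains under one domain, or labels packed close to the 63-byte limit, is flagged. The query records, domain names and thresholds are constructed; the two-label base-domain split is a deliberate simplification called out in the code.

```python
"""Detection heuristics for DNS-based data exfiltration in query logs.
Added example; the query records, domain names and thresholds are constructed."""
import math
from collections import Counter, defaultdict

# Constructed query log as (client_ip, qtype, qname). Two ordinary clients, and
# one client sending encoded chunks as ever-changing subdomains of one domain.
SAMPLE_QUERIES = [
    ("10.0.0.21", "A", "www.example.com"),
    ("10.0.0.21", "AAAA", "mail.example.com"),
    ("10.0.0.22", "A", "cdn.example.net"),
    ("10.0.0.22", "A", "www.example.com"),
    ("10.0.0.23", "TXT", "mzxw6ytboi2gk3tpnvtw64tbnz2w2.c.exfil.example"),
    ("10.0.0.23", "TXT", "nfzxg4zanfzxeyltmq5gs33omq5dgqi.c.exfil.example"),
    ("10.0.0.23", "TXT", "ore2lk4x5ujk5m6dyosq4uvzdkyd5nq.c.exfil.example"),
    ("10.0.0.23", "TXT", "7ahxj38b2l1i5zjuzk9ccfk0g2mo6i8.c.exfil.example"),
]


def shannon_entropy(s):
    """Bits per character: encoded payload scores high, hostnames like 'www' score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname):
    """Return (first_label, base_domain). Taking the last two labels as the base
    domain is a deliberate simplification; production code should consult a
    public-suffix list so that e.g. 'example.co.uk' is grouped correctly."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def detect_dns_exfil(queries, min_unique=3, min_entropy=3.0, max_label_len=40):
    """Group queries per (client, base domain) and flag tunnelling-like patterns."""
    stats = defaultdict(lambda: {"labels": set(), "entropy": [], "longest": 0,
                                 "txt": 0, "total": 0})
    for client, qtype, qname in queries:
        first, base = split_qname(qname)
        s = stats[(client, base)]
        s["total"] += 1
        if qtype == "TXT":  # TXT answers carry the most payload per query
            s["txt"] += 1
        if first:
            s["labels"].add(first)
            s["entropy"].append(shannon_entropy(first))
            s["longest"] = max(s["longest"], len(first))

    alerts = []
    for (client, base), s in stats.items():
        mean_h = sum(s["entropy"]) / len(s["entropy"]) if s["entropy"] else 0.0
        reasons = []
        # Many distinct, random-looking subdomains under one domain: the payload
        # has to change on every query, because a repeat would be served from cache.
        if len(s["labels"]) >= min_unique and mean_h >= min_entropy:
            reasons.append(f"{len(s['labels'])} unique subdomains, mean entropy {mean_h:.2f} bits")
        # Labels approaching the 63-byte limit are another sign of packed data.
        if s["longest"] >= max_label_len:
            reasons.append(f"longest label {s['longest']} chars")
        if reasons:
            alerts.append({"client": client, "domain": base, "queries": s["total"],
                           "txt_ratio": s["txt"] / s["total"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_dns_exfil(SAMPLE_QUERIES):
        print(f"ALERT {a['client']} -> {a['domain']}: {a['queries']} queries, "
              f"TXT ratio {a['txt_ratio']:.0%}; " + "; ".join(a["reasons"]))
```

Volume alone is a weak signal, since CDNs and anti-virus lookups also produce many subdomains; the entropy and label-length conditions are what separate encoded payload from legitimate hostnames, and the thresholds should be tuned against a baseline of the organisation's own resolver logs.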
How To Capture Network Traffic
• Local
  - Using tcpdump, Wireshark, NetworkMiner, Ettercap, etc.
• In-Line Device
  - Often commercial but there are free tools as well.
• Mirror off Firewalls
  - Split data passed through firewalls and push to appliance.
• Offensive – MiTM, ARP Poisoning, Evil Twin, etc.
Packet Capture Appliances
• LogRhythm Network Monitor
  - Freemium Version – https://support.logrhythm.com
• FireEye PX Series
• NetScout
• NetWitness
• Riverbed
• Etc.
Network Tap
• A network tap can be as simple as a hub. Hubs allow you to see all data transmitted, as opposed to switches.
• Raspberry Pi
• Beaglebone Black
• LAN Turtle
• Wi-Fi Pineapple
Capturing Network Traffic
• Simple Network
• Many Options
Capturing Network Traffic
• Basic Network, Multiple VLANs
Offensive Network Capture
• ARP Poisoning
  - Convince the host that our MAC is the router; traffic begins to pass through our system.
• Evil Twin Wi-Fi Attacks
  - https://www.youtube.com/watch?v=86bvUV92Ek8
  - We’ll talk about this more soon…
• Attack Switches, Routers, Gateways, etc.
Sniffing Packets
• Many protocols are in plain text
  - Easy to understand and dissect
  - HTTP, DNS, FTP, Telnet, SMTP, etc.
• TLS is becoming more prevalent
  - Making traffic inspection more difficult
  - HTTPS, SSH, SFTP, FTPS, etc.
  - Malware often uses encrypted tunnels
Viewing Encrypted Packets
• SSL Interception Proxies
Source: https://logrhythm.com/blog/network-monitor-and-ssl-proxy-integration/
Offensive MiTM Against TLS / SSL
• SSLStrip – Older but still works
  - https://github.com/moxie0/sslstrip
• SSLSplit – Transparent TLS/SSL Interception Proxy
  - Terminates one session then creates its own
  - https://github.com/droe/sslsplit
• NetRipper – Windows API Hooking
  - https://github.com/NytroRST/NetRipper
Attacking Users – A Case Study
Evil Twin
source: http://www.breakthesecurity.com/2014/04/evil-twin-attack-fake-wifi-hack.html
DEMO
We’ve only just scratched the surface…
Want To Learn More and Practice?
• http://www.netresec.com/?page=PcapFiles
  - Publicly Available PCAP Files
• http://malware-traffic-analysis.net/
  - PCAP Files and Malware Samples
• https://www.vthreat.com/
  - Simulate threats, data exfiltration, etc.
• VirusTotal Professional
PCAP Challenge
Using Log Data to Track Winners
References
• Chuvakin, Anton, and Kevin Schmidt. Logging and Log Management: The Authoritative Guide to Dealing with Syslog, Audit Logs, Events, Alerts and Other IT 'Noise'. Rockland, MA: Syngress, 2012. Print.
• Bejtlich, Richard. The Tao of Network Security Monitoring: Beyond Intrusion Detection. Boston: Addison-Wesley, 2005. Print.
CLOSING
• Careers in this area of security
  - The work – LogRhythm is hiring!
  - The rewards – Great benefits!
• How to pursue
  - https://logrhythm.com/about/careers/
  - greg.foss@logrhythm.com
• Provides aspiring security talent with a powerful & direct path into cybersecurity
• “Career Promise”
• www.secureset.com/academy
• Next Denver session: January 2016
Did you know?
More than 209,000 cybersecurity jobs in the US are unfilled.*
* www.peninsulapress.com/2015
wargames.secureset.com
wargames@secureset.com
Secure your future in Cyber!
SecureSet Academy Starts January 2016
SecureSet WarGames - Logging and Packet Capture Training

 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

SecureSet WarGames - Logging and Packet Capture Training

  • 2. Active Defense: PCAP and Log Detection Techniques. Instructor: Greg Foss. December 08, 2015. ©2015 SecureSet, LLC
  • 3. # whoami
      - Greg.Foss@LogRhythm.com
      - @heinzarelli
      - Security Operations Team Lead
      - Sr. Security Research Engineer
      - OSCP, GAWN, GPEN, GCIH, CEH, Cyber APT
  • 5. Logging and Packet Capture…
  • 6. Why this content matters
      - You already have everything you need for security monitoring within your corporate infrastructure.
      - Logging and packet capture are the cornerstones of incident response and cyber investigations.
      - They provide detailed evidence that can show exactly what happened within an environment.
      - Valuable to Operations and Security alike.
  • 7. How it fits into cybersecurity
      - Every computer investigation can be aided by supporting log and packet capture data.
      - If you ever want to work on an incident response team or help monitor the security of an organization, you must understand logging, packet capture analysis and event correlation.
  • 8. What you should learn tonight
      - Introduction to Logging and Log Management
      - Actively Detecting Attacks Using Log Data
      - Introduction to Packet Capture and NetFlow
      - Packet Dissection and Data Exfiltration Detection
      - Packet Capture Challenge! http://omg.endoftheinternet.org/
  • 9. Why I love this industry
  • 10. Breaking into computers for a living!
  • 11. It's also fun to go hunting…
  • 14. What are 'Logs'…
      - "A record of performance, events, or day-to-day activities" (Merriam-Webster, 2015)
  • 15. Log Data = Log Message Meaning
      - Informational: generally benign events
      - Debug: software development
      - Warning: a dependency may be absent
      - Error: indication that something is not right
      - Alert: often security related; highlights interesting information
      - (Chuvakin and Schmidt, Logging and Log Management, 2012)
  • 16. Log Formats
      - Flat file
      - Database
      - CSV
      - Linux syslog
      - Generic syslog
      - Windows event logs (System, Security, etc.)
  • 17. Standard Logging Locations
      - Linux: /var/log/
      - Windows: Event Viewer
  • 18. Log Management
      - Store the logs in a centralized location
      - Replicate logs to a log management system
      - Back up the logs to ensure the integrity of the data and maintain compliance standards
  • 19. Log Parsing (Normalization)
      - To gain value from your SIEM, data must be normalized
      - How this is done varies depending on the log management solution
      - Regular expressions
      - Data categorization
      - Common event generation
      - General classification
  • 20. Endpoint Monitoring
      - User activity
      - File integrity and hashing
      - Process details
      - Network connections
      - Registry modification
      - Document and/or web bug tracking
  • 21. Event Correlation
      - Leveraging actionable metadata allows you to understand the full picture.
      - Key when attempting to reconstruct a scenario.
  • 22. Security Information and Event Management (SIEM)
      - Bringing it all together
      - Dashboards
      - Automated alerting
      - Automated response
      - Central log storage
      - Enterprise correlation
  • 23. SIEM Tools
      - Commercial: LogRhythm, Splunk
      - Open source: Logstash and Kibana, Graylog
  • 24. Advanced Logging
      - PowerShell
      - Command line logging
      - Extracting logs using PowerShell: PS C:\> Get-EventLog Security
      - Honeypot event correlation
      - TTY log replay
      - Web bugs
      - Open source document tracking and event correlation
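The parsing (slide 19) and correlation (slide 21) steps in working form, as an added example that is not part of the original slides or of any SIEM product mentioned here. It normalizes a handful of constructed sshd syslog lines with regular expressions, classifies them, and then correlates failures and successes per source address to spot a password-guessing burst that ends in a successful login. The sample log lines, the host and IP values, the year (syslog omits it), and the threshold and window values are all assumptions chosen for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not a real log) in the BSD syslog format sshd writes
# to /var/log/auth.log. Syslog omits the year, so the parser assumes one.
SAMPLE_LOG = """\
Dec  8 18:01:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51044 ssh2
Dec  8 18:01:04 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51046 ssh2
Dec  8 18:01:05 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51048 ssh2
Dec  8 18:01:07 web01 sshd[2207]: Failed password for root from 203.0.113.7 port 51050 ssh2
Dec  8 18:01:08 web01 sshd[2209]: Failed password for root from 203.0.113.7 port 51052 ssh2
Dec  8 18:01:11 web01 sshd[2211]: Accepted password for root from 203.0.113.7 port 51054 ssh2
Dec  8 18:05:30 web01 sshd[2300]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Dec  8 18:06:01 web01 CRON[2310]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Syslog envelope: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# sshd authentication result lines
SSHD_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")


def parse_line(line, year=2015):
    """Normalize one syslog line into common fields (the regular-expression
    step of SIEM parsing). Returns None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["time"] = datetime.strptime(f"{year} {event['ts']}", "%Y %b %d %H:%M:%S")
    event["category"] = "other"                       # classification step
    if event["app"] == "sshd":
        s = SSHD_RE.match(event["msg"])
        if s:
            event.update(s.groupdict())
            event["category"] = "auth_success" if s["result"] == "Accepted" else "auth_failure"
    return event


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def detect_bruteforce(events, threshold=4, window_seconds=60):
    """Correlate authentication events per source IP. Raise one alert for a
    source with `threshold` or more failures inside `window_seconds`, and note
    whether the same source then succeeded within another window: failures
    alone are noise, failures followed by a success are an incident."""
    by_src = defaultdict(list)
    for e in events:
        if e["category"] in ("auth_failure", "auth_success"):
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["category"] == "auth_failure"]
        for i in range(len(fails) - threshold + 1):
            start = fails[i]["time"]
            if (fails[i + threshold - 1]["time"] - start).total_seconds() > window_seconds:
                continue
            burst = [f for f in fails[i:] if (f["time"] - start).total_seconds() <= window_seconds]
            burst_end = burst[-1]["time"]
            success = next((e for e in evs if e["category"] == "auth_success"
                            and 0 <= (e["time"] - burst_end).total_seconds() <= window_seconds), None)
            alerts.append({"src": src, "failures": len(burst),
                           "users": sorted({f["user"] for f in burst}),
                           "followed_by_success": success is not None,
                           "success_user": success["user"] if success else None})
            break                                      # one alert per source
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample above the only alert is for 203.0.113.7: five failures in six seconds, then an accepted password for root three seconds later. The deploy login from 198.51.100.20 and the cron line are parsed but never alerted on, which is the point of normalizing first: once every source writes into the same fields, the correlation rule does not care whether the events came from sshd, a Windows Security log, or a VPN concentrator.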
  • 31. OSI Model
      - Packet capture gives a complete record of network activity: Layers 2-7
  • 32. Transport Layer Protocols
      - Transmission Control Protocol (TCP)
          - Stateful, connection-oriented: HTTP, SSH, SMTP, etc.
          - Used to establish interactive sessions
      - User Datagram Protocol (UDP)
          - Stateless / connectionless transmission model
          - Easy to spoof the origin
          - No delivery guarantee
          - Can be used to exfiltrate data via DNS
  • 33. How To Capture Network Traffic
      - Local: using tcpdump, Wireshark, NetworkMiner, Ettercap, etc.
      - In-line device: often commercial, but there are free tools as well.
      - Mirror off firewalls: split the data passing through the firewall and push a copy to an appliance.
      - Offensive: MiTM, ARP poisoning, Evil Twin, etc.
  • 34. Packet Capture Appliances
      - LogRhythm Network Monitor (freemium version: https://support.logrhythm.com)
      - FireEye PX Series
      - NetScout
      - NetWitness
      - Riverbed
      - Etc.
  • 35. Network Tap
      - A network tap can be as simple as a hub. A hub repeats every frame to every port, so you see all data transmitted; a switch forwards each frame only to the port that owns the destination MAC address, so you do not.
      - Raspberry Pi
      - BeagleBone Black
      - LAN Turtle
      - Wi-Fi Pineapple
  • 36. Capturing Network Traffic: simple network, many options
  • 37. Capturing Network Traffic: basic network, multiple VLANs
  • 38. Offensive Network Capture
      - ARP poisoning: convince the host that our MAC address belongs to the router (and, typically, convince the router that our MAC address belongs to the host), so the traffic between them begins to pass through our system.
      - Evil Twin Wi-Fi attacks: https://www.youtube.com/watch?v=86bvUV92Ek8 (we'll talk about this more soon…)
      - Attack switches, routers, gateways, etc.
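The defensive counterpart to the ARP poisoning bullet above, as an added example that is not part of the original slides: a small ARP dissector and a watcher that flags a reply claiming a trusted IP address (the gateway) with an unexpected MAC, or a change in any IP-to-MAC binding it has already seen. The frames are constructed in the code rather than read from a capture, and the gateway, victim and attacker addresses are made-up values for the demo.

```python
import struct

ETHERTYPE_ARP = b"\x08\x06"


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an IPv4-over-Ethernet ARP packet (RFC 826).
    op 1 = request, op 2 = reply. Used here only to construct sample frames."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + ETHERTYPE_ARP
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Dissect an Ethernet frame; return the ARP fields, or None if it is not
    IPv4-over-Ethernet ARP (wrong ethertype, hardware type or address sizes)."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {"op": op,
            "sender_mac": fmt_mac(body[0:6]), "sender_ip": fmt_ip(body[6:10]),
            "target_mac": fmt_mac(body[10:16]), "target_ip": fmt_ip(body[16:20])}


class ArpWatcher:
    """Track IP -> MAC bindings advertised in ARP replies. `baseline` holds the
    bindings you trust from inventory or DHCP (at minimum, the gateway)."""

    def __init__(self, baseline):
        self.baseline = dict(baseline)
        self.seen = {}

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != 2:            # only replies assert a binding
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip in self.baseline and mac != self.baseline[ip]:
            return {"type": "baseline_mismatch", "ip": ip, "expected": self.baseline[ip],
                    "observed": mac, "sent_to": arp["target_ip"]}
        previous = self.seen.setdefault(ip, mac)     # first sighting becomes the reference
        if previous != mac:
            return {"type": "binding_changed", "ip": ip, "expected": previous,
                    "observed": mac, "sent_to": arp["target_ip"]}
        return None


# Constructed sample traffic (assumed addresses, not from a real capture):
# a normal exchange, then the attacker poisoning both victim and gateway.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.20", "aa:bb:cc:00:00:20"
ATTACKER_MAC = "de:ad:be:ef:00:66"

SAMPLE_FRAMES = [
    build_arp(1, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),  # who has 10.0.0.1?
    build_arp(2, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),         # legitimate reply
    build_arp(2, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),         # legitimate reply
    build_arp(2, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),        # poison the victim
    build_arp(2, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),       # poison the gateway
]


def run_sample():
    watcher = ArpWatcher({GATEWAY_IP: GATEWAY_MAC})
    return [a for a in map(watcher.observe, SAMPLE_FRAMES) if a]


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Two caveats a practitioner should keep in mind. The watcher only sees replies that reach the capture point, so it has to run on a tap or mirror port for the segment, or on the endpoint being protected. And a changed binding is not always an attack: a replaced NIC, a DHCP lease moving to another machine, or a first-hop redundancy failover all look the same on the wire, which is why the baseline check for the gateway is the higher-confidence signal of the two.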
  • 39. Sniffing Packets
      - Many protocols are in plain text, so they are easy to understand and dissect: HTTP, DNS, FTP, Telnet, SMTP, etc.
      - Encrypted protocols (TLS, SSH) are becoming more prevalent, making traffic inspection more difficult: HTTPS, SSH, SFTP, FTPS, etc.
      - Malware often uses encrypted tunnels
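Slide 32 notes that UDP, and DNS in particular, can carry exfiltrated data, and slide 39 lists DNS among the plain-text protocols that are easy to dissect. The following is an added example that ties the two together; it is not from the original slides or from any tool named on this page. It builds a few raw Ethernet/IPv4/UDP/DNS frames in memory (constructed sample traffic, with made-up addresses), dissects them layer by layer down to the query name, and then flags a client that sends many distinct, long, high-entropy subdomains under one domain, which is how DNS tunnelling and exfiltration tools look on the wire. The detection thresholds are assumptions to be tuned against your own baseline.

```python
import base64
import hashlib
import math
import struct
from collections import Counter, defaultdict


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def build_dns_query(qname, txid=0x1234, flags=0x0100):
    """DNS message in RFC 1035 wire format: 12-byte header, the name as
    length-prefixed labels, a zero terminator, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def build_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Ethernet + IPv4 + UDP around a payload. Checksums are left at zero
    because these frames are only parsed here, never transmitted."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    eth_hdr = bytes.fromhex("665544332211") + bytes.fromhex("112233445566") + b"\x08\x00"
    return eth_hdr + ip_hdr + udp


def parse_dns_name(data, offset):
    """Decode a DNS name at offset, following compression pointers (RFC 1035
    section 4.1.4). Returns (dotted name, offset just past the name)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                     # 2-byte pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length


def dissect_dns_query(frame):
    """Walk Ethernet -> IPv4 -> UDP -> DNS. Return {"src", "qname"} for a DNS
    query sent to port 53, or None for anything else (non-IP, non-UDP, responses)."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    src_ip = ".".join(str(b) for b in frame[26:30])
    udp = frame[14 + ihl:]
    if len(udp) < 8:
        return None
    _sport, dport, _ulen, _csum = struct.unpack("!HHHH", udp[:8])
    dns = udp[8:]
    if dport != 53 or len(dns) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
    if flags & 0x8000 or qdcount < 1:                 # QR bit set means this is a response
        return None
    qname, _ = parse_dns_name(dns, 12)
    return {"src": src_ip, "qname": qname.lower()}


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def detect_dns_exfil(frames, min_unique=5, min_len=30, min_entropy=3.5):
    """Group queries by (client, registered domain = last two labels) and flag a
    group with many distinct, long, high-entropy subdomains."""
    groups = defaultdict(list)
    for frame in frames:
        q = dissect_dns_query(frame)
        if q is None:
            continue
        labels = q["qname"].split(".")
        if len(labels) > 2:
            groups[(q["src"], ".".join(labels[-2:]))].append(".".join(labels[:-2]))
    alerts = []
    for (src, domain), subs in sorted(groups.items()):
        unique = sorted(set(subs))
        avg_len = sum(map(len, unique)) / len(unique)
        avg_ent = sum(map(shannon_entropy, unique)) / len(unique)
        if len(unique) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            alerts.append({"src": src, "domain": domain, "queries": len(subs),
                           "unique_subdomains": len(unique),
                           "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)})
    return alerts


# Constructed sample traffic (not a real capture). 10.0.0.5 does ordinary lookups
# and receives one response; 10.0.0.9 pushes pseudo-random bytes (standing in for
# encrypted data) out as base32 chunks in subdomain labels.
RESOLVER = "10.0.0.2"
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", RESOLVER, 40001, 53, build_dns_query("www.example.com")),
    build_frame("10.0.0.5", RESOLVER, 40002, 53, build_dns_query("mail.example.com")),
    build_frame("10.0.0.5", RESOLVER, 40003, 53, build_dns_query("www.example.com")),
    build_frame(RESOLVER, "10.0.0.5", 53, 40003, build_dns_query("www.example.com", flags=0x8180)),
]
for i in range(8):
    chunk = base64.b32encode(hashlib.sha256(b"constructed-demo-%d" % i).digest()[:20]).decode()
    SAMPLE_FRAMES.append(build_frame("10.0.0.9", RESOLVER, 50000 + i, 53,
                                     build_dns_query(f"{i:02d}.{chunk}.tunnel.example.org")))

if __name__ == "__main__":
    for alert in detect_dns_exfil(SAMPLE_FRAMES):
        print(alert)
```

The same dissector works on frames pulled from a real pcap once you strip the file and record headers, and the grouping by registered domain is what lets the heuristic ignore a busy CDN while still catching a single client talking to one odd domain. Two things deliberately kept in: responses are dropped by checking the QR bit rather than the port, because a resolver can be on the same host as the client, and the name decoder follows compression pointers so it does not break on the answer section if you later extend it to responses.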
  • 40. Viewing Encrypted Packets
      - SSL interception proxies. Source: https://logrhythm.com/blog/network-monitor-and-ssl-proxy-integration/
  • 41. Offensive MiTM Against TLS / SSL
      - SSLStrip: older, but still works where the victim first reaches a site over plain HTTP and the site does not enforce HSTS. https://github.com/moxie0/sslstrip
      - SSLSplit: transparent TLS/SSL interception proxy. Terminates the client's session and creates its own session to the server; the client must trust the proxy's CA or it will see a certificate warning. https://github.com/droe/sslsplit
      - NetRipper: hooks Windows APIs inside the target process to capture traffic in plaintext. https://github.com/NytroRST/NetRipper
  • 42. Attacking Users – A Case Study
  • 44. Evil Twin. Source: http://www.breakthesecurity.com/2014/04/evil-twin-attack-fake-wifi-hack.html
  • 50. We've only just scratched the surface…
  • 51. Want To Learn More and Practice?
      - http://www.netresec.com/?page=PcapFiles (publicly available PCAP files)
      - http://malware-traffic-analysis.net/ (PCAP files and malware samples)
      - https://www.vthreat.com/ (simulate threats, data exfiltration, etc.)
      - VirusTotal Professional
  • 54. Using Log Data to Track Winners
  • 55. References
      - Chuvakin, Anton, and Kevin Schmidt. Logging and Log Management: The Authoritative Guide to Dealing with Syslog, Audit Logs, Events, Alerts and Other IT 'Noise'. Rockland, MA: Syngress, 2012. Print.
      - Bejtlich, Richard. The Tao of Network Security Monitoring: Beyond Intrusion Detection. Boston: Addison-Wesley, 2005. Print.
  • 56. Closing
      - Careers in this area of security
      - The work: LogRhythm is hiring!
      - The rewards: great benefits!
      - How to pursue: https://logrhythm.com/about/careers/ or greg.foss@logrhythm.com
  • 57.
      - Provides aspiring security talent with a powerful and direct path into cybersecurity
      - "Career Promise"
      - www.secureset.com/academy
      - Next Denver session: January 2016
  • 58. Did you know? More than 209,000 cybersecurity jobs in the US are unfilled.* (* www.peninsulapress.com/2015)
  • 59. wargames.secureset.com, wargames@secureset.com. Secure your future in Cyber! SecureSet Academy starts January 2016.