SlideShare a Scribd company logo

Nightmares of a Penetration Tester ( How to protect your network)

Download as PPTX, PDF
Chris Nickerson
Chris Nickerson

As a professional penetration tester for the last 15+ years, I have seen many environments and technologies. I have had the pleasure / hell of testing systems I’d never even heard of, and the agony of defeat on a major scale. Rather than review the techniques used to work our way into systems, I will present the ways blue teams kept us out! In this session we will look at the technologies and techniques that have turned our traditional paths to root from minutes to months, and examine the tricks that got us “caught” along the way. Not all pen tests are a dream and nightmares can and do happen. So, let’s talk about how your environment can become an attacker’s worst nightmare instead of their favorite playground. Things attendees will learn: • Strategic defense • Attacker techniques • Indicators of Compromise • Active blue team response techniques • Security architecture • Layered defensive techniques

Technology
1 of 61
PenTester Nightmares 4/6/16 9:45 Chris Nickerson CEO LARES
Slide 2
Slide 3
Slide 4 HI…I’m Chris
Slide 5
Slide 6 • Loud Anoying American • Cursing • Racism • Religious Prejudice • Sex • Drugs • Daddy / Abandonment issues • Socio Economic Hate crimes • Thin Skin • Lack of sense of humor • Sexual orientation • Sexism • Violence • Vomiting • Abuse • Truth • Fear • Honesty • Facts • Emotions • Tears
Slide 7 I’m Chris AKA @indi303 cnickerson@laresconsulting .com https://vimeo.com/laresconsulting http://www.scribd.com/Lares_ Exoticliability.com
Slide 8
Slide 9 www.lares.com
Slide 10
Slide 11
Slide 12
Slide 13
Slide 14
Slide 15
Slide 16
Slide 17
Slide 18
Slide 19 Custom Services OSINT SIGINT TSCM/ Bug Sweeping Exploit Development Tool Creation Attack Planning Offensive Consultation Adversarial Intelligence Competitive Intelligence Attack Modeling Business Chain Vuln Assessments Custom Physical Bypass Tool Design Reverse Engineering Other stuff I can’t write down…
Slide 20
Slide 21
Slide 22 http://www.verizonenterprise.com/resources/reports/rp_dat a-breach-investigation-report-2015_en_xg.pdf
Slide 23 • 80,000 security incidents and more than 2,000 data compromises from 61 countries. • The top three industries affected are the same as previous years: Public,Technology/Information, and Financial Services. • In 70% of the attacks where we know the motive for the attack, there’s a secondary victim • 23% of recipients now open phishing messages and 11% click on attachments
Slide 24 24
Slide 25 25 The common denominator across the top four patterns – accounting for nearly 90% of all incidents – is people
Slide 26
Slide 27 What do we do to try and DEFEND? Buy stuff ▪ Firewalls ▪ WAF ▪ IDS/IPS ▪ AV ▪ SIEM ▪ Etc… Test our stuff ▪ Conduct Audits ▪ Do “PenTests” ▪ Vuln scanning? ▪ Hire 3rd parties ▪ Hire industry “Experts”
Slide 28 And what happens? WE STILL GET HACKED ALLTHETIME!!!!!!!!
Slide 29
Slide 30 Stories from the OTHER SIDE When attackers DON’T WIN! Because your infosec is FORCE is STRONG
Slide 31 The following things are a brief view of how customers have DEFENDED their networks and made it HURT for us.
Slide 32 GOOD SECURITY PROGRAMS ARE BUILT IN AND NOT BOLT ON
Slide 33 External Defenses Sounds cool if you buy them and actually use them.
Slide 34 Rule #1 DON’T TALK TO STRANGERS ▪ Implemented blocks from all emerging threats lists ▪ Honeypots that if SCANNED or traffic was sent to, that IP was blocked. FORGOOD. ▪ External SIEM integration that correlated logins. *Magic* the same address tries more than 3 usernames in an APP or SMPT it is banned for a certain time, if it happens after timeout, its banned for good ▪ Constant monitoring and baseline analysis of open ports. If it changed, a SEV1 ticket was created. ▪ Port scanning bans. ▪ Injection Bans ▪ Rejection of specific user agent strings ( most tools out there have specific UA strings. ▪ Test it all until BLOCK modeWORKS! Monitor mode will just make you feel bad when u go back to your logs and seeWHEN you got owned ▪ Big data like a boss. DOTHREAT INTEL IN HOUSE!!!! ▪ Protect yourOSINT ( anonymize info like DNS records)
Slide 35 Quick fixes Tons of free stuff out there to get you started. ▪ External honeypot Network http://threatstream.github.io/mhn/ ▪ Drupal honeypot: https://www.drupal.org/project/honeypot ▪ External honeypot starter https://www.binarydefense.com/project- artillery/ ▪ Tools to monitor open ports https://github.com/subinacls/Filibuster ▪ Wordpress honeypots http://leadin.com/plugins/wordpress- honeypot ▪ Use the Emerging threats lists and other threat intel feeds http://rules.emergingthreats.net/ ▪ Check your osint / attack surface and threat landscape http://www.spiderfoot.net/
Slide 36 Phishing is for kids
Slide 37 #2 If you are going to talk, be sure u know who it is ▪ Disable SMTP verify/validation ▪ Mailer verification ( USE SPF) ▪ Use Mail filtering solutions that can intercept ALL mail protocols Encrypted and unencrypted ▪ Strict enforcement of Site Classification ▪ Analysis of certificate age and domain age “marination” ▪ Inspect all attachments and disallow all attachments except for a very specific set which have mitigating controls at the host or can be used in a sandboxed viewer. ▪ Browser based controls whitelisting 3rd party loaders like java, flash etc… ( or disabling all together) ▪ Verification of sender identity ▪ USE DNS ANALYSIS ▪ Don’t forward DNS. Split DNS is not hard
Slide 38 Quickies ▪ Enable SPF ▪ Implement spamcop and other blocking lists https://www.spamcop.net/fom-serve/cache/291.html https://www.spamhaus.org ▪ Implement a Mail inspection gateway Preferably cloud and local ▪ Check security setting of SMTP/SPF/DNS http://mxtoolbox.com/diagnostic.aspx http://www.dnssy.com/ ▪ Create Split DNS don’t allow forwarding and use only the validated internal resolver. http://shorewall.net/SplitDNS.html ▪ Create automated Phishing reporting process in client or train users on process to submit ▪ Phish the users, test them, train them. And UPDATE your new hire training to include how to defend.
Slide 39 Internal Defenses They ARE gonna get in, so knowing that WHAT U GONNA DO ABOUT IT?
Slide 40 #3 Your internal network is a HOSTILE environment. Treat it as such ▪ Monitor inside MORE than outside. ▪ Portscan inside = Block and SEV1 IR response ▪ Segmentation of all servers from users. ▪ Create Classified zones,These will require 2 factor auth to a Jump box. Only jump box will be allowed to get into secured zone. Or CreateVPN from user desktop directly into the Environment ▪ NEVER useVPN Pools.Always tie a user to a specific ip address and firewall rule limitALL users to resources needed. ▪ Alert on ALL network device configuration change IMMEDIATELY. ▪ Use Netflows or other traffic analysis to identify top talkers and tune to find future anomalies ▪ Set up “HoneyNets” ▪ LOCK DOWNYOUR CONFIGS!!!!!!! ▪ Remove your default route and intercept all HTTP/S
Slide 41 Quick hits ▪ Set up your AV to disallow/ban anything port scanning ▪ Segment and firewall protect ALL servers from user segments ▪ Tune internal IDS to look for port scans and inappropriate user to server traffic. Also to identify protocols that shouldn’t be used (ex. DNS traffic to things other than the registered internal DNS) ▪ Enable config monitoring on ALL network Devices http://www.rconfig.com/ ▪ Restrict network device management to only validated addresses of network engineers OR setup mgmt. network that Engineers MUST vpn into. ▪ Monitor all ports open and look for changes. http://sourceforge.net/p/dnmap/wiki/Home/ distributed nmap ▪ Audit your configs https://github.com/pello/routerdefense https://www.titania.com/nipperstudio
Slide 42 Workstations are for WORK
Slide 43 #4 Users have the ability to use the companies resources. ▪ Only ad user accounts through secured methods. DO NOT USE GPO’s that have cPassword or add accounts with cleartext values. ▪ Users should only be allowed to go to categorized sites.Any/all other traffic must be denied. ▪ Whitelist approved and managed software. ▪ Disallow Local admin privs ▪ Do NOT let local admins to log on remotely ▪ Randomize ALL local admin passwords ▪ Maintain internal software reports for updates ▪ Manage all the things ▪ Host based firewalls, IDS, and behavioral analysis ▪ SCANALL HOSTS for vulnerabilities on a regular basis
Slide 44 Quickies ▪ Manage local admin passwords with a commercial solution or some of the open sources. Microsoft LAPS https://technet.microsoft.com/en-us/library/security/3062591.aspx ▪ Create GPO’s to whitelist or blackist services ▪ Remove admin rights ▪ Deploy anti exploitation defenses EMET https://support.microsoft.com/en-us/kb/2458544 ▪ Harden your devices. Linux, AIX, BSD, Etc.. hardening https://cisofy.com/lynis/ Windows: Microsoft Baseline Security Analyzer ▪ Enable hardening locally with detection and protection http://www.fail2ban.org/ and windows firewall + AV ▪ Use Authenticated Scans to inventory software , find non compliant software and define hardening. ▪ Harden default images
Slide 45 It’s a SERVER... Make it serve you.
Slide 46 #5 Servers have a specific purpose ▪ Do not install workstation software on a SERVER. Office, Adobe Acrobat….etc. ▪ Most of them do NOT need to connect to the internet. Not only does this mean NO access with firewall it means, unless the product would require an exception… NO BROWSER! ▪ Manage updates centrally and in house ▪ Segment, Segment, Segment….. SEGMENTTHE DAMNED SERVERS!!!!!!! ▪ Standard image should have NO additional services installed and build guidelines should be followed before release.
Slide 47 Quickies ▪ Remove all non essential services from servers RIGHTAWAY.They will run faster and more secure. ▪ Disallow install of any readers,office type programs or all workstation software in server hardening policy. ▪ Run FullAV on EVERY server. ▪ If you can’t get ids.ips for your servers try opensource like OSSEC http://www.ossec.net/ ▪ Use DLP https://code.google.com/p/opendlp/ ▪ Disallow all non authenticated services. ▪ Do not allow the use of local accounts to log in remotely ( that includes you SQL!!! No local sql accounts.. Integrate it) ▪ Make sure all report to the SIEM for security and login events.
Slide 48 Visualize the hard stuff
Slide 49 Quick hits ▪ Build a wall of doom – https://www.conetix.com.au/blog/conetix-network-operations-centre-build- part-1 – http://dashkiosk.readthedocs.org/en/latest/ ▪ WebVisualizers – http://logstalgia.io/ – http://goaccess.io/ – Hviz- http://www.sciencedirect.com/science/article/pii/S1742287615000067 ▪ TraficVisualizers – https://github.com/Fudge/gltail – https://www.wireshark.org/docs/man-pages/tshark.html – BsodVisualizer http://research.wand.net.nz/software/visualisation.php ▪ Platforms – Just because it looks super sexy https://www.protectwise.com/platform/
Slide 50
Slide 51 #6 Awareness > Knowledge ▪ Create Security Event Management Environments ▪ Implement logging on ALL servers and eventually specific workstation events. ▪ Consolidate logging ▪ Have packet capture capabilities on the fly in ALL areas ▪ Monitor Malicious Commands http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by- attackers.html ▪ Looks at the hotness of attack surfaces and start to build defenses based on techniques used in offense. (ex.WMI trend) ▪ LOG PROPERLY http://www.malwarearchaeology.com/cheat-sheets/
Slide 52 WMI (WHY?) ▪ 1. An attacker usesWMI as a persistence mechanism • Effect: Instances of __EventFilter, __ EventConsumer, and __FilterToConsumer Bindingare created. An __InstanceCreationEvent event is fired. ▪ 2.TheWMI Shell utility is used as a C2 channel • Effect: Instances of __ Namespace objects are created and modified. Consequently, __ NamespaceCreationEvent and __Namespace ModificationEvent events are fired. ▪ 3.WMI classes are created to store attacker data • Effect: A __ClassCreation Event event is fired. ▪ 4.An attacker installs a maliciousWMI provider • Effect: A __Provider class instance is created. An __ InstanceCreationEvent event is fired. ▪ 5.An attacker persists via the Start Menu or registry • Effect: AWin32_ StartupCommand class instance is created. An __ InstanceCreationEvent event is fired. ▪ 6.An attacker persists via other additional registry values • Effect: A RegistryKeyChangeEvent and/or RegistryValueChangeEvent event is fired. ▪ 7. An attacker installs a service • Effect: AWin32_Service class instance is created. An __InstanceCreationEvent event is fired.
Slide 53 Quick hits ▪ Set up IDS/IPS and have it report to a consolidated platform http://blog.securityonion.net/p/securityonion.html https://www.bro.org/ ▪ Set up logging and have it report to a consolidated platform http://blog.qbox.io/welcome-to-the-elk-stack-elasticsearch- logstash-kibana ▪ Make it easy for yourself. Help correlate from multiple sources. https://bammv.github.io/sguil/ ▪ Fireeye-FLAREWindows WMI-IDS https://github.com/fireeye/flare-wmi/tree/master/WMI-IDS ▪ LEARN ABOUT IOC SHARING! – STIX,TAXII, CybOX,maec – https://www.oasis-open.org/standards
Slide 54 Get your IR game in order
Slide 55
Slide 56 #7 In order to say you have an information security program you need to have an Incident response plan. ▪ Humans must be assigned to this plan and the tasks in it ▪ Security response center must have defined plans, SOP’s, and most of all a fully capable SLA to the business on risk response/identification ▪ Active defenses to stop attack in progress ▪ Forensic/ malware analysis on the fly and manual ▪ Coordination with all teams to have real time response. ▪ Defined skillsets of all team members to be sure the right skill for project.
Slide 57 Quick ways? ▪ Build a proper IR team. Define skills and roles to be played ▪ Setup an IR action group ( from all of IT and the business) ▪ Create defined IR plans that can be run as part of DR plans ▪ Build an IRTeam Sandbox toolkit / lab https://zeltser.com/build-malware-analysis-toolkit/ ▪ Build an Incident response platform http://blog.crowdstrike.com/new-community-tool-crowdresponse/ https://github.com/google/grr http://techblog.netflix.com/2015/05/introducing-fido-automated- security.html ▪ https://www.bestpractical.com/rtir/ ▪ https://www.mediawiki.org/wiki/Download
Slide 58
Slide 59 Quick ways? ▪ Basics: – Enable Constrained Language Mode – USE APPLOCKER – Log ALL powershell !!! – Enable PS Script Block Logging – Use System-wide transcripts ▪ MAKE CUSTOM DETECTIONS PLEASE! https://adsecurity.org/?p=2604 ▪ Follow Best Practices http://powershell-guru.com/best-practices/
Slide 60
Slide 61 I’m Chris AKA @indi303 cnickerson@laresconsulting.com https://vimeo.com/laresconsulting http://www.scribd.com/Lares_ Exoticliability.com

Recommended

Flipping the script
Flipping the scriptFlipping the script
Flipping the scriptChris Nickerson
 
50 Shades of RED: Stories from the “Playroom” from CONFidence 2014
50 Shades of RED: Stories from the “Playroom” from CONFidence 201450 Shades of RED: Stories from the “Playroom” from CONFidence 2014
50 Shades of RED: Stories from the “Playroom” from CONFidence 2014Chris Nickerson
 
Red teaming the CCDC
Red teaming the CCDCRed teaming the CCDC
Red teaming the CCDCscriptjunkie
 
The Infosec Revival
The Infosec RevivalThe Infosec Revival
The Infosec Revivalscriptjunkie
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityPriyanka Aash
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
The Infosec Revival
The Infosec RevivalThe Infosec Revival
The Infosec Revivalscriptjunkie
 
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...Eric Kolb
 

Recommended

Flipping the script
Flipping the scriptFlipping the script
Flipping the scriptChris Nickerson
 
50 Shades of RED: Stories from the “Playroom” from CONFidence 2014
50 Shades of RED: Stories from the “Playroom” from CONFidence 201450 Shades of RED: Stories from the “Playroom” from CONFidence 2014
50 Shades of RED: Stories from the “Playroom” from CONFidence 2014Chris Nickerson
 
Red teaming the CCDC
Red teaming the CCDCRed teaming the CCDC
Red teaming the CCDCscriptjunkie
 
The Infosec Revival
The Infosec RevivalThe Infosec Revival
The Infosec Revivalscriptjunkie
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityPriyanka Aash
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
The Infosec Revival
The Infosec RevivalThe Infosec Revival
The Infosec Revivalscriptjunkie
 
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...Eric Kolb
 
BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
 
Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Mohammed Adam
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedZoltan Balazs
 
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityZeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityJakub Kałużny
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
 
Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016Greg Foss
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 
Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT) Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT)Zoltan Balazs
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Zoltan Balazs
 
Password Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPassword Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPrasad Pawar
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Michael Gough
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListSecurity Weekly
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamMohammed Adam
 
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014Security Weekly
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionBeau Bullock
 
Ultimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPUltimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPPich Pra Tna
 
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tDefcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tPriyanka Aash
 
IT infrastructure security 101
IT infrastructure security 101IT infrastructure security 101
IT infrastructure security 101April Mardock CISSP
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 

More Related Content

What's hot

BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.Jakub Kałużny
 
Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Mohammed Adam
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Jakub Kałużny
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedZoltan Balazs
 
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityZeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityJakub Kałużny
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
 
Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016Greg Foss
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - Zoltan Balazs
 
Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT) Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT)Zoltan Balazs
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Zoltan Balazs
 
Password Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPassword Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPrasad Pawar
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Michael Gough
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListSecurity Weekly
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamMohammed Adam
 
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014Security Weekly
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionBeau Bullock
 
Ultimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPUltimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPPich Pra Tna
 
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tDefcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tPriyanka Aash
 

What's hot (20)

BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.BSides London 2015 - Proprietary network protocols - risky business on the wire.
BSides London 2015 - Proprietary network protocols - risky business on the wire.
 
Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2
 
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
Shameful Secrets of Proprietary Network Protocols - OWASP AppSec EU 2014
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automated
 
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces securityZeronights 2015 - Big problems with big data - Hadoop interfaces security
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
 
Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT) Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT)
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3
 
Password Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass ProtocolPassword Stealing & Enhancing User Authentication Using Opass Protocol
Password Stealing & Enhancing User Authentication Using Opass Protocol
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted List
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed Adam
 
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 Edition
 
Ultimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPUltimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIP
 
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-tDefcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
Defcon 22-alex zacharis-nikolaos-tsagkarakis-po s-attacking-t
 

Similar to Nightmares of a Penetration Tester ( How to protect your network)

Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
Cisco umbrella youtube
Cisco umbrella youtubeCisco umbrella youtube
Cisco umbrella youtubeDhruv Sharma
 
From 0 to 0xdeadbeef - security mistakes that will haunt your startup
From 0 to 0xdeadbeef - security mistakes that will haunt your startupFrom 0 to 0xdeadbeef - security mistakes that will haunt your startup
From 0 to 0xdeadbeef - security mistakes that will haunt your startupDiogo Mónica
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Applicationedavid2685
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsNetsparker
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Abhishek Kumar
 
Secrets to a Hack-Proof Joomla Revealed
Secrets to a Hack-Proof Joomla RevealedSecrets to a Hack-Proof Joomla Revealed
Secrets to a Hack-Proof Joomla RevealedSiteGround.com
 
Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014Michael Gough
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Teemu Tiainen
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 
Top 10 secure boot mistakes
Top 10 secure boot mistakesTop 10 secure boot mistakes
Top 10 secure boot mistakesJustin Black
 
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara
 
How to Ensure You're Launching the Most Secure Website - Michael Tremante
How to Ensure You're Launching the Most Secure Website - Michael TremanteHow to Ensure You're Launching the Most Secure Website - Michael Tremante
How to Ensure You're Launching the Most Secure Website - Michael TremanteWP Engine
 
5 Bare Minimum Things A Web Startup CTO Must Worry About
5 Bare Minimum Things A Web Startup CTO Must Worry About5 Bare Minimum Things A Web Startup CTO Must Worry About
5 Bare Minimum Things A Web Startup CTO Must Worry AboutIndus Khaitan
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsAnthony D Hendricks
 

Similar to Nightmares of a Penetration Tester ( How to protect your network) (20)

IT infrastructure security 101
IT infrastructure security 101IT infrastructure security 101
IT infrastructure security 101
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Cisco umbrella youtube
Cisco umbrella youtubeCisco umbrella youtube
Cisco umbrella youtube
 
From 0 to 0xdeadbeef - security mistakes that will haunt your startup
From 0 to 0xdeadbeef - security mistakes that will haunt your startupFrom 0 to 0xdeadbeef - security mistakes that will haunt your startup
From 0 to 0xdeadbeef - security mistakes that will haunt your startup
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass Firewalls
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
 
Secrets to a Hack-Proof Joomla Revealed
Secrets to a Hack-Proof Joomla RevealedSecrets to a Hack-Proof Joomla Revealed
Secrets to a Hack-Proof Joomla Revealed
 
Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
Web security 101
Web security 101Web security 101
Web security 101
 
Websec
WebsecWebsec
Websec
 
Top 10 secure boot mistakes
Top 10 secure boot mistakesTop 10 secure boot mistakes
Top 10 secure boot mistakes
 
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
 
How to Ensure You're Launching the Most Secure Website - Michael Tremante
How to Ensure You're Launching the Most Secure Website - Michael TremanteHow to Ensure You're Launching the Most Secure Website - Michael Tremante
How to Ensure You're Launching the Most Secure Website - Michael Tremante
 
5 Bare Minimum Things A Web Startup CTO Must Worry About
5 Bare Minimum Things A Web Startup CTO Must Worry About5 Bare Minimum Things A Web Startup CTO Must Worry About
5 Bare Minimum Things A Web Startup CTO Must Worry About
 
Windows server hardening 1
Windows server hardening 1Windows server hardening 1
Windows server hardening 1
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shells
 

Recently uploaded

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 

Recently uploaded (20)

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 

Nightmares of a Penetration Tester ( How to protect your network)

  • 6. Slide 6 • Loud Anoying American • Cursing • Racism • Religious Prejudice • Sex • Drugs • Daddy / Abandonment issues • Socio Economic Hate crimes • Thin Skin • Lack of sense of humor • Sexual orientation • Sexism • Violence • Vomiting • Abuse • Truth • Fear • Honesty • Facts • Emotions • Tears
  • 19. Slide 19 Custom Services OSINT SIGINT TSCM/ Bug Sweeping Exploit Development Tool Creation Attack Planning Offensive Consultation Adversarial Intelligence Competitive Intelligence Attack Modeling Business Chain Vuln Assessments Custom Physical Bypass Tool Design Reverse Engineering Other stuff I can’t write down…
  • 23. Slide 23 • 80,000 security incidents and more than 2,000 data compromises from 61 countries. • The top three industries affected are the same as previous years: Public,Technology/Information, and Financial Services. • In 70% of the attacks where we know the motive for the attack, there’s a secondary victim • 23% of recipients now open phishing messages and 11% click on attachments
  • 25. Slide 25 25 The common denominator across the top four patterns – accounting for nearly 90% of all incidents – is people
  • 27. Slide 27 What do we do to try and DEFEND? Buy stuff ▪ Firewalls ▪ WAF ▪ IDS/IPS ▪ AV ▪ SIEM ▪ Etc… Test our stuff ▪ Conduct Audits ▪ Do “PenTests” ▪ Vuln scanning? ▪ Hire 3rd parties ▪ Hire industry “Experts”
  • 28. Slide 28 And what happens? WE STILL GET HACKED ALLTHETIME!!!!!!!!
  • 30. Slide 30 Stories from the OTHER SIDE When attackers DON’T WIN! Because your infosec is FORCE is STRONG
  • 31. Slide 31 The following things are a brief view of how customers have DEFENDED their networks and made it HURT for us.
  • 33. Slide 33 External Defenses Sounds cool if you buy them and actually use them.
  • 34. Slide 34 Rule #1 DON’T TALK TO STRANGERS ▪ Implemented blocks from all emerging threats lists ▪ Honeypots that if SCANNED or traffic was sent to, that IP was blocked. FORGOOD. ▪ External SIEM integration that correlated logins. *Magic* the same address tries more than 3 usernames in an APP or SMPT it is banned for a certain time, if it happens after timeout, its banned for good ▪ Constant monitoring and baseline analysis of open ports. If it changed, a SEV1 ticket was created. ▪ Port scanning bans. ▪ Injection Bans ▪ Rejection of specific user agent strings ( most tools out there have specific UA strings. ▪ Test it all until BLOCK modeWORKS! Monitor mode will just make you feel bad when u go back to your logs and seeWHEN you got owned ▪ Big data like a boss. DOTHREAT INTEL IN HOUSE!!!! ▪ Protect yourOSINT ( anonymize info like DNS records)
  • 35. Slide 35 Quick fixes Tons of free stuff out there to get you started. ▪ External honeypot Network http://threatstream.github.io/mhn/ ▪ Drupal honeypot: https://www.drupal.org/project/honeypot ▪ External honeypot starter https://www.binarydefense.com/project- artillery/ ▪ Tools to monitor open ports https://github.com/subinacls/Filibuster ▪ Wordpress honeypots http://leadin.com/plugins/wordpress- honeypot ▪ Use the Emerging threats lists and other threat intel feeds http://rules.emergingthreats.net/ ▪ Check your osint / attack surface and threat landscape http://www.spiderfoot.net/
  • 37. Slide 37 #2 If you are going to talk, be sure u know who it is ▪ Disable SMTP verify/validation ▪ Mailer verification ( USE SPF) ▪ Use Mail filtering solutions that can intercept ALL mail protocols Encrypted and unencrypted ▪ Strict enforcement of Site Classification ▪ Analysis of certificate age and domain age “marination” ▪ Inspect all attachments and disallow all attachments except for a very specific set which have mitigating controls at the host or can be used in a sandboxed viewer. ▪ Browser based controls whitelisting 3rd party loaders like java, flash etc… ( or disabling all together) ▪ Verification of sender identity ▪ USE DNS ANALYSIS ▪ Don’t forward DNS. Split DNS is not hard
  • 38. Slide 38 Quickies ▪ Enable SPF ▪ Implement spamcop and other blocking lists https://www.spamcop.net/fom-serve/cache/291.html https://www.spamhaus.org ▪ Implement a Mail inspection gateway Preferably cloud and local ▪ Check security setting of SMTP/SPF/DNS http://mxtoolbox.com/diagnostic.aspx http://www.dnssy.com/ ▪ Create Split DNS don’t allow forwarding and use only the validated internal resolver. http://shorewall.net/SplitDNS.html ▪ Create automated Phishing reporting process in client or train users on process to submit ▪ Phish the users, test them, train them. And UPDATE your new hire training to include how to defend.
  • 39. Slide 39 Internal Defenses They ARE gonna get in, so knowing that WHAT U GONNA DO ABOUT IT?
  • 40. Slide 40 #3 Your internal network is a HOSTILE environment. Treat it as such ▪ Monitor inside MORE than outside. ▪ Portscan inside = Block and SEV1 IR response ▪ Segmentation of all servers from users. ▪ Create Classified zones,These will require 2 factor auth to a Jump box. Only jump box will be allowed to get into secured zone. Or CreateVPN from user desktop directly into the Environment ▪ NEVER useVPN Pools.Always tie a user to a specific ip address and firewall rule limitALL users to resources needed. ▪ Alert on ALL network device configuration change IMMEDIATELY. ▪ Use Netflows or other traffic analysis to identify top talkers and tune to find future anomalies ▪ Set up “HoneyNets” ▪ LOCK DOWNYOUR CONFIGS!!!!!!! ▪ Remove your default route and intercept all HTTP/S
  • 41. Slide 41 Quick hits ▪ Set up your AV to disallow/ban anything port scanning ▪ Segment and firewall protect ALL servers from user segments ▪ Tune internal IDS to look for port scans and inappropriate user to server traffic. Also to identify protocols that shouldn’t be used (ex. DNS traffic to things other than the registered internal DNS) ▪ Enable config monitoring on ALL network Devices http://www.rconfig.com/ ▪ Restrict network device management to only validated addresses of network engineers OR setup mgmt. network that Engineers MUST vpn into. ▪ Monitor all ports open and look for changes. http://sourceforge.net/p/dnmap/wiki/Home/ distributed nmap ▪ Audit your configs https://github.com/pello/routerdefense https://www.titania.com/nipperstudio
  • 43. Slide 43 #4 Users have the ability to use the companies resources. ▪ Only ad user accounts through secured methods. DO NOT USE GPO’s that have cPassword or add accounts with cleartext values. ▪ Users should only be allowed to go to categorized sites.Any/all other traffic must be denied. ▪ Whitelist approved and managed software. ▪ Disallow Local admin privs ▪ Do NOT let local admins to log on remotely ▪ Randomize ALL local admin passwords ▪ Maintain internal software reports for updates ▪ Manage all the things ▪ Host based firewalls, IDS, and behavioral analysis ▪ SCANALL HOSTS for vulnerabilities on a regular basis
  • 44. Slide 44 Quickies ▪ Manage local admin passwords with a commercial solution or some of the open sources. Microsoft LAPS https://technet.microsoft.com/en-us/library/security/3062591.aspx ▪ Create GPO’s to whitelist or blackist services ▪ Remove admin rights ▪ Deploy anti exploitation defenses EMET https://support.microsoft.com/en-us/kb/2458544 ▪ Harden your devices. Linux, AIX, BSD, Etc.. hardening https://cisofy.com/lynis/ Windows: Microsoft Baseline Security Analyzer ▪ Enable hardening locally with detection and protection http://www.fail2ban.org/ and windows firewall + AV ▪ Use Authenticated Scans to inventory software , find non compliant software and define hardening. ▪ Harden default images
  • 45. Slide 45 It’s a SERVER... Make it serve you.
  • 46. Slide 46 #5 Servers have a specific purpose ▪ Do not install workstation software on a SERVER. Office, Adobe Acrobat….etc. ▪ Most of them do NOT need to connect to the internet. Not only does this mean NO access with firewall it means, unless the product would require an exception… NO BROWSER! ▪ Manage updates centrally and in house ▪ Segment, Segment, Segment….. SEGMENTTHE DAMNED SERVERS!!!!!!! ▪ Standard image should have NO additional services installed and build guidelines should be followed before release.
  • 47. Slide 47 Quickies ▪ Remove all non essential services from servers RIGHTAWAY.They will run faster and more secure. ▪ Disallow install of any readers,office type programs or all workstation software in server hardening policy. ▪ Run FullAV on EVERY server. ▪ If you can’t get ids.ips for your servers try opensource like OSSEC http://www.ossec.net/ ▪ Use DLP https://code.google.com/p/opendlp/ ▪ Disallow all non authenticated services. ▪ Do not allow the use of local accounts to log in remotely ( that includes you SQL!!! No local sql accounts.. Integrate it) ▪ Make sure all report to the SIEM for security and login events.
  • 49. Slide 49 Quick hits ▪ Build a wall of doom – https://www.conetix.com.au/blog/conetix-network-operations-centre-build- part-1 – http://dashkiosk.readthedocs.org/en/latest/ ▪ WebVisualizers – http://logstalgia.io/ – http://goaccess.io/ – Hviz- http://www.sciencedirect.com/science/article/pii/S1742287615000067 ▪ TraficVisualizers – https://github.com/Fudge/gltail – https://www.wireshark.org/docs/man-pages/tshark.html – BsodVisualizer http://research.wand.net.nz/software/visualisation.php ▪ Platforms – Just because it looks super sexy https://www.protectwise.com/platform/
  • 51. Slide 51 #6 Awareness > Knowledge ▪ Create Security Event Management Environments ▪ Implement logging on ALL servers and eventually specific workstation events. ▪ Consolidate logging ▪ Have packet capture capabilities on the fly in ALL areas ▪ Monitor Malicious Commands http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by- attackers.html ▪ Looks at the hotness of attack surfaces and start to build defenses based on techniques used in offense. (ex.WMI trend) ▪ LOG PROPERLY http://www.malwarearchaeology.com/cheat-sheets/
  • 52. Slide 52 WMI (WHY?) ▪ 1. An attacker usesWMI as a persistence mechanism • Effect: Instances of __EventFilter, __ EventConsumer, and __FilterToConsumer Bindingare created. An __InstanceCreationEvent event is fired. ▪ 2.TheWMI Shell utility is used as a C2 channel • Effect: Instances of __ Namespace objects are created and modified. Consequently, __ NamespaceCreationEvent and __Namespace ModificationEvent events are fired. ▪ 3.WMI classes are created to store attacker data • Effect: A __ClassCreation Event event is fired. ▪ 4.An attacker installs a maliciousWMI provider • Effect: A __Provider class instance is created. An __ InstanceCreationEvent event is fired. ▪ 5.An attacker persists via the Start Menu or registry • Effect: AWin32_ StartupCommand class instance is created. An __ InstanceCreationEvent event is fired. ▪ 6.An attacker persists via other additional registry values • Effect: A RegistryKeyChangeEvent and/or RegistryValueChangeEvent event is fired. ▪ 7. An attacker installs a service • Effect: AWin32_Service class instance is created. An __InstanceCreationEvent event is fired.
  • 53. Slide 53 Quick hits ▪ Set up IDS/IPS and have it report to a consolidated platform http://blog.securityonion.net/p/securityonion.html https://www.bro.org/ ▪ Set up logging and have it report to a consolidated platform http://blog.qbox.io/welcome-to-the-elk-stack-elasticsearch- logstash-kibana ▪ Make it easy for yourself. Help correlate from multiple sources. https://bammv.github.io/sguil/ ▪ Fireeye-FLAREWindows WMI-IDS https://github.com/fireeye/flare-wmi/tree/master/WMI-IDS ▪ LEARN ABOUT IOC SHARING! – STIX,TAXII, CybOX,maec – https://www.oasis-open.org/standards
  • 54. Slide 54 Get your IR game in order
  • 56. Slide 56 #7 In order to say you have an information security program you need to have an Incident response plan. ▪ Humans must be assigned to this plan and the tasks in it ▪ Security response center must have defined plans, SOP’s, and most of all a fully capable SLA to the business on risk response/identification ▪ Active defenses to stop attack in progress ▪ Forensic/ malware analysis on the fly and manual ▪ Coordination with all teams to have real time response. ▪ Defined skillsets of all team members to be sure the right skill for project.
  • 57. Slide 57 Quick ways? ▪ Build a proper IR team. Define skills and roles to be played ▪ Setup an IR action group ( from all of IT and the business) ▪ Create defined IR plans that can be run as part of DR plans ▪ Build an IRTeam Sandbox toolkit / lab https://zeltser.com/build-malware-analysis-toolkit/ ▪ Build an Incident response platform http://blog.crowdstrike.com/new-community-tool-crowdresponse/ https://github.com/google/grr http://techblog.netflix.com/2015/05/introducing-fido-automated- security.html ▪ https://www.bestpractical.com/rtir/ ▪ https://www.mediawiki.org/wiki/Download
  • 59. Slide 59 Quick ways? ▪ Basics: – Enable Constrained Language Mode – USE APPLOCKER – Log ALL powershell !!! – Enable PS Script Block Logging – Use System-wide transcripts ▪ MAKE CUSTOM DETECTIONS PLEASE! https://adsecurity.org/?p=2604 ▪ Follow Best Practices http://powershell-guru.com/best-practices/

Editor's Notes

  1. MIS Training Institute Section # - Page 1 XXXXXX XXX ©
  2. Who we are
  3. Code review
  4. Incident response
  5. Risk Assessment
  6. Physical security
  7. PenTesting
  8. Red Teaming
  9. To my stupid ppt