2. Disclaimer
During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. I often lie. Maybe this is a lie.
Wik Alsø wik Alsø alsø wik Wi nøt trei a høliday in Sweden this yër? See the løveli lakes The wøndërful telephøne system And mäni interesting furry animals Including the majestik møøse A Møøse once bit my Marcus... No realli! He was Karving his initials on the møøse with the sharpened end of an interspace tøøthbrush given him by Svenge – his brother-in-law – a Canadian dentist and star of many Norwegian møvies: "The Høt Hands of an Canadian Dentist", "Fillings of Passion", "The Huge Mølars of Horst Nordfink"...
The characters and incidents portrayed and the names used in this Presentation are fictitious and any similarity to the names, characters, or history of any person is entirely accidental and unintentional. Signed RICHARD M. NIXON
In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. Splunk undertakës no øbligation either to develøp the features or functionality described or to include any such feature or functionality in a future release.
3. # whoami > Ryan Kovar
Staff Security Strategist
Minister of the OODAloopers
CISSP, MSc (Dist)
@meansec
• 17 years of cyber security experience
• Current role on Security Practice team focuses on incident/breach response, threat intelligence, and research
• Also investigating why printers are so insubordinate ಠ_ಠ
4. # whoami > Dave Herrald
Senior Security Architect
Minister of Peace
CISSP, GIAC G*, GSE #79
@daveherrald
- 20+ years in IT and security
- Information security officer, security architect, pen tester, consultant, SE, system/network engineer
- Former SANS Mentor
30. Security Awareness Training
• “Clicking on the phishing test” == “clicking on the spear phishing email”: the users who fall for your simulation are the ones who will fall for the real thing
• Make your users your canaries in the coal mine
• Education helps… and the click results let you make your own targeting list
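One way to act on that slide: treat repeat clickers from your own phishing simulations as the canaries, and raise the priority of external, link- or attachment-bearing mail that lands on them. This is an added example, not code from the presentation or from Splunk; the campaign results and mail-gateway log lines are constructed sample data, and the field names (`src`, `dst`, `links`, `attach`) are assumptions rather than any vendor's schema.

```python
"""Turn phishing-simulation click data into a watchlist and use it to
raise the priority of inbound-mail events for the users on it.

Added example (not from the original presentation). The campaign results
and mail-gateway log lines below are constructed sample data; field names
are assumptions, not any vendor's schema.
"""
import csv
import io
import shlex
from collections import defaultdict

# Constructed: one row per simulated phish delivered to a user.
CAMPAIGN_RESULTS = """campaign,user,clicked
2019-q1,alice@example.com,1
2019-q1,bob@example.com,0
2019-q1,carol@example.com,1
2019-q2,alice@example.com,1
2019-q2,bob@example.com,0
2019-q2,carol@example.com,0
2019-q3,alice@example.com,0
2019-q3,bob@example.com,1
2019-q3,carol@example.com,1
"""

# Constructed: key=value mail-gateway events (assumed field names).
MAIL_LOG = """ts=2019-10-01T09:12:03Z src=news@vendor.example dst=bob@example.com subject="Q3 newsletter" links=2 attach=0
ts=2019-10-01T09:14:41Z src=it-support@examp1e.com dst=alice@example.com subject="Password expiry" links=1 attach=0
ts=2019-10-01T09:15:02Z src=hr@example.com dst=alice@example.com subject="Holiday calendar" links=0 attach=1
ts=2019-10-01T09:20:19Z src=invoices@acme-pay.example dst=carol@example.com subject="Invoice 4471" links=0 attach=1
"""

INTERNAL_DOMAIN = "example.com"


def build_watchlist(csv_text, min_clicks=2):
    """Return {user: click_count} for users who clicked in >= min_clicks
    campaigns. Repeat clickers are the canaries: the mailboxes a real
    spear phish is most likely to land on, so they get extra monitoring."""
    clicks = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["clicked"] == "1":
            clicks[row["user"]] += 1
    return {user: n for user, n in clicks.items() if n >= min_clicks}


def parse_kv(line):
    """Parse 'k=v k="quoted v"' log lines into a dict (constructed format)."""
    fields = {}
    for part in shlex.split(line):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def prioritize(mail_log, watchlist):
    """Return (priority, event) pairs. External mail carrying links or an
    attachment is 'medium'; the same mail to a watchlisted user is 'high'."""
    out = []
    for line in mail_log.strip().splitlines():
        ev = parse_kv(line)
        external = not ev["src"].endswith("@" + INTERNAL_DOMAIN)
        lure = int(ev["links"]) > 0 or int(ev["attach"]) > 0
        priority = "low"
        if external and lure:
            priority = "medium"
            if ev["dst"] in watchlist:
                priority = "high"
        out.append((priority, ev))
    return out


if __name__ == "__main__":
    watch = build_watchlist(CAMPAIGN_RESULTS)
    for priority, ev in prioritize(MAIL_LOG, watch):
        print(priority, ev["dst"], ev["src"], ev["subject"])
```

The watchlist threshold (`min_clicks`) is the knob: one click in a year is noise, two or more is a pattern worth a second look at every external lure that reaches that user.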
36. Decoy Docs and you
• Make a file called passwords.docx. Put decoy usernames/passwords in the file and leave it in VIP directories.
• Put enhanced audit logging on that directory
• Insert a web beacon into the document… set up alerting for its callback
• Disable (or restrict) honey-users. Set up alerts for their usage.
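The three signals on that slide (a read of the decoy file, the beacon callback, a logon attempt with a honey-user) each need a detection rule. The following is an added example of those rules run over sample logs; it is not code from the presentation or from Splunk. The Windows event IDs are real (4663 object access, 4624 logon success, 4625 logon failure); the decoy path, beacon URL, honey-user names and every log line are constructed placeholders to replace with your own.

```python
"""Alert on the three decoy signals: access to the decoy document, the
document's web-beacon callback, and any use of a honey-user account.

Added example, not code from the presentation. The log lines are
constructed; the Windows event IDs (4663 object access, 4624/4625 logon
success/failure) are real, while the decoy path, beacon URL and honey-user
names are placeholders for your own values.
"""
import re

# --- Configuration: your own decoys go here (placeholders) ---
DECOY_FILES = {r"\\fileserver\ceo$\passwords.docx"}
DECOY_LOWER = {p.lower() for p in DECOY_FILES}
BEACON_PATH = "/img/b/7f3a91.png"            # unique per decoy doc (placeholder)
HONEY_USERS = {"svc_backup_old", "j.doe.admin"}
LEGIT_DECOY_READERS = {"CORP\\secops-dlp"}    # backup/DLP accounts allowed to touch the decoy

# Constructed sample events: flattened Windows security audit records and
# an access log from the web server that hosts the beacon image.
WINDOWS_EVENTS = [
    'EventCode=4663 SubjectUserName=CORP\\secops-dlp ObjectName=\\\\fileserver\\ceo$\\passwords.docx AccessMask=0x1',
    'EventCode=4663 SubjectUserName=CORP\\bsmith ObjectName=\\\\fileserver\\ceo$\\passwords.docx AccessMask=0x1',
    'EventCode=4663 SubjectUserName=CORP\\bsmith ObjectName=\\\\fileserver\\ceo$\\budget.xlsx AccessMask=0x1',
    'EventCode=4624 TargetUserName=svc_backup_old IpAddress=10.20.30.40 LogonType=3',
    'EventCode=4625 TargetUserName=j.doe.admin IpAddress=10.20.30.41 LogonType=10',
    'EventCode=4624 TargetUserName=bsmith IpAddress=10.20.30.40 LogonType=2',
]
WEB_LOG = [
    '203.0.113.7 - - [01/Oct/2019:10:02:11 +0000] "GET /img/b/7f3a91.png HTTP/1.1" 200 68 "-" "Microsoft Office Word 2013"',
    '198.51.100.9 - - [01/Oct/2019:10:03:50 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def _kv(line):
    """Split 'Key=Value Key=Value' audit lines into a dict."""
    return dict(part.partition("=")[::2] for part in line.split())


def decoy_file_alerts(events):
    """4663 accesses to a decoy file by anyone not on the allow-list."""
    alerts = []
    for line in events:
        ev = _kv(line)
        if ev.get("EventCode") != "4663":
            continue
        if (ev.get("ObjectName", "").lower() in DECOY_LOWER
                and ev.get("SubjectUserName") not in LEGIT_DECOY_READERS):
            alerts.append(("decoy_file_access", ev["SubjectUserName"], ev["ObjectName"]))
    return alerts


def honey_user_alerts(events):
    """Any logon attempt (4624 success or 4625 failure) for a honey-user.
    The account is disabled, so even a failure means someone obtained the
    credentials from where they were planted."""
    alerts = []
    for line in events:
        ev = _kv(line)
        if ev.get("EventCode") in ("4624", "4625") and ev.get("TargetUserName") in HONEY_USERS:
            alerts.append(("honey_user_logon", ev["TargetUserName"], ev.get("IpAddress", "?")))
    return alerts


# Common Log Format with referrer and user-agent.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                 r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')


def beacon_alerts(web_log):
    """Every request for the beacon path is an alert: nothing legitimate
    fetches it except a client rendering the decoy document."""
    alerts = []
    for line in web_log:
        m = CLF.match(line)
        if m and m.group("path") == BEACON_PATH:
            alerts.append(("beacon_callback", m.group("ip"), m.group("ua")))
    return alerts


def run_all():
    return decoy_file_alerts(WINDOWS_EVENTS) + honey_user_alerts(WINDOWS_EVENTS) + beacon_alerts(WEB_LOG)


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

The allow-list matters: backup agents and DLP scanners will read the decoy on a schedule, and without it the rule is noise within a day. Everything else that touches passwords.docx, fetches the beacon, or tries a honey-user is worth a ticket.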
48. Google Fooey and you
• Determine which vendors your security depends upon
• Craft Google alerts to notify you of vulnerabilities or compromises
• Integrate alerts into your analytical toolkit for automated thingies
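The integration step looks roughly like this: Google Alerts can deliver results as a feed, so a scheduled job can pull the feed, match entries against the vendor inventory from the first bullet, score them on risk vocabulary, and emit JSON events for the SIEM. This is an added example, not code from the presentation or from Splunk; the sample feed is a constructed Atom document in the general shape such feeds use (the exact element set is an assumption), the vendor inventory and keyword weights are placeholders, and `CVE-XXXX-NNNN` is a placeholder, not a real identifier.

```python
"""Ingest a Google Alerts feed and turn vendor-related hits into scored
JSON events for a SIEM.

Added example, not code from the presentation. The sample below is a
constructed Atom document in the general shape of an alerts feed (element
set assumed); the vendor inventory and keyword weights are placeholders.
"""
import json
import re
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"

# Placeholder inventory: vendors your security depends on and how much you
# rely on each (1-5). Build this from your own asset and vendor lists.
VENDORS = {
    "ExampleVPN": {"match": ["examplevpn", "example vpn"], "criticality": 5},
    "AcmeMail Gateway": {"match": ["acmemail"], "criticality": 4},
    "Widget HR Portal": {"match": ["widget hr"], "criticality": 2},
}

# Risk vocabulary and weights (placeholders; tune to your own alert noise).
RISK_TERMS = {
    "zero-day": 3, "0day": 3, "exploited": 3, "breach": 3, "compromise": 3,
    "cve-": 2, "vulnerability": 2, "patch": 1, "advisory": 1,
}

# Constructed sample feed; CVE-XXXX-NNNN is a placeholder, not a real ID.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Google Alert - ExampleVPN vulnerability</title>
  <entry>
    <id>tag:example,2019:1</id>
    <title type="html">ExampleVPN patches critical &lt;b&gt;vulnerability&lt;/b&gt; (CVE-XXXX-NNNN)</title>
    <link href="https://news.example/examplevpn-cve"/>
    <published>2019-10-01T08:00:00Z</published>
    <content type="html">Vendor advisory says the flaw is being &lt;b&gt;exploited&lt;/b&gt; in the wild.</content>
  </entry>
  <entry>
    <id>tag:example,2019:2</id>
    <title type="html">AcmeMail announces new pricing tiers</title>
    <link href="https://blog.example/acmemail-pricing"/>
    <published>2019-10-01T09:00:00Z</published>
    <content type="html">Nothing security related here.</content>
  </entry>
  <entry>
    <id>tag:example,2019:3</id>
    <title type="html">Widget HR confirms customer data breach</title>
    <link href="https://news.example/widget-hr-breach"/>
    <published>2019-10-01T10:00:00Z</published>
    <content type="html">Widget HR says attackers accessed...</content>
  </entry>
</feed>
"""


def _strip_html(text):
    """Alert titles/content arrive as HTML with <b> highlights; drop the tags."""
    return re.sub(r"<[^>]+>", "", text or "")


def parse_feed(xml_text):
    """Yield one dict (id/title/link/published/summary) per feed entry."""
    root = ET.fromstring(xml_text)
    for entry in root.findall(ATOM + "entry"):
        link = entry.find(ATOM + "link")
        yield {
            "id": entry.findtext(ATOM + "id", ""),
            "title": _strip_html(entry.findtext(ATOM + "title", "")),
            "link": link.get("href") if link is not None else "",
            "published": entry.findtext(ATOM + "published", ""),
            "summary": _strip_html(entry.findtext(ATOM + "content", "")),
        }


def score_entry(entry):
    """Match an entry against the vendor inventory and risk vocabulary.
    Score = vendor criticality * (1 + sum of matched risk-term weights).
    Returns (vendor, score, matched_terms); vendor is None if no match."""
    text = (entry["title"] + " " + entry["summary"]).lower()
    vendor = next((name for name, v in VENDORS.items()
                   if any(k in text for k in v["match"])), None)
    if vendor is None:
        return None, 0, []
    hits = sorted(t for t in RISK_TERMS if t in text)
    score = VENDORS[vendor]["criticality"] * (1 + sum(RISK_TERMS[t] for t in hits))
    return vendor, score, hits


def to_events(xml_text, min_score=1):
    """Return SIEM-ready events; entries naming a vendor but carrying no
    risk language (marketing, pricing news) are dropped."""
    events = []
    for entry in parse_feed(xml_text):
        vendor, score, hits = score_entry(entry)
        if vendor is None or not hits or score < min_score:
            continue
        events.append({**entry, "vendor": vendor, "risk_score": score,
                       "risk_terms": hits, "sourcetype": "google_alerts:vendor"})
    return events


if __name__ == "__main__":
    for event in to_events(SAMPLE_FEED):
        print(json.dumps(event))   # one JSON line per event for ingestion
```

Criticality times risk language is deliberately simple: the goal is to sort the morning's alerts so that "exploited in the wild" against the VPN you depend on floats above a pricing announcement from the mail vendor, not to replace reading the article.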
55. DNS Twist and you
• Search backward, then alert going forward
• Set a cronjob, run it daily, ingest it into your tool set
• Increase risk for important variables:
  • Registered domain
  • MX records
  • Newly registered domain
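Putting the slide together in code: generate dnstwist-style permutations of your own domain, score each one on the three variables named above, and search existing DNS logs backward for any of them before turning the same check into the daily cron. This is an added example, not dnstwist itself and not code from the presentation. The permutation set is a subset of what dnstwist produces; the registration/MX lookup table is a constructed stand-in for WHOIS and DNS answers so the example runs offline, and the passive DNS log lines are constructed as well.

```python
"""dnstwist-style permutations of your own domain, a risk score built from
the slide's variables (registered, has MX, newly registered), and a
backward search through DNS logs for any candidate.

Added example, not dnstwist and not code from the presentation. LOOKUPS is
a constructed stand-in for WHOIS/DNS results; DNS_LOG is constructed too.
"""
from datetime import date

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
TLDS = ["com", "net", "org", "co"]


def permutations(domain):
    """Typosquat candidates for 'label.tld': omission, repetition,
    transposition, hyphenation, homoglyph and TLD swap. The original domain
    itself is excluded."""
    label, _, tld = domain.rpartition(".")
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                                # omission
        out.add(label[:i] + label[i] + label[i:])                         # repetition
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
            out.add(label[:i + 1] + "-" + label[i + 1:])                  # hyphenation
        if label[i] in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])     # homoglyph
    out.discard(label)
    cands = {f"{l}.{tld}" for l in out if l and "--" not in l}
    cands |= {f"{label}.{t}" for t in TLDS if t != tld}                   # TLD swap
    cands.discard(domain)
    return sorted(cands)


# Constructed stand-in for WHOIS/DNS lookups: candidate -> (created, has_mx).
# In production this comes from your resolver, WHOIS and passive DNS.
LOOKUPS = {
    "examp1e.com": (date(2019, 9, 28), True),
    "exampel.com": (date(2015, 3, 2), False),
    "example.co": (date(2012, 6, 10), True),
}


def risk_score(candidate, lookups=LOOKUPS, today=date(2019, 10, 1), new_days=30):
    """0 = not registered. Registered adds 1; an MX record adds 2 (the
    domain can send and receive mail); registration within `new_days`
    adds 3 (a fresh registration is more likely to be an attack in progress)."""
    if candidate not in lookups:
        return 0
    created, has_mx = lookups[candidate]
    score = 1
    if has_mx:
        score += 2
    if (today - created).days <= new_days:
        score += 3
    return score


def report(domain):
    """Candidates with nonzero risk, highest first: the daily cron output."""
    scored = [(risk_score(c), c) for c in permutations(domain)]
    return sorted(((s, c) for s, c in scored if s > 0), reverse=True)


# Constructed passive-DNS / resolver log lines: "ts client qname qtype".
DNS_LOG = """2019-09-29T11:02:13Z 10.1.2.3 examp1e.com A
2019-09-29T11:02:14Z 10.1.2.3 www.examp1e.com A
2019-09-30T08:40:01Z 10.1.2.9 example.com A
2019-09-30T08:41:17Z 10.1.2.9 mail.example.co MX
2019-09-30T09:00:00Z 10.1.2.7 cdn.othersite.net A
"""


def search_backward(log_text, candidates):
    """Log lines whose queried name is, or is a subdomain of, a candidate.
    Run once over history ("search backward"), then on each day's new logs."""
    cset = set(candidates)
    hits = []
    for line in log_text.strip().splitlines():
        ts, client, qname, qtype = line.split()
        parts = qname.lower().rstrip(".").split(".")
        # check every registrable suffix: 'www.examp1e.com' -> 'examp1e.com'
        if any(".".join(parts[i:]) in cset for i in range(len(parts) - 1)):
            hits.append((ts, client, qname, qtype))
    return hits


if __name__ == "__main__":
    for score, cand in report("example.com"):
        print(score, cand)
    for hit in search_backward(DNS_LOG, permutations("example.com")):
        print("historical hit:", *hit)
```

The backward search is the part people skip: a homoglyph domain that your own clients already resolved last week is a live incident, not a future risk, and the same candidate list answers both questions.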
62. Takeaways
• Dig into your own data
• DNStwist your way to visibility
• Automate your GoogleFu
• Local PassiveDNS is good!!!
• Don’t let SAT go to waste
• Set decoys and then alert on them