Threat hunting != Throwing arrow! Hunting for adversaries in your it environment

•

7 gefällt mir•876 views

Nahidul Kibria

This was present in bdnog6[http://bdnog.org/bdnog6/index.php].

Technologie

Threat hunting != Throwing arrow!
Hunting for adversaries in your IT environment
Md Nahidul kibria
Co-Founder, Beetles

Md Nahidul Kibria
Co-Founder, Beetles
@nahidupa
[~] $ whoami

Threat hunting is a approach to answer that question.
Am i compromised today?

What is hunting?
Hunting as the process of proactively and
iteratively searching through networks to
detect and isolate advanced threats that
evade existing security solutions.
“You Can’t Hunt That With a Bow and Arrow!

What is Threat hunting is and is not.
Threat hunting != Throwing arrow!

Threat landscape
Cybercriminals Hacktivists Nation state
Insiders

The hunting loop
ref:http://blog.sqrrl.com/the-threat-hunting-reference-model-part-2-the-hunting-loop

Hunting vs. Alerting
Alerting
1. Reactive
2. Detect/forget
Hunting
1. Proactive
2. Repeated searches

Approaches to Threat Hunting
1. Data-centric Hunting
2. Hunting on the Endpoint(DFIR)
3. Deception

Adversary simulation
1. Attacking web application
2. OS Command execute
3. Download malicious files (powershell webclient)
4. Getting reverse shell
5. Privilege escape
6. Scan internal host
7. Lateral Movement

Hunt Lateral MovementAttackers quietly traverse your Network.

Lateral Movement - Techniques, Tactics &
Procedures (TTPs)
Psexec
File shares
Powershell
Pass-the-hash
Scheduled tasks
WMI
SMB
SSH

Psexec
psexec.exe -i -s %SystemRoot%system32cmd.exe

Hunt other TTPs
“net” Reconnaissance of Domain Admin Group
Command
C: > net group "Domain Admin" /domain
Credential Harvesting with WMI and WCE
net use 172.31.3.16 PASSWORD /user:SANDBOXAdministrator
copy w.exe 172.31.3.16c$PerfLogs
wmic /NODE:172.31.3.16 /USER:"SANDBOXAdministrator" /PASSWORD:"PASSWORD" process call create "cmd /c C:Perflogsw.exe -w >
C:Perflogso.txt"
Ref: http://www.crypsisgroup.com/images/site/CG_WhitePaper_Splunkmon_1216.pdf

Ref: http://www.crypsisgroup.com/images/site/CG_WhitePaper_Splunkmon_1216.pdf

Hunting Command and Control(c2)
C2 via Dynamic DNS
Finding the Unknown with HTTP URIs
Beacon Detection via Intra-Request Time Deltas
Finding C2 in Network Sessions

#wannacry
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.

Producer-Consumer Ratio for Detecting Data Exfiltration
Ref
https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/analyze_producer_consumer_ratio.md

Unusual Windows Behavior
https://www.sans.org/security-resources/posters/dfir-find-evil/35/download

Query
(NewProcessName: "svchost.exe" AND NOT NewProcessName: "C:WindowsSystem32svchost.exe") OR (NewProcessName:
"smss.exe" AND NOT NewProcessName: "C:WindowsSystem32smss.exe") OR (NewProcessName: "wininit.exe" AND NOT
NewProcessName: "C:WindowsSystem32wininit.exe") OR (NewProcessName: "taskhost.exe" AND NOT NewProcessName:
"C:WindowsSystem32taskhost.exe") OR (NewProcessName: "lsass.exe" AND NOT NewProcessName:
"C:WindowsSystem32lsass.exe") OR (NewProcessName: "winlogon.exe" AND NOT NewProcessName:
"C:WindowsSystem32winlogon.exe") OR (NewProcessName: "explorer.exe" AND NOT NewProcessName:
"C:Windowsexplorer.exe") OR (NewProcessName: "lsm.exe" AND NOT NewProcessName: "C:WindowsSystem32lsm.exe")
OR (NewProcessName: "services.exe" AND NOT NewProcessName: "C:WindowsSystem32services.exe") OR
(NewProcessName: "csrss.exe" AND NOT NewProcessName: "C:WindowsSystem32csrss.exe")

WannaCry detection
Ref:
https://github.com/Neo23x0/sigma/tree/master/rules/windows/sysmon

Hunt in memory
Malware become fileless- Kovter,Poweliks
Volatility-/rekall
https://github.com/google/rekall

Happy Hunting!
@nahidupa
Must check
http://www.threathunting.net/

Weitere ähnliche Inhalte

Was ist angesagt?

DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...

Felipe Prado

Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy

RootedCON

Attackers have found compromise trivial for decades. But as additional security layers get deployed and next generation solutions come to market, attackers are turning to old and new techniques for bypassing security controls to launch their attacks and stay hidden. This session will explore the latest techniques and how simple defense techniques can foil even the most sophisticated attacks. (Source: RSA USA 2016-San Francisco)

Hacking Exposed LIVE: Attacking in the Shadows

Priyanka Aash

Laura Garcia - Shodan API and Coding Skills [rooted2019]

RootedCON

Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...

OpenDNS

Docker Plugin For DevSecOps

Pichaya Morimoto

Banking Trojans have been part of the financial cybercrime landscape for over a decade, causing losses measured in billions of dollars. On the flip side, the constant evolution of defenses against this type of malware has forced Trojan operators to adjust to security controls designed to keep them out. As a result, many Trojan operators have either disappeared or considerably narrowed their activity scope, but more interestingly, are using novel techniques to achieve their goals. In this talk, we will present three top malware operators active in the wild and their use of automated scripts to tackle their challenges: The notorious Gozi (ISFB) malware used to run its own executable files. Nowadays, it avoids storing malicious payloads on disk and instead, writes a Powershell script to the Windows registry and executes it using a special regex-based run-key. Ramnit, a dated foe that focuses on UK banks, encrypts its payload using a Windows API function with a device-unique key. In every system reboot, it decrypts the payload in-memory and runs it with a Visual Basic script that runs Powershell. This allows Ramnit to avoid running a detectable, executable file as it used to do in the past. BackSwap is a new banking Trojan that attacks financial institutions in Spain. Its dropper is a JavaScript Encoded (JSE) file. When decoded, the dropper results in a 30k lines-of-code script which downloads a binary sample from a remote Command-and-Control server. Together with our audience, we will walk through the research process and share our findings along with our (sometimes) quick-and-dirty solutions. We aim to enhance our participants’ knowledge of today’s bankers and help them get deeper into current-day scripting-related techniques cybercriminals use.

"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...

PROIDEA

Michal will take you on a journey all the way to 90’s and back, sharing the Mozilla detection framework - a systematic way to detect and hunt down threat actors. Why did we spend hours digging through some old Phrack issues? How does a blue team's member approach writing rootkits? What is better - a fail negative or a false positive? I will share answers to these questions plus a lot of alerting and evil-doing code.

"A rootkits writer’s guide to defense" - Michal Purzynski

PROIDEA

Windows persistence presentation

OlehLevytskyi1

We propose a new exploit technique that brings a whole-new attack surface to bypass SSRF (Server Side Request Forgery) protections. This is a very general attack approach, in which we used in combination with our own fuzzing tool to discover many 0days in built-in libraries of very widely-used programming languages, including Python, PHP, Perl, Ruby, Java, JavaScript, Wget and cURL. The root cause of the problem lies in the inconsistency of URL parsers and URL requesters. Being a very fundamental problem that exists in built-in libraries, sophisticated web applications such as WordPress (27% of the Web), vBulletin, MyBB and GitHub can also suffer, and 0days have been discovered in them via this technique. This general technique can also adapt to various code contexts and lead to protocol smuggling and SSRF bypassing. Several scenarios will be demonstrated to illustrate how URL parsers can be exploited to bypass SSRF protection and achieve RCE (Remote Code Execution), which is the case in our GitHub Enterprise demo. Understanding the basics of this technique, the audience won’t be surprised to know that more than 20 vulnerabilities have been found in famous programming languages and web applications aforementioned via this technique.

A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...

CODE BLUE

SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...

Mauricio Velazco

Carlos García - Pentesting Active Directory Forests [rooted2019]

RootedCON

Bsides Long Island 2019

Mauricio Velazco

Matt Swann, Microsoft As defenders, we watch our intrusion detection systems like a hawk so that we know when to jump into action. However, successfully evicting an adversary in a large-scale environment requires capabilities beyond detection. In this talk I describe 5 capabilities that network defenders must have in order to effectively respond to an intrusion in a large-scale service. I describe how we overcame these challenges in Office 365 with pointers to source code and reusable tooling.

BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...

BlueHat Security Conference

Each day millions of Internet requests are made to dynamically changing Cryptolocker domains. And it only takes one successful connection from a malware-infected system to the botnet controller for your files to end up encrypted and held for ransom. So how does Cryptolocker actually work? What is the best way to block it? And what implications does this have for security methods going forward? In this webcast, you will learn: -What steps are involved in a Cryptolocker attack -How Domain Generation Algorithms enable it to evade most threat detection methods -Why leveraging our global intelligence has been effective in containing Cryptolocker -What you can do to avoid becoming a victim

Cryptolocker Webcast

OpenDNS

Powershella lubią admini, programiści, a najbardziej hakerzy. Będąc natywną powłoką systemów Windows nie rzuca się w oczy, jednocześnie dając ogromne możliwości ofensywne. Podczas prelekcji Paweł zaprezentuje zarówno skuteczne one-linery jak i wielolinijkowe skrypty, które mogą siać spustoszenie w nieprzygotowanej organizacji. Pojawią się ciekawe kanały C2, malware napisany w całości w Powershellu, wyszukiwanie i eksploitacja słabo skonfigurowanych serwerów MSSQL etc.100% mięsa.

"Powershell kung-fu" - Paweł Maziarz

PROIDEA

Select malware families have used Domain Generating Algorithms (DGAs) over the past few years in an effort to evade traditional domain blacklists, allow for fast-flux domain registration and usage, and evade analysts’ abilities to predict attackers’ control servers. While novel work has been done by both private industry and academia with respect to detecting DGA-related network traffic, this presentation demonstrates end-to-end analysis of a DGA malware family, from binary deobfuscation to DGA analysis, to sinkholing, to domain registrant research, to attribution of the malware’s author and accomplices. The malware family discussed in this presentation has thousands of active variants currently running on the Internet and has managed to stay off of the radar of all antivirus firms. Missed this presentation at Black Hat 2013? Take a look at the slides from Jason Geffner's session. This presentation brought to light how this malware is tied to an underground campaign that has been active for at least the past six years.

End-to-End Analysis of a Domain Generating Algorithm Malware Family

CrowdStrike

'Malware Analysis' by PP Singh

Bipin Upadhyay

(130119) #fitalk apt, cyber espionage threat

INSIGHT FORENSIC

NOTES -- Slide 8 Some of the categories we will discuss are very broad like this one. Untrusted command – get / post / rest style params Clicks Surprise inputs Slide 13 Very broad too Little or no auth Auth with some bypass possibilities Some problem with how session is generated, managed, expired Insufficient sessionID protection Slide 18 When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user’s browser. Slide 27 Security hardening throughout Application Stack Unnecessary features enabled or installed? ports, services, pages, accounts, privileges Security settings in your development frameworks (e.g., Struts, Spring, ASP.NET) and libraries not set to secure values? Default accounts/ passwords still enabled and unchanged? Error handling reveal stack traces or other overly informative error messages to users? Software out of date? OS, Web Server, DBMS, applications, code libraries Slide 41 sign up for updates or do regular audits to see versions there might be technical dependencies easily exploited by attackers using metaspoilt, info gathering using headers & responses, etc. Slide 47 We can look at the architecture, give you tips around what you could use, what would be good. This would avoid making any major changes when the product is ready which would save everyone’s time in the long run. Have sprints with dedicated security features and use those as a selling point for our security conscious customers Slide 48 Carefully look at the license to make sure you can use it in your type of product. Ask Fallon if you are not sure Research how much support it gets, how popular it is Look to find out any vulnerabilities in it before you start using it Maintain it; Sign up for CVE updates Ask us if you need to get something reviewed Slide 50 Not only better and more features Security vulnerabilities get patched in new versions New versions get most attention by the companies and old ones stop getting support after some time fully Most Security Support by the community Turn on auto updates for Chrome; always look at updates on AppStore Slide 51 Use different passwords for different sites Password managers let you set complexity, generate random passwords, etc. Slide 52 Only grant access to whats needed to get the job done employee leaves; mistakes; vulnerabilities in other s/w which leverages this; Don’t install redundant software, plugins, etc. This opens up so much risk People forget to uninstall them; s/w doesn't get much attention from community; open ports are left; boom exploited by attackers; Slide 55 To prevent unintended execution actions e.g., fail open auth errors Leak minimal info about infrastructure as this info is leveraged by attackers to carry out further attacks

Security Ninjas: An Open Source Application Security Training Program

OpenDNS

Was ist angesagt? (20)

DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...

Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy

Hacking Exposed LIVE: Attacking in the Shadows

Laura Garcia - Shodan API and Coding Skills [rooted2019]

Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...

Docker Plugin For DevSecOps

"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...

"A rootkits writer’s guide to defense" - Michal Purzynski

Windows persistence presentation

A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...

SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event...

Carlos García - Pentesting Active Directory Forests [rooted2019]

Bsides Long Island 2019

BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...

Cryptolocker Webcast

"Powershell kung-fu" - Paweł Maziarz

End-to-End Analysis of a Domain Generating Algorithm Malware Family

'Malware Analysis' by PP Singh

(130119) #fitalk apt, cyber espionage threat

Security Ninjas: An Open Source Application Security Training Program

Ähnlich wie Threat hunting != Throwing arrow! Hunting for adversaries in your it environment

Billions & Billions of Logs

Jack Crook

Super1

neelakanteswarreddy

Anti-forensics refers to any technique, gadget or software designed to hamper a computer investigation. Achieve Security using Anti Forensics. Anti-forensics Includes: Encryption, stenography, disk cleaning, file wiping. Anti-Forensics mainly for the security purpose.For confidentiality of Information or Securing the Web-Transaction. Smart Criminals are using it to Harden the forensic Investigation.

Anti forensics-techniques-for-browsing-artifacts

gaurang17

(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon

Priyanka Aash

hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2

Chris Gates

Why are you still getting CryptoLocker?

Aaron Lancaster

Common threats to web security with real world case studies of compromised sites, - A 'dissection' of a typical common exploit tool and how it operates, - Simple approaches to mitigating common threats/vulnerabilities, - Defence in depth – an overview of the various components of web security, - Drupal specific measures that standard penetration testing often does not account for. An overview of how to benefit from: - Security monitoring and log analysis - Intrusion Detection Systems & Firewalls - Security headers and Content Security Policies (CSP). see Drupal Camp London for full details: http://drupalcamp.london/session/web-site-insecurity-how-your-cms-site-will-get-hacked-and-how-prevent-it

DrupalCamp London 2017 - Web site insecurity

George Boobyer

Ceh certified ethical hacker

bestip

Cyber Kill Chain Deck for General Audience

Tom K

Anton Chuvakin on Discovering That Your Linux Box is Hacked

Anton Chuvakin

Public facing web sites are constantly under attack and keeping websites protected is an arms race, yet security rarely gets a look-in at specification and budget allocation stages of delivering a web site - or at best is an afterthought. Yet everyone has an expectation of security and QOS that implies it is central to every project. Security considerations should pervade all stages of a project from initial specification, throughout development and testing and on to ongoing hosting and maintenance. In this session I will cover: * Common threats to web security with real world case studies of compromised sites, * Simple approaches to mitigating common threats/vulnerabilities, * Defence in depth – an overview of the various components of web security, * Drupal specific measures that standard penetration testing often does not account for. * An overview of how to benefit from: * Security monitoring and log analysis * Intrusion Detection Systems & Firewalls * Security headers and Content Security Policies (CSP). Comments: https://joind.in/talk/8bbea

Drupal Camp Bristol 2017 - Website insecurity

George Boobyer

Just as a good chess player thinks five moves ahead, a great penetration tester should be able to visualize their attack in order to compromise high-value targets. This presentation will explore how a penetration tester can learn to leverage attack chaining for maximum impact. A penetration test is supposed to be a simulation of a real-world attack. Real-world attackers do not use expensive automated tools or a checklist. Nor do they use a single technique or exploit to compromise a target. More commonly they combine several techniques, vulnerabilities, and exploits to create a “chained” attack that achieves a malicious goal. Chained attacks are far more complex and far more difficult to defend against. We want to explore how application vulnerabilities relate to one another and build a mind map that guides penetration testers through various attack scenarios. Prepare to be blown away on this roller coaster ride with real-world examples of massive compromises. If you are not a thrill seeker, this presentation may leave you a bit queasy.

Attack Chaining: Advanced Maneuvers for Hack Fu

Rob Ragan

Advanced malware analysis training session 7 malware memory forensics

Cysinfo Cyber Security Community

Intro To Hacking

nayakslideshare

DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer

Felipe Prado

SIA302.pptx

reynold298

Adversary tactics config mgmt-&-logs-oh-my

Jesse Moore

Indicators of compromise: From malware analysis to eradication

Michael Boman

44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...

44CON

Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5

sixdub

Ähnlich wie Threat hunting != Throwing arrow! Hunting for adversaries in your it environment (20)

Billions & Billions of Logs

Super1

Anti forensics-techniques-for-browsing-artifacts

(SACON) Sudarshan Pisupati & Sahir Hidayatullah - active deception sacon

hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2

Why are you still getting CryptoLocker?

DrupalCamp London 2017 - Web site insecurity

Ceh certified ethical hacker

Cyber Kill Chain Deck for General Audience

Anton Chuvakin on Discovering That Your Linux Box is Hacked

Drupal Camp Bristol 2017 - Website insecurity

Attack Chaining: Advanced Maneuvers for Hack Fu

Advanced malware analysis training session 7 malware memory forensics

Intro To Hacking

DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer

SIA302.pptx

Adversary tactics config mgmt-&-logs-oh-my

Indicators of compromise: From malware analysis to eradication

44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...

Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5

Mehr von Nahidul Kibria

Sending a for ahuh. win32 exploit development old school

Nahidul Kibria

Scaling application with RabbitMQ

Nahidul Kibria

G3t R00t at IUT

Nahidul Kibria

Banking malware zeu s zombies are using in online banking theft.

Nahidul Kibria

Everybody loves html5,h4ck3rs too

Nahidul Kibria

Penetration testing web application web application (in) security

Nahidul Kibria

Mehr von Nahidul Kibria (6)

Sending a for ahuh. win32 exploit development old school

Scaling application with RabbitMQ

G3t R00t at IUT

Banking malware zeu s zombies are using in online banking theft.

Everybody loves html5,h4ck3rs too

Penetration testing web application web application (in) security

Kürzlich hochgeladen

MINDCTI Revenue Release Quarter One 2024

MIND CTI

The action of the next cyber saga takes place in the mystical lands of the Asia-Pacific region, where the main characters began their digital activities in the middle of 2021 and qualitatively strengthened it in 2022. Corporate espionage, document theft, audio recordings, and data leaks from messaging platforms were all a matter of one day for Dark Pink. Their geographical focus may have started in the Asia-Pacific region, but their ambitions knew no bounds, targeting a European government ministry in a bold move to expand their portfolio. Their victim profile was as diverse as a UN meeting, targeting military organizations, government agencies, and even a religious organization. Because discrimination is not a fashionable agenda. In the world of cybercrime, they serve as a reminder that sometimes the most serious threats come in the most unassuming packages with a pink bow.

Cyberprint. Dark Pink Apt Group [EN].pdf

Overkill Security

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

Architecting Cloud Native Applications

WSO2

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

apidays

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?

Ransomware_Q4_2023. The report. [EN].pdf

Overkill Security

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Angeliki Cooney has spent over twenty years at the forefront of the life sciences industry, working out of Wynantskill, NY. She is highly regarded for her dedication to advancing the development and accessibility of innovative treatments for chronic diseases, rare disorders, and cancer. Her professional journey has centered on strategic consulting for biopharmaceutical companies, facilitating digital transformation, enhancing omnichannel engagement, and refining strategic commercial practices. Angeliki's innovative contributions include pioneering several software-as-a-service (SaaS) products for the life sciences sector, earning her three patents. As the Senior Vice President of Life Sciences at Avenga, Angeliki orchestrated the firm's strategic entry into the U.S. market. Avenga, a renowned digital engineering and consulting firm, partners with significant entities in the pharmaceutical and biotechnology fields. Her leadership was instrumental in expanding Avenga's client base and establishing its presence in the competitive U.S. market.

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Angeliki Cooney

AXA XL - Insurer Innovation Award Americas 2024

The Digital Insurer

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

Kürzlich hochgeladen (20)

MINDCTI Revenue Release Quarter One 2024

Cyberprint. Dark Pink Apt Group [EN].pdf

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

CNIC Information System with Pakdata Cf In Pakistan

Architecting Cloud Native Applications

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Exploring the Future Potential of AI-Enabled Smartphone Processors

How to Troubleshoot Apps for the Modern Connected Worker

Ransomware_Q4_2023. The report. [EN].pdf

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

AXA XL - Insurer Innovation Award Americas 2024

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

FWD Group - Insurer Innovation Award 2024

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Axa Assurance Maroc - Insurer Innovation Award 2024

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Threat hunting != Throwing arrow! Hunting for adversaries in your it environment

1. Threat hunting != Throwing arrow! Hunting for adversaries in your IT environment Md Nahidul kibria Co-Founder, Beetles

2. Md Nahidul Kibria Co-Founder, Beetles @nahidupa [~] $ whoami

3. Threat hunting is a approach to answer that question. Am i compromised today?

4. What is hunting? Hunting as the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions. “You Can’t Hunt That With a Bow and Arrow!

5. What is Threat hunting is and is not. Threat hunting != Throwing arrow!

6. Threat landscape Cybercriminals Hacktivists Nation state Insiders

7. Cyber Attack Lifecycle

8. Cyber Kill Chain

9. Proactive security

10.

11. Sensors >> Data >> monitoring

12. The hunting loop ref:http://blog.sqrrl.com/the-threat-hunting-reference-model-part-2-the-hunting-loop

13. Hunting vs. Alerting Alerting 1. Reactive 2. Detect/forget Hunting 1. Proactive 2. Repeated searches

14. Let's hunt... But from where?

15. Approaches to Threat Hunting 1. Data-centric Hunting 2. Hunting on the Endpoint(DFIR) 3. Deception

16. Adversary simulation 1. Attacking web application 2. OS Command execute 3. Download malicious files (powershell webclient) 4. Getting reverse shell 5. Privilege escape 6. Scan internal host 7. Lateral Movement

17. Data analysis

18. Hunt Lateral MovementAttackers quietly traverse your Network.

19. Lateral Movement - Techniques, Tactics & Procedures (TTPs) Psexec File shares Powershell Pass-the-hash Scheduled tasks WMI SMB SSH

20. Detect using windows event log /Sysmon

21. WebShell -Command injection

22. Psexec psexec.exe -i -s %SystemRoot%system32cmd.exe

23. Sysmon event - psexc.exe

24. Hunt other TTPs “net” Reconnaissance of Domain Admin Group Command C: > net group "Domain Admin" /domain Credential Harvesting with WMI and WCE net use 172.31.3.16 PASSWORD /user:SANDBOXAdministrator copy w.exe 172.31.3.16c$PerfLogs wmic /NODE:172.31.3.16 /USER:"SANDBOXAdministrator" /PASSWORD:"PASSWORD" process call create "cmd /c C:Perflogsw.exe -w > C:Perflogso.txt" Ref: http://www.crypsisgroup.com/images/site/CG_WhitePaper_Splunkmon_1216.pdf

25. Ref: http://www.crypsisgroup.com/images/site/CG_WhitePaper_Splunkmon_1216.pdf

26. Sysmon dashboard

27. Hunting Command and Control(c2)

28. Hunting Command and Control(c2) C2 via Dynamic DNS Finding the Unknown with HTTP URIs Beacon Detection via Intra-Request Time Deltas Finding C2 in Network Sessions

29. Detection Using Bro

30. #wannacry www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.

31. Hunt for Data Exfiltration

32. Producer-Consumer Ratio for Detecting Data Exfiltration Ref https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/analyze_producer_consumer_ratio.md

33. Hunt for Malware

34. Unusual Windows Behavior https://www.sans.org/security-resources/posters/dfir-find-evil/35/download

35. Query (NewProcessName: "svchost.exe" AND NOT NewProcessName: "C:WindowsSystem32svchost.exe") OR (NewProcessName: "smss.exe" AND NOT NewProcessName: "C:WindowsSystem32smss.exe") OR (NewProcessName: "wininit.exe" AND NOT NewProcessName: "C:WindowsSystem32wininit.exe") OR (NewProcessName: "taskhost.exe" AND NOT NewProcessName: "C:WindowsSystem32taskhost.exe") OR (NewProcessName: "lsass.exe" AND NOT NewProcessName: "C:WindowsSystem32lsass.exe") OR (NewProcessName: "winlogon.exe" AND NOT NewProcessName: "C:WindowsSystem32winlogon.exe") OR (NewProcessName: "explorer.exe" AND NOT NewProcessName: "C:Windowsexplorer.exe") OR (NewProcessName: "lsm.exe" AND NOT NewProcessName: "C:WindowsSystem32lsm.exe") OR (NewProcessName: "services.exe" AND NOT NewProcessName: "C:WindowsSystem32services.exe") OR (NewProcessName: "csrss.exe" AND NOT NewProcessName: "C:WindowsSystem32csrss.exe")

36. Svchost.exe with no -k

37. WannaCry detection Ref: https://github.com/Neo23x0/sigma/tree/master/rules/windows/sysmon

38. Hunt in memory Malware become fileless- Kovter,Poweliks Volatility-/rekall https://github.com/google/rekall

39. DEMO

40.

41. The Hunting Maturity Model

42. Machine Learning for Incident Detection

43. Real-time Threat Hunting

44. Happy Hunting! @nahidupa Must check http://www.threathunting.net/

Hinweis der Redaktion

New in this con Blue team activity Defense Anyone from incident response Hunting is assume that you are already compromised and now you want to know/verify it.
Pentesting Web application Synack Owasp Sofo
Not a new concept Not Alert Driven Not a tool or product Not standardized Not a silver bullet
It take over month
When everyone in bdnog your org is in under attack
psexec.exe -i -s %SystemRoot%\system32\cmd.exe
http://www.crypsisgroup.com/images/site/CG_WhitePaper_Splunkmon_1216.pdf
http://blog.sqrrl.com/the-cyber-hunting-maturity-model

Threat hunting != Throwing arrow! Hunting for adversaries in your it environment

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Threat hunting != Throwing arrow! Hunting for adversaries in your it environment

Ähnlich wie Threat hunting != Throwing arrow! Hunting for adversaries in your it environment (20)

Mehr von Nahidul Kibria

Mehr von Nahidul Kibria (6)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Threat hunting != Throwing arrow! Hunting for adversaries in your it environment

Hinweis der Redaktion