
SecOps - IR and Forensic Workflows - Python (Security Automation)

281 views

Published on

The talk covers SecOps Incident Response and Forensics workflows, and how Python is used to automate them.

- SOAR Use Cases (5)
- API Integrations
- DEMOS
- Email Beaconing (Advanced setup)
- Public Interaction

Published in: Technology


  1. Santhosh Baswa - SecOps Automation: IR & Forensics Workflows & Python
  2. Who Am I?
     - SecOps - New Starter
     - CTF player *Occasionally*
     - Offensive + Defensive Guy
  3. "What is SecOps: Where | What | How to Automate???" *** Share Your Thoughts ***
  4. What is SOAR? (Security Orchestration Automation Response) *** Any IDEA ***
  5. SecOps Teams | Automation | Use-Cases
     - SIEM Alert
     - Phishing Triage
     - Threat Hunting
     - Insider Threat
     - Endpoint Protection
     - Forensic Investigation
  6. SIEM Alert | Threat Hunting | Forensic Investigation
  7. Where do we Automate?
     - What about Endpoint Agent installation?
     - Configuration management (Sysmon/osquery)
     - SIEM Alert Integration: *Python API* / *REST API*
     - Threat Intel Integration: *Corporate/Open Source*
     - Query Active Directory (Python: ldap3/pyad)
     - EDR REST API Integration (Get Forensic Snapshots)
  8. Threat Intel: API Integrations
     - pip install virustotal-api-v2
     - X-Force REST API
  9. Active Directory: LDAP Integration
  10. Phishing Triage | Endpoint Investigation
  11. Where do we Automate?
     - Email -> Extract -> JSON output (Dirty Python Script)
     - HTML Email Template Generation (Python)
     - JIRA/ServiceNow - Python API Integration
     - EDR API Integration: REST API
     - Sandbox Submission (Cuckoo/VMRay/Falcon/SNDBOX etc.)
     - Threat Intel - API Integration: VT/IBM X-Force/Open Source
     - Office 365 Email API Integration
  12. Weird Automation Demos: ** Demo Time **
  13. O365 Management: API Integrations
  14. Data Exfiltration
  15. Exfiltration - Detection
     - Curious about MTA agents?
     - Is ingress/egress email traffic monitored in the firewall?
     - What about free mail providers/disposable email providers?
     - Track how many partners/clients are using free email services?
     - Gist: https://gist.github.com/P3t3rp4rk3r/bc707cebaeb306aba3e8e9a9597aa658
  16. Email Beaconing (Next Level) - Python
     - What is Beaconing?
     - pip install python-guerrillamail
  17. P3t3rp4rk3r: Any Questions???
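The "Email -> Extract -> JSON output" step from slide 11 and the free/disposable mail provider check from slide 15, as an added example using only the Python standard library (this is not the speaker's script or the linked Gist; the `FREE_MAIL_DOMAINS` list and the sample message are constructed for the demo):

```python
import hashlib
import json
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed list of free/disposable mail domains (assumption, not from the talk).
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "guerrillamail.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

def extract_email(raw: bytes) -> dict:
    """Parse a raw RFC 822 message into a JSON-ready triage dict."""
    msg = message_from_bytes(raw, policy=policy.default)
    urls, attachments = set(), []
    for part in msg.walk():
        if part.is_attachment():
            # Hash attachments so they can be looked up in VT/X-Force or sent to a sandbox.
            data = part.get_payload(decode=True) or b""
            attachments.append({"filename": part.get_filename(),
                                "sha256": hashlib.sha256(data).hexdigest(),
                                "size": len(data)})
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    # Slide 15 check: flag any sender/recipient on a free or disposable mail domain.
    hdrs = " ".join(str(msg.get(h, "")) for h in ("From", "To", "Cc", "Reply-To"))
    free = sorted({a.lower() for a in ADDR_RE.findall(hdrs)
                   if a.rsplit("@", 1)[1].lower() in FREE_MAIL_DOMAINS})
    return {"subject": str(msg.get("Subject", "")),
            "from": str(msg.get("From", "")),
            "to": str(msg.get("To", "")),
            "urls": sorted(urls),
            "attachments": attachments,
            "free_mail_addresses": free}

def to_json(report: dict) -> str:
    """Serialise the triage dict for a ticketing (JIRA/ServiceNow) payload."""
    return json.dumps(report, indent=2)

def sample_email() -> bytes:
    """Constructed phishing-style sample message; not a real email."""
    m = EmailMessage()
    m["From"] = "IT Helpdesk <helpdesk@guerrillamail.com>"
    m["To"] = "alice@example.com"
    m["Subject"] = "Password expiry"
    m.set_content("Reset here: http://example.net/reset?u=alice")
    m.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    return m.as_bytes()
```

Feed the resulting JSON to the ticketing or SOAR integration; the `free_mail_addresses` list is what a partner/client free-mail usage report from slide 15 would aggregate over many messages.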
