
...Wattanasin, who is an information security professional in the healthcare field, and he's going to be giving us this wonderful talk on blue teaming and incident response for the win.

Let me start up the slides so that I know my timing. Actually, what time is it? Nine fifty-nine? I agree. So first off, thank you everyone for coming, especially on a Saturday morning, and spending the time at BSides Connecticut, here at this first location, first time at this location. I was parking in parking lot D and then I was thinking, okay, I'm gonna have Massachusetts plates, so basically I'm probably going to be the first one that they tow. So I actually had to move my car to the other garage. But yeah, first of all I want to welcome everyone, and again, thank you for coming. I will be sharing all of these slides too. I have about 50 slides, that's a lot, it's mostly pictures and references as well, so I'm going to kind of go through them really fast and try to have some time for questions as well. These 50 slides I'm trying to go through in about 40 minutes, hopefully 40 or 45 minutes, with 15 minutes for questions as well.

So yeah, first off, I'm Roy Wattanasin and basically we're going to talk about blue teaming, mostly on the Windows platform. And again, I wanted to say that I'm still learning, I'm not by any means a subject matter expert, I'm still learning on all of this, so feel free if you have any feedback, good and bad as well. So first off, who am I? Oh actually, all right, it's the next slide after that. I always like to put this disclaimer up because, number one, it makes me not responsible if I say anything wrong, and also, I actually put this in today: this is absolutely not a one-size-fits-all for every environment, every industry, every company. We know that security maturity is different for every organization, every industry, depending on what time, for example vulnerability management might be really like a top priority right now, but things change, you have resources, you have people, you have assets, you have different things, so it can change anytime. Also at the same time it doesn't represent any of the companies or organizations that I've worked for, and if I mention any tools, you're going to use them in an ethical, legal manner as well.

So, who am I? Obviously this is not my picture. There is actually a website, I was trying to generate a picture last night, I kept trying to generate a picture because every time you go to this website, This Person Does Not Exist, anyone know about This Person Does Not Exist? All right, cool. I had to keep generating for about, I'd say, 15 minutes until someone had black hair and looked like me. I used to put my images on the web, but now it's so easy to do a reverse lookup, and if you have an image on LinkedIn, hopefully it's blurry, it's very easy to find all the websites and links that it's attributed to. I'm mostly talking about open source intelligence, but we will talk about that later. But This Person Does Not Exist uses artificial intelligence, it uses different characteristics of people and it creates different people, you can probably use it on your LinkedIn as well. Anyway, healthcare professional, former adjunct faculty at Brandeis for over 10 years, I created the healthcare informatics course at Brandeis, I put security into the healthcare security bridge, the second class, so I taught a lot of healthcare professionals like medical officers, nurses, doctors as well, and people that wanted to transition into healthcare as well. So healthcare really needs your help, we need more people.

I also enjoy giving back to the community, getting people there as well. I used to do BSides Boston a while back and now pretty much I'm waiting for a younger generation to help as well. And also we do the Boston Application Security Conference, it's awesome, we just had it a couple of weeks ago, it was an awesome free application security conference in Barrington, Massachusetts, etc. I enjoy digital forensics and incident response, healthcare, apps, IoT. There's also a link here, I've done some CISO mentoring for people that want to become CISOs or leaders as well, I talk about some of the characteristics, communications, etc. This is mostly all ISSA, and there's also a pre-professionals meetup as well. And for those of you looking for the slides, I'll post them on my Twitter, wr0, as well.

Okay, so first off, what are we going to talk about today? Specifically all blue team. So raise of hands, who in this room are blue teamers? Okay, great. Who in this room are red teamers, penetration testers? All right, great, excellent. Who in this room does not fit any of the categories? Students? Okay, great, excellent, you're doing really well. Who doesn't fit any of the categories? Another? Okay, great, excellent, so you're in the right place. So pretty much today's agenda: we're gonna be talking about blue teaming, what you need to do, we're gonna have some recommendations, and then hopefully I get through all the slides so that I can answer your questions.

So here pretty much you see that blue team, I think everyone says, for those of you on blue teaming and also for those of you on other teams as well, we've heard that in blue teaming you always have to be 100% correct all the time. So for example the red team, the people that simulate the attackers, the cyber criminals, basically they don't always have to be right a hundred percent. As you know the term originally came from the military. The military wanted to use this term blue team, it's kind of a way of acting as the friendly force, you know, defense, and then they also came up with this red team as well, and it's basically playing the role of adversary, offense, replicating attackers. But in a nutshell blue team is looking at discovering and defending against attacks, and I also added another one late last night, it was actually sharing information as well. So for example the cyber criminals, the attackers, they share information really well, you know, whatever mechanism they use. So for blue teamers we need to really share information better as well. Obviously some things are private or confidential to your group or your department or your company, but there are also other ones that can help blue teamers as well, so we need to share more information more readily.

So who loves using cheat sheets? Show of hands. Okay, great, excellent. So I really love cheat sheets, I actually initially found out from SANS and ever since I've been using cheat sheets for everything. So for example when you're looking at, let's say, the most used commands on the Windows command line, or a Linux command, or some other command line, there's great cheat sheets available. The one that I actually recommend is this Malware Archaeology one, how many people know about that one? It actually talks about all the different Windows commands, it's actually great information here, but again I'll be sharing all these slides too. There's also stuff from SANS, especially on the digital forensics side, DFIR, there's also pen testing SANS as well, and there's of course, I already mentioned, certain training cheat sheets as well. All these are made available and I encourage everyone to use cheat sheets, because when you think of an incident or when you think of some disaster or suspicious events, basically sometimes you don't have time, it takes just a small amount of time to make a decision, and these cheat sheets are, again this is just my opinion, a way of not making a mistake. So you can just follow this, it could be a procedure, it doesn't have to be a cheat sheet, but these are procedures that you and your group can use and you and your group can work with other team members as well, so it's kind of like repetition, practice as well. So this is why I mentioned cheat sheets.

So first of all, in your organization, in your network environment, show of hands, do you know what is normal in your environment? This is in terms of what specific workstation processes should be running on a finance computer, what specific workstation processes, programs, software should be running on a, I don't know, yes, 400, I don't know what specific thing. So how do you tell what is abnormal if you don't know what is normal in your organization? Obviously there's different challenges, I'm not just talking about internal infrastructure, it's all these cloud third-party infrastructures as well. Remember it doesn't matter if your organization is in the cloud, AWS, Office 365, Microsoft, we're responsible, ultimately the company is responsible for the data, doesn't matter where it is. So you really want to know what is normal; to be able to know what is abnormal you need to know what is normal, basically. So I encourage you to take a look at that. And again, which one is normal? I was also looking for a picture, I remember I posted it on Twitter a couple years, maybe months ago, but I couldn't really find one, but for example here, which one is normal? On the left hand side you can see Windows Explorer, when that process runs as user it spawns Explorer, let's look at the Explorer process, it does all of this, the registry keys as well. This is just some examples, for example one of the things you probably want to do is a golden image, which I will talk about in the next few slides, but you really want to know what are the exact processes running on, let's say, a computer in finance or an accounting computer or an IT computer, etc. That's how you're able to tell what is abnormal, basically.

Okay, know thy network. I think everyone already knows about this, but these are the different things that blue teamers or defenders should be monitoring. We really want to take a look at all the high privilege, low security accounts. So for example these are the domain administrator accounts, the Office 365 global administrators, and the other ones are usually the service accounts whose passwords never expire. Sometimes, actually I should say most of the time, there's low security on them. When was the last time there's an application or API tied into it that basically changes the password? Or take a look at the auditing rules for the high security accounts, and I'm talking about just anything in Active Directory, domain administrators. So for example Sean Metcalf, one of the guys who I really admire, he's awesome, he's amazing, he and his team: do we need domain administrators for these different accounts? I don't know, I don't think so, you have to really take a look as well. Also at the same time, please, please, please monitor your network, or else the attackers, criminals, will monitor your network for you. I'll give you a story about that in a couple minutes. System administrators, doesn't matter, sysadmins, IT people that are taking care of their infrastructure, we need to do a better job of monitoring, reviewing logs as well. What do we do after that? Obviously there's a lot of logs, how do you parse it, how do you automate it, how do you take care of it as well? You can't take care of everything. A lot of times the criminals, cyber attackers, they will inundate, kind of do a denial of service, for example they try to look at all the different logging infrastructure and they actually purposely try to fill up your logs, so that your logging infrastructure no longer can find the right stuff anymore. We can talk about that later. But I just want to mention deception technology, honeypots, how many people are using honeypots in their infrastructure? It's still a really great technology, and we'll talk more about that too.

Okay, so golden images. Who knows about the Center for Internet Security? It's a great resource for different golden images. I believe that to be able to know what's normal and what's abnormal you need to have some kind of golden image. Right now there's a lot of different things based on, let's say, you have a golden image for IT, a golden image for finance, a golden image for etc. You control it, it doesn't change. Let's say when things need to be changed, it's checked for vulnerabilities and then you can also update it gradually with tests as well, because a new golden image may not work with every new application or operating system, third-party, etc. So I really recommend taking a look at CIS, the Center for Internet Security provides a lot of different benchmarks. Many years ago I used to be part of the Windows working group, back, I think, with Windows XP or something. CIS benchmarks talk about all the different hardening, what you should do for Cisco ASA firewalls, what you should do for Windows, what you should do for any specific technology, mobile phones as well, iOS, Android. There's also, I'm trying to think, these are all free as well. Try this in a lab environment, don't do it in your real environment, these CIS images are really locked-down images, but you can take a look at it, maybe you can leverage some of those images, take a look at the group policy that's built in and try to maybe copy all that too, but again it's not a one-size-fits-all. So I just wanted to mention that.

Windows Sandbox, how many people know about that? In April 2019 there was a new Windows Sandbox Microsoft patch. I encourage you to also take a look at Sandboxie, how many people know about that too? There's a new one, it's actually compatible with Windows 10 now, that I use when analyzing phishing emails or something else too. But yeah, Windows Sandbox is great, you can download it directly from Microsoft as well. So cool.

All right, how many people know about the ISACs, information sharing and analysis centers? Okay, every one of you should really be participating in their webinars and also presenting if you can, it's a great experience. The United States has many ISACs as well for different industries, healthcare, automotive, SCADA, you name it, there's so many ISACs, and again they're all about sharing information, whether it be, it's not confidential, but it helps blue teamers and helps everyone as a whole. So I encourage everyone to take a look at it, there's more information, there's also ISACs around the world too, but take a look at that too.

All right, event logs. So I think everyone knows event logs. One way to get to the event log is actually using the eventvwr command through the command line, or you can actually initiate this too, or you can go through the GUI as well. What I really recommend here is that we should actually be ingesting logs not only from servers but also from the workstations as well. So for example a question for the red teamers: when was the last time that you did a pen test and you actually tried to take the logs of the server? Most of the time the red teamers will, and correct me if I'm wrong, but the red teamers will actually, let's say they do some kind of, I don't know, take something, and then they will always try to get stuff from the endpoint, workstation logs. Most of the time a lot of companies only have the server logs, they don't have any endpoint logs, so take a look at that. Did anyone want to comment about red teamers? I know that to try to stay under the radar you're not gonna go to the servers, and again this is not 100 percent correct, but they're not going to go to the servers because the servers have a lot of different security controls and, you know, traps around them, so why not go to something that is not being used or not being highly monitored, and that would be the endpoints as well. So I just wanted to mention that.

Okay, so regarding log review, log analysis as well, obviously we want to take a look at privileged user and account monitoring, all the domain administrator accounts, all the Office 365 global administrators, anything that's basically a highly privileged user. Did anyone know that, is this true or false, by default in Active Directory a regular user can read everything in Active Directory, is that true or false? True, excellent, yep. So just so you know, anyone that has read access in Active Directory can read anything, so they can kind of enumerate Active Directory users, groups, they can start reading stuff. You should have group policies around that, but we'll talk about that later. Abnormal external communication, sharing, I already talked about finding out what is normal versus what is abnormal, you can only know what is abnormal when you know what is normal. Taking a look at acceptable use policy validations, not only just the insider threat, remember it's not just the external cybercriminals, it's the internal insiders as well. Data exfiltration, unusual port activity, I think we get a lot of that information from the different firewalls, switches, network information too, but you also want to take a look at the east-west traffic as well. So for example if you don't have the right logs in there, how are you able to actually see what happened between your third parties or some other connection, etc.? File integrity monitoring, obviously we want to know, right, we've seen it with WannaCry and the like, WannaCry 1, WannaCry 2, the SMB vulnerabilities, basically you really want to take a look at putting stuff around your SMB shares as well. Auditing, remember auditing is not turned on by default in Windows, you have to turn it on in group policy or the security policy as well.

Right, so okay, anyone know what Windows Event ID 4688 is? You just get bragging rights, I don't have any prizes. Yes, yeah, exactly, perfect, yeah, great, yep. So it's basically any new process spawning, yep. So you don't have to know, for those of you that didn't know, I think that if you have a cheat sheet or if you have the most highly recommended top security events that we should be looking at, I have it in the next few slides, but 4688 is basically any time a new process is spawning, it could be anything, and for example, so I have to keep going there, it could be anything like this wscript running, this is something great to monitor, especially in your logging infrastructure, could be a SIEM, could be a log infrastructure, but I'll show you more in the next few slides too.

All right, these are more security event logs. So for example 4625, failed user logins, those are for brute force. So any time there are people entering the wrong password many times, you probably want to monitor against that, in your security operations center you probably want to take a look at those events, let's say brute force, it could be a false positive, it doesn't have to be, but we've seen a lot, especially around domain controllers, domain administrator accounts, and other accounts that people normally don't take a look at as well. All right, lateral movements, 4624, basically it's any time an account has successfully logged in, right, 4624 is any time an account has successfully logged in, on others, this is probably about fifty-fifty percent, but you can detect some kind of lateral movement. So between 4624, a new process is spawned, and in between 4625, 4624, account has successfully logged in as well, so you can put some defenses around that. These are some additional application stuff too, in your SIEM, in your logging, you can also monitor around this too, it won't be exact but the more you do it the more you know as well, but it will help, regarding any application crashes too.

All right, this is, I mentioned about the auditing policy, remember you have to turn it on to actually see these logs as well, but it depends, but you probably want to test it out and see what happens. But something like this, the event log being cleared, I think that would be really interesting as well. Or maybe you want to build your defense around, if someone actually shuts down your Active Directory, your whole Active Directory system, guess what happens then, you don't have any logs, you don't have anything, right, or they clear everything. But there's many things here, and you should build your defenses around that too.

Okay, firewall logs, right, I think firewall logs, this does a good job internally as well, might block some official server stuff going outbound as well, but you also want to build defenses and notifications around maybe some firewall rules being changed, maybe something else, etc. Group policies, obviously we want to take a look at, remember I mentioned about putting together the different auditing logs, putting together what you want to turn on. For example if you take a look at the event log, I believe that by default the event log is about, I don't know, not even 16 meg, I think it's less than 5 meg or something by default. You can actually use group policy to turn on these different log sizes and then actually monitor them. I'm not saying to monitor everything, you want to monitor based on probably the event ID as well, or else there's gonna be a whole influx of logs coming in and you won't know what to do with it, so just wanted to mention that.

All right, application advanced audit policies on file shares. This is what I mentioned about the WannaCry SMB different things, we want to actually take a look at all the different SMB sharing as well. Some of you might already be doing it with DLP policies, etc. DLP policies, there's a lot of false positives in there too, but you want to actually take a look at, you know, maybe things that are being shared, etc., just getting more detail around that. Right, event ID 5145, I'm not going to ask, but it's basically, you know, a network share object was added, so let's say someone shares something on the file share internally, you get something like that with auditing turned on. All right, so okay, cool, all right, good, I'm going good, okay, great, I'm on slide 26, great, halfway. Okay, so any questions so far? Yes, yep, these are all Microsoft Windows event logs, so yep, exactly. So the question was, if you have a third party application and you want to ingest the third party application Windows logs.
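The Security event IDs discussed above, 4625 bursts for brute force, 4624 network logons landing on several hosts, 4688 spawning wscript, and the cleared-event-log case, run as a small triage script over constructed sample records. This is an added example, not code from the talk or its slides; the JSON-lines record shape, field names, host names and thresholds are assumptions, and event ID 1102 (the audit log was cleared) is not on the slides.

```python
"""Triage of a few Windows Security event IDs over simplified JSON-lines records."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample records (not real Windows output). Each line carries only the
# fields this triage needs, roughly what a log forwarder such as NXLog or Snare
# would emit after parsing the event XML. Assumed field names: ts, id, host, user,
# src_ip, logon_type, new_process.
SAMPLE_EVENTS = r"""
{"ts": "2019-11-09T09:00:01", "id": 4625, "host": "DC01", "user": "admin.finance", "src_ip": "10.1.1.50"}
{"ts": "2019-11-09T09:00:02", "id": 4625, "host": "DC01", "user": "admin.finance", "src_ip": "10.1.1.50"}
{"ts": "2019-11-09T09:00:03", "id": 4625, "host": "DC01", "user": "admin.finance", "src_ip": "10.1.1.50"}
{"ts": "2019-11-09T09:00:04", "id": 4625, "host": "DC01", "user": "admin.finance", "src_ip": "10.1.1.50"}
{"ts": "2019-11-09T09:00:05", "id": 4625, "host": "DC01", "user": "admin.finance", "src_ip": "10.1.1.50"}
{"ts": "2019-11-09T09:10:00", "id": 4625, "host": "FIN-WS01", "user": "jdoe", "src_ip": "10.1.1.22"}
{"ts": "2019-11-09T09:12:00", "id": 4624, "host": "FIN-WS02", "user": "svc_backup", "src_ip": "10.1.1.50", "logon_type": 3}
{"ts": "2019-11-09T09:12:20", "id": 4688, "host": "FIN-WS02", "user": "svc_backup", "new_process": "C:\\Windows\\System32\\wscript.exe"}
{"ts": "2019-11-09T09:13:00", "id": 4624, "host": "FIN-WS03", "user": "svc_backup", "src_ip": "10.1.1.50", "logon_type": 3}
{"ts": "2019-11-09T09:14:00", "id": 4624, "host": "FIN-WS01", "user": "jdoe", "src_ip": "10.1.1.22", "logon_type": 2}
{"ts": "2019-11-09T09:30:00", "id": 4688, "host": "FIN-WS01", "user": "jdoe", "new_process": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE"}
{"ts": "2019-11-09T09:45:00", "id": 1102, "host": "FIN-WS02", "user": "svc_backup"}
"""

# Windows Script Host binaries: a 4688 naming one of these deserves a look on a
# workstation whose golden image has no business running scripts.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def parse_events(text):
    """Decode the JSON lines into dicts with a real datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """4625 bursts: `threshold` failures for one source/account pair inside `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[(e["src_ip"], e["user"])].append(e["ts"])
    hits = []
    for (src_ip, user), times in failures.items():
        start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append((src_ip, user, end - start + 1))
                break
    return hits


def detect_lateral_movement(events, min_hosts=2):
    """4624 with logon type 3 (network) from one source onto several different hosts."""
    hosts = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3:
            hosts[(e["src_ip"], e["user"])].add(e["host"])
    return {key: sorted(h) for key, h in hosts.items() if len(h) >= min_hosts}


def detect_script_hosts(events):
    """4688 whose new process is a script host; returns (host, user, image name)."""
    hits = []
    for e in events:
        if e["id"] == 4688:
            image = PureWindowsPath(e["new_process"]).name.lower()
            if image in SCRIPT_HOSTS:
                hits.append((e["host"], e["user"], image))
    return hits


def detect_log_cleared(events):
    """Hosts whose Security log was cleared (event ID 1102)."""
    return sorted({e["host"] for e in events if e["id"] == 1102})


def triage(text):
    """Run every detector and return one dict of findings."""
    events = parse_events(text)
    return {
        "brute_force": detect_brute_force(events),
        "lateral_movement": detect_lateral_movement(events),
        "script_hosts": detect_script_hosts(events),
        "log_cleared": detect_log_cleared(events),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {finding}")
```

On the sample, the single jdoe failure and the interactive (type 2) logon stay quiet, while the five failures against admin.finance, the svc_backup network logons onto two workstations, the wscript spawn and the cleared log are each reported.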
yes yes yep this is all Microsoft yep yep exactly yep yeah great great question any other questions so far okay great excellent excellent so how many people are ingesting logs and of course using different open source utilities on and in their environment right as well it writing can be a combination of commercial tools open source tools these are some that I've I've used in the in a couple of couple years ago snare there's some so what I'm trying to say is that all of this is all like free stuff unless the company has that changed it everything in my slide is all free it's all free actually it's all available to everyone anyone can download it there's
n X log how many people use it it's a free one you can ingest logs their snare there's many other ones too I just put these two together many like security operation center they use different different utilities as well to to in in their logging environment or sim as well but you you want to have some kind of gesture as well so just wanted mentioned there all right here I didn't have time but how many people have used bloodhound in Active Directory as a test it's not an end-all be-all a lot of penetrations testing companies use it when they do Active Directory when they do Active Directory when they do an Active Directory penetration tests as well but
it's a great idea to put in at test environments maybe not in your corporate but you know maybe my take a look at it it's actually really interesting I'm actually about to take a look at it too right um so this is actually all free as well how many people have heard of elastic yeah okay it's called yeah okay right so um these are kind of a basic recommendations around logging obviously you want to include a time stamp stamp you want to have format in JSON I'm not gonna read all this but you want to turn on logging you want to log stuff but on the left hand side is elastic you okay I recommend it there's this is typically
on the left hand side for like a smaller organization basically but there's a these are all free beats is a data collection log stash is very similar to like a logging ingestion as well elastic search is kind of like the eok engine I mean last sick you'll probably hear elastic elastic comm gabbana is kind of like putting together the visual endpoints together so this this again you feel free to use it or not but it's really interesting actually show you in the next few slides so for example an elastic search eok it's actually being used and know if you yeah you know it's actually being used by companies like uber Netflix Facebook Microsoft etc you
what you can do is actually on the left hand side you actually can you actually can if you take a look when you ingest all these logs it could be like beats using beats it could be any kind of open source or commercial tool ingesting the logs you bring it in and then from here it's kind of like think of this as like a a logging kind of like a logging maybe not a sim because it could do a correlation too but you're sure it's it's very similar to like a Splunk how many people have used plunk right yeah okay cool this is very similar it's open source you can actually run queries on different
event IDs you can run that it could be all our windows event ideas could be anything that you want to search for it can be like an something unfortunate I didn't have time to put all the different queries but if you don't have anything in your environment let's say or let's say it doesn't work as well there's many open source alternatives as to - but also you can also the company um you can also purchase the commercial version too but it's a great tool because you have all the event you have all the logs you have all the events so what do you do with it now you actually do you actually go through and put
different searches may be automated searches may be correlated searches as well and that's how you can actually go in and actually see what's going on as well re cabana was the visualization for you okay so it kind of makes the nice graphic Maps visualization as well could be could be for the leadership team for example could be for something but pretty pretty interesting there alright some passwords how many people are doing different monthly password audits in your company you don't the raise your hand it's okay yeah it's it's um I think that now you know for those of you let me ask for those of you on on red team's right how many times when you're trying
to get into a company's network that you actually take a look at look at all the password hashes looking at LinkedIn looking at Facebook looking in that all the different breaches comparing it to see if any of those people you're on any of the people in the rotation have the same hash what does that mean they have the same password right hopefully there's using theirs to FA or multi-factor authentication hash cat how many people have used hash cat I've used it yeah actually a lot it's awesome there's different attack modes there's five attack modes you can combine it there's a straight attack there's combination attack we can put a left and right joint there's also like dictionary
attacks which works okay only ER there's also brute force permutation I really recommend everyone take a look at it on the left hand side actually talks about all the different hashes in hash can and what to use for example NT om is actually sorry over there I think it's like a 1111 down I forget what the number is if anyone knows let me know but I think it's like eleven thousand or something bomb by default when you are actually doing like using hash cat you can actually sum you can have it either automatically try to find out what kind of hash you got it from or you can actually specify so I really recommend you take a look at hash
cat and you know probably one of the things as long again number one yet yet yet approval for this to write you we don't want to happen we don't want to have that in sense of where like remember that goes penetrate penetration testers from coal fire fire they got into a little bit of a thing right so but make sure you get approval for all this um but I recommend everyone take a look at it because one of the things that red teamers do is actually they compare the they're gonna get LinkedIn password hashes they're going to get the Facebook badges breach information they're going to get all the information and try to compare it with the users as
well alright Kerberos Singh how many people know Kerberos thing all right I just learned about it actually earlier this year strong Metcalfe does has great information Ben 10 as well basically it's a method for extracting service accounts credentials from Active Directory with a regular accounts most service accounts we know never expire pastors never expired there's really not a lot of controls around it and any user authenticate and Active Directory can query remember because I mentioned doesn't anyone who has Active Directory account user account can read anything in in Active Directory that's crazy right um there's some stuff from Ben 10 he was my instructor for one of these other classes and he did an awesome job on a
Kerberos thing as well there's Sean Metcalfe a pyro tech 3 talks about Tom basically talks about this Kerberos thing as well arm joy right probably some of you also write a lot of you heard of them he's also one of the creators of bloodhound as well so Kerberos Singh revisited this one talks about SP n SP ends as well you can you can actually look for service principal names as well there's some tools there take a look at that all right Windows system internal so many people use that right this this guy right here mark russinovich now he's the CTO of the Microsoft Azure I really recommend taking a look at this especially when you're doing your thread hunting or or
even if not and I'll talk about thread hunting too in the next few slides later sysinternals tools are great they're free he created it back in 1996 but it's awesome especially system on process Explorer PSA Zack Portman Rahman process monitor list EO else this is just a few there's like valve I get out there's many tools but this is awesome use it take a look at it this will help to identify what is should be on your network what should not be what is abnormal what is normal as well so I just wanted to mention that there's also sorry there's also a live internals as well sysinternals for those of you that want don't want to download you can run
it from the website it has Internet connectivity yes yes yep exactly yep these are all things and yep yep exactly exactly yep and who who knows this person Jessica Payne she is one of the Microsoft security researchers who I hope I can be one day she's awesome she basically does security research and also she does a lot of stuff for Microsoft security and she has a lot of blogs a lot of things like you can use open source stuff you can use for example Power BI Power Business Intelligence that basically is the it requires a license in Office 365 you can run it to look at different event logs for example so you don't have to use
Elastic okay you can use anything that you want as long as it works but she's awesome she talks about lateral movement free tools recommendations and she's pretty much like I know I wish I had a kms slash ROI but she has right there but she's awesome take a look at that and she has a lot of stuff around lateral movements and Microsoft as well alright so now it's all about patching about patching and finding vulnerabilities obviously there's maybe there's different departments or different companies may not do a good job around it but still patching is definitely if there's one thing in the company that you can do that doesn't require a lot of additional money maybe
it depends depends on your patches as well it's patching I don't think about patching the operating system but also all the third-party vulnerabilities third-party software as well take a look at the vulnerability management whether it be a Nessus install or a commercial tool too there's a lot of cloud solutions now software as a service repeat and do over again as I mentioned your vulnerability let's say if you take your your at leadership and you're trying to show the leadership that your vulnerability is actually at an A right now during the month of November one of the things that I do is actually to let leadership know that our A our grade A won't be grade A in December would be
there's different things yeah so so it's it changes over time it's never going to be always the same it could be even worse some some ones as well resolve it and there's some information here open-source security tools that you can get to all right PowerShell how many people use PowerShell awesome right all right great you should we should be using it more at you know one of the things that the cyber criminals like to do is they like to use PowerShell because it's free and it's open it's on every Windows 10 box now Windows 7 you had to install it Windows XP I don't think I don't even know if it works I think I think you
have to install it too but use it it was created by this guy Jeffrey Snover in 2016 he's now the chief architect of yeah whereas actually he's a technical fellow actually the highest level at Microsoft and it's built on the .NET framework I advise you to take a look at this if you haven't it's kind of like the new command line everything in Microsoft now doesn't have to be done in GUI it can all be done in PowerShell from Exchange to Active Directory to Exchange email groups that you can do sometimes in the newer you know on-site Exchange or Office 365 it's hidden so I really recommend taking a look at PowerShell as well all right Nmap I
think everyone knows Nmap it was in the hackers movies and all these different ones it's in the Mr. Robot it was actually right from David Kennedy or the TrustedSec thing and Nmap's Gordon Fyodor he's awesome take a look at that you can do not only looking for open ports you can do advanced Nmap stuff too you can look at looking for some vulnerabilities too looking for additional stuff too I didn't put it in there but a lot of good stuff there all right Polar Bear honeypots this is actually talking about honeypots and honeypot right is just a trap for an attacker hoping that they will interact
with a way that provides useful intelligence Polar Bear was actually from Ben Ten it's currently in the making right now but what it is it's the premise of um you can create any application let's say like command line or PowerShell and then basically it will trick the attacker or cyber criminals into thinking that's a real command line so it's kind of like looping looping and Polar Bear one of is actually coming from Ben Ten in a few months as well and you're welcome to add stuff to it it's gonna be different applications it's kind of like a honeypot of different applications it could be a PowerShell give anything then you kind of laugh at the same time but you also are doing
your due diligence to see intelligence what are they doing whether they be external or internal server etc I want to stress here for those of you who have honeypots as well please don't leave your please change the default credentials please change the default names don't leave your honeypot as honeypot ABC etc you can find more information on Polar Bear right there all right phish your users phish your users I'm not gonna ask them obviously but right if you don't phish your users guess what your cyber criminals well they're gonna be your your best users friends if you don't you're not aware of it right talk to your users don't assume please don't have the mentality that users don't know
what they're doing they're very smart just because users don't don't indulge in security doesn't mean that they do and they do not care as well and help them help them try to figure out what they're trying to do you know it should be an ambassador for them and don't give up on them because it's our it's our jobs there's some information here how many people remember using Social-Engineer Toolkit works pretty well you can copy any website in like one minute it's just like like they write very interesting it was from TrustedSec David Kennedy as well the there's a most of the versions of SET have been released but except for one so the antivirus won't catch it as well
but um good information there so all right threat hunting threat hunting there's some good information here but pretty much in a nutshell threat hunting is depending on the maturity of the organization you really want to do threat hunting there's no specific framework for it but you basically one of the things that threat hunting gives you is basically a way to number one most of the time most organizations have like an IDS/IPS they usually have rules-based stuff they usually have like maybe an EDR yeah next generation antivirus for example but remember it's all signature based it doesn't have to be signature based could be behavioral based as well or we actually we really need to do threat
hunting more because the human human remember a human factor as well the human will actually find the that obstacles the stuff that signatures and this non non may be behavioral will finds as well do you because for example um um yeah we like for example I give you example there was accident where we were doing threat hunting and all of a sudden we found some users from China by accident yeah I think so that's a good keep keep working on that is the lessons learned but it helps everyone to remember keep in mind we can have all the technology and in we can have all the technology in place but companies still get me get breached get hacked right
we need to leverage more of it we need to do more automation we need to also oh this one is I'm sorry this one is a PowerShell script ps1 it's called DeepBlue it actually it's actually from SANS and basically you can run logs through it and it will give you more information as well so there's some stuff there I hooked up like this threat hunting book as well cyber ease and some other stuff too you don't have to register you have that until they take it down all right follow this guy already mentioned about Sean Metcalf he does awesome stuff he's probably one of the most brilliant guys I know in addition to Jessica as well
and these are just a few people so I want to mention it because I'm on the camera too I want to mention that there's so many people that are really really smart I I recommend you talk to them we're trying to do the same thing over and over again right now Microsoft Ignite right now I don't even know where it is I think it's Las Vegas right now um he's there Orlando okay sorry yeah I didn't know but but pretty cool stuff don't forget about application security OWASP how many Open Web Application Security Project members here all right awesome don't forget about that there's from 2017 there's OWASP Top 10 and obviously one of the things was if if there was a
OWASP Top 10 one there was actually being fixed a lot of the OWASP Top 10 or you know stuff that's over and over again right cross-site scripting disclosure blah blah blah or injection it's over and over again but there's also OWASP Mobile Security Project there's OWASP cheat sheets as well and then this is more like that we're helping this some so like yeah so sorry this is our OWASP application security conference we have a lot of it's all free we don't record everything but we have it every year we have about 200 people 200 yeah 200 people but really interesting so take a look at that take a look at your OWASP local chapters too okay so this is Shodan
how many people use Shodan right it's just it's a great utility for is to create a web web site for those of you who have education or academia emails you can actually get it for free just basically contact I forgot his name you can actually get it for free as well the full version for educational people educational people that work in academia yeah great information here make sure that you're doing your open source intelligence to not only logging the logs but taking a look at hopefully your servers in the network and your company are not advertised here hopefully there's not an Amazon Echo in your company hopefully there's not an ass
hopefully there's not a big I don't know you name it there's a refrigerator in your company and right there so take a look at that all right I'm sorry I went too fast Google hacking I think everyone already knows this Google Dorking Google Dorking Google hacking Google Dorking everyone knows who came from Johnny Long many many years ago he was the one that originated with it he has a non-profit Hackers for Charity that he says he's been in Africa yeah awesome stuff take a look at it there's Exploit-DB Google hacking all the different terms you can use this I just copied like yesterday so you get more information Offensive Security for those of you that want to get more familiar
with Metasploit Offensive Security you can also basically donate to them too but they have this course for free everyone know that there's Metasploit Metasploit Offensive Security Unleashed you can actually learn all Metasploit online for free Maltego how many people use that I'm actually waiting for the Black Friday so I can get it up for a good price there's many different versions of it but um there's just a community version too obviously but you can kind of see it's not in here I think they may have changed it but um you can kind of get an idea of what it's basically based on transforms it's based on transforms are kind of like think of
it as um different searches into applications as well what they call it in in Maltego and you can look at again public source information using this Maltego as well so pretty pretty interesting but do your thing make sure it's from Paterva you can get more information as well bless you all right so this guy I actually follow a lot too because um yeah I was really lucky I um I worked in Hong Kong for about almost one year and yep hey oh yeah yep cool yeah I'm glad to be back again with all the you know the different things that are happening I won't talk about that that's another talk this guy is awesome
he he used to be in the UK and he has a lot of great red team tips not only this guy there's many more people but I wanted to kind of call up call out Tim because blue teamers we need to we need to remember we need to be hundred percent right right so take a look at the red teams as well different tips too cool two minutes all right so incident response obviously I won't have as much time but for those of you doing incident response as well you're growing it you're maturing it be sure to do tabletop exercises we've be sure to do practice repetition get lessons learned be sure to work with your internal teams
not only in your internal group internal external people outside your department as well and also external people from the you know the third parties that you're working with as well I'm sorry about that and then keep continuing updating your policies procedures plans always be ready stay calm practice you know practice to not make mistakes the more repetitive you do the more checklists you have the more procedures you have that work the more it's easier to do if you're if you're not trained for it and then you have a large incident what are you gonna do you're gonna you're not gonna be calm you're not gonna be I also do that is very important that's the NIST from 2012 old one from
the incident response forensics tools pretty much who knows Buscador OSINT OSINT VM right it's mostly from OSINT techniques yeah IntelTechniques.com I believe yes yep exactly yep and then SANS SIFT SANS provides also a forensics a forensics image as well and also Kali and many others too but again you should always have not only for your policies procedures etc you should really have your your VMs virtual but whatever VirtualBox VMs VMware ready to you should be edited for your corporate for your corporate testing because you have to you have to you probably have to analyze some malware analyze some other stuff right sandboxing etc so be ready for that too
okay Living off the Land the end how many people have heard of this so this is actually command-line evasion so for example let's say you are basically recording command line right this website right here Living off the Land and you can an attacker or cyber criminal or red team can make the command line look look so bad so that you can't even tell what it is or it can be embedded in a different process or some other stuff too this is great information here it's a great project you can also contribute to this project too it's open source it's freeware but it's the the attackers the you know lets the attackers red teamers they use this
to cybercriminals they use this so that in your log source you're unable to tell what it is so okay recommendations I think I'm good awesome green okay so recommendations these are just my opinions but you know know your network do your job well and automate when possible because these cyber criminals attackers they're doing that already try to measure document your gaps to lessons learned progress progress that has been made if it's not you or let's say it's your manager review and edit the report take a look at it make sure that all the technical jargon is done it is out there making sure that bring it to someone outside of technology to see if they
actually understand it when you're actually presenting in front of the leadership team they want to see red green blue they want to see something simple they don't want to see vulnerability scans CVE x-ray or whatever it is make it simple network network network I think everyone here has already been doing that participate in more of the you know the sharing blue team the information etc also at the same time for those of you there's also Mental Health Hackers too we have a lot of stress especially incident response engagements you know we're always working we working work from anywhere in the world always working you know enjoy your time to take vacation as well it's really important
and with that I want to open up for questions we have about eleven minutes basically and feel free feedback if if it was bad let me know if it wasn't good let me know as well I'm not wr0 on Twitter and again this is just all the things that I've learned from like you know travels etc talking to people and I hope that this this was very beneficial for everyone and of course I will share this too I'll find out somewhere to put it any questions any questions no no yeah sure yep yes sir
yep sorry could you repeat that sorry
that's a good question I may have to get back to you on that yeah I'm not I'm not positive myself I would have to get back to you on that yeah sorry about that yeah but the question was how often do you see frequency analysis on the on the blue team side I don't know I have to I have to look I had to take a look I think SANS does something I think there's some other but I'm not off the top of my head I don't know that answer so yeah yeah exactly yeah okay yeah I which I still don't know yes to that question I don't know if anyone wants to comment I'm but yeah I
fortunately I think yeah I'll have to get back to you on that yep any any any other questions any other questions good yes yes sir yes
yeah yeah so the question was so are there any recommended like logging etc it's not a one-size-fits-all for every company organization what may work for like um you know my company or your company may not work for someone else as well so everyone is I doing their own thing but I mean there's there's recommendations about what you'd be logging but obviously right if you ingest started ingesting workstation logs and it's gonna be a huge huge stuff you probably want to just ingest stuff but but you know try to parse it out parse it out bit by that most there's actually I think I put in here but if not I'll put in there too for the red
team side there's are actually from Microsoft they actually have a list of all the the top top maybe like 20 to 50 50 to 100 Windows security event logs that should be looked at whether it be like a security operation center or etc as well so I can only say on that but yeah it's not a one-size-fits-all so yes sure oh yeah yeah sure yep so the question was are there any companies or industries using like a third party yep so a lot of the MSSPs shared partners um a lot of companies also because they're again right show of hands how many people have how many people have like a hundred people in their security team right
okay so alright so yeah there's a lot of security operation centers that are doing it whether it be like a they'll SecureWorks or something else to do there's many there's many this just came on the top of my head but there's so many you'll see like every industry using their own thing too but it also depends on like the amount of users as well thank you amount of users etc but again it's not a one size fits all but I know that uh you know there's we don't have a hundred people so and also at the same time we're not working 24/7 so we probably need like some kind of third party or third party or vendor to help
us to basically monitor that 24/7 as well so so yeah good question yep any other questions going once yes yes sir
yes yeah so um there was one the there was that uh this is there and the NXLog and also that PowerShell script called um DeepBlue as well and those those are just some recommendations too there's many more to that you can start off with you if there's nothing currently that you have as well so there's many yep so oh yeah um yeah um yeah the question was is there any recommendation um for for different it's a not a one size fits all what I would take a look at what a recommendation I would look at is actually the top critical Windows security event IDs and put defenses around it um I think one of the things
that I forgot was um I think one on the slides is it's hard to do whitelisting but when you actually know like what is in the environment you can actually you know put like a whitelist together anything any deviation from that whitelist you know so something like that too but the main thing is really just to know like what is normal as well yep so yeah Pete well thanks a lot everyone thank you thanks everyone [Applause] Thank You Roy so if you guys want to stick around