2020-006-Roberto Rodriguez, threat intel, threat hunting, hunter's forge, mordor setup
Published February 19, 2020 | 32 min
    Show notes

    Full notes and graphics are on www.brakeingsecurity.com

    Episode 2020-006

    Book club

    “And maybe blurb for the cast could go something like this. Book club is starting up again with Hands-On AWS Penetration Testing with Kali Linux from Gilbert and Caudill. You read and get together to discuss or demo every Monday. Get the book, start reading and meet us for the kickoff Monday the 24th at 10pm Eastern. The book club meets virtually on Zoom, and organizes on Slack. Get invited like this.”

     

    Book: https://smile.amazon.com/Hands-Penetration-Testing-Kali-Linux/dp/1789136725

     

    NolaCon Training:

    https://nolacon.com/training/2020/security-detect-and-defense-ttx




    Roberto Rodriguez 

     

    Bio

    @Cyb3rWard0g on Twitter





    Threat Intel vs. Threat Hunting = what’s the difference?

     

    What datasets are you using? 

     

    Did you start with any particular dataset, or create your own?

     

    Technique development - what skills are needed?

        C2 setup

        Detection mechanisms

        Honeypots

     

    How can people get involved?

     

    Blacksmith - create a ‘mordor’ environment to push scripts to set up honeypots/honeynets

     

    https://Threathunterplaybook.com 

     

    https://github.com/hunters-forge/ThreatHunter-Playbook 

     

    https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/lateral_movement/WIN-190815181010.html

     

    https://medium.com/threat-hunters-forge/threat-hunter-playbook-mordor-datasets-binderhub-open-infrastructure-for-open-8c8aee3d8b4

     

    https://medium.com/threat-hunters-forge/writing-an-interactive-book-over-the-threat-hunter-playbook-with-the-help-of-the-jupyter-book-3ff37a3123c7 

     

    https://www.exploit-db.com/exploits/47995 - Sudo buffer overflow

     

    Mordor: The Mordor project provides pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption. 

     

    YAML Example: https://github.com/hunters-forge/ThreatHunter-Playbook/blob/master/playbooks/WIN-190810201010.yaml

     

    Notebook Example:

    https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/lateral_movement/WIN-190810201010.html 

     

    Jupyter notebook - Definition: https://jupyter-notebook-beginner-guide.readthedocs.io/en/latest/what_is_jupyter.html 

     

    Lateral Movement - WMI - IMAGE Below



    SIGMA?

     

    What is a Notebook?

    Think of a notebook as a document that you can access via a web interface that allows you to save input (i.e., live code) and output (i.e., code execution results / evaluated code output) of interactive sessions as well as important notes needed to explain the methodology and steps taken to perform specific tasks (i.e., data analysis).

    https://medium.com/threat-hunters-forge/threat-hunter-playbook-mordor-datasets-binderhub-open-infrastructure-for-open-8c8aee3d8b4




    Have a goal for expanding to other parts of ATT&CK?

     

    Threat Hunter Playbook - Goals

    • Expedite the development of techniques and hypotheses for hunting campaigns.
    • Help Threat Hunters understand patterns of behavior observed during post-exploitation.
    • Reduce the number of false positives while hunting by providing more context around suspicious events.
    • Share real-time analytics validation examples through cloud computing environments for free.
    • Distribute Threat Hunting concepts and processes around the world for free.
    • Map pre-recorded datasets to adversarial techniques.
    • Accelerate infosec learning through open source resources.

    Sub-techniques:

     

    https://medium.com/mitre-attack/attack-sub-techniques-preview-b79ff0ba669a

     

    Slack Channel:

     

    https://launchpass.com/threathunting

     

    Twitter:

     

    https://twitter.com/mattifestation

    https://twitter.com/tifkin_

    https://twitter.com/choldgraf

    https://twitter.com/Cyb3rPandaH

     
