2020-007-Roberto_Rodriguez-threat_hunting-juypter_notebooks_data-science
Published February 26, 2020
|
63 min
    Download
    Add to queue
    Copy URL
    Show notes

    Brakesec Podcast is now on Pandora!  Find us here: https://pandora.app.link/p9AvwdTpT3

    Book club

    Book club is starting up again with Hands-On AWS penetration testing with Kali Linux from Gilbert and Caudill. You read and get together to discuss or demo every Monday. Get the book, start reading and meet us for the kick off Monday the 24 at 10pm eastern. The book club meets virtually on zoom, and organizes on slack..get invited like this.”

     

    Book: https://smile.amazon.com/Hands-Penetration-Testing-Kali-Linux/dp/1789136725

     

    NolaCon Training:

    https://nolacon.com/training/2020/security-detect-and-defense-ttx




    Roberto Rodriguez 

     

    Bio

    @Cyb3rWard0g on Twitter





    Threat Intel vs. Threat Hunting = what’s the difference?

     

    What datasets are you using? 

     

    Did you start with any particular dataset, or created your own?

     

    Technique development - what skills are needed?

        C2 setup

        Detection mechanisms

        Honeypots

     

    How can people get involved?

     

    Blacksmith - create ‘mordor’ environment to push scripts to setup honeypot/nets

     

    https://Threathunterplaybook.com 

     

    https://github.com/hunters-forge/ThreatHunter-Playbook 

     

    https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/lateral_movement/WIN-190815181010.html

     

    https://medium.com/threat-hunters-forge/threat-hunter-playbook-mordor-datasets-binderhub-open-infrastructure-for-open-8c8aee3d8b4

     

    https://medium.com/threat-hunters-forge/writing-an-interactive-book-over-the-threat-hunter-playbook-with-the-help-of-the-jupyter-book-3ff37a3123c7 

     

    https://www.exploit-db.com/exploits/47995 - Sudo buffer overflow

     

    Mordor: The Mordor project provides pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption. 

     

    YAML Example: https://github.com/hunters-forge/ThreatHunter-Playbook/blob/master/playbooks/WIN-190810201010.yaml

     

    Notebook Example:

    https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/lateral_movement/WIN-190810201010.html 

     

    Jupyter notebook - Definition: https://jupyter-notebook-beginner-guide.readthedocs.io/en/latest/what_is_jupyter.html 

     

    Lateral Movement - WMI - IMAGE Below



    SIGMA?

     

    What is a Notebook?

    Think of a notebook as a document that you can access via a web interface that allows you to save input (i.e live code) and output (i.e code execution results / evaluated code output) of interactive sessions as well as important notes needed to explain the methodology and steps taken to perform specific tasks (i.e data analysis).

    https://medium.com/threat-hunters-forge/threat-hunter-playbook-mordor-datasets-binderhub-open-infrastructure-for-open-8c8aee3d8b4




    Have a goal for expanding to other parts of ATT&CK?

     

    Threat Hunter Playbook - Goals

    • Expedite the development of techniques an hypothesis for hunting campaigns.
    • Help Threat Hunters understand patterns of behavior observed during post-exploitation.
    • Reduce the number of false positives while hunting by providing more context around suspicious events.
    • Share real-time analytics validation examples through cloud computing environments for free.
    • Distribute Threat Hunting concepts and processes around the world for free.
    • Map pre-recorded datasets to adversarial techniques.
    • Accelerate infosec learning through open source resources.

    Sub-techniques:

     

    https://medium.com/mitre-attack/attack-sub-techniques-preview-b79ff0ba669a

     

    Slack Channel:

     

    https://launchpass.com/threathunting

     

    Twitter;

    https://twitter.com/mattifestation

    https://twitter.com/tifkin_

    https://twitter.com/choldgraf

    https://twitter.com/Cyb3rPandaH

     

    on

    Brakeing Down Security Podcast on #Pandora-

    https://www.pandora.com/podcast/brakeing-down-security-podcast/PC:27866

    Marcus Carey https://twitter.com/marcusjcarey 

    Prolific Author, Defender, Enterprise Architect at ReliaQuest

     

    https://twitter.com/egyp7 

     

    https://www.darkreading.com/vulnerabilities---threats/reliaquest-acquires-threatcare/d/d-id/1335950

     

    “GreyMatter integrates security data from security incident and event manager (SIEM), endpoint detection and response (EDR), firewalls, threat intelligence feeds, and other security tools, and includes analysis functions and automation. Threatcare's technology — which will become a new feature on the platform — simulates how a specific threat or attack could target an organization's network in order to determine whether its security tools and settings are or are not actually working to thwart the threats.”

     

    Security model - everyone’s is diff

        How do you work with your threat model?

        A proper threat model

     

    Attack Simulation - 

        How is this different from doing a typical Incident Response tabletop? Threat modeling systems?

        How is this different than a pentest?

        Is this automated red teaming? How effective can automated testing be?

        Is this like some kind of constant scanning system?

        How does this work with threat intel feeds? 

        Can it simulate ransomware, or any attacks?

     

    Hedgehog principles

        A lot of things crappily, and nothing good

     

    Mr. Boettcher: “Why suck at everything…”

     

    Atomic Red Team - https://github.com/redcanaryco/atomic-red-team 

    ATT&CK Matrix - https://attack.mitre.org/matrices/enterprise/ 

     

    Tribe of Hackers 

    https://smile.amazon.com/Tribe-Hackers-Cybersecurity-Advice-World/dp/1793464189 -  Red Book

     

    The Tribe of Hackers team is back with a new guide packed with insights from dozens of the world’s leading Red Team security specialists. With their deep knowledge of system vulnerabilities and innovative solutions for correcting security flaws, Red Team hackers are in high demand. Tribe of Hackers Red Team: Tribal Knowledge from the Best in Offensive Cybersecurity takes the valuable lessons and popular interview format from the original Tribe of Hackers and dives deeper into the world of Red Team security with expert perspectives on issues like penetration testing and ethical hacking.  This unique guide includes inspiring interviews from influential security specialists, including David Kennedy, Rob Fuller, Jayson E. Street, and Georgia Weidman, who share their real-world learnings on everything from Red Team tools and tactics to careers and communication, presentation strategies, legal concerns, and more

    • Learn what it takes to secure a Red Team job and to stand out from other candidates
    • Discover how to hone your hacking skills while staying on the right side of the law
    • Get tips for collaborating on documentation and reporting
    • Explore ways to garner support from leadership on your security proposals
    • Identify the most important control to prevent compromising your network
    • Uncover the latest tools for Red Team offensive security



    https://smile.amazon.com/Tribe-Hackers-Cybersecurity-Advice-World/dp/1119643376 - Yellow Book

     

    Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World is your guide to joining the ranks of hundreds of thousands of cybersecurity professionals around the world. Whether you’re just joining the industry, climbing the corporate ladder, or considering consulting, Tribe of Hackers offers the practical know-how, industry perspectives, and technical insight you need to succeed in the rapidly growing information security market. This unique guide includes inspiring interviews from 70 security experts, including Lesley Carhart, Ming Chow, Bruce Potter, Robert M. Lee, and Jayson E. Street.

    • Get the scoop on the biggest cybersecurity myths and misconceptions about security
    • Learn what qualities and credentials you need to advance in the cybersecurity field
    • Uncover which life hacks are worth your while
    • Understand how social media and the Internet of Things has changed cybersecurity
    • Discover what it takes to make the move from the corporate world to your own cybersecurity venture
    • Find your favorite hackers online and continue the conversation

     

    https://smile.amazon.com/Tribe-Hackers-Security-Leaders-Cybersecurity/dp/1119643775 - Green Book

    (Next out!)

    Information security is becoming more important and more valuable all the time. Security breaches can be costly, even shutting businesses and governments down, so security leadership is a high-stakes game. Leading teams of hackers is not always easy, but the future of your organization may depend on it. In this book, the world’s top security experts answer the questions that Chief Information Security Officers and other security leaders are asking, including:

    • What’s the most important decision you’ve made or action you’ve taken to enable a business risk?
    • How do you lead your team to execute and get results?
    • Do you have a workforce philosophy or unique approach to talent acquisition?
    • Have you created a cohesive strategy for your information security program or business unit?

     

    https://smile.amazon.com/Tribe-Hackers-Blue-Team-Cybersecurity/dp/1119643414 - Blue Book

    (OUT SOON!)

    Tribe of Hackers Blue Team goes beyond the bestselling, original Tribe of Hackers book and delves into detail on defensive and preventative techniques. Learn how to grapple with the issues that hands-on security experts and security managers are sure to build into their blue team exercises.

    • Discover what it takes to get started building blue team skills
    • Learn how you can defend against physical and technical penetration testing
    • Understand the techniques that advanced red teamers use against high-value targets
    • Identify the most important tools to master as a blue teamer
    • Explore ways to harden systems against red team attacks
    • Stand out from the competition as you work to advance your cybersecurity career

    Check out our Store on Teepub! https://brakesec.com/store

    Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

    #Brakesec Store!:https://www.teepublic.com/user/bdspodcast

    #Spotifyhttps://brakesec.com/spotifyBDS

    #Pandora: https://pandora.app.link/p9AvwdTpT3

    #RSShttps://brakesec.com/BrakesecRSS

    #Youtube Channel:  http://www.youtube.com/c/BDSPodcast

    #iTunes Store Link: https://brakesec.com/BDSiTunes

    #Google Play Store: https://brakesec.com/BDS-GooglePlay

    Our main site:  https://brakesec.com/bdswebsite

    #iHeartRadio App:  https://brakesec.com/iHeartBrakesec

    #SoundCloudhttps://brakesec.com/SoundcloudBrakesec

    Comments, Questions, Feedback: bds.podcast@gmail.com

    Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

    https://brakesec.com/BDSPatreon

    #Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

    #Player.FM : https://brakesec.com/BDS-PlayerFM

    #Stitcher Network: https://brakesec.com/BrakeSecStitcher

    #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

     

      15
      15
        0:00:00 / 0:00:00