In this workshop, we’ll leverage Prelude Operator, an easy-to-use desktop platform for autonomous red teaming. With Operator, we can generate adversary profiles, complete with TTPs and goals, then deploy an “adversary”, evaluating our detection coverage against the MITRE ATT&CK framework using Security Onion, a free and open platform for intrusion detection, enterprise security monitoring, and log management. By providing network, host, and other types of data, Security Onion can provide a leg up to defenders, allowing them to track down their adversaries and make them cry.
This talk will show the audience how they can use Osquery to complement the functionality of EDR/MDR/XDR systems to improve overall security on endpoints.
Are you fascinated with Sherlock Holmes stories?
In your lifetime, have you ever come across the word Forensics?
Most of us have seen it in the movies: after a crime, the police visit the crime scene and say “Call the Forensics Team”.
Did you ever feel CURIOUS about that?
Technology is evolving, and so are the attacks and investigation techniques.
If you are interested in Digital Forensics and have questions like:
- How to start?
- What skills are required?
- What tools to use?
Then this workshop is the right place for you.
The recent increase in network compromises and sophistication of attackers has underscored the need to rapidly identify and remediate attacks at a large scale across the enterprise. Having the ability to rapidly collect, detect and remediate across a network is a game changer for any Digital Forensics and Incident Response (DFIR) team. It provides unprecedented visibility into the state of the endpoint and the ability to tailor responses as the investigation evolves. Having this capability in an open-source tool that allows for truly surgical collection – at speed, at scale and free – is a triple bonus.
At the beginning of each year, companies share lessons learned and forecasts on what (cyber) threats are expected in the next 12 months. The reality is that a lot of teams and companies publish about this and you probably did not read all these articles or reports.
This talk explores the results of a meta-analysis on threat forecasting, based on open-source reports and articles. As a defender you constantly balance between pushing Jira tickets and looking ahead. This TL;DR gives defenders context into what needs to be prioritised alongside daily operations.
In this presentation, I will discuss the key forensic artifacts that can be used whenever DFIR professionals encounter cloud storage services on the host, such as OneDrive, Google Drive, Box and Dropbox. These are all essential, especially when an attacker or insider threat leverages these services to exfiltrate data. I will also show how to perform data acquisition to obtain these artifacts in a forensically sound manner.
The Hunt for Red Apples workshop guides participants through emulation walkthroughs, hunting playbooks, & hunting exercises around an intrusion by Ocean Lotus, an established threat actor targeting macOS. The workshop is broken into sections using both the attack lifecycle & the MITRE ATT&CK knowledge base.
For each phase in the attack lifecycle, participants learn about one particular tactic, relevant macOS data sources, how to build a hunting plan, practice hunting, & how the red team emulated the tactic using open source intelligence.
This workshop is a resource on how to threat hunt, emulate, & use open source threat intelligence on a specific threat actor.
Most DFIR work never makes it to a courtroom, and even when it does it is often unchallenged. This talk will cover cases of doing pro bono digital forensics for public defenders and journalists, and the shoddy work that often passes for science.
We’ll explore vulnerabilities we’ve discovered in our IoT, IIoT, and ICS research to reveal the systemic problems that exist as a result of the fragmented supply chain, inconsistent configurations, and overall poor security standards found across the critical networks and devices. We'll then show how we have applied discoveries of these aberrant behaviors to ML algorithms to uncover the risky and potentially very damaging covert channels communicating with the outside world and the types of data being harvested along with the new attack surfaces that they offer.
Analyzing malware is not an easy task. It is a slow process that becomes even more challenging with all the different protections added by threat actors to hide their secrets.
Several techniques can be used to obscure malicious code; however, the most commonly used are packers. Nowadays, almost every malicious piece of code uses a packer, so if you really want to understand its inner workings you must first defeat its packer. But do you know how to get rid of this defense without losing your mind? Well, join me and we will find out.
Commercial SIEMs are expensive, inflexible and risk vendor lock-in. At Cloudflare, we built a SIEM using a serverless architecture that provides the scalability and flexibility to perform various Detection and Response functions. We will discuss this architecture, and how it can be built upon to solve many security problems in a true pay-as-you-use model, after 2 years of use handling Cloudflare’s data.
Almost every cybersecurity service begins with defining a scope to be assessed. There is nothing wrong with scoping unless it is all about what we know. Attackers walk into our network from entry points that we may not even know about. This is not an "out of scope" concept, as these entry points are entirely unknown; let's call it "Scope X." One of the mysterious examples of Scope X is subdomains; this presentation will not talk about techniques to enumerate them, as uncle Google provides tons of tutorials. Instead, we discuss threat hunting on discovered subdomains.
In this talk, we will discuss the importance of monitoring your Azure RBAC and introduce SubWatcher, our newly released open-source tool that we use internally to complement Azure security tools and scan our subscriptions to make sure our systems are not being accessed by bad actors. Can’t wait to see where the community takes this amazing tool!
This workshop will take students’ Wireshark skills to the next level, with a heavy emphasis on incident response, threat hunting, and malicious network traffic analysis. We will begin with a brief introduction to Wireshark and other Network Security Monitoring (NSM) tools/concepts. Placement, techniques, and collection of network traffic will be discussed in detail.
As a high-profile public-sector organization, the Dutch Tax and Customs Administration deals every day with criminals claiming to be representatives of the organization and contacting the public with phishing e-mails. By using Splunk and RFCs such as RFC 7208 – Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, we have developed a technique to identify phishing attacks that are carried out under the disguise of the Dutch Tax and Customs Administration.
BTV Presents: Malware Station - Maldoc Workshop
A malware analysis and triage workshop covering quick static and dynamic analysis techniques along with common adversarial obfuscation techniques, followed by a short malware analysis tournament challenge with gift-card prizes.
What can machine learning do for security? A number of things. One major challenge is determining what’s normal and what’s malicious. Machine learning can help with this. For example, ML techniques are used in spam filters to scan email. Machine learning is also being applied to other areas like network traffic monitoring and malware analysis, and has the potential to detect zero-day exploits.
However, machine learning isn't magic. We discuss some of the limitations of machine learning, and how problems like false positives can be mitigated.
If you think I'm shouting something about security strategy for a multi-cloud environment...it's because I AM. Secure your dangling DNS records. Your object storage is showing. I can see your compute workload from here. Get your security groups straight. Have you seen the laundry list of accounts on which no one has performed nary an IAM credential analysis? Are your analytic processes hamstrung and kludgey from, you know, being cloudy? Don't know how to even assess your options? Let's talk about how to evaluate cloud security tools and the considerations you need to make for your enterprise.
Sharing research and details around running passive NGFWs to complement threat hunting tools. This talk will walk through why, how, and what I learned about these, to share with the community the value that can be gained by leveraging NGFWs for threat hunting.
Forensics Station - Workshop 1
A walkthrough of triaging "compromised" Capstone servers.
Modern authentication protocols such as SAML, OAuth and OpenID Connect, along with claims, bearer tokens and JWT tokens, are traversing various authentication flow paths in your environment today. In this session we will break down these authentication concepts and common flows for the non-identity admin. We will also discuss some common attacks and defenses the security team should be monitoring for and implementing in their environment.
There is so much networking architecture we do in the name of security which ultimately just gets in the way of so many things. Learn about ways to simplify your network design and reduce your management overhead while maintaining or increasing your security posture.
This hands-on training will walk attendees through leveraging the open source Elastic (ELK) Stack to proactively identify common ransomware tactics, techniques, and procedures (TTPs) within diverse log data sets. The blue team tools and techniques taught during this workshop can be used to investigate isolated ransomware incidents or implemented at scale for continuous monitoring and threat hunting.
Based on tradecraft documents openly published by the CIA, this talk takes structured analytical techniques intended for intelligence analysis and refactors them for use in improving typical Information Security investigations and analyses as well as OSINT investigations.
Follow along as we spin the Threat Report Roulette Wheel and provide rapid fire responses to how we would create actionable takeaways from the publicly available, TLP: White Threat Reports. Pick up some tips and tricks to up your game!
Check out our Github with links to the reports: https://github.com/ch33r10/DEFCON29-BTV-ThreatReportRoulette
https://bit.ly/DC29Roulette
In this live tabletop, a group of panelists will be asked for their opinion on how to deal with a fictitious security incident as it unfolds. The live audience will be encouraged to submit questions. Regardless of your skill level, this fun panel will take you through a day in IRLIFE!
Blue Team Village's Meet-a-Mentor program turns 1 year old at DEF CON 29! Join us as we share all the work we've done and what we've learned in the past year, and also listen to three mentor-mentee matches share their experiences with us.
Blue Team Village Closing Ceremony