the tldr version slides 1 19 are copy pastable to achieve
play

The TLDR Version Slides 1- 19 are copy pastable to achieve the - PowerPoint PPT Presentation

Nov 15, 2022 •150 likes •761 views

The TLDR Version Slides 1- 19 are copy pastable to achieve the results demonstrated during our talk Slides 20-60 were used in the actual TLDR; presentation BLUE TEAM SPRINT: LETS FIX THESE 3 THINGS ON MONDAY Network Baselines BLUE TEAM

  1. The TLDR Version Slides 1- 19 are copy pastable to achieve the results demonstrated during our talk Slides 20-60 were used in the actual TLDR; presentation BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  2. Network Baselines BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  3. Bropy 3 1. git clone https://github.com/hashtagcyber/bropy3.git 2. cd bropy3 3. vi etc/bropy.cfg – Update Protected Network variable – Ensure paths are correct for Bro logs/binaries 4. sudo ./bropy3.py – Select “Install” – Restart Bro – Wait a few hours – Use the menu to build baseline BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  4. Application Baselines BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  5. Microsoft Applocker • Application Identity Service – Verifies file attributes • If service is not running enforcement will no longer be enforced • Configuring appidsvc to auto-start sc config appidsvc start=auto sc stop appidsvc && sc start appidsvc • Apply to Domain with GP Editor Computer Configuration>Windows Settings>Security Settings>System Services>Application Identity 5 BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  6. Microsoft Applocker • Verify Service is set to Auto-start PS C:\> Get-Service "Application Identity" | Select-Object Status, Name, DisplayName, starttype Status Name DisplayName StartType ---------- ----------- ----------------- ------------- Running AppIDSvc Application Identity Automatic BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  7. Microsoft Applocker • Putting it all together – Gather file information and create new policy PS C:\> Get-AppLockerFileInformation -Directory C:\Windows\System32 -Recurse -FileType exe, script, dll | New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -IgnoreMissingFileInformation - RuleNamePrefix System32 -XML | Out-File .\System32.XML – Test policy PS C:\> Test-AppLockerPolicy -Path 'C:\Users\Carl.Isdead\Downloads\HxD.exe' -XmlPolicy 'C:\Users\Carl.Isdead\Desktop\System32.xml' FilePath PolicyDecision MatchingRule -------- -------------- ------------ C:\Users\Carl.Isdead\Downloads\HxD.exe DeniedByDefault BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  8. Microsoft Applocker • Set-Applocker PS C:\> Set-AppLockerPolicy -XMLPolicy C:\System32.xml • Get-GPO Get-GPO -All -Domain zombee.corp | Select-Object DisplayName, Path • Apply to GPO PS C:\> Set-AppLockerPolicy -XMLPolicy C:\System32.xml -LDAP "LDAP://Zom-DC.corp/cn={31B2F340- 016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=zombee,DC=corp" BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  9. Microsoft Applocker • Additionally you can create a New-Policy from Audited events C:\PS>Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows- AppLocker/EXE and DLL" -EventType Audited | New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone - IgnoreMissingFileInformation | Set-AppLockerPolicy BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  10. Blue Team Sprint Troopers 18 BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  11. Disclaimer • We “borrowed” an employers slide template – Creating .POT files is hard • This is NOT any employers material • TLDR; You can sue us, not our employers BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  12. Elastic Stack BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  13. But I have a Raspberry Pi Budget…. • 3 Tier System – ElasticSeach + Kibana Node – Logstash for centralized ingestion – Beats agent for forwarding to Logstash • Why this way? – Beats agents are multi platform and allow for simple integration – Logstash by itself is flexible, connectors for most commercial SIEMs • If budget increases, you can switch to $SIEM by changing the Logstash output Filebeat ES WinLog WinLog Logstash Beat Beat Kibana Packet Packet Beat Beat 13 BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  14. #Kitbag : Installing ElasticSearch and Kibana on Debian9 • Elastic has a tutorial – https://www.elastic.co/guide/en/elasticsearch/reference/current/setup.html • TLDR; sudo apt-get update && sudo apt-get upgrade sudo apt-get install default-jdk apt-transport-https wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list sudo apt-get update && sudo apt-get install elasticsearch kibana sudo sed -i 's/^#network.host.*/network.host : 0.0.0.0/' /etc/elasticsearch/elasticsearch.yml sudo sed -i 's/^#server.host.*/server.host : 0.0.0.0/' /etc/kibana/kibana.yml BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  15. #Kitbag : Installing ElasticSearch and Kibana on Debian9 Continued…. sudo /bin/systemctl daemon-reload sudo /bin/systemctl enable elasticsearch.service sudo /bin/systemctl enable kibana.service sudo service elasticsearch start sudo service kibana start BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  16. #Kitbag : Installing Logstash on Debian 9 • Again, Elastic has a great wiki: – https://www.elastic.co/guide/en/logstash/6.2/setup-logstash.html • But, TLDR; sudo apt-get update && sudo apt-get upgrade sudo apt-get install default-jdk apt-transport-https wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list sudo apt-get update && sudo apt-get install logstash sudo /bin/systemctl daemon-reload sudo /bin/systemctl enable logstash.service BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  17. Logstash Config - WinLogBeat • vi /etc/logstash/conf.d/winlogbeat.conf input { beats { port => 5044 } } output { elasticsearch { hosts => ["http://192.168.75.253:9200"] index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}" } } • sudo service logstash restart BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  18. WinLogBeat – Install and Configure • Elastic Wiki – https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat- configuration.html • TLDR; 1. Download and extract the winlogbeat zip file from Elastic – https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-6.2.2-windows- x86_64.zip 2. Edit ./winlogbeat/winlogbeat.yml – Comment out all sections relating to ElasticSearch and Kibana – Uncomment output.logstash section and fill in the host field with your logstash IP address 3. Re-compress the folder, transfer to client, extract and run “install-service- winlogbeat.ps1” 4. Start-service winlogbeat BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  19. Final Step : Configure ElasticSearch Index • Browse to http://elastic.search.ip:5351 • Click “Configure Index” • Enter “logstash-*” • Select “@timestamp” for timestamp • Profit BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  20. Blue Team Sprint The Concept Network Baselines (Bropy3) Application Baselines (AppLocker) ElasticStack Super Demo BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  21. About Us Jordan Salyer Matt Domko – – Beard Enthusiast Beard Enthusiast – – Former: Former: • • Carpenter Parachutist • • Gold Prospector Enterprise Admin • • Cyber Network Operator “Cyber Network Defender” – – Infosec Instructor Security Engineer at $DayJob – – Hiking/Outdoors Brakesec Slack https://brakesec.signup.team – @hashtagcyber BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  22. Why We’re Here “Make the world a safer place” {by sharing information} BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  23. Blue Team Sprints NOT THIS KIND OF SPRINT! BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  24. Why YOU are here: – Not enough time in a day • Sorry, can’t fix that – Not enough engineers on your team • Sorry, can’t fix that – You want to know more about the packets on your network • Bropy3 – You want to spend LESS time resolving skiddy malware • Application Whitelisting – You want a SIEM, but don’t have a billion $$$ budget for <redacted> • Elastic Stack BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  25. The most important thing to me….. WHAT THE HELL IS ON MY NETWORK? BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  26. Scenario Network BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

  27. Network Anomaly Detection : Bropy3 – Start with an empty whitelist – Apply a policy to log all traffic not in the whitelist – Use logs to update the whitelist – Review new logs • Investigate new ports/hosts • Update whitelist as needed BLUE TEAM SPRINT: LET’S FIX THESE 3 THINGS ON MONDAY

Recommend

T Levels/Skills Plan Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body

T Levels/Skills Plan Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body

HERTFORD REGIONAL COLLEGE HEADER Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body Copy Body

515 views • 17 slides
NOTE: THIS IS A DRAFT PAPER; PLEASE DO NOT CITE OR COPY AN UPDATED VERSION WILL BE AVAILABLE

NOTE: THIS IS A DRAFT PAPER; PLEASE DO NOT CITE OR COPY AN UPDATED VERSION WILL BE AVAILABLE

NOTE: THIS IS A DRAFT PAPER; PLEASE DO NOT CITE OR COPY AN UPDATED VERSION WILL BE AVAILABLE CLOSER TO THE TIME OF THE IUSSP CONFERENCE (October 30, 2017) The Effect of Legal Status on Educational Outcomes of College Students: Evidence on

400 views • 21 slides
This copy is for archival purposes only. Please contact the publisher for the original version.

This copy is for archival purposes only. Please contact the publisher for the original version.

This copy is for archival purposes only. Please contact the publisher for the original version. Table of Contents This copy is for archival purposes only. Please contact the publisher for the original version. Economic Highlights Doing

480 views • 34 slides
Collective Download an electronic copy of the slides, at

Collective Download an electronic copy of the slides, at

Patrick Fanelli, Esq. - Fanelli Wille4 Law 6/17/15 Offices - pfanelli@fanwil.com Digital Handouts Collective Download an electronic copy of the slides,

401 views • 4 slides
Making Slides in L A T X E Same L A T X that typesets your papers; you can use the same

Making Slides in L A T X E Same L A T X that typesets your papers; you can use the same

L A T Xs slides Document Class E Making Slides in L A T X E Same L A T X that typesets your papers; you can use the same E commands on slides RSI 2008 Staff Trivial to copy bits of your paper (even equations!) into slides

350 views • 3 slides
Atmospheric Sounding Visualization Sancho McCann Permission is granted to copy, distribute

Atmospheric Sounding Visualization Sancho McCann Permission is granted to copy, distribute

Atmospheric Sounding Visualization Sancho McCann Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software

356 views • 24 slides
real-world crypto and privacy. June 2016 Copy of speaker slides from a summer school in Croatia on

real-world crypto and privacy. June 2016 Copy of speaker slides from a summer school in Croatia on

Copy of speaker slides from a summer school in Croatia on Authenticated Encryption (AE) real-world crypto and privacy. June 2016 Part 1: 14:00 15:00 Kind thanks to the Part 2: 15:00 16:00 organizers of this Copy of speaker slides from

929 views • 72 slides
Before we get started A copy of todays webinar slides is currently available for download

Before we get started A copy of todays webinar slides is currently available for download

Before we get started A copy of todays webinar slides is currently available for download on the SEDS Resource Site LEA Special Education Point of Contact (LEA SE POC) resource page:

456 views • 44 slides
STOOL SAMPLE For enterovirus Stool sample / Evidence of viral cause of Rectal swab

STOOL SAMPLE For enterovirus Stool sample / Evidence of viral cause of Rectal swab

Paediatric and Congenital Cardiac Service Starship Children's Hospital The electronic version of these guidelines is the version currently in use. Any printed copy cannot be assumed to be current. INVESTIGATONS for acute presentation of DCM,

504 views • 3 slides
INVESTMENTS TO HIGHER FCF DISCLAIMER This presentation, including a hard copy of these slides,

INVESTMENTS TO HIGHER FCF DISCLAIMER This presentation, including a hard copy of these slides,

FROM PEAK INVESTMENTS TO HIGHER FCF DISCLAIMER This presentation, including a hard copy of these slides, the information communicated during any delivery of the presentation, both oral and written, and any question and answer session and any

1.01k views • 54 slides
Slides 2-5 LETS RECAP : Copy down memory note and table on the left . Raw materials have not

Slides 2-5 LETS RECAP : Copy down memory note and table on the left . Raw materials have not

Week 8 : 8-12 June Slides 2-5 LETS RECAP : Copy down memory note and table on the left . Raw materials have not gone through a process . They are made into other things and may look, smell, feel or taste different and be used for a totally

280 views • 5 slides
Latest version of the slides can be obtained from

Latest version of the slides can be obtained from

Latest version of the slides can be obtained from http://www.cse.ohio-state.edu/~panda/it4i-ib-hse.pdf InfiniBand, Omni-Path, and High-speed Ethernet for Dummies Tutorial at IT4 Innovations 18 by Dhabaleswar K. (DK) Panda Hari Subramoni

1.66k views • 131 slides
Latest version of the slides can be obtained from

Latest version of the slides can be obtained from

Latest version of the slides can be obtained from http://www.cse.ohio-state.edu/~panda/it4-advanced.pdf InfiniBand, Omni-Path, and High-Speed Ethernet: Advanced Features, Challenges in Designing HEC Systems, and Usage A Tutorial at IT4

1.81k views • 157 slides
Copy of the slides as delivered by the facilitators of the 5 themes to the President in the report

Copy of the slides as delivered by the facilitators of the 5 themes to the President in the report

Copy of the slides as delivered by the facilitators of the 5 themes to the President in the report back session. 14 January 2020 Fumani Mthembi Founder &amp; Director | Pele Energy Group Energy Security Energy Security Top 3 Topics Eskom

765 views • 50 slides
SECTION 1: CODE REASONING + VERSION CONTROL CSE 331 Summer 2018 slides borrowed and adapted

SECTION 1: CODE REASONING + VERSION CONTROL CSE 331 Summer 2018 slides borrowed and adapted

SECTION 1: CODE REASONING + VERSION CONTROL CSE 331 Summer 2018 slides borrowed and adapted from Alex Mariakis and CSE 390a, CSE 331 lecture slides, and Justin Bare and Deric Pang Section 1 slides. OUTLINE Introductions Code

447 views • 41 slides
Fonctionnalits de la version 11 Nouveauts de la version 12 Version 11 and version 12 in a

Fonctionnalits de la version 11 Nouveauts de la version 12 Version 11 and version 12 in a

Fonctionnalits de la version 11 Nouveauts de la version 12 Version 11 and version 12 in a nutshell Fracture mechanics Non-linear constitutive laws Linear and non-linear dynamics Numerical methods Architecture, ergonomics, performances

407 views • 36 slides
Solution-Oriented Trancework Bill OHanlon BillOHanlon.com For a free copy of the slides,

Solution-Oriented Trancework Bill OHanlon BillOHanlon.com For a free copy of the slides,

Solution-Oriented Trancework Bill OHanlon BillOHanlon.com For a free copy of the slides, Click Free Stuff Then Click Slides 1 ERICKSONIAN VS. TRADITIONAL PERMISSIVE VS. AUTHORITARIAN 2 PERMISSIVE Could, might, can, okay to, may

1.04k views • 77 slides
/home/ytang/slides /home/ytang/exercise make your own copy!

/home/ytang/slides /home/ytang/exercise make your own copy!

/home/ytang/slides /home/ytang/exercise make your own copy! /home/ytang/solution http://docs.nvidia.com/cuda/index.html 2 a = b + c;

594 views • 31 slides
Positioning Tables NFM NH2 - AL Slides NE - AL Product catalog 2015 Latest version of the

Positioning Tables NFM NH2 - AL Slides NE - AL Product catalog 2015 Latest version of the

Positioning Tables NFM NH2 - AL Slides NE - AL Product catalog 2015 Latest version of the catalogs You can always find the latest version of our catalogs in the Download area of our website. Disclaimer This publication has been compiled

428 views • 15 slides
Positioning Tables NFM / NH2 - AL Slides NE - AL Product catalog 2019 Latest version of the

Positioning Tables NFM / NH2 - AL Slides NE - AL Product catalog 2019 Latest version of the

Positioning Tables NFM / NH2 - AL Slides NE - AL Product catalog 2019 Latest version of the catalogs You can always find the latest version of our catalogs in the Download area of our website. Disclaimer This publication has been compiled

404 views • 13 slides
Slides Dynamic and precise Product catalog 2017 Latest version of the catalogs You can always

Slides Dynamic and precise Product catalog 2017 Latest version of the catalogs You can always

Slides Dynamic and precise Product catalog 2017 Latest version of the catalogs You can always find the latest version of our catalogs in the Download area of our website. Disclaimer This publication has been compiled with great care and all

786 views • 39 slides
GO ! 100% RES Communities / Publishable slides / version: April 2013 100% RES COMMUNITIES A

GO ! 100% RES Communities / Publishable slides / version: April 2013 100% RES COMMUNITIES A

RURAL COMMUNITIES, GO ! 100% RES Communities / Publishable slides / version: April 2013 100% RES COMMUNITIES A political, strategical and systemic commitment for a local development through energy 100% RES Communities / Publishable slides /

326 views • 9 slides
An editable version of these slides is available on request by emailing curriculum@rcr.ac.uk 1

An editable version of these slides is available on request by emailing curriculum@rcr.ac.uk 1

An editable version of these slides is available on request by emailing curriculum@rcr.ac.uk 1 New curricula for IR and CR have been approved by the GMC Both documents can be viewed on the RCR website The GMC commended the work that

524 views • 34 slides
Highlights of the This copy is for archival purposes only. Please contact the publisher for the

Highlights of the This copy is for archival purposes only. Please contact the publisher for the

Highlights of the This copy is for archival purposes only. Please contact the publisher for the original version. Alberta Economy 2013 Alberta Enterprise and Advanced Education Table of Contents Economic Highlights Doing Business in

703 views • 33 slides

More recommend