Feed aggregator

Securmática 2018, OpenAI & Video games, #CONPilar with Hack&Beers and lots of CyberSecurity

Un informático en el lado del mal - Sun, 2018/04/22 - 18:25
Time to review the agenda we have for the coming week, so straight to business, because after doing a lot of things today my Sunday is running out. And the weather this morning was right for doing some sport, skating and going with my little savages to get the last three stickers of the collection we are putting together. Let's get to it.
Figure 1: Securmática 2018, OpenAI & Video games, #CONPilar with Hack&Beers and lots of CyberSecurity
On April 24 there is an event you must not miss: our colleague Enrique Blanco, from my Ideas Locas team, will present the work we have been doing with OpenAI to train an AI so that it learns to play Breakout. There is already plenty of work of this kind at other research centres, but we have been playing with a new approach using computer vision.
Figure 2: Train your OpenAI to play video games
On the LUCA blog he has explained how this work was done, and you can see an example of how it has learned in this video. In the latest videos, which you will be able to watch during the seminar, you'll see how well this baby already plays.

Figure 3: AI playing Breakout
If you like this topic, you can read all the articles we have published, which will help you prepare for a most productive session. They are all linked in the latest post: Deep Learning vs. Atari: Train your AI to play Breakout
Starting on April 24, and running for three days, is the Securmática fair, one of the key gatherings for the CISO/CSO community in this country. It is one of the few dates you cannot skip on the calendar if you hold such a position in your organization. I will not be attending this year on behalf of Telefónica and ElevenPaths, but our CEO Pedro Pablo Pérez will. That said, I will go to the event dinner, which is a classic one cannot miss.
Figure 4: Securmática 2018
On April 27 a new edition of the Online Ethical Hacking Course by our colleagues at The Security Sentinel begins. The training lasts 180 hours, and it includes the 0xWord books on Ethical Hacking and on Metasploit for pentesters. Without a doubt, a course to take if you want to get into this pentesting world professionally.
Figure 5: Online Ethical Hacking Course
And on April 27 and 28, in Zaragoza, CONPilar with a Hack&Beers, where our colleague Pablo González will be, and where there are also workshops, talks and events for the youngest members of the family. A good weekend in Aragón, without a doubt.

Figure 6: CONPilar with Hack&Beers in Zaragoza
And that's all for now; I hope you sign up for some of these activities and that we keep making the information security and hacking community grow everywhere.

Saludos Malignos!
Categories: Security Posts

Update: python-per-line.py Version 0.0.4

Didier Stevens - Sun, 2018/04/22 - 12:46
This new version brings new output features. For example, you can use the output option (-o) to output simultaneously to the console and a file:
Explanation:
  • -o result.txt will write the output to file result.txt, and nothing to the console
  • -o #c#result.txt will write the output to file result.txt and to the console
For all the details, consult the man page: python-per-line.py -m
python-per-line_V0_0_4.zip (https)
MD5: FE8E875E2A7B8CD89FCAAB3B5830206C
SHA256: 7A6DACBAFC13DDE164F2AAB49DA766613F23BE78FF9BCAF5392EEA01F71620D0

Things I Hearted this Week – the RSA 2018 Edition

AlienVault Blogs - Fri, 2018/04/20 - 15:00
It’s RSA week! A week where security professionals from far and wide travel to San Francisco to attend not only RSA conference, but the number of other events around it. Whatever the flavour, there’s usually something for everyone. I didn’t make the pilgrimage this year, opting for a low-key vacation with the family during the Easter break. So, this week, most of the updates are viewed through the lens of attending a conference remotely.

RSA
RSA is the melting pot for diverse groups to converge. It’s not just a security conference. It is an ecosystem that breeds many micro-conferences, each catering to specific audiences. While many observations can be made about the size of the vendor hall, it would be an over-simplification to say RSA is just a vendor-conference. There are investors looking to see where money should go, industry analysts get a good idea of which direction trends are heading, professionals share ideas and network, recruiters find out who is hiring, and who is looking. It’s also the time of year for which many vendors save their biggest announcements, be those new product lines, features, or mergers and acquisitions.
AlienVault announced its new free threat hunting service, OTX Endpoint Threat Hunter™. It’s a free threat-scanning service in Open Threat Exchange that allows you to detect malware and other threats on your critical endpoints using OTX threat intelligence. This means that you can now harness the world’s largest open threat intelligence community to assess your endpoints against real-world attacks on demand or as new attacks appear in the wild.

BSidesSF
Apparently BSides San Francisco was held in a movie theatre and the talks were given in front of an IMAX screen. All I’m saying is I hope that more conferences do that – the opportunities to take advantage of such a setup are amazing. A bit of trivia is that apparently IMAX is a Canadian invention.
New life goal: give a talk on an IMAX screen #BSidesSF (ps. did you know IMAX is a Canadian invention??) pic.twitter.com/pOb0T8tl46 — Leigh Honeywell (@hypatiadotca) April 15, 2018
It looked to be a good event, as is to be expected from an established BSides, with a number of talks getting some social media love. @KingmanInk is a fantastic illustrator, and was at hand to create posters of talks in real-time. The collection of all the posters can be found on this twitter thread.

OURSA
One of the new events this year at RSA was Our Security Advocates, OURSA. A single-track, one-day conference that focussed on diverse experts to present. Regardless of your views on diversity, there is no question that there were some stellar talks, and all are available to view on the live stream.

How to prepare for an infosec interview
Hopefully many people have made the most of their networking at RSA and lined up some interviews. Here’s a good post by Timothy De Block from a couple of weeks ago with tips on preparing for an infosec interview.

Netflix open sources Titus
Netflix has announced it is open-sourcing its container management platform Titus.
Over the last three years, Titus evolved initially from supporting batch use cases, to running services applications (both internal, and ultimately critical customer-facing). Through that evolution, container use at Netflix has grown from thousands of containers launched per week to as many as three million containers launched per week in April 2018. Titus hosts thousands of applications globally over seven regionally isolated stacks across tens of thousands of EC2 virtual machines. The open-sourcing of Titus shares the resulting technology assembled through three years of production learnings in container management and execution. Titus allows us to quickly and nimbly add features that are valuable as our needs evolve, and as we grow to support new use-cases. We always try to maintain a philosophy of “just enough” vs “just in case” with the goal of keeping things as simple and maintainable as possible.

How deep does the rabbit hole go?
A little-known data firm was able to build 48 million personal profiles, combining data from sites and social networks like Facebook, LinkedIn, Twitter, and Zillow, among others -- without the users' knowledge or consent. Localblox, a Bellevue, Wash.-based firm, says it "automatically crawls, discovers, extracts, indexes, maps and augments data in a variety of formats from the web and from exchange networks." Since its founding in 2010, the company has focused its collection on publicly accessible data sources, like social networks Facebook, Twitter, and LinkedIn, and real estate site Zillow to name a few, to produce profiles.

Something different
I’ll end with this article on why so many tech companies’ logos look the same. It’s a really interesting piece with some insights into what makes a tech brand.
THE LOGO ISN’T THE BRAND ANYMORE
“People at the head of these powerful digital brands, as any strong brand, know very well they are not defined by their logo anymore but by the product or service they provide. They are strong, thanks to what they allow you to do with them. Before, logo designers would look for a ‘concept’ when designing a logo. That is obviously not needed anymore: The brand is the concept. Their logos may look similar, but what they offer is totally different and effective, and that’s what finally counts for the consumer. They are 100% recognizable.”

Post-credit teaser
I know I said the previous article was the last one, but I have been reliably informed by my colleague and editor of our AlienVault blog, Kate Brew that I won the security bloggers award for the most entertaining blog. So far this tweet is the only evidence I’ve seen of it – so I’m honoured and grateful… unless this was a prank, in which case, well played.
At Security Bloggers Meetup @J4vv4D has won most entertaining Security blog! @alienvault watch out he’ll be demanding an increase :) #rsac — Kate Brew (@securitybrew) April 19, 2018

An Elaborate Hack Shows How Much Damage IoT Bugs Can Do

Wired: Security - Mon, 2018/04/16 - 19:00
Rube-Goldbergesque IoT hacks are surprisingly simple to pull off—and can do a ton of damage.

How Russian Facebook Ads Divided and Targeted US Voters Before the 2016 Election

Wired: Security - Mon, 2018/04/16 - 15:00
New research shows just how prevalent political advertising was from suspicious groups in 2016—including Russian trolls.

What do you wish osquery could do?

Welcome to the third post in our series about osquery. So far, we’ve described how five enterprise security teams use osquery and reviewed the issues they’ve encountered. For our third post, we focus on the future of osquery. We asked users, “What do you wish osquery could do?” The answers we received ranged from small requests to huge advancements that could disrupt the incident-response tool market. Let’s dive into those ‘super features’ first.

osquery super features
Some users’ suggestions could fundamentally expand osquery’s role from an incident detection tool, potentially allowing it to steal significant market share from commercial tools in doing prevention and response (we listed a few of these in our first blog post). This would be a big deal. A free and open source tool that gives security teams access to incident response abilities normally reserved for customers of expensive paid services would be a windfall for the community. It could democratize fleet security and enhance the entire community’s defence against attackers. Here are the features that could take osquery to the next level:

Writable access to endpoints
What it is: Currently, osquery is limited to read-only access on endpoints. Such access allows the program to detect and report changes in the operating systems it monitors. Write-access via an osquery extension would allow it to edit registries in the operating system and change the way endpoints perform. It could use this access to enforce security policies throughout the fleet.
Why it would be amazing: Write-access would elevate osquery from a detection tool to the domain of prevention. Rather than simply observing system issues with osquery, write-access would afford you the ability to harden the system right from the SQL interface. Application whitelisting and enforcement, managing licenses, partitioning firewall settings, and more could all be available.
How we could build it: If not built correctly, write-access in osquery could cause more harm than good. Write-access goes beyond the scope of osquery core. Some current users are only permitted to deploy osquery throughout their fleet because of its limited read-only permissions. Granting write-access through osquery core would bring heightened security risks as well as potential for system disruption. The right way to implement this would be to make it available to extensions that request the functionality during initialization and minimize the impact this feature has on the core.
IRL Proof: In fact, we have a pull request waiting on approval that would support write-access through extensions! The code enables write-permissions for extensions but also blocks write-permissions for tables built into core. We built this feature in support of a client who wanted to block malicious IP addresses, domains and ports for both preventative and reactive use-cases. Once this code is committed, our clients will be able to download our osquery firewall extension to use osquery to partition firewall settings throughout their fleets.

Event-triggered responses
What it is: If osquery reads a log entry that indicates an attack, it could automatically respond with an action such as quarantining the affected endpoint(s). This super feature would add automated prevention and incident response to osquery’s capabilities.
Why it would be amazing: This would elevate osquery’s capabilities to those of commercial vulnerability detection/response tools, but it would be transparent and customizable. Defense teams could evaluate, customize, and match osquery’s incident-response capabilities to their companies’ needs, as a stand-alone solution or as a complement to another more generic response suite.
How we could build it: Automated event response for osquery could be built flexibly to allow security teams to define their own indicators of incidents and their preferred reactions. Users could select from known updated databases: URL reputation via VirusTotal, file reputation via ReversingLabs, IP reputation of the remote addresses of active connections via OpenDNS, etc. The user could pick the type of matching criteria (e.g., exact, partial, particular patterns, etc.), and prescribe a response such as ramping up logging frequency, adding an associated malicious ID to a firewall block list, or calling an external program to take an action. As an additional option, event triggering that sends logs to an external analysis tool could provide more sophisticated response without damaging endpoint performance.
IRL Proof: Not only did multiple interviewees long for this feature; some teams have started to build rudimentary versions of it. As discussed in “How are teams currently using osquery?”, we spoke with one team who built incident alerting with osquery by piping log data into ElasticSearch and auto-generated Jira tickets through ElastAlert upon anomaly detection. This example doesn’t demonstrate full response capability, but it illustrates that useful just-in-time business-process reaction to incidents is possible with osquery. If osquery can monitor event-driven logs (FIM, process auditing, etc.), trigger an action based on detection of a certain pattern, and administer a protective response, it can provide an effective endpoint protection platform.

Technical debt overhaul
What it is: Many open source projects carry ‘technical debt.’ That is, some of the code engineering is built to be effective for short-term goals but isn’t suitable for long-term program architecture. A distributed developer community, each member enhancing the technology for slightly different requirements, exacerbates this problem. Solving this problem requires costly coordination and effort from multiple community members to rebuild and standardize the system.
Why it would be amazing: Decreasing osquery’s technical debt would upgrade the program to a standard that’s adoptable to a significantly wider range of security teams. Users in our osquery pain points research cited performance effects and reliability among organizational leadership’s top concerns for adopting osquery. Ultimately, the teams we interviewed won the argument, but there are likely many teams who didn’t get the green light on using osquery.
How we could build it: Tackling technical debt is hard enough within an organization. It’s liable to be even harder in a distributed community. Unless developers have a specific motivation for tackling very difficult high-value inefficiencies, the natural reward for closing an issue biases developers toward smaller efforts. To combat this, leaders in the community could dump and sort all technical debt issues along a matrix of value and time, leave all high-value/low-time issues for individual open source developers, and pool community resources to resolve harder problems as full-fledged development projects.
IRL Proof: We know that pooling community resources to tackle technical debt works. We’ve been doing it for over a year. Trail of Bits has been commissioned by multiple companies to build features and fixes too big for the open source community. We’ve leveraged this model to port osquery to Windows, enhance FIM and process auditing, and much more that we’re excited to share with the public over the coming months. Often, multiple clients are interested in building the same things. We’re able to pool resources to make the project less expensive for everyone involved while the entire community benefits.

Other features users want
osquery shows considerable potential to grow beyond endpoint monitoring. However, the enterprise security teams and developers whom we interviewed say that the open source tool has room for improvement. Here are some of the other requests we heard from users:
  • Guardrails & rules for queries: Right now, a malformed query or practice can hamper the user’s workflow. Interviewees wanted guidance on targeting the correct data, querying at correct intervals, gathering from recommended tables, and customized recommendations for different environments.
  • Enhance Deployment Options: Users sought better tools for deploying throughout fleets and keeping these implementations updated. Beyond recommended QueryPacks, administrators wanted to be able to define and select platform-specific configurations of osquery across multi-platform endpoints. Automatically detecting and deploying configurations for unique systems and software was another desired feature.
  • Integrated Testing, Debugging, and Diagnostics: In addition to the current debugging tools, users wanted more resources for testing and diagnosing issues. New tools should help improve reliability and predictability, avoid performance issues, and make osquery easier to use.
  • Enhanced Event-Driven Data Collection: osquery has support for event-based data collection through FIM, Process Auditing, and other tables. However, these data sources suffer from logging implementation issues and are not supported on all platforms. Better event-handling configurations, published best practices, and guardrails for gathering data would be a great help.
  • Enhanced Performance Features: Users want osquery to do more with fewer resources. This would either lead to overall performance enhancements, or allow osquery to operate on endpoints with low resource profiles or mission-critical performance requirements.
  • Better Configuration Management: Enhancements such as custom tables and osqueryd scheduled queries for differing endpoint environments would make osquery easier to deploy and maintain on a growing fleet.
  • Support for Offline Endpoint Logging: Users reported a desire for forensic data availability to support remote endpoints. This would require offline endpoints to store data locally, including storage of failed queries, and push to the server upon reconnection.
  • Support for Common Platforms: Facebook built osquery for its fleet of macOS- and Linux-based endpoints. PC sysadmins were out of luck until our Windows port last year. Support for other operating systems has been growing steadily thanks to the development community’s efforts. Nevertheless, there are still limitations. Think of this as one umbrella feature request: support for all features on all operating systems.
The list keeps growing
Unfortunately for current and prospective osquery users, Facebook can’t satisfy all of these requests. They’ve shared a tremendous gift by open sourcing osquery. Now it’s up to the community to move the platform forward. Good news: none of these feature requests are unfeasible. The custom engineering is just uneconomical for individual organizations to invest in. In the final post in this series, we’ll propose a strategy for osquery users to share the cost of development. Companies that would benefit could pool resources and collectively target specific features. This would accelerate the rate at which companies could deprecate other full-suite tools that are more expensive, less flexible and less transparent. If any of these items resonate with your team’s needs, or if you use osquery currently and have another request to add to the list, please let us know.
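One way the event-triggered responses described above could be assembled outside osquery core, as an added example that is neither osquery code nor the Trail of Bits extension: it reads the JSON result log osqueryd writes for scheduled queries, applies the exact, partial or regex matching the post suggests, and produces a response plan instead of acting on the endpoint. The pack names, indicator values, host names and log records are constructed for the demo.

```python
"""Event-triggered response over osquery result logs (added example, not osquery code)."""
import json
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed rules: scheduled query and column to inspect, matching criterion
# (exact, partial or regex) and response. Pack names, IP and pattern are placeholders.
RULES = [
    {"name": "known-bad-remote", "query": "pack_ir_open_sockets", "column": "remote_address",
     "match": "exact", "value": "203.0.113.45", "response": "firewall_block"},
    {"name": "binary-run-from-tmp", "query": "pack_ir_process_events", "column": "path",
     "match": "partial", "value": "/tmp/", "response": "raise_logging"},
    {"name": "netcat-launched", "query": "pack_ir_process_events", "column": "cmdline",
     "match": "regex", "value": r"(^|/)nc(\.openbsd|\.traditional)?\s", "response": "external"},
]

@dataclass(frozen=True)
class Hit:
    rule: str
    host: str
    query: str
    observed: str
    response: str

def matches(criterion: str, indicator: str, observed: str) -> bool:
    """Apply one of the three matching criteria the post mentions."""
    if criterion == "exact":
        return observed == indicator
    if criterion == "partial":
        return indicator in observed
    if criterion == "regex":
        return re.search(indicator, observed) is not None
    raise ValueError(f"unknown match criterion: {criterion}")

def added_rows(record: dict) -> Iterable[Dict[str, str]]:
    """Yield only rows that appeared: osquery also logs 'removed' rows (a closed socket,
    an exited process) and those must not trigger a response. Handles both the
    per-event layout (columns + action) and the batched layout (diffResults)."""
    if "columns" in record:
        if record.get("action") == "added":
            yield record["columns"]
    elif "diffResults" in record:
        yield from record["diffResults"].get("added", [])

def evaluate(lines: Iterable[str], rules=RULES) -> List[Hit]:
    """Match every added row of every result-log line against the rule set."""
    hits: List[Hit] = []
    for line in lines:
        if not line.strip():
            continue
        record = json.loads(line)
        for row in added_rows(record):
            for rule in rules:
                if rule["query"] != record["name"]:
                    continue
                observed = row.get(rule["column"])
                if observed is not None and matches(rule["match"], rule["value"], observed):
                    hits.append(Hit(rule["name"], record["hostIdentifier"],
                                    record["name"], observed, rule["response"]))
    return hits

def respond(hits: List[Hit]) -> dict:
    """Build the response plan the post describes: firewall block list, tighter logging
    interval per host, or an external program to call. Nothing is executed here."""
    plan = {"firewall_block": set(), "raise_logging": {}, "external": []}
    for hit in hits:
        if hit.response == "firewall_block":
            plan["firewall_block"].add(hit.observed)
        elif hit.response == "raise_logging":
            plan["raise_logging"][hit.host] = 60  # new query interval in seconds (assumed baseline 300)
        elif hit.response == "external":
            plan["external"].append(["/usr/local/bin/quarantine-host", hit.host])  # hypothetical tool
    return plan

# Constructed osqueryd result-log lines in both layouts; the second record is the
# 'removed' twin of the first and must produce no hit.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"name": "pack_ir_open_sockets", "hostIdentifier": "web-01", "unixTime": 1524398400, "action": "added",
     "columns": {"pid": "1234", "remote_address": "203.0.113.45", "remote_port": "443"}},
    {"name": "pack_ir_open_sockets", "hostIdentifier": "web-01", "unixTime": 1524398460, "action": "removed",
     "columns": {"pid": "1234", "remote_address": "203.0.113.45", "remote_port": "443"}},
    {"name": "pack_ir_process_events", "hostIdentifier": "db-02", "unixTime": 1524398500, "action": "added",
     "columns": {"pid": "4321", "path": "/tmp/.cache/run", "cmdline": "/tmp/.cache/run -d"}},
    {"name": "pack_ir_process_events", "hostIdentifier": "app-03", "unixTime": 1524398600,
     "diffResults": {"added": [{"pid": "777", "path": "/usr/bin/nc", "cmdline": "nc -l 4444"}], "removed": []}},
]]

if __name__ == "__main__":
    print(respond(evaluate(SAMPLE_LOG)))
```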

Infocon: green

SANS Internet Storm Center, InfoCON: green - Fri, 2018/04/06 - 17:46
ISC Stormcast For Friday, April 6th 2018 https://isc.sans.edu/podcastdetail.html?id=5943

ISC Stormcast For Friday, April 6th 2018 https://isc.sans.edu/podcastdetail.html?id=5943, (Fri, Apr 6th)

SANS Internet Storm Center, InfoCON: green - Fri, 2018/04/06 - 03:30
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Threat Hunting & Adversary Emulation: The HELK vs APTSimulator - Part 1, (Thu, Apr 5th)

SANS Internet Storm Center, InfoCON: green - Thu, 2018/04/05 - 19:26

Ladies and gentlemen, for our main attraction, I give you...The HELK vs APTSimulator, in a Death Battle! The late, great Randy "Macho Man" Savage said many things in his day, in his own special way, but "Expect the unexpected in the kingdom of madness!" could be our theme. I'm having a flashback to my college days, many moons ago. :-) The HELK just brought it on. Yes, I know, HELK is the Hunting ELK stack, got it, but it reminded me of the Hulk, and then, I thought of a Hulkamania showdown with APTSimulator, and Randy Savage's classic, raspy voice popped in my head with "Hulkamania is like a single grain of sand in the Sahara desert that is Macho Madness." And that, dear reader, is a glimpse into exactly three seconds or less in the mind of your scribe, a strange place to be certain. But alas, that's how we came up with this fabulous showcase.
In this corner, from Roberto Rodriguez, @Cyb3rWard0g, the specter in SpecterOps, it's...The...HELK! This, my friends, is worth every ounce of hype we can muster.
And in the other corner, from Florian Roth, @cyb3rops, the Fracas of Frankfurt, we have APTSimulator. All your worst adversary apparitions in one APT mic drop. This...is...Death Battle! Now with that out of our system, let's begin. There's a lot of goodness here, so I'm definitely going to do this in two parts so as not to undervalue these two offerings.
HELK is incredibly easy to install. It's also well documented, with lots of related reading material, so let me propose that you take the time to review it all. Pay particular attention to the wiki, gain comfort with the architecture, then review installation steps.
On an Ubuntu 16.04 LTS system I ran:
git clone https://github.com/Cyb3rWard0g/HELK.git
cd HELK/
sudo ./helk_install.sh 
Of the three installation options I was presented with, pulling the latest HELK Docker Image from cyb3rward0g dockerhub, building the HELK image from a local Dockerfile, or installing the HELK from a local bash script, I chose the first and went with the latest Docker image. The installation script does a fantastic job of fulfilling dependencies for you; if you haven't installed Docker, the HELK install script does it for you. You can observe the entire install process in Figure 1.
Figure 1: HELK Installation
You can immediately confirm your clean installation by navigating to your HELK KIBANA URL, in my case http://192.168.248.29.
For my test Windows system I created a Windows 7 x86 virtual machine with Virtualbox. The key to success here is ensuring that you install Winlogbeat on the Windows systems from which you'd like to ship logs to HELK. More important is ensuring that you run Winlogbeat with the right winlogbeat.yml file. You'll want to modify and copy this to your target systems. The critical modification is line 123, under Kafka output, where you need to add the IP address for your HELK server in three spots. My modification appeared as hosts: ["192.168.248.29:9092","192.168.248.29:9093","192.168.248.29:9094"]. As noted in the HELK architecture diagram, HELK consumes Winlogbeat event logs via Kafka.
On your Windows systems, with a properly modified winlogbeat.yml, you'll run:
./winlogbeat -c winlogbeat.yml -e
./winlogbeat setup -e
You'll definitely want to set up Sysmon on your target hosts as well. I prefer to do so with the @SwiftOnSecurity configuration file. If you're doing so with your initial setup, use sysmon.exe -accepteula -i sysmonconfig-export.xml. If you're modifying an existing configuration, use sysmon.exe -c sysmonconfig-export.xml. This will ensure rich data returns from Sysmon, when using adversary emulation services from APTSimulator, as we will, or experiencing the real deal.
With all set up and working you should see results in your Kibana dashboard as seen in Figure 2.
Figure 2: Initial HELK Kibana Sysmon dashboard.
Now for the showdown. :-) Florian's APTSimulator does some comprehensive emulation to make your systems appear compromised under the following scenarios:
  • POCs: Endpoint detection agents / compromise assessment tools
  • Test your security monitoring's detection capabilities
  • Test your SOCs response on a threat that isn't EICAR or a port scan
  • Prepare an environment for digital forensics classes 
This is a truly admirable effort, one I advocate for most heartily as a blue team leader. With particular attention to testing your security monitoring's detection capabilities, if you don't do so regularly and comprehensively, you are, quite simply, incomplete in your practice. If you haven't tested and validated, don't consider it detection, it's just a rule with a prayer. APTSimulator can be observed conducting the likes of:
  • Creating typical attacker working directory C:\TMP...
  • Activating guest user account
    • Adding the guest user to the local administrators group
  • Placing a svchost.exe (which is actually srvany.exe) into C:\Users\Public
  • Modifying the hosts file
    • Adding update.microsoft.com mapping to private IP address
  • Using curl to access well-known C2 addresses
    • C2: msupdater.com
  • Dropping a Powershell netcat alternative into the APT dir
  • Executes nbtscan on the local network
  • Dropping a modified PsExec into the APT dir
  • Registering mimikatz in At job
  • Registering a malicious RUN key
  • Registering mimikatz in scheduled task
  • Registering cmd.exe as debugger for sethc.exe
  • Dropping web shell in new WWW directory
A couple of notes here.
Download and install APTSimulator from the Releases section of its GitHub pages.
APTSimulator includes curl.exe, 7z.exe, and 7z.dll in its helpers directory. Be sure that you drop the correct version of 7-Zip for your system architecture. I'm assuming the default bits are 64-bit; I was testing on a 32-bit VM. Let's do a fast run-through with HELK's Kibana Discover option looking for the above-mentioned APTSimulator activities. Starting with a search for TMP in the sysmon-* index yields immediate results and strikes #1, 6, 7, and 8 from our APTSimulator list above; see for yourself in Figure 3.
Figure 3: TMP, PS nc, nbtscan, and PsExec in one shot
Created TMP, dropped a PowerShell netcat, nbtscanned the local network, and dropped a modified PsExec, check, check, check, and check.
How about enabling the guest user account and adding it to the local administrator's group? Figure 4 confirms.
Figure 4: Guest enabled and escalated
Strike #2 from the list. Something tells me we'll immediately find svchost.exe in C:\Users\Public. Aye, Figure 5 makes it so.
Figure 5: I've got your svchost right here
Knock #3 off the to-do, including the process.commandline, process.name, and file.creationtime references. Up next, the At job and scheduled task creation. Indeed, see Figure 6.
Figure 6: tasks OR schtasks
I think you get the point, there weren't any misses here. There are, of course, visualization options. Don't forget about Kibana's Timelion feature. Forensicators and incident responders live and die by timelines, use it to your advantage (Figure 7).
Figure 7: Timelion
Finally, under HELK's Kibana Visualize menu, you'll note 34 visualizations. By default, these are pretty basic, but you can quickly add value with sub-buckets. As an example, I selected the Sysmon_UserName visualization. Initially, it yielded a donut graph inclusive of malman (my pwned user), SYSTEM and LOCAL SERVICE. Not good enough to be particularly useful, so I added a sub-bucket to include process names associated with each user. The resulting graph is more detailed and tells us that of the 242 events in the last four hours associated with the malman user, 32 of those were specific to cmd.exe processes, or 18.6% (Figure 8).
Figure 8: Powerful visualization capabilities
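The Kibana checks above confirm each APTSimulator activity by hand. The script below, an added example that is not part of this diary, HELK or APTSimulator, automates that scorecard over Sysmon events: each behaviour from the list above gets a predicate, and anything never observed is reported as unvalidated. The Winlogbeat 6.x field layout (top-level event_id and an event_data map) is assumed, and all events are constructed.

```python
"""Detection-coverage scorecard for an APTSimulator run, as seen through Sysmon.

Added example, not part of the diary, HELK or APTSimulator. Events follow the
Winlogbeat 6.x layout (top-level event_id, event_data map), which is assumed;
all events below are constructed."""
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]


def field(ev: Event, key: str) -> str:
    """Case-folded event_data value: Windows paths and registry keys are case-insensitive."""
    return str(ev["event_data"].get(key, "")).lower()


# One predicate per emulated behaviour from the list above. Sysmon event IDs used:
# 3 network connect, 11 file create (fires on create or overwrite, not on an in-place
# append, so an edited hosts file may need another data source), 13 registry value set.
EXPECTED: Dict[str, Callable[[Event], bool]] = {
    "working directory C:\\TMP": lambda ev: (
        ev["event_id"] == 11 and field(ev, "TargetFilename").startswith("c:\\tmp\\")),
    "svchost.exe dropped in C:\\Users\\Public": lambda ev: (
        ev["event_id"] == 11 and field(ev, "TargetFilename") == "c:\\users\\public\\svchost.exe"),
    "hosts file written": lambda ev: (
        ev["event_id"] == 11 and field(ev, "TargetFilename").endswith("\\drivers\\etc\\hosts")),
    "curl to msupdater.com": lambda ev: (
        ev["event_id"] == 3 and field(ev, "Image").endswith("\\curl.exe")
        and field(ev, "DestinationHostname").endswith("msupdater.com")),
    "RUN key registered": lambda ev: (
        ev["event_id"] == 13 and "\\currentversion\\run\\" in field(ev, "TargetObject")),
    "cmd.exe as debugger for sethc.exe": lambda ev: (
        ev["event_id"] == 13
        and "image file execution options\\sethc.exe\\debugger" in field(ev, "TargetObject")
        and "cmd.exe" in field(ev, "Details")),
}


def coverage(events: List[Event]) -> Dict[str, int]:
    """Count the events supporting each expected behaviour."""
    counts = {name: 0 for name in EXPECTED}
    for ev in events:
        for name, predicate in EXPECTED.items():
            if predicate(ev):
                counts[name] += 1
    return counts


def report(events: List[Event]) -> Tuple[List[str], List[str]]:
    """Split expected behaviours into validated (seen at least once) and missing."""
    counts = coverage(events)
    validated = [name for name, c in counts.items() if c > 0]
    missing = [name for name, c in counts.items() if c == 0]
    return validated, missing


def _ev(event_id: int, **data: str) -> Event:
    return {"event_id": event_id, "event_data": data}


# Constructed events: five emulated behaviours plus two benign look-alikes that must
# not count. The sethc.exe debugger behaviour is deliberately absent.
SAMPLE_EVENTS: List[Event] = [
    _ev(11, Image="C:\\Windows\\System32\\cmd.exe", TargetFilename="C:\\TMP\\readme.txt"),
    _ev(11, Image="C:\\Windows\\System32\\cmd.exe", TargetFilename="C:\\Users\\Public\\svchost.exe"),
    _ev(11, Image="C:\\Windows\\System32\\cmd.exe",
        TargetFilename="C:\\Windows\\System32\\drivers\\etc\\hosts"),
    _ev(3, Image="C:\\TMP\\helpers\\curl.exe", DestinationHostname="msupdater.com", DestinationPort="80"),
    _ev(13, Image="C:\\Windows\\regedit.exe", EventType="SetValue", Details="C:\\TMP\\update.bat",
        TargetObject="HKU\\S-1-5-21-111-222-333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    _ev(11, Image="C:\\Windows\\System32\\svchost.exe", TargetFilename="C:\\Windows\\Temp\\tmp01.tmp"),
    _ev(11, Image="C:\\Windows\\System32\\TiWorker.exe", TargetFilename="C:\\Windows\\System32\\svchost.exe"),
]

if __name__ == "__main__":
    validated, missing = report(SAMPLE_EVENTS)
    for name in validated:
        print(f"validated: {name}")
    for name in missing:
        print(f"MISSING  : {name} (no evidence yet: a rule with a prayer)")
```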
I am thrilled with both HELK and APTSimulator. The true principles of blue team and detection quality are innate in these projects. The fact that Roberto considers HELK still in alpha state leads me to believe there is so much more to come. Be sure to dig deeply into APTSimulator's Advanced Solutions as well, there's more than one way to emulate an adversary.
Part 2 will explore HELK integration with Spark, Graphframes & Jupyter notebooks.
Russ McRee | @holisticinfosec (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Support my videos on Patreon!

Niels Provos - Sun, 2017/05/28 - 01:18

Add your support on Patreon to help me create more videos. Your support will help with materials, rent as well as other equipment, e.g. cameras, lights, software, etc. It is not required but appreciated. Due to time constraints I can make no promises on how often I will be able to publish new videos but my plan is to continue producing videos as long as people find them interesting.