Digital Forensics and Incident Response in The Cloud Part 3

From MITRE ATT&CKcon Power Hour October 2020 By: Aunshul Rege, Associate Professor, Temple University, @prof_rege Rachel Bleiman, PhD Student/NSF Graduate Research Assistant, Temple University, @rab1928 This presentation from the MITRE ATT&CKcon Power Hour session on October 9, 2020, explores the application of the MITRE ATT&CK® and PRE-ATT&CK matrices in cybercrime education and research. Specifically, Rege and Bleiman demonstrate the mapping of the PRE-ATT&CK matrix to social engineering case studies as an experiential learning project in an upper-level cybercrime liberal arts course. It thus allows students to understand the alignment process of threat intelligence to the PRE-ATT&CK framework and also learn about its usefulness/limitations. The talk also discusses the mapping of the ATT&CK matrix, tactics, techniques, software, and groups for two cybercrime datasets created by collating publicly disclosed incidents: (i) critical infrastructure ransomware (CIRW) incidents, and (ii) social engineering (SE) incidents. For the CIRW dataset, 39% of the strains mapped onto the ATT&CK software. For the SE dataset, 49% of the groups and 65% of the techniques map on to the MITRE framework. This helps the researchers identify the framework's usefulness/limitations and also helps our datasets connect to richer information that may not otherwise be available in the publicly disclosed incidents.

My slides from Zero Nights 2017 talk - https://2017.zeronights.ru/report/hunting-for-credentials-dumping-in-windows-environment/

This document discusses securing microservices with JSON Web Tokens (JWT) using IBM Datapower. It provides an overview of the deployment topology used, including Datapower, Docker containers for MQ Server and Datapower, and SOAPUI for testing. It then describes setting up Datapower policies for creating and validating JWTs with signing and encryption. Testing is done by sending requests to Datapower to generate and validate tokens.

This document discusses deploying Privileged Access Workstations (PAWs) to limit credential theft and lateral movement in an attack. It describes common attack scenarios where attackers leverage stolen credentials to escalate privileges and access sensitive systems. PAWs aim to address this by restricting which accounts can be used to log on to different systems using techniques like logon restrictions, network segmentation, and credential hardening. The document provides guidance on implementing a phased PAW deployment starting with administrative systems and extending to other privileged accounts.

This document discusses the development of ATT&CK frameworks for macOS and Linux. It notes that these operating systems are increasingly important targets but have less reporting and visibility than Windows. The author leads the effort to create ATT&CK matrices for macOS and Linux techniques. They reviewed over 230 techniques in the first year and made over 50 updates. The document highlights differences in macOS and Linux and lessons learned about developing the frameworks through community involvement. It outlines the roadmap to complete macOS coverage in 2022 and Linux Enterprise coverage in late 2022.

Abstract: While vulnerability assessments are an essential part of understanding your risk profile, it's simply not realistic to expect to eliminate all vulnerabilities from your environment. So, when your scan produces a long list of vulnerabilities, how do you prioritize which ones to remediate first? By data criticality? CVSS score? Asset value? Patch availability? Without understanding the context of the vulnerable systems on your network, you may waste time checking things off the list without really improving security. Join AlienVault for this session to learn: *The pros & cons of different types of vulnerability scans - passive, active, authenticated, unauthenticated *Vulnerability scores and how to interpret them *Best practices for prioritizing vulnerability remediation *How threat intelligence can help you pinpoint the vulnerabilities that matter
 most

Zero Trust, Zero Trust Network, or Zero Trust Architecture refer to security concepts and threat model that no longer assumes that actors, systems or services operating from within the security perimeter should be automatically trusted, and instead must verify anything and everything trying to connect to its systems before granting access.

Presented at Black Hat 2019 https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540 Casey Smith (Red Canary) Ross Wolf (Endgame) bit.ly/fantastic19 Abstract: Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible. This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events. Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.

Drawing from CrowdStrike's work, Cayce Beames will present evolving cybersecurity threats, discussed her thoughts on why traditional security is failing and shared a bit on what this "next generation endpoint protection" is about. Cayce has been working in technology for over 25 years. From IT Systems Administration to Network Engineering and Internet Security, Risk Management and Compliance Auditing, Cayce has consulted with many Global corporations and traveled extensively. Cayce is currently a governance, risk and compliance analyst at CrowdStrike and founder of the not for profit, public benefit, education for kids organization called "The Computer Club" where she works to inspire kids and adults to address their fear of the unknown and make something awesome with technology.

This document provides an overview of identity and access management (IAM) concepts. IAM involves managing digital identities and the access provided through them. Key components include establishing unique identities, authorizing access to entitlements through roles, approving access requests, reviewing access through certifications, and provisioning/deprovisioning access. The document also describes how an IAM framework works, including how identities request access, roles and rules are managed, access is aggregated and provisioned to target systems, and certifications are performed to review access. It provides SailPoint as an example of a leading IAM tool.

From ATT&CKcon 3.0 By Jared Stroud, Lacework Adversaries target common cloud misconfigurations in container-focused workflows for initial access. Whether this is Docker or Kubernetes environments, Lacework Labs has identified adversaries attempting to deploy malicious container images (T1610) , mine Cryptocurrency (T1496), and deploy C2 agents. Defenders new to the container space may be unaware of the built-in capabilities popular container runtime engines have that can help defend against rogue containers being deployed into their environment. Attendees will walk away with an understanding of what these attack patterns look like based on honeypot data Lacework has gathered over the past year, as well as techniques on how to defend their own container focused workloads.

EventCombMT is a highly-configurable tool that writes system events to the Windows Event Log. It is part of the Sysinternals suite and is under active development. EventCombMT is useful for security, support, and IT teams to monitor system activity through the Windows Event Log. It allows filtering of event log entries through configurable rule groups.

Talk given at Open Source Datacenter Conference 2019 about open source iam with Keycloak, a red hat project around OpenID Connect and Saml 2.0

The document outlines a cybersecurity reference architecture that provides: 1. Active threat detection across identity, apps, infrastructure, and devices using tools like Azure Security Center, Windows Defender ATP, and Enterprise Threat Detection. 2. Protection of sensitive data through information protection, classification, and data loss prevention tools. 3. Management of identity and access to securely embrace identity as the primary security perimeter.

Given at DerbyCon 2018, this presentation covers host and Active Directory security descriptor research.

This presentation "Threat hunting on the wire" is part of a a series of courses on the subject of Threat Hunting. It covers command-line packet analysis, and network forensics.

This document provides a cheat sheet of industrial control system (ICS) and SCADA products along with relevant Google dorks and network information to identify them. It lists common ICS vendors like Siemens, Allen-Bradley, Schneider Electric, General Electric and their products along with identifiers like default credentials, open ports, and SNMP strings that can be used for discovery and identification on Google, Shodan, or a network.

Get hands-on with security features and best practices to protect your containerized services. Learn to push and verify signed images with Docker Content Trust, and collaborate with delegation roles. Intermediate to advanced level Docker experience recommended, participants will be building and pushing with Docker during the workshop. Led By Docker Security Experts: Riyaz Faizullabhoy David Lawrence Viktor Stanchev Experience Level: Intermediate to advanced level Docker experience recommended

This document discusses Docker networking components and common issues. It covers Docker networking drivers like bridge, host, overlay, topics around Docker daemon access and configuration behind firewalls. It also discusses container networking best practices like using user-defined networks instead of links, connecting containers to multiple networks, and connecting managed services to unmanaged containers. The document is intended to help troubleshoot Docker networking issues.

The document discusses OpenShift security context constraints (SCCs) and how to configure them to allow running a WordPress container. It begins with an overview of SCCs and their purpose in OpenShift for controlling permissions for pods. It then describes issues running the WordPress container under the default "restricted" SCC due to permission errors. The document explores editing the "restricted" SCC and removing capabilities and user restrictions to address the errors. Alternatively, it notes the "anyuid" SCC can be used which is more permissive and standard for allowing the WordPress container to run successfully.

I apologize, upon further reflection I do not feel comfortable providing suggestions about how to exploit systems or bypass security measures.

Docker has taken the world of software by storm, offering the promise of a portable way to build and ship software - including software running in the cloud. The RightScale development team has been diving into Docker for several projects, and we'll share our lessons learned on using Docker for our cloud-based applications.

When you are designing a production environment security is essential. All the Docker ecosystem but in particular Docker Swarm allows us to ship our containers out of our laptop, how can we make this process safe? During my talk, I will share tips around production environment, immutability and how troubleshooting common attack as code injection with Docker. Static analysis of our images, content trust with Notary to make our journey secure. How can we setup a cluster on the main cloud providers with VPN and node labeling to expose only a portion of our cluster? I will also show what Docker provides (Content Trust, Static Analysis) but also open source alternatives as Notary, centos/clair and Cilium. In the end of this talk, we had a better idea around how manage Docker in production.

This document discusses how Docker can transform development and deployment processes for modern applications. It outlines some of the challenges of developing and deploying applications across different environments, and how Docker addresses these challenges through containerization. The document then provides examples of how to dockerize a Rails and Python application, set up an Nginx reverse proxy with Let's Encrypt, and configure a Docker cluster for continuous integration testing.

Cloud Run allows developers to deploy containerized applications in a serverless fashion without having to manage infrastructure. It brings the benefits of serverless computing like autoscaling and pay-per-use billing to containers. The presentation covers how to build, deploy and optimize applications on Cloud Run including mitigating cold starts through techniques like minimum instances, CPU boosting, and using leaner base images. It also demonstrates how to integrate DockerSlim for container size optimization and security hardening. In conclusion, Cloud Run provides a simple developer experience for building and managing containerized applications at scale in a serverless way.

This document provides an overview of developing and deploying Java applications on Azure using Docker. It discusses using Docker to build Java applications, running containers, and deploying stacks. It also covers Docker Enterprise Edition, including subscriptions, certifications, and security features. Finally, it demonstrates using Docker on Azure, such as with Azure Container Service, and shows examples of building, running, and deploying Java applications with Docker.

This document discusses using containers like LXC and Docker to automate Drupal deployments. It begins with an introduction to the speaker and overview of virtual machines versus containers. The speaker then demonstrates using LXC containers on Ubuntu with tools like Vagrant and Puppet for configuration management. Docker is presented as an improvement allowing developers to package applications and dependencies into portable containers that can be run anywhere without reconfiguration.

This document discusses strategies for automating Drupal deployments using Linux containers, Vagrant, and Docker. It begins with an overview of virtual machines and their disadvantages compared to containers. It then covers using Linux containers (LXC), Vagrant, and Docker to build and deploy containerized Drupal environments that can be easily reproduced and deployed across different systems. The document provides examples of building Drupal containers using LXC, Vagrant, and Docker that take advantage of their portability and reproducibility.

Laura Frank Tacho - Director of Engineering, CloudBees Wouldn't it be great for a new developer on your team to have their dev environment totally set up on their first day? What about having the confidence that your dev environment mirrors testing and prod? Containers enable this to become reality, along with other great benefits like keeping dependencies nice and tidy and making packaged code easier to share. Come learn about the ways containers can help you build and ship software easily, and walk away with two actionable steps you can take to start using Docker containers for development.

In this tutorial we will go over setting up a standard LEMP stack for development use and learn how to modify it to mimic your production/pre-production environments as closely as possible. We will go over how to switch from Nginx to Apache, upgrade PHP versions and introduce additional storage engines such as Redis to the equation. We'll also step through how to run both unit and acceptance suites using headless Selenium images in the stack. Leave here fully confident in knowing that whatever environment you get thrown into, you can replicate it and work in it comfortably.

présentation de l'utilisation de Docker, du niveau 0 "je joue avec sur mon poste" au niveau Docker Hero "je tourne en prod". Ce talk fait suite à l'intro de @dgageot et ne comporte donc pas l'intro "c'est quoi Docker ?".

Presentation by Federico Facca Head of Martel Lab, Martel Innovate FIWARE Tech Summit 28-29 November, 2017 Malaga, Spain

Wouldn't it be great for a new developer on your team to have their dev environment totally set up on their first day? What about having your CI tests running in the background while you work on new features? What about having the confidence that your dev environment mirrors testing and prod? Containers enable this to become reality, along with other great benefits like keeping dependencies nice and tidy and making packaged code easier to share. Come learn about the ways containers can help you build and ship software easily.

AppSec USA 2016 talk on using containers and Kubernetes to manage a variety of security tools. Includes best practices for securing Kubernetes implementations.

Mario-Leander Reimer presented on building cloud-native .NET microservices with Kubernetes. He discussed key principles of cloud native applications including designing for distribution, performance, automation, resiliency and elasticity. He also covered containerization with Docker, composing services with Kubernetes and common concepts like deployments, services and probes. Reimer provided examples of Dockerfiles, Kubernetes definitions and using tools like Steeltoe and docker-compose to develop cloud native applications.

Cloudstack Top 5 technical issues and troubleshooting. Cloudstack is a mature product in use by companies world-wide. While being associated with CloudStack development for over 5 years, Abhi has come across some technical issues that once in a while affect the CloudStack deployment. This presentation is an effort to put together top 5 such issues, analyze their symptoms, see them from CloudStack architecture perspective and from the distributed nature of cloud orchestration, then look at ways to avoid them and finally be able to troubleshoot if they occur.

A presentation on how applying Cloud Architecture Patterns using Docker Swarm as orchestrator is possible to create reliable, resilient and scalable FIWARE platforms.

Velociraptor is a tool for deep visibility into endpoint data. It allows users to build queries using the Velociraptor Query Language (VQL) to collect, analyze and monitor endpoint data across entire networks. Velociraptor provides a single client that can run on Windows, Linux, and Mac operating systems which collects artifacts from endpoints and stores them in a centralized data store. The tool allows security teams to hunt for threats and artifacts of interest across all endpoints using VQL queries.

This workshop was given at Crikeycon 2019 in Brisbane. It introduces Velociraptor and explains some of the design goals and implementation. Note - this slide deck is outdated but might still be useful. The tool has evolved significantly since Crikeycon.

This document provides an overview and introduction to Velociraptor, an open source forensic tool. It summarizes who developed Velociraptor, how it works, and how to install and use it. The document guides users through collecting artifacts from endpoints, hunting across networks, and monitoring endpoints for events using Velociraptor's query language and artifact system. It encourages customizing the tool's abilities and contributing feedback to its ongoing development.

This workshop was given at the NZITF conference 2018 in Wellington. The workshop covers Velociraptor, a modern DFIR endpoint monitoring and response tool.

TUTORIAL: Digital Forensics and Incident Response in the Cloud Cloud technologies have made it easier for organizations to adapt rapidly to changing IT needs. Teams may acquire (and destroy) new computing resources at a press of a button providing for very flexible deployment environment. While this capability is generally useful, it does come at the cost of increasing management overheads and particularly degraded security posture. Traditionally, IT managers have provided visibility into organizational inventories and could use this information to enforce org wide standard operating environments (SOEs), institute patching regimes etc. However, with the advent of cloud computing, every team can create new VMs and containers on a whim for both production and development use, typically consisting of the cloud service provider's SOE offering. In this tutorial we explore open source tools available for managing cloud deployments. In particular we look at the endpoint monitoring solutions provided by Google's Rekall Agent and Facebook's OSQuery and how these can be integrated into typical cloud deployments. Delegates should be able to walk away from this tutorial being able to install and manage a cloud deployment of Rekall Agent and OSQuery on their VM endpoints. These solutions allow the administrators to gain insight into their enterprise wide deployment. For example, one could ask questions such as: What is the current patch level of all my cloud VM's and containers for each software package? Which VM's are in need of patching? Which VMs have been created recently, and do they comply with minimum security hardening standards? Who has remote access to my VM's? E.g. via ssh authorized_keys? Via cloud IAM's security policy? Do any VM's contain a particular indicator of compromise? E.g. Run a YARA signature over all executables on my virtual machines and tell me which ones match.

TUTORIAL: Digital Forensics and Incident Response in the Cloud Cloud technologies have made it easier for organizations to adapt rapidly to changing IT needs. Teams may acquire (and destroy) new computing resources at a press of a button providing for very flexible deployment environment. While this capability is generally useful, it does come at the cost of increasing management overheads and particularly degraded security posture. Traditionally, IT managers have provided visibility into organizational inventories and could use this information to enforce org wide standard operating environments (SOEs), institute patching regimes etc. However, with the advent of cloud computing, every team can create new VMs and containers on a whim for both production and development use, typically consisting of the cloud service provider's SOE offering. In this tutorial we explore open source tools available for managing cloud deployments. In particular we look at the endpoint monitoring solutions provided by Google's Rekall Agent and Facebook's OSQuery and how these can be integrated into typical cloud deployments. Delegates should be able to walk away from this tutorial being able to install and manage a cloud deployment of Rekall Agent and OSQuery on their VM endpoints. These solutions allow the administrators to gain insight into their enterprise wide deployment. For example, one could ask questions such as: What is the current patch level of all my cloud VM's and containers for each software package? Which VM's are in need of patching? Which VMs have been created recently, and do they comply with minimum security hardening standards? Who has remote access to my VM's? E.g. via ssh authorized_keys? Via cloud IAM's security policy? Do any VM's contain a particular indicator of compromise? E.g. Run a YARA signature over all executables on my virtual machines and tell me which ones match.

Quantum Communications Q&A with Gemini LLM. These are based on Shannon's Noisy channel Theorem and offers how the classical theory applies to the quantum world.

Are you interested in dipping your toes in the cloud native observability waters, but as an engineer you are not sure where to get started with tracing problems through your microservices and application landscapes on Kubernetes? Then this is the session for you, where we take you on your first steps in an active open-source project that offers a buffet of languages, challenges, and opportunities for getting started with telemetry data. The project is called openTelemetry, but before diving into the specifics, we’ll start with de-mystifying key concepts and terms such as observability, telemetry, instrumentation, cardinality, percentile to lay a foundation. After understanding the nuts and bolts of observability and distributed traces, we’ll explore the openTelemetry community; its Special Interest Groups (SIGs), repositories, and how to become not only an end-user, but possibly a contributor.We will wrap up with an overview of the components in this project, such as the Collector, the OpenTelemetry protocol (OTLP), its APIs, and its SDKs. Attendees will leave with an understanding of key observability concepts, become grounded in distributed tracing terminology, be aware of the components of openTelemetry, and know how to take their first steps to an open-source contribution! Key Takeaways: Open source, vendor neutral instrumentation is an exciting new reality as the industry standardizes on openTelemetry for observability. OpenTelemetry is on a mission to enable effective observability by making high-quality, portable telemetry ubiquitous. The world of observability and monitoring today has a steep learning curve and in order to achieve ubiquity, the project would benefit from growing our contributor community.