thank you for being here and it's not gonna be dead thank you organizer is Tony's not gonna be one of those people piece next time don't just take another thing another thing mr. Chetan observant of well one off sir it's a white penis okay there's a lot of so cheating in facade if you start out you don't have to be white so he so together of two dead tops don't have half chap yet you say I don't have to wear pink one good you don't have to make so if you're a female don't don't tie team cheap ass too much just be yourself you could metal fit I don't even know school so the name of
tongue is art exhibition remove thread because I think I'm Ella cares about me of my name is nightie that's my to the hender I'm having a I'm less I'm a new and Xia I've been fearful wedding
I do static English so if I don't forget I don't remember something I'm just gonna say you know on our zoo so almost a good feeling that but I'm going to think I'm you gotta have a tattoo you don't need a TV for 200 sir epic good America might sign up my HTML for sense post before my dreams I love I didn't know about fhc - I was talking to George one day and he said tomorrow we're gonna be like Mary just fantastic stuff okay so that's what I did so why websites it getting a new job it meant that I'm gonna have time now more time to you some research in Japan it wasn't fun anymore so because now I'm
working for years of organization I get to get up get to receive those fantastic phones so they saying put that I was giving before now quickly received it be now um also the many politically for yesterday when I say that suppose I have my period for shot she find me this book I feel healthy so I knew I had some defensive line police also is a defend some hat so after watching this fall this is actually a talk that made it very easy for me to spiders skates it was cool I think so widely dead news huh maybe one of Shakespeare's names in the hopefully good house you guessed that it I'm reading expert at all so this is
Justice Party PT stuff so if you think if you have any comment or I guess if I'm you know just a few some parameter paper David Bianco is expecting a search on you only say that organizations normally for customers this you need to focus on this distant in policy to check yourself so if you focus so especially if you go up you make a check on life atever life ha so you make it hotter fun activity so we know most people detect on the lower levels - Vince is gonna be first mix this is specific cash for a farm just upload that so it can be checked it
and mostly you just focus on that but what do you wanna do with so come on in okay so we want to focus on those two at events so well not gonna take it to let's say who this to leave this happiness so now we were to check on cutting back and alttp stealth tactics technical you wanna say kokoomus this is how an attempt happens so what I need to learn a pattern so essentially detecting so now the more you go with this the more unique your that's a lot harder because now I tell them it needs to change the tools and changing the tools it's very hard they need to change their procedures which which is very hard for
not a good way to Malaysia she's Nicholson on the top on that top layer on top that was she says just like a situation did you wash area investigation or visitation you know when they try to figure out how they how they happen dissing this is why it is and I'm so obvious I watch it here of course this is microbeads obvious are so for me I said and it's solutions - in my chest so the idea there is that with this projects are you understand baby the idea is just to included defense just that's the easy way to put it and same lady says simulation should be dungeon and how that it's unlikely to
actually pose so when I really did a solution you ask yourself this question so you sit somewhere with your buddies those detainees are checked if the answer is yes okay cool that's simulate this if you can have each other so that if it out sighs no okay let's simulate that and see really we kind of because idea is just use of defense and also we have some components so we assume that we can be compromised no matter heart any carpet can be compromised pretty much is volleyball is not a technology simple is collective incident response so the idea is that it the idea is that instead of just waiting for my lats and stuff or for some whoops
you call me and say you have leaked HIV or something just go and see if you know you don't have an opportunity personal cell is dead I'll be hacked by this particular tip so you could kind of think about it I'll tell you say are we hacked by this person that you if the answer is yes or no you still good see you - poop - do you have evidence of how we had let me go ahead also he has been compromised we are doing that okay we might be component you know it is good let's go hunt hi there process of this thing I didn't come up with his name I just thought about it and googled it and so
this is the process are take or you take firstly one of choose a technique interested in once you tell you that you wanna check out the things if contrast when I see how you doing ladies you see you didn't attend too badly the simulation now you wanna see if you not being attack whatever I read there you're gonna measure how you doing over time authentic needs so did you go you take me down you wanna focus on you can basically check the internet if there's a fire fire I spotted not check in a while you listen a lot going on in the wall so you can kind of do research and then feed it up the technique you see
it's not about me same thing with classic perfect they are rather people first because you can go and take it just the common see what it means of
technique fall if you are Kenny I'm going to find a pattern eg you can see if you don't have a patina something about empowerment and 1000 in purple closely can check out the vendor secretary Burton see if softer you used it's not so much any security eg if he is doing take that technique we can pick an epic oops if you know we won't know about maybe cats so again check mimic its
or you can take pen testing reports
technique and idea CD to my top so my top the very cool organizations that he collected this framework business led to all on a techniques that that has been used and sort of collected them together for you just to go and pick a technique and of course the minute you know about this pretty cool we have techniques for Windows Mac and Linux so I think it's very true full stuff I'm Jack Jack is a Jake is a sort of a Sun hunting expect so basically he said he became develop detection for even half of what is in my top you'll be able to teach Eckart a set of heavy so they'll cool good idea media then scissor so we
honor if if something happens your see so come down to you hey that's did you eat this you get some effective - so you have to say yes but you have to prove that yes we'd be Hardy so you can clear technology you see something come to you and say okay then you take a technique our man is CDC then capture this this atactic so also can get technique from tools of is that so there guy forms back to us so they get in a talk yeah um and they show you how kids if he can didn't get he can get techniques for me to said it needs me me can't visit the example so it shows you how they've done
what he does in the KHL axis we can dump killing Charles I'm gonna plate that house in security support provider and it must be done move men to go into panic boxes then once you have those technique we can pick the one you want to focus on and use that for your simulation of who I want to see where they just pass the ticket to pass the hash so keep that one your simulation significantly check the stuff okay so the first phases that we identified a technique we wanna focus on so now you're gonna do defense laptops when I see how we're doing on the defensive so my to look heat okay look it much just
looking more yeah so essentially what I did the cheek so they show you will take in order to compromise your organization and which did with this there is a defender you only need to eat at once because an attempt to be such non those steps need to be to be a sexy success so you need to just have one of those steps then we can be able to stop so this is on your left will hear our tech tech chains service kill chain and what do you want to end up hitting is something like it so you're gonna have a tool or something to detect or deny or yourself you see the container tip so what are those
stages at one point once you have you want to detect something honestly so if you can have different people on staff one now even if you can detect at installation top you're good because we still just we should love to check it out son so you want to detect at one point in future cool so the phase two is done so we understand now kind of defensive so if we have a technique when I focus on so we've mapped it today today's have a Pucci and we know that we can detect someone said well it's thing with it but we have it to me we know how we do it let's see if we can
do nothing leave this to me so this is the process that you're gonna take hey yourself so basically assimilation as we know it's not a test it test like heck and go so why do you wanna you want to test your detection tools we have a deep you have a you have a technique and you know so you want simulate that your tools that we've done so you want to test the truth so one of the Americas I see if that is digital and how do you do that you wanna use maybe see a digital machine that's the same test machine I need to have power so you want to have the latest your security to lose more
than there so what I have this devastating machine so that again kinda became a little bit say that and the idea was that the tools that one opponent indicators of components because the ideas as we serve see machines about improving the defense you wanna connect person the kids are so that you can eventually later on so it here security software when you want to connect at events you want to connect your network motif it so when inducing an issue you have to does a network connection move it mops and when I did this which is what about like Firefox goes are unique enemy PMS visits most of tablet s used directly in ersity to explain data to use it as a toner you
keep them touch me good man chat though also on your host picks you are now you wanna take you wanna you wanna and most important thing 5 their plans on leaving sir if you do hunting so if you if you do feel at my table you wanna sub I believe so no money that's how you when I do for 5,000 people connect on this was to make legit to be educated so basically this is a test that you can done that me expect you to to my top flavor we talk a lot so we've made it very nice and clear so you can just copy any patience this testing test laptop then quick news was collected in dogs
and stuff the idea also you want to improve our details what I collect those is so cool now when I done with testing about our tools now when I test their processes so you want to test how your your defenders will response you to you are tip so you wanna send that fishing mail and see what how how your defenders guys with the activator when I see how they and he's following direct cause seizures if I did you mean that I things that I think what I do I do any gaps in the process that we take the idea also is improve their capsule to prove that processes a third procedure so here you just just just checking your
once you turn your attempt for a basically should add sodium
so this is an example of maybe linkage ataxia to change so this is the playbook got to follow teammate stuff so this is a phishing phishing attempt see where are basically so I'm gonna go through each Creek so the first step in what I did was take capital in so who is the first day so what do you have what so I said I said that's you and I defendants and you talk what do we have so no control of you have some kind of in control - you don't have a cool we accept that cinema is officially medicines received by the company SMTP server so what do we do about there what control can you put in this so you can
reject email subject lines and IP liquor some thirdly email goes to the companies in those go but we do about there you can flag bad humors to let the fish move to the end users mailbox what we do with that I occur whatever is probably a soft would take a lot of moving so you have put it there five user notifies that new demand in the mailbox the user opportunities for camellia above it we can one use us on the imaging efficient campaign so sir pizza in college steps you have you are you controlling it these are ticks on a leaky nemesis million doses in the world are not good users for meet up with the
DNS so there's a DNS involved what do we do with them Nicole yes DNS requests and it's kind of just taking that guinness name and just giving it a not happy I'm happy that doesn't put you outside whatever just his office so nothing was out of your organization so you can see simple stuff after you time you attend sit with depend on seppuku uses steps are to this is the contours that we seen are grateful now then
so nice well above hey I can help yes wrong good so once you've done that you said we fill the defender dies you wanna because you didn't want to be distinguish it if it's have for one thing come on up what to maternity check the stuff so you wanna update your software so your ideas FPS so maybe nobody you know so you will not be just up so that the next time she gets get detected if there was an issue with the process that was happening like where they they're reaching that didn't further the process what about the gap in the process anyone updated if there was no control at all for some for some reason now you have to
define the control you have to figure out how to me if they were left simple done if there was no ad when the box there that means well now you have to get and the issue will controls especially for big companies that most people just this guy's my god hovering say for such Eddie he felt she didn't the next night we should be level she'd be a sense of x2 so it should be something that became if you can collect some software so she didn't shouldn't be expensive encompass good now that you deployed your controls and you update your software securities oh yeah now we can be too cool but let's see if you really can't it so now you
want to validate whatever control is you just stated I'm gonna buy didn't you defense on top how many how many people can essentially para dangerous how many people in here knows that knows what what what is going on with Eddie is they be picking something hot how many people have essentially we're doing a soft wanna see if maybe words probably yeah so what am i doing this stuff don't want us Justin I'm gonna say hey I'm secure but you know so you when I did you respond hot and mostly when I take a strict and yeah and you shouldn't we don't need to get far with commands that normally a heckuva carcinoma a hedonist commands to get to get information from
your domain so you can just change its character it's a good team this basically does that will not near each other so if this do if you don't get if you don't if you don't attend to just laugh now when it lands there's something so so the not part of your simulation used to track your activity so we all know money management or whatever business of that she type stuff are just so you can change this circuit any spreadsheet basically you can onion African can have a to that a simulated one technique that you used technically used in depositor in use then you have their results like Inception do you detect the attack so you see no detection authorization cool
Peter buggy detector which is never one that POS prevented more than that you know did I just say so you wanna have this also you wanna you wanna you wanna see how to get looking yes when I see if they wear note so the web management at our tip so you wanna go and see exactly they're not supportive you have to be sending no dogs no no no no no don't do you wanna ain't neva so you wanna see if you need some time no no so basically once you have your blocks whatever step so cool so so we banded that destination face so we test that test at the technique that we talked about you have
dated my defense
and the good part is we Louis de Chasseur to use for hearts we know mister notes of our texture right which is going to be helpful when you do your hunt so now you wanna do your hunting so you've done your simulation you wanna you said poop we we tell you this we cannot detect it but now we updated our our software our security software so we pretty sure that the net attacks will Detailers but now when I see if we have not already hacked so we go hunting for us they sent it the first step will be to correctly or not if on your attack you had you sir HTTP HTTP a request going hot so you
want to take your poxy mugs so basically you wanna you want to map your I text so you can use your antivirus and up see some more nuts so when you do your simulation you're gonna party need to system or tools and when you do your networking simulation values or IDs not everything from your formative machine again any chains like dividends for stuff easily so now that you have your notes so they were techniques that used to process the preferred technique that we use mostly good searching because we know we've got your comity cuts for our simulation simulation you can search for a specific one of us so if you if there was a file called nav
nav data doc we can take the popular web set for that form but so that session that's easy way to do I can use the counting basically this is the console so you can you can search for spit specific user agent string and if you find the one with the least occurrence so basically the one that is what you need then you can focus on that one and see why is this again hope you can take groups of steps if I'm life and wonders so basically that's the deal
so yeah you said she might even learn it on the network page so you wanna side remember you wanna start an in-depth level stuff so living being sudden everyone in their transition stuff for example here telenovelas another user agent either so you want to follow that boy network then you'll find some host cities is basically act event then you find some post so when we find some species then you can go to those do specific post and
that's how I realized and so what's your time if you if you feel like there are some suspicious activity that item to the forensics guys something wrong here p7 and then you get it execute your incidences also we need we need to do taking apart you need to have the results in easy reach and get me hearty did you say at the pool I didn't find anything it's still good if you didn't find any you prove that there's probably nothing also you can have something malicious or something not mention somebody for me see I'm deleted so they who have found something that's not much education but if all right so now we confirm if you
under a table of using hunting so we basically have an idea how we go know me used this technique we know we can detect this technique we know that we are not an attic but active and if we're not able now we need to measure effectiveness so we won't know as I said of course it's or money just need me to measure measure to measure stuff so the guy committed what for better about he guess change energy and shows you how to email yourself atop okay changes on a quarterly basis and show you okay this is how we're doing with the hands-on stuff this is where we need to focus on so we can go there was a
very good top and a blog post about stuff yeah so please take aways here said I tell you get to paid parking defense which is cool get you find bad guys and pentesters on a network you get to doing stuff like get your light poles you get to do cool helps that actually makes it a blind an organization so get to see them at that measure stiffness you get to see that you actually help in your company to move instead of saying hey I had you this is this is this is nah you got to say they're cool look ahead and I made the company better good maybe getting that we can get upon us to and
you get to teach and then from the blue team to serve the idea is that you use a bartender as a red team I need to be able to to talk or to I told her what is talk so this is big last month they did and I thought the same conversation just updated from the same so we've been talking my rough stuff now people are essentially these people have these tools so you can use color theorem which is ejected by might are the same people who talked about later anyone there you really actually they released a tool yesterday but it hope would be this weekend so there's also dumpster fire for assimilations dev squad vm if you wanna
if you do thread haunt you do you have a video Medicare dunno what I guess you yeah they can motoring stuff just make things easier for you the cesium VM for incident yeah so this will do that post hunting stuff when I is this V able to connect that loss at effects which is so we talk about poor ideas if you want to do network monitoring this one for system itself hello is your free combination - lets see Spencer Barnes come on yeah so you're gonna use that and this poor son back to skate this case is oscillating what a simulation to see I'm key to develop thank you so these guys you probably want to avoid them if you
enough and some resources and training and also some training special thanks to these guys venom Smith is Marconi - I'm glad Kevin Kyne is happen my boss yeah and George mallet so these guys are for something so do the common thing they have with them is that they're very humble key um this is the code that alive I use it both offense defense do you whatever you want Costigan mainly fit is very limited knowledge this is festival as dusty he questions