
BSidesATL 2020 - Detect: Connecting the Dots, Detecting Threats, & Protecting the Enterprise

BSides Atlanta | 51:31 | 31 views | Published 2020-04 | Watch on YouTube ↗
About this talk
Have you ever wanted to know how to use blinky light boxes to hacker-proof your enterprise computer network? Throughout this presentation, we'll cover topics like cyber-impenetrability, foolproof attribution, and how to keep attackers from ever coming close to your crown jewels. Our discussion will even include plans for building and configuring a next-generation firewall capable of not only stopping attackers in their tracks, but making them shake in their cyber boots and work for you! If this all sounds too good to be true (or like a very bad vendor sales pitch), that's because it is! We absolutely WILL NOT discuss these items, but something much more valuable: context. While there's no silver-bullet approach to keeping bad guys at bay, with the proper tools and training we can use contextual information from our network traffic and host-based telemetry to connect the dots and build otherwise unrealized relationships amongst our data. This allows us to paint a better picture of our adversaries and their actions (or Joe in Accounting and his unsavory habits), assisting us in the detection of threats and allowing us to better protect our network. While there are many excellent free and open source pieces of software to help us gather contextual data, we will discuss the tools and data provided by Security Onion, a platform for enterprise-scale security monitoring, intrusion detection, threat hunting, and log management. Aside from just tools and data, we will also cover an introduction to the architecture and use cases for Security Onion. Finally, we'll finish with an overview of additional opportunities for detection development and integration with other popular open source tools, and provide additional insight into the future of Security Onion development. Overall, attendees should walk away with a better understanding of how they can peel back the layers of their enterprise and make their adversaries cry.
Wes Lambert is a Senior Engineer at Security Onion Solutions, where he helps companies implement enterprise security monitoring solutions and better understand their computer networks. Wes is a huge fan of open source software projects, and loves to solve problems and enhance organizational security using completely free and easily deployable tools.
Transcript [en]

I've said it before and you're gonna hear me say it every time that we're in the nest track: we could not have done what we're doing today without the incredible support of our sponsors, and so I want to walk through them yet again. At the diamond level, Warner Media. At the gold level, Kennesaw State University Coles College of Business, my home college where I do my day job; the KSU Department of Information Systems, my home department where allegedly I do some teaching every once in a while; Bishop Fox; Coalfire; Genuine Parts Company; and NCR. At the crystal level, Synopsys, and After Kelly, and Critical Path, whose video you just saw. At the silver level, Aaron's, Binary Defense,

Black Hills Information Security, Corelight and Guidepost Security. Additionally, at the bronze level, the NCC Group. I want to also thank some in-kind sponsors: EC-Council came through yesterday with some online paid training for some of you, which I think some might have taken advantage of, and also Secure Code Warrior today for setting up and staging the CTF that is actually happening right now in another channel. We would also like to thank the following individuals and organizations for contributing to our raffle prize effort: Mike Kosta and Crosshair Information Technology, Joe Gray Information Security and Pentester Lab. And so now I'm going to reach over here and grab my piece of paper, and so that brings us to our next speaker today. The

next talk for the next 55 minutes is Wes Lambert, and Wes's talk is entitled Connecting the Dots, Detecting Threats and Protecting the Enterprise with Security Onion. So I'm gonna stop sharing my screen here. Okay, Wes, are you ready to go? Yeah, yeah, in just a second here. All right, so welcome to Connecting the Dots, Detecting Threats and Protecting the Enterprise with Security Onion. I'm Wes Lambert, here to talk to you today about really how organizations can leverage Security Onion when facing some of the common problems that they see in their environments. To give you a brief overview about myself, I am a senior engineer at Security Onion Solutions, where we develop and maintain Security Onion. I'm also a husband and

father of four awesome kids, and my wife and I also enjoy long walks on the keyboard, breakfast tacos, and of course Ed Bassmaster. I mean, who wouldn't, right? I mean, look at this. So really, what are some common challenges that organizations are facing today with regard to security and monitoring in their environments? I'm going to talk about a couple of these, and not really dive a whole lot into every single one, but just give an overview of each one and how we might be able to address that with Security Onion. So one of the main things is limited visibility. A lot of organizations maybe don't have the budget, or just don't have the

expertise, or for whatever reason don't have great visibility into either their endpoints or their network traffic. They might run stuff like Microsoft Defender, right, and get those alerts as AV alerts, but a lot of times whenever we get these alerts and it says something bad is happening on our workstation, how do we confirm that it's really bad, right? Or if it is bad, is it really the only bad thing on the workstation? Has that workstation that is potentially infected communicated with other workstations or other servers? Could that bad thing have moved from one place to another? And this really becomes a bad situation overall for analysts, right, security analysts or IT administrators,

when they're not sure what is really going on in their networks, when they don't have a clear picture, when the lights are off and they can't see a thing. It's really difficult to make these decisions in a timely manner. Again, I mentioned the budget, and this isn't a dig on commercial tools at all. There are some great commercial tools, right? Like, of course, Splunk is free to a certain degree, and it's very capable at the enterprise level, but unfortunately a lot of infosec departments or smaller companies, with maybe one-man shops or a couple-man shops, or even with larger teams, just simply can't afford these tools, right? Organizations are forced to pick

and choose between which capabilities they want to implement in their environment, and it can still lead to gaps in visibility, and where we're able to address that as much as we can with open source tools, we'll try to do that. Another thing that we run into and that we commonly see is the fact that companies have these disparate data sets. They have all these systems that are their own system of record for this thing, and you have to jump from this system to this system to see a particular bit of data when you're investigating. It's very disjointed, it's really easy to miss critical data, and it's not really easy to connect the dots between what's going on, right?

You have all these disparate systems, and another thing is if they're in a separate time zone, right, or if you're not using UTC, it makes it even worse. And even further, a lot of the setup for these various tools, whenever you have these disparate data sets, you have to have that specialized expertise, right? It can be time-consuming, and it just doesn't fit well into the overall scheme and integration organizationally for that security monitoring. So what would an ideal scenario be, right? We think about the things that we'd really like to have, and maybe we can make this available. So one of the things might be network traffic, right: collect all the

network traffic as it occurs on the wire so we get that full conversation. Another thing, network metadata, right, the metadata about the traffic, like bytes, file sizes, or summary data, like how many times does this host connect to this host, and just lots of other stuff. And then also host-based telemetry adds to that, right, from Linux, Mac and Windows endpoints, and really being able to correlate that between all this traffic would be awesome. Going further, being able to perform analysis on files extracted from network streams, that would be pretty cool, right? If we can enrich data as we feed it into a log management pipeline, helping us

further enrich that and provide that context, giving us a better overall perception of our network, that would be great. Or what if we generated alerts? We want to generate alerts for noteworthy events; we want to develop custom policies and detection rules that go further beyond maybe static NIDS rules or similar things. And what if we want to be able to perform the triage of those alerts, right, have all that context right there, tied together, and perform that threat hunting when we go in and look for anomalies? And what if we want to be extensible and be able to integrate with different commercial and open source tools? What if we want to be able to do that

easily, right, without proprietary intermediaries? Well, the truth is, pretty close to ideal is real, and the way that happens is with Security Onion. So with Security Onion we can take this ideal scenario and for the most part we can put it into play for free, right? We can peel back the layers of our network. Security Onion itself was founded in 2008 by Doug Burks. Again, it's completely free and open source. We use it for enterprise security monitoring, intrusion detection, log management, threat hunting, lots of different stuff, and it's super easy to set up. If you're doing it in your home lab or in your enterprise network, you simply install the Security Onion ISO. We also have a PPA, so

you can install the packages on your flavor of Ubuntu. And we take that data from the network, from a network tap or SPAN port, and we feed it into Security Onion, and then we run through that setup, and you're monitoring in minutes, just peeling back, turning the lights on, data from your network. But really, what are the tools and data behind Security Onion that allow us to be able to do that? One of them is going to be Zeek, also known as Bro; they recently changed their name. And Zeek is a policy-neutral network-based intrusion detection system, or NIDS, and some of the data it can provide is that extracted content, when we're talking

about files, images or media extracted from network streams; session data, those high-level communication details we were talking about before, getting an idea of the types of traffic going on in our network at a high level; and also, a little deeper, the transaction data, so for example HTTP traffic, FTP traffic, we can drill into the details of those rather than just the summary details. Additionally, the asset data provided by Zeek can be very helpful, so we can grab things like device software versions, right? If somebody's got some particular version of Adobe or Java installed we can see that, like ColdFusion, if they're devs running development servers in their

environment where you don't want them to, right, lots of different things that we can see there. Then we pair that with another network-based intrusion detection system, your choice of either Snort or Suricata, and these tools provide that alert data that we talked about, where we're generating IDS alerts. It's going to alert you when a predefined rule, or set of conditions, has been matched, again in this network traffic; that's going to alert us to that. We also include Wazuh. So Wazuh is a fork of OSSEC, if anybody's used OSSEC before. It's a host-based intrusion detection system, and we get a lot of great host telemetry data, or can get that, with

Wazuh. So we can ship Windows logs, right, with Sysmon; we can do that using Wazuh, and we can also have Wazuh analyze those logs and generate alerts based on that data. Aside from that, there's some great plugins or capabilities with OpenSCAP and also active response, and we can also do file integrity monitoring on the systems that the Wazuh agent is installed on. And each Security Onion node itself already runs Wazuh, so it already performs the active response if you've got people trying to hit your box that aren't supposed to be, right, or it's already performing that file integrity monitoring to alert you if anything strange is going on in the box. That's

another great feature. And then netsniff-ng, again, we talked about that full packet capture, or capturing all that traffic off the wire; we get that full content data and we can see the entire conversation. And then when we're ready, when we're looking through logs in Kibana, or going through Squert or Sguil, we can view that transcript via CapMe, and it's really helpful to be able to view that conversation right there as you're investigating logs and not having to go to a separate system. And then also with the pcap we can export to various tools or perform further analysis with other tools that either we provide or that you may have

yourself in your environment. Also the Elastic Stack: we run Elasticsearch, Logstash and Kibana to perform the data enrichment, the indexing and the visualization for all the data that Security Onion throws into the pipeline. So we're able to take that metadata aside from the raw data on the network sensors themselves, and that way you still retain that raw data on the sensors, right, if you want to go back and perform retrospective analysis, and then you've got that metadata that's enriched, right, you've got other stuff that you can go do with either Logstash or Elasticsearch to make that data speak to you more or provide more context. So we have a lot of flexibility there.

Also, using ElastAlert we can query Elasticsearch if we want to send alerts to an email, Slack, or TheHive. Maybe I'm sure a lot of you folks have either heard of TheHive or use TheHive, very cool tool. We can query on Windows, on NIDS, pretty much anything you can query on in Kibana itself, and you can alert on a certain frequency of events, whitelist, blacklist events; there are lots of different rule types for you to be able to utilize, and it's all in YAML syntax, so if you're familiar with YAML then it should be very familiar to you. And then aside from those tools and that data that

Security Onion provides, there are several different use cases where we can use Security Onion to help us either investigate something or protect our environment. One example would be an evaluation mode. We provide an evaluation mode for maybe businesses who want to set up a POC to prove intent, or to prove that they can go forward with the project; maybe for academic instruction. We have a lot of universities that have cyber ranges, and a lot of them love to use Security Onion for that academic instruction because it's very easy to set up and it's very easy to walk through an attacker scenario. Additionally, home lab testing: a lot of folks like myself have their own home lab.

It's very useful, you know, even aside from really the lab perspective, to monitor your own home network and be able to see the traffic, and you'd be very, very interested in some of the traffic that comes from those IoT devices and how crazy some of it looks, I'm sure. And then, as part of that evaluation mode, or that kind of line of thinking, we also have a sosetup-minimal script that runs, and it's a modified version of the native setup script, and allows you to run Security Onion with only two cores and four gigs of RAM. So if you have students, or yourself, who have limited resources, it really helps to allow you

to set it up quickly and start experimenting and start getting the data, and really losing yourself in all the cool stuff.

Additionally, other use cases might include a production deployment. There are a couple of different models that we utilize with Security Onion. One of them, and really the most popular and recommended model, would be that of a distributed model, where you have a master server which really acts as the master of, or, I'm sorry, the manager of the grid, right? You perform that grid management: you can distribute rules, you can push files, orchestrate actions, and then it's also a relay for the data that comes through from the forward nodes. So those forward nodes are gonna be picking up that network data; they're gonna be performing those sensor processes, that sniffing, that collection, and then

that's gonna be sent off to that master server, and then each storage node is going to pick out of the queue on the master server. And then you can snap in as many storage nodes as you want as your business grows. It allows you to scale very well and to be able to store data for longer and perform searches more quickly, and that kind of thing. Additionally, the standalone is the all-in-one. We don't necessarily recommend using a standalone unless you're doing it for testing, or unless you have a very low-throughput environment, but that's another option, as well as the heavy node, which is just a forward node and a storage node, so that you can

kind of take one box out of the equation; you just have that master and heavy node communicating. Again, we don't necessarily recommend it, just because we'd like to separate the sniffing processes from the indexing processes, just from the I/O and resource perspective, but that is another option. And yet another one, an analyst VM: say you want to install the Security Onion ISO, you can install that in a VM and you can have your own self-contained analysis platform. This way, whenever you're going and looking in Kibana and you're pulling down pcaps, and you're looking in NetworkMiner and you're looking in Wireshark, you can carve out files without risk of accidentally running those files, or having AV pick

up those files and do something with those files, and it contains the necessary tools for us to be able to still, in an enterprise, triage those alerts, right, with either Sguil, Squert or Kibana, dissect the packets, and whatever you need to do as an analyst. And this is what we typically recommend for those, whenever they can, to use an analyst VM to access their core infrastructure. And then another use case would be that of the event conduit. So with Security Onion, and really the Elastic Stack helps us to leverage this a lot, is the ability to send logs to Splunk; we can send logs to another Elastic Stack or SIEM, S3, anything with an HTTP

endpoint, HTTP endpoint, really it's kind of up to your imagination. There's just a lot of ways that we can still collect that data, and if you have another SIEM or data lake that you want to throw that into, we can help with that as well. And then I mentioned the analyst VM; that kind of ties in with forensics. If you want to analyze a specific pcap or multiple pcaps, we can use the so-import-pcap command, and what that's going to do is allow us to take that pcap and read it in with the native timestamp, as opposed to tcpreplay; if you were to replay the packet, it would not preserve the original

timestamps. So if we had a pcap that somebody wanted us to look at, we can go back and retroactively import that, and we can do that from the correct timestamps and whatnot. So I know that's a whole lot about what Security Onion can do, right, and how we can leverage that in the different use cases, and the tools and data, but really I think the value comes whenever you're able to see the components work together, have that context, and be able to have that visibility into your environment. And so with that I'd like to start off with a little bit of investigation. I am going

to disconnect this particular screen real quick and pull something up, unless I can pull that over. Let me see, mm-hmm, see, isn't it, all right, give me just a second here. Okay, so this right here, what I'm showing on the screen, is after running so-import-pcap, and what we have right here is a Security Onion analyst VM, or just a dedicated VM for analysis, that I stood up with the Security Onion ISO, and once I've stood that up I ran so-import-pcap to prepare the box, so that I can then import whatever pcaps that I want to look through. And after that I've really only imported one pcap, because the situation here in the

story was this: my boss gave me this pcap and just wanted me to look at this, because he had some folks that weren't really sure about the situation, and really just wanted to get my thoughts on it without really putting too much into perspective for me. So what I've got right here, after running so-import-pcap, is Kibana, the overview dashboard in Security Onion. You'll notice it's not super populated right now; that's because I've only imported that one pcap and it only happened at one point in time, so we'll only see those logs relevant to this. But if you were monitoring your network, of course you would see that steady flow

of data and you'd see a lot more mixed in here. So this is more of an academic use case but should still be applicable to give you an idea of how it performs, right? So we've got this overview dashboard and we've got these different log types here; we'll break these out. You can see different Zeek types; we still name them with a bro extension on the backend, so you'll still see that, but we can see that we've got some files logs, some connection logs, some HTTP records and some DNS records. And we can also see on the left-hand side that we've got a lot of links that we can click here, and these are really example

dashboards. We encourage a lot of folks, whenever they use Security Onion and set it up in their enterprise, to experiment with these dashboards, because they aren't necessarily one-size-fits-all, right? They do have some useful visualizations on each dashboard, but really we want folks to get accustomed to building their own dashboards and really doing what works for them. But as you can see, we've got different details in these files, and then on these HTTP records in here, let's take just a second here, this VM, it's not the quickest, right, and so we can see some different details: source IP address, destination IP address, all in these different dashboards. But really, right now I just want to take it back

over to that overview dashboard real quick and zoom in on something that I noticed right off the bat. So let's click home real quick, take just a second here. All right, so you can see that we have some 'snort' here, and really this is just an identifier for Snort or Suricata NIDS alerts. So we see that we have a few of those there, and just because it's kind of easy pickings I'm gonna take a look at those first real quick and see what's up with those. And we present those actually down here in addition to some of the other summary data, and I can see right here that that source IP, again, it's the same;

that's really the only source IP, for the most part, that I see in all of this communication that we were looking at. So with this right here, this source IP address, it's hyperlinked, so we can send that to the indicator dashboard, right? By default that indicator dashboard is going to show the last 24 hours, but we can quickly and easily change that, and it's gonna take just a second here. Just in case that takes a second, because again this VM is slow, I'm gonna go over here. So this is where I've pivoted before over to this indicator dashboard, right, and we can see again some different details, some more summary data, we can see some different types of services, we

can see again the alerts, but what I'm interested in here, and this is again showing the source IP, really just this host that we're interested in, it's kind of building a timeline, right, a timeline of activity. And to do that I really like to scroll down and, really, in Discover as well you can do this, but I like to toggle some specific fields that I want to look for in this traffic so I can get a better idea, and as this is incrementing the timestamp I can see kind of what happened at what time and correlate that with the other traffic, right? So right now let me put this back in here; it doesn't

look like I have the query in here, so I'd probably want to see a query for DNS, so I'm going to toggle that, right, and now I'm gonna pull that over here just to make it a little easier to read here. All right, comma, once again over here, so rolling, all right, I'm just gonna prop this over here, and one more. All right, so right now I'm gonna collapse this and we can get a little bit of an idea of what's going on here, right, without anything else, any other knowledge, just starting from the beginning. We can see that a query has gone out for freetospeak.me. Okay, that's kind of strange, but

you know, I mean, what else happened, right? So we've got these other connection records, and these connection records are really going to be associated with each of these transactional records, so there's not gonna be a lot at this time that I really want to look at, unless I want to dig into more summary details. So I'm just going to negate this value on the event side.

All right, now it's a little bit clearer, right? So we've got some DNS and some HTTP traffic, and we see that query for freetospeak.me, all right, and then we see a GET to freetospeak.me, right, to this URI, this 0843_43.php. Okay, I mean, that's nothing too crazy so far, right, but if we want to get a little bit more detail into that, as I mentioned before, we do have that full packet capture available, so if I want to go over to CapMe and pull the TCP transcript for that and get a little bit better idea of what's going on there...

Okay, so we see that GET to the 0843_43.php, and then we see a return, right; it looks like a binary, or, I'm sorry, not a binary, is it? Okay, so we have a PK here and then we had this zip extension here. Okay, so maybe somebody downloaded a zip file. All right, so let's go back; it's a little, you know, people download zip files all the time, so let's go back. All right, so they got that, they went there, the file is downloaded, we can see our bro_files record here, but following that, just after that event, we also see a call to ipify.org, okay, or, I'm sorry, not

a call but a DNS query right here, and then further down we see the actual GET to ipify.org. Okay, there are a lot of services that use external IPs, right, in businesses, but given that we kind of had this isolated pcap, maybe we should just take a look and see what's going on there. Okay, so we do see that GET for api.ipify.org, then we do see an address returned. Okay, so there's an external address returned, not a big deal, but let's see, let's walk it a little more. Okay, so we see some bro_files; that's really going to be that

plain text that was returned by ipify.org, and then we also see, it looks like, a DNS query for some eks dot com. Okay, all right, I don't know what that is, but seems okay so far. But if we go, oh, you know what, I'm gonna back up real quick. So one of the Snort alerts that we saw previously, this did trigger after the IP lookup, that IP lookup at api.ipify.org, so just throwing it out there that kind of correlates with what we saw earlier, right? And again, that some eks dot com, we see a POST to that. Okay, well, it was all cool, and so we kind of saw

this POST, right; it seems a little strange, seems like it could be reasonable, but let's go ahead and check it out and see what that looks like. Okay, well, well, that's a little different, right, hmm. Looks like an actual GUID is being posted to this server, and a base64-encoded string is returned. Okay, well, can we look at this? I mean, does this make any sense to us? Maybe we want to go over to CyberChef; so we host a local instance of CyberChef with Security Onion. Maybe we can pop that in, see if it gives us anything good. Mm, really, I mean, I'm not really sure about that,

so let's go back, run one, all right, so exit over there. Oh, okay, so it's taking a second here, so it's loading up, but we'll go back there and let me refresh this.

Pray to the demo gods. But again, it's kind of strange with that base64-encoded string and that posting of that GUID; it's certainly not typical behavior, at least I wouldn't assume so. So let's see, let's give it a second here, my poor undersized VM here. All right, just to, let's go back down and continue, start off, oh, so we have to switch back, let me switch back over to this, nope, yeah, make sure we specify the correct date for these records. All right, we're back in business. Okay, so I'm gonna scroll back down to the bottom, mm-hmm, and do we filter, let's see, we

filtered on, yeah, yeah, all right, sorry for that. All right, well, regardless, so it looks like our filters have since been removed, but there's, oh, here we go. So I run sad, so we'll go over here, back over to the some eks POST to the 44.php. Okay, now that's definitely really strange; we definitely want to follow up on this activity and see what else might have happened. So we see a DNS query for shop our de infinity dot com and we see this GET request right here, right, for shop our de infinity dot com and this sodium can Pat one. So all right, let's get this straight: so it posted this GUID to this URI right here, and

now it's calling out to this URI right here; let's see what happened.

Interesting, okay, so it looks like we're getting a file called a1, and it's a binary; so returns okay, so that file is transferred over to the client, and then what do we see? The DNS query again for some eks, a POST to some eks at a different URI; see what happened here. Interesting, so now we're posting binary data to another endpoint. I'm not sure if this is beginning to look familiar for anybody, but we'll keep going here; we'll keep kind of following the trail here. Go ahead and close out of this. All right, so we've seen it then POST binary data to this URI after getting a binary from the other URI, and now we're seeing it

getting, it seems like, another file, possibly from that same URI, all right, from the root URI. Okay, that's interesting; let's close that out. Let me keep going down. Of course, we see the bro_files associated with that; bro_files is going to, if there are any file names associated with that, populate them here, and it's also going to show you that source IP from which the file came, and we can see that there. And then we also see, after that previous GET, another POST to d2 about that PHP; now what is that?

Another binary POST. Okay, interesting. So as you can see, with the data collected from not only Zeek and Suricata but also netsniff-ng, we're able to tie this together and start to connect the dots about what is going on here. We're already building our trail of evidence here, and kind of our timeline, to see what's going on. Okay, so we see that POST there, and then immediately after there we see three more POSTs to the same server and the same URI; let's take a look at each one.

Okay, another POST of the GUID, and a base64-encoded string returned. Okay, interesting. If we pop that in CyberShark, we are not, CyberChef, goodness, making up tools; do we get anything useful? Not really, not a whole lot there for us to go off of unless we already have some familiarity with it, something that might be related. So let's go off and look at this, thank you CapMe and Chromium. All right, okay, and then we see the same thing here, another GUID posted, it looks like the same GUID, and a different string. I don't know about you, but this is kind of starting to look like C2, right,

even so a few few interactions before but you can see that these strings are different you know maybe different commands why not right and then let's look at this last one here and if we compare that it is also different so that's interesting so we've got all these series of events right this you first we've got this file and then we posted this data to this endpoint and then you've got all these other series of events occurring right and we're kind of building our our trail here and well we've got some interesting items here we don't really have anything that's super conclusive so maybe we want to dig a little bit more into the pcap

that we had and look at the files contained within it. You can do that on our Security Onion analyst VM, and let me just pull that up and do that using various tools. You can use Wireshark, or if you want to use NetworkMiner, that is one option. So right now I'm going to use NetworkMiner to load in my pcap, and then it's going to present me with some files that it extracts out of there. Now, if you're already performing Zeek file extraction, or you're doing some other method of file extraction, then of course you would already have this extracted, but for this academic use case we're going to use

NetworkMiner. So we can see also some different communication details for these hosts, and then some of the files that were extracted out: we've got the zip file that we saw before, now we've got a couple of different PHP and HTML files, we've got a couple of binaries, the a1 binary and that d2 binary that we talked about. And then from here, if we want, we can go into the folder and we can actually see if we can extract that here, right? And we can certainly hash these and check these with VirusTotal along the way, certain files, to see if there's any inkling of information that can lead us

along that path. But it looks like, extracting that zip file, there's a VBS file here, which is kind of interesting. I wouldn't normally expect that with normal traffic, and certainly given this series of events it definitely falls in line with the weirdness factor. So we can open that with Vim. All right, and right now we see a bunch of different stuff. It's really hard to read, right: a split function, a variable that's going to be potentially read in later. But if we scroll down and see if we can get some logic, okay, okay, we got some logic here. So it looks like some, you know, just some VB here, VB scripting, and we got a couple of functions here,

including a seed in a loop, creating an object here. Okay, that's interesting: opening a stream, we're writing text, and we're saving it to a file. Okay, interesting. And of course you can see all the Windows control characters here; you're going to see that in this platform, or in Linux in general. But we also see, let me back up, I'll go back, that went too far, we also see a process where it actually creates the process there with regsvr32. So one thing we could do is take this out; if we wanted to try to extract the file, we can actually take that out, maybe, and then try running the VBScript to create the

file, the resultant file that then gets run or processed. Okay, I don't really have the capability natively to do that here, but if I were to transfer that to another host, you know, that could certainly be possible. So I'm not going to demonstrate that here; I'm kind of going to leave it at that as far as the file analysis portion. Again, you could take different hash values and whatnot from these different files and then use those for later indicators, maybe, if it's something of interest. But that's going to be it as far as the Security Onion demonstration here; I will pop it over to the slides and clarify on this a little bit more. So let

me switch this screen real quick. Shh. All right, so get back over here, and I'm just going to go through these. This is really for the folks that are not going to be able to watch the video; I figured I'd include some stuff here for them to be able to go over, and for folks that go over it after the presentation. So it just walks through what we just spoke about, and real quick, just a recap: so that sequence of events, we see that GET request initially, all the way down to those three POSTs, right, to the semi KS, and we didn't know before about the files delivered or dropped, but now we do know there is a VBS file, and using NetworkMiner

we were able to extract that out. That's the file. We're able to go down and look through the function there, and this is really what I was mentioning we want to end up with, right? And so after modifying the VBS and running it on a test Windows host, we can run cscript and we can actually have it perform that action, right? And so what happens is that this file, whenever I ran cscript with the name of the VBS file, it extracted itself into Users\bassmaster (great name, by the way) \AppData\Local\Temp, right, and it was a file called Adobe.txt. So I got that file hash, a SHA-256, went to VirusTotal,

and this hand sitter, okay, so now I've got some more work to do, you know, going and investigating on the host and performing some cleanup and maybe some remediation, but definitely a lot of direction where to go now, and a lot more visibility than maybe I wouldn't have had, you know, not using something like Security Onion. And really it all started here: it was from malspam, so an email purporting to be related to, of course, the COVID crisis right now, which is of course not very favorable, but it is working for some folks. And so that's kind of how this all started, and then we've got some other

indicators that, if you review the slide, you can go through.

And then what can we do with these indicators, right? I mean, they're great, you know what I mean; sometimes they're worth something and sometimes they're worthless, right? It just really depends. But what you can do: you can use the Zeek Intel framework to generate Zeek notices. If you use MISP, you can load them into MISP, and you can still get, you know, Suricata signatures and Zeek Intel from MISP, so if you're already doing that with MISP, that's great, we can do that. You can write NIDS rules, right, ElastAlert rules, or write Sigma rules, and you can even convert those Sigma rules to ElastAlert rules and then use those in Security Onion,

and I just want to give a shout out to Andy peas, Dustin Lee, Brad Duncan, and Mason Matz. There is a write-up on SANS about this very thing that you can also go through; it was very nice to be able to refer to and compare as I was going through this, and then also Andy has one on hun ops that blue. So I just want to say thanks to those guys. So what's next? I'm going to try to get through this fairly quickly because I know I'm running a little short on time. What's Security Onion Hybrid Hunter? This is our next big thing that we've been working on, and we've been developing it a ton and putting a lot of

man-hours into it. It's going to support CentOS and Ubuntu, all right. Packages are going to be replaced with Docker containers. SaltStack is going to be used for that automation and orchestration of the stack; it's going to make the sensor grid so much easier to manage. It's going to make grid statistics, being able to gain statistics about your servers and forward nodes and whatnot, it's going to make it awesome. And then of course there are plans to even have a more unified interface there in Hybrid Hunter. So Hybrid Hunter includes TheHive and Cortex; if you've heard of them before, then you'll know that they're great for alert triage and incident management. If you want to enrich observables using their analyzers, or perform response

actions based on certain data that you bring in, or cases, you can do that with responders. And then SOCtopus: so SOCtopus is a Flask API that we present in Hybrid Hunter, and you can push an event from Kibana to TheHive if you want to investigate that further; you can push an event from Kibana to MISP. I mean, there's a lot of different ways that you can tie in and do different things, and there's a lot of automation going on behind the scenes with that as well. Playbook, it's another huge one. Josh Brower's done an awesome job on Playbook and helping us implement detection orchestration with Sigma, and the ElastAlert rules that I spoke of, also

automating the importing, or the insertion, of TheHive case templates into TheHive, so that whenever we have an alert that's maybe generated from a Sigma rule, we already have the steps defined that we want to go take on those alerts, so a lower-level analyst can go off and do those quickly, and then even remind a higher-tier analyst of the steps to take as well. And then we can check that ATT&CK coverage; we can check it with ATT&CK Navigator, so look at the layers of coverage there, right, based on our detection logic that we have deployed. Another huge one Josh has been working on is osquery and Fleet

integration. As I mentioned, Linux, Mac, and Windows host telemetry data is awesome to have and tie in with our network data, and we can also perform live and scheduled queries with that, and it really helps with that centralized agent management. Then Strelka: if you've heard of FSF, or File Scanning Framework, Strelka is a similar concept. It's automated file analysis at scale, written in Go, and it allows us to take those extracted files, those files extracted by Zeek, or other files that you have on your network that you want to analyze, and perform analysis, get additional metadata. You can even use YARA or integrate it with Cuckoo. It's super awesome in that regard. And

pcap: Google Stenographer will be replacing netsniff-ng. We're going to get a great performance improvement with that, I think, and also the ability to index that pcap, right, so indexed pcap may mean faster retrieval and whatnot, and just, you know, easier search and that sort of thing. And then also Sensoroni: Jason Ertel has just joined us recently; before then he'd helped us to develop Sensoroni, and this will be the CapMe replacement, CapMe being what you just saw a few minutes ago. Sensoroni is written in Go, and it also supports that same pcap retrieval and transcript rendering, and will likely evolve to something a bit more in the

near future. Another thing that I want to focus on real quick is cloud, all right. We just had a brief discussion about cloud here before me; well, it's, you know, in that same vein. AWS: we now have a community AMI in AWS that's currently in testing, and we would love for you guys to help us test it out and try it in your environments. We have a guide on Read the Docs, which I negligently left out of this slide, which once I post the slides I will add in there. But we also have the ability to spin it up quickly and easily using Terraform, so if you have an AWS account, or if you don't

have one and you want to set one up real quick and you don't know how to set up a VPC, you know, it will automatically create a VPC, security groups, mirroring config, and then you can have that instance spun up and be testing with it and playing with it super quickly and easily. And I just want to give a shout out to Dustin Lee again, Johnny AJ man, Cyb3rWard0g Roberto Rodriguez, and Chris Long (Centurion), because they did a lot of work, as in DetectionLab, and also they did some great stuff with HELK, and then Dustin of course with some Security Onion additions for this Terraform stuff. So I just want to say thanks, and with that,

I was trying to speed through those last slides to make sure I made it through. I think I am done, so I will open it up for questions if anybody has any questions, and yeah, that's about it. All right, let me see.
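The "connect the dots" part of the demo, reading Zeek http.log and files.log entries to rebuild the GET-then-POST trail and the burst of three POSTs to one URI, can be expressed as a small triage script. The following is an added example, not code from the talk or from the Security Onion project. The field names are the real Zeek http.log and files.log JSON column names; every IP, hostname, URI, timestamp and hash in the sample records is constructed for illustration and is not an indicator from the talk.

```python
"""Added example: join Zeek http.log and files.log by connection uid, build a
per-client timeline, and flag two patterns the talk walks through:
  1. an executable fetched from a server followed by a binary POST to the
     same server shortly afterwards, and
  2. a burst of repeated POSTs from one client to one server+URI.
All sample records below are constructed; hostnames, IPs, URIs and hashes
are placeholders, not real indicators."""
import json
from collections import defaultdict

# Constructed Zeek http.log records (JSON output format).
HTTP_LOG = """
{"ts":1585000000.1,"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.10","method":"GET","host":"example-c2.test","uri":"/a1","status_code":200,"resp_mime_types":["application/x-dosexec"]}
{"ts":1585000003.4,"uid":"C2","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.10","method":"POST","host":"example-c2.test","uri":"/upload.php","status_code":200,"orig_mime_types":["application/octet-stream"]}
{"ts":1585000010.0,"uid":"C3","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.10","method":"POST","host":"example-c2.test","uri":"/upload.php","status_code":200,"orig_mime_types":["text/plain"]}
{"ts":1585000011.0,"uid":"C4","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.10","method":"POST","host":"example-c2.test","uri":"/upload.php","status_code":200,"orig_mime_types":["text/plain"]}
{"ts":1585000012.0,"uid":"C5","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.10","method":"POST","host":"example-c2.test","uri":"/upload.php","status_code":200,"orig_mime_types":["text/plain"]}
{"ts":1585000020.0,"uid":"C6","id.orig_h":"10.0.0.7","id.resp_h":"198.51.100.2","method":"GET","host":"updates.example","uri":"/setup.exe","status_code":200,"resp_mime_types":["application/x-dosexec"]}
"""

# Constructed Zeek files.log records; conn_uids ties them to http.log above.
FILES_LOG = """
{"ts":1585000000.2,"fuid":"F1","conn_uids":["C1"],"tx_hosts":["203.0.113.10"],"rx_hosts":["10.0.0.5"],"mime_type":"application/x-dosexec","filename":"a1","sha256":"PLACEHOLDER_SHA256_A1"}
{"ts":1585000003.5,"fuid":"F2","conn_uids":["C2"],"tx_hosts":["10.0.0.5"],"rx_hosts":["203.0.113.10"],"mime_type":"application/octet-stream","sha256":"PLACEHOLDER_SHA256_POST"}
"""

# MIME types we treat as "binary" for the fetch/post heuristic (assumption).
EXECUTABLE_MIMES = {"application/x-dosexec", "application/octet-stream",
                    "application/x-executable"}


def parse_jsonl(text):
    """One Zeek JSON record per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def build_timeline(http_records, file_records):
    """Join files.log onto http.log by connection uid and sort by time."""
    by_uid = defaultdict(list)
    for f in file_records:
        for uid in f.get("conn_uids", []):
            by_uid[uid].append(f)
    timeline = []
    for rec in sorted(http_records, key=lambda r: r["ts"]):
        timeline.append({
            "ts": rec["ts"],
            "client": rec["id.orig_h"],
            "server": rec["id.resp_h"],
            "host": rec.get("host", ""),
            "method": rec["method"],
            "uri": rec["uri"],
            "req_mimes": set(rec.get("orig_mime_types", [])),
            "resp_mimes": set(rec.get("resp_mime_types", [])),
            # filename/hash pairs from files.log, for later pivoting or lookup
            "files": [(f.get("filename", "-"), f.get("sha256", "-"))
                      for f in by_uid.get(rec["uid"], [])],
        })
    return timeline


def find_fetch_then_post(timeline, window=60.0):
    """Client downloads an executable from a server, then uploads a binary
    body to the same server within `window` seconds."""
    hits, fetches = [], []
    for ev in timeline:
        if ev["method"] == "GET" and ev["resp_mimes"] & EXECUTABLE_MIMES:
            fetches.append(ev)
        elif ev["method"] == "POST" and ev["req_mimes"] & EXECUTABLE_MIMES:
            for g in fetches:
                same_pair = (g["client"], g["server"]) == (ev["client"], ev["server"])
                if same_pair and 0 <= ev["ts"] - g["ts"] <= window:
                    hits.append((ev["client"], ev["server"], g["uri"], ev["uri"]))
                    break
    return hits


def find_post_bursts(timeline, window=60.0, min_posts=3):
    """At least `min_posts` POSTs from one client to one server+URI inside
    a sliding window of `window` seconds."""
    posts = defaultdict(list)
    for ev in timeline:
        if ev["method"] == "POST":
            posts[(ev["client"], ev["server"], ev["uri"])].append(ev["ts"])
    bursts = []
    for (client, server, uri), times in posts.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= min_posts:
                bursts.append((client, server, uri, j - i + 1))
                break
    return bursts


if __name__ == "__main__":
    tl = build_timeline(parse_jsonl(HTTP_LOG), parse_jsonl(FILES_LOG))
    for ev in tl:
        print(f'{ev["ts"]:.1f} {ev["client"]} -> {ev["server"]} '
              f'{ev["method"]} {ev["host"]}{ev["uri"]} files={ev["files"]}')
    print("fetch-then-post:", find_fetch_then_post(tl))
    print("post bursts:", find_post_bursts(tl))
```

On real Security Onion data the same join works on the bro_http and bro_files documents in Elasticsearch, since they carry the same uid and conn_uids fields; the sha256 values pulled into the timeline are what you would hash-check or feed into the Zeek Intel framework as indicators afterwards.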

To unmute the attracted tech channel. All right, let me scroll up just a bit. Trip the looks. While Wes is scrolling through and reading things: I saw that you raised your hand in the Zoom webinar. All of our interactions are being driven through the Slack channel, so if you just want to bounce over there and post your question there, Wes will take care of it for you there. Okay, okay, so I see Ethical InfoSec: is there a way to integrate a CTI feed? It depends specifically on, I guess, what you're referring to, but pretty much anywhere where we can grab that data from, you know, from an API or whatnot, if you

had the data in a file, if we need to massage that, we can do that. I think it just really depends on the specific ones that we already support out of the box. I see one from Matt Carruthers: are there plans to integrate Security Onion with Moloch? It seemed very complementary. We've had a few questions about that. We don't necessarily have any intentions of doing that, at least not at this time. If there's anyone, anyone, it's time to scroll and hate through here, you, you, right.

Yeah, I don't see any other questions, so I appreciate the feedback, guys, and you know I'll be here for the next minute, so if you still need one last question, but other than that, that's all I have.

[ feedback ]