Hi [[ session.user.profile.firstName ]]

Threat Hunting Academy

  • Date
  • Rating
  • Views
  • Threat Hunting – What Is It, and Why Should You Do It
    Threat Hunting – What Is It, and Why Should You Do It Dennis Leber & Adrian Kirk, Kentucky Cabinet of Health and Family Services Recorded: Sep 19 2017 21 mins
    Join this interactive webinar to learn more about threat hunting:
    - What is a Threat Hunting Program?
    - What is included in it?
    - The reasons and benefits of why a business should have a threat hunting program.

    Speakers:
    - Dennis Leber, CISO at Commonwealth of Kentucky Cabinet of Health and Family Services
    - Adrian Kirk, Information Security and Compliance Analyst - Kentucky Cabinet of Health and Family Services
  • Wear Camouflage While Hunting Threats
    Wear Camouflage While Hunting Threats Lance Cottrell, Chief Scientist at Ntrepid Recorded: Aug 29 2017 49 mins
    Threat hunting has become a major trend but most is focused within the perimeter. Important threats and valuable threat intelligence waits to be found outside your firewall in the wilds of the internet. Join this episode of the Threat Hunting series to learn more about:
    - The particular risks of threat hunting in the wild
    - The importance of camouflage and armor
    - Best practices and techniques for employing digital camouflage and armor.

    About the Speaker:
    Lance Cottrell founded Anonymizer in 1995, which was acquired by Ntrepid (then Abraxas) in 2008. Anonymizer’s technologies form the core of Ntrepid’s Internet misattribution and security products. As Chief Scientist, Lance continues to push the envelope with the new technologies and capabilities required to stay ahead of rapidly evolving threats.

    Lance is a well-known expert on security, privacy, anonymity, misattribution and cryptography. He speaks frequently at conferences and in interviews. Lance is the principle author on multiple Internet anonymity and security technology patents. He started developing Internet anonymity tools in 1992 while pursuing a PhD. in physics, eventually leaving to work on those technologies full time.
  • An ACE Up the Sleeve: Designing Active Directory DACL Backdoors
    An ACE Up the Sleeve: Designing Active Directory DACL Backdoors Will Schroeder, Security Research / SpecterOps and Andy Robbins, Adversary Resilience Lead / SpecterOps Recorded: Aug 15 2017 61 mins
    Active Directory (AD) object discretionary access control lists (DACLs) are an untapped offensive landscape, often overlooked by attackers and defenders alike. The control relationships between AD objects align perfectly with the "attackers think in graphs" philosophy and expose an entire class of previously unseen control edges, dramatically expanding the number of paths to complete domain compromise.

    While DACL misconfigurations can provide numerous paths that facilitate elevation of domain rights, they also present a unique chance to covertly deploy Active Directory persistence. It's often difficult to determine whether a specific AD DACL misconfiguration was set intentionally or implemented by accident. This makes Active Directory DACL backdoors an excellent persistence opportunity: minimal forensic footprint, and maximum plausible deniability.

    This talk will cover Active Directory DACLs in depth, our "misconfiguration taxonomy," and enumeration/analysis with BloodHound's newly released feature set. We will cover the abuse of AD DACL misconfigurations for the purpose of domain rights elevation, including common misconfigurations encountered in the wild. We will then cover methods to design AD DACL backdoors, including ways to evade current detections, and will conclude with defensive mitigation/detection techniques for everything described.
  • Attack and Defense Training: Saving Mr Robot’s WordPress with the Free AppArmor
    Attack and Defense Training: Saving Mr Robot’s WordPress with the Free AppArmor Jay Beale, Co-founder and CTO of InGuardians Recorded: Aug 10 2017 61 mins
    In this webinar Jay Beale, co-founder and CTO of InGuardians, will demonstrate how an attacker gains access on a server running WordPress and then teach you how to break the same attack with a free, open source tool called AppArmor that’s been part of the Linux kernel for years.

    With his black hat on, he’ll show you how to use Kali Linux to attack the WordPress server, where he’ll install a web shell and begin scanning for more machines to compromise.

    Next, Jay will don his white hat and show you how to configure AppArmor to prevent that same attack.

    Come to this BrightTalk session and get a sneak peak at Jay’s Black Hat training course!
  • Hunter Spotlight with Samuel Alonso: Gaining Network Visibility
    Hunter Spotlight with Samuel Alonso: Gaining Network Visibility Samuel Alonso, Senior Cybersecurity Analyst Recorded: Aug 10 2017 28 mins
    In this half-hour interview, Sqrrl sits down with experienced hunter Samuel Alonso for his best advice on threat hunting, focusing on:

    - Gaining network visibility (best tools, data sources, and more)
    - Samuel's experience as a threat hunter and lessons learned
    - Practical tips for both new and experienced hunters

    About the Threat Hunter:
    Samuel is a Senior Cybersecurity Analyst, formerly working at KPMG. He has extensive experience in threat hunting, information security practices, and business development,
  • The Not So Same-Origin Policy & Web Security
    The Not So Same-Origin Policy & Web Security David Petty, Network Security Analyst at Independent Security Evaluators Recorded: Aug 8 2017 32 mins
    The same-origin policy (SOP) remains one of the most important security mechanisms of the web, protecting servers from malicious pages interacting with their APIs through cross-site requests. However, the subtle details of the policy can be overlooked, so our talk aims to show how limitations in the application of the same-origin policy can undermine security.

    Join this talk in the "Threat Hunting" series as David Petty, Network Security Analyst at Independent Security Evaluators, explains in depth how the same-origin policy works and how it can be bypassed to exploit cross-site vulnerabilities, including examples of Java, Flash, Silverlight, and Cross-Origin Resource Sharing (CORS) misconfigurations.

    As the same-origin policy and cross-site request forgery (CSRF) are inherently connected, we will also show both simple and complex cross-site request forgery attacks and how CSRF functions within the context of the same-origin policy. This will include classic CSRF attacks that work within the confines of the same-origin policy and more complicated attacks that utilize server misconfigurations to bypass the same-origin restrictions altogether.

    About the Threat Hunter:
    David Petty is an Associate Security Analyst at Independent Security Evaluators (ISE), a security consulting company in Baltimore, MD. He has recently graduated from Northwestern University with a B.S. in Computer Science, and discovered his interest in security while working for ISE during college. He specializes in breaking web and native applications and uses these skills to conduct custom security assessments of software products. His interests also include reverse engineering and digital forensics.
  • Threat Hunting Tool: Sweet Security Supercharged [Hunter Spotlight]
    Threat Hunting Tool: Sweet Security Supercharged [Hunter Spotlight] Travis Smith, Principal Security Researcher at Tripwire Recorded: Aug 1 2017 43 mins
    In this episode of the Threat Hunting series we will feature a network security tool developed and used by real-life threat hunters. Sweet Security is a network security monitoring and defensive tool which can be deployed on hardware as small as a Raspberry Pi.

    Using the power of Bro IDS and threat intelligence feeds, malicious network traffic can be exposed. This data is gathered and visualized with the ELK stack (Elasticsearch, Logstash, and Kiban). Going beyond detection, the device can implement blocking for specific devices on a granular level. Sweet Security can monitor all network traffic with no infrastructure change and block unwanted traffic. It ships with Kibana dashboards, as well as a new web administration UI. Even better, the installation can be separated between web administration and sensor.

    Want to deploy the web administration to AWS and install a dozen sensors? No problem! With the ability to intercept all network traffic combined with the power of Bro and ELK, you can unlock the ability to hunt for threats across any environment.

    Travis Smith will go through how the tool works, as well as some interesting findings he has discovered on his own home network.
  • Knowing and Pivoting Through Your Data (Hunter Spotlight)
    Knowing and Pivoting Through Your Data (Hunter Spotlight) Chris Sanders, Founder, Applied Network Defense Recorded: Jul 19 2017 32 mins
    In this month's hunter spotlight, we sit down with Chris Sanders, veteran hunter with over 10 years experience, as we discuss:
    - How to manage different data sources for hunting
    - Best pivoting practices and rules of thumb
    - How to convert findings into actionable intelligence
    - Techniques for reducing evidence abstraction
  • Threat Hunting Scenario: Monitoring for Insider Data Exfiltration
    Threat Hunting Scenario: Monitoring for Insider Data Exfiltration Al Hartmann, Chief Scientist at Ziften & Josh Harriman, VP of Cyber Security Intelligence at Ziften Recorded: Jul 11 2017 62 mins
    Industry statistics point to 1 in 5 enterprise breaches involve insider actions. Insider threats are often the costliest and most disruptive to an enterprise - even highly secure enterprises (think Edward Snowden). According to the FBI, “the thief who is harder to detect and who could cause the most damage is the insider—the employee with legitimate access.” With the insider there is no malware necessary, no access rule violations, no credentials theft, no command and control traffic, no firewall intrusions. Your enterprise is mounting a Maginot Line defense against the knowledgeable insider, gun emplacements facing away from the real threat, easily bypassed. Security is breached, critical data is exfiltrated, and any data privacy is vaporized as your most sensitive data assets appear for sale on the dark web, while embarrassing revelations are leaked online, making headline news, triggering investigations and resignations.

    In this episode in the Threat Hunting series, we will review:
    - The insider threat defense futility of traditional security placebos
    - Essential visibility for effective user and endpoint activity monitoring
    - Sensor and effector instrumentation to quickly observe and promptly thwart malicious insider activity
    - Instrumentation customization for enterprise-specific tailoring
    - The transition from routine operations team user support to security team insider threat awareness
    - Spatial and temporal anomaly types associated with insider threats
    - The FBI’s insider threat kill chain
    - The importance of forensic lookback
    - Exfiltration routes favored by insiders
  • Hunter Spotlight: Interview with Danny Akacki, Fortune 100 Hunter
    Hunter Spotlight: Interview with Danny Akacki, Fortune 100 Hunter Danny Akacki, Threat Hunter, Fortune 100 Company Recorded: Jun 22 2017 33 mins
    Danny Akacki works on the Hunt Team for a Fortune 100 Finance Company. In this interview, Danny will share his experiences hunting and discuss:

    1. What makes a good hunter?
    2. What makes a good hunt program?
    3. How mature does an org need to be in order to benefit from a hunting program?
    4. Why should you avoid hunting before your org is ready?
    5.What's the difference between an investigation and a hunt?

Embed in website or blog