one day
play

One Day @ RMLLSEC 2017 - Xavier Mertens (@xme) <profile> - PowerPoint PPT Presentation

Feb 25, 2024 •539 likes •985 views

One Day @ RMLLSEC 2017 - Xavier Mertens (@xme) <profile> <name> Xavier Mertens </name> <aka> Xme </aka> <jobs> <day> Freelancer </day> <night> Blogger, ISC Handler, Hacker

  1. One Day @ RMLLSEC 2017 - Xavier Mertens (@xme)

  2. <profile> 
 <name> Xavier Mertens </name> 
 <aka> Xme </aka> 
 <jobs> 
 <day> Freelancer </day> 
 <night> Blogger, ISC Handler, Hacker </night> 
 </jobs> 
 <![CDATA[ 
 www.truesec.be 
 Follow 
 blog.rootshell.be 
 me! isc.sans.edu 
 www.brucon.org 
 ]]> 
 </profile>

  4. Once upon a time… The ISC was created in 2001 following the successful detection, analysis, and widespread warning of the Li0n worm.

  5. Once upon a time… The Li0n worm event demonstrated what the community acting 
 together can do to respond to broad-based malicious attacks. 
 Most importantly, it demonstrated the value of sharing intrusion detection logs in real time .

  6. Some Numbers… 31 handlers (*) 50 countries 500.000 IP addresses (*) 32 for a few days :-)

  7. Handlers The ISC relies on an all-volunteer effort to detect problems, analyze the threat, and disseminate both technical as well as procedural information to the general public.

  8. Who are the Handlers? Must have some knowledge about the “Internet” 
 (protocols, apps, security) Must be able to write freely (no control!) Dedicate some spare time

  10. Did you turn it off and on again?

  11. Shifts • 24 hours • Follow up new threats in the Internet • Reply to users emails / reports • Write a diary • Follow the forums • Investigate reported incidents

  12. US Centric <warning> Warning for French people </warning> SANS is an organization based in US, 100% English content Only 5 handlers in Europe (*) (*) 3 in Belgium, 1 in Switzerland, 1 in Croatia

  13. Food The ISC needs food. Everybody is welcome to participate We need you

  14. Services

  15. Your Dashboard

  16. InfoCon Normal status Significant new threat Major Internet disruption Loss of connectivity across a large part of the Internet Last change: 12/05/2017 (WannaCry)

  17. Daily Diary Blog post that covers something about internet security from highly technical (reverse) to business (compliance)

  18. Podcast Daily 5 mins recap of the threat landscape Perfect when you commute to work (https://isc.sans.edu/dailypodcast.xml)

  19. 404Project Because what does not exist may have a great value! Example: scanning for DB files • Full request URL & parameters ($_SERVER['REQUEST_URI']) • Client IP address ($_SERVER['REMOTE_ADDR']) • Client User-Agent ($_SERVER['HTTP_USER_AGENT'])

  20. 404Project

  21. DShield • Firewall logs collector and aggregator • Multiple clients • Develop your own client (Ex: OSSEC) • API via HTTPS or SMTP • Anonymization • Aggregation

  22. DShield

  23. SSH-Scan https://github.com/jkakavas/kippo-pyshield

  24. DShield on Pi https://github.com/DShield-ISC/dshield

  25. Top-Ports

  26. Ports Activity

  27. Block list

  28. Threat Feeds

  29. Threat Feeds

  30. Threat Feeds

  31. REST API https://isc.sans.edu/api/

  32. REST API https://isc.sans.edu/api/infocon <?xml version="1.0" encoding="UTF-8"?> <infocon> <status>green</status> </infocon> https://isc.sans.edu/api/handler <?xml version="1.0" encoding="UTF-8"?> <handler> <name>Xavier Mertens<name> </handler>

  33. REST API https://isc.sans.edu/api/ip/70.91.145.10 <?xml version="1.0" encoding="UTF-8"?> <ip> <number>1.85.2.119</number> <count>9843</count> <attacks>34</attacks> <maxdate>2015-11-12</maxdate> <mindate>2015-10-08</mindate> <updated>2015-11-12 14:03:22</updated> <comment/> <asabusecontact>anti-spam@ns.chinanet.cn.net</asabusecontact> <as>4134</as> <asname>CHINANET-BACKBONE No.31,Jin-rong Street</asname> <ascountry>CN</ascountry> <assize>108902447</assize> <network>1.80.0.0/13</network> <threatfeeds> <blocklistde110> <lastseen>2015-11-11</lastseen> <firstseen>2015-09-22</firstseen> </blocklistde110> <blocklistde143> <lastseen>2015-11-11</lastseen> <firstseen>2015-09-22</firstseen> </blocklistde143> <blocklistde25> <lastseen>2015-11-11</lastseen>

  34. Contact

  35. Contact

  36. Example of API Usage Based on OSSEC, let’s check all IP addresses against the DShield database.

  37. Example of API Usage <active-response> <!-- Collect IP reputation data from <command> ISC API <name>isc-ipreputation</name> --> <executable>isc-ipreputation.py</executable> <command>isc-ipreputation</command> <expect>srcip</expect> <location>server</location> <timeout_allowed>no</timeout_allowed> <level>6</level> </command> </active-response> $ tail -f /var/log/ipreputation.log [2015-05-27 23:30:07,769] DEBUG No data found, fetching from ISC [2015-05-27 23:30:07,770] DEBUG Using proxy: 192.168.254.8:3128 [2015-05-27 23:30:07,772] DEBUG Using user-agent: isc-ipreputation/1.0 (blog.rootshell.be) [2015-05-27 23:30:09,760] DEBUG No data found, fetching from ISC [2015-05-27 23:30:09,761] DEBUG Using proxy: 192.168.254.8:3128 [2015-05-27 23:30:09,762] DEBUG Using user-agent: isc-ipreputation/1.0 (blog.rootshell.be) [2015-05-27 23:30:10,138] DEBUG Saving 178.119.0.173 [2015-05-27 23:30:10,145] INFO IP=178.119.0.173, AS=6848("TELENET-AS Telenet N.V.,BE"), Network=178.116.0.0/14, Country=BE, Count=148, AttackedIP=97, Trend=0, FirstSeen=2015-04-21, LastSeen=2015-05-27, Updated=2015-05-27 18:37:15 https://blog.rootshell.be/2015/06/02/playing-with-ip-reputation-with-dshield-ossec/

  38. Feeding DShield with OSSEC $ ./ossec2dshield.pl --log=/ossec/logs/firewall/firewall.log --statefile=/ossec/logs/firewall/firewall.log.state --userid=12345 --from=user@domain.com --mta=localhost --ports="!80,!443" https://blog.rootshell.be/2011/07/15/feeding-dshield-with-ossec-logs/

  39. Hunting for Samples

  40. Hunting for Malicious Files • MISP • OSSEC • mof.py (“MISP OSSEC Feeder”)

  41. Hunting for Malicious Files # # OSSEC RootCheck IOC generated by MOF (MISP OSSEC Feeder) # https://github.com/xme/ # # Generated on: Mon Jul 11 22:06:56 2016 # MISP url: https://misp.home.rootshell.be/ # Wayback time: 30d # [MISP_2073] [any] [Packrat: Seven Years of a South American Threat Actor] r:HKLM\SOFTWARE\Microsoft\Active; r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Policies; r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msconfig; [MISP_2200] [any] [Click-Fraud Ramdo Malware Family Continues to Plague Users] r:HKCU\SOFTWARE\Adobe\Acrobat Reader\14.0\Globals\LastLoggedOnProvider; r:HKCU\SOFTWARE\Adobe\Acrobat Reader\14.0\Globals\IconUnderline; r:HKCU\SOFTWARE\Adobe\Acrobat Reader\14.0\Globals\HangDetect; r:HKCU\SOFTWARE\Adobe\Acrobat Reader\14.0\Globals\LastProgress; r:HKCU\SOFTWARE\Adobe\Acrobat Reader\14.0\Globals\ShowTabletKeyboard; r:HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BluetoothManage; [MISP_2210] [any] [Jigsaw Ransomware Decrypted: Will delete your files until you pay the Ransom] f:%USERPROFILE%\AppData\Roaming\Frfx\; f:%USERPROFILE%\AppData\Roaming\Frfx\firefox.exe; f:%USERPROFILE%\AppData\Local\Drpbx\; f:%USERPROFILE%\AppData\Local\Drpbx\drpbx.exe; f:%USERPROFILE%\AppData\Roaming\System32Work\; f:%USERPROFILE%\AppData\Roaming\System32Work\Address.txt; f:%USERPROFILE%\AppData\Roaming\System32Work\dr; f:%USERPROFILE%\AppData\Roaming\System32Work\EncryptedFileList.txt;

  42. Hunting for Malicious Files

  43. Thank You! Questions? Shoot or… Looking for French support? >> xmertens@isc.sans.edu >> @xme

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The virtual world of languages a treasury of support Slide 1 The intention is that this PPT

The virtual world of languages a treasury of support Slide 1 The intention is that this PPT

The virtual world of languages a treasury of support Slide 1 The intention is that this PPT brings together some of the better known and less well know sources of support for language teachers in both primary and secondary schools. The world

311 views • 3 slides
THE MARRIAGE OF COMMUNICATION &amp; CODE BY ANDREA GOULET &amp; M. SCOTT FORD FOUNDERS,

THE MARRIAGE OF COMMUNICATION &amp; CODE BY ANDREA GOULET &amp; M. SCOTT FORD FOUNDERS,

THE MARRIAGE OF COMMUNICATION &amp; CODE BY ANDREA GOULET &amp; M. SCOTT FORD FOUNDERS, CORGIBYTES @andreagoulet WHEN I We remodel existing WAS software to make it stable, IN HIGH scalable, and secure. SCHOOL.

1.59k views • 55 slides
Research Data Management Forum 16 Data (and) Systems, Redux Hilton Grosvenor Hotel,

Research Data Management Forum 16 Data (and) Systems, Redux Hilton Grosvenor Hotel,

Research Data Management Forum 16 Data (and) Systems, Redux Hilton Grosvenor Hotel, Edinburgh, 21-22 November 2016 Housekeeping Fire alarm Bathrooms Bedrooms Drinks, dinner, breakfast and lunch Twitter hashtag: #rdmf16 Monday

423 views • 10 slides
Session 2 Annual Goal Planning 1 2 3 4 5 Hosted by: Jack Markham Todays Agenda

Session 2 Annual Goal Planning 1 2 3 4 5 Hosted by: Jack Markham Todays Agenda

2019 Business Plan Development Session 2 Annual Goal Planning 1 2 3 4 5 Hosted by: Jack Markham Todays Agenda Why Should You Plan Annual Goals? How to Set and Plan for Annual Goals Annual Goal Planning Examples

780 views • 19 slides
C l e a n A r c h i t e c t u r e s i n P y t h o n A t a l e o f

C l e a n A r c h i t e c t u r e s i n P y t h o n A t a l e o f

C l e a n A r c h i t e c t u r e s i n P y t h o n A t a l e o f d u r a b i l i t y , u t i l i t y , a n d b e a u t y L E O N A R D O G I O R D A N I S O F T W A R E D E V E L O P E

521 views • 33 slides
I started blogging in 2004 For my first four years of blogging, I couldnt attract more than 700

I started blogging in 2004 For my first four years of blogging, I couldnt attract more than 700

I started blogging in 2004 For my first four years of blogging, I couldnt attract more than 700 readers a month. It felt like I was trying to punch through an invisibe ceiling. Then, something happened in 2008 where I hit an inflection point

329 views • 12 slides
Something To Blog About: Sharing Stories and Building Communities on the Web Margaret Mason

Something To Blog About: Sharing Stories and Building Communities on the Web Margaret Mason

Something To Blog About: Sharing Stories and Building Communities on the Web Margaret Mason Spirit &amp; Place Festival November 11, 2007 Life Book Sites Sacramento No One Mighty Goods Cares What You Had for San Francisco Mighty Girl

791 views • 44 slides
B LOGGING FOR Q UANTITATIVE L ITERACY Kira Hamman Penn State Mont Alto W HAT S A B LOG ? BLOG

B LOGGING FOR Q UANTITATIVE L ITERACY Kira Hamman Penn State Mont Alto W HAT S A B LOG ? BLOG

B LOGGING FOR Q UANTITATIVE L ITERACY Kira Hamman Penn State Mont Alto W HAT S A B LOG ? BLOG = weB LOG (dont ask me, I didnt make it up) An online journal of sorts, with entries about practically any topic imaginable: W HAT S A B

1.3k views • 77 slides
Blogging Branding and How Content Blogging, Branding and How Content Marketing Changed the Entire

Blogging Branding and How Content Blogging, Branding and How Content Marketing Changed the Entire

Blogging Branding and How Content Blogging, Branding and How Content Marketing Changed the Entire Swimming Pool Industry Swimming Pool Industry M Marcus Sheridan Sh id Owner / Principal River Pools &amp; Spas River Pools &amp; Spas The Sales

416 views • 16 slides
Publishing Online Lecture 6 COMPSCI111/111G Todays lecture u Blogs u Wikis u Social issues

Publishing Online Lecture 6 COMPSCI111/111G Todays lecture u Blogs u Wikis u Social issues

Publishing Online Lecture 6 COMPSCI111/111G Todays lecture u Blogs u Wikis u Social issues around online publishing Blogs u Short for web log , a website where posts are displayed in reverse chronological order (ie. newest posts first)

511 views • 30 slides
Planning Your Online Marketing P R E S E N T E D B Y MONICA MIKE ELLIS AVELEEN ROXIE The

Planning Your Online Marketing P R E S E N T E D B Y MONICA MIKE ELLIS AVELEEN ROXIE The

Planning Your Online Marketing P R E S E N T E D B Y MONICA MIKE ELLIS AVELEEN ROXIE The Pitts Family The MayeCreate Family QUIMBY ROXIE MayeCreate Support Staff We solve marketing problems. 5 Even the dogs. 6 Mostly online. 7

1.44k views • 127 slides
Cogni&amp;ve Science Blogging Class #4 Image:

Cogni&amp;ve Science Blogging Class #4 Image:

Cogni&amp;ve Science Blogging Class #4 Image: h6p://www.thebluediamondgallery.com/wooden-&amp;le/b/blog.html Get to the meat AAAS Communica&amp;on Toolkit Check out the ar&amp;cle Peer Feedback on First DraIs Can you find the story

290 views • 6 slides
Using Permission-Based, Opt-In Email Features Presenter:

Using Permission-Based, Opt-In Email Features Presenter:

Using Permission-Based, Opt-In Email Features Presenter: Robert W. Bly Center for Technical Communication www.bly.com (201) 505-9451 rwbly@bly.com Twitter: @robertbly www.pinpointe.com | Tw: @Pinpointe

544 views • 42 slides
Linked Data Publishing with Drupal Joachim Neubert ZBW German National Library of Economics

Linked Data Publishing with Drupal Joachim Neubert ZBW German National Library of Economics

Linked Data Publishing with Drupal Joachim Neubert ZBW German National Library of Economics Leibniz Information Centre for Economics SWIB13 Workshop Hamburg, Germany 25.11.2013 ZBW is member of the Leibniz Association My background

948 views • 52 slides
Mutualizing the mix Bradley Dilger Western Illinois University Poughs call for proposals How

Mutualizing the mix Bradley Dilger Western Illinois University Poughs call for proposals How

Mutualizing the mix Bradley Dilger Western Illinois University Poughs call for proposals How do we rethink our strategies in dealing with the national, state and local policies that have an impact on our classrooms and the students we

550 views • 30 slides
Using Wordpress as a blog teaching tool This is an overview of the way that we have configured

Using Wordpress as a blog teaching tool This is an overview of the way that we have configured

Using Wordpress as a blog teaching tool This is an overview of the way that we have configured WordPress at Emory Law for our Advanced Legal Writing - Blogging and Social Media Course. The course was taught in the spring 2015 and spring 2016

276 views • 11 slides
Dear instructors/users of these slides: Please feel free to include these slides in your own

Dear instructors/users of these slides: Please feel free to include these slides in your own

S OCIAL M EDIA M INING Introduction Dear instructors/users of these slides: Please feel free to include these slides in your own material, or modify them as you see fit. If you decide to incorporate these slides into your presentations, please

234 views • 22 slides
10 Surefire Ways to Grow Your Results in 2015 @michaeltasner LETS DIVE IN 4 #1 #1

10 Surefire Ways to Grow Your Results in 2015 @michaeltasner LETS DIVE IN 4 #1 #1

10 Surefire Ways to Grow Your Results in 2015 @michaeltasner LETS DIVE IN 4 #1 #1 DOMINATE MOBILE Mobile responsive web site SMS / MMS marketing Mobile Experience #2 MARKETING ROADBLOCKS Not enough hours in the day

506 views • 32 slides
TEST LISTS FOR MEASURING INTERNET CENSORSHIP APPLICABILITY, PROBLEMS &amp; SOLUTIONS IMPROVING

TEST LISTS FOR MEASURING INTERNET CENSORSHIP APPLICABILITY, PROBLEMS &amp; SOLUTIONS IMPROVING

TEST LISTS FOR MEASURING INTERNET CENSORSHIP APPLICABILITY, PROBLEMS &amp; SOLUTIONS IMPROVING LISTS OF CENSORED ONLINE CONTENT Update test lists for 48 states in Latin America, Africa, MENA, Asia and CIS Develop methodology

444 views • 31 slides
Asian Social Web: Travel 2.0 promotion in Asia and Pacific Jacob Sparre Andersen Niels Bohr

Asian Social Web: Travel 2.0 promotion in Asia and Pacific Jacob Sparre Andersen Niels Bohr

A cross-disciplinary project Putting valuable blogs on the front page Travel Knowledge Database Summary Asian Social Web: Travel 2.0 promotion in Asia and Pacific Jacob Sparre Andersen Niels Bohr Institute, University of Copenhagen 23rd

641 views • 14 slides
Performance Benchmarking with Cloud Workbench (CWB) Presenters Joel Scheuner Philipp Leitner

Performance Benchmarking with Cloud Workbench (CWB) Presenters Joel Scheuner Philipp Leitner

Performance Benchmarking with Cloud Workbench (CWB) Presenters Joel Scheuner Philipp Leitner https://icet-lab.eu @IcetLab Chalmers 2 Performance Matters Chalmers 3 Benchmarking IaaS Clouds Chalmers 4 Capacity Planning in the

816 views • 52 slides
Using Social Media as a Tool for Empowerment and Advocacy National Women and Girls HIV/AIDS

Using Social Media as a Tool for Empowerment and Advocacy National Women and Girls HIV/AIDS

Using Social Media as a Tool for Empowerment and Advocacy National Women and Girls HIV/AIDS Awareness Day 2015 Webinar details Webinar will last approximately 90 minutes The first 60 minutes will be a moderated; followed by Q &amp; A

841 views • 46 slides
Taking talking beyond the clinic: practical patient and public involvement in your practice Beki

Taking talking beyond the clinic: practical patient and public involvement in your practice Beki

Taking talking beyond the clinic: practical patient and public involvement in your practice Beki Aldam Why? Face-to-face events with families Blogging Social media How? Digesting Science Barts-MS blog Twitter Over 70 events Over 400

725 views • 31 slides
Special Topics: CSci 8980 Machine Learning in Computer Systems Jon B. Weissman (jon@cs.umn.edu)

Special Topics: CSci 8980 Machine Learning in Computer Systems Jon B. Weissman (jon@cs.umn.edu)

Special Topics: CSci 8980 Machine Learning in Computer Systems Jon B. Weissman (jon@cs.umn.edu) Department of Computer Science University of Minnesota Introduction Introductions all Who are you? What interests you and why are

667 views • 46 slides

More recommend