Friday, July 26 • 11:30am - 12:20pm
Threat Hunting on the Enterprise with Winlogbeat, Sysmon and ELK


While threat prevention is an important step to reduce the security risk on the organization, it is not enough. As blue teamers, we must assume that at some point a threat is going to evade defenses and get an initial foothold on the organization. In such a scenario, it is important to have the means to detect those attacks at an early stage so that the threat can be contained and its impact reduced. Defenders also need to perform retrospective investigations and do enterprise-wide searches, analyzing information from multiple devices at once.

In this talk, we will show how to enhance endpoint visibility by using free tools such as Sysmon, Winlogbeat and ELK. By using ATT&CK as a reference model, blue teamers can create detections for several attack techniques based on endpoint events. By targeting threat behavior, defenders can more effectively detect adversaries, even when they change their artifacts or infrastructure. Several examples will be shown of how the system can be used to detect attack techniques such as:

- Living off the Land attacks: attackers using tools available on the endpoints such as wmic, cscript, net, PowerShell and net scripts
- Fileless attacks through PowerShell scripts (detections for PowerShell Empire and Unicorn will be shown)
- Lateral movement (PsExec, wmic)
- Password spraying attacks (based on a visualization of Windows successful and failed logins in Kibana)
- Persistence creation via the Windows registry, new services and other techniques
- Command and control callbacks
- Actions on objective, such as looking for passwords on the file system and in the Windows registry for lateral movement and privilege escalation
- In addition to Kibana, the Elasticsearch (ELK) API
- Known threats based on specific functions used in code (TTPs), rather than file hash, IP address or domain, which allows for better detection that is harder for attackers to evade. An example to detect a variant of Emotet will be shown.

While the human analyst focuses on detecting TTPs, the ELK API allows analysts to automate the search for indicators of compromise such as IP addresses, domains and hashes, to programmatically detect known evil. We will also show how to integrate this solution with the MISP Threat Intelligence Platform through its API for automatic detection of Indicators of Compromise (IoCs), such as file hashes, domains and IP addresses.

Credit will be given to researchers who have published information that has helped to build this system, such as Roberto Rodriguez, Mark Russinovich, SwiftOnSecurity, Florian Roth and Thomas Patzke.
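The abstract describes three detection ideas that the Sysmon/Winlogbeat/ELK stack makes possible: spotting password spraying from the pattern of failed Windows logons, spotting living-off-the-land tooling from Sysmon process-creation events, and matching file hashes against an IoC watchlist of the kind MISP would supply. The script below is an added example written for this page; it is not code from the talk or from Sysmon, Winlogbeat, Elastic or MISP. It assumes events arrive as JSON documents laid out the way Winlogbeat ships them (winlog.channel, winlog.event_id, winlog.event_data.*) and that the Security channel carries event 4625 for failed and 4624 for successful logons while Sysmon event ID 1 carries process creation. The sample events and the watchlist hash are constructed for the example, not captured from a real host.

```python
"""Detection logic over Winlogbeat-shaped Windows and Sysmon events.

Added example, not code from the talk or from Sysmon, Winlogbeat, ELK or MISP.
Assumes Winlogbeat's field layout (winlog.channel, winlog.event_id,
winlog.event_data.*). Sample events and the IoC hash are constructed.
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, List

SECURITY = "Security"
SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Binaries already present on Windows hosts that the abstract lists as
# living-off-the-land tooling; matched on the process image basename.
LOLBINS = {"wmic.exe", "cscript.exe", "net.exe", "powershell.exe"}

# Constructed sample stream, one JSON event per line (not real telemetry).
SAMPLE_EVENTS = r"""
{"winlog": {"channel": "Security", "event_id": "4625", "event_data": {"TargetUserName": "alice", "IpAddress": "10.0.0.45", "LogonType": "3"}}}
{"winlog": {"channel": "Security", "event_id": "4625", "event_data": {"TargetUserName": "bob", "IpAddress": "10.0.0.45", "LogonType": "3"}}}
{"winlog": {"channel": "Security", "event_id": "4625", "event_data": {"TargetUserName": "carol", "IpAddress": "10.0.0.45", "LogonType": "3"}}}
{"winlog": {"channel": "Security", "event_id": "4625", "event_data": {"TargetUserName": "dave", "IpAddress": "10.0.0.45", "LogonType": "3"}}}
{"winlog": {"channel": "Security", "event_id": "4625", "event_data": {"TargetUserName": "alice", "IpAddress": "10.0.0.9", "LogonType": "2"}}}
{"winlog": {"channel": "Security", "event_id": "4624", "event_data": {"TargetUserName": "alice", "IpAddress": "10.0.0.9", "LogonType": "2"}}}
{"winlog": {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": "1", "event_data": {"Image": "C:\\Windows\\explorer.exe", "CommandLine": "C:\\Windows\\Explorer.EXE", "User": "CORP\\alice", "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111"}}}
{"winlog": {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": "1", "event_data": {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Temp\\update.ps1", "User": "CORP\\alice", "Hashes": "SHA256=2222222222222222222222222222222222222222222222222222222222222222"}}}
{"winlog": {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": "1", "event_data": {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic computersystem get name", "User": "CORP\\alice", "Hashes": "MD5=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,SHA256=3333333333333333333333333333333333333333333333333333333333333333"}}}
"""

# Constructed watchlist standing in for SHA256 attributes pulled from MISP.
IOC_SHA256 = {"3" * 64}


def load_events(text: str) -> List[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _select(events: List[dict], channel: str, event_id: int) -> List[dict]:
    """Return the event_data dicts of events on `channel` with `event_id`."""
    out = []
    for ev in events:
        w = ev.get("winlog", {})
        # winlog.event_id is a string in recent Winlogbeat versions; normalize.
        if w.get("channel") == channel and str(w.get("event_id")) == str(event_id):
            out.append(w.get("event_data", {}))
    return out


def detect_password_spray(events: List[dict], min_accounts: int = 3) -> Dict[str, List[str]]:
    """Flag a source IP whose failed logons (4625) span many distinct accounts.

    A user mistyping a password fails against one account from one source; a
    spray fails against many accounts from one source. Returns {ip: [users]}.
    """
    per_source = defaultdict(set)
    for d in _select(events, SECURITY, 4625):
        per_source[d.get("IpAddress", "-")].add(d.get("TargetUserName", ""))
    return {ip: sorted(u) for ip, u in per_source.items() if len(u) >= min_accounts}


def detect_lolbin_execution(events: List[dict]) -> List[Dict[str, str]]:
    """Flag Sysmon process creations (ID 1) whose image basename is a LOLBin."""
    hits = []
    for d in _select(events, SYSMON, 1):
        image = d.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image in LOLBINS:
            hits.append({"image": image, "user": d.get("User", ""),
                         "command_line": d.get("CommandLine", "")})
    return hits


def parse_hashes(field: str) -> Dict[str, str]:
    """Sysmon writes the Hashes field as 'ALG=hex,ALG=hex'; return {ALG: hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            alg, value = part.split("=", 1)
            out[alg.strip().upper()] = value.strip().lower()
    return out


def match_iocs(events: List[dict], sha256_watchlist: Iterable[str]) -> List[Dict[str, str]]:
    """Match the SHA256 of every created process against a hash watchlist."""
    watch = {h.lower() for h in sha256_watchlist}
    matches = []
    for d in _select(events, SYSMON, 1):
        h = parse_hashes(d.get("Hashes", "")).get("SHA256")
        if h and h in watch:
            matches.append({"image": d.get("Image", ""), "sha256": h})
    return matches


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    print("password spray:", detect_password_spray(evs))
    print("lolbin execs:", detect_lolbin_execution(evs))
    print("ioc matches:", match_iocs(evs, IOC_SHA256))
```

The spray rule keys on distinct target accounts per source rather than on raw failure counts, which is what separates a spray from a single user locking themselves out; in production the same aggregation would run as an Elasticsearch terms aggregation over 4625 events bucketed by IpAddress, and the watchlist would be refreshed from MISP rather than hard-coded.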


David Bernal

David Bernal has 10 years of experience in information security and holds a bachelor's degree in Computer Engineering from the National Autonomous University of Mexico (UNAM). Since June 2015 he has served as Lead Security Researcher at SCILabs in the Scitum Cybersecurity Centre. He has...

Friday July 26, 2019 11:30am - 12:20pm CDT
Universidad La Salle