Blue Teaming on a Budget of Zero
THREATCARE
Open Source Defense
Building a Security Program with
Zero Budget
Agenda
•Budget challenges beyond CapEx/OpEx
•Foundations: The big picture and where to start
•Specific free & open-source tools to help at each step
•Real-World Experiences and Fun Stories*
*Randomly dispersed throughout
whoami – Kyle Bubp
• Just a dude trying to make things better.
Security: What’s the “True Cost”?
• Security = People + Processes + Products
People
• Salary
• Training
• Personal Dev
• Management
Processes
• Plan (policy)
• Build (tech)
• Test
• Improvement
Products
• CapEx/OpEx
• Support
• Time to Value
• Labor:Value
Why FOSS?
Not just for people with budget constraints!
It’s about time and control.
Commercial:
1. Google search
2. Choose three
3. Contact vendors
4. Proof of concept
5. Wine & dine
6. Procurement
7. Implementation
Elapsed time: weeks/months
FOSS:
1. Google search
2. Download
3. Configure
Elapsed time: minutes/hours
Shelfware
Products that are purchased, but never get used or never
fully achieve their intended value
What ends up on the Shelf?
What would get them off the shelf?
Start with a solid foundation.
Foundational Blueprints and Frameworks
•NIST Standards and Frameworks
•CIS Critical Security Controls
•ISO 27000
•MITRE ATT&CK
Document everything!
A core documentation repository is critical
•Policy, procedure, how-tos, etc:
• MediaWiki
• Atlassian Confluence ($10 for up to 10 users)
•Incident Response Ticketing/Documentation:
• RTIR (https://bestpractical.com/download-page)
• The Hive (https://thehive-project.org/)
Build from the ground up
1. Identify
2. Protect and Harden
3. Detect
4. Respond
5. Recover
The Asset Discovery Dilemma
Active Scanning? Nmap? Vuln Scanner? No. Ask your network!
NetDB https://netdbtracking.sourceforge.net/
.ova available at https://www.kylebubp.com/files/netdb.ova
Other network mapping approaches
•nmap + ndiff/yandiff
• Not just for red teams.
• Export results, diff for changes.
• Alert if something changed.
•Netdisco
• https://sourceforge.net/projects/netdisco
• Uses SNMP to inventory your network devices
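The "export results, diff for changes, alert if something changed" loop above is exactly what nmap's bundled ndiff does for `-oX` output. The block below is an added example (my code, not ndiff's and not from the talk) that reimplements that logic over two constructed scan files so the comparison is visible: it parses the subset of nmap's XML layout it needs (host status, address, open ports), diffs the two inventories, and formats an alert only when something moved. The IP addresses and ports are made up.

```python
"""Diff two nmap XML scans and report inventory drift (new hosts, new open ports)."""
import xml.etree.ElementTree as ET

# Constructed scans in nmap's -oX layout, trimmed to the elements used here (not real output).
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/></port>
      <port protocol="tcp" portid="443"><state state="open"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="3389"><state state="open"/></port></ports>
  </host>
</nmaprun>
"""

TODAY_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/></port>
      <port protocol="tcp" portid="443"><state state="filtered"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.0.0.9" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="10.0.0.23" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
  </host>
</nmaprun>
"""


def parse_scan(xml_text):
    """Return {ip: {(protocol, port), ...}} for every host nmap reported as up."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data; treat them as absent
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if addr is None:
            continue
        open_ports = set()
        ports = host.find("ports")
        if ports is not None:
            for port in ports.findall("port"):
                state = port.find("state")
                if state is not None and state.get("state") == "open":
                    open_ports.add((port.get("protocol"), int(port.get("portid"))))
        inventory[addr] = open_ports
    return inventory


def diff_scans(old, new):
    """Compare two inventories; every entry of the result is empty when nothing moved."""
    changes = {
        "new_hosts": sorted(set(new) - set(old)),
        "missing_hosts": sorted(set(old) - set(new)),
        "opened": {},
        "closed": {},
    }
    for host in sorted(set(old) & set(new)):
        opened, closed = new[host] - old[host], old[host] - new[host]
        if opened:
            changes["opened"][host] = sorted(opened)
        if closed:
            changes["closed"][host] = sorted(closed)
    return changes


def has_changes(changes):
    return any(changes.values())


def format_alert(changes):
    """Plain-text summary for an e-mail or chat alert; empty string when nothing changed."""
    lines = []
    for host in changes["new_hosts"]:
        lines.append(f"NEW HOST    {host}")
    for host in changes["missing_hosts"]:
        lines.append(f"HOST GONE   {host}")
    for host, ports in changes["opened"].items():
        lines.append(f"OPENED      {host}: " + ", ".join(f"{p}/{proto}" for proto, p in ports))
    for host, ports in changes["closed"].items():
        lines.append(f"CLOSED      {host}: " + ", ".join(f"{p}/{proto}" for proto, p in ports))
    return "\n".join(lines)


if __name__ == "__main__":
    report = diff_scans(parse_scan(BASELINE_XML), parse_scan(TODAY_XML))
    print(format_alert(report) if has_changes(report) else "no changes")
```

Run from cron against yesterday's and today's `nmap -oX` files and send the output of `format_alert` only when `has_changes` is true; a host that drops from "up" to "down" shows up as missing rather than as a port change, which is usually the more useful signal for an inventory.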
Data Discovery
•Users are good at putting sensitive data on the network.
•Find it with OpenDLP
OpenVAS
•Fork of Nessus
•Still maintained
•Default vuln scanner in AlienVault
•Does a great job in comparison w/ commercial products
Web Apps too!
•Arachni Framework (arachni-scanner.com)
•OWASP ZAP (Zed Attack Proxy)
•Nikto2 (more of a server config scanner)
•Portswigger Burp Suite (not free - $350)
•For a comparison – sectoolmarket.com
In addition to fixing vulnerabilities…
•Build in some additional security on your web servers.
(also part of a secure configuration)
•Fail2ban
Python-based IPS that runs off Apache logs
•ModSecurity
Open-source WAF for Apache, IIS, & nginx
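To show what "an IPS that runs off Apache logs" actually computes, here is an added example (my code, not Fail2ban's and not from the talk) of the core detection step: parse Apache combined-format lines, count authentication failures per source address inside a sliding time window, and flag an address once it crosses a retry threshold. The two knobs mirror Fail2ban's `maxretry` and `findtime` jail options; the log lines are constructed, and a corrupt line is included to show that unparseable input is skipped rather than crashing the job.

```python
"""Fail2ban-style detection: find source IPs that repeatedly fail HTTP authentication."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache combined-format lines (not a real server's log).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:10:00 +0000] "GET /admin HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:30:00 +0000] "GET /admin HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:50:00 +0000] "GET /admin HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "curl/8.0"
this line is corrupt and must be skipped
203.0.113.7 - - [10/Oct/2023:13:55:43 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /admin HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "curl/8.0"
192.0.2.10 - - [10/Oct/2023:14:10:00 +0000] "GET /admin HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:14:30:00 +0000] "GET /admin HTTP/1.1" 401 381 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "request", status ...  (rest of the line is not needed)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
FAILURE_STATUSES = {401, 403}  # what counts as a failed attempt for this jail


def parse_line(line):
    """Return (ip, timestamp, status) or None for a line that does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m.group("ip"), ts, int(m.group("status"))


def find_offenders(lines, maxretry=5, findtime=600):
    """Return {ip: time_of_ban} for addresses with >= maxretry failures inside findtime seconds."""
    recent = defaultdict(deque)  # per-IP timestamps of failures still inside the window
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # corrupt or foreign line: skip, never crash the watcher
        ip, ts, status = parsed
        if status not in FAILURE_STATUSES or ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # slide the window forward
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} exceeded the retry limit at {when.isoformat()}")
```

With the defaults, 203.0.113.7 is flagged on its fifth 401 within thirty seconds, while 192.0.2.10's five failures spread over eighty minutes never fit in one 600-second window and 198.51.100.4's single 401 is just a user mistyping a password. Fail2ban adds the part this block deliberately leaves out, the firewall action and the `bantime` expiry; whatever you hook in there, make sure the address list is allow-listed for your own monitoring hosts.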
Build from the ground up
1. Identify
2. Protect and Harden
3. Detect
4. Respond
5. Recover
Protect
Intrusion Detection and Prevention
Host-based IDS
• Monitor Critical and Sensitive Files via Integrity Checks
• Detects Rootkits
• Can monitor Windows Registry
• Alert on Changes
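The four bullets above describe the file-integrity half of a host-based IDS. As an added example (my code, not any particular HIDS product's and not from the talk), the block below does the minimum that loop needs: hash every regular file under a monitored root, store the baseline as JSON, and on the next run report files that were added, removed, or modified. The `demo()` function builds a throwaway directory tree with constructed contents, tampers with it, and returns the change report so the behaviour can be checked without touching a real system.

```python
"""Host-based integrity check: baseline file hashes, then report what changed."""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():  # symlinks are recorded by target elsewhere
            baseline[path.relative_to(root).as_posix()] = file_digest(path)
    return baseline


def compare(baseline, current):
    """Report which files appeared, disappeared, or changed content since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(baseline, store_path):
    Path(store_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(store_path):
    return json.loads(Path(store_path).read_text())


def demo():
    """Build a throwaway tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as monitored, tempfile.TemporaryDirectory() as store:
        root = Path(monitored)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        # Keep the baseline off the monitored tree (ideally off the host) so it can't be edited along with the files.
        store_file = Path(store) / "baseline.json"
        save_baseline(build_baseline(root), store_file)

        # Simulated changes the next scheduled run should catch (constructed, not real events).
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")   # weakened config
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "backup").write_text("0 2 * * * root /usr/local/bin/backup\n")
        (root / "etc" / "passwd").unlink()

        return compare(load_baseline(store_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point `build_baseline` at the directories the slide calls critical and sensitive (`/etc`, `/boot`, web roots, and so on) and run it from a scheduler; the report is empty on a quiet day and names the exact paths otherwise. Production tools such as the ones listed in this deck add what a 60-line script cannot: ownership and permission tracking, rootkit signatures, Windows registry keys, and a tamper-resistant place to keep the baseline.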
Windows 10 – Out of the box – CIS Benchmark
Secure Configuration
•CIS Benchmarks / DISA Stigs
•Configuration Management, while not exciting, is important
•Deploy configs across your enterprise using tools like GPO, Chef, Puppet,
or Ansible
•Change Management is also important
• Use git repo for tracking changes to your config scripts
PATCH IT ALL (kinda)
Patching Windows
Patching Linux
Build from the ground up
1. Identify
2. Protect and Harden
3. Detect
4. Respond
5. Recover
What’s happening on the endpoint?
•Facebook-developed osquery is effectively free EDR
• Agents for macOS, Windows, Linux
• Deploy across your enterprise w/ Chef, Puppet, Ansible, or SCCM
• Do fun things like searching for IoCs (hashes, processes, etc.)
• Pipe the data into the Elastic Stack for visibility & searchability
•If you only need Windows, check out Microsoft Sysinternals Sysmon
What’s happening on the network?
•ELK stack
•Suricata
•Bro
•Snort
•SecurityOnion: put it all together
Logging and Monitoring
•Central logging makes detection and analysis easier
•Many options here, such as Windows Event Subscription, rsyslog
•Can also pipe to one central location with dashboards, such as the Elastic Stack
•Good idea to include DNS logs!
Testing Controls
Breach and Attack Simulation
• CALDERA (based on ATT&CK)
• Uber Metta
• Endgame RTA
• Guardicore’s Infection Monkey
• Barkly’s Stackhackr
• Nextron Systems’ APTSimulator
• AlphaSOC’s flightsim
Education
Phishing Education
• Phishing Frenzy
• Social Engineering Toolkit (SET)
• GoPhish
Parting thoughts…
• Build versus Buy
• Security Requirements don’t change, regardless of budget.
• Build a strong foundation and branch out.
• Consider scenarios – solve one scenario at a time, NOT all at once!
• Stay curious and contribute to projects you like.
• Community! Share ideas – learn from others
• DOCUMENT EVERYTHING
Kyle Bubp
kyle@threatcare.com
@kylebubp
@threatcare

Contenu connexe

Tendances

OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..Simon Bennetts
 
Ryan Armstrong - Monitoring More Than 6000 Devices in Zabbix | ZabConf2016
Ryan Armstrong - Monitoring More Than 6000 Devices in Zabbix | ZabConf2016Ryan Armstrong - Monitoring More Than 6000 Devices in Zabbix | ZabConf2016
Ryan Armstrong - Monitoring More Than 6000 Devices in Zabbix | ZabConf2016Zabbix
 
Security workflow with ansible
Security  workflow with ansibleSecurity  workflow with ansible
Security workflow with ansibledevanshdubey7
 
JoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP IntroJoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP IntroSimon Bennetts
 
20140708 - Jeremy Edberg: How Netflix Delivers Software
20140708 - Jeremy Edberg: How Netflix Delivers Software20140708 - Jeremy Edberg: How Netflix Delivers Software
20140708 - Jeremy Edberg: How Netflix Delivers SoftwareDevOps Chicago
 
Devoxx PL 2018 - Microservices in action at the Dutch National Police
Devoxx PL 2018 - Microservices in action at the Dutch National PoliceDevoxx PL 2018 - Microservices in action at the Dutch National Police
Devoxx PL 2018 - Microservices in action at the Dutch National PoliceBert Jan Schrijver
 
2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting StartedSimon Bennetts
 
Open stack jobs avoiding the axe
Open stack jobs   avoiding the axeOpen stack jobs   avoiding the axe
Open stack jobs avoiding the axeJim Leitch
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Simon Bennetts
 
Zabbix introduction ( RadixCloud Radix Technologies SA)
Zabbix introduction ( RadixCloud Radix Technologies SA)Zabbix introduction ( RadixCloud Radix Technologies SA)
Zabbix introduction ( RadixCloud Radix Technologies SA)Martin Markovski
 
OWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAPOWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAPSimon Bennetts
 
OWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newerOWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newerSimon Bennetts
 
NGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talkNGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talkWallarm
 
IT security for all. Bootcamp slides
IT security for all. Bootcamp slidesIT security for all. Bootcamp slides
IT security for all. Bootcamp slidesWallarm
 
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
OWASP 2013 AppSec EU Hamburg - ZAP InnovationsOWASP 2013 AppSec EU Hamburg - ZAP Innovations
OWASP 2013 AppSec EU Hamburg - ZAP InnovationsSimon Bennetts
 
OWASP 2013 EU Tour Amsterdam ZAP Intro
OWASP 2013 EU Tour Amsterdam ZAP IntroOWASP 2013 EU Tour Amsterdam ZAP Intro
OWASP 2013 EU Tour Amsterdam ZAP IntroSimon Bennetts
 
Nouveautés de Zabbix 3.0 - Paris Monitoring meetup #2
Nouveautés de Zabbix 3.0 - Paris Monitoring meetup #2Nouveautés de Zabbix 3.0 - Paris Monitoring meetup #2
Nouveautés de Zabbix 3.0 - Paris Monitoring meetup #2Paris Monitoring
 
BSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesBSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesSimon Bennetts
 
Trouble Ticket Integration with Zabbix in Large Environment
Trouble Ticket Integration with Zabbix in Large EnvironmentTrouble Ticket Integration with Zabbix in Large Environment
Trouble Ticket Integration with Zabbix in Large EnvironmentAlain Ganuchaud
 

Tendances (20)

OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
 
My pwk & oscp journey
My pwk & oscp journeyMy pwk & oscp journey
My pwk & oscp journey
 
Ryan Armstrong - Monitoring More Than 6000 Devices in Zabbix | ZabConf2016
Ryan Armstrong - Monitoring More Than 6000 Devices in Zabbix | ZabConf2016Ryan Armstrong - Monitoring More Than 6000 Devices in Zabbix | ZabConf2016
Ryan Armstrong - Monitoring More Than 6000 Devices in Zabbix | ZabConf2016
 
Security workflow with ansible
Security  workflow with ansibleSecurity  workflow with ansible
Security workflow with ansible
 
JoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP IntroJoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP Intro
 
20140708 - Jeremy Edberg: How Netflix Delivers Software
20140708 - Jeremy Edberg: How Netflix Delivers Software20140708 - Jeremy Edberg: How Netflix Delivers Software
20140708 - Jeremy Edberg: How Netflix Delivers Software
 
Devoxx PL 2018 - Microservices in action at the Dutch National Police
Devoxx PL 2018 - Microservices in action at the Dutch National PoliceDevoxx PL 2018 - Microservices in action at the Dutch National Police
Devoxx PL 2018 - Microservices in action at the Dutch National Police
 
2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started2014 ZAP Workshop 1: Getting Started
2014 ZAP Workshop 1: Getting Started
 
Open stack jobs avoiding the axe
Open stack jobs   avoiding the axeOpen stack jobs   avoiding the axe
Open stack jobs avoiding the axe
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
 
Zabbix introduction ( RadixCloud Radix Technologies SA)
Zabbix introduction ( RadixCloud Radix Technologies SA)Zabbix introduction ( RadixCloud Radix Technologies SA)
Zabbix introduction ( RadixCloud Radix Technologies SA)
 
OWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAPOWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
 
OWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newerOWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newer
 
NGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talkNGINX User Summit. Wallarm llightning talk
NGINX User Summit. Wallarm llightning talk
 
IT security for all. Bootcamp slides
IT security for all. Bootcamp slidesIT security for all. Bootcamp slides
IT security for all. Bootcamp slides
 
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
OWASP 2013 AppSec EU Hamburg - ZAP InnovationsOWASP 2013 AppSec EU Hamburg - ZAP Innovations
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
 
OWASP 2013 EU Tour Amsterdam ZAP Intro
OWASP 2013 EU Tour Amsterdam ZAP IntroOWASP 2013 EU Tour Amsterdam ZAP Intro
OWASP 2013 EU Tour Amsterdam ZAP Intro
 
Nouveautés de Zabbix 3.0 - Paris Monitoring meetup #2
Nouveautés de Zabbix 3.0 - Paris Monitoring meetup #2Nouveautés de Zabbix 3.0 - Paris Monitoring meetup #2
Nouveautés de Zabbix 3.0 - Paris Monitoring meetup #2
 
BSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced FeaturesBSides Manchester 2014 ZAP Advanced Features
BSides Manchester 2014 ZAP Advanced Features
 
Trouble Ticket Integration with Zabbix in Large Environment
Trouble Ticket Integration with Zabbix in Large EnvironmentTrouble Ticket Integration with Zabbix in Large Environment
Trouble Ticket Integration with Zabbix in Large Environment
 

Similaire à Blue Teaming on a Budget of Zero

Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Adrian Sanabria
 
Silicon Valley Code Camp 2016 - MongoDB in production
Silicon Valley Code Camp 2016 - MongoDB in productionSilicon Valley Code Camp 2016 - MongoDB in production
Silicon Valley Code Camp 2016 - MongoDB in productionDaniel Coupal
 
CodeMotion Amsterdam 2018 - Microservices in action at the Dutch National Police
CodeMotion Amsterdam 2018 - Microservices in action at the Dutch National PoliceCodeMotion Amsterdam 2018 - Microservices in action at the Dutch National Police
CodeMotion Amsterdam 2018 - Microservices in action at the Dutch National PoliceBert Jan Schrijver
 
Microservices in action at the Dutch National Police - Bert Jan Schrijver - C...
Microservices in action at the Dutch National Police - Bert Jan Schrijver - C...Microservices in action at the Dutch National Police - Bert Jan Schrijver - C...
Microservices in action at the Dutch National Police - Bert Jan Schrijver - C...Codemotion
 
iSense Java Summit 2017 - Microservices in action at the Dutch National Police
iSense Java Summit 2017 - Microservices in action at the Dutch National PoliceiSense Java Summit 2017 - Microservices in action at the Dutch National Police
iSense Java Summit 2017 - Microservices in action at the Dutch National PoliceBert Jan Schrijver
 
Functionality, security and performance monitoring of web assets (e.g. Joomla...
Functionality, security and performance monitoring of web assets (e.g. Joomla...Functionality, security and performance monitoring of web assets (e.g. Joomla...
Functionality, security and performance monitoring of web assets (e.g. Joomla...Sanjay Willie
 
Open Source Infrastructure / Development & Security > How to make it work?
Open Source Infrastructure / Development & Security > How to make it work? Open Source Infrastructure / Development & Security > How to make it work?
Open Source Infrastructure / Development & Security > How to make it work? Kangaroot
 
Greenfields tech decisions
Greenfields tech decisionsGreenfields tech decisions
Greenfields tech decisionsTrent Hornibrook
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...B.A.
 
Microservices in action at the Dutch National Police
Microservices in action at the Dutch National PoliceMicroservices in action at the Dutch National Police
Microservices in action at the Dutch National PoliceBert Jan Schrijver
 
OpenValue meetup October 2017 - Microservices in action at the Dutch National...
OpenValue meetup October 2017 - Microservices in action at the Dutch National...OpenValue meetup October 2017 - Microservices in action at the Dutch National...
OpenValue meetup October 2017 - Microservices in action at the Dutch National...Bert Jan Schrijver
 
JavaZone 2017 - Microservices in action at the Dutch National Police
JavaZone 2017 - Microservices in action at the Dutch National PoliceJavaZone 2017 - Microservices in action at the Dutch National Police
JavaZone 2017 - Microservices in action at the Dutch National PoliceBert Jan Schrijver
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big pictureDevSecOpsSg
 
Proactive Security AppSec Case Study
Proactive Security AppSec Case StudyProactive Security AppSec Case Study
Proactive Security AppSec Case StudyAndy Hoernecke
 
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...PranavPatil822557
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDaveEdwards12
 
Know thy cost (or where performance problems lurk)
Know thy cost (or where performance problems lurk)Know thy cost (or where performance problems lurk)
Know thy cost (or where performance problems lurk)Oren Eini
 
Time Series Anomaly Detection with Azure and .NETT
Time Series Anomaly Detection with Azure and .NETTTime Series Anomaly Detection with Azure and .NETT
Time Series Anomaly Detection with Azure and .NETTMarco Parenzan
 

Similaire à Blue Teaming on a Budget of Zero (20)

Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Open Source Defense for Edge 2017
Open Source Defense for Edge 2017
 
Silicon Valley Code Camp 2016 - MongoDB in production
Silicon Valley Code Camp 2016 - MongoDB in productionSilicon Valley Code Camp 2016 - MongoDB in production
Silicon Valley Code Camp 2016 - MongoDB in production
 
CodeMotion Amsterdam 2018 - Microservices in action at the Dutch National Police
CodeMotion Amsterdam 2018 - Microservices in action at the Dutch National PoliceCodeMotion Amsterdam 2018 - Microservices in action at the Dutch National Police
CodeMotion Amsterdam 2018 - Microservices in action at the Dutch National Police
 
Microservices in action at the Dutch National Police - Bert Jan Schrijver - C...
Microservices in action at the Dutch National Police - Bert Jan Schrijver - C...Microservices in action at the Dutch National Police - Bert Jan Schrijver - C...
Microservices in action at the Dutch National Police - Bert Jan Schrijver - C...
 
iSense Java Summit 2017 - Microservices in action at the Dutch National Police
iSense Java Summit 2017 - Microservices in action at the Dutch National PoliceiSense Java Summit 2017 - Microservices in action at the Dutch National Police
iSense Java Summit 2017 - Microservices in action at the Dutch National Police
 
Functionality, security and performance monitoring of web assets (e.g. Joomla...
Functionality, security and performance monitoring of web assets (e.g. Joomla...Functionality, security and performance monitoring of web assets (e.g. Joomla...
Functionality, security and performance monitoring of web assets (e.g. Joomla...
 
Open Source Infrastructure / Development & Security > How to make it work?
Open Source Infrastructure / Development & Security > How to make it work? Open Source Infrastructure / Development & Security > How to make it work?
Open Source Infrastructure / Development & Security > How to make it work?
 
Greenfields tech decisions
Greenfields tech decisionsGreenfields tech decisions
Greenfields tech decisions
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 
Microservices in action at the Dutch National Police
Microservices in action at the Dutch National PoliceMicroservices in action at the Dutch National Police
Microservices in action at the Dutch National Police
 
OpenValue meetup October 2017 - Microservices in action at the Dutch National...
OpenValue meetup October 2017 - Microservices in action at the Dutch National...OpenValue meetup October 2017 - Microservices in action at the Dutch National...
OpenValue meetup October 2017 - Microservices in action at the Dutch National...
 
JavaZone 2017 - Microservices in action at the Dutch National Police
JavaZone 2017 - Microservices in action at the Dutch National PoliceJavaZone 2017 - Microservices in action at the Dutch National Police
JavaZone 2017 - Microservices in action at the Dutch National Police
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
 
Proactive Security AppSec Case Study
Proactive Security AppSec Case StudyProactive Security AppSec Case Study
Proactive Security AppSec Case Study
 
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
 
DevOps tools for winning agility
DevOps tools for winning agilityDevOps tools for winning agility
DevOps tools for winning agility
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Know thy cost (or where performance problems lurk)
Know thy cost (or where performance problems lurk)Know thy cost (or where performance problems lurk)
Know thy cost (or where performance problems lurk)
 
Time Series Anomaly Detection with Azure and .NETT
Time Series Anomaly Detection with Azure and .NETTTime Series Anomaly Detection with Azure and .NETT
Time Series Anomaly Detection with Azure and .NETT
 

Dernier

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 

Dernier (20)

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

Blue Teaming on a Budget of Zero

Other network mapping approaches
•nmap + ndiff/yandiff
  • Not just for red teams.
  • Export results, diff for changes.
  • Alert if something changed.
•Netdisco
  • https://sourceforge.net/projects/netdisco
  • Uses SNMP to inventory your network devices
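What the "export results, diff for changes, alert if something changed" step boils down to, as an added example that is not from the talk (ndiff already does this for real nmap output): parse two nmap -oX exports and report hosts and open ports that appeared or vanished since the baseline run. Both XML documents below are constructed for this example, not real scan output.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX style output for two runs of the same subnet (not real scan data).
BASELINE_XML = """<nmaprun>
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="80"><state state="open"/></port></ports></host>
<host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/></port></ports></host>
</nmaprun>"""
TODAY_XML = """<nmaprun>
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="80"><state state="closed"/></port>
<port protocol="tcp" portid="3389"><state state="open"/></port></ports></host>
<host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/></port></ports></host>
<host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/></port></ports></host>
</nmaprun>"""

def open_ports(xml_text):
    """Map each host that is up to the set of (port, protocol) reported open."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address").get("addr")
        hosts[addr] = {(int(p.get("portid")), p.get("protocol"))
                       for p in host.iter("port")
                       if p.find("state").get("state") == "open"}
    return hosts

def diff_scans(old_xml, new_xml):
    """Summarise what changed between two exports; anything non-empty is alert-worthy."""
    old, new = open_ports(old_xml), open_ports(new_xml)
    changes = {"new_hosts": sorted(set(new) - set(old)),
               "gone_hosts": sorted(set(old) - set(new)),
               "new_ports": {}, "closed_ports": {}}
    for addr in set(old) & set(new):
        if new[addr] - old[addr]:
            changes["new_ports"][addr] = sorted(new[addr] - old[addr])
        if old[addr] - new[addr]:
            changes["closed_ports"][addr] = sorted(old[addr] - new[addr])
    return changes

def needs_alert(changes):
    """True when the network no longer matches the baseline export."""
    return any(changes.values())
```

Run the scan on a schedule, keep the previous export as the baseline, and wire needs_alert() to whatever notification channel you already have; a new host or a newly open port on a known host is the finding worth a ticket.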
Data Discovery
•Users are good at putting sensitive data on the network.
•Find it with OpenDLP

OpenVAS
•Fork of Nessus
•Still maintained
•Default vuln scanner in AlienVault
•Does a great job in comparison with commercial products

Web Apps too!
•Arachni Framework (arachni-scanner.com)
•OWASP ZAP (Zed Attack Proxy)
•Nikto2 (more of a server config scanner)
•PortSwigger Burp Suite (not free: $350)
•For a comparison: sectoolmarket.com

In addition to fixing vulnerabilities…
•Build in some additional security on your web servers (also part of a secure configuration)
•Fail2ban: Python-based IPS that runs off of Apache logs
•ModSecurity: open source WAF for Apache, IIS, & nginx

Build from the ground up
1. Identify
2. Protect and Harden
3. Detect
4. Respond
5. Recover
Host-based IDS
• Monitor critical and sensitive files via integrity checks
• Detects rootkits
• Can monitor Windows Registry
• Alert on changes
Windows 10 – Out of the box – CIS Benchmark

Secure Configuration
•CIS Benchmarks / DISA STIGs
•Configuration management, while not exciting, is important
•Deploy configs across your enterprise using tools like GPO, Chef, Puppet, or Ansible
•Change management is also important
  • Use a git repo for tracking changes to your config scripts

PATCH IT ALL (kinda)

Build from the ground up
1. Identify
2. Protect and Harden
3. Detect
4. Respond
5. Recover

What’s happening on the endpoint?
•Facebook-developed osquery is effectively free EDR
  • Agents for macOS, Windows, Linux
  • Deploy across your enterprise w/ Chef, Puppet, Ansible, or SCCM
  • Do fun things like search for IoCs (hashes, processes, etc.)
  • Pipe the data into Elastic Stack for visibility & searchability
•If you only need Windows, check out Microsoft Sysinternals Sysmon

What’s happening on the network?
•ELK Stack
•Suricata
•Bro
•Snort
•Security Onion: put it all together

Logging and Monitoring
•Central logging makes detection and analysis easier
•Many options here, such as Windows Event Subscription and rsyslog
•Can also pipe to one central location with dashboards, such as Elastic Stack
•Good idea to include DNS logs!

Breach and Attack Simulation
• CALDERA (based on ATT&CK)
• Uber Metta
• Endgame RTA
• Guardicore’s Infection Monkey
• Barkly’s Stackhackr
• Nextron Systems’ APTSimulator
• AlphaSOC’s flightsim

Phishing Education
• Phishing Frenzy
• Social Engineering Toolkit (SET)
• GoPhish

Parting thoughts…
• Build versus buy
• Security requirements don’t change, regardless of budget.
• Build a strong foundation and branch out.
• Consider scenarios: solve one scenario at a time, NOT all at once!
• Stay curious and contribute to projects you like.
• Community! Share ideas, learn from others.
• DOCUMENT EVERYTHING