BrakeSec Education Podcast

Jarrod Frates (@jarrodfrates on Twitter) has been doing pentests as a red-team member for a long time. His recent position at #InGuardians sees him engaging many companies who have realized that a typical 'pentest #puppymill' or pentest from certain companies just isn't good enough. Jarrod has also gone on more than a few engagements where he has found the client in question has no clue of what a 'real' pentest is, and worse, they often have the wrong idea of how it should go. This week, I sat down with Jarrod, and we talked about what needs to occur before the pentest, even before you contact the pentesting firm... even, in fact, before you should even consider a pentest. We discuss what a pentest is, and how it's different from a 'vulnerability assessment', or code audit. Jarrod and I discuss the overarching requirements of the pentest (are you doing it 'just because', or do you need to check a box for compliance). We ask questions like Who should be involved setting scope? Should #Social #Engineering always be a part of a pentest? Who should be notified if/when a #pentest is to occur? Should your SOC be told when one occurs? What happens if the pentest causes incident response to be called (like if someone finds a malware/botnet infection)? And how long do you want the engagement to be? And depending on the politics involved, these things can affect the quality of the pentest, and the cost as well... It was a great discussion with Jarrod, a seasoned professional, and veteran of many engagements. If your organization is about to engage a company for a pentest, you'd be wise to take a moment and listen to this. Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-029-Jarrod_Frates-What_to_do_before_a_pentest_starts.mp3 #iTunes: https://itunes.apple.com/us/podcast/2016-029-jarrod-frates-steps/id799131292?i=1000373091447&mt=2 #YouTube: http://www.youtube.com/attribution_link?a=p2oq6jT3Iy0&u=/watch%3Fv%3DsTc_seN-hbs%26feature%3Dem-upload_owner #SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

Long time listeners will remember Ms. Cheryl #Biswas as one of the triumvirate we had on to discuss #mainframes and mainframe #security. (http://traffic.libsyn.com/brakeingsecurity/2016-008-mainframe_secruity.mp3) I was interested in the goings on at BlackHat/DefCon/BsidesLV, and heard about #TiaraCon (@tiarac0n on Twitter). I went to find someone involved to understand what it was all about, and Ms. Cheryl reached out. She's an #organizer and was more than happy to sit down with me to understand why it was started. This is its inaugural year, and they already have some excellent schwag and sponsors. This is not just an event for ladies, but a way of #empowering #women, creating #mentorship opportunities, and assistance for people moving into the #infosec industry. Also, since Ms. Cheryl's loves discussing #ICS and #SCADA problems and headaches, we got into the headaches, #challenges, and maybe some 'logical' solutions to fixing SCADA vulns... but does the logical approach work in a business sense? TiaraCon official site: http://tiaracon.org/ TiaraCon Dates: Thursday Aug 4 - Friday Aug 5 Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-028-Cheryl_Biswas_Tiaracon_ICSSCADA_headaches.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-028-cheryl-biswas-discusses/id799131292?i=1000372642921&mt=2 Youtube: https://www.youtube.com/watch?v=vsolDjsz5M4 SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security #Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

Mr. Boettcher is back! We talked about his experiences with the #DFIR conference, and we get into a discussion about the gap between when incident response is and when you're using #digital #forensics. Mr. Boettcher and I discuss what is needed to happen before #incident #response is required. We also discuss the Eleanor malware very briefly and I talk about finding Platypus, which is a way for you to create OSX packages using python/perl/shell scripts. Platypus: http://sveinbjorn.org/platypus Eleanor Malware on OSX: https://www.grahamcluley.com/2016/07/mac-malware-uses-tor-obtain-access-systems/ Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-027-DFIR_policy_controls.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-027-dfir-conference-dfir/id799131292?i=1000372256055&mt=2 YouTube: https://www.youtube.com/watch?v=RPN0nDGYA5c#action=share SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582

Adam Crompton (@3nc0d3r) and Tyler Robinson (@tyler_robinson) from Inguardians came by to fill in for my co-host this week. We talk about things a company should do to protect themselves against data exfil. Adam then shows us a tool he's created to help automate data exfil out of an environment. It's called 'Naisho', and if you're taking the 'Powershell for Pentesters' class at DerbyCon, you'll be seeing this again, as Adam will be co-teaching this class with Mick Douglas (@bettersafetynet). Tyler tells us about using Cobalt Strike for creating persistent connections that are more easily hidden when you are on an engagement. Adam's demo can be found on our YouTube channel: https://youtu.be/rj--BfCvacY Tyler's demo of Throwback and using Cobalt Strike can be found on our YouTube Channel: Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-026-exfiltration_techniques-redteaming_vs_pentesting-and-gaining_persistence.mp3 SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

The windows registry has come a long way from it's humble beginnings in #Windows 3.11 (Windows for Workgroups). This week, we discuss the structure of the Windows registry, as well as some of the inner workings of the registry itself. We also discuss where are some good places to find malware, some of the key values that you can find in the #registry and their meanings. We also discuss what atomicity is and how the registry is a lot like a database in how it functions. And no podcast about Windows #forensics should be done without talking about a tool, and our friend David #Longenecker (@dnlongen on Twitter) created a cross-platform tool that allows you to take exports of the registry and analyze them without need to be physically on the host. You can find reglister here: http://www.securityforrealpeople.com/2015/08/introducing-new-forensics-tool-reglister.html We finish up discussing our #DerbyCon giveaways and a peek at what will be a very interesting podcast next week. Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-025-Windows_Registry-RunKey_artifacts-finding_where_malware_hides.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-025-windows-registry/id799131292?i=1000371465676&mt=2 SoundCloud: https://soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

We are pleased to introduce Ms. Kim Green (Twitter: @kim1green). She is the CEO of KAZO Security, as well as the CISO/CPO of Zephyr Health, a #SaaS based #Healthcare data #analytics company. She brings over 20 years of experience in healthcare and leadership to help small and medium business companies get help from a #CISO to assist in an advisory role. Ms. Green also started a bug bounty program at Zephyr Health to assist them in shoring up their application, finding #vulnerabilities that their internal teams may have missed. We are going to discuss with her why they decided to make it a private bug bounty, and what was the result. https://www.youtube.com/watch?v=GbW777t1tTA -- more about the bug bounty We also discuss why#HIPAA seems to be so far behind in terms of being able to protect #PHI/#PII and what if anything can be done to fix it. http://www.darkreading.com/analytics/hipaa-not-helping-healthcares-software-security-lagging/d/d-id/1322715 We finish up discussing a recent news story about the how the National Football League (#NFL) team Washington Redskins had a trainer lose a laptop with the PII and health information on several thousand NFL players. We discuss why they did not violate HIPAA, and what if anything they did violate. https://www.washingtonpost.com/news/dc-sports-bog/wp/2016/06/01/nfl-players-medical-records-reportedly-stolen-from-redskins-trainers-car/ Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-024-Kim_Green-HIPAA-CISO_as_a_service-HIPAA_maturity_redskins-laptop.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-024-kim-green-on-cisoaas/id799131292?i=1000371021883&mt=2 YouTube: https://www.youtube.com/watch?v=F9zvkeuON4I&list=PLqJHxwXNn7guMA6hnzex-c12q0eqsIV_K&index=1 SoundCloud: https://www.soundcloud.com/bryan-brake Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ #Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Picture yourself in the middle of a security incident... A malware infection, or you have hosts on your network are part of a botnet. You figured out where how the malware is communicating with the command and control servers, but if you just kill the connection, the malware stop functioning. What do you do? In some cases, you might be able to employ a DNS #sinkhole to route traffic harmlessly to or through a honey network that can be used to further analyze things like #infection vectors, #protocols, commands, and #network movement. You can also use #DNS sinkholing to disable the malware if certain conditions are met. Like most tools, sinkholing can be used for good, but there are legal issues if it's used incorrectly. We discuss some of the legalities. It won't disable all malware or exploit kits, but for some infections, this is another tool in your toolbox you can employ. In a continuation from last week's show with Earl Carter about the #Angler #Exploit Kit, we discuss how Angler is able to bypass #EMET and #ASLR protections... https://www.fireeye.com/blog/threat-research/2016/06/angler_exploit_kite.html Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-023-DNS_Sinkholes2.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-023-dns-sinkholing/id799131292?i=1000370572088&mt=2 YouTube: https://youtu.be/67huikA2QFg Links we used to discuss sinkholing: Basic sinkhole app using BIND: https://isc.sans.edu/forums/diary/DNS+Sinkhole+ISO+Available+for+Download/9037/ *UPDATED literally hours after I posted this show* Version 2.0 of the DNS sinkhole ISO: https://isc.sans.edu/diary/21153 http://resources.infosecinstitute.com/dns-sinkhole https://www.paloaltonetworks.com/documentation/60/pan-os/newfeaturesguide/content-inspection-features/dns-sinkholing https://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523 http://www.darkreading.com/partner-perspectives/general-dynamics-fidelis/principles-of-malware-sinkholing/a/d-id/1319769 Blackhole DNS servers -- http://www.malware-domains.com/ or http://www.malwaredomains.com/ http://handlers.dshield.org/gbruneau/sinkhole.htm Malware blackhole DNS campaign (2013) - http://www.bleepingcomputer.com/forums/t/511780/dns-sinkhole-campaign-underway-for-cryptolocker/ http://www.darkreading.com/risk/microsoft-hands-off-nitol-botnet-sinkhole-operation-to-chinese-cert/d/d-id/1138455 http://someonewhocares.org/hosts// -massive dns sinkholing list Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/ images: Image: https://www.enisa.europa.eu/topics/national-csirt-network/glossary/files/dns_sinkhole

Earl Carter spends all day researching exploit kits and using that information to protect customers from various malware payloads that spread ransomware. This week we sit down with him to understand the #Angler EK. He starts us off with a history or where it came from and how it gained so much popularity, evolving from earlier EKs, like #BlackHole, or WebAttacker. We even discuss how it's gone from drive-by downloads, to running only in memory, to being used in malvertising campaigns. We even get to hear about how the creators "rent" out the EK, and how they also control the malvertising side as well. Great insights into how the EK eco-system operates... We talk about some of the vulns used by exploit kits. Contrary to popular belief, the vulns used don't always have to be 0day. Blue teamers will learn valuable insights in protecting your networks from this EK. Direct Link:http://traffic.libsyn.com/brakeingsecurity/2016-022-earl_carter_dissects_angler_ek.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-022-earl-carter-dissects/id799131292?i=1000370105193&mt=2 Links referenced during the show: Earl's slides from Bsides Austin: http://www.slideshare.net/EarlCarter3/bsides-anglerevolution-talk-60408313 http://blog.0x3a.com/post/118366451134/angler-exploit-kit-using-tricks-to-avoid-referrer http://blogs.cisco.com/security/talos/angler-flash-0-day http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html https://isc.sans.edu/forums/diary/Angler+exploit+kit+pushes+new+variant+of+ransomware/19681 http://blogs.cisco.com/security/talos/angler-flash-0-day https://hiddencodes.wordpress.com/2015/05/29/angler-exploit-kit-breaks-referer-chain-using-https-to-http-redirection/ https://heimdalsecurity.com/blog/ultimate-guide-angler-exploit-kit-non-technical-people/ Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Ben Johnson (@chicagoben on Twitter) has spent a good deal of time working on protecting client's endpoints. From his work at the NSA, to being the co-founder of Carbon Black (@carbonblack_inc). We managed to have him on to discuss EDR (#Endpoint Detection and Response), TTP (#Tactics, Techniques, and Procedures), and #Threat #Intelligence industry. Ben discusses with us the Layered Approach to EDR: 1. Hunting 2. Automation 3. Integration 4. Retrospection 5. Patterns of Attack/Detection 6. indicator-based detection 7. Remediation 8. Triage 9. Visibility We also discuss how VirusTotal's changes in policy regarding sharing of information is going to affect the threat intel industry. Ben also discusses his opinion of our "Moxie vs. Mechanisms" podcast, where businesses spend too much on shiny boxes vs. people. Brakesec apologizes for the audio issues during minute 6 and minute 22. Google Hangouts was not kind to us :( Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-021-Ben_Johnson-Carbon_black-Threat_intelligence.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-021-carbon-blacks-cto/id799131292?i=1000369579669&mt=2 YouTube: https://youtu.be/I10R3BeGDs4 RSS: http://www.brakeingsecurity.com/rss Show notes: https://docs.google.com/document/d/12Rn-p1u13YlmOORTYiM5Q2uKT5EswVRUj4BJVX7ECHA/edit?usp=sharing (great info) https://roberthurlbut.com/blog/make-threat-modeling-work-oreilly-2016 Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr #TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Dr. Matt Miller is a professor at the University of Nebraska at Kearney. We had him on to discuss a matter that seems to weigh heavily on the infosec community. What will a CS degree get you? What are you learning these days as a future code jockey? Is skipping college altogether better? We discuss what he does to arm future developers with the tools necessary to get a job. We hear about what they also might be lacking in as well. Dr. Miller is also spearheading a new cybersecurity degree track at his university. We discuss what it's like to head that up, and we even get into a bit of discussion on Assembly language. ASM book used in the above class: http://www.drpaulcarter.com/pcasm/ Download here: http://www.drpaulcarter.com/pcasm/pcasm-book-pdf.zip We also discuss free alternatives for learning out there, and how effective they are. Show notes: https://docs.google.com/document/d/1Grimx_OCSURTktzM5QRKqsG9p9G5LljdleplH1DZQv4/edit?usp=sharing Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-020-College_vs_Certs_vs_self-taught.mp3 iTunes: https://itunes.apple.com/us/podcast/2016-020-college-vs.-certifications/id799131292?i=1000369124337&mt=2 YouTube Playlist: https://www.youtube.com/playlist?list=PLqJHxwXNn7guMA6hnzex-c12q0eqsIV_K RSS FEED: http://www.brakeingsecurity.com/rss Dr. Miller's CSIT-301 course on Assembly: https://www.youtube.com/playlist?list=PLSIXOsmf9b5WxCMrt9LuOigjR9qMCRrAC Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast #Twitter: @brakesec @boettcherpwned @bryanbrake @milhous30 #Facebook: https://www.facebook.com/BrakeingDownSec/ #Tumblr: http://brakeingdownsecurity.tumblr.com/ Player.FM : https://player.fm/series/brakeing-down-security-podcast #Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/