Talkin' Bout [Infosec] News

This is a joint webcast from Black Hills Information Security and Active Countermeasures. How many of us have tried some new configuration option, utility, or hardware on a production environment, only to crash a critical piece of the business? (me raising hand…) It’s amazing how quickly we learn not to do that! Now we have to decide – do we stop trying out new things because we’re scared of causing problems, or do we come up with a safe way to play and learn? We’re going to cover how to set up a Home Lab – an isolated environment where you can test new hardware, programs, and applications. By keeping this totally separate from everything else, you get free rein to play without risk to your other systems – and without risk of breaking any company policies! We’ll cover how to set this up, the equipment needed, and how to configure these. Best of all, you can use throwaway hardware to do it! Join the new Threat Hunting Community Discord discussion server: https://discord.gg/JmXpQFD Download slides: www.activecountermeasures.com/presentations 0:00 – You’re In Charge 2:06 – Ok. But Why? 7:18 – The Network Layout 9:43 – (John’s Spaghetti) 20:38 – Project Hardware 26:06 – Firewall 29:21 – Switch 30:53 – Wireless AP 36:49 – Sentinel (00:00) - You're In Charge (02:06) - Ok. But Why? (07:18) - The Network Layout (09:43) - (John's Spaghetti) (20:38) - Project Hardware (26:06) - Firewall (29:21) - Switch (30:53) - Wireless AP (36:49) - Sentinel (38:33) - File and Drive Image Transfer (41:04) - Laberv (43:41) - Guinea Pigs (44:46) - John's Setup Porn (46:44) - HELK (47:35) - Beaker (48:13) - Creating Evil (49:48) - Recording (50:14) - Incrementally Opening Up the Firewall (51:50) - Software (53:31) - Packet Capture (54:25) - Network Monitoring (55:09) - Scanning (56:12) - Disk Imaging (56:43) - On a Budget – What's Critical (57:04) - Closing Notes (58:05) - Questions (01:01:28) - See Something Cool

What does it mean to work from home across your corporate VPN? What exactly is VPN? Is your home office prepared? How can you improve and better secure your home network? Is your corporate network ready for the change in IT environment network access? Join us to explore these topics, and describe some potential actions you can take to improve your home office and network environment. And join the BHIS Discord to discuss all of this — https://discord.gg/ST5NdFu Download slides: https://www.activecountermeasures.com/presentations 0:00 – We’re Not In Normal Anymore 2:04 – Viral Pandemic Networking (VPN) 7:34 – Home Office Runner 11:16 – What’s Your Frequency, Kenneth? 17:17 – It’s Always DNS 19:12 – Secure The Perimeter 23:34 – Game Recognizes Game 27:55 – Master of Your Domain 43:36 – Solutions, Solutions, Solutions 47:20 – Remote Workers Unite! Individually In Your Own Homes! (00:00) - We're Not In Normal Anymore. (02:35) - Viral Pandemic Networking (VPN) (08:05) - Home Office Runner (11:47) - What's Your Frequency, Kennith? (17:48) - It's Always DNS (19:43) - Secure The Permitter (24:05) - Game Recognizes Game (28:26) - Master of Your Domain (44:08) - Solutions, Solutions, Solutions (47:51) - Remote Workers Unite! Individually In Your Own Homes. (51:41) - Questions and Answers

The team at Black Hills Information Security and Wild West Hackin’ Fest had to pivot from doing an in-person information security conference in San Diego to a 100% virtual conference with 6 days of notice. We had a little bit of experience doing a hybrid in-person/virtual conference in November 2019 (with 10 days’ notice). The response from the 400+ attendees about the virtual conference was overwhelmingly positive. We did it and you can do it, too. In this webcast, we discuss how it all happened, including how we ended our agreement with our venue. We talk about all the things we learned and what we’d do differently next time. 0:00 – Trust Us, We’re Not Experts 0:40 – Suddenly Virtual 3:15 – Venue Vámonos 11:58 – What Now? 18:58 – Let’s All Go To The Lobby (and have ourselves a chat) -LobbyCon/Discord 32:24 – A Stream of Logistics 43:29 – The Calm 46:07 – The Storm 51:48 – The End Credits Scene 56:40 – Any Questions? Join the BHIS Blog Mailing List – get notified when we post new blogs, webcasts, and podcasts. Join 2,087 other subscribers Email Address Subscribe (00:01) - Trust Us, We're Not Experts (01:11) - Suddenly Virtual (03:46) - Venue Vámonos (12:29) - What Now? (19:29) - Let's All Go To The Lobby (and have ourselves a chat) (32:55) - A Stream of Logistics (44:00) - The Calm (46:38) - The Storm (52:19) - The End Credits Scene (57:12) - Any Questions?

In this webcast, we will cover what we can do if we think there is a breach on our network. We will cover live forensics, cool PowerShell scripts, network, and event log analysis, cool IR spreadsheets, and checklists. We will also be covering the status of our ELK project for reviewing Event ID 3 from Sysmon. So, a lot… Yep… A crazy amount. Download slides: https://www.activecountermeasures.com/presentations 00:00 – Intro 00:47 – “Ok, But Why” 02:17 – Have It The Wrong Way 04:35 – Have It The Right Way 06:58 – Lego My Incident Response 08:25 – Monologging On Mute 11:57 – Wouldn’t Be Prudent 14:29 – “Better Than Bad, It’s Good” 21:33 – A Van Full of Free Tools 44:10 – CSI: Memory 45:01 – We Got Cheat Sheets if You Want Some Cheat Sheets 47:20 – Overlapping Venn Diagrams 49:46 – Questions in the Wild 59:15 – Sucking at Capitalism Join the BHIS Blog Mailing List – get notified when we post new blogs, webcasts, and podcasts. Join 2,052 other subscribers (00:00) - Intro (01:18) - Ok, But Why (02:49) - Have It The Wrong Way (05:07) - Have It The Right Way (07:30) - Lego My Incident Response (08:56) - Monologging On Mute (12:28) - Wouldn't Be Prudent (15:00) - Better Than Bad, It's Good (22:04) - A Van Full of Free Tools (44:41) - CSI: Memory (45:32) - We Got Cheat Sheets if You Want Some Cheat Sheets (47:51) - Overlapping Venn Diagrams (50:17) - Questions in the Wild (59:46) - Sucking at Capitalism

Do you know what your attackers know? There’s a good chance you know, but you might not be aware of just how much information can be found historically and in real-time about your business operations and organization. Join Jordan Drysdale and Kent Ickler as they discuss and demonstrate Purple Team Enterprise Reconnaissance methods that increase operational network awareness and overall security posture. Download slides: https://activecountermeasures.com/presentations 00:00 – Intro 00:42 – Executive Problem Statement 02:25 – Recon You Say? 06:11 – Your Internal Friends… Sometimes 09:01 – What Does Purple Team Do, Exactly? 10:13 – There Are A Ton Of Sources Out Here 49:55 – And Now For Some Crappy Code Learn how to monitor cloud services for your organizations’ data being dumped on the web, account compromises, and source code disclosure. Use external services to keep an eye on your external landscape to alert on unexpected changes. See configurations of operational awareness uncover potential attacker’s methodology and infrastructure to provide you an upper-hand in stopping threats before they escalate. See how an attacker utilizes common internet sources to gather intelligence about your technology stack, your perimeter security, your wireless networks, and plan attacks against your organization. Know what your attacker knows. Wild West Hackin’ Fest – Most Hands-On Infosec Con! Join us at the new Way West Wild West Hackin’ Fest in San Diego — March 11-13th, 2020. Learn more: https://www.wildwesthackinfest.com/ Join the BHIS Blog Mailing List – get notified when we post new blogs, webcasts, and podcasts. Join 1, (00:00) - Intro (00:42) - Executive Problem Statement (02:25) - Recon You Say? (06:11) - Your Internal Friends... Sometimes (09:01) - What Does Purple Team Do, Exactly? (10:13) - There Are A Ton Of Sources Out Here (49:55) - And Now For Some Crappy Code

In this webcast, we have our friend Hal Pomeranz sharing his massive knowledge on Linux. If you’re new to Linux, or if you know it and just want to hear from Hal’s years of using and teaching all things Linux, then this is the webcast for you. Download slides: http://www.deer-run.com/~hal/CLDojo.pdf 0:00 – Intro to Hal 9000 4:05 – It’s A UNIX System 7:34 – Who’s Trying Naughty URLS? 27:07 – Care About the Environment 48:24 – Questions & Answers From Hal: The Linux command-line is an amazingly powerful programming environment. Mastering its functionality can make you enormously more productive. Sensei Hal gives you critical insights into tackling difficult command-line challenges in this fast-paced and entertaining presentation. Who is Hal? Hal Pomeranz is the Founder and Technical Lead of Deer Run Associates, a consulting company focusing on Computer Forensic Investigations and Information Security. He has spent more than twenty years providing pragmatic Information Technology and Security solutions for some of the world’s largest commercial, government, and academic institutions. An expert in the investigation of Linux/Unix systems, Hal has provided Computer Forensic investigative support for several high-profile cases to both law enforcement and commercial clients. Wild West Hackin’ Fest – Most Hands-On Infosec Con! Join us at the new Way West Wild West Hackin’ Fest in San Diego — March 11-13th, 2020. Learn more: https://www.wildwesthackinfest.com/ Join the BHIS Blog Mailing List – get notified when we post new blogs, webcasts, and podcasts. Join 1,975 other subscribers Email Address (00:00) - Intro to Hal 9000 (04:05) - It's A UNIX System (07:34) - Who's Trying Naughty URLS? (27:07) - Care About the Environment (48:24) - Questions & Answers

Backdoors & Breaches kind of took off. In case you don’t know, Backdoors & Breaches is an Incident Response Card Game to help people better understand the various attacks and defenses used in security today. We have sold out twice on Amazon, given out thousands of copies for free at conferences, and sent 2,000+ free decks to infosec educators (with a few thousand more decks to go). As a standalone game, with an Incident Master driving the narrative, it works really well. However, we have something else that we have been working on… Competitive Backdoors & Breaches. Yes, you can play this game against your co-workers. It just takes at least two decks. In this live webcast, we will be covering: advice for being an Incident Master; playing the regular game with remote teammates; answering many of your questions about gameplay; and introducing the rules on how to play this game competitively against another player. Download slides: https://www.activecountermeasures.com/presentations 4:38 – Ok, But Why? 5:55 – State of Play 9:27 – Initial Compromise Card 10:31 – Persistence Card 11:53 – C2 and EXFIL Card 14:01 – Pivot and Escalate Card 14:36 – Procedures Card 16:27 – State of Play 17:51 – Initial Setup 20:13 – Resource Points (RP) 25:41 – Building the Kill Chain (00:00) - Kinda Goofy (04:38) - Ok, But Why? (05:55) - State of Play (09:27) - Initial Compromise Card (10:31) - Persistence Card (11:53) - C2 and EXFIL Card (14:01) - Pivot and Escalate Card (14:36) - Procedures Card (16:27) - State of Play (17:51) - Initial Setup (20:13) - Resource Points (RP) (25:41) - Building the Kill Chain (28:20) - Attack in Depth (29:20) - Completing the Kill Chain (31:31) - Defend Rolls (34:33) - For Example (37:29) - Let's Play a Game (47:39) - Any Questions?

Ever wanted to get started in cyber deception? Ever wanted to do it for free? In this BHIS webcast, we will cover some basic, legal, and easy tools/techniques to get you started in working with low interaction honeypots to serve as an early warning of attacks. We will also be sharing a recipe for making wine out of pentester tears. Because attacker tears make the best wine. Download slides: https://www.activecountermeasures.com/presentations/ 1:00 – A Few Cool Things 6:00 – Beginnings of Cyber Deception 9:08 – Conversations 16:34 – Canarytokens 18:42 – Scenario: Recon 23:02 – .exe 36:13 – Cloned Websites! 39:07 – Word Docs!!! 47:41 – One Step Forward 51:58 – Honeybadger Update 53:56 – Back To Threat Intel; How BHIS Uses It 56:03 – Questions This webcast was originally recorded live on January 23, 2020 with John Strand. Wild West Hackin’ Fest – Most Hands-On Infosec Con! (00:00) - Introduction (01:00) - A Few Cool Things (06:00) - Beginnings of Cyber Deception (09:08) - Conversations (16:34) - Canarytokens (18:42) - Scenario: Recon (23:02) - .exe (36:13) - Cloned Websites! (39:07) - Word Docs!!! (47:41) - One Step Forward (51:58) - Honeybadger Update (53:56) - Back To Threat Intel (55:21) - How We Use It (56:03) - Questions

https://media.blubrry.com/bhis/content.blubrry.com/bhis/BHIS_Podcast_Passwords_Youaretheweakestlink.mp3 Why are companies still recommending an 8-character password minimum?  Passwords are some of the easiest targets for attackers, yet companies still allow weak passwords in their environment. Multiple service providers recommend 8-character minimum passwords based on outdated data.  Download Slides: https://www.activecountermeasures.com/presentations Originally recorded as a live webcast on December 5th, 2019 Presented by: Darin Roberts & CJ Cox Because of newer attack methods and increased computing power, password minimums need to be increased to 15 characters to keep networks safe.  On this BHIS Webcast, Darin & CJ discuss: * Current password policies: BHIS recommendations, Microsoft, Google, Apple, NIST * Why do we recommend 15 characters – brute force, password crack, LM Hash * Passphrase vs. password * Recommended password policy summary Wild West Hackin’ Fest – Most Hands-On Infosec Con! Join us at the new Way West Wild West Hackin’ Fest in San Diego — March 11-13th, 2020. Learn more: https://www.wildwesthackinfest.com/ Join the BHIS Blog Mailing List – get notified when we post new blogs, webcasts, and podcasts. Join 1,896 other subscribers Email Address Subscribe (00:00) - Start (01:04) - Introduction (03:26) - In The Beginning (04:23) - What The Experts Say : PCI (05:55) - What The Experts Say : Microsoft (09:29) - What The Experts Say : NIST (16:01) - What The Experts Say : Google (16:28) - What The Experts Say : Apple (16:42) - Still More Experts (17:49) - Why 15 Characters (18:06) - Brute Force (18:44) - Password Spray (22:48) - Password Cracking (23:25) - A Hashing Algorithm (24:07) - More About Hashes (25:49) - So What Is Password Cracking (27:16) - Windows Hashes (27:42) - The LM Hashing Algorithm (29:46) - LM Hash Is "Weak" (30:55) - LM Vs. NTLM Cracking (31:14) - Why 15 Character Passwords – Answer (32:06) - CJ's Response to the Problem (36:32) - Let's See the Mathm (37:09) - Math Examples (40:30) - From the Field (42:47) - Would You Like To Play A Game? (45:03) - Take Aways (46:46) - Are You Really Going To Let This Guy Decide (48:33) - Audience Questions & Comments

Want to learn how attackers bypass endpoint products? Download slides: https://www.activecountermeasures.com/presentations/ 3:41 – Alternate Interpreters 9:19 – Carbon Black Config Issue 15:07 – Cisco AMP EDR – Quick and Easy Bypass 18:24 – PowerShell AMSI Bypass – Rhino 19:07 – CylancePROTECT Bypass 24:14 – Windows Defender and Carbon Black Bypass 30:36 – Windows Subsystem for Linux 39:59 – PowerShell HTTP Web Cradle for Downloads Last year we came to the conclusion that we are going to keep going with the Sacred Cash Cow Tipping Webcast series. Why? Because many in the industry still believe that security is something that can be achieved through the purchase of a single product. To that end, we feel there is still a need to deconstruct certain parts of security (like AV) and show that there are always structural weaknesses in every security product that is implemented. This is becoming even more important now that many of the advanced endpoint products are not just fire-and-forget but have an endless array of different configurations that enable a company to shoot themselves in the foot by reducing the overall effectiveness of these products. So, yes, Sacred Cash Cow Tipping is more important than ever. To that end, our next webcast will be on bypassing endpoint security products. The goal of this webcast is to help show people that there is still no silver bullet in security. We also desperately want to show that configuration and monitoring still matters. This is our first webcast of the year. It may run longer than 60 minutes. It will be recorded. We will have a team of Black Hills Testers answering questions throughout the webcast. We have room for 3,000 attendees, so you will be able to attend live if you want. Wild West Hackin’ Fest – Most Hands-On Infosec Con! Join us at the new Way West Wild West Hackin’ Fest in San Diego — March 11-13th, 2020. Learn more: https://www. (00:00) - Intro (03:41) - Alternate Interpreters (09:19) - Carbon Black Config Issue (15:07) - Cisco AMP EDR - Quick and Easy Bypass (18:24) - PowerShell AMSI Bypass – Rhino (19:07) - CylancePROTECT Bypass (24:14) - WIndows Defender and Carbon Black Bypass (30:36) - Windows Subsystem for Linux (39:59) - PowerShell HTTP Web Cradle for Donwloads