Webcasts

Webcast Archive

Want to attend our webcasts live? See what’s coming next on our Events page.

Recorded•2021-06-02
Join the Threat Hunter Community https://discord.gg/dnmvXkz
0:00:00 - PreShow Banter™ — Spring Driven
0:03:27 - PreShow Banter™ — C2 You Later
0:06:36 - PreShow Banter™ — Shut Down The System
0:12:59 - FEATURE PRESENTATION: This Traffic Looks Suspicious…
0:16:32 - Overview
0:16:44 - Start With Shared Doc
0:19:31 - Pull Together Details
0:20:43 - Investigate Traffic
0:23:24 - Packet Capture
0:25:53 - Pcap Files
0:27:27 - Analysis Tools
0:28:38 - Investigate Hosts
0:30:02 - IP Information
0:30:46 - Investigate Processes
0:33:45 - Using BeaKer
0:35:35 - Compare To Policies
0:38:56 - Final Choice – Good Traffic
0:41:02 - Final Choice – Bad Traffic
0:43:27 - Final Choice – Indifferent
0:45:00 - Cleanup
0:52:13 - Prepare for the Next Time
0:53:53 - Writeup
0:56:00 - Other Things to Consider
1:01:17 - Additional Resources
1:01:48 - Wrap Up Questions

**All YouTube ad revenue donated to the Innocent Lives Foundation**
https://www.innocentlivesfoundation.org

Threat Hunting is the first in a series of steps - finding the traffic that might be malicious. But what's next? How do we turn the potential threats into actions?

In this Active Countermeasures (ACM) webcast, Bill Stearns will go over how to investigate the traffic, classify it, and handle it appropriately. We'll look at the traffic in more detail, including how to capture more of it. We'll also look at some excellent sources of information about the IP addresses in question. We'll also look at allowlisting approaches to handle legitimate traffic for your environment.

This Webcast will be recorded. Join the THREAT HUNTING COMMUNITY Discord Server to engage with the presenters and your fellow attendees during the live session of the webcast: https://discord.gg/dnmvXkz

August 20th, 2021


A|C — This Traffic Looks Suspicious... What Should I Do? | Bill Stearns

Recorded • 2021-07-07
Join the Threat Hunter Community https://discord.gg/dnmvXkz
00:00 - PreShow Banter™ — Super Awesome by Default
07:57 - FEATURE PRESENTATION: Hacking Packet Captures | Hannah Cartier
09:09 - Why Packet Captures?
09:59 - What Are Packets
11:09 - How Do We Capture Them?
13:31 - Where To Capture Them?
15:21 - Span Ports
15:48 - Full Captures vs Metadata Captures
17:02 - Full Packet Capture Problem
18:15 - Wild Zeek Logs - Metadata Captures
19:17 - Malicious Traffic and Hacked Packets
20:20 - Source IP Spoofing
21:31 - Invalid Flag Combinations
22:07 - Protocol Tunneling
23:26 - Packets Captured - Analyze Them!
24:19 - ACM’s Favorite Tools
25:06 - Looking for What Isn’t There
27:36 - Finding Suspicious Packets With Passer
28:40 - Suspicious Packets in Wireshark
29:33 - Reconstructing Files
31:18 - Be Careful Sharing Your Captures
32:53 - Send Some Funky Pings
33:45 - [Post]Show Banter™ – Wrap Up

**All YouTube ad revenue donated to the Innocent Lives Foundation**
https://www.innocentlivesfoundation.org

In this webcast, we are digging into the nitty-gritty details of packet captures and how to interpret the vast amount of data they produce. Our goal is to explain anything and everything you could possibly want to know about packet captures at a level that beginner or aspiring network threat hunters will be able to understand.

With the rising importance of network security, we believe it is necessary to have a strong understanding of how the network works and of the data we are collecting. The better our understanding of network traffic is, the easier it becomes to hypothesize about how intruders might be behaving, and to stop attacks. We will discuss different methods of capturing packets, how to make use of the data, and several open-source tools you can start using to threat hunt your network right now.

This Webcast will be recorded. Join the THREAT HUNTING COMMUNITY Discord Server to engage with the presenters and your fellow attendees during the live session of the webcast: https://discord.gg/dnmvXkz

August 14th, 2021


A|C — Hacking Packet Captures: The Foundations of Network Security | Hannah Cartier & Keith Chew

Recorded • 2021-05-05 
Join the Threat Hunter Community https://discord.gg/dnmvXkz
00:00 - PreShow Banter™ — Powered by Coal
05:17 - PreShow Banter™ — Creepy Doll
06:49 - PreShow Banter™ — Meet the Crew
08:21 - PreShow Banter™ — Malware of the Day
09:27 - PreShow Banter™ — Company Shirts
12:25 - PreShow Banter™ — Florida Wild Kingdom
15:34 - FEATURE PRESENTATION: Beacon Analysis - The Key to Cyber Threat Hunting
15:51 - Why look for Beacons?
19:25 - The Purpose of Threat Hunting
20:50 - What is a Beacon?
27:55 - Beacon Detection based on Timing
33:38 - Beacon Detection based on Session Size
40:25 - Potential False Positives
44:08 - DEMO: Example Hunt
52:15 - How do you practice?
55:38 - QnA

**All YouTube ad revenue donated to the Innocent Lives Foundation**
https://www.innocentlivesfoundation.org

Beacon analysis is by far the most effective method of threat hunting your network. In fact, I would argue that if you are not checking your network for beacon activity, you have a huge gap in your defenses that attackers will happily leverage.

In this webcast, join Chris Brenton as he discusses the anatomy of beacons and why you need to be looking for them during a threat hunt. He also talks through the challenges of detecting beacons, and some tricks you can use.

Attendees of this webcast will also have a chance to win prizes in a special contest!

This Webcast will be recorded. Join the THREAT HUNTING COMMUNITY Discord Server to engage with the presenters and your fellow attendees during the live session of the webcast: https://discord.gg/dnmvXkz

August 11th, 2021


A|C — Beacon Analysis – The Key to Cyber Threat Hunting | Chris Brenton

Recorded • 2021-04-07
Join the Threat Hunter Community https://discord.gg/dnmvXkz 
0:00:00 - PreShow Banter™ — Good Ol Days
0:17:23 - FEATURE PRESENTATION: How to Get Started in Cyber Threat Hunting
0:19:47 - The Purpose of Threat Hunting
0:20:29 - What does “Threat Hunting” Mean?
0:23:02 - Do you remember @TayandYou
0:25:34 - What Threat Hunting Should Be
0:27:33 - Threat Hunting as a Process
0:31:21 - It’s about Business Need Discovery
0:33:55 - What does Threat Hunting Replace?
0:35:25 - Threat Hunting Adoption
0:38:42 - What Soft Skills are Needed?
0:46:15 - What Technical Skills are Needed?
0:50:43 - What Tools Should You Learn?
0:53:00 - How to Develop Your Skills
0:57:14 - DEMO: Game Time!
1:16:38 - QnA

**All YouTube ad revenue donated to the Innocent Lives Foundation**
https://www.innocentlivesfoundation.org

One of the cool things about cyber threat hunting is that the discipline has been around for less than five years. This means that if you get in now, you are in on the ground floor, which can look really good on a resume!

But how do you get started? What's the process and what skills do you need to become an effective threat hunter? How do you hone these skills when most organizations are just starting to figure out that they need threat hunters? 

Join Chris Brenton and the Active Countermeasures team in this webcast, as we discuss all of these topics and more!

Join the THREAT HUNTING COMMUNITY Discord Server to engage with the presenters and your fellow attendees during the live session of the webcast: https://discord.gg/dnmvXkz

August 10th, 2021


A|C — How To Get Started in Cyber Threat Hunting | Chris Brenton

Join the THREAT HUNTING COMMUNITY Discord: https://discord.gg/dnmvXkz
00:00 - PreShow Banter™ — The Dark Side of the Web
01:22 - FEATURE PRESENTATION: A Look at Espy
03:08 - What is Espy?
04:36 - Data Flow Visualization
06:49 - Zeek Logs
16:10 - DEMO - Logs
18:27 - Espy + AC Hunter
19:17 - DEMO – AC Hunter
21:15 - Questions and answers
47:43 - FREE Threat Hunt Training Schedule (https://www.activecountermeasures.com/cyber-threat-hunting-training-course/)

https://www.activecountermeasures.com/free-tools/espy/
https://github.com/activecm/espy

The issues of a distributed workforce used to be handled by a relatively small number of organizations with a few traveling salespeople or work-from-homers. Now they exist in most technical organizations. Lately, even more organizations are implementing remote workforces or a mix of in-office and at-home workers. It’s amazing to see just how many people can do their jobs from home if given the right tools and flexibility on how and when the job is done.

Unfortunately, this also means that network monitoring becomes impractical. There’s no single point where I can put a network sensor to see hundreds or thousands of employees’ network traffic and look for security issues. Even saying “let’s put a sensor in everyone’s home network” has significant privacy, performance, support, and cost issues.

If we are going to watch a relatively small number of company-owned systems, we want to avoid watching personal machines that are also on those home networks, and we want to keep the cost per site down. Let’s consider watching the network traffic right on the company laptops... and this is where espy comes in.

espy is a tool integrated into our product AC-Hunter, but it is also an open-source tool! Join Naomi Kramer in taking a look at how espy works, and how you can use it to protect your network.

April 19th, 2021


A Look at espy - Naomi Kramer - 1-Hour

Join the Threat Hunting Community on Discord: https://discord.gg/tbQBAzT
Slides & VM: https://www.activecountermeasures.com/cyber-threat-hunting-training-course/
0:00:00 - PreShow Banter™ — Tales of Great Ambitions
0:16:47 - Chris Crowley Plugs His Upcoming SOC Class (https://soc-class.com/)
0:21:32 - Meet the ACM Teams
0:26:45 - This is the Way: The Path to Threat Hunting Careers
0:29:34 - FEATURE PRESENTATION: Network Cyber Threat Hunter Training
0:34:43 - How We Try To Catch Bad Guys
0:38:12 - Limitations of Logging
0:50:52 - Threat Intel Feeds?
0:55:50 - What Should Threat Hunting Be?
1:01:04 - Starting With the Network
1:14:40 - What to Look For
1:18:51 - Keeping Score
1:21:57 - Blind Spots to C2 Targeting
1:24:13 - C2 Detection
1:28:36 - Bad Guys V Red Teams
1:31:00 - Long Connections
1:39:53 - Bro V Zeek?
1:43:31 - Zeek Has a Timeout Problem
1:49:49 - Anyway, Here’s Firewalls
1:50:45 - Beacons!
1:59:06 - False Positives? Unexpected Results?
2:17:15 - Destination IP Address
2:19:55 - Internal Systems
2:21:27 - Event ID Type 3
2:23:07 - Passer
2:25:44 - C2 Detection Tools
2:43:31 - C2 Labs
2:46:17 - LAB: Find Long Connections
3:02:50 - LAB: Investigate Long-Talkers
3:10:36 - LAB: Beacons By Session Size
3:31:25 - LAB: C2 Over DNS
3:39:11 - LABS Again, But With RITA
3:49:46 - AI Hunter
3:53:55 - That’s All, Folks

Chris Crowley's SOC class:
https://soc-class.com/

**This session will have updated labs and content that was not included in past trainings!**

Chris Brenton from Active Countermeasures is conducting another free, one-day, Cyber Threat Hunting Training online course!

One of the biggest challenges in security today is identifying when our protection tools have failed and a threat actor has made it onto our network. 

In this free, 4-hour course, we will cover how to leverage network and host data to perform a cyber threat hunt. 

The focus will be on processes and techniques that can be used to protect:
- Desktops
- Servers
- Network gear
- IIoT
- BYOD systems

The course includes hands-on labs using packet captures of various command and control channels. 

We also discuss how you can use our new tool BeaKer to detect attacks on the host with Sysmon... for free!

The labs enable you to apply what you've learned using various open-source tools. 

By the end of the course, you’ll understand the tools and techniques needed to perform compromise assessments within your own environment. While the course will be available later for download, live attendees will receive a "Cyber Security Threat Hunter Level-1" certificate.


Why are we doing it? Cyber threat hunting is a relatively new discipline. As an industry, we are still formulating standards and procedures. We want to do our part by giving back to the security community. We are hoping that by sharing what we've learned we can help spark new ideas and threat hunting tools. Let's build a community and solve these problems together.

November 5th, 2020


Cyber Threat Hunting | Chris Brenton | October 2020 | 4 Hours

Passer — Effortless Network Knowledge! | Bill Stearns | 1 Hour

Join Our Threat Hunter Community Discord: https://discord.gg/qyy9vrE
Download RITA: https://www.activecountermeasures.com/free-tools/rita/
     0:00 - PreShow Banter™ - Many New Faces
     3:42 - Hacking RITA
     6:02 - Workspace Setup
     7:49 - RITA Repo Cheat Sheet
     9:29 - Database Cheat Sheet
   11:09 - Metadata Cheat Sheet
   12:07 - RITA Commands
   14:06 - RITA Command File
   15:22 - Lisa's Lazy Dev Quickstart
   18:37 - What About Arguments
   20:53 - Build A Query
   21:43 - Query Time
   29:27 - Bonus: Alternative Query
   35:02 - Slap a BSON
   40:47 - Testing / Bonus:  RegEx Results!
   41:36 - HTML Output Woes?
1:00:05 - Got Questions?

Originally Recorded Live, August 5, 2020

Have you ever wanted something to be slightly different in RITA? To contribute a new feature, perhaps, or customize the input and output fields of your local version? 

Many of our users are not developers, and even if they are, the complexity of the project can quickly become overwhelming or intimidating. We get frequent feedback with the common, underlying blocker of needing to "sit down and learn GO". You don't need to learn GO to start working with it! 

In this webcast, we go through the process that new devs use to start working with a new language they don't know. We set up your work environment, isolate which files in the project are relevant to what you want to change, and walk through making minor tweaks together. We will make mistakes, search Stack Overflow, and get you started hacking on RITA!

August 12th, 2020


Hacking RITA with Lisa Woody (1 Hour)

Check out BeaKer: https://github.com/activecm/BeaKer
Join Our Threat Hunter Discord Community: https://discord.gg/QNzjnd7
00:00 - PreShow Banter™ – Listen Only Mode
  4:27 - Exploring BeaKer
  7:35 - A Common Problem
  9:59 - What Beaker Does
11:42 - Example of Beaker at Work
15:32 - Beaker is What?
16:45 - Sysmon ( https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon )
17:39 - Event ID 3 Example
19:19 - It's All Been Done Before
23:45 - Focus On a Quick Reference Tool
25:37 - Beaker Dashboard
33:20 - What BeaKer Sees 
48:21 - Questions?

Originally recorded live July 1st, 2020. 

How many times have you been reviewing your firewall logs, NIDS alerts, packet decodes, or similar, and wished you had an easy way to see which application created the network connection you are analyzing? Yup, us too, that's why we created BeaKer. 

"BeaKer" is our latest open source project that connects together Sysmon, Winlogbeat and an ELK stack so that you can quickly and easily run down which applications are communicating with other systems across the network. It acts as a bridge between your network data and your host logs. 

So imagine I'm reviewing my outbound firewall logs and I notice a connection pattern that looks like command and control (C2) traffic. With BeaKer, I can quickly pivot to see which application is creating those connections. If I find something suspicious, I can rapidly expand the view to include all host and user data within the defined time range. This way I can quickly obtain the full context of the attack. 

Watch our free webcast "Exploring BeaKer" to learn more about how to effectively use this tool.

August 10th, 2020


Exploring BeaKer w/ Chris Brenton (1-Hour)

Join the new "Threat Hunting Community" Discord discussion server: https://discord.gg/w23C3rd
 0:00 – You're In Charge
2:06 – Ok. But Why?
7:18 – The Network Layout
9:43 – (John's Spaghetti) 
20:38 – Project Hardware
26:06 – Firewall
29:21 – Switch
30:53 – Wireless AP
36:49 – Sentinel
38:33 – File and Drive Image Transfer
41:04 – Laberv
43:41 – Guinea Pigs
44:46 – John's Setup Porn
46:44 – HELK
47:35 – Beaker
48:13 – Creating Evil
49:48 – Recording
50:14 – Incrementally Opening Up the Firewall
51:50 – Software
53:31 – Packet Capture
54:25 – Network Monitoring
55:09 – Scanning
56:12 – Disk Imaging
56:43 – On a Budget – What's Critical
57:04 – Closing Notes
58:05 – Questions
1:01:28 – See Something Cool

The Slide deck can be found here: http://activecountermeasures.com/presentations inside the ACM_Webcasts folder

How many of us have tried some new configuration option, utility, or hardware on a production environment, only to crash a critical piece of the business? (me raising hand... 🙂 ) It's amazing how quickly we learn not to do that! Now we have to decide - do we stop trying out new things because we're scared of causing problems, or do we come up with a safe way to play and learn?

We're going to cover how to set up a Home Lab - an isolated environment where you can test new hardware, programs, and applications. By keeping this totally separate from everything else, you get free rein to play without risk to your other systems - and without risk of breaking any company policies!

We'll cover how to set this up, the equipment needed, and how to configure these. Best of all, you can use throwaway hardware to do it!

April 20th, 2020


How to Build a Home Lab – Bill Stearns

Download slides: https://www.activecountermeasures.com/presentations/
1:30 Introduction on Gcat, basic protections, why Gcat is hard to detect, Zeek, Zcat, Bro, and why simply looking at delta time can't help identify an attack
14:22 Using packet data to help determine a Gcat attack
21:32 Analyzing packet data with RITA and AI-Hunter
29:43 Lessons Learned
33:52 Q&A

Schedule a personal demo of AI-Hunter, our network threat hunting software solution: https://www.activecountermeasures.com/ai-hunter-demo

Presented by: Chris Brenton

First, please check out the far right side of the MITRE Technique Matrix, specifically the Command and Control column:
https://attack.mitre.org/matrices/enterprise/

While many of these techniques are pretty straightforward, some can be a bit harder to get your head around. Specifically, Web Service:
https://attack.mitre.org/techniques/T1102/

This is where an attacker uses a web service (think Gmail) as a C2.

We received so much positive feedback on our deep dive into dnscat2 as a C&C channel that we've decided to continue the C&C decoding series. In this webcast we cover Gcat, the infamous tool that was among those used to bring down the Ukrainian power grid. Detection here is tricky, as Gcat can look like a regular end user checking their email. However, there are some tell-tale traits you can key in on. Just like last time, this will be an intermediate-level walkthrough. We start with some raw decodes and work our way through the various possibilities for detection.

Here is a link describing how this backdoor was used in the Ukrainian power grid attack:
https://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-industry/

May 8th, 2019


ACM Webcast: Network Decoding GCat Command & Control

Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to email us with your ideas!

Latest Active Countermeasures Blog Posts: