Webcasts

June 1st, 2022

Every threat hunter needs a set of tools they can count on when completing a hunt. In this webcast, Chris Brenton will go over his "threat hunting toolbox" discussing what open source tools he uses and why.

Join our Threat Hunter Community Discord Server to join in on the conversation during and after the webcast: https://discord.gg/threathunter

45 0

May 5th, 2022

–––– Chat in Discord:
Join the Threat Hunter Community: https://discord.gg/threathunter


00:00 - Preshow Banter
31:07 - FEATURE PRESENTATION

AC-Hunter in Azure Marketplace: https://azuremarketplace.microsoft.com/en-us/marketplace/apps/activecountermeasuresinc1631039410073.ach-azure-release?tab=Overview


Threat hunting in a cloud environment is tricky. The span port we depend on to get a copy of all network traffic doesn’t usually exist in the cloud as there aren’t physical switches between virtual machines. However, even if we can’t capture traffic on the (virtual) network at a Cloud provider, we can still capture network traffic at each individual server.


Our developers at Active Countermeasure have created an integration between AC-Hunter and Azure that does exactly this! We now provide easy integration with Azure systems and are in the process of offering an appliance in the Azure Marketplace! This software will tell each machine to self-report its network traffic back to a new AC-Hunter server.


In this webcast, ACM developers Brian & Logan will discuss our journey in getting this integration deployed, walk folks through some of the caveats we ran into with network watcher, and discuss the current state of AC-Hunters integration with Azure. We will also have time at the end to answer questions from attendees on this new AC-Hunter feature.

10 0

April 19th, 2022

Lab & Slide Deck Downloads can be found here: https://www.activecountermeasures.com...

Pre-show Banter – 0:00:00
Training Begins – 0:33:50
Hands-on Labs – 4:05:04

Join our Threat Hunter Community Discord Server to join in on the conversation during and after the webcast: https://discord.gg/threathunter

Sign up for our mailing list to stay updated on future webcasts and training: https://www.activecountermeasures.com/subscribe

51 4

March 30th, 2022

–––– Chat in Discord:
Join the Threat Hunter Community: https://discord.gg/threathunter

00:00 - FEATURE PRESENTATION
09:46 - DEMO on Screen
55:20 - Questions and Closing

So you've studied threat hunting methodology and researched all the threat hunting tools... but how do you actually apply all this knowledge into doing a real threat hunt?

In this webcast, Chris Brenton will walk through using Zeek and RITA to do a full hunt from the initial review of the data, through identifying which host is compromised to pinpoint what (if any) data has been exfiltrated.

Join our Threat Hunter Community Discord Server to join in on the conversation during and after the webcast: https://discord.gg/threathunter

43 2

March 16th, 2022

–––– Chat in Discord:
Join the Threat Hunter Community: https://discord.gg/threathunter

–––– For Certificates, Register and Watch Here:
https://zoom.us/webinar/register/6516462565714/WN_HKOQZDF0SIyOETLyEgq0Aw


R.I.T.A. (Real Intelligence Threat Analytics) is an open-source framework for detecting command and control communication through network traffic analysis. But how exactly does RITA work? How is RITA able to find beacons and account for jitter?

In this webcast, Chris Brenton and Lisa Woody will discuss the inner workings of RITA and how it is able to threat hunt your network traffic so effectively.

Join our Threat Hunter Community Discord Server to join in on the conversation during and after the webcast: https://discord.gg/threathunter

27 1

March 3rd, 2022

–––– Chat in Discord:
Join the Threat Hunter Community: https://discord.gg/threathunter

–––– For Certificates, Register and Watch Here:
https://zoom.us/webinar/register/WN_l2iAjEMsSW-AzN1DXPEgGg

Our "Malware of the Day" blog series has become a huge hit over the last year and a half! The goal of the blog series is to help people more easily identify potential threats on their network by becoming familiar with the network communication methods commonly seen from observed malware.

We have received a lot of great feedback on how helpful the blogs are to the community, as well as gotten a lot of requests to do a live webcast for the series. The community asked... so we answered! Join Keith Chew (creator of the blog series) Wednesday, March 2nd in this Malware of the Day - Webcast Edition!

Join our Threat Hunter Community Discord Server to join in on the conversation during and after the webcast: https://discord.gg/threathunter

19 0

March 1st, 2022

Lab & Slide Deck Downloads can be found here: https://www.activecountermeasures.com/cyber-threat-hunting-training-course/

Pre-show Banter – 0:00:00
Training Begins – 0:21:41
Hands-on Labs – 2:58:42

Join our Threat Hunter Community Discord Server to join in on the conversation during and after the webcast: https://discord.gg/threathunter

Sign up for our mailing list to stay updated on future webcasts and training: https://www.activecountermeasures.com/subscribe/

36 2

January 19th, 2022

Lab & Slide Deck Downloads can be found here: https://www.activecountermeasures.com/cyber-threat-hunting-training-course/

Pre-show Banter – 0:00:00
Training Begins –
Hands-on Labs –

Join our Threat Hunter Community Discord Server to join in on the conversation during and after the webcast: https://discord.gg/threathunter

67 2

January 6th, 2022

––– Live Chat in the Discord Threat Hunter Community:
https://discord.gg/threathunter

––– For certificates, register and watch here:
https://attendee.gotowebinar.com/register/3863077349011053067

What do you do when you're caught between a loaded high-speed network cable and a packet analysis tool that just can't keep up? Instead of spending money on expensive load balancers or multiple analysis systems, why not simply stop analyzing high-speed connections on that cable? By stripping out known "good" traffic, your sniffer can focus on the malicious and grey traffic.

This webcast will focus on BPF (Berkeley Packet Filter); the packet filtering system that's part of every operating system and the packet description language BPF uses. With a minimal amount of effort, you can filter out between 30% and 90% of the known good traffic, reducing packet loss, CPU load, and storage requirements.

This Webcast will be recorded. Join the THREAT HUNTING COMMUNITY Discord Server to engage with the presenters and your fellow attendees during the live session of the webcast: https://discord.gg/threathunter

20 2

December 2nd, 2021

00:01:05 - PreShow Banter™
0:29:33 - FEATURE PRESENTATION
1:27:47 - Q & A

Join the WWHF Community Discord: https://discord.gg/wwhf

One of the cool things about cyber threat hunting is that the discipline has been around for less than five years. This means that if you get in now, you are in on the ground floor!

But how can you start your career in threat hunting? What skills do you need to be an effective threat hunter? What will companies look for on a resume? In this webcast, Chris Brenton (COO of Active Countermeasures) will answer all these questions and more to help you get hired and start your career in threat hunting!


This Webcast will be recorded. Join the THREAT HUNTING COMMUNITY Discord Server to engage with the presenters and your fellow attendees during the live session of the webcast: https://discord.gg/dnmvXkz

43 3

November 16th, 2021

Lab & Slide Deck Downloads can be found here: https://www.activecountermeasures.com/cyber-threat-hunting-training-course/

Pre-show Banter –
Training Begins –
Hands-on Labs –

49 4

November 4th, 2021

--- Live Chat on Discord:
https://discord.gg/dnmvXkz

--- For Certificates, you must register and watch here:
https://attendee.gotowebinar.com/register/1983152157656373260

Let’s put your sensors to work! Learn to take your sensor from a lab environment and deploy your sensor in production. Learn from my pain and get a handle on securely implementing, monitoring and managing your devices in the wild.

Jim and Bill - two unabashed Raspberry Pi enthusiasts - will expand on the "How to use a Raspberry Pi as a Network Sensor" webcast ( https://youtu.be/vja_H59fh1I). We encourage you to see that one first!

This Webcast will be recorded. Join the THREAT HUNTING COMMUNITY Discord Server to engage with the presenters and your fellow attendees during the live session of the webcast: https://discord.gg/dnmvXkz

25 3

October 24th, 2021

Lab and Slide Deck Downloads can be found here: https://www.activecountermeasures.com/cyber-threat-hunting-training-course/

77 1

October 13th, 2021

0:00:00 - PreShow Banter™
0:23:26 - FEATURE PRESENTATION: Lord of the Pings
1:01:32 - Questions & Answers

Join the Threat Hunter Community https://discord.gg/dnmvXkz

The Internet Control Message Protocol (ICMP) is the maintenance protocol of the internet. It is primarily used for error reporting and determining connectivity between devices. This is extremely useful to system administrators trying to diagnose connection issues. Like anything however, ICMP can be abused by people with malicious intent.

In this webcast, we will briefly cover the common legitimate applications of ICMP such as ping and Traceroute. Then delve into the ways in which attackers can leverage ICMP to further a malicious agenda. We will examine ICMP at the packet level as well as look at malicious uses of it, covering both historical and modern attacks. Significant attention will be given to ICMP traffic anomalies, command and control, and how to detect these.

Join the THREAT HUNTING COMMUNITY Discord Server to engage with the presenters and your fellow attendees during the live session of the webcast: https://discord.gg/dnmvXkz

9 1

August 31st, 2021

Find Lab Instructions Here: https://www.activecountermeasures.com/cyber-threat-hunting-training-course/

Training Begins - 00:33:51

Hands-on Labs - 03:18:20

81 5

August 20th, 2021

Recorded•2021-06-02
Join the Threat Hunter Community https://discord.gg/dnmvXkz
0:00:00 - PreShow Banter™ — Spring Driven
0:03:27 - PreShow Banter™ — C2 You Later
0:06:36 - PreShow Banter™ — Shut Down The System
0:12:59 - FEATURE PRESENTATION: This Traffic Looks Suspicious…
0:16:32 - Overview
0:16:44 - Start With Shared Doc
0:19:31 - Pull Together Details
0:20:43 - Investigate Traffic
0:23:24 - Packet Capture
0:25:53 - Pcap Files
0:27:27 - Analysis Tools
0:28:38 - Investigate Hosts
0:30:02 - IP Information
0:30:46 - Investigate Processes
0:33:45 - Using BeaKer
0:35:35 - Compare To Policies
0:38:56 - Final Choice –Good Traffic
0:41:02 - Final Choice – Bad Traffic
0:43:27 - Final Choice – Indifferent
0:45:00 - Cleanup
0:52:13 - Prepare for the Next Time
0:53:53 - Writeup
0:56:00 - Other Things to Consider
1:01:17 - Additional Resources
1:01:48 - Wrap Up Questions

**All YouTube ad revenue donated to the Innocent Lives Foundation**
https://www.innocentlivesfoundation.org

Threat Hunting is the first in a series of steps - finding the traffic that might be malicious. But what's next? How do we turn the potential threats into actions?

In this Active Countermeasures (ACM) webcast, Bill Stearns will go over how to investigate the traffic, classify it, and handle it appropriately. We'll look at the traffic in more detail, including how to capture more of it. We'll also look at some excellent sources of information about the IP addresses in question. We'll also look at allowlisting approaches to handle legitimate traffic for your environment.

This Webcast will be recorded. Join the THREAT HUNTING COMMUNITY Discord Server to engage with the presenters and your fellow attendees during the live session of the webcast: https://discord.gg/dnmvXkz

23 2

August 14th, 2021

Recorded • 2021-07-07
Join the Threat Hunter Community https://discord.gg/dnmvXkz
00:00 - PreShow Banter™ — Super Awesome by Default
07:57 - FEATURE PRESENTATION: Hacking Packet Captures | Hannah Cartier
09:09 - Why Packet Captures?
09:59 - What Are Packets
11:09 - How Do We Capture Them?
13:31 - Where To Capture Them?
15:21 - Span Ports
15:48 - Full Captures vs Metadata Captures
17:02 - Full Packet Capture Problem
18:15 - Wild Zeek Logs - Metadata Captures
19:17 - Malicious Traffic and Hacked Packets
20:20 - Source IP Spoofing
21:31 - Invalid Flag Combinations
22:07 - Protocol Tunneling
23:26 - Packets Captured - Analyze Them!
24:19 - ACM’s Favorite Tools
25:06 - Looking for What Isn’t There
27:36 - Finding Suspicious Packets With Passer
28:40 - Suspicious Packets in Wireshark
29:33 - Reconstructing Files
31:18 - Be Careful Sharing Your Captures
32:53 - Send Some Funky Pings
33:45 - [Post]Show Banter™ – Wrap Up

**All YouTube ad revenue donated to the Innocent Lives Foundation**
https://www.innocentlivesfoundation.org

In this webcast, we are digging into the nitty-gritty details of packet captures and how to interpret the vast amount of data they produce. Our goal is to explain anything and everything you could possibly want to know about packet captures at a level that beginner or aspiring network threat hunters will be able to understand.

With the rising importance of network security, We believe it is necessary to have a strong understanding of how the network works and understand the data we are collecting. The better our understanding of network traffic is, the easier it becomes to hypothesize about how intruders might be behaving, and stop attacks. We will discuss different methods of capturing packets, how to make use of the data, and several open-source tools you can start using to threat hunt your network right now.

This Webcast will be recorded. Join the THREAT HUNTING COMMUNITY Discord Server to engage with the presenters and your fellow attendees during the live session of the webcast: https://discord.gg/dnmvXkz

32 0

August 11th, 2021

Recorded • 2021-05-05
Join the Threat Hunter Community https://discord.gg/dnmvXkz
00:00 - PreShow Banter™ — Powered by Coal
05:17 - PreShow Banter™ — Creepy Doll
06:49 - PreShow Banter™ — Meet the Crew
08:21 - PreShow Banter™ — Malware of the Day
09:27 - PreShow Banter™ — Company Shirts
12:25 - PreShow Banter™ — Florida Wild Kingom
15:34 - FEATURE PRESENTATION: Beacon Analysis - The Key to Cyber Threat Hunting
15:51 - Why look for Beacons?
19:25 - The Purpose of Threat Hunting
20:50 - What is a Beacon?
27:55 - Beacon Detection based on Timing
33:38 - Beacon Detection based on Session Size
40:25 - Potential False Positives
44:08 - DEMO: Example Hunt
52:15 - How do you practice?
55:38 - QnA

**All YouTube ad revenue donated to the Innocent Lives Foundation**
https://www.innocentlivesfoundation.org

Beacon analysis is by far the most effective method of threat hunting your network. In fact, I would argue that if you are not checking your network for beacon activity, you have a huge gap in your defenses that attackers will happily leverage.

In this webcast, join Chris Brenton, as he discusses the anatomy of beacons and why you need to be looking for them during a threat hunt. He also talks through the challenges of detecting beacons, and some tricks you can use.

Attendees of this webcast will also have a chance to win prizes in a special contest!

This Webcast will be recorded. Join the THREAT HUNTING COMMUNITY Discord Server to engage with the presenters and your fellow attendees during the live session of the webcast: https://discord.gg/dnmvXkz

34 1

August 10th, 2021

Recorded • 2021-04-07
Join the Threat Hunter Community https://discord.gg/dnmvXkz
0:00:00 - PreShow Banter™ — Good Ol Days
0:17:23 - FEATURE PRESENTATION: How to Get Started in Cyber Threat Hunting
0:19:47 - The Purpose of Threat Hunting
0:20:29 - What does “Threat Hunting” Mean?
0:23:02 - Do you remember @TayandYou
0:25:34 - What Threat Hunting Should Be
0:27:33 - Threat Hunting as a Process
0:31:21 - It’s about Business Need Discovery
0:33:55 - What does Threat Hunting Replace?
0:35:25 - Threat Hunting Adoption
0:38:42 - What Soft Skills are Needed?
0:46:15 - What Technical Skills are Needed?
0:50:43 - What Tools Should You Learn?
0:53:00 - How to Develop Your Skills
0:57:14 - DEMO: Game Time!
1:16:38 - QnA

**All YouTube ad revenue donated to the Innocent Lives Foundation**
https://www.innocentlivesfoundation.org

One of the cool things about cyber threat hunting is that the discipline has been around for less than five years. This means that if you get in now, you are in on the ground floor which can look really good on a resume!

But how do you get started? What's the process and what skills do you need to become an effective threat hunter? How do you hone these skills when most organizations are just starting to figure out that they need threat hunters?

Join Chris Brenton and the Active Countermeasures team in this webcast, as we discuss all of these topics and more!

Join the THREAT HUNTING COMMUNITY Discord Server to engage with the presenters and your fellow attendees during the live session of the webcast: https://discord.gg/dnmvXkz

48 5

April 30th, 2021

Join the Threat Hunter Community https://discord.gg/dnmvXkz
00:00 - PreShow Banter™ — Evil Bacon
03:30 - FEATURE PRESENTATION:
04:27 - Threat Types to Consider
12:07 - It’s a Beacon, It MUST Be Evil!
18:02 - Benign Traffic That Look Like Threats
45:12 - What if I Don’t Know?
49:12 - Whitelisting Support
52:04 - References
56:53 - Thanks & Questions

We all know that beacons - regular connections between systems - are commonly used to carry instructions and data in a command and control channel. But that raises an interesting question; are Beacons always malicious? In this presentation by Active Countermeasures', Keith Chew, & Bill Stearns, we'll look at the Threat types normally associated with command and control traffic and see how legitimate application traffic can show up.

We'll go over the types of traffic and how to identify and whitelist them.

Join the THREAT HUNTING COMMUNITY Discord Server to engage with the presenters and your fellow attendees during the webcast: https://discord.gg/dnmvXkz

16 0

April 19th, 2021

Join the THREAT HUNTING COMMUNITY Discord: https://discord.gg/dnmvXkz
00:00 - PreShow Banter™ — The Dark Side of the Web
01:22 - FEATURE PRESENTATION: A Look at Espy
03:08 - What is Espy?
04:36 - Data Flow Visualization
06:49 - Zeek Logs
16:10 - DEMO - Logs
18:27 - Espy + AC Hunter
19:17 - DEMO – AC Hunter
21:15 - Questions and answers
47:43 - FREE Threat Hunt Training Schedule (https://www.activecountermeasures.com/cyber-threat-hunting-training-course/)

https://www.activecountermeasures.com/free-tools/espy/
https://github.com/activecm/espy

The issues of a distributed workforce used to be handled by a relatively small number of organizations with a few traveling salespeople or work-from-homers. Now they exist in most technical organizations. Lately, even more organizations are implementing remote workforces or a mix between in-office and at-home work workers. It’s amazing to see just how many people can do their jobs from home if given the right tools and flexibility on how and when the job is done.

Unfortunately, this also means that network monitoring becomes impractical. There’s no single point where I can put a network sensor to see hundreds or thousands of employees’ network traffic and look for security issues. Even saying “let’s put a sensor in everyone’s home network” has significant privacy, performance, support, and cost issues.

If we are going to watch a relatively small number of company-owned systems, we want to avoid watching personal machines that are also on those home networks, and we want to keep the cost per site down. Let’s consider watching the network traffic right on the company laptops... and this is where espy comes in.

espy is a tool integrated into our product AC-Hunter, but it is also an open-source tool! Join Naomi Kramer in taking a look at how espy works, and how you can use it to protect your network.

14 1

March 11th, 2021

Join the Threat Hunter Community https://discord.gg/dnmvXkz
00:00 - PreShow Banter™ — Name Dropping
05:40 - FEATURE PRESENTATION: How To Analyze Encrypted Traffic on Your Network
06:31 - Traffic On a Wire
10:54 - Common Types
15:31 - Unencrypted DNS Vs Encrypted DNS
23:21 - Encrypted DNS: Analyze Options?
28:59 - Encrypted Traffic in Zeek
35:09 - Exploit Detection in Certificates
37:54 - Sunburst Anomaly
45:44 - SSH Visibility Starts in Open Source
47:44 - Corelight ETC
51:22 - RITA & AC-Hunter
54:05 - References and Questions

Bill Stearns from Active Countermeasures & Alex Kirk with Corelight have joined together to discuss analyzing encrypted network traffic. In this one hour Active Countermeasures webcast, you will learn how to detect and analyze encrypted traffic on your network.

Join the THREAT HUNTING COMMUNITY Discord Server to engage with the presenters and fellow attendees https://discord.gg/dnmvXkz

38 2

December 15th, 2020

Join Our Threat Hunter Discord Community: https://discord.gg/qyy9vrE
0:00:00 - PreShow Banter™ — Geek Dance Party
0:09:48 - FEATURE PRESENTATION: How to Cover C&C in the AT&TCK Matrix
0:14:03 - Problems with IDS
0:19:11 - Endpoint Protection Review: A Change in the Landscape
0:23:13 - MITRE Command & Control & Exfiltration
0:26:48 - MITRE Shield
0:33:59 - Why Is This Necessary?
0:36:18 - Malware PCAP Samples
0:47:09 - Passer
0:50:51 - Creating Command & Control
0:58:04 - Conclusions & Questions
1:09:52 - DEMO: AC Hunter (Active Countermeasures) Commercial Demo


We all look to the MITRE ATT&CK Matrix for guidance to understand attack techniques as well as to mitigate their risks. If you want to take a strong defense in-depth approach, you will want to ensure you have coverage of each ATT&CK framework category. Arguably, one of the most difficult columns to both test and implement is the Command and Control column.

In this ACM webcast, we'll run down the Command and Control column to identify how we can both detect and test each described threat vector.

Join Our Threat Hunter Community. Conversation during the webcast will take place here: https://discord.gg/qyy9vrE

All Webcasts are recorded and posted on our website under the education tab.

43 0

November 5th, 2020

Join the Threat Hunting Community on Discord: https://discord.gg/tbQBAzT
Slides & VM: https://www.activecountermeasures.com/cyber-threat-hunting-training-course/
0:00:00 - PreShow Banter™ — Tales of Great Ambitions
0:16:47 - Chris Crowley Plugs His UpComing SOC Class (https://soc-class.com/)
0:21:32 - Meet the ACM Teams
0:26:45 - This is the Way : The Path to Threat Hunting Carriers
0:29:34 - FEATURE PRESENTATION: Network Cyber Threat Hunter Training
0:34:43 - How We Try To Catch Bad Guys
0:38:12 - Limitations of Logging
0:50:52 - Threat Intel Feeds?
0:55:50 - What Should Threat Hunting Be?
1:01:04 - Starting With the Network
1:14:40 - What to Look For
1:18:51 - Keeping Score
1:21:57 - Blind Spots to C2 Targeting
1:24:13 - C2 Detection
1:28:36 - Bad Guys V Red Teams
1:31:00 - Long Connections
1:39:53 - Bro V Zeek?
1:43:31 - Zeek Has a Timeout Problem
1:49:49 - Anyway, Here’s Firewalls
1:50:45 - Beacons!
1:59:06 - False Positives? Unexpected Results?
2:17:15 - Destination IP Address
2:19:55 - Internal Systems
2:21:27 - Event ID Type 3
2:23:07 - Passer
2:25:44 - C2 Detection Tools
2:43:31 - C2 Labs
2:46:17 - LAB: Find Long Connections
3:02:50 - LAB: Investigate Long-Talkers
3:10:36 - LAB: Beacons By Session Size
3:31:25 - LAB: C2 Over DNS
3:39:11 - LABS Again, But With RITA
3:49:46 - AI Hunter
3:53:55 - That’s All, Folks

Chris Crowley's SOC class:
https://soc-class.com/

**This session will have updated labs and content that was not included in past trainings!

Chris Brenton from Active Countermeasures is conducting another free, one-day, Cyber Threat Hunting Training online course!

One of the biggest challenges in security today is identifying when our protection tools have failed and a threat actor has made it onto our network.

In this free, 4-hour course, we will cover how to leverage network and host data to perform a cyber threat hunt.

The focus will be on processes and techniques that can be used to protect:
- Desktops
- Servers
- Network gear
- IIoT
- BYOD system

The course includes hands-on labs using packet captures of various command and control channels.

We also discuss how you can use our new Sysmon tool BeaKer to detect attacks on the host with Sysmon... for free!

The labs enable you to apply what you've learned using various open-source tools.

By the end of the course, you’ll understand the tools and techniques needed to perform compromise assessments within your own environment. While the course will be available later for download, live attendees will receive a "Cyber Security Threat Hunter Level-1" certificate.


Why are we doing it? Cyber threat hunting is a relatively new discipline. As an industry, we are still formulating standards and procedures. We want to do our part by giving back to the security community. We are hoping that by sharing what we've learned we can help spark new ideas and threat hunting tools. Let's build a community and solve these problems together.

190 6

October 16th, 2020

Join Our Threat Hunter Discord Community: https://discord.gg/qyy9vrE
0:00:00 - PreShow Banter™ – SadPlant Returns
0:07:12 - The Problem With Zeek
0:11:39 - FEATURE PRESENTATION: Passer – Effortless Network Knowledge!
0:15:37 - Passer, What Is It?
0:17:59 - What Passer Finds
0:29:53 - How Passer Works
0:32:53 - Installing Passer
0:35:51 - Passer Output
0:55:44 - Importing Into A Spreadsheet
1:02:58 - Additional Output
1:04:43 - Passer Performance
1:06:14 - System Inventory
1:06:44 - Passer_ng (Multiprocess Version)
1:09:17 - Bring It On Home


Notable Links:

How to Build a Home Lab – Bill Stearns: https://youtu.be/t7bhnK47Ygo
Passer Web Page: https://www.activecountermeasures.com/free-tools/passer/
Passer GitHub: https://github.com/activecm/passer
Bill Stearns’ Passer Web Pagehttp://www.stearns.org/passer/

Passer is a network sniffer that teaches you about your network - with no extra work for you! By watching network traffic it can identify your systems, routers, names of devices, and network services (both internal and external ones used by your systems). In this webcast we go over how to use it in your own network, how to interpret the results, and how to use these results with other tools.

Passer runs on Linux and macOS. You won't need a lot of technical background to use it or understand the webcast. We look forward to seeing you there!

18 0

September 11th, 2020

Join the THREAT HUNTER COMMUNITY Discord: https://discord.gg/dnmvXkz
00:00:00 - PreShow Banter™ — PreShow Banter™
00:12:13 - FEATURE PRESENTATION: Getting Started With RITA
00:13:24 - What Is RITA
00:16:40 - Setting up RITA
00:23:41 - RITA Test Config
00:28:08 - Import Zeek Log Files
00:35:44 - Generate Zeek Logs From Pcap
00:51:00 - Whitelisting RITA

https://www.activecountermeasures.com/free-tools/rita/
https://github.com/activecm/rita
https://github.com/activecm/rita/releases/download/v3.3.1/install.sh

Want to search your network for malicious command and control channels?

In this 1-hour Active Countermeasures webcast, Chris Brenton walks through the setup process for RITA (Real Intelligence Threat Analytics), our open-source threat hunting tool. Once the install is complete, Chris will demonstrate how to threat hunt using the tool; so you too can hunt down the bad guys.

Learn more about our open-source tool and framework -- RITA -- and download it here: https://www.activecountermeasures.com/free-tools/rita/

82 3

August 12th, 2020

Our Tools: https://acm.re | https://github.com/activecm/passer | http://www.stearns.org/passer/
00:00 - PreShow Banter™ – Self Titled
02:47 - John Gives Thanks
03:40 - Our Threat Hunting Tools
04:31 - The Purpose of Threat Hunting
08:29 - How To Learn More
09:03 - RITA
11:30 - AI-Hunter Demo
44:40 - Passer
59:20 - Got Questions?
1:04:33 - Passer Demo

Join Our Threat Hunter Discord Community! :
https://discord.gg/QNzjnd7

Originally Recorded Live June 3, 2020

We bend a few of our own rules during this webcast. We try very hard to keep our webcasts a marketing-free zone by not showing off our commercial product. However, there are some technical aspects to how AI-Hunter threat hunts the network which makes it unique within the industry. It's difficult to talk about why these techniques are best practice, without showing the tool itself. So in this webcast will highligh both our open source and commercial threat hunting tools.

This talk is very technical, but we wanted to give a heads up that we will be leveraging our commercial product during the main part of the webcast. If you are an open-source purist, please feel free to skip this cast. Otherwise, learn what techniques we leverage to both simplify as well as expedite the process of detecting malicious actors that have made it past an organization's defenses.

41 2

August 12th, 2020

Join Our Threat Hunter Community Discord: https://discord.gg/qyy9vrE
Download RITA: https://www.activecountermeasures.com/free-tools/rita/
0:00 - PreShow Banter™ - Many New Faces
3:42 - Hacking RITA
6:02 - Workspace Setup
7:49 - RITA Repo Cheat Sheet
9:29 - Database Cheat Sheet
11:09 - Metadata Cheat Sheet
12:07 - RITA Commands
14:06 - RITA Command File
15:22 - Lisa's Lazy Dev Quickstart
18:37 - What About Arguments
20:53 - Build A Query
21:43 - Query Time
29:27 - Bonus: Alternative Query
35:02 - Slap a BSON
40:47 - Testing / Bonus: RegEx Results!
41:36 - HTML Output Woes?
1:00:05 - Got Questions?

Originally Recorded Live, August 5, 2020

Have you ever wanted something to be slightly different in RITA? To contribute a new feature, perhaps, or customize the input and output fields of your local version?

Many of our users are not developers, and even if they are, the complexity of the project can quickly become overwhelming or intimidating. We get frequent feedback with the common, underlying blocker of needing to "sit down and learn GO". You don't need to learn GO to start working with it!

In this webcast, we go through the process that new devs use to start working with a new language they don't know. We set up your work environment, isolate which files in the project are relevant to what you want to change, and walk through making minor tweaks together. We will make mistakes, search stack overflow, and get you started hacking on RITA!

8 1

August 10th, 2020

Check out BeaKer: https://github.com/activecm/BeaKer
Join Our Threat Hunter Discord Community : https://discord.gg/QNzjnd7
00:00 - PreShow Banter™ – Listen Only Mode
4:27 - Exploring BeaKer
7:35 - A Common Problem
9:59 - What Beaker Does
11:42 - Example of Beaker at Work
15:32 - Beaker is What?
16:45 - Sysmon ( https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon )
17:39 - Event ID 3 Example
19:19 - It's All Been Done Before
23:45 - Focus On a Quick Reference Tool
25:37 - Beaker Dashboard
33:20 - What BeaKer Sees
48:21 - Questions?

Originally recorded live July 1st, 2020.

How many times have you been reviewing your firewall logs, NIDS alerts, packet decodes, or similar, and wished you had an easy way to see which application created the network connection you are analyzing? Yup, us too, that's why we created BeaKer.

"BeaKer" is our latest open source project that connects together Sysmon, Winlogbeat and an ELK stack so that you can quickly and easily run down which applications are communicating with other systems across the network. It acts as a bridge between your network data and your host logs.

So imagine I'm reviewing my outbound firewall logs and I notice a connection pattern that looks like command and control (C2) traffic. With BeaKer, I can quickly pivot to see which application is creating those connections. If I find something suspicious, I can rapidly expand the view to include all host and user data within the defined time range. This way I can quickly obtain the full context of the attack.

Watch our free webcast "Exploring BeaKer" to learn more about how to effectively use this tool.

17 0

June 24th, 2020

Join the new "Threat Hunting Community" Discord discussion server: https://discord.gg/w23C3rd
0:00 - Before We Start
3:06 - Threat Simulation: Testing Threat Hunting Software
4:29 - OK, But Why?
6:11 - Approach
8:32 - Network Layout
9:11 - Setup
14:24 - Actual Testing
15:37 - Detecting DNS C2 Traffic
17:41 - DNS Live Demo
29:17 - What We Look For
30:08 - If Not Detected?
36:36 - Metasploit Framework
1:00:55 - More Information
1:01:45 - Questions From Discord Chat
1:16:44 - Peanut Butter & Jelly

Because Threat Hunting is such a new discipline, it's not always clear what Threats a particular package can detect. In this webcast, Bill Stearns and Keith Chew will walk you through testing your Threat Hunting software to make sure it is working properly and can detect different types of unwanted traffic. This is a walkthrough of the process for detecting DNS beaconing and Metasploit. After this webcast, you should be all set to do testing on the other threat traffic types.

In preparation for this webcast, check out our Threat Simulation blog series here: https://www.activecountermeasures.com/threat-simulation-overview-and-setup/

15 0

April 20th, 2020

Join the new "Threat Hunting Community" Discord discussion server: https://discord.gg/w23C3rd
0:00 – You're In Charge
2:06 – Ok. But Why?
7:18 – The Network Layout
9:43 – (John's Spaghetti)
20:38 – Project Hardware
26:06 – Firewall
29:21 – Switch
30:53 – Wireless AP
36:49 – Sentinel
38:33 – File and Drive Image Transfer
41:04 – Laberv
43:41 – Guinea Pigs
44:46 – John's Setup Porn
46:44 – HELK
47:35 – Beaker
48:13 – Creating Evil
49:48 – Recording
50:14 – Incrementally Opening Up the Firewall
51:50 – Software
53:31 – Packet Capture
54:25 – Network Monitoring
55:09 – Scanning
56:12 – Disk Imaging
56:43 – On a Budget – What's Critical
57:04 – Closing Notes
58:05 – Questions
1:01:28 – See Something Cool

The Slide deck can be found here: http://activecountermeasures.com/presentations inside the ACM_Webcasts folder

How many of us have tried some new configuration option, utility, or hardware on a production environment, only to crash a critical piece of the business? (me raising hand... 🙂 ) It's amazing how quickly we learn not to do that! Now we have to decide - do we stop trying out new things because we're scared of causing problems, or do we come up with a safe way to play and learn?

We're going to cover how to set up a Home Lab - an isolated environment where you can test new hardware, programs, and applications. By keeping this totally separate from everything else, you get free rein to play without risk to your other systems - and without risk of breaking any company policies!

We'll cover how to set this up, the equipment needed, and how to configure these. Best of all, you can use throwaway hardware to do it!

148 4

March 30th, 2020

Join the ACM Discord Community: https://discord.gg/dnmvXkz
0:00 - Forming Voltron
2:46 - Bad Guys, Bad Guys, Watcha Gonna Do When We Don't Catch You
10:19 - Can You Log Me Now?
13:14 - Catching Bad Guys Wearing Parachute Pants
21:26 - It's Threat Hunting Season
32:51 - Bad Guy Glasses
37:01 - Threat Scores and Seven IPs To Go
42:08 - Perfect Is As Perfect Does
44:38 - By The Power Of Discord
45:53 - Questions From the Floor?

Download Slides: https://www.activecountermeasures.com/presentations/
Presentations -- ACM_Webcasts -- How_to_cyber_threat_hunt

Have you noticed that two people can be talking about cyber threat hunting and actually be talking about two different things? It's kind of turned into this "thing" that everyone is talking about, but no one is really sure what it means. What is step #1? How do you know when a threat hunt is "done"? Is there a defined job description for a Cyber Threat Hunter? Clearly, it's time to create some guardrails around the topic.

174 5

March 3rd, 2020

00:00:00 –Intro
00:04:18 –Traffic Mirroring
00:07:55 –What is VXLAN
00:16:20 –Configuration Overview
00:26:27 –Configuration Walkthrough
00:48:43 –Test Yourself Before You Wreck Yourself

Download Slides: https://www.activecountermeasures.com/presentations/
Presentations -- ACM_Webcasts -- SniffingTrafficinAmazonEC2withTrafficMirroring_02272020

Amazon EC2 is a great solution for quickly spinning up virtual machines. The only downside is that we lose our ability to leverage network-based security tools that rely on decoding the packet stream, like traffic monitors and intrusion detection systems. Luckily, that no longer needs to be a thing.

In this webcast, we will walk you through how to leverage Amazon's VPC traffic mirroring and the VXLAN protocol to create a VM capable of monitoring the traffic to and from other VMs. The goal will be a monitoring system that is running Zeek, RITA and Suricata, so we have the ability to detect all sorts of nastiness.

We will even walk through how to test the system so that we are sure everything is working properly.

Check out RITA prior to the webcast (open-source): https://www.activecountermeasures.com/free-tools/rita/

34 2

January 20th, 2020

Slides & Buy List: https://activecountermeasures.com/raspberry_pi_sensor/
1:51 Presentation Outline
2:12 Goals of This Talk
3:24 Did Someone Say Raspberry Pie?
14:50 Building the System
19:21 Software Setup
21:06 Network Setup
28:06 Additional Steps
31:20 Getting Packets
34:09 Monitor the Span Port
45:34 What Sniffing Tools to Use
46:46 This Example
50:49 Why Not a Traditional PC?
53:51 To Infinity...
56:05 References

Join Bill Stearns, from Active Countermeasures for "How to use a Raspberry Pi as a Network Sensor!"

Stealth - Size - Cost - Bang for the buck: pick any 4. 🙂

Running a network sensor, IDS, or IPS can be a costly venture; the high-end ones can cost more than a used car. In this webcast we’ll cover running a network sensor using a Raspberry Pi, a miniature single-board computer that runs most anything you can run under Linux.

Bill will show you how to install and use the Zeek IDS and cover the performance aspects you'll need to know. Setting up IDSs that cost about the same as a bike means you can monitor far more network segments simultaneously, and hide them behind a power brick if you have to.

No previous experience with the Pi is needed - you'll have a shopping list of what to get.

You'll probably want basic familiarity with running commands under Linux.

338 15

November 21st, 2019

This video was created by Active Countermeasures COO Chris Brenton to give a demonstration of our AI-Hunter product and all its amazing features

21 0

November 13th, 2019

In this video, Chris Brenton describes why threat hunting is the missing link between our protection and incident response technologies.

5 1

November 13th, 2019

In this video, Chris Brenton provides a definition for Threat Hunting and how it differs from other security disciplines like threat intelligence or log review.

19 1

May 8th, 2019

Download slides: https://www.activecountermeasures.com/presentations/
1:30 Introduction on Gcat, basic protections, why Gcat is hard to detect, Zeek, Zcat, Bro, and why simply looking at delta time can't help identify an attack
14:22 Using packet data to help determine a Gcat attack
21:32 Analyzing packet data with RITA and AI-Hunter
29:43 Lessons Learned
33:52 Q&A

Schedule a personal demo of AI-Hunter, our network threat hunting software solution: https://www.activecountermeasures.com/ai-hunter-demo

Presented by: Chris Brenton

First, please check out the MITRE Technique Matrix far right side. Specifically, Command and Control:
https://attack.mitre.org/matrices/enterprise/ 

While many of these techniques are pretty straight-forward, some can be a bit harder to get your head around. Specifically, Web Service.
https://attack.mitre.org/techniques/T1102/ 

This is where an attacker uses a web service (think Gmail) as a C2.  

We received so much positive feedback to our deep dive on dnscat2 as a C&C channel, that we've decided to continue the C&C decoding series. In this webcast we cover Gcat, the infamous tool that was one of the tools used to bring down the Ukranian power grid. Detection here is tricky, as Gcat can look like a regular end-user checking their email. However, there are some tell-tale traits you can key in on. Just like last time, this will be an intermediate level walkthrough. We start with some raw decodes and work our way through the various possibilities for detection. 

Here is a link describing how this backdoor was used in the Ukranian power grid attack:
https://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-industry/

5 0

April 15th, 2019

In this video we walk through the required steps to deploy AI-Hunter on your network.

Schedule a personal demo of AI-Hunter, our network threat hunting software solution: https://www.activecountermeasures.com/ai-hunter-demo

7 0

April 12th, 2019

Hi folks! In this video, we give you a quick 5min overview of AI-Hunter. We talk about what problem we solve, how the tool is deployed, and give a quick walkthrough of the user interface.

Schedule a personal demo of AI-Hunter, our network threat hunting software solution: https://www.activecountermeasures.com/ai-hunter-demo

9 0

April 2nd, 2019

Download slides: https://www.activecountermeasures.com/presentations/
1:56 dnscat2 and C&C servers, detection challenges, and detecting beacons
11:33 Using tshark to extract data fields and how to use command lines in those fields, using Rita and AI hunter in a similar way
24:13 detecting scrupulous use of dnscat2 using standard and alternative procedures
39:44 Lessons Learned and Resources
42:16 Q&A

Schedule a personal demo of AI-Hunter, our network threat hunting software solution: https://www.activecountermeasures.com/ai-hunter-demo

Presented by: Chris Brenton & John Strand

One of the challenges with command and control channels is distinguishing them from normal traffic patterns. For example, while dnscat2 uses RFC compliant DNS queries to establish communications, it does have some tell-tale traits that distinguish its queries from normal DNS traffic.

In this webcast, we do a deep dive on the network communications of multiple command and control tools. We start with a pcap analysis (Wireshark, woot!) and work our way through open source and commercial tools that can help simplify the process.

This is sort of hands-on webcast! All attendees will gain access to the source files (captures, or it did not happen!) as well. Download files: http://acm.re/webcast-file-downloads/

11 1

January 22nd, 2019

Download slides: https://www.activecountermeasures.com/presentations/
Presented by: Chris Brenton & John Strand

Schedule a personal demo of AI-Hunter, our network threat hunting software solution: https://www.activecountermeasures.com/ai-hunter-demo

We all know what threat hunting is in general terms; its when we actively search our network for compromised systems. But what does that mean exactly and what process should we be following? Can I simply check network traffic to see if the evil bit is set, or is there a bit more to it than that?

In this webcast we walk you through the methodology of doing a network threat hunt. We talk about what steps to perform and in what order. We also look at some of the tools and online resources you can leverage to expedite the process. In short, this Webcast is a runbook you can leverage for validating the integrity of each of your internal endpoints.

79 4

November 13th, 2018

Schedule a personal demo of AI-Hunter, our network threat hunting software solution: https://www.activecountermeasures.com/ai-hunter-demo

See our updated version of AI-Hunter.

5 0

September 17th, 2018

Schedule a personal demo of AI-Hunter, our network threat hunting software solution: https://www.activecountermeasures.com/ai-hunter-demo

Join Chris Brenton, COO of Active Countermeasures, as he discusses the anatomy of beacons and why you need to be looking for them during a threat hunt. He also talks through the challenges of detecting beacons, and some tricks you can use.

Slides from the full webcast can be found here: www.activecountermeasures.com/threat-hunting-beacon-analysis-september-11-2018/

87 3

August 31st, 2018

8:41 Systems Recon
10:45 Defense: Systems Recon
12:55 Portspoof
20:30 Scraping Users with Google and Burp
24:21 Attacking Google 2FA; Credsniper; Defense: User Awareness Training
34:52 Info and IP Address
38:40 Git Access; Google and Others
43:44 Defense/Security Controls
47:40 What We Do
49:40 Thanks/Extra Info
50:00 Q&A

For this next installment of the Attack Tactics series, John looks at cloud security defenses. In the previous webcast, we covered the tools Black Hills Information Security (our sister company) uses to attack cloud-based two-factor authentication and turn cloud services against each other for password spraying. We also cover how we can create cloud malware to ex-filtrate data. Watch now to learn more about how to stop these kinds of attacks.

15 1

July 2nd, 2018

This is the second part of John's series about Attack Tactics. In the first part we discussed how we'd attack. Now, we cover the same attack, but this time we are covering the defensive components the organization could have implemented to stop us every step of the way.

"We cover event logs, new vendors, SIEM, UBEA and yes... I hate to say it... Cyber Kill Chain. Remember, the goal is to make your next pentester cry; to make hackers give up and most importantly to have puppies and kittens everywhere love you." - John

Slides are available here: https://blackhillsinformationsecurity.shootproof.com/gallery/6843799/

2 0

February 23rd, 2018

Schedule a personal demo of AI-Hunter, our network threat hunting software solution: https://www.activecountermeasures.com/ai-hunter-demo

The original Webcast where AI-Hunter was launched to the general public. This provides a good general overview of AI-Hunter and how to use it.

2 0

February 15th, 2018

Schedule a personal demo of AI-Hunter, our network threat hunting software solution: https://www.activecountermeasures.com/ai-hunter-demo

In this video John discusses the techniques attackers use to hide their command and control traffic on the network. He discusses how this traffic differs from normal traffic, and what techniques can be used to spot those differences. He also demonstrates how AI-Hunter presents these command and control sessions so they are easy to distinguish from normal traffic.

9 0

February 14th, 2018

Schedule a personal demo of AI-Hunter, our network threat hunting software solution: https://www.activecountermeasures.com/ai-hunter-demo

10 0

February 14th, 2018

Schedule a personal demo of AI-Hunter, our network threat hunting software solution: https://www.activecountermeasures.com/ai-hunter-demo

3 0