Active Countermeasures Webcasts
Network Decoding Gcat Command & Control
- 1:30 Introduction on Gcat, basic protections, why Gcat is hard to detect, Zeek, Zcat, Bro, and why simply looking at delta time can’t help identify an attack
- 14:22 Using packet data to help determine a Gcat attack
- 21:32 Analyzing packet data with RITA and AI-Hunter
- 29:43 Lessons Learned
- 33:52 Q&A
Presented by: Chris Brenton
In this webcast we cover Gcat, the infamous tool that was one of the tools used to bring down the Ukranian power grid. Detection here is tricky, as Gcat can look like a regular end-user checking their email. However, there are some tell-tale traits you can key in on. Just like last time, this will be an intermediate level walk-through. We start with some raw decodes and work our way through the various possibilities for detection.
This is another hands-on webcast! Download the files used in this webcast here.
Network Decoding Command & Control Channels
- 1:56 dnscat2 and C&C servers, detection challenges, and detecting beacons
- 11:33 Using tshark to extract data fields and how to use command lines in those fields, using Rita and AI hunter in a similar way
- 24:13 Detecting scrupulous use of dnscat2 using standard and alternative procedures
- 39:44 Lessons Learned and Resources
- 42:16 Q&A
Presented by: Chris Brenton & John Strand
One of the challenges with command and control channels is distinguishing them from normal traffic patterns. For example, while dnscat2 uses RFC compliant DNS queries to establish communications, it does have some tell-tale traits that distinguish its queries from normal DNS traffic.
In this webcast, we do a deep dive on the network communications of multiple command and control tools. We start with a pcap analysis (Wireshark, woot!) and work our way through open source and commercial tools that can help simplify the process.
This is sort of a hands-on webcast! All attendees will gain access to the source files (captures, or it did not happen!) as well. Download the files here.
Network Threat Hunting Runbook
We all know what threat hunting is in general terms; its when we actively search our network for compromised systems. But what does that mean exactly and what process should we be following? Can I simply check network traffic to see if the evil bit is set, or is there a bit more to it than that?
In this webcast we walk you through the methodology of doing a network threat hunt. We talk about what steps to perform and in what order. We also look at some of the tools and online resources you can leverage to expedite the process. In short, this Webcast is a runbook you can leverage for validating the integrity of each of your internal endpoints.
Additionally, we have documented some of what is covered in this webcast as a reference in our blog post: How to Threat Hunt Your Network.
Threat Hunting Beacon Analysis
Join Chris Brenton, COO of Active Countermeasures, as he discusses the anatomy of beacons and why you need to be looking for them during a threat hunt. He also talks through the challenges of detecting beacons, and some tricks you can use.
Attack Tactics: Part 4
For this next installment of the Attack Tactics series, John Strand looks at cloud security defenses. In the previous webcast, we covered the tools Black Hills Information Security (our sister company) uses to attack cloud-based two-factor authentication and turn cloud services against each other for password spraying. We also cover how we can create cloud malware to ex-filtrate data. Watch now to learn more about how to stop these kinds of attacks.
Attack Tactics: Part 3
For this next installment of our Attack Tactics webcast series, John Strand looks at an environment that had no Active Directory. This is odd, but it’s becoming more and more common for new companies to have everything in the “cloud” and BYOD. This is also a great case-study on how to access services like Git, Slack, Gsuites, Salesforce and so on, because even if you are still using AD, you WILL be moving to the cloud. This webcast is for everyone. Finally, as testers, we need to evolve our testing to be able to successfully test these cloud services. This means we all need to up our game and be ready for the next round of cloud-based enterprise technologies!
Attack Tactics: Part 2
This is the second part of John’s series about Attack Tactics. In the first part we discussed how we’d attack. Now, we cover the same attack, but this time we are covering the defensive components the organization could have implemented to stop us every step of the way.
“We cover event logs, new vendors, SIEM, UBEA and yes… I hate to say it… Cyber Kill Chain. Remember, the goal is to make your next pentester cry; to make hackers give up and most importantly to have puppies and kittens everywhere love you.” – John
Attack Tactics: Part 1
John Strand is starting a new series of webcasts called Attack Tactics. This first part is a step-by-step walk-through of an attack BHIS launched against a customer, with just a few obfuscating tweaks. He covers the tools, how we used them and any other tricks we had to pull out for the attack. The second will be co-hosted by our sister company Active Countermeasures and will go through the defensive side. Stay tuned for more details about that!