Active Countermeasures Webcast
How many times have you been reviewing your firewall logs, NIDS alerts, packet decodes, or similar, and wished you had an easy way to see which application created the network connection you are analyzing? Yup, us too. That's why we created BeaKer.
"BeaKer" is our latest open source project. It connects Sysmon, Winlogbeat and an ELK stack so that you can quickly and easily run down which applications are communicating with other systems across the network. It acts as a bridge between your network data and your host logs.
So imagine I’m reviewing my outbound firewall logs and I notice a connection pattern that looks like command and control (C2) traffic. With BeaKer, I can quickly pivot to see which application is creating those connections. If I find something suspicious, I can rapidly expand the view to include all host and user data within the defined time range. This way I can quickly obtain the full context of the attack.
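As an added illustration of the pivot just described (this is not BeaKer's own code; the firewall log format, the flat Winlogbeat-style field names such as `Image`, `SourceIp` and `DestinationPort`, the hostnames and every event record below are constructed for the example), the script takes one outbound firewall entry, matches it against Sysmon Event ID 3 (network connection) records on the connection 4-tuple within a small time tolerance to name the process, and then widens to every Sysmon event from that host inside a time window to get the surrounding context:

```python
"""Pivot from a firewall log entry to the Sysmon process that made the
connection, then to the host's events around that moment.
Added example; all data, field names and formats are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed firewall line (assumed format: ts action proto src -> dst)
FIREWALL_LINE = "2020-06-10T14:03:21Z ALLOW TCP 10.1.2.35:51234 -> 203.0.113.77:443"

# Constructed Sysmon events, flattened the way Winlogbeat's event_data fields
# would look after shipping to ELK (field names assumed, values made up).
SYSMON_EVENTS = [
    {"event_id": 1, "Computer": "WS01", "UtcTime": "2020-06-10 13:50:00.000",
     "Image": r"C:\Windows\explorer.exe", "ProcessId": 1200, "User": r"CORP\alice"},
    {"event_id": 1, "Computer": "WS01", "UtcTime": "2020-06-10 14:03:19.880",
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "ProcessId": 4412,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\alice"},
    {"event_id": 3, "Computer": "WS01", "UtcTime": "2020-06-10 14:03:21.104",
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "ProcessId": 4412,
     "User": r"CORP\alice", "Protocol": "tcp",
     "SourceIp": "10.1.2.35", "SourcePort": 51234,
     "DestinationIp": "203.0.113.77", "DestinationPort": 443},
    {"event_id": 3, "Computer": "WS01", "UtcTime": "2020-06-10 14:03:25.500",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ProcessId": 2210,
     "User": r"CORP\alice", "Protocol": "tcp",
     "SourceIp": "10.1.2.35", "SourcePort": 51240,
     "DestinationIp": "203.0.113.77", "DestinationPort": 443},
    {"event_id": 3, "Computer": "WS02", "UtcTime": "2020-06-10 14:03:21.000",
     "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 900,
     "User": "NT AUTHORITY\\SYSTEM", "Protocol": "tcp",
     "SourceIp": "10.1.2.36", "SourcePort": 51234,
     "DestinationIp": "203.0.113.77", "DestinationPort": 443},
]

FIREWALL_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+->\s+(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)


def parse_firewall_line(line):
    """Parse the constructed firewall format into a dict with a UTC timestamp."""
    m = FIREWALL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised firewall line: {line!r}")
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "proto": d["proto"].lower(),
        "src_ip": d["src_ip"], "src_port": int(d["src_port"]),
        "dst_ip": d["dst_ip"], "dst_port": int(d["dst_port"]),
    }


def parse_sysmon_time(s):
    """Sysmon UtcTime is 'YYYY-MM-DD HH:MM:SS.fff' in UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)


def find_originating_process(fw, events, tolerance=timedelta(seconds=5)):
    """Return Event ID 3 records whose 4-tuple and protocol match the firewall
    entry and whose timestamp is within `tolerance`. Source ports are reused
    over time, so the time check matters as much as the tuple match."""
    wanted = (fw["src_ip"], fw["src_port"], fw["dst_ip"], fw["dst_port"])
    hits = []
    for ev in events:
        if ev["event_id"] != 3 or ev["Protocol"].lower() != fw["proto"]:
            continue
        have = (ev["SourceIp"], ev["SourcePort"], ev["DestinationIp"], ev["DestinationPort"])
        if have != wanted:
            continue
        if abs(parse_sysmon_time(ev["UtcTime"]) - fw["ts"]) <= tolerance:
            hits.append(ev)
    return hits


def host_context(events, computer, center, window=timedelta(seconds=60)):
    """All events from one host within +/- `window` of `center`, oldest first:
    the 'expand the view' step once a process has been identified."""
    ctx = [ev for ev in events
           if ev["Computer"] == computer
           and abs(parse_sysmon_time(ev["UtcTime"]) - center) <= window]
    return sorted(ctx, key=lambda ev: ev["UtcTime"])


if __name__ == "__main__":
    fw = parse_firewall_line(FIREWALL_LINE)
    for hit in find_originating_process(fw, SYSMON_EVENTS):
        print(f"{hit['Computer']}: {hit['Image']} (PID {hit['ProcessId']}, {hit['User']})")
        for ev in host_context(SYSMON_EVENTS, hit["Computer"], fw["ts"]):
            print(f"  {ev['UtcTime']}  EID {ev['event_id']}  {ev['Image']}")
```

The 4-tuple match plus a few seconds of tolerance is what keeps the chrome.exe connection to the same destination from being blamed for the suspicious one; in the context step the process-create (Event ID 1) record shows the parent that launched the binary, which is usually the next question an analyst asks.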
Watch our webcast “Exploring BeaKer” to learn more about how to effectively use this tool.
The slide deck can be found here, inside the ACM_Webcasts folder.
Presented by: Chris Brenton & John Strand
- 00:00 – PreShow Banter™ – Listen Only Mode
- 4:27 – Exploring BeaKer
- 7:35 – A Common Problem
- 9:59 – What Beaker Does
- 11:42 – Example of Beaker at Work
- 15:32 – Beaker is What?
- 16:45 – Sysmon
- 17:39 – Event ID 3 Example
- 19:19 – It’s All Been Done Before
- 23:45 – Focus On a Quick Reference Tool
- 25:37 – Beaker Dashboard
- 33:20 – What BeaKer Sees
- 48:21 – Questions?