Talkin' Bout [Infosec] News

Black Hills Information Security
Mar 25, 2020 • 1h 8min

Webcast: How (we) Run a Virtual Conference and How You Can, Too

The team at Black Hills Information Security and Wild West Hackin’ Fest had to pivot from doing an in-person information security conference in San Diego to a 100% virtual conference with 6 days of notice. We had a little bit of experience doing a hybrid in-person/virtual conference in November 2019 (with 10 days’ notice). The response from the 400+ attendees about the virtual conference was overwhelmingly positive. We did it and you can do it, too. In this webcast, we discuss how it all happened, including how we ended our agreement with our venue. We talk about all the things we learned and what we’d do differently next time.

(00:01) - Trust Us, We're Not Experts
(01:11) - Suddenly Virtual
(03:46) - Venue Vámonos
(12:29) - What Now?
(19:29) - Let's All Go To The Lobby (and have ourselves a chat) – LobbyCon/Discord
(32:55) - A Stream of Logistics
(44:00) - The Calm
(46:38) - The Storm
(52:19) - The End Credits Scene
(57:12) - Any Questions?
Mar 11, 2020 • 1h 3min

Webcast: Think You're Compromised? What Do We Do Next?

In this webcast, we will cover what we can do if we think there is a breach on our network. We will cover live forensics, cool PowerShell scripts, network and event log analysis, cool IR spreadsheets, and checklists. We will also be covering the status of our ELK project for reviewing Event ID 3 from Sysmon. So, a lot… Yep… A crazy amount.

Download slides: https://www.activecountermeasures.com/presentations

(00:00) - Intro
(01:18) - Ok, But Why
(02:49) - Have It The Wrong Way
(05:07) - Have It The Right Way
(07:30) - Lego My Incident Response
(08:56) - Monologging On Mute
(12:28) - Wouldn't Be Prudent
(15:00) - Better Than Bad, It's Good
(22:04) - A Van Full of Free Tools
(44:41) - CSI: Memory
(45:32) - We Got Cheat Sheets if You Want Some Cheat Sheets
(47:51) - Overlapping Venn Diagrams
(50:17) - Questions in the Wild
(59:46) - Sucking at Capitalism
Feb 19, 2020 • 1h 2min

Webcast: Enterprise Recon For Purple Teams

Do you know what your attackers know? There’s a good chance you know, but you might not be aware of just how much information can be found historically and in real-time about your business operations and organization. Join Jordan Drysdale and Kent Ickler as they discuss and demonstrate Purple Team Enterprise Reconnaissance methods that increase operational network awareness and overall security posture.

Learn how to monitor cloud services for your organization’s data being dumped on the web, account compromises, and source code disclosure. Use external services to keep an eye on your external landscape to alert on unexpected changes. See how configurations of operational awareness uncover a potential attacker’s methodology and infrastructure to give you an upper hand in stopping threats before they escalate. See how an attacker utilizes common internet sources to gather intelligence about your technology stack, your perimeter security, and your wireless networks, and to plan attacks against your organization. Know what your attacker knows.

Download slides: https://activecountermeasures.com/presentations

Wild West Hackin’ Fest – Most Hands-On Infosec Con! Join us at the new Way West Wild West Hackin’ Fest in San Diego — March 11-13th, 2020. Learn more: https://www.wildwesthackinfest.com/

(00:00) - Intro
(00:42) - Executive Problem Statement
(02:25) - Recon You Say?
(06:11) - Your Internal Friends... Sometimes
(09:01) - What Does Purple Team Do, Exactly?
(10:13) - There Are A Ton Of Sources Out Here
(49:55) - And Now For Some Crappy Code
Feb 17, 2020 • 1h

Webcast: Linux Command Line Dojo with Hal Pomeranz

In this webcast, we have our friend Hal Pomeranz sharing his massive knowledge on Linux. If you’re new to Linux, or if you know it and just want to hear from Hal’s years of using and teaching all things Linux, then this is the webcast for you.

Download slides: http://www.deer-run.com/~hal/CLDojo.pdf

From Hal: The Linux command-line is an amazingly powerful programming environment. Mastering its functionality can make you enormously more productive. Sensei Hal gives you critical insights into tackling difficult command-line challenges in this fast-paced and entertaining presentation.

Who is Hal? Hal Pomeranz is the Founder and Technical Lead of Deer Run Associates, a consulting company focusing on Computer Forensic Investigations and Information Security. He has spent more than twenty years providing pragmatic Information Technology and Security solutions for some of the world’s largest commercial, government, and academic institutions. An expert in the investigation of Linux/Unix systems, Hal has provided Computer Forensic investigative support for several high-profile cases to both law enforcement and commercial clients.

(00:00) - Intro to Hal 9000
(04:05) - It's A UNIX System
(07:34) - Who's Trying Naughty URLS?
(27:07) - Care About the Environment
(48:24) - Questions & Answers
Feb 12, 2020 • 1h 3min

Webcast: Introducing Competitive Backdoors & Breaches and More!

Backdoors & Breaches kind of took off. In case you don’t know, Backdoors & Breaches is an Incident Response Card Game to help people better understand the various attacks and defenses used in security today. We have sold out twice on Amazon, given out thousands of copies for free at conferences, and sent 2,000+ free decks to infosec educators (with a few thousand more decks to go). As a standalone game, with an Incident Master driving the narrative, it works really well. However, we have something else that we have been working on… Competitive Backdoors & Breaches. Yes, you can play this game against your co-workers. It just takes at least two decks. In this live webcast, we will be covering: advice for being an Incident Master; playing the regular game with remote teammates; answering many of your questions about gameplay; and introducing the rules on how to play this game competitively against another player.

Download slides: https://www.activecountermeasures.com/presentations

(00:00) - Kinda Goofy
(04:38) - Ok, But Why?
(05:55) - State of Play
(09:27) - Initial Compromise Card
(10:31) - Persistence Card
(11:53) - C2 and EXFIL Card
(14:01) - Pivot and Escalate Card
(14:36) - Procedures Card
(16:27) - State of Play
(17:51) - Initial Setup
(20:13) - Resource Points (RP)
(25:41) - Building the Kill Chain
(28:20) - Attack in Depth
(29:20) - Completing the Kill Chain
(31:31) - Defend Rolls
(34:33) - For Example
(37:29) - Let's Play a Game
(47:39) - Any Questions?
Feb 10, 2020 • 59min

Webcast: Getting Started in Cyber Deception

Ever wanted to get started in cyber deception? Ever wanted to do it for free? In this BHIS webcast, we will cover some basic, legal, and easy tools/techniques to get you started in working with low interaction honeypots to serve as an early warning of attacks. We will also be sharing a recipe for making wine out of pentester tears. Because attacker tears make the best wine.

Download slides: https://www.activecountermeasures.com/presentations/

This webcast was originally recorded live on January 23, 2020 with John Strand.

(00:00) - Introduction
(01:00) - A Few Cool Things
(06:00) - Beginnings of Cyber Deception
(09:08) - Conversations
(16:34) - Canarytokens
(18:42) - Scenario: Recon
(23:02) - .exe
(36:13) - Cloned Websites!
(39:07) - Word Docs!!!
(47:41) - One Step Forward
(51:58) - Honeybadger Update
(53:56) - Back To Threat Intel
(55:21) - How We Use It
(56:03) - Questions
Jan 17, 2020 • 1h

Webcast: Passwords: You Are the Weakest Link

https://media.blubrry.com/bhis/content.blubrry.com/bhis/BHIS_Podcast_Passwords_Youaretheweakestlink.mp3

Why are companies still recommending an 8-character password minimum? Passwords are some of the easiest targets for attackers, yet companies still allow weak passwords in their environment. Multiple service providers recommend 8-character minimum passwords based on outdated data.

Download Slides: https://www.activecountermeasures.com/presentations

Originally recorded as a live webcast on December 5th, 2019
Presented by: Darin Roberts & CJ Cox

Because of newer attack methods and increased computing power, password minimums need to be increased to 15 characters to keep networks safe. On this BHIS Webcast, Darin & CJ discuss:
* Current password policies: BHIS recommendations, Microsoft, Google, Apple, NIST
* Why do we recommend 15 characters – brute force, password crack, LM Hash
* Passphrase vs. password
* Recommended password policy summary

(00:00) - Start
(01:04) - Introduction
(03:26) - In The Beginning
(04:23) - What The Experts Say : PCI
(05:55) - What The Experts Say : Microsoft
(09:29) - What The Experts Say : NIST
(16:01) - What The Experts Say : Google
(16:28) - What The Experts Say : Apple
(16:42) - Still More Experts
(17:49) - Why 15 Characters
(18:06) - Brute Force
(18:44) - Password Spray
(22:48) - Password Cracking
(23:25) - A Hashing Algorithm
(24:07) - More About Hashes
(25:49) - So What Is Password Cracking
(27:16) - Windows Hashes
(27:42) - The LM Hashing Algorithm
(29:46) - LM Hash Is "Weak"
(30:55) - LM Vs. NTLM Cracking
(31:14) - Why 15 Character Passwords – Answer
(32:06) - CJ's Response to the Problem
(36:32) - Let's See the Math
(37:09) - Math Examples
(40:30) - From the Field
(42:47) - Would You Like To Play A Game?
(45:03) - Take Aways
(46:46) - Are You Really Going To Let This Guy Decide
(48:33) - Audience Questions & Comments
Jan 14, 2020 • 1h 1min

Webcast: Sacred Cash Cow Tipping 2020

Want to learn how attackers bypass endpoint products?

Download slides: https://www.activecountermeasures.com/presentations/

Last year we came to the conclusion that we are going to keep going with the Sacred Cash Cow Tipping Webcast series. Why? Because many in the industry still believe that security is something that can be achieved through the purchase of a single product. To that end, we feel there is still a need to deconstruct certain parts of security (like AV) and show that there are always structural weaknesses in every security product that is implemented. This is becoming even more important now that many of the advanced endpoint products are not just fire-and-forget but have an endless array of different configurations that enable a company to shoot themselves in the foot by reducing the overall effectiveness of these products. So, yes, Sacred Cash Cow Tipping is more important than ever.

To that end, our next webcast will be on bypassing endpoint security products. The goal of this webcast is to help show people that there is still no silver bullet in security. We also desperately want to show that configuration and monitoring still matter.

This is our first webcast of the year. It may run longer than 60 minutes. It will be recorded. We will have a team of Black Hills Testers answering questions throughout the webcast. We have room for 3,000 attendees, so you will be able to attend live if you want.

(00:00) - Intro
(03:41) - Alternate Interpreters
(09:19) - Carbon Black Config Issue
(15:07) - Cisco AMP EDR – Quick and Easy Bypass
(18:24) - PowerShell AMSI Bypass – Rhino
(19:07) - CylancePROTECT Bypass
(24:14) - Windows Defender and Carbon Black Bypass
(30:36) - Windows Subsystem for Linux
(39:59) - PowerShell HTTP Web Cradle for Downloads
Jan 7, 2020 • 58min

Webcast: Let’s Talk About ELK Baby, Let’s Talk About You and AD

BHIS’ Defensery Driven Duo Delivers Another Delectable Transmission! We know you are worried about your networks. After hours of discussion, we’ve come to the realization that some of our dedicated followers seem to be much more interested in catching malware than learning how to be (please forgive this next statement) “l33t hax0rs.”

Download slides: https://www.activecountermeasures.com/presentations/

(00:00) - Intro
(02:47) - Why Are We Doing This?
(05:07) - AT7: The Logs You Are Looking For
(07:41) - AD Best Practices to Frustrate Attackers
(09:37) - AT 5 – Complete Takedown & AT 6 – IOCs
(12:04) - Blue Team-A-Palooza
(14:22) - Windows Logging, Sysmon, and ELK – Part 1
(16:45) - Implementing Sysmon and Applocker
(21:45) - ...And Group Policies That Kill Kill-Chains
(22:31) - Here Are Some Important Blogs
(23:35) - Summary Complete
(25:28) - Introducing the Atomic Red Team
(27:50) - Installing the Atomic Framework
(29:29) - Squibbly Doo
(30:46) - The Results
(31:29) - Let's Take A Step Back: The Atomic Tests
(32:18) - Another Step Back: WEF / Winlogbeat Config
(33:41) - Executing T1015
(34:26) - Catching Executables
(41:05) - Executing T1003
(42:02) - ElastAlert
(43:21) - Now, On the ATT&CK
(44:20) - Not Sure If That's a Wrap Yet. (It's Not)
(47:11) - Check Out Our Dashboard
Dec 16, 2019 • 1h

Webcast: Passwords: You Are the Weakest Link

Why are companies still recommending an 8-character password minimum? Passwords are some of the easiest targets for attackers, yet companies still allow weak passwords in their environment. Multiple service providers recommend 8-character minimum passwords based on outdated data.

Download Slides: https://www.activecountermeasures.com/presentations

(00:00) - Start
(01:04) - Introduction
(03:26) - In The Beginning
(04:23) - What The Experts Say : PCI
(05:55) - What The Experts Say : Microsoft
(09:29) - What The Experts Say : NIST
(16:01) - What The Experts Say : Google
(16:28) - What The Experts Say : Apple
(16:42) - Still More Experts
(17:49) - Why 15 Characters
(18:06) - Brute Force
(18:44) - Password Spray
(22:48) - Password Cracking
(23:25) - A Hashing Algorithm
(24:07) - More About Hashes
(25:49) - So What Is Password Cracking
(27:16) - Windows Hashes
(27:42) - The LM Hashing Algorithm
(29:46) - LM Hash Is "Weak"
(30:55) - LM Vs. NTLM Cracking
(31:14) - Why 15 Character Passwords – Answer
(32:06) - CJ's Response to the Problem
(36:32) - Let's See the Math
(37:09) - Math Examples
(40:30) - From the Field
(42:47) - Would You Like To Play A Game?
(45:03) - Take Aways
(46:46) - Are You Really Going To Let This Guy Decide
(48:33) - Audience Questions & Comments