Cyber War Stories from Adriatic Slovenica - RISK conference · 2019-11-28
Cyber War Stories from Adriatic Slovenica
Sandi Bižal, C|EH
IT Security Officer - Security Operations
March 21, 2019
Agenda
• Who are we?
• Goal of the Day!
• Why are we Here?
• Use Cases
• Answers
• Q & A
Who are we?
Sandi 101
• 12 years in InfoSec | SIEM ROCKS!
• Nessus & Metasploit enthusiast
• Classical music lover!
• Very much into Food porn!
Google is NOT your friend!
Goal of the day!
Whatever you do!!!
DO NOT GET ARRESTED
Why are we Here?
Just how tough is it to get the passwords?
https://www.youtube.com/watch?v=RfAdux3XidM
OK Seriously… Why are we Here?
Real World Top-of-Mind Problems
GDPR
Botnet
Authentication Anomalies
Malware
Privileged Account Monitoring
Funny Story
Trivia Question #1
What is this?
Trivia Question #2
What is this?
Use Cases
UC #1: Email Tracking
All data we can have – now what?
UC #2: GDPR Auditing - A
As seen by the Security officer
UC #3: GDPR Auditing - B
As seen by the DPO
Make a guess? So who the hell is DPO?
Data Protection Officer
UC #4: BOTNET!
From an unknown computer
No data about the workstation and no workstation IP number!
End of story:
- Event logging on the DC was raised with NTLM Security
- Workstation was on DA (DirectAccess)
- User was administrator on the laptop
- Computer was blocked in the domain
- Now we get more data from the DC to the SIEM.
Lessons Learned
• Our data feeds were not enough
• User was administrator on laptop
• Active Directory auditing policies were incorrect
• After the re-config, we found the infected computer, because it was still….. <WHO WOULD LIKE TO ANSWER>?
What is this?
BEACONING!
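The botnet case was closed because the infected machine was still beaconing after the logging re-config. As an added example (not from the talk and not Adriatic Slovenica's SIEM content), the Python block below is a small beaconing detector run over constructed proxy log lines: the log format, the host names WS-0042 and WS-0017 and the destination 203.0.113.10 are all assumptions. It flags a source/destination pair whose connection intervals are nearly constant, which is what a periodic check-in looks like next to ordinary browsing.

```python
"""Beaconing detection over constructed proxy log lines (added example).

A beaconing host contacts the same destination at near-constant intervals,
so the gaps between its connections have a low coefficient of variation
(stdev / mean). Ordinary browsing produces irregular gaps. The log format,
host names and destination address below are constructed for the demo.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: "<ISO timestamp> <source host> -> <destination>".
# WS-0042 reaches out roughly once a minute; WS-0017 browses irregularly.
SAMPLE_LOG = """\
2019-03-21T08:00:00 WS-0042 -> 203.0.113.10
2019-03-21T08:00:58 WS-0042 -> 203.0.113.10
2019-03-21T08:02:01 WS-0042 -> 203.0.113.10
2019-03-21T08:03:00 WS-0042 -> 203.0.113.10
2019-03-21T08:03:59 WS-0042 -> 203.0.113.10
2019-03-21T08:05:02 WS-0042 -> 203.0.113.10
2019-03-21T08:06:00 WS-0042 -> 203.0.113.10
2019-03-21T08:07:01 WS-0042 -> 203.0.113.10
2019-03-21T08:00:05 WS-0017 -> intranet.example
2019-03-21T08:00:07 WS-0017 -> intranet.example
2019-03-21T08:01:40 WS-0017 -> intranet.example
2019-03-21T08:09:12 WS-0017 -> intranet.example
2019-03-21T08:09:13 WS-0017 -> intranet.example
2019-03-21T08:25:00 WS-0017 -> intranet.example
2019-03-21T08:31:44 WS-0017 -> intranet.example
2019-03-21T08:31:45 WS-0017 -> intranet.example
"""


def parse_lines(text):
    """Yield (timestamp, src, dst) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "->":
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[3]


def interval_stats(timestamps):
    """Return (count, mean gap in seconds, coefficient of variation) or None."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return len(timestamps), mean, statistics.pstdev(gaps) / mean


def find_beacons(text, min_connections=6, max_cv=0.2):
    """Flag (src, dst) pairs with enough connections and near-constant gaps."""
    flows = defaultdict(list)
    for ts, src, dst in parse_lines(text):
        flows[(src, dst)].append(ts)
    alerts = {}
    for key, stamps in flows.items():
        stats = interval_stats(sorted(stamps))
        if stats is None:
            continue
        count, mean, cv = stats
        if count >= min_connections and cv <= max_cv:
            alerts[key] = {"connections": count,
                           "period_s": round(mean, 1),
                           "cv": round(cv, 3)}
    return alerts


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} {info}")
```

The two knobs are the minimum number of connections (so a handful of coincidental hits does not alert) and the maximum coefficient of variation (how much jitter a check-in may have and still count as periodic); both are tuned per environment.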
UC #5: Daily Events
As seen by the security officer
UC #6: Anomalies within authentication logs
As seen by the security officer
UC #7: Asset model with vulnerabilities
As seen by the security officer
UC #8: Malware occurrence detected
As seen by the security officer
UC #9: Regular group membership changes
UC #10: Irregular group membership changes
UC #11: Multiple changes to security groups
UC #12: Funny story
A system administrator bulk-created and then deleted users after discovering a mistake in the provisioning script.
Trivia Question #3
THE BEST OF THE BEST !!!
What the ?!? is this?
Answers
Answer #1:
Domain Admin Failed Login & Lockouts in 1 Month
Answer #2:
Domain Admin Failed Login & Lockouts in 1 Hour
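UC #9 to UC #12 and Trivia answers #1 and #2 are all the same kind of detection: count Windows Security events per actor inside a time window and alert past a threshold. As an added example (not the talk's own SIEM rules), the Python block below models them as sliding-window rules over constructed event lines. The event IDs are the real Windows ones (4625 failed logon, 4740 lockout, 4728/4732/4756 member added to a security-enabled global/local/universal group, 4720/4726 user created/deleted); the account and group names, the thresholds, the 08:00-18:00 "expected change" window and the "ts|event_id|actor|target" line format are assumptions made for the demo.

```python
"""Sliding-window threshold rules over constructed Windows Security events.

Added example, not from the talk. Event IDs are the real Windows ones:
4625 failed logon, 4740 account lockout, 4728/4732/4756 member added to a
security-enabled global/local/universal group, 4720/4726 user account
created/deleted. Accounts, groups, thresholds, the 08:00-18:00 change
window and the "ts|event_id|actor|target" line format are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

PRIVILEGED = {"da.sandi", "da.backup"}   # constructed domain-admin accounts
GROUP_ADMINS = {"admin.ops"}             # constructed: allowed to change groups
GROUP_CHANGE = {4728, 4732, 4756}
ACCOUNT_CHURN = {4720, 4726}

# Constructed events: "<ISO timestamp>|<event id>|<actor>|<target>".
# The provisioning story: 10 users created, then 10 deleted, minutes apart.
_BULK = "\n".join(
    f"2019-03-21T11:0{m}:0{i}|{eid}|svc.provision|user{i:04d}"
    for m, eid in ((0, 4720), (3, 4726)) for i in range(10)
)
SAMPLE_EVENTS = """\
2019-03-21T09:00:10|4625|da.sandi|DC01
2019-03-21T09:07:30|4625|da.sandi|DC01
2019-03-21T09:15:02|4625|da.sandi|DC01
2019-03-21T09:22:41|4625|da.sandi|DC01
2019-03-21T09:30:05|4740|da.sandi|DC01
2019-03-21T09:05:00|4625|j.doe|WS-0017
2019-03-21T09:06:00|4625|j.doe|WS-0017
2019-03-21T10:00:00|4728|admin.ops|CN=Domain Admins
2019-03-21T10:01:00|4732|admin.ops|CN=Administrators
2019-03-21T10:02:00|4756|admin.ops|CN=Enterprise Admins
2019-03-21T23:15:00|4728|j.doe|CN=Domain Admins
""" + _BULK + "\n"


def _in_change_window(ts):
    """Constructed business-hours window in which group changes are expected."""
    return 8 <= ts.hour < 18


# (rule name, predicate, key field, window, threshold)
RULES = [
    ("privileged-auth-failures-1h",                 # Trivia answers #1/#2
     lambda e: e["event_id"] in {4625, 4740} and e["actor"] in PRIVILEGED,
     "actor", timedelta(hours=1), 5),
    ("irregular-group-change",                      # UC #10: wrong actor or time
     lambda e: e["event_id"] in GROUP_CHANGE
     and (e["actor"] not in GROUP_ADMINS or not _in_change_window(e["ts"])),
     "actor", timedelta(0), 1),
    ("multiple-security-group-changes-10m",         # UC #11
     lambda e: e["event_id"] in GROUP_CHANGE,
     "actor", timedelta(minutes=10), 3),
    ("bulk-account-churn-10m",                      # UC #12
     lambda e: e["event_id"] in ACCOUNT_CHURN,
     "actor", timedelta(minutes=10), 10),
]


def parse_events(text):
    """Parse the constructed line format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 4:
            continue
        try:
            events.append({"ts": datetime.fromisoformat(parts[0]),
                           "event_id": int(parts[1]),
                           "actor": parts[2], "target": parts[3]})
        except ValueError:
            continue
    events.sort(key=lambda e: e["ts"])
    return events


def run_rules(events, rules=RULES):
    """Sliding-window count per key; each rule fires once per key."""
    alerts = []
    for name, match, key_field, window, threshold in rules:
        recent = defaultdict(deque)
        fired = set()
        for e in events:
            if not match(e):
                continue
            key = e[key_field]
            q = recent[key]
            q.append(e["ts"])
            while e["ts"] - q[0] > window:   # drop events that fell out of the window
                q.popleft()
            if len(q) >= threshold and key not in fired:
                fired.add(key)
                alerts.append({"rule": name, "key": key, "count": len(q),
                               "first": q[0].isoformat(), "last": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in run_rules(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run on the constructed sample, the rules fire once each: the domain-admin account with four failed logons and a lockout inside an hour, the group change by a non-admin at night, the admin who touched three security groups within ten minutes, and the provisioning account that created ten users in a burst. The regular UC #9 changes by admin.ops in business hours trigger only the "multiple changes" rule, which is the same distinction between expected and unexpected churn that the talk draws.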
PLEASE PATCH PUTTY !!!
• FROM YESTERDAY: FROM HACKER NEWS!
Bonus Slides
Number of Privileged Account Logins per Minute
Out-of-the-box Dashboard
Privileged Account Logins per Minute (chart; axis values 300 and 1,500)
Q & A
Thank You.