Cyber War Stories from Adriatic Slovenica
Sandi Bižal, C|EH
IT Security Officer - Security Operations
March 21, 2019
Agenda
•Who are we?
•Goal of the Day!
•Why are we Here?
•Use Cases
•Answers
•Q & A
Who are we?
Sandi 101
• 12 years in InfoSec | SIEM ROCKS!
• Nessus & Metasploit enthusiast
• Classical music lover!
• Very much into Food porn!
Google is NOT your friend!
Goal of the day!
Whatever you do !!!
DO NOT GET ARRESTED
Why are we Here?
Just how tough is it to get the passwords?
https://www.youtube.com/watch?v=RfAdux3XidM
OK Seriously…Why are we Here?
Real World Top-of-Mind Problems
GDPR
Botnet
Authentication Anomalies
Malware
Privileged Account Monitoring
Funny Story
Trivia Question #1
What is this?
Trivia Question #2
What is this?
Use Cases
UC #1 Email Tracking
All data we can have – now what?
UC #2 GDPR Auditing - A
As seen by the Security officer
UC #3 GDPR Auditing - B
As seen by the DPO
Make a guess? So who the hell is DPO?
Data Protection Officer
UC #4 BOTNET !
From an unknown computer
No data about workstation and
Workstation IP number!
End of story:
- Event logging on DC was raised with NTLM Security
- Workstation was on DA (DirectAccess)
- User was administrator on laptop
- Computer was blocked in domain
- Now we get more data from DC to SIEM.
Lessons Learned
• Our data feeds were not enough
• User was administrator on laptop
• Active Directory auditing policies were incorrect
• After the re-config, we found the infected computer, because it was still….. <WHO WOULD LIKE TO ANSWER>?
What is this?
BEACONING !
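The infected laptop in the story was found, once the DC feeds reached the SIEM, because it was still beaconing: the same source contacting the same destination on a fixed timer. The detector below is an added example, not code from the talk or from Adriatic Slovenica; it runs over constructed outbound-connection log lines and flags (source, destination) pairs whose connection intervals are near-constant, skipping malformed lines and pairs with too few hits to judge.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not from the talk): "<ISO timestamp> <src> -> <dst>".
# 10.0.0.25 hits one host every ~60 s (the beacon); 10.0.0.40 browses at random.
SAMPLE_LOG = """\
2019-03-20T08:00:00 10.0.0.25 -> 203.0.113.9
2019-03-20T08:00:05 10.0.0.40 -> 198.51.100.7
2019-03-20T08:00:12 10.0.0.40 -> 198.51.100.7
2019-03-20T08:01:01 10.0.0.25 -> 203.0.113.9
2019-03-20T08:01:59 10.0.0.25 -> 203.0.113.9
2019-03-20T08:02:40 10.0.0.40 -> 198.51.100.7
2019-03-20T08:03:00 10.0.0.25 -> 203.0.113.9
2019-03-20T08:03:00 10.0.0.40 -> 198.51.100.7
this line is malformed and must be skipped
2019-03-20T08:04:01 10.0.0.25 -> 203.0.113.9
2019-03-20T08:04:59 10.0.0.25 -> 203.0.113.9
2019-03-20T08:09:30 10.0.0.40 -> 198.51.100.7
2019-03-20T08:09:35 10.0.0.40 -> 198.51.100.7
"""


def parse(lines):
    """Yield (timestamp, src, dst) for each well-formed log line."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "->":
            continue  # a bad line must not crash the whole detector
        yield datetime.fromisoformat(parts[0]), parts[1], parts[3]


def find_beacons(lines, min_hits=5, max_cv=0.1):
    """Return {(src, dst): mean gap in seconds} for regular-interval pairs.

    cv = stdev / mean of the gaps between successive connections; a value
    near 0 means a fixed timer. min_hits avoids judging pairs seen only
    a handful of times, where any two gaps look "regular".
    """
    seen = defaultdict(list)
    for ts, src, dst in parse(lines):
        seen[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst), gap in find_beacons(SAMPLE_LOG.splitlines()).items():
        print(f"possible beacon: {src} -> {dst} every {gap:.1f} s")
```

The thresholds are assumptions to tune per environment; real beacons add jitter and some legitimate software (update checks, monitoring agents) is also periodic, so the output is a triage list, not a verdict.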
UC #5 Daily Events
As seen by the security officer
UC #6 Anomalies within authentication logs
As seen by the security officer
UC #7 Asset model with vulnerabilities
As seen by the security officer
UC #8 Malware occurrence detected
As seen by the security officer
UC #9 Regular group membership changes
UC #10 Irregular group membership changes
UC #11 Multiple changes to security groups
UC #12 Funny story
System administrator bulk created and deleted users after discovering a mistake in provisioning script
Trivia Question #3
THE BEST OF THE BEST !!!
What the ?!? is this?
Answers
Answer #1:
Domain Admin Failed Login & Lockouts in 1 Month
Answer #2:
Domain Admin Failed Login & Lockouts in 1 Hour
PLEASE PATCH PUTTY !!!
• FROM YESTERDAY: FROM HACKER NEWS!
Bonus Slides
Number of Privileged Account Logins per Minute
Out-of-the-box Dashboard
[Dashboard chart: Privileged Account Logins per Minute; values shown on the chart: 300 and 1,500]
Q & A
Thank You.