Tuesday, October 29, 2019

2019-038-Deveeshree_Nayak-risk_analysis, and OWASP WIA


OWASP WIA - https://www.youtube.com/watch?v=umnt0qbOPsE

https://www.owasp.org/index.php/Women_In_AppSec

OWASP Women in AppSec

Twitter: 2013_Nayak (reach out and ask to be added)


https://www.tagnw.org/events/


Risk in Infosec

 

Risk - a situation that exposes the organization to serious danger or to loss it cannot recover from; in practice, the chance that a threat event happens combined with the damage it would do

    What about risks that are positive in nature?  PMP calls them ‘opportunities’


Risk Analysis - systematic examination of the components and characteristics of a risk

 

Analysis Steps - 

        Understanding and Assessment

            Understand there is a risk

            What if a company does not have security standards?

       

           

        Identification

            Identify and categorize risk - 

                Informational risk

                Network risk

                Hardware risk

                Software risk

                Environment risk?

 

https://en.wikipedia.org/wiki/Routine_activity_theory

 

            Scope of risk analysis?

            Threat modeling to find risks?

                https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling 

            SWOT (strength/weakness/opportunities/threats) analysis will discover risks?

            Risk analysis methodologies?

                https://www.project-risk-manager.com/blog/qualitative-risk-techniques/

                https://securityscorecard.com/blog/it-security-risk-assessment-methodology

https://en.wikipedia.org/wiki/Probabilistic_risk_assessment

 

https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration 

 

        Estimation

            Likelihood that the risk will occur (once a decade, once a week) and the impact if it does

            Design controls to remediate or reduce it

 

        Implementation

            Risk assessment is a combined approach (qualitative and quantitative methods, see the links above)

                You mentioned a lot of people, what’s the scope?

                How do you do the risk assessment? Framework?

           

        Evaluation

            Evaluation approach

                Like an agile approach

            Provides an informed conclusion

            Report must be clear (no jargon)

        Decision Making
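An added example, not from the episode or the guest, of the Estimation step feeding Decision Making: the standard single loss expectancy (asset value times exposure factor) multiplied by annualized rate of occurrence gives annualized loss expectancy, and a control is worth buying when the loss it avoids exceeds its cost. The function names, the register entries and every number in them are constructed for illustration.

```powershell
# Added example (not from the episode): quantitative estimation with the usual
# Single Loss Expectancy / Annualized Rate of Occurrence / Annualized Loss
# Expectancy formulas, then the cost/benefit check that feeds the decision step.
# Every asset value, exposure factor, frequency and control cost below is a
# constructed illustration, not data from the show.

function Get-AnnualizedLossExpectancy {
    param(
        [Parameter(Mandatory)][double]$AssetValue,      # what the asset is worth to the business
        [Parameter(Mandatory)][double]$ExposureFactor,  # fraction of that value lost per incident, 0..1
        [Parameter(Mandatory)][double]$AnnualRate       # incidents per year: once a decade = 0.1, weekly = 52
    )
    if ($ExposureFactor -lt 0 -or $ExposureFactor -gt 1) {
        throw "ExposureFactor must be between 0 and 1"
    }
    $sle = $AssetValue * $ExposureFactor    # SLE: loss from one incident
    return $sle * $AnnualRate               # ALE: expected loss per year
}

function Measure-ControlBenefit {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][double]$AleBefore,
        [Parameter(Mandatory)][double]$AleAfter,
        [Parameter(Mandatory)][double]$AnnualControlCost
    )
    # A control is worth buying when the loss it avoids exceeds what it costs.
    $net = $AleBefore - $AleAfter - $AnnualControlCost
    [pscustomobject]@{
        Risk        = $Name
        AleBefore   = $AleBefore
        AleAfter    = $AleAfter
        ControlCost = $AnnualControlCost
        NetBenefit  = $net
        Recommend   = ($net -gt 0)
    }
}

# Constructed risk register: each entry carries the estimate with and without
# the proposed control. The "after" values are the analyst's judgement.
$register = @(
    @{ Name = 'Ransomware on file server'; AV = 500000;  EF = 0.6; ARO = 0.5;  EFAfter = 0.6; AROAfter = 0.05; Cost = 20000  }  # tested backups + EDR cut frequency
    @{ Name = 'Lost unencrypted laptop';   AV = 80000;   EF = 1.0; ARO = 2;    EFAfter = 0.1; AROAfter = 2;    Cost = 3000   }  # disk encryption cuts impact, not frequency
    @{ Name = 'Datacenter flood';          AV = 2000000; EF = 0.4; ARO = 0.01; EFAfter = 0.4; AROAfter = 0.01; Cost = 150000 }  # proposed control changes neither
)

$report = foreach ($r in $register) {
    $before = Get-AnnualizedLossExpectancy -AssetValue $r.AV -ExposureFactor $r.EF      -AnnualRate $r.ARO
    $after  = Get-AnnualizedLossExpectancy -AssetValue $r.AV -ExposureFactor $r.EFAfter -AnnualRate $r.AROAfter
    Measure-ControlBenefit -Name $r.Name -AleBefore $before -AleAfter $after -AnnualControlCost $r.Cost
}

# Highest net benefit first: this ordering is the input to "Decision Making".
$report | Sort-Object NetBenefit -Descending | Format-Table -AutoSize
```

With these constructed figures the laptop encryption (net 141000) and the ransomware controls (net 115000) come out recommended, while the flood control (net -150000) does not, because it changes neither likelihood nor impact. The point for the report is that the numbers are only as good as the exposure-factor and frequency estimates behind them, so state those assumptions alongside the result rather than burying them.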

           

 

Examples to Reduce Risk

Training and education

    what kind of testing? Annual Security training?

 

Publishing policies

Agreement with organization

    BAA (Business Associate Agreement) with 3rd parties

Timely testing - 

   


Download here!

Monday, October 21, 2019

2019-038- Ethical dilemmas with offensive tools, powershell discussion with Lee Holmes - Part2


 

Derbycon9 talk - PowerShell Security Looking Back from the Inside - https://www.youtube.com/watch?v=DYWPtt7qszY&list=PLNhlcxQZJSm_ZDJBksg97I5q1XsdQcyN5&index=27&t=0s

 

Encarta - https://en.wikipedia.org/wiki/Encarta

 

Scott Hanselman’s twitter thread about Encarta: https://twitter.com/shanselman/status/1158780839464849409

 

Congrats on the black badge :)

 

I like that you bring up execution policies, and that it was never created to be a security control

  • I started alerting on it anyway at least from non-admin devices

 

https://www.mssqltips.com/sqlservertip/2702/setting-the-powershell-execution-policy/ 
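An added example, not code from the episode or from Lee Holmes, of the contrast the notes draw: the first section lists the documented ways around execution policy, the second turns on the logging that actually leaves a trail, and the third is the alert described above written against those logs. It assumes Windows PowerShell 5.x on a domain-joined host, an elevated session, and the registry keys that the PowerShell logging Group Policy settings write; the transcript directory, the function names and the search pattern are this example's own choices.

```powershell
# Added example, not the episode's or Lee Holmes's code. Section 1 is why
# execution policy is not a boundary; sections 2 and 3 are the controls that
# actually leave a trail. Registry keys are the Group Policy-backed settings
# for Windows PowerShell 5.x; run elevated. The transcript directory and the
# detection pattern are this example's own choices.

# --- 1. Execution policy: a safety belt, not a lock --------------------------
# Any user allowed to run powershell.exe at all can sidestep "Restricted":
#   powershell.exe -ExecutionPolicy Bypass -File .\script.ps1
#   Get-Content .\script.ps1 | powershell.exe -NoProfile -Command -
#   Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass     # no admin rights needed
#   powershell.exe -EncodedCommand <base64 of UTF-16LE script>
# All four are documented features, which is why they are not "bypasses" to be
# patched but behaviour to be logged and alerted on.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# --- 2. Turn on the logging that records what the code actually did ---------
function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # example path; in production use a write-only share

    # Script block logging: event 4104, records code after de-obfuscation, as it runs
    New-Item -Path "$policyRoot\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$policyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging: event 4103, pipeline execution details for every module ('*')
    New-Item -Path "$policyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$policyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$policyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*'

    # Transcription: full session text including output, one file per session
    New-Item -Path "$policyRoot\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$policyRoot\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$policyRoot\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path "$policyRoot\Transcription" -Name OutputDirectory -Value $TranscriptDir
}

# --- 3. The alert from the notes: who is reaching for the bypass? -----------
function Find-ExecutionPolicyBypass {
    param([int]$MaxEvents = 5000)
    # Covers Set-ExecutionPolicy, -ExecutionPolicy/-ex*/-ep Bypass, and -EncodedCommand/-enc*/-ec <base64>
    $pattern = '(?i)Set-ExecutionPolicy|-e(?:x\w*|p)\s+bypass|-e(?:nc\w*|c)\s+[A-Za-z0-9+/=]{16,}'

    # Command-line flags never appear inside a script block, so read the engine
    # start event (400, classic "Windows PowerShell" log); its message carries
    # a HostApplication= line with the full command line.
    $cmdline = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hostApp = [regex]::Match($_.Message, 'HostApplication=([^\r\n]*)').Groups[1].Value
            if ($hostApp -match $pattern) {
                [pscustomobject]@{ TimeCreated = $_.TimeCreated; Source = 'Engine start (400)'; Text = $hostApp }
            }
        }

    # Set-ExecutionPolicy typed or scripted shows up in script block logging
    # (4104); ScriptBlockText is the third property of the event.
    $blocks = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; Source = 'Script block (4104)'; Text = $_.Properties[2].Value }
        }

    @($cmdline) + @($blocks) | Sort-Object TimeCreated
}

Enable-PowerShellLogging
Find-ExecutionPolicyBypass | Format-Table -AutoSize -Wrap
```

The registry writes take effect for new PowerShell sessions; existing ones keep the old settings. A hit from this query on a non-admin workstation is a reasonable triage signal, as the note above suggests, but the robust version of the same alert comes from process creation telemetry (Sysmon event 1 or Windows 4688 with command-line auditing), which catches the flags even when the attacker's host is not powershell.exe.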

 

Want to learn Powershell? UnderTheWire wargame: https://underthewire.tech/

 

Jeffrey Snover “The Cultural battle to remove Windows from Windows Server”: https://www.youtube.com/watch?v=3Uvq38XOark

 

You talk about "why would anyone want to remove PowerShell", as it came as a standalone download and part of the Windows SDK. I was taught when I was just getting into tech that I should fear PowerShell, and because of that didn't realize how powerful it could be as an admin.

 

Powershell slime trail <3 (powershell transparency)

“You can’t force a powerful tool only to be used how you want it to be used, you can tilt the playing field on behalf of defenders”

 

If an attacker is going to use powershell, let’s make them regret it

 

Powershell has had quite an impact and history.

 

My own sorry logging/alerting attempts

 

You mentioned the number of attacks listed in MITRE that use PowerShell. Is that *the* recommended resource for blue teamers, or are there others?

 

Revoke-Obfuscation white paper (blackhat2017): https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science-wp.pdf

 

https://github.com/danielbohannon/Invoke-Obfuscation 

https://github.com/danielbohannon/Revoke-Obfuscation

 

https://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-now-uses-windows-powershell/ 

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TROJ_POSHCODER.A 

 

Ever thought of writing a PowerShell security-centric book? Bill Pollock was looking for someone to write a book for No Starch…

 

Derbycon 6 keynote with Jeffrey Snover and Lee Holmes - http://www.irongeek.com/i.php?page=videos/derbycon6/101-key-note-jeffrey-snover-lee-holmes

 

AMSI - Antimalware Scan Interface: https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal

 

https://www.amazon.com/dp/B00ARN9MEK/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1 -  Windows Powershell cookbook

 

Eric conrad: https://www.ericconrad.com/2016/09/deepbluecli-powershell-module-for-hunt.html 

https://github.com/sans-blue-team/DeepBlueCLI 

 

Daniel Bohannon - DevSec Defense - https://www.youtube.com/watch?v=QJe8xikf-iE 

https://github.com/psconfeu/2018/tree/master/Daniel%20Bohannon/DevSec%20Defense 

 

Constrained language mode: https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/ 

 

Maslow’s security Hierarchy: https://www.leeholmes.com/blog/2014/12/08/maslows-hierarchy-of-security-controls/ 

 

Just Enough Administration: https://docs.microsoft.com/en-us/previous-versions//dn896648(v=technet.10)?redirectedfrom=MSDN

 

https://github.com/infosecn1nja/AD-Attack-Defense

 

Also - DrawOnMyBadge.com - Super cool idea, loved the mona lisa

 

@Lee_Holmes

@hackershealth

@log-md

@infosecCampout

@seasecEast

 

@brakesec

@bryanbrake

@boettcherpwned

@Infosystir

@packscott

@dpcybuck

@megan_roddie

@consultingCSO

 


Download here!

Wednesday, October 16, 2019

2019-037-Lee Holmes, Powershell logging, and why there's an 'execution bypass'




Download here!

Tuesday, October 8, 2019

2019-036-RvrShell-graphql_defense-Part2


Secure Python course: 

https://brakesec.com/brakesecpythonclass 

PDF Slides: https://drive.google.com/file/d/1wmxrfgbaHu56kfccLoOd5M3Zz6bNP6Qi/view?usp=sharing 

 

GraphQL High Level

https://graphql.org/

Designed as an alternative to the REST architecture

Lets the client ask for exactly the fields it wants, in one (potentially very large) request, using its own query language

Developed internally at Facebook in 2012, open-sourced in 2015

Responses are JSON

 

Learn Enough to be dangerous

https://blog.bitsrc.io/13-graphql-tools-and-libraries-you-should-know-in-2019-e4b9005f6fc2

 

WSDL: https://www.w3.org/TR/2001/NOTE-wsdl-20010315

 

Vulns in the Wild

 

Abusing GraphQL 

 

OWASP Deserialization Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html


Attack Techniques

https://www.apollographql.com/docs/apollo-server/data/data/

https://github.com/graphql/graphiql


Protecting GraphQL

 

https://github.com/maticzav/graphql-shield

 

Magento 2 (runs GraphQL), hard to update…

 

https://github.com/szski/shapeshifter - Matt's tool, Shapeshifter

 

GraphQL implementations inside (ecosystem packages?)

 

Infosec Campout 2020 occurring (28-29 Aug 2020, Carnation, WA)

Patreon supporters  (Josh P and David G)

Teepub: https://www.teepublic.com/user/bdspodcast

 

For Amanda next:

https://www.cybercareersummit.com/

& keynote @grrcon oct 24/25

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!: https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Download here!

Wednesday, October 2, 2019

2019-035-Matt_szymanski-attack and defense of GraphQL-Part1





Derbycon Discussion (bring Matt in)

 



Download here!