pritha's Posts (624)


SACON is India's 1st & Only Security Architecture Conference. With over 70 participants, this was the 5th edition of SACON and here are a few highlights we wanted to share with you. It was held on 18-19th May, Hotel Hyatt, Pune, India.

We had with us Top Security Industry Leaders who helped SACON with great content. For more details visit: sacon.io


What We Covered (Key Highlights)

  • Applications of AI, Machine Learning, Deep Learning
  • Machine Learning - Classical Definition & Types Of Algorithms
  • Data Modeling
  • How The Algorithm Works
  • Linear Regression
  • Logistic Regression
  • Basic Of Protection - Confidentiality, Integrity, Authenticity, Availability, Reliability
  • Targeted & Non-Targeted Attacks
  • Attack Life Cycle - Kill Chain
  • Cyber Threat Intelligence
  • OSINT
  • OSINT Using Google
  • Deep Web Search Engine
  • Operation Security (OPSEC) - Basics & Best Practices
  • Cyber Threat - Data Breaches
  • Communication Channels

Presentations

Click on each presentation name to open slide in new tab

Contributors are Subrat Panda, Arnab Chattopadhayay, Rohit Srivastwa

Photo Albums

Some great photographs have been compiled into an album. Help us tag you (Tag yourself) and let us know if you want to add some pictures you took at the event. Email - pritha.aash@cisoplatform.com

Here's the Photo Album link - Click Here

Read more…

CISO Platform Decision Summit, 2018 Highlights

CISO Platform Decision Summit @Pune last week saw over 200 attendees over 2 days, making the spirit of knowledge sharing and learning a huge success among the Information Security Executives of India. Here are the highlights of the awesome keynotes, electrifying Turbo sessions and some great knowledge-boost training sessions.

It was held on 18th & 19th May, Hyatt, Pune, India.


Some Exciting Sessions & Task Force Meetups:

1. Open House : Enterprise OSINT - From Surface Web To Dark Web

2. (Panel Discussion) Top Emerging Innovations In Cyber Security

3. (Panel Discussion) Exploring Dark Web For Managing Cyber Security Posture

4. Task Force Session On Cyber Security Initiative For Kids

5. (Panel Discussion) How To Measure Your Breach Response Readiness

6. (Panel Discussion) Planning Your Board / Management Engagements For 2018

7. (Panel Discussion) Quantitative Approaches For Measuring 3rd and 4th Party Risks

Photo Album

Some great photographs have been compiled into an album. Help us tag you (Tag yourself) and let us know if you want to add some pictures you took at the event. Email - pritha.aash@cisoplatform.com

Here's the Photo Album link - Click Here

Here's the CISO Platform 100 Recognition Photo Album Link - Click Here

Read more…

Why Is OSINT So Important ?

OSINT (Open-Source Intelligence) is intelligence collected from publicly available sources.

It is becoming a key resource for collecting threat intelligence, even in the enterprise space. One factor is that we now live in a very connected world, so the amount of publicly available data, and the analysis of it, is becoming more relevant. A good example here would be the Stuxnet attack.

The Open Source Movement was also a reason for the push towards OSINT usage.

OSINT can find great use in fields and sectors like Government, Defence, Banking, Finance, Telecom, Critical Infrastructure, Cyber Security Advisory Firms, Cyber Threat Intelligence Teams, Law and Cyber Forensic Teams.

Typical OSINT Process

It includes, in order:

  • Source Identification
  • Data Harvesting
  • Data Processing & Integration
  • Data Analysis
  • Results Delivery

This process can be framed relative to the time of an attack, leading to offensive or defensive OSINT: studying before the attack is defensive, and studying after the attack is offensive.

OSINT Workshops at SACON

SACON (Security Architecture Conference) 2018 has OSINT workshops by industry experts. Pre-Registrations Open for best discounts.

>> Pre-Register for SACON 2018

OSINT Tool Examples

Palantir, I2 - Commercial products.

Maltego - free and commercial version. Free has some limitations

NodeXL - completely free. An extension to Excel. Allows data mining, visualization, some machine learning & clustering capabilities

SpiderFoot - a combination of VA and OSINT that can be automated/scheduled to run from time to time. It automatically queries over 100 public data sources (OSINT) to gather intelligence on IP addresses, domain names, e-mail addresses, names etc.

ShodanHQ - Google-like search engine for all devices connected to the internet. Initially called Google Hacking Database. It focuses on identifying and connecting to anything reachable via a public IP.

Some other tools could be namely - FOCA, Tapir, Creepy, theHarvester, Metagoofil


Reference :

Pointers were derived from a talk at Annual Summit 2015 here and the Offensive OSINT talk from Black Hat here

Read more…

The Playbook Round Table was set in 3 cities - Mumbai, Bangalore & Delhi - where security heads got together to contribute to building a plan to measure an organisation's security program against 2018's application attacks


Key Highlights

  • Key Expectations Of An Appsec Program
  • Key Frameworks To Measure Appsec Maturity
  • Key Metrics To Measure Appsec Maturity
  • Critical Capabilities Of Some Technologies (e.g. WAF, DDoS)
  • Creating Appsec Program Architecture

Detailed Presentation (PPT)

Contributors

Vikas Yadav, Max Life Insurance, CISO
Dhirendra Kumar, Barclays, Head Of Cyber Resilience
Yask, Indian Oil Corporation Ltd, CISO
Pravesh Sharma, Fidelity, Head IT & IS
H S Hora, NIC, Sr. Technical Director
R. Manikant Kumar, Orbis Financial Corporation, Head-IT & Security
Mohit Mendiratta, Havells India Limited, General Manager - IT
Deepak Tiwari, Aircel Limited, DGM IT
Gomeet Pant, Cairn India, Lead - IT Security And Compliance
Hema Gupta, NCR, Sr. Manager Security Governance
Sunil Gupta, Ministry of Steel, Chief Information Officer
Rekha Atri, Cairn India, IT Security & Compliance

Sridhar Govardhan, Wipro, General Manager - Cyber Security
Rejo Thomas, Exide Life Insurance, DGM
Roshan Williams, Cognizant, Director Global Information Security
Somanath NG, Alstom, Head Of Security
Sathish Sreenivasiah, TCS, Information Technology Service
Ajay Agrawal, Wipro, Senior Manager
Nitin Gaur, Omega Healthcare, Associate Director- CISO
Lopa Mudraa Basuu, Ocwen Financial Solutions, Director IT Risk Operations
Raghavendra Bhat, SAP, Head Of Security
Satish Kumar Dwibhashi, WIBMO, CISO
Shaik J Ahmed, Virtusa Polaris Director, Head Cyber Security
Shobha Jagathpal, Walmart Labs, Security Manager
Sushil Nahar, Happiest Minds, GM
Vinod Kumar Vasudevan, Honeywell, Head- Cyber Security
Chidanand, Eminent Minds, IT Head
Kalyana M, Kotra, Manager

Vikas Gupta, State Bank of India, Assistant General Manager(Systems)
Prasanna Lohar, DCB BANK LTD, Head Technology
Kotni Srihari Rao, Reliance Payment solutions ltd, Associate Vice President
Mohd Imran, L&T Finance Group, Head- IT Sec
Bhuvanesh Shukla, Axis Securities Limited, CTO
Rajendra Bhalerao, NPCI, CISO
Bharat Chitroda, Paypoint India Network Pvt. Ltd., IT-Head
Raj Naik, Indus Ind bank, Asst. Manager
Prashant Mhapomkar, Indus Ind bank, Deputy Manager
Manthan Babu K, NPCI, CISO
Dilip Panjwani, L&T Infotech, CISO
Rajesh Kathuria, rediff.com, Associate Director - IT

Read more…

(Free PPTs) Top Talks @ SACON - 2017 !

Get free access to the presentations by Moshe Ferber, Gregory Pickett, Murray Goldschmidt, Dr. Philip Polstra & more. SACON is one of the largest Security Architecture Conferences in the APAC region. With over 400 participants, this was the 4th edition of SACON and here are a few highlights we wanted to share with you. It was held on 10th-11th Nov, Hotel Lalit Ashok, Bangalore, India.

We had with us Top Security Industry Leaders who helped SACON with great content. For more details visit: sacon.io

Check out the full list of speakers here

>> Pre-Register for SACON 2018



01. Cloud Security Architecture (Moshe Ferber)

This session includes understanding IaaS, threats & risks of cloud computing, securing IaaS platforms, securing IaaS instances

>> Pre-Register for SACON 2018


02. Windows Forensic (Dr. Philip Polstra) 

Have you ever wanted to investigate a Windows and/or Linux breach but could not justify the 8 lakh rupees in software? This workshop will introduce attendees to Windows and Linux forensics using 100% free and open source software. Python and shell scripting will be used to easily analyze both Windows and Linux systems at a deep level.

>> Pre-Register for SACON 2018

03. SecOps Workshop (Gregory Pickett)

Adaptive Network Protocol (ANP) allows systems to share events with each other. When one system sees a threat, they all see it and can respond in a coordinated fashion. Your network can, quite literally, respond to a threat all on its own. In this session, we’ll show you how ANP works, how to install it, and cover all the use cases from generating your own Threat Intelligence feed, to sharing fail2ban jails across clouds, to automatically NATing threats to honeypots, and many more. To show you how it works, there will be demos of some of these scenarios.

>> Pre-Register for SACON 2018


04. Automating SecOps (Murray Goldschmidt)

Dynamic, high-velocity DevOps production environments deliver impressive results to enterprises. Security teams now need to catch up and be effective immediately. This 4-hour lab on Security Automation for DevOps teaches ways to improve security at the source and manage a secure environment across the lifecycle. Understand the DevSecOps stack and how to protect it by gaining visibility using automation across development, applications, operating systems and the cloud, covering SAST, DAST, 3rd party library scanning, continuous monitoring, vulnerability management and self-healing. Attendees will learn how to start with simple security automation to protect DevOps environments - without becoming a bottleneck in the process.

>> Pre-Register for SACON 2018


05. Beyond Corp (Arnab Chattopadhayay)

It includes Google Beyond Corp principles, Beyond Corp Architecture Components, Types Of Data, Data Processing Flow, Correlation, Exceptions, Deployment, 3rd party systems, Challenges & more

>> Pre-Register for SACON 2018


06. Enterprise Security Architecture (Bikash Barai)

Includes Architectural Methodologies, Major frameworks - Zachman & SABSA, challenges, CP - SSM, Key Elements, Threat Repository, NIST CSF & more

>> Pre-Register for SACON 2018


07. Immutable Architecture (Nilanjan De)

Includes Immutable Infrastructure, Advantages, Disadvantages, How to implement, demo & more

>> Pre-Register for SACON 2018

08. Cyber Risk Assessment Using Bayesian Network (R Venkat)

Includes Heat Map, Range Compression Problem, Uncertainty, Probability & Bayes Theorem, Bayesian Network & more

>> Pre-Register for SACON 2018


09. DevOps Container (Richard Bussiere) 

Includes understanding of security risk posed by containers, what to do, demo & more

>> Pre-Register for SACON 2018


10. Incident Response Automation & Orchestration (Amit Modi)

This session covers how to increase the efficiency of one's SOC

>> Pre-Register for SACON 2018


11. Security Architecture (Arnab Chattopadhayay)

Includes a brief history of Enterprise Architecture, Zachman framework, SABSA (in-depth), Security standards & more

>> Pre-Register for SACON 2018


12. API Security (Suhas Desai)

Includes API Security Trends, Risks & Security Governance

 

>> Pre-Register for SACON 2018

13. Threat Modeling Overview (Abhishek Datta)

Includes Threat Modeling Basics, Approach, Purpose, Threat Vs Vulnerability, STRIDE Framework, Threat Rating, Risk Analysis Model, DREAD, Countermeasures & more

>> Pre-Register for SACON 2018


14. Threat Hunting (Chandra Prakash)

Includes threat hunting platform drivers, hunting styles, hunting maturity model (HMM), hunting strategy, data domains, data diversity, toolset diversity, kill chain, hunting process, data type & location, analytic technique, beacon, LatMov, staging, exfil & more

>> Pre-Register for SACON 2018


15. Deception Technology (Sahir Hidayatullah)

This includes an understanding of deception and who should use it

>> Pre-Register for SACON 2018


16. Threat Hunting Workshop (Shomiron Das Gupta) 

Includes fundamental understanding of threat hunting, process, plan and execution, tools & techniques, resources to learn, DNS Tunnelling, Webshells & more

>> Pre-Register for SACON 2018


17. Automotive Security / Connected Cars (Aditya Kakrania)

Includes fundamentals of connected cars, ECU (Electronic Control Unit) & types, Controller Area Network (CAN) Protocol, On-Board Diagnostics, Components Of Connected Cars

>> Pre-Register for SACON 2018


18. Mobile App Security (Srinath Venkataramani)

This includes Mobile App Development - Attack Surface, Data authentication & App protection challenges, iOS & Android protection measures & more

>> Pre-Register for SACON 2018

19. IoT Forum Fresh Thinking (Arvind Tiwary & Bikash Barai)

This is a joint initiative by TiE & CISO Platform. It explains IoT Security Challenges, Complexity and Introduces some ways of solving it (a fresh approach)

>> Pre-Register for SACON 2018


20. Fresh Thinking IoT (Arnab Chattopadhayay)

Includes basic IoT security key components, hyper scale, key players, key security functions, functional aspects of IoT Security, Access control, network segments & more

>> Pre-Register for SACON 2018


21. IoT Hackfest (Sri Chakradhar K)

This session was delivered mostly through demos, so the slides cover very little material. Includes the latest IoT attacks


Read more…

Incident Response Process - Signs Of Compromise

Here are some indicators which will help you detect a compromise :

  • The same email from a public domain arriving for a significant number of users, C-level employees or other high-value targets, with encrypted, password-protected or zipped attachments chosen to evade the email malware filter (put the user in the reference list)
  • Endpoint / HIPS / host-based malware alerts for local script execution for the same user: raise an incident
  • Unusual traffic volumes to multiple ports or IP addresses, or excessive packet loss (e.g. a connection to an external IP lasting over 4 hours)
  • Abnormal services on known ports and abnormal ports for well-known services (e.g. SSH on port 80); verify the reputation scores of the IPs involved
  • EDR and WAF alerts for scripts or hash mismatches
  • Botnet filter alerts for traffic to blacklisted domains
  • Email / spam filter misbehaviour or maintenance activity followed by suspicious activity on the network, especially involving unknown or suspicious remote destinations
  • Packet flow inside and outside the network showing likely patterns of command-and-control (C&C) traffic, outbound custom-encrypted communications, covert communication channels with external entities, etc.
  • Threat intelligence alerts for connections or data sent to suspicious destinations outside the organization, especially in less reputed geographic locations and at odd hours
  • Signs that a data breach has occurred, such as unusually large HTML packets
  • Hourly and daily reports of network usage showing unusual occurrences and spikes in traffic
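As an added example (not part of the SACON presentation), the script below turns three of the indicators above into detection logic over constructed mail-gateway and flow-collector records: one public-domain sender hitting several high-value mailboxes with encrypted attachments, an outbound connection to an external IP that stays open for more than 4 hours, and a well-known port carrying the wrong protocol (SSH on port 80). The log format, the free-mail domain list, the high-value user watch list and the expected-protocol table are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real telemetry), pipe-separated, in the shape
# a mail gateway and a flow collector might export.
MAIL_LOG = [
    # timestamp|sender|recipient|attachment|attachment_state
    "2018-05-18T09:01:12|careers@gmail.com|cfo@example.com|Offer.zip|encrypted",
    "2018-05-18T09:01:15|careers@gmail.com|ceo@example.com|Offer.zip|encrypted",
    "2018-05-18T09:01:20|careers@gmail.com|cto@example.com|Offer.zip|encrypted",
    "2018-05-18T09:05:00|alice@example.com|bob@example.com|notes.txt|plain",
]
FLOW_LOG = [
    # start|end|src_ip|dst_ip|dst_port|protocol_seen
    "2018-05-18T02:00:00|2018-05-18T07:15:00|10.0.0.12|203.0.113.7|443|tls",
    "2018-05-18T10:00:00|2018-05-18T10:03:00|10.0.0.13|198.51.100.9|80|http",
    "2018-05-18T11:00:00|2018-05-18T11:00:40|10.0.0.14|198.51.100.22|80|ssh",
]

# Assumed reference data (constructed for the example): free-mail domains, the
# watch list of high-value mailboxes, and the protocol expected on each port.
PUBLIC_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
HIGH_VALUE_USERS = {"ceo@example.com", "cfo@example.com", "cto@example.com"}
EXPECTED_PROTOCOL = {22: "ssh", 80: "http", 443: "tls"}


def mass_mail_to_high_value(lines, threshold=3):
    """Indicator: one public-domain sender reaching `threshold` or more high-value
    users, or any high-value user with an encrypted (filter-evading) attachment."""
    recipients = defaultdict(set)
    encrypted = defaultdict(bool)
    for line in lines:
        _ts, sender, rcpt, _name, state = line.split("|")
        if sender.split("@")[1] not in PUBLIC_MAIL_DOMAINS:
            continue
        if rcpt in HIGH_VALUE_USERS:
            recipients[sender].add(rcpt)
            if state == "encrypted":
                encrypted[sender] = True
    return sorted(
        sender for sender, rcpts in recipients.items()
        if len(rcpts) >= threshold or encrypted[sender]
    )


def long_lived_external_connections(lines, max_hours=4.0):
    """Indicator: connections to non-RFC1918 (here: non-10/8) destinations held
    open longer than max_hours. Returns (src, dst, hours)."""
    hits = []
    for line in lines:
        start, end, src, dst, _port, _proto = line.split("|")
        delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
        hours = delta.total_seconds() / 3600
        if not dst.startswith("10.") and hours > max_hours:
            hits.append((src, dst, round(hours, 2)))
    return hits


def protocol_port_mismatch(lines):
    """Indicator: a well-known port carrying a protocol other than the expected one
    (the article's example is SSH on port 80). Returns (src, dst, port, proto)."""
    hits = []
    for line in lines:
        _s, _e, src, dst, port, proto = line.split("|")
        expected = EXPECTED_PROTOCOL.get(int(port))
        if expected is not None and proto != expected:
            hits.append((src, dst, int(port), proto))
    return hits


def triage(mail_lines, flow_lines):
    """Collect every indicator hit into one structure for the incident record."""
    return {
        "mass_mail_senders": mass_mail_to_high_value(mail_lines),
        "long_connections": long_lived_external_connections(flow_lines),
        "port_mismatches": protocol_port_mismatch(flow_lines),
    }


if __name__ == "__main__":
    for name, hits in triage(MAIL_LOG, FLOW_LOG).items():
        print(f"{name}: {hits}")
```

Each function returns the raw hits rather than a verdict: in practice these feed a SIEM correlation rule, and the article's "raise incident" step happens when two or more of them line up for the same user or host within a short window.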

This was presented at SACON - The Security Architecture Conference - largest security architecture conference in the region. You can find the full presentation here. SACON International 2017 will be hosting a Cyber Security Workshop by Dr. Phil Polstra (Author Of 'Linux Forensic').


Dr. Phil Polstra (Author of 'Linux Forensic' & many more books) will be conducting Linux and Windows Forensic Workshop at SACON 2017. Check workshop agenda here

Read more…

Top Past Talks By Moshe Ferber

Frequent Speaker at DEFCON, Blackhat, RSAC APJ, Royal Society London

Renowned Cloud Security Expert

1. From Zero To Secure In 1 Minute (Securing IaaS)

Conference : DEFCON 23

For complete presentation/slide : Click Here

2. Cloud Security for Startups by Moshe Ferber

Conference : Technopreneurship SIG

For complete presentation/slide : Click Here

***********

Top Past Talks Dr. Phil Polstra

Frequent speaker at DEFCON, Blackhat, BSides, GrrCON, ShakaCON..

Author of "Linux Forensic"

1. Cyber hi-jacking airplanes

Conference: DEFCON22

For complete presentation/slide : Click Here

2.One Device To Pwn Them All

Conference: DEFCON23

For complete presentation/slide : Click Here

***********

Top Past Talks Gregory Pickett

Frequent Speaker at DEFCON, BRUCON, Hack In Paris, Blackhat

Renowned Security Expert

1. Staying Persistent In Software Defined Networks

Conference: Black Hat USA 2015

For complete presentation/slide : Click Here

2. Abusing Software Defined Networks

Conference: DEFCON 22

For complete presentation/slide : Click Here

***********



Top Past Talks Murray Goldschmidt

Frequent speaker at RSAC, AusCERT 

Renowned DevSecOps Expert

1. DevOps – A How To for Agility with Security

Conference: RSAC APJ 2017

For complete presentation/slide : Click Here

************

Read more…

Technologies For Security Of BYOD

This article is a contribution by Chitranjan Kesari, AVP IT, Lodha Group for the information security community.

The need for flexibility, speed and information sharing means it is mandatory to maintain a robust security arrangement that can protect the data and still let people stay connected. A reliable BYOD policy is required to help safeguard our network. BYOD security starts with a policy that defines exactly what sensitive company information needs to be protected and which employees should have access to it, and then with educating all employees on this policy. In our experience, the safety of our network depends on how much our employees know about cyber security.

Below are a few fundamentals covered :

1. Virtual Desktop Infrastructure & Containerization 

It is a way to address Virtual Hybrid Desktop issues by placing native applications inside a safe zone on a device. A virtual machine manager abstracts the container from the client hardware, boosting performance and reducing server strain by allowing client-side execution, while still improving security by isolating the container from certain functions, such as wireless network connections, USB ports or device cameras. Some virtual containers contain an entire operating system and productivity application suite, while others are purpose-built, single-function virtual devices that provide services like compliance monitoring or highly secure applications.

2. Chipset Level Security Technologies

These allow MDM to reach underneath a managed device's operating system, performing remote wipes and pre-boot virus scans, regardless of the device status. By providing access below the operating system, this technology allows administrators to correct problems by loading software patches and virus definitions, removing the need for third-party software tokens or hardware - based authentication devices. Anti-Theft technology from some reliable vendor extends security features such as remote, operating system independent device locking and unlocking to processors.

( Read More: Top 6 Reasons Why Data Loss Prevention (DLP) Implementation Fails )

3. Network Access Control Technology

This allows employees to use their personal devices on the network while providing the security and access control required by the enterprise. The approach combines granular access policies, automated enforcement, and complete visibility into every device and user on the network. Leverage software and hardware solutions to lock down and manage devices while simultaneously securing the data itself. Wireless networks have to be built for secure BYOD access and the way to do that is incorporating NAC for mobile devices.

4. Data loss prevention

Deploying these engines enables administrators to keep track of data traffic and immediately block suspicious users or activity. DLP tools can apply a use policy to information as it is created, whether it is a file, email or application. This means that data at rest, in use or in transit can be logged, reported, tagged and encrypted at any stage, preventing unauthorized activity. As more firms allow employees the freedom to access the corporate database from a personal device, DLP technologies will be imperative to maintain secure data management.

( Learn More : Top Security Researchers are coming together for workshops and sessions on Cloud Security, Cyber Forensics, IR, SOC, Appsec & more at SACON (Security Architecture Conference). Registrations open here )

Read more…

How to design an effective phishing simulation ?

This article was contributed by Sridhar Govardhan, CISA, CISM, CEH, General Manager-Cyber Security at Wipro

Phishing is a type of social engineering attack. Using a phishing email, the attacker cleverly manipulates the natural human tendency to trust others and tricks the victim into acting as instructed in the email. To be convincing, the fraudster will use a combination of the following elements in the email - use of authority, secrecy and pressure tactics.

Today’s email security solutions are designed to detect and prevent predominantly known threats using signatures and/or heuristics. Signature based detection technology fails in detecting / protecting zero-day threats and is ineffective in handling of polymorphic threats.

Also, security technology lacks the context of human behaviour. Today's security technology does not factor in human action and completely ignores social engineering attacks. The various forms of social engineering attack (Phishing, Whale Attack, CEO Fraud) are the most exploited threats today, and they succeed by exploiting human trust. To cover the above threat scenarios, email security technology has to mature further.

With this background, the best security control an enterprise can design and implement is to make its users the first line of defence. An information-security trained and educated user is the best preventive and detective control against the phishing email threat.

Regular awareness and training sessions can provide basic concepts of phishing email and some additional knowledge of phishing. This knowledge alone will not suffice for a user to detect all variants of phishing, since targeted (spear) phishing emails can be made to look real with respect to content and context of the email.

To give users a realistic view of how phishing emails trick and manipulate them, a controlled phishing simulation exercise with immediate feedback and training is the best tactic.

( Read More: Bad USB Defense Strategies )


To achieve better results and effective user training, the key components of a phishing simulation exercise are:

  • Phishing Simulation Tool

  • Phishing email theme

  • Frequency of the simulation

  • Reporting and Awareness

1. Phishing simulation solution

One of the critical elements in building a phishing simulation is the solution that will be used to conduct it. The tool should have the following features:

  • Built-in repository of varied templates covering different phishing categories and continually updated phishing email templates (commercial solution)

  • Solution should be highly customizable w.r.t phishing email templates

  • Extensive reporting options on completion data, average score, most missed items, user activity

  • Trend graphing feature to understand the user behaviour over time

  • Easy integration with messaging solution

  • Granular reporting on user activity and overall participation by division / project / department

  • Integration with the existing Learning Management Solution (LMS)

( Read More: Free Resources For Kickstarting Your IT-GRC Program )

2. Phishing email theme

In every phishing simulation activity, theme of the phishing plays an important part in meeting the end objective of educating users on real threats. To provide a real-world experience and awareness, phishing simulation theme selected should align with an event or context relevant to the target individual or group. Below points to be considered for an effective simulation activity,

  • Theme chosen for the phishing simulation should be aligned with business context and perceived risk to the user’s role / function / department

  • Phishing simulation theme selected should have relevance to the individual or group selected  

  • To achieve better results and learning experience, the complexity of the theme selected should be gradually elevated to next level

  • Starting with a highly complex phishing theme will make many fail and will not achieve the end objective

  • Each deceiving element of phishing email needs to be combined with other tricks typically used by attackers (example: look alike domain with camouflaged hyperlink, spoofed domain with double extension file)

3. Frequency of the simulation

Every phishing email sent by attackers is well planned and appropriately timed to an event targeting the victim (example: Tax returns, holiday shopping, M&A, etc). Below points to be considered for an effective simulation activity,

  • High-risk functions / departments / individuals handling an important role in the organization should be covered more frequently as part of the simulation. A matrix of risk against function / department / individual, with the sample column layout below:

    Function / Department / Individual | Risk Score | Frequency (Days)

  • Frequency of simulation should be changed based on perceived threat

  • If the function or department to be covered is being targeted with phishing emails, change the risk score and increase the frequency

  • Each simulation activity should be time bound; contextual themes lose their value if not conducted within the defined timeline

  • The coverage of user and frequency of simulation should be decided based on the perceived risk (Finance & Payments – 2 themes / month, senior leadership – 1 theme / month)

  • “Too Much of Anything Is Bad” doesn’t apply to phishing simulation, the more the better

  • When planning the campaign, the "day of the week" and "time of the day" at which phishing emails are sent to each function / department or individual is an important element

(Read more : Top 9 Past Security Talks By Dr. Phil Polstra, speaker @SACON ) 

4. Analysis and Reporting

After every phishing simulation campaign, a mandatory detailed analysis of the results of the campaign should be part of the process. Analysis could provide valuable insights into the failure and success points. Analysis should factor the following points,

  • complexity of the selected phishing theme

  • theme of the phishing email

  • targeted group

  • number of times previously covered 

  • Final report on the overall performance of the simulation phishing exercise should be shared with head of function / department

  • Report should cover statistics of failure and success points, a few sample points below -

    • % of targeted users were successfully phished

    • % of targeted users clicked the URL and submitted details requested

    • % users who have access to critical data / information who failed

    • % of users opened mail, but they didn’t click the phishing URL

    • % of targeted users opened the attachment

  • Good points should also be reported (if the process allows, reward a few to encourage others)

  • At advanced phase, analyse and provide details of timeline graph of failure and user reporting

  • If possible, avoid revealing names of users who failed in the simulation in the management report

  • If users are repeatedly failing, have a discussion with few users to understand the reason and constraint they have. Accordingly arrange for awareness / training sessions for the users
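The following added example (not the author's code or any vendor's tool) implements two pieces of the process described above: the risk-to-frequency matrix from section 3, and the campaign metrics from section 4. The risk bands (score 8-10 every 15 days, 5-7 every 30 days, below that every 60 days) are an assumption chosen to match the article's two fixed points (Finance & Payments at 2 themes / month, senior leadership at 1 theme / month); the campaign results are constructed, and the report deliberately returns only counts and percentages so that no user names reach the management report.

```python
from dataclasses import dataclass


def frequency_days(risk_score, actively_targeted=False):
    """Map a 1-10 risk score to a simulation interval in days.
    The bands are an assumption made for this example, not the article's."""
    if actively_targeted:            # article: raise the score when the group is being targeted
        risk_score = min(10, risk_score + 2)
    if risk_score >= 8:
        return 15                    # about 2 themes per month
    if risk_score >= 5:
        return 30                    # about 1 theme per month
    return 60


# Constructed risk matrix in the article's column layout:
# (function / department / individual, risk score, currently being targeted?)
RISK_MATRIX = [
    ("Finance & Payments", 9, False),
    ("Senior Leadership", 7, False),
    ("HR", 4, True),
    ("Engineering", 3, False),
]


def build_schedule(matrix):
    """Return (group, risk score, frequency in days) for each row of the matrix."""
    return [(name, score, frequency_days(score, targeted)) for name, score, targeted in matrix]


@dataclass
class Result:
    """One user's outcome in a single simulation campaign (constructed fields)."""
    user: str
    department: str
    critical_access: bool
    opened: bool = False
    clicked: bool = False
    submitted: bool = False
    opened_attachment: bool = False
    reported: bool = False

    @property
    def failed(self):
        # Any of the three "bit" actions counts as being successfully phished.
        return self.clicked or self.submitted or self.opened_attachment


# Constructed campaign results (sample data, not from a real exercise).
CAMPAIGN = [
    Result("u1", "Finance", True, opened=True, clicked=True, submitted=True),
    Result("u2", "Finance", True, opened=True, clicked=True),
    Result("u3", "Finance", False, opened=True, reported=True),
    Result("u4", "HR", False),
    Result("u5", "HR", False, opened=True, opened_attachment=True),
    Result("u6", "Leadership", True, opened=True, reported=True),
    Result("u7", "Leadership", True, opened=True, clicked=True, submitted=True),
    Result("u8", "IT", False),
]


def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0


def campaign_report(results, department=None):
    """Aggregate the metrics listed in the article; no user names are included."""
    rows = [r for r in results if department in (None, r.department)]
    n = len(rows)
    critical = [r for r in rows if r.critical_access]
    return {
        "targeted": n,
        "phished_pct": pct(sum(r.failed for r in rows), n),
        "clicked_and_submitted_pct": pct(sum(r.clicked and r.submitted for r in rows), n),
        "critical_access_failed_pct": pct(sum(r.failed for r in critical), len(critical)),
        "opened_not_clicked_pct": pct(sum(r.opened and not r.clicked for r in rows), n),
        "opened_attachment_pct": pct(sum(r.opened_attachment for r in rows), n),
        "reported_pct": pct(sum(r.reported for r in rows), n),
    }


if __name__ == "__main__":
    for group, score, days in build_schedule(RISK_MATRIX):
        print(f"{group}: risk {score} -> every {days} days")
    print("overall:", campaign_report(CAMPAIGN))
    print("finance:", campaign_report(CAMPAIGN, "Finance"))
```

Running the same report per department (the `department` argument) gives the head of each function the view the article asks for, while the overall numbers go into the management report without the names of users who failed.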

Few considerations to be taken care of :

  • Communicate about the phishing simulation to the head of function / department before initiating the phishing simulation campaign

  • If you are using an in-house solution, never use your enterprise external IP address range and frequently change the IP address

  • Don’t use irreverent and loose themes, the sanity of the whole exercise will be lost

  • If the campaign is targeted to large group of users belonging to same function / department, avoid using online feedback and declaration. Have delayed feedback, this will ensure users don’t inform others in the group.

What are your go-to solutions for designing an effective phishing simulation? Community members share their knowledge here to help the community collaborate and grow faster.

 

Read more…

Top 9 Past Security Talks By Dr. Phil Polstra

Dr. Philip Polstra

Author of ‘Linux Forensic’, 'Windows Forensic', 'Hacking & Penetration Testing With Low Power Devices' | Frequent speaker at DEFCON, Blackhat, BSides, GrrCON, ShakaCON | Renowned forensic expert

About : Digital forensics professor by day. Hardware hacker and penetration tester by night. Associate Professor, Digital Forensics at Bloomsburg University of Pennsylvania. Attended Northcentral University

Dr. Phil Polstra will be conducting a hands-on 'Windows & Linux Forensic' workshop at SACON - Bangalore on 10 & 11th November, 2017. To register/know more click here

Top 10 Past Security Talks by Dr. Phil Polstra

1. Am I Being Spied On? Low Tech Ways Of Detecting High Tech Surveillance

Conference : DEFCON22

Brief : Is someone spying on you? This talk will present several low-tech ways that you can detect even high-tech surveillance. Topics covered will include: detecting surveillance cameras with your cell phone, signs that you are under physical surveillance, detecting active and passive bugs with low cost devices, and detecting devices implanted inside computers, tablets, and cell phones.

For complete slide/presentation : Click here

2. Cyber hi-jacking airplanes

Conference: DEFCON22

Brief : This talk will take a systematic look at the mechanisms others are claiming would permit such cyberhijacking. Each of the most popular techniques will be examined mythbuster style. Along the way several important aircraft technologies will be examined in detail.

For complete presentation/slide : Click Here

3. Hacker In The Wires

Conference: DEFCON23

Brief : This talk will show attendees how to use a small ARM-based computer that is connected inline to a wired network for penetration testing. The computer is running a full-featured penetration testing Linux distro. Data may be exfiltrated using the network or via a ZigBee mesh network or GSM modem.

The device discussed in this talk is easily integrated into a powerful penetration test that is performed with an army of ARM-based small computer systems connected by XBee or ZigBee mesh networking.

For complete presentation/slide : Click Here

4. Mouse Jiggler Offense & Defense

Conference: DEFCON24

Brief : This talk will present ways of detecting and defending against such assaults on your system by mouse jiggler wielding individuals. It will also show you how to build your own simple mouse jiggler. Nothing beyond basic Linux usage is required to understand this talk. Attendees will leave with several ways to defend against mouse jigglers and the knowledge of how to create their own mouse jigglers.

For complete presentation/slide : Click Here

5. One Device To Pwn Them All

Conference: DEFCON23

Brief: This talk will present a device that can be used as a dropbox, remote hacking drone, hacking command console, USB writeblocker, USB Mass Storage device impersonator, or scripted USB HID device. The device is based on the BeagleBone Black, can be battery operated for several days, and is easily constructed for under $100.

For complete presentation/slide : Click Here

6. We are Legion: Pentesting with an Army of Low-power Low-cost Devices

Conference: DEFCON21

Brief: This talk will show attendees how they can do penetration testing with a network of small, battery-powered, penetration testing systems. The small devices discussed will be running a version of The Deck, a full-featured penetration testing and forensics Linux distro. The Deck runs on the BeagleBoard and BeagleBone family of devices (including the next-gen BeagleBone released in April, aka the "Raspberry Pi killer"). These devices are easily hidden and can run for days to weeks off battery power thanks to their low power consumption. Various configurations will be presented, including a device the size of a deck of cards that is easily attached to the back of a computer, is powered by USB, and can be connected inline with the computer's Ethernet connection.

For complete presentation/slide : Click Here

7. Bypassing Endpoint Security $20 or less

Conference: DEFCON20

Brief: In this talk, cheap, easily constructed devices that can be used to bypass endpoint security software by making any USB mass storage (flash or hard) drive appear as an authorized device will be presented.

The design and implementation will be discussed in detail. Devices can be constructed for approximately $18 for a small package that requires soldering of 4 wires, and $30 for a slightly larger package that requires no soldering. Some familiarity with microcontrollers and C programming would be helpful, but is not required for attendees to get the most from this talk.

For complete presentation/slide : Click Here

8. Mesh Stalkings - Penetration Testing With Small Networked Devices

Conference: BlackHat Europe 2013

Brief: This talk will show attendees how they can do penetration testing with a network of small, battery-powered, penetration testing systems. The small devices discussed will be running a version of The Deck, a full-featured penetration testing and forensics Linux distro. The Deck runs on the BeagleBoard-xM, BeagleBone, and similar ARM-based systems. These devices are easily hidden and can run for days to weeks off battery power thanks to their low power consumption. While each device running The Deck is a full-featured penetration-testing platform, connecting systems together via a mesh network allows even more power and flexibility.

For complete presentation/slide : Click Here

9. Low-power Hacking Bootcamp training course

Conference: BlackHat USA 2015

Reference: The talk links, documents, descriptions and videos above have been taken from various sources such as DEFCON and BlackHat.


Basics Of Cyber Kill Chain Model

Cyber Kill Chain Model

In military strategy, a 'Kill Chain' is a phase model that describes the stages of an attack, which also helps inform ways to prevent attacks.

  • Situational Awareness - Ability to identify what is happening in the network and system landscape
  • Reconnaissance - Identification and selection of the target host(s) or network by active scanning
  • Weaponization & delivery - Transmission / injection of the malicious payload into the target(s)
  • Lateral Movement - Detect, exploit and compromise other vulnerable hosts
  • Data Exfiltration - Steal and exfiltrate data
  • Persistency - Establish a foothold in the corporate network

The sections below list, for each stage, the indicators that can be monitored to detect it.

Situational Awareness

  • Outbound protocols
  • Outbound protocols by size
  • Top destination Countries
  • Top destination Countries by size

Reconnaissance

  • Port scan activity
  • ICMP query

Weaponization & delivery

  • Injection
  • Cross Site Scripting
  • Cross Site Request Forgery
  • Failure to Restrict URL
  • Downloaded binaries
  • Top email subjects
  • Domains mismatching
  • Malicious or anomalous Office/Java/Adobe files
  • Suspicious Web pages (iframe + [pdf|html|js])

Lateral Movement

  • Remove or add account
  • Remote WMI communications
  • Remote Group Policy Editor
  • Remote Session Communications (during outside working hours?)
  • Antivirus terminated

Data Exfiltration

  • Upload on cloud storage domains
  • Suspicious HTTP Methods (Delete, Put)
  • Uploaded images
  • FTP over non standard port
  • IRC communication
  • SSH | ICMP Tunneling

Persistency

  • Unusual User Agents
  • Outbound SSL VPN
  • Outbound unknown
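As an added example (not from the SACON material), the rule set below tags constructed network log events with the kill chain stage whose indicators from the lists above they match: port scan activity and ICMP queries for reconnaissance, binary downloads for delivery, remote WMI outside working hours for lateral movement, suspicious HTTP methods, cloud storage uploads, FTP on a non-standard port and IRC for exfiltration, and unusual user agents for persistency. The event fields, thresholds, domain lists and sample traffic are assumptions made for this example.

```python
"""Tag constructed network log events with the kill chain stage they indicate.

Added example (not from the SACON slides): a small rule set that maps the
per-stage indicators listed above onto stages. Event fields, thresholds,
domain lists and the sample traffic are this example's own assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime

PORT_SCAN_THRESHOLD = 10                  # distinct ports, one source -> one host
WORK_HOURS = range(8, 20)                 # assumed office hours
BINARY_EXT = (".exe", ".dll", ".msi", ".jar")
CLOUD_STORAGE_DOMAINS = {"storage.example-cloud.com", "share.example-drive.com"}  # constructed
BASELINE_USER_AGENTS = ("Mozilla/5.0",)   # prefixes the organisation normally sees
IRC_PORTS = {6667, 6697}


def ev(ts, src, dst, dport, proto, method="", host="", path="", ua=""):
    """Build one constructed event record (flat dict, one record per flow)."""
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "proto": proto,
            "method": method, "host": host, "path": path, "ua": ua}


# Constructed sample traffic, not a real capture.
SAMPLE_EVENTS = (
    # reconnaissance: one source sweeps ports 20-31 on one host, then pings another
    [ev("2018-05-18T02:10:%02d" % i, "10.0.0.5", "10.0.1.7", p, "tcp")
     for i, p in enumerate(range(20, 32))]
    + [ev("2018-05-18T02:11:00", "10.0.0.5", "10.0.1.8", 0, "icmp")]
    # weaponization & delivery: an executable fetched over HTTP
    + [ev("2018-05-18T09:15:00", "10.0.0.21", "203.0.113.9", 80, "http", "GET",
          "updates.example.net", "/dl/invoice.exe", "Mozilla/5.0 (Windows NT 10.0)")]
    # lateral movement: remote WMI from the same workstation late at night
    + [ev("2018-05-18T23:40:00", "10.0.0.21", "10.0.0.30", 135, "wmi")]
    # data exfiltration: PUT to a cloud storage domain, then FTP on port 2121
    + [ev("2018-05-19T01:02:00", "10.0.0.21", "203.0.113.50", 443, "http", "PUT",
          "storage.example-cloud.com", "/upload/archive.zip", "Mozilla/5.0 (Windows NT 10.0)"),
       ev("2018-05-19T01:05:00", "10.0.0.21", "203.0.113.51", 2121, "ftp")]
    # persistency: periodic outbound request with a user agent never seen before
    + [ev("2018-05-19T03:00:00", "10.0.0.21", "203.0.113.52", 80, "http", "GET",
          "cdn.example.org", "/ping", "Python-urllib/3.6")]
    # benign browsing from another workstation
    + [ev("2018-05-19T10:00:00", "10.0.0.22", "203.0.113.60", 443, "http", "GET",
          "www.example.com", "/", "Mozilla/5.0 (Windows NT 10.0)")]
)


def tag_event(e):
    """Return (stage, indicator) pairs for one event; an event may match several."""
    tags = []
    if e["proto"] == "icmp":
        tags.append(("Reconnaissance", "ICMP query"))
    if e["proto"] == "http" and e["path"].lower().endswith(BINARY_EXT):
        tags.append(("Weaponization & delivery", "Downloaded binary %s" % e["path"]))
    if e["proto"] == "wmi":
        hour = datetime.fromisoformat(e["ts"]).hour
        when = "" if hour in WORK_HOURS else " (outside working hours)"
        tags.append(("Lateral Movement", "Remote WMI communications" + when))
    if e["proto"] == "http" and e["method"] in ("PUT", "DELETE"):
        tags.append(("Data Exfiltration", "Suspicious HTTP method %s" % e["method"]))
    if e["proto"] == "http" and e["host"] in CLOUD_STORAGE_DOMAINS:
        tags.append(("Data Exfiltration", "Upload to cloud storage domain %s" % e["host"]))
    if e["proto"] == "ftp" and e["dport"] != 21:
        tags.append(("Data Exfiltration", "FTP over non-standard port %d" % e["dport"]))
    if e["proto"] == "irc" or e["dport"] in IRC_PORTS:
        tags.append(("Data Exfiltration", "IRC communication"))
    if e["proto"] == "http" and e["ua"] and not e["ua"].startswith(BASELINE_USER_AGENTS):
        tags.append(("Persistency", "Unusual User Agent %r" % e["ua"]))
    return tags


def port_scans(events):
    """Reconnaissance: (src, dst, n_ports) for sources touching many ports on one host."""
    seen = defaultdict(set)
    for e in events:
        if e["proto"] == "tcp":
            seen[(e["src"], e["dst"])].add(e["dport"])
    return [(src, dst, len(ports)) for (src, dst), ports in sorted(seen.items())
            if len(ports) >= PORT_SCAN_THRESHOLD]


def kill_chain_report(events):
    """Return (Counter of findings per stage, list of (stage, description))."""
    stages, findings = Counter(), []
    for src, dst, n in port_scans(events):
        stages["Reconnaissance"] += 1
        findings.append(("Reconnaissance", "Port scan activity: %s -> %s (%d ports)" % (src, dst, n)))
    for e in events:
        for stage, indicator in tag_event(e):
            stages[stage] += 1
            findings.append((stage, "%s: %s -> %s" % (indicator, e["src"], e["dst"])))
    return stages, findings


if __name__ == "__main__":
    summary, hits = kill_chain_report(SAMPLE_EVENTS)
    for stage, hit in hits:
        print("%-24s %s" % (stage, hit))
    print(dict(summary))
```

Running the script prints one line per finding and the per-stage totals. In a real deployment the in-memory rules would live as SIEM correlation rules, and the user-agent and cloud storage lists would come from the organisation's own traffic baseline rather than the constructed values used here.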


NIST Aligned Process For Threat Management

This article highlights the Threat Management Process in Incident Response and relates it to the Kill Chain model. Excerpts have been taken from a session presented at SACON - The Security Architecture Conference. You can view the full slide here.

For more in-depth sessions on Incident Response, Threat Intel and more, sign up for SACON here.


3 Stages Of Incident LifeCycle

  • Detection & Analysis
  • Response & Recovery
  • Post incident


( Read More: Bad USB Defense Strategies )

Threat Management - NIST Aligned Process

  • Detection & Analysis

    • Analyse logs and information security events; identify potential information security incidents; categorize incident
    • Validate incident scale and consequence; assign consequence, severity and priority ratings; review & confirm ratings; endorse ratings
    • Based on priority, assemble ISIRT and notify appropriate parties and escalate incidents (e.g. critical & high priority crisis and emergency incidents escalated to Country Emergency Manager)

  • Response & Recovery

    • Direct ISIRT, develop incident response plan, activate rapid response team if needed and communicate incident to internal & external stakeholders; perform incident containment, investigation and root cause analysis, forensics and evidence management
    • Eradicate technical vulnerabilities and incident root causes
    • Recover affected information systems and business operations

  • Post Incident

    • Document lessons learnt; close incident; create incident review report; develop and implement IS-IM improvement recommendations

View the full table and slides here.
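As an added example (not from the SACON slides), the incident record below encodes the process just described: a priority derived from the consequence and severity ratings, the escalation of critical and high priority incidents to the Country Emergency Manager, and stage gates that refuse to move an incident to Response & Recovery or Post Incident until the current stage's activities are recorded. The priority matrix, the activity names and the gate sets are this example's assumptions.

```python
"""Incident record with the rating, escalation and stage gates from the process above.

Added example (not from the SACON slides). The priority matrix, activity
names and gate sets are assumptions made for this example.
"""
from dataclasses import dataclass, field

LEVELS = ["low", "medium", "high", "critical"]
ESCALATE = {"high", "critical"}          # priorities escalated to the Country Emergency Manager
STAGES = ["Detection & Analysis", "Response & Recovery", "Post Incident", "Closed"]

# Activities that must be recorded before an incident may leave each stage (assumed).
GATES = {
    "Detection & Analysis": {"analyse_logs", "categorize", "rate", "endorse_ratings", "notify_isirt"},
    "Response & Recovery": {"contain", "root_cause", "eradicate", "recover"},
    "Post Incident": {"lessons_learnt", "review_report", "improvement_plan"},
}


def rate_priority(consequence, severity):
    """Assumed matrix: the higher rating wins, bumped one level when both are high or worse."""
    c, s = LEVELS.index(consequence), LEVELS.index(severity)
    p = max(c, s)
    if min(c, s) >= LEVELS.index("high"):
        p = min(p + 1, len(LEVELS) - 1)
    return LEVELS[p]


@dataclass
class Incident:
    ident: str
    consequence: str
    severity: str
    stage: str = STAGES[0]
    done: set = field(default_factory=set)
    history: list = field(default_factory=list)

    @property
    def priority(self):
        return rate_priority(self.consequence, self.severity)

    def needs_escalation(self):
        return self.priority in ESCALATE

    def record(self, activity):
        """Log an activity against the current stage."""
        self.done.add(activity)
        self.history.append((self.stage, activity))

    def pending(self):
        """Activities still required before the incident may advance."""
        if self.stage == "Closed":
            return []
        missing = set(GATES[self.stage]) - self.done
        if self.stage == STAGES[0] and self.needs_escalation() and "escalate" not in self.done:
            missing.add("escalate")
        return sorted(missing)

    def advance(self):
        """Move to the next stage, or raise ValueError naming what is still missing."""
        if self.stage == "Closed":
            raise ValueError("%s is already closed" % self.ident)
        missing = self.pending()
        if missing:
            raise ValueError("%s cannot leave %s: pending %s" % (self.ident, self.stage, missing))
        self.stage = STAGES[STAGES.index(self.stage) + 1]
        return self.stage


if __name__ == "__main__":
    inc = Incident("INC-0001", "high", "critical")
    print(inc.priority, "escalate:", inc.needs_escalation(), "pending:", inc.pending())
```

The gate sets are deliberately coarse; a real ISIRT tooling would also carry the timestamps and owners of each activity so that the incident review report at the end of Post Incident can be generated from the history list.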

( Read More: Incident Response: How To Respond To A Security Breach During First 24 Hours (Checklist) )


Top Learnings From Phishing Drill

Article submitted by Suryanarayanan K, Central Bank Of India

Phishing attacks are one of the most common security challenges that both individuals and organizations face in keeping their information secure. Phishing is the attempt to obtain sensitive information such as usernames, passwords and credit/debit card details, often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. Phishing is typically carried out by email spoofing, and it often directs users to enter personal information at a fake website whose look and feel are almost identical to the legitimate one. Phishing emails may also contain links to websites that are infected with malware.

One effective method to assess the awareness level among staff is to conduct a phishing drill, in which a phishing mail is sent to the mail ids of staff. The mail can carry a link (an intranet link) where staff are prompted to fill in certain details. Subsequent analysis, such as the number of staff who opened the mail, the number who clicked the link provided and the number who provided the details asked for, helps in assessing the awareness level. It must be ensured that no critical or sensitive information is collected from staff, to avoid any possible misuse of it.

Such a drill was conducted recently in the organization, details of which are as follows :

  • A webpage on the organization's intranet server was created for staff to input the details.
  • A separate temporary mail server, outside the organization's domain, was created for sending the mail to all staff. The domain used was different from, but looked similar to, the actual domain.
  • A mail was sent to all staff (wherever mail ids were available), asking for certain details and requesting them to provide the details by clicking the link in the body of the mail. Though the information sought was not critical (considering the possible misuse of it), a sense of urgency was created in the mail, as actual phishing mails do.
  • The drill was very successful in the sense that nobody could recognize that it was an exercise conducted by the organization.

Summary of response by staff in this regard is as follows :

  • Some staff reported receipt of the mail to their controlling offices and also to the CISO by mail/phone, and requested confirmation of the genuineness of the mail.
  • Some offices advised the offices/staff under their control that it was a fraudulent mail and not to provide the information asked for in it.
  • Some staff reported receipt of the mail to the incident response team of the organization.
  • Some staff reported that the link was not opening at their end for providing the required details, which indicates that they would have provided the details had the link opened.
  • A good portion of staff from various offices across the country clicked the link and provided the details.


Observations/findings from the drill are as follows :

  • A good portion of the staff are aware of such phishing mails and the harm associated with them. They are aware that such mails are not to be responded to.
  • A major portion of the staff are not aware of such phishing mails. Considering the urgency mentioned in the mail, they provided the details asked for. They also could not identify the difference in the domain name used for sending the mail.
  • Since certain departments/staff alerted the branches under their control, most of the branches/officials did not submit the details. Had the exercise targeted a single group, say branches only, the number of staff clicking the link and submitting the details might have been higher.


Considering the above, there is a need to improve the awareness level among staff, on a continuous basis.

Subsequently, an advisory with special reference to the phishing drill, with instructions on what staff are supposed to do on receipt of such mails, was sent to all staff.
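As an added example (not from the article), the script below does two things a team running such a drill needs: it turns constructed per-staff drill records into the counts the article reports on (opened, clicked, submitted, reported), and it checks a sender domain for the lookalike spelling that staff in the drill did not notice, treating a small edit distance from the real domain, or the brand name wrapped in another domain, as suspicious while leaving the real domain and its subdomains alone. The domain names, the edit distance threshold and the records are all constructed for this example.

```python
"""Score a phishing drill and check a sender domain for lookalike spelling.

Added example (not from the article). The domain names, the edit distance
threshold and the drill records are constructed for this example.
"""

LEGIT_DOMAIN = "centralbank.example"   # constructed stand-in for the real mail domain
MAX_EDITS = 2                          # edits within which a domain counts as a typo-squat

# Constructed drill records, one per staff member who received the mail.
RECORDS = [
    {"user": "u01", "opened": True, "clicked": True, "submitted": True, "reported": False},
    {"user": "u02", "opened": True, "clicked": True, "submitted": True, "reported": False},
    {"user": "u03", "opened": True, "clicked": True, "submitted": True, "reported": False},
    {"user": "u04", "opened": True, "clicked": True, "submitted": False, "reported": False},
    {"user": "u05", "opened": True, "clicked": True, "submitted": False, "reported": False},
    {"user": "u06", "opened": True, "clicked": False, "submitted": False, "reported": True},
    {"user": "u07", "opened": True, "clicked": False, "submitted": False, "reported": True},
    {"user": "u08", "opened": True, "clicked": False, "submitted": False, "reported": False},
    {"user": "u09", "opened": False, "clicked": False, "submitted": False, "reported": False},
    {"user": "u10", "opened": False, "clicked": False, "submitted": False, "reported": False},
]

ACTIONS = ("opened", "clicked", "submitted", "reported")


def drill_metrics(records):
    """Counts and percentages per action over all staff who received the mail."""
    n = len(records)
    out = {"staff": n}
    for action in ACTIONS:
        count = sum(1 for r in records if r[action])
        out[action] = count
        out[action + "_pct"] = round(100.0 * count / n, 1)
    return out


def edit_distance(a, b):
    """Levenshtein distance between two strings (dynamic programming, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(sender_domain, legit=LEGIT_DOMAIN):
    """True when the sender domain imitates the legitimate one without being it."""
    s, l = sender_domain.lower().strip("."), legit.lower()
    if s == l or s.endswith("." + l):
        return False                        # the real domain or one of its subdomains
    if edit_distance(s, l) <= MAX_EDITS:
        return True                         # e.g. one letter swapped, or a digit for a letter
    brand = l.split(".")[0]
    return brand in s.replace("-", "")      # the brand wrapped inside another registrable domain


if __name__ == "__main__":
    print(drill_metrics(RECORDS))
    for d in ("centra1bank.example", "centralbank-secure.example.net", "mail.centralbank.example"):
        print(d, "lookalike" if is_lookalike(d) else "ok")
```

The brand-in-domain rule is intentionally broad: it will also flag a partner's legitimate domain that happens to contain the brand, so in practice the check feeds a review queue or an awareness banner rather than an automatic block.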


This gives a glimpse of Advanced Security Operations Centre (SOC) Features & Technical Capabilities. This document is not explicit; it assumes you have…

This was presented at SACON, where speakers explain the subjects in detail during sessions for deeper understanding. You can pre-register for the next sessions here and check out the complete presentation here.


Advanced Security Operations Centre (SOC) Features

  • Threat Assessment & Hunting

    • Knowing threats & adversaries
    • Their tools & methods
    • Critical assets for targets
    • Existing controls & weaknesses
    • Monitoring presence, IOC,Management & Hunting

  • Threat Intelligence

    • Internal threat intelligence
    • External threat intelligence
    • Application of threat intelligence
    • Automated consumption of threat intelligence (automated SIEM rules/runbook)

  • Situational Awareness

    • Context and enrichment
    • Visibility

  • Security Analytics

    • Behavioral profiling for users & systems
    • Database searches & statistical modeling, reporting & visualization
    • Forensics capability
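As an added example (not from the SACON slides), the script below shows the "automated consumption of threat intelligence" item from the Threat Intelligence list in working form: a constructed CSV feed of indicators is loaded with confidence and expiry filtering, matched against constructed proxy, DNS and endpoint log records, and each hit is paired with the runbook step a SOC would automate for that indicator type. The feed layout, field names, thresholds and runbook text are this example's assumptions.

```python
"""Automated consumption of a threat intelligence feed into SIEM-style matching.

Added example (not from the SACON slides). Feed layout, field names,
thresholds and runbook text are this example's assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import date

MIN_CONFIDENCE = 60
TODAY = date(2018, 6, 1)               # fixed "now" so the example is deterministic
FAKE_SHA256 = "00112233445566778899aabbccddeeff" * 2   # constructed hash value

# Constructed feed; one indicator per line. The sha256 row has already expired.
FEED_CSV = """type,value,confidence,expires,source
domain,bad.example.net,90,2018-12-31,constructed-feed
ip,203.0.113.77,80,2018-12-31,constructed-feed
ip,198.51.100.5,40,2018-12-31,constructed-feed
sha256,%s,95,2018-01-01,constructed-feed
""" % FAKE_SHA256

# Constructed log records as a SIEM might normalise them.
LOGS = [
    {"host": "ws-12", "dst_domain": "bad.example.net", "dst_ip": "203.0.113.77", "file_sha256": ""},
    {"host": "ws-13", "dst_domain": "www.example.com", "dst_ip": "198.51.100.5", "file_sha256": ""},
    {"host": "ws-14", "dst_domain": "", "dst_ip": "", "file_sha256": FAKE_SHA256},
]

# Assumed automated response per indicator type (the "runbook" side of the slide).
RUNBOOK = {
    "domain": "sinkhole the domain and isolate the host",
    "ip": "block the address at the perimeter and isolate the host",
    "sha256": "quarantine the file and collect a triage image",
}

# Which normalised log field each indicator type is matched against.
FIELDS = {"domain": "dst_domain", "ip": "dst_ip", "sha256": "file_sha256"}


def load_feed(csv_text, today=TODAY, min_confidence=MIN_CONFIDENCE):
    """Index usable indicators by type, dropping expired or low-confidence rows."""
    iocs = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["confidence"]) < min_confidence:
            continue
        if date.fromisoformat(row["expires"]) < today:
            continue
        iocs[row["type"]][row["value"].lower()] = row
    return iocs


def match_logs(iocs, logs):
    """Return one alert per (record, indicator) hit, with the runbook action attached."""
    alerts = []
    for rec in logs:
        for ioc_type, field in FIELDS.items():
            value = rec.get(field, "").lower()
            hit = iocs.get(ioc_type, {}).get(value) if value else None
            if hit:
                alerts.append({"host": rec["host"], "type": ioc_type, "value": value,
                               "confidence": int(hit["confidence"]), "source": hit["source"],
                               "action": RUNBOOK[ioc_type]})
    return alerts


if __name__ == "__main__":
    for alert in match_logs(load_feed(FEED_CSV), LOGS):
        print(alert)
```

The expiry and confidence filters are the part most often skipped in home-grown integrations; without them a feed that is merely appended to over time produces a growing stream of matches against stale or weak indicators, and the "automated SIEM rules/runbook" step then isolates hosts on poor evidence.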

( Read more : Security Incident & Event Management (SIEM) Framework For Product Evaluation )

Advanced Security Operations Centre (SOC) - Technical Capabilities

  • Data collection capabilities & compliance benefits of log management
  • The correlation, normalization and analysis capabilities of SIEM (Security Incident & Event Management)
  • The network visibility and advanced threat detection of NBAD (Network Behaviour Anomaly Detection) and user behaviour anomaly detection (UBA) by machine learning
  • The ability to reduce breaches and ensure compliance provided by Risk Management
  • The network traffic and application content insight afforded by Network Forensics
  • The automation of Incident Response by Artificial Intelligence / Run Books
  • IOC / VM Management by Threat Intelligence
  • Reporting & Visualization provided by the Presentation Layer

SIEM as a platform should be a truly integrated solution built on a common codebase, with a single data management architecture and a single user interface.


Do write to us at pritha.aash@cisoplatform.com if you'd like us to cover some topics, we'll add it to our research plan.


This gives a glimpse of how 'Machine Learning & Analytics' can be used for Threat Detection. This document is not explicit; it assumes you have prior knowledge of the subject, therefore only pointers have been mentioned.

This was presented at SACON, where speakers explain the subjects in detail during sessions for deeper understanding. You can pre-register for the next sessions here and check out the complete presentation here.


Dissecting Detection Systems

  • Signature Based
  • Anomaly Engines
  • Analytics Workbench
  • Learning Systems

Why Do We Need Analytics ?

  • Cyber Security Refresh Rate
  • Custom Payloads From Attackers
  • Servers Not The Target
  • Speed With Volume

Learning Systems

  • Heuristic Learning

    • Virus Detection , OS Rootkit
  • Anomaly Engines

    • DDoS Detection, Protocol Obfuscation, Malformed Data Streams, Application Breach
  • Spot / Baseline / Profiles

    • Unordered action - new rule, new device, long dead user, database user event
  • Time Series Analytics

    • DDoS, Flow Outliers, Protocol Breach, Zombies
  • Classifiers

    • SPAM, Botnets, Authentication Anomalies
  • Unassisted Learning

    • SPAM, DNS Detection, L2 Attacks
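As an added example (not from the SACON slides), the script below implements two of the learning-system types listed above in their simplest defensible form: the "Spot / Baseline / Profiles" checks (new device, long dead user, user with no profile) learned from a constructed training window of logins, and a time-series outlier test on hourly login volume of the kind used for DDoS and flow-outlier detection, using a leave-one-out z-score so that the spike itself does not inflate the baseline it is measured against. The log layout, the 90-day dormancy threshold and the 3-sigma cutoff are this example's assumptions.

```python
"""Spot / baseline / profile checks and a time-series outlier test.

Added example (not from the SACON slides). The log layout, the 90-day
dormancy threshold and the 3-sigma cutoff are this example's assumptions.
"""
from datetime import datetime, timedelta
from statistics import mean, pstdev

DORMANT_DAYS = 90
Z_CUTOFF = 3.0

# Constructed training window: (timestamp, user, device).
TRAINING = [
    (datetime(2018, 3, 1, 9, 0), "alice", "laptop-01"),
    (datetime(2018, 3, 28, 9, 5), "alice", "laptop-01"),
    (datetime(2017, 12, 15, 8, 0), "bob", "laptop-02"),
    (datetime(2018, 3, 30, 17, 30), "carol", "laptop-03"),
]

# Constructed live logins to score against the profiles.
LIVE = [
    (datetime(2018, 5, 18, 9, 0), "alice", "laptop-01"),    # known device, recent user
    (datetime(2018, 5, 18, 9, 30), "alice", "phone-07"),    # new device
    (datetime(2018, 5, 18, 23, 50), "bob", "laptop-02"),    # dormant account wakes up
    (datetime(2018, 5, 19, 8, 0), "dave", "laptop-09"),     # user with no profile at all
    (datetime(2018, 5, 19, 8, 10), "carol", "laptop-03"),   # normal
]

# Constructed hourly login counts for one day; the last hour is a flood.
HOURLY_LOGINS = [18, 22, 20, 21, 19, 20, 23, 17, 20, 21, 19, 22,
                 20, 18, 21, 20, 19, 22, 20, 21, 18, 20, 19, 200]


def build_profiles(events):
    """Baseline per user: the devices used and the last time the user was seen."""
    profiles = {}
    for ts, user, device in events:
        p = profiles.setdefault(user, {"devices": set(), "last_seen": ts})
        p["devices"].add(device)
        p["last_seen"] = max(p["last_seen"], ts)
    return profiles


def spot_checks(profiles, events):
    """Flag unknown users, new devices and long-dead users; profiles are updated as we go."""
    alerts = []
    for ts, user, device in events:
        p = profiles.get(user)
        if p is None:
            alerts.append((ts, user, "unknown user"))
            profiles[user] = {"devices": {device}, "last_seen": ts}
            continue
        if device not in p["devices"]:
            alerts.append((ts, user, "new device %s" % device))
        idle = ts - p["last_seen"]
        if idle > timedelta(days=DORMANT_DAYS):
            alerts.append((ts, user, "long dead user (idle %d days)" % idle.days))
        p["devices"].add(device)
        p["last_seen"] = max(p["last_seen"], ts)
    return alerts


def spike_hours(counts, cutoff=Z_CUTOFF):
    """Indices whose count is more than `cutoff` standard deviations above the other hours."""
    flagged = []
    for i, x in enumerate(counts):
        rest = counts[:i] + counts[i + 1:]   # leave-one-out: the spike must not set its own baseline
        sd = pstdev(rest)
        if sd > 0 and (x - mean(rest)) / sd > cutoff:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    for ts, user, reason in spot_checks(build_profiles(TRAINING), LIVE):
        print(ts.isoformat(), user, reason)
    print("spike hours:", spike_hours(HOURLY_LOGINS))
```

This is the "credible / clean training data" point from the next list in miniature: if the training window itself contained the attacker's device or the flood hour, both checks would learn it as normal, which is why the baseline is built from a window that has been reviewed before the live data is scored.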

When is Machine Learning Working ?

  • Credible / Clean training data
  • Positive and timely feedback
  • Picking the right features
  • Consistent feature variations
  • Consistent data pattern

Where Does Machine Learning Work ?

  • DNS Based Detection
  • DDoS/ Traffic Anomaly
  • SPAM Mail Filters
  • Authentications
  • Application Modeling
  • Threat Intelligence

Machine Learning Is Fading

  • Variance Challenge
  • The "state dataset" problem
  • Mass labelling
  • Complex selection challenges

How To Get Started With Machine Learning ?

  • Programming in R /Python
  • Data platforms - Splunk, DNIF
  • Infrastructures - Generic Hadoop, Hortonworks

This was presented at SACON, where great security minds from around the world come together to present and conduct workshops on Threat Detection, Threat Hunting, IoT Security, Incident Response, Cyber Range Drills and more at SACON - International Security Architecture Conference. Check out this year's session plan here.

You can also tweet to us, tagging @CISOPlatform or #SACON, and let us know what workshops you think should be added to help today's security builders.
