Event Recording

Filipi Pires: #WhoIs: An Emerging Class of Incident Response Platforms Using Open Source Tools


Yeah, thank you so much again, Christopher. And thank you to everyone for staying here with us, for being here with us; thank you one more time. So this is my contact on social media. One more time, I'm using the hashtag Christopher mentioned: a lot of LinkedIn, a lot of Twitter. These are my social media handles, and if you'd like to follow me or send me questions, whatever, I'm open to talking to you. It was a pleasure, by the way. And who am I? I'm a security researcher and security developer advocate at Zup Innovation. It's a Brazilian company, so my company is responsible, you know, for producing new technologies, actually. So it's very interesting, and we have a focus on four open source products; all those products are open to the community. If we have time, I can explain more about this at the end of this presentation, right?
So I am an advocate for this amazing project, Hacking Is Not a Crime. It's an American project, actually; it started as an American project. You know, because when you talk about hacking or hackers, sometimes the media uses the wrong expression, because the media associates hacking and hackers with the bad guy, but actually it is not, because hacking is a mindset. You know, it's a culture, totally different. So I am an advocate of this project and I can explain more about it another time. And I am part of the staff of the DEF CON Group São Paulo. We have the community here in São Paulo, Brazil, so I am part of this staff team. I am a security researcher and instructor at Hacker Security. I am a founder and instructor of a Malware Analysis course and, by the way, last year I presented some of these topics at Cybersecurity Leadership in Berlin.
So it was a pleasure at that time. And I am a writer and reviewer for three magazines in Europe. It's so nice. So that's just something about me, and this is our summary, or agenda. First of all, my idea is to talk about what a threat is, just to put everybody on the same page. I would like to suggest some brainstorming and suggest a change of mind, talk about OpenCTI, and after that, if we have time, I would like to present a demo and open questions, right? So first of all, guys, the idea is to talk about the threat. Probably we have many different definitions of what exactly a threat is, and my idea is to choose this ISO definition, because I just needed to choose one of these definitions, right? So, the threat definition, as I mentioned, because during this event we are talking about solutions and concepts and something like that related to DevOps or, you know, security: how can you produce this new idea, or how can you provide this?
I was hearing, before I started my talk, you know, about what kind of strategy is better to choose, or something like that. But first of all, we need to understand what exactly a threat is, right? So a threat is a software attack, theft of intellectual property, identity theft, sabotage, or information extortion. These are examples of information security threats. So it's very simple: all those things related to software, right, are related to a threat. Of course, maybe you have other definitions or another idea; it's not a problem. Just remember I chose this ISO definition, right? And as a result, most organizations chose the threat hunting practice, right, to defend the organization, because we have a SOAR, right? So this is security orchestration.
And you need to have the tools, or many different tools, to organize and automate this process. And the idea, at the end of the day, is to defend the companies from known and unknown threats, right? Because at the end of the day, the idea is to protect from unknown threats. So my idea, when I talk about the brainstorm, is this: when you have this kind of team inside the company, this SOAR team maybe, or a SOC team, or maybe a threat hunting team, or threat intelligence, cyber threat intelligence (CTI), right, we need to work with threat research, because we need to research the threats. We need to discover new types or kinds of threats, right? You need to provide for the team, because when you research something, you can provide the team with this kind of proactive line of defense against advanced threats, or advanced persistent threats, actually.
And probably you know what advanced persistent threat means. It's a kind of attack that is very advanced and uses many different techniques, or something like that. And it's persistent because of the time: during these attacks there is more and more action, many, many times, right? So when you need to think about this kind of defensive structure, you need to have, inside your team, the use of offensive techniques. Gartner talks about vulnerability management when you talk about this, right? So you need to research, we need to search for vulnerabilities. We need to develop this kind of skill in our team: exploit development, we need to look inside reverse engineering, intrusion detection is another different skill. Because, remember, my idea is to talk about the new, to open your mind, right?
So the new brainstorm, because if you have different skills in your team, you can build it well, you know. Because of course, I know that in SOAR we have many tools, maybe private tools or open source tools, no problem, but you need to have the people to manage it deeply. You know, this is the good thing; this is the point at the end of the day, right? So looking inside forensic analysis, because you need to track, you need to treat this kind of attack after the attack happened. And this is the challenge: to deliver automated intelligence to the company to gain productivity, because this is the most important thing, right? For your company to gain productivity; this is the idea. So first of all, I created this kind of circle, right? Because first of all, you have a threat.
And after that you have this threat, it's known and unknown, because we need to understand how this known threat works. Because after that, you can produce this kind of intelligence. Remember, when you talk about CTI, cyber threat intelligence, we can already produce this intelligence after you, of course, receive this knowledge, right? Because of this, it's very important to study these known threats, right? And of course, all those things will open your mind to understand more about the unknown threats. Perfect. At the end of this kind of investigation, maybe you can produce a report out of all this information. You can, you know, deliver this information to your manager, your coordinator, your tech lead, or whatever people you report to, right? And you can improve your defense mechanisms, because this is important when you talk about SOAR, right? Because if you have SOAR implemented in your company but you don't have this kind of intelligence, or you don't have this kind of people inside your team, you just have a tool at the end of the day, right?
You just have many tools, and it's not producing intelligence for you, and you cannot protect your company, right? And after that, you can create cyber threat intelligence. You can create it because you have a known threat and you have an unknown threat. So you can produce all this. You can, of course, improve your mechanisms, your defense mechanisms. And you can, of course, change this kind of adaptation, because, you know, strengthening cyber resilience, you need to have this, because cybercrime, cybersecurity, you know, the threats are changing all the time. So let's change our mind. So what or who is cyber threat hunting, or what is a threat hunter? Threat hunting is a proactive approach in cybersecurity defense, but here is the key: offensive mindset.
This is my suggestion, my challenge to you, right? Because threat hunting is the process of proactively and iteratively searching through networks to detect, first of all, to detect, and after that to isolate advanced threats that evade, in this case, existing security solutions, right? So this is a good action, because, one more time, sometimes when you talk about cybersecurity and you talk about, for example, this threat hunting, or our analyst, maybe you can pick up this kind of guy and put him inside the SOAR team, or maybe inside the support team, or maybe a blue team, or whatever team you'd like to put this kind of professional in. But here we have the key, in my opinion, because this kind of guy has a very good skill: defense against cyber threats.
They focus on the defense team, but with a totally offensive mindset, right? So who is a threat hunter? What is a threat hunter? A threat hunter is a qualified security professional who, first of all, needs to recognize, isolate and disable potential APTs. Here is the key: this is the special guy you can put inside SOAR, because remember, my idea during this conference, during this session, is that we have the SOAR platform, or you have many other tools in cyber threat intelligence, and maybe SOAR is part of your cyber threat intelligence, but you don't have the special guy to manage all those things, right? So that's my point here. Okay. And this guy can look for possible internal or external intruders to discover the risk. And this is the important guy; this guy understands the zero trust concept. By the way, we had this zero trust event some months ago.
So we talked about this kind of concept, and it's very interesting, right? So let's continue here. So, threat hunting based on IOCs, right? IOCs are very interesting, because you can collect all this information, like a domain or IP linked to a phishing website, and a cryptographic hash, or part of this value, related to some attack. So this is a kind of technique used in threat hunting, right? But this point here is very interesting: when you talk about IOCs, all this information can only be collected after receiving an attack, after your company receives or suffers this kind of attack. So you can just remediate the action after the attack, right? So you can find suspicious unknown domains or suspicious IPs. We can, oops. You can find signatures for detection, or heuristic data such as antivirus or IDS signatures, maybe data related to potential exploitation of a vulnerability, or part of the exploit that you find.
And, very important, you need to understand the tactics, techniques and procedures, the famous TTPs, right, associated with the suspicious, obviously, this kind of attack, right? And here we can find a very interesting open source project, right? This is MISP, the Malware Information Sharing Platform. This is a kind of source where you can find, and not only find, you can produce, you can actually put many IOCs inside this platform, and you can have this information related to many attacks. And of course we can integrate this tool, this project actually, with other different sources, and you can produce this kind of intelligence, or cyber threat intelligence, in your company. This is a picture that I collected from Google, if it's not a problem; it's not from any company, so no problem here. But this is a kind of attack related, for example, to the Locky ransomware, right?
And here we have a lot of information related to this kind of attack. So it's a very interesting open source project to use to test in your environment, right? And another different technique is based on IOAs, right, indicators of attack. It's kind of different here. Let me explain more. In this case, the IOA focus is on the why, right, and the intention the attacker has. It's totally based on behavior. But here, when you talk about IOAs, the point is to analyze this attack before it happens in your company, right? Because of this, we need to understand the tactics, techniques and procedures, and to understand how these known threats work and how old threats work. Because when you understand those two parameters, using this expression "parameters" for these kinds of threats, you can definitely understand more about how an attacker uses these different techniques, right?
So what information can we collect based on IOAs? Some behaviors, real-time behaviors. For example, if you have many logins in your Active Directory at midnight, it's not a common behavior, right? It's not related to an endpoint behavior; it's related to your environment behavior, right? Another is code execution methods that orchestrate library calls like DLLs, or an unusual sequence of events in your environment. All this information you need to search; you need to look deeply to try to find some attacker behavior in relation to the digital threats. It's very common. Another point is about the TTPs linked to host data, such as the malware used in the attack, like, you know, some people can hear about some attacks, and whether it is persistent in host components used in the attack.
Another example is an internal host communicating with bad destinations, an internal host using a non-standard port. It's very, very common; you can find all this information. Also DMZ to internal host connections, a malware detection, and, as I mentioned, at midnight, for example, network scans by internal hosts. Maybe the problem is different, you know: if you don't have any red team inside your company, why is this kind of service happening, or why is this kind of scan happening in your environment? And multiple alarm events for a single host is another suspicious behavior, right? The system is reinfected with the same malware, the same system; maybe it's the focus, the target. And multiple logins from different regions. So it's impossible, you know, if you have only one person working, right?
Another is internal hosts using SMTP protocols, and internal hosts making many internal DNS queries. Believe me, guys, this is very, very common in many companies. You need to look deeply at this information. And this is a very interesting project, OpenCTI. It's a very interesting open source project. I don't know, probably we don't have time to make a demo, but this is very interesting. You can search on the internet for OpenCTI, and here you have many sources of attacks you can use, for example in the demo; and not only the demo, you have the most restricted environment, actually, that you can find, you can study, but you can understand more about this project.
As I mentioned, it's an open source platform. And for me, here, second, it's very interesting because we have a lot of data and knowledge; they use the STIX 2 standard, very interesting. When you talk about, you know, managing it, you can use it; it's based on MISP, as I mentioned, they have to use incident response; it's one part of the SOAR, right. And all this information is based on MITRE ATT&CK. It's very interesting because maybe you can ask me, or you can think, for example, "I need to invest my budget in private solutions." Maybe you can invest in them, but you have other open source solutions. Maybe you can try to find some information. Right. So I think we don't have much time to talk. I think I can finish my presentation. If you have any questions, Christopher, please let me know if the guys have any questions, and thank you one more time for this opportunity.
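The IOC-versus-IOA distinction and the behaviours the talk lists (off-hours Active Directory logins, one account logging in from several regions, internal hosts on non-standard ports, many internal DNS queries, multiple alarms for a single host), as an added Python example. It is not part of the speaker's talk and not code from MISP or OpenCTI. Every log record and the blocklisted address are constructed for this example, and the port allowlist, DNS threshold and time window are assumptions a hunter would tune for their own environment.

```python
"""IOC matching vs. IOA-style behavioural hunting over constructed log records.

Added example, not from the talk. Every record below is constructed; the
blocklisted address is a hypothetical indicator, and the thresholds are
assumptions a hunter would tune for their own environment.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed records: (timestamp, kind, host, user, detail)
#   kind "auth": detail = login region
#   kind "net":  detail = (destination IP, destination port)
#   kind "dns":  detail = queried name
LOGS = [
    ("2021-05-10T00:05:00", "auth", "ws-12", "alice", "BR"),
    ("2021-05-10T00:07:00", "auth", "ws-12", "alice", "BR"),
    ("2021-05-10T00:12:00", "auth", "ws-31", "alice", "RU"),
    ("2021-05-10T09:00:00", "auth", "ws-07", "bob", "BR"),
    ("2021-05-10T09:01:00", "net", "ws-07", "bob", ("203.0.113.5", 443)),
    ("2021-05-10T09:02:00", "net", "ws-12", "alice", ("198.51.100.9", 4444)),
    ("2021-05-10T09:03:00", "net", "ws-12", "alice", ("198.51.100.9", 4444)),
] + [("2021-05-10T09:04:%02d" % s, "dns", "ws-44", "svc", "h%d.corp.internal" % s)
     for s in range(60)]

IOC_BLOCKLIST = {"198.51.100.9"}   # hypothetical IP from a past incident report
ALLOWED_PORTS = {53, 80, 443}       # assumption: the only egress ports expected
DNS_THRESHOLD = 50                   # assumption: queries per host per run
TRAVEL_WINDOW_MIN = 60               # assumption: two regions inside an hour


def ioc_hits(logs, blocklist=IOC_BLOCKLIST):
    """Reactive IOC match: the address is only known after someone was hit."""
    return sorted({(host, detail[0]) for _, kind, host, _, detail in logs
                   if kind == "net" and detail[0] in blocklist})


def ioa_off_hours_logins(logs, start_hour=0, end_hour=6):
    """Behaviour: authentication at hours when nobody should be working."""
    return sorted({(host, user) for ts, kind, host, user, _ in logs
                   if kind == "auth"
                   and start_hour <= datetime.fromisoformat(ts).hour < end_hour})


def ioa_impossible_travel(logs, window_min=TRAVEL_WINDOW_MIN):
    """Behaviour: one account authenticating from two regions too close in time."""
    by_user = defaultdict(list)
    for ts, kind, _, user, region in logs:
        if kind == "auth":
            by_user[user].append((datetime.fromisoformat(ts), region))
    flagged = set()
    for user, events in by_user.items():
        events.sort()
        for i, (t1, r1) in enumerate(events):
            for t2, r2 in events[i + 1:]:
                if r1 != r2 and (t2 - t1).total_seconds() <= window_min * 60:
                    flagged.add(user)
    return sorted(flagged)


def ioa_nonstandard_ports(logs, allowed=ALLOWED_PORTS):
    """Behaviour: internal host talking to a destination port outside the allowlist."""
    return sorted({(host, detail[1]) for _, kind, host, _, detail in logs
                   if kind == "net" and detail[1] not in allowed})


def ioa_dns_flood(logs, threshold=DNS_THRESHOLD):
    """Behaviour: one internal host issuing far more DNS queries than its peers."""
    counts = Counter(host for _, kind, host, _, _ in logs if kind == "dns")
    return {host: n for host, n in counts.items() if n > threshold}


def hunt(logs):
    """Run every check, then correlate: a subject raising several distinct alert
    types is the 'multiple alarm events for a single host' signal from the talk."""
    findings = {
        "ioc_hit": ioc_hits(logs),
        "off_hours_login": ioa_off_hours_logins(logs),
        "impossible_travel": ioa_impossible_travel(logs),
        "nonstandard_port": ioa_nonstandard_ports(logs),
        "dns_flood": sorted(ioa_dns_flood(logs).items()),
    }
    alert_types = defaultdict(set)
    for name, rows in findings.items():
        for row in rows:
            subject = row[0] if isinstance(row, tuple) else row  # host or user
            alert_types[subject].add(name)
    findings["multi_alert_subjects"] = sorted(
        s for s, types in alert_types.items() if len(types) > 1)
    return findings


if __name__ == "__main__":
    for name, rows in hunt(LOGS).items():
        print(f"{name:22s} {rows}")
```

The IOC check only fires because the blocklisted address was already written down somewhere; the IOA checks fire on what the hosts and accounts did, which is why the same workstation surfaces under three different alert types and becomes the one to pull first. The window and thresholds are deliberately parameters: a retail environment with a night shift would move the off-hours window, and a resolver would need a far higher DNS threshold than a workstation.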