Cyber War Stories from Adriatic SlovenicaSandi Bižal C|EH

IT Security Officer - Security Operations

March 21, 2019

Agenda

•Who are we?

•Goal of the Day!

•Why are we Here?

•Use Cases

•Answers

•Q & A

Who are we?

Sandi 101

• 12 years in InfoSec | SIEM ROCKS!• Nessus & Metasploit enthusiast

• Classical music lover!• Very much into Food porn!

Google is NOT your friend!

Goal of the day!

Whateveryou do !!!

DO NOT GET ARRESTED

Why are we Here?

Just how tough is it to get the passwords?

https://www.youtube.com/watch?v=RfAdux3XidM

OK Seriously…Why are we Here?

Real World Top-of-Mind Problems

Email

GDPR

Botnet

Authentication Anomalies

Malware

Privileged Account Monitoring

Funny Story

Trivia Question #1

What is this?

Trivia Question #2

What is this?

Use Cases

UC #1Email Tracking

All data we can have – now what?

UC #2GDPR Auditing - A

As seen by the Security officer

UC #3GDPR Auditing - B

As seen by the DPO

Make a guess? So who the hell is DPO?

Data Protection Officer

UC #4BOTNET !

From an unknown computer

No data about workstation and

Workstation IP number!

No data about workstation and

Workstation IP number!

End of story:

- Event logging on DC was raised with NTLM

Security

- Workstation was on DA (DirectAccess)

- User was administrator on laptop

- Computer was blocked in domain

- Now we get more data from DC to SIEM.

Lessons Learned

• Our data feeds were not enough

• User was administrator on laptop

• Active Directory auditing policies were incorrect

• After the re-config, we found the infected computer, because it was still….. <WHO WOULD LIKE TO ANSWER>?

What is this?

BEACONING !

UC #5Daily Events

As seen by the security officer

UC #6Anomalies within authentication logs

As seen by the security officer

UC #7Asset model with vulnerabilities

As seen by the security officer

UC #8Malware occurrence detected

As seen by the security officer

UC #9Regular group membership changes

UC #10Irregular group membership changes

UC #11Multiple changes to security groups

UC #12Funny story

System administrator bulk created and deleted users after discovering a mistake in provisioning script

Trivia Question #3

THE BEST OF THE BEST !!!

What the ?!? is this?

Answers

Answer #1:

Domain Admin Failed Login & Lockouts in 1 Month

Answer #2:

Domain Admin Failed Login & Lockouts in 1 Hour

PLEASE PATCH PUTTY !!!

• FROM HACKER NEWS!

FROM YESTERDAY: FROM HACKER NEWS!

Bonus Slides

Number of Privileged Account Logins per Minute

Out-of-the-box Dashboard

Privileged Account Logins per Minute

300

1,500

Q & A

Thank You.