Webcast: Let’s Talk About ELK Baby, Let’s Talk About You and AD
BHIS’ Defensery Driven Duo Delivers Another Delectable Transmission!
We know you are worried about your networks. After hours of discussion, we’ve come to the realization that some of our dedicated followers seem to be much more interested in catching malware than learning how to be (please forgive this next statement) “l33t hax0rs.”
Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_LetsTalkAboutELKBaby.pdf
2:47 – Why Are We Doing This?
5:07 – AT7: The Logs You Are Looking For
7:41 – AD Best Practices to Frustrate Attackers
9:37 – AT 5 – Complete Takedown & AT 6 – IOCs
12:04 – Blue Team-A-Palooza
14:22 – Windows Logging, Sysmon, and ELK – Part 1
16:45 – Implementing Sysmon and Applocker
21:45 – …And Group Policies That Kill Kill-Chains
22:31 – Here Are Some Important Blogs
23:35 – Summary Complete
25:28 – Introducing the Atomic Red Team
27:50 – Installing the Atomic Framework
29:29 – Squibbly Doo; The Results; Let’s Take A Step Back: The Atomic Tests; Another Step Back: WEF / Winlogbeat Config
33:41 – Executing T1015; Catching Executables; Executing T1003
42:02 – ElastAlert
43:21 – Now, On the ATT&CK
44:20 – Not Sure If That’s a Wrap Yet. (It’s Not)
47:11 – Check Out Our Dashboard
Links to preview:
This webcast is going to demonstrate an integration between our ongoing Windows baseline best practices configuration and improving your endpoint optics. But first, we’re going to summarize some previous webcasts, their content, and the order in which they should be reviewed to tie all of these things together. Then, with all the baseline content and configuration options summarized, we are going to help you put a bow on all that, just in time for the Holidays.
The bright blue bow this year will help you set another New Year’s resolution:
- We all pledge to produce better and more effective logging that reduces time to detection.
- We can use open-source, well-documented solutions to do so!
- We can make the world a better place together!
With that said, we will be using an ELK installation that includes ElastAlert, designed by the folks at Yelp. This installation will ingest our workstation logs and demonstrate a base level of alerts that you too can quickly deploy in your environment. We may also have enough cycles to discuss the Security Onion project and how it has improved our overall network optics.
As a wrap-up, we will introduce the Atomic Red Team framework. This tool, if you haven’t seen or researched it before, can be used to rinse and repeat the refining process for your workstation and server detection mechanisms. Once deployed along with your logging infrastructure, this tool can help you fine-tune your alerting processes.
Want to learn more mad skills from the person who wrote this blog?
Check out these classes from Kent and Jordan:
Available live/virtual and on-demand!