Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate Your Data Analytics!


"How do we collect the right data for the detection of specific adversarial techniques?" That is a very important and common question for organizations planning to leverage ATT&CK for their defensive strategy. One approach might be reading the data sources metadata available for each technique in the ATT&CK framework. That is a good first step, and it is already helping organizations integrate the framework with their current security controls. However, as you go deeper into the specific recommended data sources per technique, it is very important to understand that not every technique variation requires the same data sources. In addition, there needs to be a way to validate whether what we are collecting aligns with the data analytics being created. In this talk, we will share our current experiences contributing to the "Data Sources" section of the ATT&CK framework and the Cyber Analytics Repository (CAR) project. We will show how to use pre-captured datasets from our open source project named Mordor to expedite simulation of adversarial techniques and validation of data analytics. In addition, we will show how we leverage Jupyter Notebooks to develop and test data analytics from projects like CAR to finish the validation process and provide recommendations.


Roberto Rodriguez

October 30, 2019

Transcript

  1. Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate Your Data Analytics! 1
  2. @Cyb3rWard0g & @Cyb3rPandaH 2
    • Projects
      ◦ @HunterPlaybook
      ◦ @THE_HELK
      ◦ ATTACK-Python-Client
      ◦ @OSSEM_Project
      ◦ @Mordor_Project
      ◦ OpenHunt
      ◦ Blacksmith & More
    • Founders: @HuntersForge
    https://github.com/hunters-forge
  3. Agenda 3
    • Explore ATT&CK
      ◦ 2018 -> 2019
    • ATT&CK Data Sources Opportunities
    • Enter Mordor
    • Mordor & CAR
    • CAR & Threat Hunter Playbook (Notebooks)
    • Hunters Forge!
  4. Explore ATT&CK How do I query ATT&CK? 4

  5. Exploring ATT&CK Metadata! 5

  6. How do I access ATT&CK Metadata? 6

  7. ATTACK-Python-Client Github Project 7
    • A Python module to access up-to-date ATT&CK content available in STIX via the public TAXII server. It leverages the cti-python-stix2 and cti-taxii-client Python libraries developed by MITRE.
    • Goals
      ◦ Allow the integration of ATT&CK content with other platforms
      ◦ Allow security analysts to quickly explore ATT&CK content and apply it in their daily operations
      ◦ Explore all available ATT&CK metadata at once
      ◦ Learn the STIX2 and TAXII Client Python libraries
    https://github.com/hunters-forge/ATTACK-Python-Client
  8. ATTACK-Python-Client Installation 8
    • Via PIP: pip install attackcti
    • Or straight from source
      ◦ git clone https://github.com/hunters-forge/ATTACK-Python-Client
      ◦ cd ATTACK-Python-Client
      ◦ pip install .
    • Jupyter Notebooks available
      ◦ pip install -r requirements.txt
      ◦ cd notebooks
      ◦ jupyter lab
    https://github.com/hunters-forge/ATTACK-Python-Client
  9. Some Available Functions 9 https://attackcti.readthedocs.io/en/latest/attackcti_functions.html

  10. ATT&CK Metadata - Jupyter Notebook https://github.com/hunters-forge/ATTACK-Python-Client/tree/master/notebooks 10

  11. Explore ATT&CK Querying ATT&CK 101 11

  12. 12

  13. 13

  14. Explore ATT&CK Any New Data Sources? 14

  15. ATT&CK Techniques (519) and Data Sources 15
    • Almost 51% of techniques have data sources defined
    • Around 49% of techniques do NOT have data sources defined
    • Pre-ATT&CK data sources, maybe?
    • Opportunities to collaborate and define those without data sources?
    https://github.com/hunters-forge/ATTACK-Python-Client/blob/master/notebooks/ATT%26CK_DataSources.ipynb
  16. ATT&CK Techniques (519) and Data Sources 16 https://github.com/hunters-forge/ATTACK-Python-Client/blob/master/notebooks/ATT%26CK_DataSources.ipynb

  17. Looking for anything to do this weekend? 17 https://github.com/hunters-forge/ATTACK-Python-Client/blob/master/notebooks/ATT%26CK_DataSources.ipynb

  18. ATT&CK Techniques with Data Sources (265) 18
    • Process Monitoring: 178 techniques
    • File Monitoring: 107 techniques
    • Process Command Line: 103 techniques
    https://github.com/hunters-forge/ATTACK-Python-Client/blob/master/notebooks/ATT%26CK_DataSources.ipynb
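The coverage numbers on slides 15 and 18 (share of techniques with data sources, techniques per data source) and the "wrong platform" check from the opportunities section, computed from STIX attack-pattern objects. This is an added example, not code from the talk or from ATTACK-Python-Client; with the real library the objects would come from attackcti's `attack_client().get_techniques()`, and here a constructed sample (TXXX* IDs are placeholders) is embedded so it runs offline. The set of Windows-only data sources is an assumption of the example.

```python
"""Data-source coverage of ATT&CK techniques, computed from STIX attack-pattern objects.
Added example (not the talk's or ATTACK-Python-Client's code); the sample is constructed.
"""
from collections import Counter

# Constructed sample, not the live ATT&CK content. The keys are the ones ATT&CK's
# STIX attack-pattern objects carry; TXXX* IDs and their metadata are placeholders.
SAMPLE_TECHNIQUES = [
    {"external_references": [{"source_name": "mitre-attack", "external_id": "T1214"}],
     "x_mitre_platforms": ["Windows"],
     "x_mitre_data_sources": ["Windows Registry", "Process monitoring",
                              "Process command-line parameters"]},
    {"external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}],
     "x_mitre_platforms": ["Windows"],
     "x_mitre_data_sources": ["API monitoring", "Process monitoring", "PowerShell logs"]},
    {"external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}],
     "x_mitre_platforms": ["Linux", "macOS", "Windows"],
     "x_mitre_data_sources": ["Process monitoring", "Process command-line parameters"]},
    {"external_references": [{"source_name": "mitre-attack", "external_id": "TXXX1"}],
     "x_mitre_platforms": ["Linux"],
     "x_mitre_data_sources": ["Windows Registry"]},          # Windows source on Linux
    {"external_references": [{"source_name": "mitre-attack", "external_id": "TXXX2"}],
     "x_mitre_platforms": ["Windows"],
     "x_mitre_data_sources": []},                            # no data sources
    {"external_references": [{"source_name": "mitre-attack", "external_id": "TXXX3"}],
     "x_mitre_platforms": ["Linux"]},                        # field absent entirely
]

# Assumption of this example: these data sources only exist on Windows.
WINDOWS_ONLY_SOURCES = {"Windows Registry", "Windows Event Logs", "PowerShell logs",
                        "WMI Objects", "Windows error reporting"}


def technique_id(obj):
    """Return the ATT&CK ID (Txxxx) from the object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def data_source_coverage(techniques):
    """Split techniques into with/without data sources and count techniques per source."""
    with_ds, without_ds, per_source = [], [], Counter()
    for t in techniques:
        # dedupe while keeping order so that tie-breaking in most_common() is stable
        sources = list(dict.fromkeys(t.get("x_mitre_data_sources") or []))
        if sources:
            with_ds.append(technique_id(t))
            per_source.update(sources)
        else:
            without_ds.append(technique_id(t))
    return with_ds, without_ds, per_source


def coverage_report(techniques):
    """The numbers behind the slides: share with data sources and the top sources."""
    with_ds, without_ds, per_source = data_source_coverage(techniques)
    total = len(techniques)
    return {
        "total": total,
        "with_data_sources_pct": round(100.0 * len(with_ds) / total, 1) if total else 0.0,
        "without_data_sources": sorted(without_ds),
        "techniques_per_source": dict(per_source),
        "top_data_sources": per_source.most_common(3),
    }


def platform_mismatches(techniques):
    """Techniques listing a Windows-only data source while not targeting Windows."""
    return [(technique_id(t), s)
            for t in techniques
            if "Windows" not in (t.get("x_mitre_platforms") or [])
            for s in (t.get("x_mitre_data_sources") or [])
            if s in WINDOWS_ONLY_SOURCES]
```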
  19. ATT&CKing with the right data ATT&CKcon 2018 Talk! 19

  20. Credentials in Registry -> DS -> Sub-DS -> Events 20
    • T1214 data sources (DS): Windows Registry, Process Monitoring, Process Command-Line Parameters
    • Process Monitoring sub-data sources (Sub-DS) and events:
      ◦ Process Creation (Process created Process): Security 4688, Sysmon 1
      ◦ Process Termination (User terminated Process): Security 4689
      ◦ Process Write To Process (Process wrote_to Process): Sysmon 8
      ◦ Process Access Process (Process accessed Process): Sysmon 10
    https://www.youtube.com/watch?v=QCDBjFJ_C3g
  21. ATT&CK Data (OSSEM-> attack_data_sources) https://github.com/hunters-forge/OSSEM 21

  22. A lot more to do.. Going deeper! 22

  23. API-To-Event Project (Windows Security) https://github.com/hunters-forge/API-To-Event 23

  24. Security https://github.com/hunters-forge/API-To-Event 24

  25. API-To-Event Project (Windows Sysmon) https://github.com/hunters-forge/API-To-Event 25

  26. Sysmon https://github.com/hunters-forge/API-To-Event 26

  27. A few opportunities! Exploring Data Sources 2.0! 27

  28. A few opportunities.. 28
    • ATT&CK data sources covered by other data sources
    • Windows Event Logs data source is too broad!
    • ATT&CK data sources and the wrong platforms!
    • Validation of ATT&CK data sources recommendations
      ◦ What specific event logs per data source?
  29. A few opportunities! 29
    • ATT&CK data sources covered by other data sources
    • Windows Event Logs data source is too broad!
  30. Credentials in Registry - Windows Registry 30
    • T1214 data sources: Windows Registry, Process Monitoring, Process Command-Line Parameters
    • Windows Registry sub-data sources and events:
      ◦ Registry Creation (Process created Registry): Sysmon 12
      ◦ Registry Deletion (Process deleted Registry): Sysmon 12
      ◦ Registry Modification (Process modified Registry): Security 4657, Security 4663, Sysmon 13
      ◦ Registry Access (Process accessed Registry): Security 4663
    https://www.youtube.com/watch?v=QCDBjFJ_C3g
  31. Windows Registry & Windows Security Event Logs? 31
    • T1214 data sources: Windows Registry, Process Monitoring, Process Command-Line Parameters
    • Windows Registry sub-data sources and events:
      ◦ Registry Creation (Process created Registry): Sysmon 12
      ◦ Registry Deletion (Process deleted Registry): Sysmon 12
      ◦ Registry Modification (Process modified Registry): Security 4657, Security 4663, Sysmon 13
      ◦ Registry Access (Process accessed Registry): Security 4663
    https://www.youtube.com/watch?v=QCDBjFJ_C3g
  32. ATT&CK Techniques with Data Sources (265) 32
    • Process Monitoring: 178 techniques
    • File Monitoring: 107 techniques
    • Process Command Line: 103 techniques
    https://github.com/hunters-forge/ATTACK-Python-Client/blob/master/notebooks/ATT%26CK_DataSources.ipynb
  33. ATT&CK Techniques with Data Sources (265) 33
    • Process Monitoring: 178 techniques
    • File Monitoring: 107 techniques
    • Process Command Line: 103 techniques
    • Windows Event Logs
    https://github.com/hunters-forge/ATTACK-Python-Client/blob/master/notebooks/ATT%26CK_DataSources.ipynb
  34. Windows Event Logs … a Universe Behind? 34
    Windows Event Logs: 4656 4657 4658 4660 4670 4663 4741 4742 4743 4776 4768 4771 4769 4770 5144 5140 5143 5142
    https://www.youtube.com/watch?v=QCDBjFJ_C3g
  35. Windows Event Logs 35
    • Audit Registry
      ◦ 4656: Win Registry Access Request, Win Registry Deletion Request
      ◦ 4657: Win Registry Key Value Modification
      ◦ 4658: Win Registry Key Handle Closed
      ◦ 4660: Win Registry Key Deletion
      ◦ 4670: Win Registry Key Permissions Change
      ◦ 4663: Win Registry Key Access
    • Audit Computer Account Management
      ◦ 4741: Computer Account Creation
      ◦ 4742: Computer Account Change
      ◦ 4743: Computer Account Deletion
    https://www.youtube.com/watch?v=QCDBjFJ_C3g
  37. Windows Event Logs 37
    • Audit Registry
      ◦ 4656: Win Registry Access Request, Win Registry Deletion Request
      ◦ 4657: Win Registry Key Value Modification
      ◦ 4658: Win Registry Key Handle Closed
      ◦ 4660: Win Registry Key Deletion
      ◦ 4670: Win Registry Key Permissions Change
      ◦ 4663: Win Registry Key Access
    https://www.youtube.com/watch?v=QCDBjFJ_C3g
  38. Windows Event Log 4656: A handle to an object was requested 38
    • Windows Registry (Audit Registry): Win Registry Deletion Request, Win Registry Access Request
    • File Monitoring (Audit File System): File Deletion Request, File Access Request
    https://www.youtube.com/watch?v=QCDBjFJ_C3g
  39. Windows Event Log 4657: A registry value was modified 39
    • 4656
      ◦ Windows Registry (Audit Registry): Win Registry Deletion Request, Win Registry Access Request
      ◦ File Monitoring (Audit File System): File Deletion Request, File Access Request
    • 4657
      ◦ Windows Registry (Audit Registry): Win Registry Key Value Modification
    https://www.youtube.com/watch?v=QCDBjFJ_C3g
  40. Windows Event Log 4658: The handle to an object was closed 40
    • 4656
      ◦ Windows Registry (Audit Registry): Win Registry Deletion Request, Win Registry Access Request
      ◦ File Monitoring (Audit File System): File Deletion Request, File Access Request
    • 4657
      ◦ Windows Registry (Audit Registry): Win Registry Key Value Modification
    • 4658
      ◦ File Monitoring (Audit File System): File Handle Closed
    https://www.youtube.com/watch?v=QCDBjFJ_C3g
  41. Currently collaborating with ATT&CK team.. 41

  42. A few opportunities! ATT&CK data sources and the wrong platforms! 42
  43. ATT&CK Windows Data Sources & Platform (2019) 43 https://github.com/hunters-forge/ATTACK-Python-Client/blob/master/notebooks/ATT%26CK_DataSources.ipynb

  44. A few opportunities! 44
    • Validation of ATT&CK data sources recommendations
      ◦ What specific event logs per data source?
  45. Credentials in Registry - Windows Registry 45
    • T1214 data sources: Windows Registry, Process Monitoring, Process Command-Line Parameters
    • Windows Registry events:
      ◦ Security 4656: Win Registry Access Request, Win Registry Deletion Request
      ◦ Security 4657: Win Registry Key Value Modification
      ◦ Security 4658: Win Registry Key Handle Closed
      ◦ Security 4660: Win Registry Key Deletion
      ◦ Security 4670: Win Registry Key Permissions Change
      ◦ Security 4663: Win Registry Key Access
      ◦ Sysmon 12, Sysmon 13
    https://www.youtube.com/watch?v=QCDBjFJ_C3g
  46. Wait! Where is all this happening so far? 46

  47. Data Analytics Development (Example) 47
    Stages shown: Define a Research Goal, Simulate Adversary, Define Detection Model, Validate Detection Model, Document and Communicate Findings, Model Data
    https://www.youtube.com/watch?v=DuUF-zXUzPs
  49. How do we validate our data recommendations? 49

  50. Data Analytics Development (Example) 50
    Stages shown: Define a Research Goal, Simulate Adversary, Define Detection Model, Validate Detection Model, Document and Communicate Findings, Model Data
    https://www.youtube.com/watch?v=DuUF-zXUzPs
  51. More than just testing security controls! 51
    • Simulate Adversary -> Test Security Controls
      ◦ Endpoint Agent Detection
      ◦ Analytics Platform Rules
      ◦ Can I see it in my environment?
    • Simulate Adversary -> Model Adversary Behavior
      ◦ Learn adversary behavior
      ◦ Map data sources to adversary actions
      ◦ Study derived techniques
  52. A basic adversary simulation flow! 52
    Plan Engagement -> Emulate Adversary -> Collect & Analyze Data -> Can I see it? -> Yes: Document Results / No: Enable Telemetry
    https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1571754303.pdf
  53. What do we need for Credentials in Registry? 53 https://attack.mitre.org/techniques/T1214/

  54. What do we need for Credentials in Registry? 54 https://attack.mitre.org/techniques/T1214/

  55. What else do we need for Credentials in Registry? 55
    • Windows Registry?
      ◦ Enable Audit Object Access > Audit Registry
    • Process Monitoring?
      ◦ Enable Audit Detailed Tracking > Audit Process Creation
    • Process Command-line Parameters?
      ◦ Enable Administrative Templates\System\Audit Process Creation > Include command line in process creation events
  56. What else do we need for Credentials in Registry? 56
    • Windows Registry?
      ◦ Enable Audit Object Access > Audit Registry
      ◦ Set Audit Rule to trigger event!
    • Process Monitoring?
      ◦ Enable Audit Detailed Tracking > Audit Process Creation
    • Process Command-line Parameters?
      ◦ Enable Administrative Templates\System\Audit Process Creation > Include command line in process creation events
    https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
  57. What else do we need for Credentials in Registry? 57
    • What are we testing?
      ◦ Available default automatic logon user settings!!
        Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value 1
        Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value pgustavo
        Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value W1n1!2019
    https://github.com/hunters-forge/Blacksmith/blob/master/aws/mordor/cfn-files/scripts/default/Join-Domain.ps1#L37-L49
  58. What else do we need for Credentials in Registry? 58
    • Set Audit Rule! How?
      ◦ Download https://github.com/hunters-forge/Set-AuditRule
      ◦ Import-Module Set-AuditRule.ps1
      ◦ Set-AuditRule -RegistryPath "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -IdentityReference Everyone -Rights QueryValues -InheritanceFlags None -PropagationFlags None -AuditFlags Success
    https://github.com/hunters-forge/Set-AuditRule/blob/master/registry/default_logon_user.md
  59. What else do we need for Credentials in Registry? 59
    • Testing Commands?
      ◦ reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f password /t REG_SZ /s
  60. What about technique variations? 60

  61. What else do we need for Credentials in Registry? 61
    • Testing Commands?
      ◦ reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f password /t REG_SZ /s
      ◦ Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name *password*
      ◦ C#, Python, etc!
  62. Are we ready? 62

  63. We need an environment setup.. working! 63

  64. Execute -> Collect -> Analyze -> Repeat 64
    (figure) Simulating Adversarial Technique -> Data produced -> Model Adversary Behavior, Test Security Controls
  65. Same Technique + Some Variations 65
    (figure) Model Adversary Behavior, Test Security Controls, Data produced
  66. Credentials in Registry Data Mapping 66
    Data model: Process queried Registry Key Value
  67. Credentials in Registry Data Mapping 67
    Data model: Process queried Registry Key Value
    EVENT ID | TASK
    4688 | Process Creation
    4673 | Sensitive Privilege Use
    4656 | Registry (Request Handle)
    4690 | Handle Manipulation
    4663 | Registry (Access)
    4658 | Registry (Closing Handle)
    4689 | Process Termination
  68. Credentials in Registry Data Mapping 68
    Data model: Process queried Registry Key Value
    EVENT ID | TASK | ATT&CK DATA SOURCE
    4688 | Process Creation | Process Monitoring, Process Command-Line Parameters
    4673 | Sensitive Privilege Use | -
    4656 | Registry (Request Handle) | Windows Registry
    4690 | Handle Manipulation | -
    4663 | Registry (Access) | Windows Registry
    4658 | Registry (Closing Handle) | Windows Registry
    4689 | Process Termination | Process Monitoring
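The event chain above (4688 -> 4656 -> 4663 -> 4658) turned into a detection that can be run over a recorded dataset, plus a check of which ATT&CK data sources the dataset actually exercised. This is an added example, not code from the talk; it assumes registry auditing and the Winlogon audit rule from the earlier slides are in place, and that each Security event is one JSON object per line keyed by the event's XML data names (ProcessId, HandleId, ObjectName, AccessMask), which is an assumption rather than Mordor's own schema. The sample log lines are constructed.

```python
"""Correlate Windows Security registry-audit events for T1214 (Credentials in Registry).
Added example, not the talk's code. Field names and the sample lines are assumptions /
constructed; the event-to-data-source mapping follows the slide above.
"""
import json
import re

KEY_QUERY_VALUE = 0x0001   # AccessMask bit in 4656/4663 for reading a key's values
WINLOGON_KEY = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon$", re.IGNORECASE)

# Event ID -> ATT&CK data source(s), as mapped on the slide above.
EVENT_TO_DATA_SOURCE = {
    4688: {"Process Monitoring", "Process Command-Line Parameters"},
    4689: {"Process Monitoring"},
    4656: {"Windows Registry"}, 4663: {"Windows Registry"}, 4658: {"Windows Registry"},
}

# Constructed sample (newline-delimited JSON), not a recorded dataset.
SAMPLE_NDJSON = r"""
{"EventID": 4688, "NewProcessId": "0x1a2c", "NewProcessName": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /f password /t REG_SZ /s"}
{"EventID": 4656, "ProcessId": "0x1a2c", "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "HandleId": "0x3c4", "AccessMask": "0x1"}
{"EventID": 4663, "ProcessId": "0x1a2c", "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "HandleId": "0x3c4", "AccessMask": "0x1"}
{"EventID": 4658, "ProcessId": "0x1a2c", "HandleId": "0x3c4"}
{"EventID": 4663, "ProcessId": "0x0f10", "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "HandleId": "0x5a0", "AccessMask": "0x1"}
{"EventID": 4663, "ProcessId": "0x2b00", "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "HandleId": "0x7e8", "AccessMask": "0x8"}
"""


def parse_events(ndjson):
    """One JSON object per non-empty line, as in an exported dataset file."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def detect_winlogon_value_queries(events):
    """One finding per 4663 that reads a value of the Winlogon key, enriched with the
    matching 4656 (same ProcessId and HandleId) and 4688 (NewProcessId == ProcessId)."""
    creations = {e["NewProcessId"]: e for e in events if e["EventID"] == 4688}
    requests = {(e["ProcessId"], e["HandleId"]) for e in events if e["EventID"] == 4656}
    findings = []
    for e in events:
        if e["EventID"] != 4663 or e.get("ObjectType") != "Key":
            continue
        if not WINLOGON_KEY.search(e["ObjectName"]):
            continue
        if not int(e["AccessMask"], 16) & KEY_QUERY_VALUE:
            continue  # e.g. subkey enumeration only (0x8): the values were not read
        proc = creations.get(e["ProcessId"])
        findings.append({
            "process_id": e["ProcessId"],
            "handle_id": e["HandleId"],
            "object": e["ObjectName"],
            "handle_requested": (e["ProcessId"], e["HandleId"]) in requests,
            "image": proc["NewProcessName"] if proc else None,
            "command_line": proc["CommandLine"] if proc else None,
        })
    return findings


def data_sources_observed(events):
    """ATT&CK data sources the dataset actually exercised, for checking the technique's
    data-source recommendation against recorded data."""
    observed = set()
    for e in events:
        observed |= EVENT_TO_DATA_SOURCE.get(e["EventID"], set())
    return observed
```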
  69. Credentials in Registry - Windows Registry 69
    • T1214 data sources: Windows Registry, Process Monitoring, Process Command-Line Parameters
    • Windows Registry events:
      ◦ Security 4656: Win Registry Access Request, Win Registry Deletion Request
      ◦ Security 4657: Win Registry Key Value Modification
      ◦ Security 4658: Win Registry Key Handle Closed
      ◦ Security 4660: Win Registry Key Deletion
      ◦ Security 4670: Win Registry Key Permissions Change
      ◦ Security 4663: Win Registry Key Access
      ◦ Sysmon 12, Sysmon 13
    https://www.youtube.com/watch?v=QCDBjFJ_C3g
  71. Spending +time producing data & -time analyzing 71
    (figure) Model Adversary Behavior, Test Security Controls, Data produced: Takes Time! Similar Events?
  72. Same Technique + Some Variations 72
    (figure) Model Adversary Behavior, Test Security Controls
    EVENT ID | TASK
    4688 | Process Creation
    4673 | Sensitive Privilege Use
    4656 | Registry (Request Handle)
    4690 | Handle Manipulation
    4663 | Registry (Access)
    4658 | Registry (Closing Handle)
    4689 | Process Termination
  73. We might be all doing this.. 73

  74. We might be doing this over and over.. 74

  75. What if we share our datasets? 75

  76. From Zero to Data Analytics Validation! 76

  77. Enter Mordor 77

  78. Mordor Project @Mordor_Project 78
    • Pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON)
    • Pre-recorded data categorized by platforms, adversary groups, tactics and techniques defined by the Mitre ATT&CK Framework.
    • Data represents not only specific known malicious events but additional context/events that occur around it.
    https://github.com/Cyb3rWard0g/mordor
  79. Mordor Standard Environments 79
    • Environment designed to replicate a small research network
    • Standardized and documented setup
    • Platforms
      ◦ Windows
      ◦ Linux
    • Endpoint Telemetry
      ◦ Windows Security Auditing
      ◦ Event Tracing for Windows (ETW) (NEW!!)
    • Network Telemetry
      ◦ Network Logs
    • Environments Available: Shire and Erebor
    https://mordor.readthedocs.io/en/latest/index.html
  80. Mordor Environments: The Shire 80

  81. The Shire Design 81

  82. The Shire Telemetry: Win Logs & Sysmon 82 https://github.com/Cyb3rWard0g/OSSEM/tree/master/data_dictionaries/windows/sysmon

  83. The Shire: Event Log -> WEC -> HELK 83 https://mordor.readthedocs.io/en/latest/mordor_shire.html#

  84. Mordor Environments: Erebor (Lonely Mountain) 84

  85. Erebor Design 85

  86. Erebor Telemetry: ETW Events via SilkETW 86 https://medium.com/threat-hunters-forge/threat-hunting-with-etw-events-and-helk-part-1-installing-silketw-6eb74815e4a0

  87. Erebor: ETW Events -> Event Log -> WEC -> HELK 87
  88. How do you collect data? 88
    • We use Kafkacat!
    • kafkacat is a generic non-JVM producer and consumer for Apache Kafka >=0.8, think of it as a netcat for Kafka.
    • In consumer mode
      ◦ Kafkacat reads messages from a topic and prints them to standard output (stdout). You can also redirect it to a file (i.e. JSON)
    • In producer mode
      ◦ Kafkacat reads messages from standard input (stdin). You can also send data to kafkacat by adding data from a file.
    https://github.com/edenhill/kafkacat
  89. Consuming Data (Taking a snapshot of data) 89
    $ kafkacat -b <Kafka-IP>:9092 -t <kafka-Topic> -C -o end > file.json
    • -b : Kafka broker
    • -t : Topic to consume from
    • -C : Consumer Mode
    • -o : Offset to start consuming from
    https://mordor.readthedocs.io/en/latest/export_mordor.html
  90. Consuming Data -> Creating Mordor File (Video) 90 https://mordor.readthedocs.io/en/latest/export_mordor.html

  91. 91 https://mordor.readthedocs.io/en/latest/export_mordor.html

  92. Producing Data (Injecting Adversary Dataset) 92

  93. Producing Data (Injecting Adversary Dataset) 93
    $ kafkacat -b <Kafka-IP>:9092 -t <kafka-Topic> -P -l file.json
    • -b : Kafka broker
    • -t : Topic to produce to
    • -P : Producer Mode
    • -l : Send messages from a file
    https://mordor.readthedocs.io/en/latest/import_mordor.html
  94. I just want to download all the datasets.. 94
    $ git clone https://github.com/hunters-forge/mordor.git
    $ cd mordor/small_datasets/
    $ find . -type f -name "*.tar.gz" -print0 | sudo xargs -0 -I{} tar xf {} -C .
  95. Expedite Analytics Validation! 95
    (figure) Model Adversary Behavior, Test Security Controls, Data produced
    https://github.com/hunters-forge/mordor
  96. Validate Analytics! 96
    (figure) Mordor File -> Validate Analytics (2 + 2 = 4)
  97. Where do we get analytics from? 97

  98. I have data with me and I am ready! 98

  99. Mordor & CAR The MITRE Cyber Analytics Repository (CAR)! 99

  100. CAR-2019-08-001: Credential Dumping via Windows Task Manager 100
    • The Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting lsass.exe, and clicking "Create dump file". This saves a dump file to disk with a deterministic name that includes the name of the process being dumped.
    • This requires filesystem data to determine whether files have been created.
    • Contributors: Tony Lambert/Red Canary
    https://car.mitre.org/analytics/CAR-2019-08-001/
  101. But, How do I simulate that technique? 101

  102. 102 https://github.com/hunters-forge/mordor/blob/master/small_datasets/windows/credential_access/credential_dumping_T1003/interactive_taskmngr_lsass_dump.md

  103. CAR-2019-08-001: Procdump - File Create (Pseudocode) 103
    files = search File:Create
    lsass_dump = filter files where (
      file_name = "lsass*.dmp" and
      image_path = "C:\Windows\*\taskmgr.exe")
    output lsass_dump
    https://car.mitre.org/analytics/CAR-2019-08-001/
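The CAR pseudocode above as runnable code over Sysmon file-create events, the way it would be exercised in a notebook against a Mordor file. This is an added example, not the CAR project's or the talk's own code; taking File:Create from Sysmon Event ID 11 (FileCreate) with Sysmon's field names (Image, TargetFilename) is an assumption, and the sample lines are constructed. The last sample line shows the analytic's image_path constraint at work: a dump written by a taskmgr.exe copied outside C:\Windows is not matched.

```python
"""CAR-2019-08-001 (Credential Dumping via Windows Task Manager) as runnable code.
Added example, not CAR's or the talk's code; Sysmon 11 as the File:Create source is an
assumption and the sample lines are constructed.
"""
import json
import ntpath
from fnmatch import fnmatchcase

# Constructed sample (newline-delimited JSON), not a recorded dataset.
SAMPLE_NDJSON = r"""
{"EventID": 11, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\Taskmgr.exe", "TargetFilename": "C:\\Users\\pgustavo\\AppData\\Local\\Temp\\lsass.DMP"}
{"EventID": 11, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\Taskmgr.exe", "TargetFilename": "C:\\Users\\pgustavo\\AppData\\Local\\Temp\\lsass (2).DMP"}
{"EventID": 11, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\Taskmgr.exe", "TargetFilename": "C:\\Users\\pgustavo\\AppData\\Local\\Temp\\notepad.DMP"}
{"EventID": 11, "ProcessId": 900, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Windows\\Temp\\update.log"}
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\Taskmgr.exe", "CommandLine": "\"C:\\Windows\\System32\\Taskmgr.exe\""}
{"EventID": 11, "ProcessId": 5000, "Image": "C:\\Temp\\taskmgr.exe", "TargetFilename": "C:\\Temp\\lsass.dmp"}
"""


def parse_events(ndjson):
    """One JSON object per non-empty line, as in an exported dataset file."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def car_2019_08_001(events, file_pattern="lsass*.dmp",
                    image_pattern=r"C:\Windows\*\taskmgr.exe"):
    """files = search File:Create; filter on file_name and image_path; output."""
    hits = []
    for e in events:
        if e.get("EventID") != 11:                 # Sysmon 11 = FileCreate
            continue
        file_name = ntpath.basename(e["TargetFilename"])
        # NTFS paths are case-insensitive, so both sides are lower-cased before matching;
        # fnmatch's * also crosses backslashes, which is what C:\Windows\*\taskmgr.exe needs.
        if (fnmatchcase(file_name.lower(), file_pattern.lower())
                and fnmatchcase(e["Image"].lower(), image_pattern.lower())):
            hits.append(e)
    return hits


def dumps_by_process(hits):
    """Group the matched dump files by creating process, for triage."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["ProcessId"], []).append(ntpath.basename(h["TargetFilename"]))
    return grouped
```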
  104. But, where do I run that? 104

  105. Enter Jupyter Notebooks 105

  106. What are Jupyter Notebooks? 106
    • Think of a notebook as a document that you can access via a web interface that allows you to save:
      ◦ Input (live code)
      ◦ Output (evaluated code output)
      ◦ Visualizations and narrative text (Tell the story!)
    • Uses include:
      ◦ Data cleaning and transformation
      ◦ Statistical modeling
      ◦ Data visualization
      ◦ Machine learning, and much more
    https://jupyter.org/
  107. IPython -> Jupyter Notebook 107
    The Jupyter Notebook project is the evolution of the IPython Notebook library, which was developed primarily to enhance the default Python interactive console by enabling scientific operations and advanced data analytics capabilities.
    https://jupyter.org/
  108. How Do Jupyter Notebooks Work? 108
    • Jupyter Notebooks work with what is called a two-process model based on a kernel-client infrastructure.
    • This model applies a Read-Evaluate-Print Loop (REPL):
      ◦ Takes a single user's inputs
      ◦ Evaluates them
      ◦ Returns the result to the user
    https://jupyter.org/
  109. Jupyter Notebooks Architecture 109
    (figure) Client <-> WebSockets <-> Jupyter Server <-> ZeroMQ <-> Kernel; the Jupyter Server reads and writes the Jupyter Document (Notebook File, json)
    https://jupyter.org/
  110. Mordor -> Jupyter Notebooks CAR-2019-08-001: Credential Dumping via Windows Task Manager 110
  111. The ThreatHunter-Playbook @HunterPlaybook 111
    • A threat hunter's playbook to aid the development of techniques and hypotheses for hunting campaigns by leveraging security event logs from diverse operating systems.
    • It documents detection strategies in the form of interactive notebooks to provide an easy and flexible way to visualize the expected output and be able to run the analytics against pre-recorded Mordor datasets.
    https://github.com/hunters-forge/ThreatHunter-Playbook
  112. OpenHunt Library 112
    • Via PIP: pip install openhunt
    • Or straight from source
      ◦ git clone https://github.com/Cyb3rPanda/openhunt
      ◦ cd OpenHunt && pip install .
    https://github.com/hunters-forge/openhunt
  114. Is You Ready? haha 114

  115. Hunt The Planet! 115

  116. Threat Hunters Forge Community! 116

  117. Threat Hunters Forge Slack Community! 117 https://launchpass.com/threathunting

  118. Remember this initiative with Mordor? 118

  119. What if everyone gets a notebook too? 119

  120. Wait, Whaaat? 120

  121. Wait, Whaaat? 121

  122. The Binder Project 122
    • The Binder Project is an open community that makes it possible to create shareable, interactive, reproducible environments.
    • The main technical product that the community creates is called BinderHub, and one deployment of a BinderHub exists at mybinder.org.
    • Who is it for?
      ◦ Researchers, educators, people analyzing data and people trying to communicate the data analysis to others!!
    https://mybinder.readthedocs.io/en/latest/introduction.html#what-is-the-binder-project
  123. BinderHub 123
    BinderHub connects several services together to provide on-the-fly creation and registry of Docker images. It utilizes the following tools:
    • A cloud provider such as Google Cloud, Microsoft Azure, Amazon EC2, and others
    • Kubernetes to manage resources on the cloud
    • Helm to configure and control Kubernetes
    • Docker to use containers that standardize computing environments
    • A BinderHub UI that users can access to specify Git repos they want built
    • BinderHub to generate Docker images using the URL of a Git repository
    • A Docker registry (such as gcr.io) that hosts container images
    • JupyterHub to deploy temporary containers for users
    https://binderhub.readthedocs.io/en/latest/overview.html
  124. Binder Design! 124
    (figure) https://github.com/repo -> Docker Image Exists? -> No: Repo2Docker Pod creates the image and pushes it to the Docker Registry / Yes: Up to date? -> No: rebuild and push / Yes -> Kubernetes Cluster launches a Jupyter Notebook Pod
    https://binderhub.readthedocs.io/en/latest/overview.html#a-diagram-of-the-binderhub-architecture
  125. Open Infrastructure for Open Hunts! 125 https://github.com/hunters-forge/ThreatHunter-Playbook

  126. Open Infrastructure for Open Hunts! (LIVE!) https://mybinder.org/v2/gh/hunters-forge/ThreatHunter-Playbook/master 126

  127. Threat Hunter Playbooks via Binder (Video) 127 https://github.com/hunters-forge/ThreatHunter-Playbook

  128. 128

  129. Goal: Share and Empower the Community! 129

  130. Let’s do it together! 130

  131. Threat Hunters Forge References 131
    • GitHub: https://github.com/hunters-forge
    • Python Library: https://github.com/Cyb3rPanda/openhunt
    • Slack Invitation: https://launchpass.com/threathunting
    • Official Blog: https://medium.com/threat-hunters-forge
    • Founders: @Cyb3rWard0g & @Cyb3rPandaH
    • Official Twitter: @HuntersForge
    • @HunterPlaybook
    • @THE_HELK
    • @OSSEM_Project, @Mordor_Project & More
  132. Thank You! Muchas Gracias! 132