
Intro to Network Security Monitoring (NSM)

This Anti-Cast was originally broadcast on October 23, 2024.

In this video, Troy Wojewoda discusses the fundamentals of network security monitoring and its importance in cybersecurity. He delves into various aspects of network security, including the roles of different technologies and the significance of having both real-time and historical data for threat detection and response. Troy also shares insights from his extensive experience in the field, emphasizing the complementary nature of network security monitoring and endpoint detection solutions.

  • Network security monitoring is a crucial complement to endpoint detection solutions, providing a high-level view of network traffic and potential threats.
  • The use of network packet brokers can enhance network security monitoring by allowing for traffic filtering, aggregation, and replication across multiple devices.
  • Historical data from network security monitoring is essential for retroactive detection and analysis, aiding in forensic investigations and threat hunting.
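The talk below explains the 5-tuple of a connection and the Community ID hash that ties endpoint network telemetry to what the network sensor sees at a choke point. As an added example (not code from the webcast or from BHIS), this Python computes Community ID v1 for TCP/UDP flows and joins constructed Sysmon-style and Zeek-style records on it; the host name, process paths, addresses, connection uids and byte counts are all made up.

```python
import base64
import hashlib
import ipaddress
import struct

# IANA protocol numbers used by the constructed records below.
PROTO_BY_NAME = {"tcp": 6, "udp": 17}


def community_id_v1(saddr, daddr, sport, dport, proto, seed=0):
    """Community ID v1 for a TCP/UDP 5-tuple (Corelight community-id spec).

    The endpoints are first put into a canonical order so both directions of a
    connection yield the same ID; the ID is then the SHA-1 of
    seed(2) || saddr || daddr || proto(1) || 0x00 || sport(2) || dport(2)
    (big-endian), base64-encoded and prefixed with the version "1:".
    ICMP type/code mapping is out of scope for this example.
    """
    src = ipaddress.ip_address(saddr).packed
    dst = ipaddress.ip_address(daddr).packed
    # Canonical order: lower address first; tie-break on the port.
    if not (src < dst or (src == dst and sport < dport)):
        src, dst, sport, dport = dst, src, dport, sport
    h = hashlib.sha1()
    h.update(struct.pack("!H", seed))
    h.update(src)
    h.update(dst)
    h.update(struct.pack("!BB", proto, 0))  # protocol number + one padding byte
    h.update(struct.pack("!HH", sport, dport))
    return "1:" + base64.b64encode(h.digest()).decode("ascii")


# Constructed Sysmon Event ID 3 (network connection) records from one workstation.
SYSMON_EVENTS = [
    {"host": "WKSTN-17", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
     "src": "10.10.20.45", "sport": 51522, "dst": "203.0.113.77", "dport": 443, "proto": "tcp"},
    {"host": "WKSTN-17", "image": "C:\\Windows\\System32\\svchost.exe",
     "src": "10.10.20.45", "sport": 62001, "dst": "10.10.0.53", "dport": 53, "proto": "udp"},
]

# Constructed Zeek conn.log-style records from a SPAN/tap at the Internet choke point.
# The second one has no endpoint record at all: a host the EDR never reported on.
ZEEK_CONN = [
    {"uid": "CAbc1x", "orig_h": "10.10.20.45", "orig_p": 51522,
     "resp_h": "203.0.113.77", "resp_p": 443, "proto": "tcp",
     "orig_bytes": 812, "resp_bytes": 3_450_000},
    {"uid": "CDef2y", "orig_h": "10.10.20.99", "orig_p": 40110,
     "resp_h": "198.51.100.8", "resp_p": 443, "proto": "tcp",
     "orig_bytes": 48_200_000, "resp_bytes": 1_100},
]


def correlate(sysmon_events, zeek_conns):
    """Join endpoint and network records on Community ID.

    Returns (matched, network_only): matched pairs each Zeek connection with the
    process that owned it on the host; network_only lists connections seen on the
    wire that no endpoint record explains, which is the gap NSM fills.
    """
    endpoint_by_id = {}
    for ev in sysmon_events:
        cid = community_id_v1(ev["src"], ev["dst"], ev["sport"], ev["dport"],
                              PROTO_BY_NAME[ev["proto"]])
        endpoint_by_id[cid] = ev
    matched, network_only = [], []
    for conn in zeek_conns:
        cid = community_id_v1(conn["orig_h"], conn["resp_h"], conn["orig_p"],
                              conn["resp_p"], PROTO_BY_NAME[conn["proto"]])
        ev = endpoint_by_id.get(cid)
        if ev is None:
            network_only.append({"community_id": cid, **conn})
        else:
            matched.append({"community_id": cid, "uid": conn["uid"],
                            "host": ev["host"], "image": ev["image"],
                            "orig_bytes": conn["orig_bytes"],
                            "resp_bytes": conn["resp_bytes"]})
    return matched, network_only


if __name__ == "__main__":
    matched, network_only = correlate(SYSMON_EVENTS, ZEEK_CONN)
    for m in matched:
        print(f"{m['community_id']}  {m['uid']}  {m['host']}  {m['image']}  "
              f"out={m['orig_bytes']}B in={m['resp_bytes']}B")
    for c in network_only:
        print(f"{c['community_id']}  {c['uid']}  NO ENDPOINT RECORD  "
              f"{c['orig_h']} -> {c['resp_h']}:{c['resp_p']} out={c['orig_bytes']}B")
```

The second Zeek connection is the situation the talk keeps returning to: tens of megabytes leaving from a host that produced no endpoint telemetry, visible only because the choke point was instrumented.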

Transcript

Troy Wojewoda

Welcome everybody. Welcome to this webcast. My name is Troy Wojewoda and I’m going to be talking about an introduction to network security monitoring. So this is an introductory talk. We will get into some specific terms and technologies and such that will be useful, but we’re not going to dive deep into those because again this is kind of where to get your.

When you’re getting started and you’re looking at network security monitoring, like how do you get started, some of the questions you may already have, maybe you’re not thinking of yet until you see this. So hopefully this is helpful and can be eye opening from that perspective.

So a little bit about myself. My name again is Troy Wojewoda. I work at Black Hills Information Security. I do a suite of different things at Black Hills. I started off when I came to Black Hills as a penetration tester at the.

At the time we didn’t have our security operations center. We’re a managed SOC provider, but now we do and I’ve been spending a lot of my time over there helping out, doing continuous threat hunting as well as IR engagements, forensics deferred type related work that also feeds into the SOC and helps out SOC customers as well as other customers that come to us for those various needs.

Previously, before starting at Black Hills Information Security, I did a ton of different things. I started my information security career probably almost two decades ago as an intrusion detection analyst, which is a good kind of segue into this talk itself.

When I started that role I had no idea what it took or what it even meant to be an intrusion detection analyst. I thought I would be working in the basement in a dungeon somewhere just looking at screens with scrolling logs and such and really didn’t even have a good sound foundation or understanding of TCP/IP theory and all those kinds of things.

So if you ever were there, if you like opened up Wireshark or you looked at packet captures or something and you had no idea where you were, that’s kind of how I started in a role in which I was supposed to be finding evil across the wire.

But then as my career progressed I had opportunities to put out those digital fires, so getting into incident response and doing those things, and then my career kind of progressed in that direction, mostly on the forensics and IR side of the house. However I had the opportunity to do what we called security evaluations at some other organizations, which were essentially just like what we’re used to or accustomed to today as penetration testing.

And even had the opportunity to manage individuals within a security operations center. It was a short-lived moment but I was only filling that role temporarily. While we had an interim manager, I was acting as an interim manager as we had some management kind of coming and going.

But it gave me that unique opportunity to manage a team as well as not just people but also the technologies and the budgets and stuff like that that all come along with that.

So just going to go ahead and jump right into this talk. And this talk is about network security monitoring, what this is. And so I like this.

This definition is a continuous collection of network telemetry that ultimately aids in the detection of threat activity and also possibly discovering vulnerabilities. So what it helps us do is it helps us within our security operations centers for near real time detections.

Like I was just referring to earlier with intrusion detection. That’s essentially where an intrusion detection system gets its data from, is from the network security monitoring solution that you have in place.

And we’re going to be talking a little bit more about that in this talk. But also what’s very important as well is retroactive detections. What I mean by that is essentially looking back at your historical data sets for evidence of compromises.

Threat hunting. Right. And a lot of times that topic itself doesn’t actually get, I think, the justice that it deserves. And that is, if you have an environment and you have this historical data collection, lots of times, especially if you’re getting threat intelligence or you’re learning about adversarial activity after the fact that it already happened.

Which is the majority of the time when we learn about this threat activity, if it’s not happening in our environment, we’re learning about it through OSINT channels, through blogs, through other different media that’s telling us that this threat activity happened.

And then what do we want to do? We want to say okay, well, one of the first inclinations is like let’s look for this threat, let’s put in signatures, let’s make sure that this threat activity doesn’t happen in our environment.

And if we’re dealing with indicators of compromise that are being disseminated in those open source channels, it’s less likely that those indicators of compromise are going to be valuable going forward, but more valuable actually looking back in your historical data sets.

Right, so say a vendor, security vendor, blogs about threat actor squiggly do that happened three months ago. If you have some type of historical record of that data in your environment, from three months ago or two months ago or whenever that activity occurred, then you could look back for those indicators of compromise, more of a realistic or a more valuable scenario than it actually is putting in going forward.

Most likely those indicators of compromise have been burnt and they’re not very useful going forward. But also this data that we can collect for network security monitoring solutions helps us when we’re involved in either an active IR or we come in to do forensics.

And one of the reasons why I actually wanted to put this talk together was because, just talking with, again going back to my consultant work that I do here at Black Hills, we from time to time get pulled into or get called by prospective customers for help in IRs or help in a forensics investigation that came from an IR.

And the questions that they usually ask would, I want to say, easily be answered, but likely to be answered if they had some type of network security monitoring solution in place.

And what I’m finding is, as the evolution of endpoint detection solutions have kind of evolved, less and less companies are inclined to actually go down the path of network security monitoring and just put all their eggs in the EDR basket.

And so having conversations with colleagues of mine, with customers, and my experience, I felt like it just doesn’t get enough justice to talk about the importance, at least that I feel that should be talked about and discussed, when we talk about network telemetry in itself.

So with that said, we tend to use these different terms when we’re discussing network security monitoring solutions. And what you often hear is a network security monitoring stack.

And so I’m showing here just a quick little visual of what that stack may be composed of. The full picture of network security, if you’re positioned in a specific choke point and you’re capturing data, the full picture of that data, the full amount of data that potentially can be analyzed and understood, is full packet capture.

That’s going to be the full picture of the activity of network connections being sent and received. Sessions that were created, torn down, all those things, the content in them, if it’s not encrypted, we have opportunities to see the full picture, if you will, of that network traffic.

The next layer down is deep packet inspection. And there’s some technologies that do this. I’m gonna talk about those here, but I’m not gonna get again into the weeds. But Zeek is one of the solutions that I’m gonna bring up

time and time again that does this deep packet inspection and logging of like metadata of all the things on the network. Then you have your traditional IDS. I’m also including IPS in this.

So IDS or IPS, intrusion detection versus prevention, they pretty much do the same thing, except one is just passive detection, just watches and is passive, where prevention systems are in line with the network traffic.

And if it sees evil over the wire and it knows about that, it can drop that traffic before it gets to its destination. And so those are really the differences there.

Typically in a network security monitoring stack, if you’re getting this traffic passively via either a tap or a SPAN, you don’t have the opportunity to drop the traffic because you’re just collecting copies of the traffic going through a specific choke point.

I want to include it in here because this is an important technology. And then there’s things like flows, like IPFIX, which is the international standard name for what Cisco’s protocol is called, NetFlow.

And then as we kind of go down this stack, we get less and less context, we lose context as we go down this network security monitoring stack. But there’s definitely potential for recording activity of whether or not certain traffic was allowed, or was denied, or even happened in your environment.

You have something, right? So, again, going back to the stories where customers call us, we come in, they ask us was data exfiltrated? We look at the endpoint stuff. Well, the endpoint that was compromised wasn’t really configured correctly as a start.

But then there’s no network security monitoring logs or data to answer that question of whether or not data was stolen or when was the initial, access and all those different things.

And then, I don’t want to dismiss endpoint telemetry altogether. I mean, after all, network communications require endpoints to talk to each other.

Endpoint technology is important. It gives us a lot of telemetry, but also a lot of ability to do response these days. And then there also is data that we can use to correlate, whether it’s happening on the endpoint, what we’re correlating to what we’re seeing also on the network, and vice versa.

Maybe we’re seeing stuff on the network coming from an endpoint, but that endpoint is not telling us something. And so we use those different data points to kind of try to understand, make heads or tails of a scenario that’s going on.

So in typical network security monitoring solutions, you’re going to have, essentially, I’m boiling it down to three different points of perspective here or factors.

One is directionality. So we use this term a lot. We use these terms a lot when we’re describing where the data is originating from and going to, and vice versa. So you’ll hear north-south traffic, which will refer to kind of data either leaving your environment, going out to the Internet or some other segment, or coming back down.

So whether it’s coming inside of your network, going out to the Internet would be south to north, or also known as egress. And then the inverse relationship to that is traffic originating from Internet coming into your environment, which would be ingress.

So we describe that as north-south traffic. And just in case you needed the little compass as a reference, there’s a little compass. But I’m sure everybody kind of gets those four points of the compass, and then the lateral movement, the east-west traffic.

So when we say lateral or east-west, we’re referring to traffic that’s happening within an organization. So maybe from one computer, one laptop or desktop to another, or one laptop to a server or server to a laptop, vice versa, within the network. We refer to that as east-west or lateral flow.

How long did the connection last for? How much data was transmitted, how much data was received, and then content, if we’re able to get that, like what was actually in the data, what left, what came in.

Right. Are we talking about data exfiltration? We talk about sensitive data going out. Are we talking about possibly ingress of attacker tools coming in, malware and what have you for the threat actor to carry out their objective.

And some other terms that we talk about, or concepts, is the 5-tuple of a network connection. And when you hear about that, what does that mean? So essentially it’s the source and destination addresses, IP addresses, the source and destination ports, and then the protocol, whether it’s TCP, UDP, or even lower level like an IP protocol like ICMP. Those five different components make up the five tuple of a given network connection.

And we can use these things to kind of understand and follow these streams of data. The nice part about this relationship, specifically when it comes to TCP/IP or UDP, is generally the source port is randomly generated and the destination port is typically associated with a common protocol, the server side listening on those certain ports.

So that original destination port pretty much stays the same. It does stay the same where the source port would be randomly generated on each different TCP or UDP session. Coupled with the IP addresses and the protocol we can call that the five tuple.

And this is also how, if you ever heard of the concept or the term Community ID string, it’s a hash of this 5-tuple communication with some salting as well that goes into there to give a unique hash of that.

And that hash can also be used to correlate specifically like endpoint network telemetry that’s being generated or being observed on an endpoint with also that same corresponding network traffic that’s happening, maybe going through a choke point that your network security monitoring solution is seeing.

So for example, Sysmon can generate a Community ID string on the endpoint, and that same Community ID string, if that network traffic is seen outside of the context of the endpoint on the network, can be used to correlate the traffic with that system.

So it’s basically the same stream of data. All right, so why? So again, our endpoint technology has evolved over the years.

We hear about EDR all the time and that’s great. I’m so thankful that the EDR solutions that exist today do exist, that we didn’t have back when I started doing security monitoring and incident response, to go in there and kill processes, to contain hosts, like the entire systems, to contain them in a way in which you can still interact with them, pull different data, investigate, determine whether or not you’re dealing with a false positive or a true positive type alerting. If it was a false positive you can unquarantine.

That’s a powerful capability to have versus when I started doing IR, monitoring, incident response, and it was basically we saw something happening.

We would call the networking team and say shut down the switch port, or literally go down to the data center and start pulling cables and stuff like that, or try to find the system to shut them down. I mean, those were our dance moves then because the technology just didn’t exist.

And so it’s great technology that we have today, and I’m not trying to make the argument that this replaces it. Network security monitoring is a complement of the endpoint technology, as well as the realization that not every single endpoint in the environment can have one of those fancy schmancy EDRs on it.

Like if it’s not a Windows system, how valuable is that EDR compared to those EDRs that are running on your Windows hosts? What if it’s a system that, like say an appliance, a firewall, or another type of appliance in your environment, that’s not running one of the popular OSes, or at least a version of maybe the kernel is.

But for lack of a better argument that there is no EDR on some of these solutions. And then you have, again, misconfiguration that happens.

Systems that come on the environment, come into the environment that may not be part of the domain, whether they’re unmanaged, they used to be, and they just fell off, or they’re true rogues that are in your environment.

Maybe a vendor comes into your environment, plugs into the wrong switch port and your NAC isn’t working, or you don’t have network access control put in place. There’s no EDR on that system to operationalize a route.

The other part, and this kind of goes back to some of my experience dealing with IR and such, is if the endpoint that you’re investigating is compromised or highly suspected to be compromised, how much do we actually trust what is coming from the endpoint from a telemetry perspective, how much can we trust is actually reality? Right?

So if we’re not seeing any activity, is it that we’re not seeing it because the activity is not happening, or we’re not seeing it because an adversary was able to tweak the endpoint to not report it, or just turn the EDR off, or for another slew of reasons? If that endpoint is truly compromised, it begs the question how much can we actually trust what we’re seeing or not seeing from that endpoint.

So it just gives us a second set of eyes and really that higher ground perspective, and ultimately when we’re dealing with threat activity, even though lots of times we’re operationalizing around singularity kind of events, like detection fired, investigate, detection fired, investigate, really a lot of things are a compilation of events.

And it is a compilation of events. There’s no threat activity that ex... where one single event. I mean, maybe you could make the argument that a single like packet or something could cause a denial of service or something.

But in most investigations that I deal with, at least all the investigations that I’ve ever dealt with, it’s a compilation of events. It’s events over time. And I want to emphasize events, lots of events over time.

And so our objective when we’re dealing with this threat activity is to identify when obviously we want to contain and eradicate and go through those immediate steps within an incident response.

But we also want to answer the question how did the threat actor get in? How did the initial compromise occur, and what could we do better in the future to push up on the threat actor kill chain so we’re better prepared for future potential or attempts at initial access in the future.

So this is a slide I put together for a talk I did earlier this year that was talking about threat intelligence and operationalizing threat intelligence.

But I kind of wanted to just show the importance of the difference, rather, of having your real time monitoring versus your historical data set. So this is an example of using threat intelligence, operationalizing threat intelligence and using that in a way in which is beneficial for your organization.

And like I said just a little while ago, lots of times when we’re dealing with threat intelligence, we’re dealing with something that’s already been disseminated out in the public domain. And in that case, using that threat intelligence to go look against in your near real time monitoring solutions is very irrelevant.

In that the IPs, domains, hashes, all those things, we’ll just stick with like the infrastructure side of the house, with domains and IPs, are most likely already burnt and not going to be even valuable looking forward.

But historically looking back, you do have that, that is where it’s most applicable. Right now, again, it depends on how you’re collecting threat intelligence and how you’re using the threat intelligence.

If the threat intelligence is not disseminated in the public domain, it’s something that say you’re watching a threat actor, you’re aware of a threat actor still active, but it hasn’t been publicly disseminated, then yes, those IOCs or that intel can be useful in a near real time monitoring perspective.

But the stuff that’s being disseminated out in the public domain, not so much. And so that just kind of shows like having that ability to kind of look back and I believe network security monitoring and those solutions that produce that data allow us to have that historical data set that we can leverage to look back on.

And so getting back to like why I wanted to do this talk and this debate that we have amongst security practitioners, amongst different organizations, that just feel like, well, the EDR is the way to go.

You just need a really good EDR and you’ll be fine. And again, I agree with a portion of that, right? As long as you can be 100% assured that your EDR is going to be pushed out to all your endpoints, it’s going to be 100% functioning.

There’s going to be no systems off net for weeks or months or even longer. Excuse me. And all the things that I mentioned just a bit ago, right?

There are environments that are very zero trust like environments, right? There’s no infrastructure, there’s no data centers, users have maybe a mobile device or a laptop and everything’s a cloud resource.

There’s no backend infrastructure that an organization has. And in those environments I would agree that there’s probably not a lot that you can pull off from a network security monitoring perspective.

Also environments that have lots of different points of presence to the Internet. I’m going to talk about those choke points here in a little bit and where we can best position ourselves for network security monitoring.

However, there are organizations that are very dispersed, that are not centralized, they’re very decentralized from that perspective. They have satellite offices all around the country or the world and they just feel like they don’t need it or they’re just not positioned for it.

And again it depends on your environment, it depends on how you’re doing these kinds of things. And then also the argument of encryption, like well, is it even going to be value add because most of this traffic should be encrypted anyways.

So all those arguments for why network security monitoring typically kind of falls short of being deployed or even being looked at. Again, if you do it right and you have the facilities to support this, you could pull off one network security monitoring solution that covers many, many endpoints.

So say one point of presence to the Internet could be monitored. We could potentially be monitoring hundreds if not thousands of endpoints that are potentially talking outbound or eventually talking outbound in one way, shape or form.

The other part that’s really attractive for network security monitoring is that the operating systems that are involved with the network communications don’t really matter from a network security monitoring perspective.

The beauty about network traffic is it has to be agnostic to the operating system. It has to be ubiquitous. So we talk about protocols like very, very common protocols like DNS, and even TLS and SSL, TLS, DNS, HTTP, these very common protocols that you’re going to find in your environments, they have to be able to interoperate between various operating systems.

So whether you’re a macOS or Windows or Linux, it doesn’t really matter. If they can talk the network protocol, that network protocol has that commonality between them.

And so therefore it doesn’t really matter whether or not you have a set of macOS or Linux systems in your environment that don’t have that EDR.

In a network security monitoring perspective it’s not as applicable, it’s not applicable at all in regards to those common network protocols. I already mentioned this before, but that high ground advantage, right, you’re dealing with or you’re looking at traffic that’s either originating from or communicating to a potentially compromised, or known to be compromised, endpoint.

So how much can you actually trust that the data that you’re getting from that endpoint is the truth data. And so having that high ground perspective, you can at least verify or validate that traffic that’s being reported by the EDR is occurring or have the opportunity to collect data that the EDR is not telling you about or the system’s not telling you about.

And then really the systems that are not part of your systems in your environment, right, the rogue systems, whether they’re true rogues, say they’re a system that your company is not in control of whatsoever, or just an unmanaged system that fell off or whatever.

You have the opportunity to detect that presence of the, of those systems without having to rely on a deployed EDR solution which is only going to be really deployed to systems that you manage and know about.

And it all boils down to depth versus breadth, right? The endpoint is going to be your potential for getting much more details of the activity that’s occurring, where the network allows you to have that bird’s eye view of the breadth or coverage.

And before we can actually do that we have to be able to get visibility. So if we don’t have visibility we can’t do all these things. Like if we don’t have the right point of presence to what we want to collect and where we want to collect it, then we’re not going to be able to do that.

And that’s usually the hardest part. When I’m consulting or discussing this with an organization that hasn’t deployed a network security monitoring solution, they just really don’t know where to get started.

And so this is just a very simplistic drawing. And again maybe you’re in an environment that has a lot of off net systems and it’s a very zero trust type environment. But say you have a data center with a set of systems that are very, very near and dear to your organization, that are within a data center, that have some type of point of presence to the Internet, that has a firewall or some other perimeter device separating that data center from the Internet or some other untrusted zone. Then you have the opportunity to position yourself into collecting network traffic.

So this very simplistic view of a network diagram kind of shows an Internet point of presence, a perimeter firewall at the top, our DMZ, so our set of systems that are Internet facing to some extent, right.

Maybe via web server, maybe if you’re still using an SMTP gateway and you haven’t kind of drunk the O365 Kool-Aid and gone that route and you’re like the 0.01% of the world.

But for whatever reason it might be a file share or something else that’s exposed to the Internet. For whatever reason your business needs to have, you have some type of limited connectivity from the Internet to these systems that we refer to as our DMZ.

And then we have our internal, our core router internally. Right? And then we may even have all these different subnets. So all these different things, going back to our network security monitoring stack, full packet capture, where do we want to be?

Where are strategic choke points? Well obviously the Internet points of presence. The less that we have, the easier it is to deploy a network security monitoring solution.

Conversely, the more Internet PoPs we have, the harder it is. Right. But then also comes with availability, and I’m sure your network teams are probably screaming at you if you’re saying we need to consolidate our Internet PoPs. There is an argument on both sides of that coin.

However, I would definitely try to consolidate to a limited number of points of presence for high availability and so on and so forth.

We talked about Zeek or the deep packet inspection type solutions and the IDSs and our IPSs. They scale pretty well when you’re talking about those strategic choke points.

But what they don’t do very well is cover all the different endpoints below. There’s the technology that I referenced as IPFIX or NetFlow. And if you’re in an enterprise environment you probably already have this technology.

It’s built into enterprise grade layer three switches and routers already, and you likely already have this technology to produce flow data going through those different route points. And so everywhere where you have one of those layer three switches or routers in your environment, you likely already have the capability or the technology in house to have flow data.

And when we’re collecting network security, we’re doing a network security monitoring collection. Again, the opportunity here is to get visibility into these very common protocols that are going to be there.

The ones on the left here, the ones I have labeled as ubiquitous, you’re going to find them in every single environment. I don’t care what environment you’re in. I’ve been in a lot over my career.

You’re going to find those no matter what. Even, I know we’ve evolved onto HTTP/2 and HTTP/3 in some cases. In those instances that those exist, you’ll still see legacy HTTP, I guarantee it.

But I will guarantee you you’ll see DNS and TLS all day through those network choke points. And then you get into like different protocols that are going to be specific to the environment you’re in.

Obviously if you’re in a Windows environment, and you’re able to get some visibility into lateral movement, or areas within, say, your data center or something like that, you’re going to see remote desktop, SMB, those kinds of things.

Hopefully you don’t see a lot of that at your perimeter. That would probably not be a good thing. But usually those protocols are typically utilized inside an environment and not going out to untrusted zones, like the Internet, or allowing inbound connections from them over those protocols.

And so how do we get this traffic? So there’s one of two ways. it’s either via a tap or an inline tap or a span. And so the way that this works is you have a, say a router or a switch that’s capable of doing, of spanning traffic.

You have all these different computers that are connect all these different systems and hosts if you will that are connected to this switch and then you configure that switch to say I want to mirror the traffic going the connected like host A and host B and host C, maybe going out to your isp, I want to mirror that to the network security mattering stack.

And so you would work with your network security folks or your NOC or your network engineers to configure that switch or router technology to perform that, to configure it as a SPAN for whichever segments you would like to span.

The one thing I wanted to highlight with SPANs is that, say for this simple example here, we have a switch that has gigabit ports, and the SPAN traffic itself is also on a gigabit port.

And therefore if you aggregate this traffic in a way in which the aggregated traffic is over a gigabit, then that traffic is not going to reach your network security monitoring stack and you’re going to lose traffic.

And so that’s one downside with going with a SPAN. Obviously the upside with going with a SPAN is you’re not inline with any traffic and therefore it’s all passive.

And so sometimes companies like to take the more conservative route and not get in the way of inline network communications. And so the SPAN via switch is an attractive approach.

It also depends on how big that choke point is that you want to monitor in the first place. And then the other solution here is to go with an inline tap.

And in that case you would find which area, that choke point, that you want to monitor. And this tap would literally be inline with the connection.

So say your firewall is segment B and segment A is your Internet service provider connection. You’re inline here with that connection at the Internet point of presence, from the packets leaving your environment going to your ISP and then vice versa.

And in these scenarios the tap technologies guarantee that you’ll get a bit-for-bit copy of the traffic that’s going through that tap.

And then a lot of these technologies, and I’m not going to go into which commercial technologies are best, because I typically try to stay with stuff that’s open source.

But with this type of technology you’d want to work with your network engineers. There are a lot of robust solutions out there that fail in a way in which, if the tap goes down, traffic can still flow in your IT organization and not interrupt any of that traffic.

However, in reality I just know the politics that do come along with balancing cybersecurity demands and needs with network operations; sometimes that can get into areas in which you can’t pull things like this off.

When you do anything that interrupts any type of IT operations, cybersecurity gets blamed for it. And so SPANs are sometimes a little bit more attractive in that regard.

But then we run into the scenario in which, say, I have a network security monitoring solution but I want to do more than just full packet capture. Say full packet capture is cool and we have it for a limited amount of time.

But I want to do deep packet inspection, and we already have an IDS, and oh, by the way, networking has that SPAN reserved for if they need to do any troubleshooting, and they’re not going to give that up, right, because they need to be able to do troubleshooting from time to time and they don’t want to swap it out.

And so that presents a challenge, right? We have one output from the SPAN or tap that is reserved for whatever, but we want to feed it to multiple devices or multiple solutions downstream.

And then we have another challenge, which is that, say, we have multiple different choke points, and they’re not high bandwidth or high rate of data traversing, but they’re different segments within the environment.

And we have a network security monitoring solution that can handle all that, but, say for example in this screenshot, it only has four interfaces to listen in on, to be able to see that traffic and produce the data off of that network traffic.

So two different issues. Thankfully there’s this concept of network packet brokers that allows us to compensate for both of those scenarios.

And so network packet broker is just a common term, but they essentially have the ability to filter traffic, to do load balancing, to aggregate traffic, and then also to do traffic replication.

And so really the data aggregation, traffic replication, and traffic filtering are what we’re interested in when we’re trying to pull off this network security monitoring solution.

And so the first example I’m showing here is problem one, where we have too many downstream devices and only one input device.

And in that case we use what is called a regeneration tap. And that regeneration tap takes the traffic that it’s going to expand and regenerates it. It essentially copies it to multiple outputs.

And so therefore you could take the same traffic and send it to your full packet capture solution, to your deep packet inspection, to Zeek, to IDS, one for networking for troubleshooting.

And maybe you have a DLP solution that needs to look at network traffic, and that was already in place and needs to be there and can’t be removed.

So now you can take the same data and split it into multiple different downstream outputs. And on the side where you have multiple inputs, there’s the concept of an aggregation tap.

And so you would then have multiple different choke points like I explained before. But now you could take that traffic, say you have a SPAN or a tap that’s looking at traffic going to and from your Internet point of presence, and then also maybe to your data center or domain controllers or however you set it up.

You may have the opportunity to collect some other information from other segments in your environment and bring that back to an aggregation tap, where all that traffic then gets consolidated and aggregated out to each individual output.

And lots of these technologies not only allow you to do this, either regeneration or aggregation, but also allow you to do filtering. So I have an example of a simple tcpdump filter there where, say for example, this host 192.168.1.0101 is a web server that only listens on port 443 and it’s all encrypted traffic, and it’s inside, and you have high confidence that it’s always going to be encrypted.

You can filter that out, for example, and say I don’t want to see any of this traffic because 50% of all the traffic that is going through this tap is going to this host over this port and it’s all encrypted.

We know about it, we have very good web logs. Let’s go ahead and put this tcpdump filter in there. And now we have more room for the traffic that we can utilize better in our network security monitoring solution.

This is just an example of an actual geographic choke point that I learned about when I was in college shortly after 9/11. I remember for some reason Afghanistan and Pakistan were in the news a lot.

But this is a geographic region that’s been a military strategic point of presence for a very long time, and you can see why, to move massive amounts of troops through.

There’s only one area that makes sense in this 20-mile path, and that is the Khyber Pass. And I remember learning about this in college, and then later on in my cybersecurity career,

we’re talking about strategic choke points, this popped up and I thought, oh, this is a good example to kind of show what it looks like from, say, a non-digital perspective.

So, network security monitoring and placement. Where that placement is, you have to kind of get your bearings when you’re doing your analysis.

Am I outside the firewall? Am I inside the firewall? Is this traffic east-west? And so it’s very, very important when you’re looking at network traffic, whether it’s in your SIEM or somewhere else, to kind of set that in your mind.

Okay, what am I looking at? Am I looking at traffic that’s on the outside of my perimeter that’s leaving or coming in, or on the inside, and then again east-west, to kind of understand.

And what I mean by that is, going back to the simplistic scenario here where you have a perimeter firewall and, say, an internal core router or whatnot, it’s going to depend on where that network security monitoring solution is going to be best aligned.

When you’re on the outside of your perimeter, you’re going to be best aligned to at least detect or be prepared for attacks against your perimeter, against your firewall, against maybe your VPN solution, and all your stuff that’s in the DMZ, right? When those systems get popped, you’re not going to see that activity anywhere else

unless you’re positioned above that perimeter firewall. I’ve got a little bit of a story to show at the end of this slide deck. But if anybody was following the news at the beginning of this year, or at least spring, March, April-ish of 2024, the Palo Alto PAN-OS vulnerability was discovered this way, by a security vendor that was monitoring on the outside of their customer’s perimeter, and that was the only way you were going to detect when that Palo Alto was compromised, where the threat actor was pivoting in from.

Conversely, if you’re looking at traffic on the inside, you’re going to be best prepared to look for, say, beaconing traffic and all those kinds of things, stuff originating from inside the environment going out.

Keeping in mind network address translation, so NATting, right? You’re going to have that network address translation most likely on the outside, where you’re only going to see your public IPs and the public IPs that are interfacing with your perimeter, and then on the inside, if NATting is being done there, unlikely it is, then you’re going to see private IP space.

So on the inside you’re more likely to be able to correlate that with endpoint activity; on the outside, not so much. And don’t forget about NetFlow.

And I can’t say this enough, every single time, whether it was doing IR at previous companies or doing it as a consultant: NetFlow is a technology that already probably exists in your environment right now; you just need the means to collect it.

So like I said, those enterprise-grade Layer 3 switches and routers already have the capability to export NetFlows. A lot of enterprise-grade SIEMs, if not an actual dedicated NetFlow collector, just need to be put in place or implemented to collect the NetFlows.

One area, not just NetFlow, but if you think about it from a strategic internal deployment perspective: say you have PoPs all over the place and it’s very difficult to monitor your perimeter.

But say you only have select areas inside your network where you have your highly sensitive systems, right? You might have highly sensitive enclaves or OT environments that have somewhat limited connectivity to the IT environment.

I would recommend at a minimum trying to get some type of network security monitoring in front of your domain controllers, if you’re in a Windows environment. Your domain controllers, as we all know, are the keys to the kingdom, and you want to protect those things as much as possible.

So one example is just basically being positioned at least in front of those highly sensitive systems. And there are a lot of other examples as well where we can get network telemetry without having to actually pull off a network security monitoring solution.

Application proxy logs, firewall logs, if we’re not already talking about application proxy firewalls; DHCP, the poor man’s NAC. If you’re trying to implement a NAC solution and you’re having difficulty doing that, or you don’t have the budget to do that, just looking at your DHCP traffic you could probably pick out systems that are not part of your domain that are requesting IP addresses as soon as they’re plugged into switches.

If you can’t get access to those perimeter network security monitoring choke points, for example for DNS, there are internal resolvers; maybe you can get some of the logs from those internal resolvers to get answers to some of that activity.

And then we have the cloud, right? So we talked about traditional networks, but there’s this capability of having network security monitoring in the cloud as well. Amazon has what they call both VPC flow logs as well as traffic monitoring.

So you can create these software-based taps where you could deploy these network security monitoring solutions and get traffic to and from your different VPCs that you have deployed, as well as in Azure, where you have packet capture capability between the different virtual nets as well as the concept of a virtual tap.

Which is interesting, because I think a year or two ago Microsoft just abruptly said that they were stopping the use of virtual taps, and they didn’t really give a very good reason why.

But then all of a sudden it just came back as a capability that is now available in Azure. So you do have the same thing as what we saw in AWS, having a virtual tap capability in your Azure cloud environments, as well as the flow logs that can be produced.

And in October of 2022 it was announced that Microsoft and Corelight, the vendor of the commercialized solution of Zeek, teamed up to integrate Zeek, which is the deep packet inspection technology that is now available for Defender for Endpoint.

So I said this is kind of cloud-ish, because it’s Zeek telemetry that’s normally produced on a network choke point, but on the actual endpoint, so it’s not network traffic through the network; it’s actually being generated on the endpoint.

And so this was interesting. We did some research into that in order to get data. It’s not the same, so we’re not collecting data like we normally would in a security monitoring solution, where we have this historical data set, all this information.

Rather, we have the ability to go into either our 365 portal, or we can use the Graph API to query information to go, quote unquote, hunting for network activity.

So there are some limitations, and it’s still a fairly new technology, but there are two ways, again, to get to it. First of all, you have to have an E5 license to have this capability built into the EDR-type capability within Defender for Endpoint.

That might change. It might have already changed; stuff changes a lot in cloud environments. But at the time of doing this research you still needed to have an E5 license to have that Zeek integration in Windows Defender for Endpoint.

But you would go into your 365 portal, go to the Advanced Hunting section and look; this is typically how you would look for it. You can also use the Graph API.

This is just using the Graph API utility to do kind of the same query you could see there. What’s really nice about this is it gives you some information about that network telemetry, but also ties it into which process executed and what the full command line was, which is kind of neat, because Sysmon, type 3 I think, is the network events related to endpoints.

But in those it only tells you the process that executed, not the full command line that was used. You’d have to then go find the type 1 events and then correlate those together.

But in this case we actually see the full parent-child process as well as the command line that created that connection. There are definitely some limitations here.

Not all the protocols that Zeek does out of the box as a deep packet inspection solution on a network are available in this. So when I did this research a little while back, a few months ago or at the beginning of the year, DNS, HTTP, ICMP, SSH, and TLS were the only protocols that were supported.

And then again, you can’t look back 30 days. You have to search for this. These are API queries. So it’s not like you could just go pull all the network logs for last week and pull them down.

It doesn’t work that way. They’re APIs and API-limited queries, so you can only really hunt against the data instead of pulling it back and getting the full picture.

But still, pretty interesting concept. Some tools. There are lots of tools that we can use for network security monitoring and analysis. These are just a very, very small subset.

I put some markers here, whether or not we’re talking about full packet capture capabilities versus, say, Zeek, and I did call out Corelight even though I try not to talk about vendors and paid-for solutions here.

But Corelight is in a unique situation where the commercialized vendor of Zeek produces and actually provides Zeek for free, open source. Security Onion, a great resource for learning, a suite of tools for doing network traffic analysis, capturing, and all that.

And then on the Black Hills side we actually have an open source version of a tool called RITA, which takes Zeek data. Both of these solutions, RITA and AC-Hunter Community Edition.

There is an AC-Hunter paid-for edition, but this is the Community Edition. Both of these solutions take Zeek data and do the analysis, the beacon analysis and stuff. That is really the power engine behind RITA,

and same for AC-Hunter. Quick little screenshot of Wireshark. Hopefully you’ve already seen this before. If not, this is kind of how it breaks down: you have the filter at the top, and then your packet list, and in the middle there the packet details.

That’s where it breaks out the tree of the actual packet, where we see the different layers of the IP packet as it’s encapsulated and decapsulated, that we can look at in Wireshark.

And then the bottom layer is the packet bytes, so the raw binary itself that traversed over the wire. And we could see also this is like a hex dump: the offset on the left, the binary in the middle, and then the ASCII equivalent on the right. TShark is the command line equivalent to Wireshark.

I wrote a blog about both Wireshark and TShark and getting started with those. So if you haven’t checked that out, go ahead, check that out. I wrote that last year during Shark Week, when Discovery Channel does their Shark Week thing, and just thought it would be kind of a nice little intro to Wireshark and TShark.

So please go check that blog out if you haven’t already and you’re interested in learning more about those tools. I already mentioned Zeek. I could talk a lot about Zeek. The class that I teach, a network forensics class, spends almost an entire day on Zeek.

Not just learning about Zeek and the power behind it, but also in the class I have examples in labs where you can actually write custom Zeek scripts to get more out of Zeek than just what comes right out of the box.

There is a lot of potential that’s inside of Zeek that just needs a little help coming to the surface, but there’s a lot there, and really there’s not a technology in between full packet capture and NetFlows that comes, I mean, I know there are some commercial products that do Zeek-like stuff, but for being open source and, honestly, 25 plus years, next year it will be 30 years old, I believe.

Vern Paxson started it in 1995. It didn’t really become popular until 2012-ish, early 2018. But again, the technology has been around for a very long time.

It used to be called Bro. That’s where you see the quote there from Richard. I really like that quote, where it kind of talks about how, even though it’s labeled as an intrusion detection system, it’s really not fair to call it an IDS, where IDS is kind of alerting in real time.

It’s more of a forensic collection of network metadata that we can use to kind of look back and do that forensics investigation, do the hunting, and do a bunch of various things.

So I know I’m coming up on the top of the hour here, but I just wanted to kind of show why it’s important and why it’s still very, very relevant to have network security monitoring in place.

I mentioned the PAN-OS vulnerability already, but this was instrumental. Volexity did an extremely great job at detecting this zero day in action as it was occurring.

And they wouldn’t have been able to do so if they didn’t have network security monitoring above the perimeter, above the firewall itself, the firewall that was compromised.

And so if you haven’t read the full breakdown Volexity did in this research and analysis, there are two links there to go check out. I actually did an IR for a customer that unfortunately had their Palo Alto firewall compromised.

And they didn’t have network security monitoring on the outside, and they had very little on the inside. And it was an extremely difficult IR engagement to kind of go through and put all the pieces together.

Again, we can use network security monitoring to identify gaps and do auditing as well. One of the things that I’ve used Zeek for specifically in the past is to kind of look at the traffic that’s in your environment.

I remember going back when we were trying to get out of the environment protocols like SSL and TLS 1.0, and everybody in IT were high-fiving each other saying we just pushed GPOs and we’re great, we didn’t break anything.

We’ve got these weak protocols out. And we just looked at our Zeek data, and we saw where, even though TLS is an encrypted protocol, it negotiates the algorithms at the TLS level, or the encryption level, that both parties are going to talk with, and that’s all in clear text and gets recorded by Zeek.

And we were able to see, yeah, well, it’s not entirely out of our environment. This is an example of Shellshock. When Shellshock happened everybody was freaking out.

This goes back a little bit, to 2014. But when Shellshock came about, this was a 20-plus-year-old vulnerability that existed in Bash. So it could have existed for a very long time until it was detected.

You have that historical data set. We can go back and look and see whether there was activity in our Zeek logs, for example, that was leveraging that exploit or not.

Right. And so that was a nice, quick litmus test for that. The Sunburst malware. This is the malware that was associated with the SolarWinds compromise.

It used DNS to talk out. So one of the things that you can definitely get good visibility on when you’re monitoring your choke points, specifically your Internet point of presence, is DNS, because DNS traffic has to leave your environment in order to get answers back.

And so if you’re just collecting there, you were able to know whether or not you were a victim of the SolarWinds compromise, not just a victim of the compromise, but a victim that the threat actors actually were interested in.

The SolarWinds compromise, I think copyright is like 18,000 plus customers, but the APT actor that was behind that was only interested in a very small set of those organizations.

And they used DNS to communicate whether or not they were an organization they cared about, or an organization that they didn’t care about, to stand down. So you’re able to kind of see that. And then just the takeaways here: bird’s eye view, one-to-many coverage,

that historical recorder kind of thing, pushing up in the kill chain, and all those kinds of things. Not a replacement for EDR. Hopefully I didn’t get into a holy war with anybody that’s very EDR-centric and say I’m gonna fight you in the parking lot at 3:00 pm. I definitely think that they’re complementary and EDRs are definitely needed.

It’s just that it’s not a silver bullet, right. And that’s it, that’s all I have. So I know we’re right at the top of the hour. Zach.

Zach Hill

Yeah. Awesome, man. Appreciate you being here as always, dude. It’s always fantastic. Do you have a few minutes for questions?

Troy Wojewoda

Sure.

Zach Hill

Because you’re all good. There were a couple that we got through Zoom. Discord goes pretty quick. If there are any questions in Discord, we’ll try to get to them. But just a quick couple right off the bat.

Larry says that he loves the Infosec Wizard shirts and would love to get one, which is awesome to hear. They’re not available on the Spearphish store as of right now.

The only way that you can get them right now is by visiting us at conferences, and I get to give them to you, gift them to you. But we’ll probably look at putting those on the Spearphish store at some point.

And then Min said that they love your background and they want you to share it. So if you could share your background, if you are willing.

Troy Wojewoda

Sure. Where I got it from?

Zach Hill

Yeah. Or maybe just the background, but you could share. Yeah, I think you talked about that. Did you use the same thing?

Troy Wojewoda

So the background is from a movie. Does anybody know? I mean, I’m sure people on Discord probably know what movie it’s from. It’s from a movie in the 80s called WarGames. So, yep, they got it.

They got it before I even said it. And so actually this is the WOPR, right, the simulated WOPR in WarGames, where it basically started a simulation of a nuclear fallout between us and the former Soviet Union.

So, yeah, pretty good movie. If you’ve never seen WarGames, I highly suggest you check it out. WarGames and Sneakers are my two old school hacker movies that I absolutely love.

And actually written and produced by the same people. So, yep.

Zach Hill

Love it, man.

Troy Wojewoda

Does anybody know the password into the WOPR by chance? What Matthew Broderick used to get into the WOPR.

Zach Hill

What do they win if they get it right?

Troy Wojewoda

Everybody’s frantically Googling global thermonuclear warfare here. Yeah, there it is. We got a lot of them. Joshua.

Zach Hill

That’s awesome, dude. I love it. I love it.

Troy Wojewoda

Yeah.

Zach Hill

Oh, now Zoom is going crazy with everybody chiming in there, so I gotta scroll up. Sorry about that. No, can you explain again why a firewall? Oh my goodness.

I’m sorry.

Troy Wojewoda

No, you’re fine.

Zach Hill

I was trying to read this question, but so many people are putting stuff in Zoom that the window keeps going down. Sorry. Anyway, can you explain why a firewall cannot see the compromised traffic and only an external NSM can view or capture that compromised traffic?

Troy Wojewoda

Yeah. So in regards to the actual PAN-OS compromise itself, the firewall, so whether it sees it or not, whether it was being recorded.

Right, so what was happening with the firewall was that it was a zero day exploitation on the GlobalProtect feature within PAN-OS.

And what was being exploited was a cron job; there were a bunch of things being exploited, but one of the primary things was a cron job that was using Python to do things, and that Python was then being executed on the threat actor’s behalf and sending data out. On the initial cause, I believe what Volexity first saw was that the firewall wasn’t recording that activity, because it wasn’t set up to record it itself.

It was recording the log activity that it was designed to record, so there was some limited traffic recorded in the firewall.

So you saw, for example, the web logs would be recorded that showed IP addresses, but with all your other user activity that kind of blurred, and you didn’t get the details in the web logs of whether or not anything was being successful.

I believe one of the exploits used an injection technique. So it was requesting invalid resources from the web server itself, which was writing to the web log in a way in which the exploited cron job was then reading the web logs.

And then once it would do that, it would then get the commands that were actually being injected into the web logs, and then also deleting and purging their activity in the web logs right within the firewall.

So even if you were pulling the web logs off of the firewall, the threat actor was actually purging the web logs, sanitizing them, before those logs could get exported out to your SIEM.

I mean, it just goes back to, if you’re dealing with a compromised host, a system, a firewall, a workstation, a server, it doesn’t matter; if that system is compromised, how much can you actually trust what’s happening in there?

Yes, you’re going to get some valuable data out of there, but having that high-ground approach, you can see, okay, we’re seeing activity that’s emanating from this device that looks like successful connections, but the device is telling me nothing’s going on.

So having that high-ground approach is extremely critical to being able to discover stuff like that.

Zach Hill

Thank you, sir. I just want to throw a friendly reminder out there also. We’ll answer a couple more questions, but at the end of our Anti-Casts, every Wednesday, we do an AMA.

So if you have the Zoom application installed on your device, at the bottom of your screen you’ll see a button that says Breakout Rooms. We will join a breakout room here when we’re finished.

And in that breakout room it’s a very open-ended kind of ask us anything. So if you have questions about cybersecurity certifications, your journey, or questions about Antisyphon, join that AMA.

It’s again very open format. Everybody is welcome and it’s kind of a good time for everybody to connect and network with one another. So definitely check that out if you’re interested. But I’m going to get back to you.

A couple more questions here if you still have a few minutes, Troy. Thank you, sir. I just lost it again because now the screen went away again.

Sorry. How much of the telemetry can you get from NetFlow? Full packet capture generates huge volumes of traffic. Is there a way to capture NetFlow and trigger FPC when needed?

Troy Wojewoda

Oh, that’s a good question. So there’s no way to trigger an FPC, like a full packet capture, after the NetFlow has been generated.

But what you could do is you could have something where you have a full packet capture solution, and say it’s set up so you can only retain it for a couple of days.

But then you have something like either Zeek or NetFlow that’s also kind of seeing the same data, and then if certain conditions are met you could trigger to say, this stream, this flow, go into the full packet capture and grab it out of what’s already been collected and pull it down.

So that would be one way. But if you’re just dealing with the NetFlow itself, you’re losing the context of the full packet capture. You could start with the full packet capture and generate NetFlows, for sure.

But once you lose the context you can’t get it back. The NetFlow data will show you source and destination IPs and ports, the protocol. It’ll tell you when the flow started, when the flow ended.

So you’ll get a duration, you’ll get data sent and received, so you get an idea of the directionality of the flow. So one thing you could do with NetFlow, if you’re looking at, say, your perimeter and that’s all you had, you can look for large transfers of data from that perspective, but you would only see this many bytes went in this amount of time.

but you wouldn’t see the actual like data itself.

Zach Hill

Thank you, sir. Are there free full PCAP capture tools, or do they just tcpdump to disk?

Stenographer was what I remember using. Is that still a thing?

Troy Wojewoda

Stenographer? I don’t know if it’s still maintained. Arkime, which I reference here, is a full packet capture solution that looks like it’s still being updated on GitHub. Security Onion, I believe, has some capabilities of doing full packet capture as well. And then there’s commercial solutions. I’m not sure exactly if Stenographer is still maintained.

I know it started off as a Google project. And then really, I mean, I’ve rolled my own. You can actually Google “full packet capture, roll your own.”

Derek Banks is another analyst that works here at BHIS. He actually wrote a paper on how you can roll your own full packet capture. And it’s just using tcpdump, and then in a way in which you can then roll the packets, like every minute or however you want to roll them.

Wireshark does, and TShark, its command line equivalent, has the capability of doing that as well. But if you were going to do something that was going to be more, say, operationally reliant and not just if you’re just messing around. Actually I give this example in my class as well. If you’re in an environment, say an OT environment or something where you just need to do a very tactical capture,

Wireshark can definitely be used. Bring your laptop down to the data center, find that SPAN that’s going to have that traffic, and then there’s ways you can configure it to write the PCAPs every so many bytes or seconds or something like that,

so that you can maintain it. But if you wanted an actual robust network security monitoring stack, I would definitely look at either doing something with tcpdump, or looking at some of these other open source tools like Arkime or Security Onion.

Security Onion does some interesting things and I don’t track everything that it does. But for example, one of the things I know it does with Zeek is it’s configured so that when Zeek sees an executable file transferred over the wire, Security Onion is configured to extract that executable file out of the network traffic and onto disk.

So you don’t typically see a lot of legitimate executable files being transferred over the network, and so that’s one of the things that you could look into. And Zeek has the capability of doing it itself.

It’s just you have to kind of get it out of there. I go over that stuff in my class about how to actually extract file objects out of captures with various different tools and approaches.

But again, Security Onion has a lot of different things you can do and I think they even have classes too, and I would definitely encourage you to check those out as well.

Zach Hill

Thank you, sir. Is a VPC flow equivalent to NetFlow in traditional networks?

Troy Wojewoda

Yeah, but for AWS. Yes. Yep.

Zach Hill

I’m trying to pull up your class here really quick so I can share it with everybody. But if anybody has any other questions for you, is there a good way to get a hold of you?

Troy Wojewoda

You could try Discord. I tend to get lost in Discord, I’ll be honest. I don’t know if it’s like ADHD or I’m allergic to Discord. If I’m not responding, I think hitting up some of the more active Antisyphon folks.

They know how to get a hold of me. If you really do need a question answered, LinkedIn is a good way to get it. I do have my Twitter there at Wojiblaze, but I’m not a very active Twitter person either, unfortunately.

Awesome. Sometimes my free time is getting away from all the digital things.

Zach Hill

Right? It’s so nice sometimes to just touch grass. It really is. It is awesome, man. I know we got asked if you got anything else coming up. Do you have anything else planned that you’re gonna be joining us for, training, webcasts?

Troy Wojewoda

So, yeah, training coming up in December, early December. I have another webcast coming up at the end of December, right before Christmas. I’m still debating on what I want to do with that.

I might do some cloud centric talks for that. But just stay tuned because I haven’t decided what talk I’m going to do yet. But me and another colleague are working on an incident response class for Azure and 365.

And so that’s something that’s coming next year. It’s in the works. We’re still developing it. But spring of next year we’re looking at doing an Azure and 365 specific incident response and forensics geared class.

Zach Hill

Awesome. That’s exciting to hear. And speaking of your training that’s coming up in December, we haven’t even announced this yet.

We’re still getting a couple things together. But one thing is live for this: in December, on December 4th, we are doing a Secure Code Summit.

So I just put a link in the chat for Zoom. So if you guys are interested, you can definitely go over to Zoom and sign up there. We’ll have more information released in the coming weeks about this event.

But Secure Code Summit December 4th, and the following two days, on December 5th and 6th, we’ll have training there as well. So it’ll be live training that you guys can attend and Troy’s class will be there.

So if you guys are interested in learning more with Troy, your next opportunity will be our December Secure Code Summit. So stay tuned for that. There’ll be a lot more information coming.

We’ll be back here again next week, same time, same place, and we’ll be joined by Andrew Krug. And as always you guys can go to www.poweredbybhis.com; that will give you a listing of everything that we have coming up for live events.

So go ahead and check that out. But until then, Troy, thank you so much for being here, sharing your information with us, man. It’s always appreciated.

Troy Wojewoda

Thank you, Zach. Good seeing you. Ryan, likewise.

Zach Hill

Awesome.

Troy Wojewoda

Everybody, thanks for coming. Thanks for attending.

Zach Hill

Thank you, everybody. And if you are interested in joining the AMA, I’m going to head into that breakout room right now. So we’ll see you over there. And for everybody else, see you next week.

Take care, everybody.