Red Team Summit CFP now open! Register Here
Shopping Cart

No products in the cart.

What’s in the Box?? | I.R. Summit 2024

This webcast was originally published on July 19, 2024.

In this video, the speaker discusses cybersecurity strategies for small businesses, focusing on cyber deception, Sysmon, and the ELK stack. They explore practical, low-cost solutions to help small businesses defend against cyber threats effectively. The video also includes a hands-on demo of setting up Elasticsearch and integrating various security tools to enhance incident response capabilities.

  • The majority of businesses in the United States are small, with 90% having nine or fewer employees.
  • Cybersecurity measures like Sysmon and ELK can be leveraged to provide low-cost security solutions for small businesses.
  • Using older computers to set up cybersecurity measures like elastic stack can help small businesses maintain security without high costs.

Highlights

Full Video

Transcript

James Bierly

We’re going to talk about what’s in the box. We’re going to look at some things that are related to helping the smallest of businesses. Quick intro about me. founded secure point solutions, about five years ago.

We have customers as small as one user, that is getting 24/7 services all the way up to, 100, whatever.

I’ve been working with managed service providers and small businesses for a while. prior to that I worked for HP, Microsoft, Dupont, pioneer for, sysadmin work.

And then even before that, I was, I had no idea what I was doing with computers. I was deleting my system 32 folder or, deleting my TCP IP stack, because I didn’t know what the heck I was doing.

Yeah. but I’ve learned a little bit, so we’ll see if everything holds up here. All right? and then, of course. Oh, there we go. Okay. Why does the talk matter?

So, 90, percent of businesses in the United States actually have nine or less employees. Most, it providers won’t help them, unless, they’re willing to pay a higher minimum.

that actually is 13 million businesses. So these are coffee shops, your kid’s dentist office, the, the places down the street you’re, maybe on your, county square, whatever the case may be.

so I talked about this last year at the blue team summit. This is going to be a little more of the technical side because I said let’s do cool stuff.

Matter of fact, here’s me saying, let’s do some cool stuff when I talked about it last year. and the one that we’re going to talk about here is we’re going to talk a little bit of cyber deception and then we’re going to lean into Sysmon and elk.

And actually, Sysmon is great, but we’re going to talk about, some things that are, actually a little more available now that there’s no real cost.

So. All right. To kind of level set things the way that this is ir process, how sans shows it, and this is all well and good, the preparation, all those neat things, but here is the reality.

And, I’m going to warn you real quick, I am not one to really have a lot of transitions, but I felt that the next slide was super impactful. So don’t be mad at me, please. All right, so the ir process for most of the SMBs, and these are things that I’ve heard straight to my face from clients.

All right, there’s your preparation. Bought computer. Okay. Had a weird pop up. Getting worse.

When is bitcoin? I’ve actually had to drive 2 hours, before they became as common to a bitcoin atm so that I could pay a ransom for a customer that was joining with us, or wanted to come on board with us.

Oh, yeah, he’s home from college, so he’s going to come over and wipe the computer out. And I’m loving to see the shocked reactions because I think that’s more important than the funny ones because this is a real problem.

Bill sun moved around the icons. Now I can’t get to google. That’s to the google. that’s a common thing. And then they don’t know what to talk about. Okay. So, and I am actually, I admittedly am a little bit scatterbrained right now because my company has just taken on in the last week two separate, email compromises from people that were not our customers.

The, we have, we have people that know us and they reach out to us and say, hey, I got a company. Could you help them? And the reason that these small businesses are coming our way is because most incident response starts at 25,000 or more.

There may be companies that do it for less. We’re able to do it for less. because in some cases the difference in paying 25,000 or just closing up shop or maybe just having to tell everybody, hey, we don’t know what happened, to your data.

we’re sorry. So, we’re, we’ve been working with two of them where we didn’t have any instrumentation, until we get into the 365, we didn’t even know if the audit logging was turned on.

All right, so we’re going to talk about the black box, what it’s called. So, for those of you that maybe know about this, they’re actually internationally orange.

and there’s two of them on most airplanes. So, typically you have the aircraft recorder and then the cockpit voice. different models are built to, have up to 25 hours of data for those really long flights like from London to Australia.

And then also while they sit on the tarmac, things like that. They’re designed to withstand a huge amount of extremes.

3400 g’s, like, was pretty impressive to me. so they use it to reconstruct crashes and other incidents. So how can we do this for cybersecurity.

So, a little mindset on this. so if no one reads your blog or reads the logs, is any of it actually being logged?

there is a large percentage of companies that you would help out with, in these situations that might only really be worried about recovery and reporting.

and then insurance and actual incident response teams will thank you for having this kind of information. there was an old blog post, and I could have swore that it was from, dragos that had said, had talked about how they responded to an incident, and they built a raspberry PI, running elk, or probably more like the hunting elk.

But, that kind of caught me by surprise. I’m like, oh, tiny little box could help save the day. So here’s where I’m bringing this to you, the community.

we all know you have an older computer, and we all know that there’s probably a small business that you frequent that maybe helping them out might, might, be worth your time, your talent, and your treasure.

so grab that old computer. your significant, other will thank you. If you get it out of the house, slap, whatever you like, ubuntu.

anything, that really matters in that regard. you could go docker, you could go bare metal. But what we’re looking at is we are going to build a, an elastic stack.

So here’s the things that I like about elastic. Our company actually, we have built our own system on top of elastic.

the elastic itself. It’s free, it’s really well documented. elastics, actual documentation is quite verbose. most people know it.

They’ve done it in a class, they’ve done a lab, they’ve done try hack me. They worked somewhere that had elastic, and then tons of integrations and tons of integrations that, that you can still get at the basic level.

so why not doing this in wazoo? Security onion, that’s fine. I I think security onion in a lot of situations would be overkill, especially if it’s a company of five people.

But I, If it’s what and it’s what you’re willing to invest your time into, great. The other side to this is, remember, what we’re trying to do is we’re trying to go back to, and I do hate going back time and slides, but it’s needed.

We’re trying to get closer to the top of this process. We’re trying to identify, we’re trying to maybe contain, so we can do those things with something like elastic.

We can do those things with security onion for sure. But also the one thing that this IR process doesn’t really get kicked off until someone who is actually a responsible ish adult says hey, we have bad select, we have an incident, we have alerts that we don’t understand.

oh, so many of those. Okay, so if you like Sysmon, great. Sysmon is it’s one of those things where every time you look, a new version comes out and it gets better and better.

So no problem, use, what you are good at. But again, remember, you’re providing this as sort of the, again, it’s the black box for when things go sideways.

All right, so we’ll talk about endpoints a little bit here. again, we’re trying to keep this as low cost for businesses as possible.

so if a customer, if a small business, if they’re not already using like a 365, or they don’t want to pay for a bigger, the higher end licenses.

Microsoft defender antivirus is great. It works. the old days of security essentials are long gone.

It’s already baked into windows, so your business wouldn’t have to necessarily, go out and download their own thing. if you pull up av comparisons, and those run either month to month or quarter to quarter, defender seems to stick it out pretty well.

what I really like is that we can collect logs from it. There’s this whole 1000 series of logs that are baked into your logging that you can pull.

You could actually, if you set up your black box, you could maybe set up an alert that says, hey, if event id 1006 goes off, maybe send me an email, maybe send the business owner an email.

Because we all know that AV is only as good as if somebody that actually notices that it caught something, if it caught something and says well, I quarantined it.

Well, did you? We don’t really know until we’ve actually maybe looked. You might have quarantined part of it. Canary tokens. I love canary tokens. I love, the cyber deception thing.

I know that there’s people with anti siphon that would agree, the tokens, the folders, files, whatever it is, they’re great.

Both for an outsider attacker that has maybe gotten a foothold on the network and starts poking around, but also an insider threat. I’ve actually dealt with a couple different incidents that they were, they ended up, it started maybe as a security incident or we were brought in from a security incident standpoint, but it ended up turning out that it was embezzlement, or theft of company, finances.

So having a thing that says financial reports and it looks all official from the outside, that might be a good way to catch someone, from snooping around.

a good friend of mine, he calls it pocket litter, because a lot of times we see, just like, one token in one folder, and that always looks a little sketchy, man.

Download as many as you want. Go out to canary tokens and or, uh.org and download as many as you want. Set them up to email to you, to the business owner.

Anyone. if you want to play around with a canary, as a honey pot, throw, it in docker. If your old computer that’s dusty, if it’s got a little extra horsepower, do it.

and I think, and one thing, and I know John, strand teaches a class on this, but one thing that I always took away from him is that a lot of the pros, the big time attackers, a lot of them, they’re really skittish about getting detected.

So it. I would imagine that if it. If an attacker gets onto a system and they start thinking, holy crap, I can’t honestly tell honey pot from regular, they may go elsewhere now, maybe not, but you’re, you’re, you’re not trying to make everything hundred percent effective.

You’re trying to create enough friction. All right? So doing stuff now, this is where things went off the rails a tadae.

because, me and my team had been working incidents, and I’ve been borrowing using up, virtual machines and stuff, both on my own machine, and I’m more than working from my home.

I’m remote. Remote. I’m in the hills of Missouri right now. So, we got the docker to work, but I didn’t trust it enough.

but the. I did, like, this docker version, this one that was set up, partly because it’s already on the eight, the v eight.

and also, it is set up with a bunch of the security settings on the inside so that they do communicate to each other, securely, but also their, it’s.

It’s less. Less of a risk of it, being compromised itself. so feel free to snag it.

if you find one that you like, I will definitely caution, do not get one that’s less than version 7.17, because the upgrade path from the sevens up to the eights.

It’s a, it’s a bit of a nightmare, so don’t recommend it. All right, demo. Let’s hope this works here.

All right, so we, are looking here at docker, or, sorry, at, elastic. And before we dive into this part, I want to show you they’re great about providing a ton of integrations, and they are, kind of, of all types.

we look at, like, os and system. Now, most of these, your average small business is not going to have them. they might have symantec, they might use one password, or you’ve maybe talked them into using one password, but by and large, these are free, even on the, normal, the normal subscription.

So you can, you can get some quality stuff, here. So, we were in the process of enrolling an agent, which I’ll demonstrate.

So, within the integrations, there’s one called elastic defend. a few years ago, elastic actually bought, endgame, and has baked their product into it.

And this, honestly, is, and can be just an EDR of its own. it has. You have tamper protection that you can set up.

it has. Let me see, find the right spot. You can set up your trusted apps. You can set up block lists, areas like that.

you can actually tell this if. Oh, you can actually decide the amount of fidelity that you want. Let me see if I can pull, this back up.

We already did it once, so it might. Okay, so here is, what you could do. So, we all know that the more you log, the more disk space you need, and things that we have to figure out.

So if you’re providing somebody, a small box, you’re like, I’m not sure how much this is going to hold. It might be seven days, it might be seven weeks. You can choose which level of collection you’re doing.

So a little bit of extra collection on top of av, some more machine learning type stuff, all the way up to full telemetry, edrhead, and, the ability to actually block.

So you can go in there and you can say, well, anything that’s a critical or a high, let’s just block it. they can call us and say, hey, we can’t get into this computer for some reason.

And you can go look at it later or have somebody look at it and you can find out, oh, hey, yeah, it got attacked, but it got isolated.

So we’ll dive back to here. installation is super simple.

and you simply add an agent and you would have gives you some options. Fleetwood allows the agents to communicate back.

You can run updates, you can slap an agent onto the system. apparently, my vm did crash, so that’s always great.

but we can do, let’s do a quick, let’s do a quick here.

this instruction does everything all the way from the download to probably going to help to do it in windows. Otherwise we’ll have a really, really weird response and it’ll ask, yes.

So as I said, we’re actually using, an instance, our own sim instance, just because the docker, has not played nice.

So hopefully, this one will play a little bit better. if we’re, if we’re going, so a couple other integrations that can be handy if you’re, if you’re, if the small business is already using Google or 365, well, you can enroll them as long as you enroll in the right one.

because there’s a bunch of them. Oh, there we go. Stop going away. Lots of Google platform.

Oh, my goodness. There. Okay, so Google workspace, and again, subscription requirement, the basic, so they’re free.

they walk you through how to set it up. You can do the same thing in 365. If, a small business says, oh, yeah, we use duo, well, pat them on the back and say, thank you.

And also say, hey, I can enroll your duo for you. Some of these are a little bit more, they’ll require the higher levels of subscriptions.

so don’t, don’t really worry about that. This is going to get you what I would. I hate to put percentages on it, especially when, when we’re working with small businesses, but in my experience, if you’re, if you’ve gotten to do like, MFA and you’ve provided them with something like this and maybe even added some of the automation, you’re, you’re 90% there with the problem and maybe more.

And, and usually that just comes down to, your customers or the clients, the small businesses, just what their use cases are.

All right, so it does say that it was successfully installed. Thankfully, something’s working today. so at this point, and for those of you, if you’ve, used this in the past, you can, you will see this.

Oops. You’ll probably have seen this stuff before. And so here we’re just going to look, you get a quick run of logs.

but you are now, like, if you’re doing this for a customer, you are now, gathering data for them.

You’re helping them help themselves in the future. So, I do want to dig in very quickly into the actual security part.

There’s rules that are built in. Oh, that’s, that’s what we can add. We can add rules. Everyone likes rules.

Add and we’ll do rules. Pre built security detection rules. Again, it’s basic. There’s like 1100 of them in here.

you can look at all the rules, but I would say turn them all on, it’s fine. And then set it up so that the ones that are real bad, like Mimikatz detected.

Yeah, you should probably just have the computer auto isolate itself from those things. so I’ve got a few minutes left here.

I wanted to at least open it up for some questions. Chris has a question, from Zoom says what sets off a canary token? I don’t know if you covered that or not.

Yeah, absolutely. most of the canary tokens that we would be talking about, they would be folders or files, an excel file, a word document.

These files actually, do, what the attackers are trying to do. It has a little piece of code that shoots back to canary tokens and then they trigger an email for you.

The idea is if you have a outside threat that starts stealing files, you’ll get detections because most likely they’re opening those files on their own machine or on a proxy machine that’s between the victim and the actual threat actor.

So. And you can fill them with garbage so that they’re not a two kilobyte file. You could fill it with garbage and most likely the attacker’s gonna see that and go, oh, crap, I think I just got, I think I just burned, some infrastructure here and they may leave.

You could also, obviously, you could take data. that looks legitimate, but it’s not like a bunch of made up credit card numbers, things like that.

you can also set off canary tokens if a website is cloned. fun fact, attackers are going to just be super lazy, so they’re going to copy all the code from one website and they’re going to paste it elsewhere and they’re not going to go through, that talk or that, all the scripting and all the HTML, they’re just going to copy paste.

Same reason why canary tokens, files actually work. Because an attacker, they want to know what this master password list is all about, so they’re going to jack it.

Eric Taylor

Does elastic have an AI assistant to assist the SoC analyst with handling true alerts.

James Bierly

Yes, it does. That is on the paid version, you can tie. So for like, our company, we tie, an AI into it, that we’re already paying for.

and it will kind of help you, through some things, from discord.

Eric Taylor

What recommended specs for headless box that’s doing this.

James Bierly

so I. That’s a. That’s an excellent question. I would say that the servers that we have been building, in testing this, we’ve been okay with a Linux box, four gigs, of ram, 30 gigs of, hard, drive space.

And then just kind of looking at that and determining how much logs are actually being, held. If your logging is way too high, you either need to log less stuff or you might need bigger storage.

Eric Taylor

Gotcha. Any recommended honey pots that you found beneficial?

James Bierly

so there is the open canary one. runs in Docker. Reason I love it is that you can actually change personalities just like the paid versions. You could have it set up looking like a server and then you could later change it and have it look like, a switch or something else.

There’s configurations. cowry is also a good one to protect from SsH attacks.

Eric Taylor

Gotcha. Last question. Any recommended configs for Sysmon? I know Ted mentioned the swift on security, which is a pretty good one. Any other ones outside of that one you’d potentially recommend?

James Bierly

there is the swift on security, and then I think, it’s olaf. I’m blanking on his last name. He has a good subset, and I believe his are kind of built into, like, you can almost modify or, or, m modify it on the fly.

But those are. Those are the two that I have used in the past and would recommend.