This webcast was originally published on May 14, 2021
In this video, the speakers discuss the effectiveness and accessibility of free and open-source Endpoint Detection and Response (EDR) tools. They explore the recent developments in the space, highlighting how these tools are now more accessible to smaller organizations due to their cost-effectiveness. The video also covers the potential of these tools in improving incident response and endpoint security, emphasizing their importance in the cybersecurity community.
- Endpoint Detection and Response (EDR) is now accessible to smaller organizations due to inexpensive and powerful open source solutions.
- EDR solutions are capitalizing on recent developments to provide enhanced security measures at lower costs.
- The shift towards open source EDR tools represents a democratization of cybersecurity technologies, allowing broader access and utilization.
Transcript
John
All right, let’s get started. Thank you so much, everybody, for joining. Once again, a special thank you to Jack from Darknet Diaries. If you’re just joining us or you’re looking at the recording, please look at our YouTube channel.
There is, in fact, a full kind of breakdown of Jack being on our show, and we greatly appreciate it. And if you get the opportunity, please subscribe to Jack’s podcast.
So, this is one of those BHIS webcasts that really is spinning out of the training classes that we’ve been doing.
Specifically my classes, with the Intro to Security and then the Intro to Security Operations Center Analysts, and then also the cyber deception, because everybody’s kind of getting into, like, how can we actually lock down the endpoint, do incident response on the endpoint, and be more effective at detecting and reacting to attacks on the endpoint?
And there’s been some recent developments in the space that I think are incredibly powerful for the community. And by powerful, I mean they’re inexpensive. It’s kind of like this is now opening up to the masses.
It’s not just an issue of buying something like Carbon Black and Cylance or whatever and spending hundreds of thousands of dollars on that solution. There’s actually some really good open-source and free EDR solutions that are out there that we can actually take advantage of.
Now, if you notice, I’m not at the studio. I’m not at home. I’m actually on the road with my kids. They’re at a ski race right now. So I’m coming from an undisclosed remote location in Bozeman, Montana.
So I apologize a little bit for the quality of the video in the background, but it is a very nice shade of brown. Also, I don’t have another system with the Discord server app, so I’ll probably just go through the questions and ask Jason and Deb to interrupt me with any questions they think are really good for this particular webcast.
We have quite a bit to actually get through in this webcast as well. Why are we here? Free and open-source tools in the area of endpoint detection and response: is that the holy grail?
Because if you’re a small organization and you’re trying to implement a security policy, you may not be able to afford these tools. We’re going to talk about salespeople and pricing here a little bit later, but suffice to say, they’re generally really expensive tools.
Also, in this particular space, there is free, and then there is free. And what I mean by that is that old adage, there’s free as in beer, and then there’s free as in speech.
With some of these tools, whenever they talk about it being free, a lot of the vendors are using a very interesting model of trying to get people to use their products, which I think is really a good idea.
The more you can get your tool in the hands of people and then they start using that tool and they get trained in that tool and they get used to that tool, then that’s the tool that they’re going to want to use.
I’m not going to be able to demo all of them. There are some of them that I just didn’t have time to set up a demo for. And honestly, if we’re looking at a one-hour webcast, I’m going to hit two.
I’m going to hit Velociraptor and I’m going to hit Elastic. I might show something from Comodo, maybe, but I have screenshots from that as well. I want to do a shout-out and apologies to some vendors, but I have to clear some things up.
Whenever we announced this webcast earlier this week, whenever Jason and Deb sent out the email, I got flooded by all of these different EDR vendors. They’re like, Mr. Strand, we would like the opportunity to talk to you about our product before your webcast.
Our product, we believe, is best in class. And, we really think it would really be a good thing for your viewers and your team to really get a chance to be exposed to what our product is doing and how our product is doing things differently.
So an apology to those vendors for not talking about your tool. I’m not going to do that. And I’ve got to be honest, with a lot of our webcasts at Black Hills Information Security, most vendors cringe whenever they find out that their tool is talked about in one of our webcasts, because it’s usually like, this tool is broken.
This is how you bypass that tool. And it’s not something that you really want to throw up like a signal flare and get on our radar. Right?
And no, with our webcasts, we don’t try to use our webcasts to sell things. Well, most of the time. Right? So I have to do an apology, because I know that there’s some vendors on this webcast, and they’re like, oh, I hope he talks about our tool.
I hope he talks about our tool. You really don’t, you really don’t want us to do that as a whole. So what the hell is EDR anyway? And I kind of start out with this question because in the industry there’s this constant push to try to redefine things, right?
Because if you can come up with a new definition, like for years it was next-gen firewall. Well, cool. If you can be the first to plant the flag in that term, then you own it, right?
Or who’s the first to actually define things, like the advanced persistent threat, the cyber kill chain, Lockheed Martin trademark. There’s this big push to constantly come up with new terminologies and new definitions.
And EDR is really no different. Every single vendor is working to arc the definition of endpoint detection and response to be what their product does, right?
So years ago, really one of the only vendors that was in this space would have been Carbon Black. Tripwire would have been in that space as well.
OSSEC has been an open-source solution for a very long time. But honestly, Carbon Black was probably one of the first major vendors that we started seeing showing up constantly in our customer space.
And really the promise of Carbon Black back then was it was going to be a black box flight recorder for your system. So if something went wrong, you could jump into that computer and then you could see exactly: this network connection was started by this process, which was begat by this process, which was begat by this process.
And it was good. They could tie all that together and they could put it in a cool little graph. And it was amazing, really. Carbon Black had that market cornered, I would say, for probably at least four or five years.
They were really one of the first major vendors that were able to inhabit that space and take ownership of that space. And the reason why is a lot of the traditional antivirus vendors were caught in this cash cow quadrant, whenever you’re talking about products and innovation.
And what I mean by that is if you’re McAfee and Symantec, if you go back, let’s say 10, 12 years, you had the market cornered for antivirus. McAfee and Symantec were the vendors that you saw everywhere.
Eventually you started seeing Microsoft Defender come up, and it was garbage for a long, long, long time. And they were just dominant. You wouldn’t see anything other than those two vendors.
So there was absolutely no reason for those two vendors to actually innovate at all. They just didn’t have to. If everybody’s buying your product, there’s no reason for you to innovate.
Just keep pulling in that money. That’s your cash cow. So really, Carbon Black had a good run, and then they actually bought and merged with Bit9 for endpoint protection.
And right about that time, roughly, you started seeing things like Cylance start to pop up. You started seeing CrowdStrike start to pop up. And for those particular vendors, there were some wins in the industry that were extremely beneficial for those particular vendors to take traction and then take off.
Mainly, the era of ransomware hit. So if you look at Cylance, you look at CrowdStrike, really what drove those products is that they were really better, a lot better.
And even Carbon Black, once they got Bit9, was much, much better at being able to stop attacks like ransomware attacks and actually tell you what that ransomware attack did.
Because Carbon Black and CrowdStrike and Cylance and all these different vendors, they really started tying together basically the EDR stuff that Carbon Black was doing in their product, because they could innovate.
The investors weren’t looking at it like, oh, we’re making lots of money, let’s just keep making money. They were looking at how can we actually be disruptors in this field? So you had a lot of these vendors in this endpoint protection space start implementing EDR-like functionality where you could start tracking what an attack actually did.
Did they move laterally to other systems? Because you can’t just go in and displace McAfee and Symantec and say we’re better. Once you could start showing security teams we’re better?
And by the way, I can show you, this process went, made these network connections, asked to access these systems, went to this IP address online. That’s it. People were just opening up their checkbooks.
But this gets into one of the problems that exists in the definitions today: does it include prevention at its core? I would say the original definition of endpoint detection and response doesn’t include prevention.
If you’re looking at tools that we’re going to show, like Velociraptor, that doesn’t include prevention. If you look at Carbon Black with detect and response, they’re actually breaking their product line up into two separate roles.
When you’re looking forward into the future, it is absolutely going to incorporate prevention. It has to. Why would you run a product that’s just going to do detection and incident response and not have the prevention attributes of it? And for many of the vendors it’s baked in.
If you look at SentinelOne, you look at Cybereason, you look at what Endgame was before they actually became Elastic. It really was trying to pull that whole entire package together and incorporating that prevention aspect as well.
But this also is now moving into new spaces, because if you’re in the EDR space and you’re an investor and you’re looking for products to invest in, and like on one of my next slides, I’m going to show you a bunch of vendors.
You got to still have that differentiation, you’ve got to have that edge. And now we’re getting into the security orchestration, automation and response. How can we automate incident response?
By and large, I don’t know if someone’s saying something, I just heard a mic open up. All right, I’ll keep going. By and large, a lot of these vendors, whenever you’re talking about SOARs, it’s pretty much, I don’t want to say garbage, but it’s the same crap that we’ve been sold for the last 20 years.
We’re just going to automate security because we can totally do that. You can with your general run of the mill malware, but you generally can’t with a targeted adversary. But they’re trying to develop these new things and then you have extended detection response.
Palo Alto really pushes this quite a bit, trying to tie together what you’re seeing on the network, what you’re seeing on the firewall, and what you’re seeing on the endpoint altogether into a unified security overview.
Out of all these, I would say XDR probably has a better chance of being a thing. Like I said, security orchestration is something that people have been trying to sell us, trying to get working for years.
And it sounds great right up to the point that you destroy a mission-critical system or you lock an executive out of their computer, and all of a sudden automation doesn’t sound that good anymore.
So that’s setting the stage for the history of EDR and where we’re at with some of the definitions. And the other thing to remember is a lot of the vendors that are out there, they would disagree with me.
They would say, well, Mr. Strand got this completely wrong. And what we think this EDR space is just so happens to be exactly what our product does.
So you’re going to see that a lot. And one of the things, whenever you’re looking at vendors on this particular slide, that a lot of these vendors have in common with each other is they are expensive.
They’re not only expensive, but there’s huge variations in their cost structure. Some of these vendors, for customer one, whenever I’m looking at our customers at BHIS, let’s say that they’re charging $100,000 just as a base set dollar amount, and then I’ll find another vendor that is doing something similar for this similar-sized company that’s $200,000, and then one that’s $75,000.
And then you have some of the vendors, they’re selling somehow to some people, like same sized company, like almost a million dollars. So your pricing on these different vendors is ridiculously different.
There’s this huge discrepancy in the marketplace on what these people are charging. And by and large, it’s not just based on market vertical, like saying we’re going to charge less to hospitals or we’re going to charge less to universities, or we’ll charge more to financial institutions.
It honestly looks like these vendors look at each individual customer and they try to develop a pricing structure that they think is at the maximum level that that customer will be willing to pay for their particular product as well.
So it’s all over the place, and it also depends on their payout structure for their sales teams, like quarterly bonuses, where they’re at with their quarterly bonuses. But I will tell you, I can talk about how some of these products are really just, they don’t excite me.
Like, RSA doesn’t excite me very much. Cisco AMP doesn’t excite me very much. But whenever you start looking at, like, CrowdStrike, Cylance, Carbon Black, SentinelOne, Cybereason, you’re really starting to look at these products where it’s very difficult to say that this product is exponentially better than all of the other products, or this product is twice as good and therefore justifies charging twice as much for that specific product.
So you’re really running into that huge problem with the cost associated with these tools, and it’s just all over the place. And they’re going to do everything in their power as vendors to try to tell you that their product is number one.
We’re number one for a variety of reasons. I don’t want to go into it for too much data or too much detail, but if you really want to spend some time digging into how these products stack up against each other whenever they’re comparing apples to apples, let me actually go to that.
And I bring this up in my classes quite a bit. Oops, there we go. All right, so let’s go back to APT29.
This is a good one. So any of these vendors, if you want to look at how they did whenever MITRE went and tested these particular products across the board, you can actually click on that product and you could say, okay, so for Cylance, what did they miss?
Right? And you can actually shut off some of these techniques. It’s not going to let me shut them all off. I don’t know why. Let me shut off tactic.
Weird. But you want to uncheck, you want to basically check off everything except MSSP and None. If something got a yellow or a very dark blue, it means it missed it.
I know that some of the vendors are like, no, no, no, we did just fine. We caught it just fine if they had to go to the MSSP. But the MSSP has a certain level of data enrichment at their MSSP that many organizations won’t have access to if they’ve just bought the product.
So I like to show this because you can see that. What tool did I click on? Cylance, for APT29. It missed initial compromise one, and missed collection and exfiltration, missed two, missed deploy stealthy toolkit, missed three.
And if we compare that to another tool, one that is quote-unquote free, like Elastic. Elastic actually did pretty well, I would say pretty comparable to how BlackBerry Cylance did in this particular example.
Now you have to be careful with this. You really have to be careful with this, because when you try to look at the tools through the lens of MITRE, you have to understand that they basically use Cobalt Strike and they use PowerShell Empire to actually model the attack techniques.
There’s nothing wrong with that. But basically what you find out is some of the vendors were better at detecting PowerShell Empire or better at detecting Cobalt Strike than other products, but they all missed stuff.
You can look at this as a way of level setting and saying, well, I want to see how well this really expensive solution did, with the only free solution that’s up here being Elastic.
The reason why they’re the only one that’s up here: I don’t see Comodo. Nope, Comodo is not part of this one. But the only reason why Elastic’s here is because Elastic does do EDR and it also does prevention.
You wouldn’t put Velociraptor in the mix here. You might add Wazuh in here, possibly, because they do have some detection capabilities and some reaction capabilities.
But by and large, if you can look at how the commercial products did versus something that was free, you can find out apples to apples from a comparison perspective as well. So that’s really helpful to kind of break this down.
But the thing that’s interesting is every single one of the vendors that was part of the MITRE ATT&amp;CK evaluations, if you go to their websites, they hail the MITRE ATT&amp;CK evaluations as if they won, right?
They’re like, well, our product clearly was better than every other product that was used, and that’s total garbage, right? I think that there were absolutely clear losers, right?
There were some products and some of these evaluations that did incredibly poorly. But there was no one that’s like, this product is head and shoulders better than everything else.
And usually the products that did really well were also the products that did really well against Cobalt Strike and PowerShell Empire. So you really can’t trust the vendors and how they’re going to spin these things.
You really have to start digging in and developing a better understanding of what these products do. And I think that that’s why it’s so important to get into the free and the open-source solutions.
To give you an idea of that apples-to-apples comparison, because you may not be in an organization that can afford Cylance, you may not be in an organization that can afford CrowdStrike or Palo Alto.
So what are you left with? Right. Are you basically going to go to your management and say, we’re going to get hacked and it’s going to hurt, it’s going to be real expensive? No, you still got to come back and say, okay, we’ve got to secure this.
How are we actually going to secure this with the tools that we have at our disposal? And hopefully at the end of this webcast, you’re going to have some pretty solid tools that you can use in your environment to help lock things down.
Why EDR? Why would we do this? Why would somebody want to have that type of tracing? Because incident response is a nightmare without it. Still to this day in SANS and in my classes, and when I left 504, we teach how to do incident response with built-in command line utilities on Linux and Windows systems.
The reason why we actually boil it down to those core utilities is because those are always going to be there. Those are always going to be tools that are there.
But I got to be honest, if we’re doing incident response, if you have one of these tools in play, wow, it makes incident response so much better. Just picking on SentinelOne.
We had a gig that Jonathan Ham and I were working on, and they actually had SentinelOne on a handful of the systems and they didn’t have it on a bunch of other computer systems for incident response.
Just going through SentinelOne, it was super easy to say, okay, well, it missed this particular PowerShell execution, so we can still do a search on that. Found it. Okay, great, here’s all the systems that have that executable that ran in the past couple of days.
Awesome. The other systems, it wasn’t so good. To actually find that level of execution, Jonathan had to go into Zeek data, look at SMB communications, see all these systems were talking to each other, correlate it, and found out the domain controller was compromised.
It got a lot more difficult because we had to bring other tools to the table. So it makes incident response so much easier. You’re going to see why. Also with EDR, and unfortunately in some of my examples, it’s like onesie-twosie systems.
But when you’re dealing with EDR, you can actually query across multiple computer systems for a specific detection. If you have an executable hash or you have a YARA file that you can create, if you have a unique novel attack that hit your organization, you can quickly go to your EDR and you could do a search across the entire organization for that executable, for that DNS entry, for that file hash, and then pull that back, that correlation of that attack data.
That’s actually good threat intelligence. As much as I rip on threat intel feeds, if you’re a threat intel analyst and you learn how to take intel that’s on your organization or something that’s hot off the presses, and you can convert that into a search to look across your entire organization.
That’s actually really solid use of threat intel because you’re going to base it on what you see in your organization. If you’re just buying it and you’re trying to search for things, that’s what your antivirus does, that’s what your firewall does, that’s what your web proxy is doing.
They’re constantly taking these deny lists and doing a lookup. But if you find something novel in your organization and you see it execute, well, now as a threat intel analyst, you can say great, within our EDR, I can do a search on that particular process mutex, and I can see if there’s any other processes that have that same mutex string, and we can do that search as well.
Also, a huge reason why this space exists is Windows logs suck. They’re just horrible. Not Sysmon, Sysmon is fine. But by and large, if you’re trying to do large-scale incident response, if you’re trying to look at file hashes and you don’t have Sysmon, good luck.
You’re screwed. If you’re trying to go through and pull DNS entries from local computer systems, yeah, that can be very, very difficult. And just going to the event logs doesn’t necessarily give that to you.
But if you have a good EDR in place, you can actually do a search for those particular network connections and those DNS settings as well. So why free, open source?
Well, to be honest with you, and once again, I’m going to make some vendors very mad. I love my emails the day of a webcast because it always happens, like today, that they get really, really, really frustrated.
I just realized that I have Discord here. There we go. It’s really funny to me, if I say something that’s inflammatory against, like, some types of vendors, those vendors contact me.
So I hate vendors that don’t have free or open source products. Can’t stand them. I’m sorry. It just makes me very, very angry. Because they want you to spend hundreds of thousands of dollars on their product, right?
But at the exact same time, they don’t give you any type of proof whatsoever, right? It’s like, well, just spend lots of money, or they’ll give you a trial. And I’m going to show you the trial I love from, who is it? Comodo.
I’m going to show you the trial in Comodo where they give you access in an environment, and it’s their environment, completely controlled, and there’s some subtle psychological games that they play here.
We got a question: “Possibly the wrong place to ask this, but how do you set up a free EDR as a means to put out fires? How do you position this as evidence management? Is it worth investigating and better tooling?”
I’m going to talk about this a little bit later because if you can implement a free tool and you can utilize that free tool, it really helps set the stage for buying a commercial tool because now you have proof, right?
Like we can run this free tool. This is what it’s giving us. And more importantly, this is what we get if we actually start purchasing a commercial tool as well. So very cool.
I can actually see questions. I just realized it’s like my alerts are showing up on my phone. I’m just like, I’ll just set this right here so I can see questions. So if you want to ask me a question, just @strandjs in Discord in the BHIS live chat and then I’ll answer the question.
Otherwise you all are talking to each other as well. I’m going to talk about Google’s GRR. Google GRR and Rekall have kind of, like, stalled a little bit, and I’m going to talk about Velociraptor instead.
So we’ll get to that here in a couple of seconds. But yeah, I hate it. Like, if you’re a vendor and you’re not giving back to the community in any way, just get out.
I mean, I know that that’s exceptionally harsh, but it is something that you should be pushing our vendors on. “MSSPs and free EDR is not a good combo.”
No, absolutely, absolutely. You can run free EDRs with MSSPs. You absolutely will be able to get that as well. And yes, the slides will be available as well.
So let’s go through. If they don’t have free and open-source tools, I just get frustrated and I get angry. How do we know if it works? Well, we get a really cool GUI, a trial in their environment, or they just pinky promise you, I swear that it’s going to work out as well.
Another question is how the heck do you parse syslog files from an OpenWrt router? That’s getting very specific. I’m going to recommend RITA again, Drogi. The next webcast I do is going to be talking about how to set up RITA and set it up in your environment without a SPAN port as well.
So I’ll talk about that. Many companies can’t afford full solutions, and that’s something that I’ve learned with our pay-what-you-can training. If you’re just joining us, I do pay-what-you-can training for Intro to SOC Analysts, which is core security tech skills, and then Intro to Security, just basically going through and diving in.
And this is the eleven things that you have to do to secure your environment before you do any of the other things. And we set up that training as pay what you can because there’s a whole bunch of small organizations out there that just do not have the funds to do that.
This class and this webcast is actually part of that as well. And also remember, throughout all of this, you’re not paying for what a commercial tool does.
You’re actually paying for what the commercial tool, or you’re paying for what the free open-source tool, does not do.
If you’re looking at these free tools, there was one of them, I was using one of my customer environments that was a commercial tool, multiple hundreds of thousands of dollars, and I wanted to throw my keyboard at my computer screen using it.
Yep, RITA without a SPAN port. That’s coming up. So that is going to be a webcast you can run on any home network. So you really just kind of, you get very, very frustrated with the commercial tools.
And I remember sitting on a call with a representative of that particular product because I was like, I must be doing something wrong. This tool must have the ability for me to be able to quickly search for this particular executable executing across this entire environment.
And I had the vendors tech support person get on the system with me or we were doing a screen share and I told him what I wanted it to do and I showed him that open source tools do this.
And he basically told me I didn’t know how to do incident response. And it was funny because he actually was like, honestly, you really don’t know how to do incident response. If you don’t understand how this particular tool works, then I recommend that you actually take an incident response class.
And I was just like, then you start to wonder, right? You start to wonder, maybe, maybe I’m missing a step here, but there’s certain things that, like, Velociraptor or Wazuh do that some of the commercial tools don’t do as well.
And Freddie, Friedoun or Fredun, we’ll get you a link for the free and open source, or the free, not free, but the pay-what-you-can classes. We’ll get you that here in just a couple of seconds as well.
So one of the first ones I wanted to talk about is OSSEC. OSSEC is probably the one I’ve been using the longest out of all these different tools.
It’s been around forever. We used to use it all the time for rootkit detection on Linux computer systems. It’s just an amazing tool.
I used it, like I said, on Linux systems and then even on Windows systems. As far as the detections, they have OSSEC+ and then they have OSSEC Enterprise. I’ve had no real experience with OSSEC Enterprise, but honestly on Linux it does a pretty solid job as well as being able to detect some of the things.
Now it specifically focuses on looking at logs and some key files. That’s one of the things that it really rocks at on Linux, because Linux will actually give you some somewhat useful logs for things that are happening with people su-ing to different accounts, failed login attempts, and things like that.
But it was really just awesome to work with it for a long time. I haven’t used it recently, like in the past four years or so, because, somebody just put it in the chat, exactly, Wazuh really takes OSSEC ultimately to the next level.
And I would recommend actually going to that as well. Also, some additional things about it that I think are important: it can be intimidating to get started.
It's not all that bad, because if you actually go through and you look at their website, it actually looks like the teams have forked. There's still a group of people that are contributing to the OSSEC website, and there's people that have gone over to Wazuh.
I don't know the politics of that at all. I don't want to get into it, but this is one of those tools I have to mention. One of the things I wanted to talk to you all about was, the book on OSSEC is the worst-selling security book in history.
I'm quoting Andrew Hay, who is one of the authors of the book. And it's not that the book is bad, the book is amazing, but OSSEC is actually really easy to get installed.
And that was one of the reasons why it's not really a huge seller. But it's one of my favorite quotes from Andrew. He was presenting at a con, and he said he was the author of the worst-selling security book in history whenever he wrote about OSSEC.
Also, their website, they have this huge aversion to screenshots. They don't like it at all. So Wazuh is kind of like a fork, and they kind of lend into each other, right?
And I love the name because it goes back to those beer commercials. Anytime I hear anyone talking about or, like, put in Wazuh, I'm always like, "wazza!" And I just think that that's how we should all refer to the tool.
And I'm hoping someday to present and have, like, one of the authors of Wazuh in the room and just look at their eyes whenever I refer to it like that.
And then see their soul die, right? And they'll probably come up and they'll tell me I'm mispronouncing it, and I don't think so. I don't think so at all. So originally, one of the more badass inventory systems that was out there for a long time.
It had a really cool kind of SQL command-line interface to be able to query processes and network connections across multiple different systems. And that was really cool. Boy, did it grow up.
You look at it now and it's got this amazing ELK stack interface, and it's just probably one of the cooler tools now.
One of my regrets is I don't use Wazuh. In my intro to security class, I actually use Velociraptor. Velociraptor is amazing.
It does a great job. And one of the reasons why I don't use Wazuh is it requires an ELK stack to get the full-featured capabilities. I have nothing against ELK; it's just my VM for the class is already something like 16 to 18 gigs for students to download.
So I'm really trying to slim that down a little bit and try to pull that together. It's cool, but it's not something I have in my classes yet at all.
It is easily one of the most talked-about tools in any of my classes. People are constantly bringing up this tool, with good reason.
Here you've got your Kibana dashboard for Wazuh. It talks about vulnerabilities. I think that's one of the cool things that it has baked into it: it actually has the ability to basically look for vulnerabilities on your systems.
Is it going to be as good as running a Nessus scan? No, but honestly, who cares? In my classes, my intro to security and intro to SOC analyst class, Mad Hatter, we run Velociraptor as well.
It actually does some vulnerability analysis out of the gate, which is neat, but this isn't, for me, the coolest thing. Even if it's doing mediocre vulnerability management, which I'm sure it is somewhat mediocre, it's still better than not having it.
You have it running on your systems, right on the actual endpoints themselves. You can actually look at missing patches for things like Google Chrome.
It's like, Windows, Google Chrome is missing this particular patch and it's a high vulnerability. It allows you to more continuously get a vulnerability report on your systems as well.
Additional thing: malware detection. Absolutely solid malware detection. They have their own rules. I don't think they're using the Sigma rules, or they're using some variation of the Sigma rules, but they do a pretty solid job, not necessarily of picking up malware execution.
Somebody keeps asking me if I'm ever going to run an incident response class like SEC504. No, I'm going to stick with the three I have: intro to security, intro to SOC analyst core skills, and then the cyber deception class.
So if you're interested, we'll get you a link to my cyber deception class as well. But no, I'm not. There's no way I think I could develop a class that's as good as SANS 504, because SANS 504 is awesome.
And they do just a fantastic job. And Josh Wright is one of my best friends in the whole wide world, and his class is great. So check that one out. All right.
So with this, you have the ability to detect, and I don't really think its detection of malware is as good as Cylance or CrowdStrike.
But what it seems to do really well at is a lot of the post-exploitation things. If you get malware on the system and then all of a sudden it starts using wscript or rundll32 in weird ways, it does a very, very good job of actually kicking this up and running it.
How many of these work on Mac OS X? OSSEC does, and Wazuh also has agents for macOS, as does Velociraptor as well.
A lot of these tools, Gitzmeister, will actually run on OS X as well. Just very, very, very cool stuff. A lot of them do. Now, the one that got me really excited about Wazuh is its ability to actually look at security vulnerabilities in containerization.
It actually can look at Docker and it can see what your Docker containers are doing, which I think is really, really super cool. And it's one of those areas that even the commercial EDR vendors aren't really getting into.
They aren't even getting into the space of actually looking at Docker and some of those virtualized container platforms as well. Question was, how does this impact the performance of a system?
By and large, not that much. I was actually surprised. If you're actually running something like Elastic's free endpoint EDR,
whenever I got it running, it took like 2 seconds, and it's like, it's running. And I was like, okay, it doesn't seem to be running. Then I tried to execute malware, and I started getting these alerts, and I was like, stop trying to run malware.
And I was like, okay, it's working. I was seeing the alerts showing up on my dashboard in Elastic. So, incredibly lightweight. Whenever they execute Velociraptor in my class VM, and I'll show you that class VM here in a second, it will actually impact the system and the class, but that's because we're running the server and the client on the exact same system as well.
Just some really cool things. The whole idea of container and virtualization security, it's that new frontier, and it's really cool to see Wazuh actually there and getting it running.
Like I said, I would run this in my class if it wasn't for the fact that I had to run an ELK stack to get it to run, because my classes are designed for people that are relatively new to computer security.
They may not have really powerful computer systems. I had one of my students in one of my last classes that was actually running it, and I found out he was running Windows XP.
And we can laugh, but he was a student in India. That was literally the best system he had that he could just work with.
Velociraptor, this is the one that we use in my class. And some people were talking about Germany. There was somebody that mentioned Rekall a little bit earlier.
A lot of those different people like that you don't have to run ELK; you can feed it Splunk. I said, they're really underpowered systems. Come on.
That doesn't help me at all. Velociraptor is very cool. Going from initial setup to actually pulling the data is, like, stupid fast, like really fast.
So my students actually build the entire Velociraptor server, then they set up the client. We'll get you a link for RITA here
in this particular query thing here in just a couple of seconds. But Velociraptor is very, very quick. osquery I would put more in line with Tanium, like a free version of Tanium, where you want to inventory and query across multiple systems very quickly.
So I wouldn't put it in the full EDR category quite yet. I would put osquery more in that Tanium category. So there we go.
All right, so a very, very solid tool. And it's by the people that brought us Rekall. And I've talked to people that say that they're running Velociraptor on 10,000 nodes, right?
I just... wow. That's usually where you start to get to where you need to spend money, is that concept of basically scale.
So whenever you start getting to that scale and you're looking at over 5,000 systems, a lot of these open source solutions just start falling flat on their face. If you look at some vendors out there, like, I hate to call them a vendor, but they are.
If you're looking at Security Onion, Doug Burks and his team, they absolutely scale Security Onion at ten gig network segments. It's that cool.
That's a vendor that I know for sure is running at scale, between one to ten gig networks, for the network detection and response. And I've seen it and it works, and it works really, really, really well.
Velociraptor, like I said, I've heard people running it on 10,000 nodes, and that's pretty cool. They brought us Rekall and they had some people from GRR, so they kind of know what they're doing.
And the other thing that I really like about Velociraptor is it feels like it's written for me, like I'm a tech geek. This is a tech geek tool. That's awesome. So let's do a quick demo.
So this is like, I have the instructions on setting up Velociraptor. This is what we run in my, I think it's intro to security class, where you basically... oops, let's actually go to Velociraptor.
There we go. Let's go Velociraptor. Enter the SOC. There we are. I don't know why there's a picture of a girl eating an apple and cringing.
That's a bit weird. But we actually... is that an onion?
Jason
It’s an onion.
John
Okay, we're moving on. We're moving on. In all of my classes, we're consolidating on a single platform. We run everything from Windows Terminal.
And all of the labs are built in basic... all the labs are built as just an HTML file on the desktop.
Within Windows Terminal you can basically spin off and you can run PowerShell, you can spin off and you can run Ubuntu. I've got Windows Subsystem for Linux running too, version two.
You basically follow the instructions and it's all set up within this one VM in the intro to security, intro to SOC analyst core skills, and also the cyber deception class.
So you set it up first, you just configure and generate the configuration for the server. I love how they're using the exact same executable for the server and for the client, just amazingly cool things. You go through, you configure the server, you configure a user for the server, then you start the client up and it's just basically running the exact same executable with the config YAML that you created.
And then you're in. Lucky for me, I've got the Julia Child thing where I already have the pie done. I'm like, oh hello, here's the pie, we've got it. It's running inside of Velociraptor.
A couple of cool things that you can do. One of my all-time favorite things in any one of these tools is the ability to very quickly run commands on that system.
I can say I want to run, let's say, cmd.exe ipconfig, like that. Then I launch it and I can queue up a whole bunch of different commands, and then I can look at the output of those commands as they're actually queued up, which is great.
You can do command PowerShell, and on your Linux, Unix and Mac systems, you can run a full bash command prompt on those computer systems as well.
For interrogation, you can actually create these hunts across the environment that are pretty solid. If I click plus, I can give my hunt a description like that and I can say what does it actually include?
Like, what systems do we actually run it on? I want to run it everywhere on every single system. I can break my systems up by labels, so I can have systems that are in Aurora, Colorado, I can have systems that are in New York.
I can break up a variety of different categories and I can exclude systems by labels as well. This is useful because whenever you're doing a hunt with an EDR, it isn't just looking at a single system.
You want to be able to run this on multiple computer systems in unison. If you select the artifacts that you're going to collect, these are the core artifacts that exist.
And as you can see, we can pull things from Mac OS X, Linux. Generic is cross-platform across these different systems. So it can be like Generic Pstree.
So I'll do that one for this one. And then you go down and then there's Windows, right? So Windows, I can say Active Directory, check for BloodHound evidence, evidence of execution, Firefox history, IIS logs. I can basically set up
these are the things I want to collect, from Kerberoasting to PowerShell, bulk extractor, do a search on a specific file name, look in prefetch, and so on. Then you can configure the parameters of your individual script.
You can review your script. That's what's going to execute on the target system. I can zoom in on that, so I can say start request, artifacts: Generic.System.Pstree, specs: artifact Generic.System.Pstree.
And when it actually expires, and it's for the webcast, and then you launch it. Oddly enough, when you launch it, it doesn't launch it, which is a small gripe,
but you have to actually select it and hit the play button, and then it's going to run that specific hunt, and it takes a while for it to execute, and then it pulls those results back.
Then you can download the results for these different things, and you can download them as CSV, you can pull them down as JSON. CSV is really, really solid if you want to pull it down and then load it into a database and do some threat hunting in a database, which is really cool.
You can also look at an HTML output of these different results that have executed. And I have some examples up here.
So this is just a ps list or ps tree where I can see what processes are running on these individual computer systems. And then what is the process execution for this process?
You can see that services.exe begat svchost, which begat wininit, which started services, which started svchost, which started wininit, which started services, which started svchost, which actually got down to, which I like to call it "lasso", but whatever.
Then you have Local Security Authority Subsystem Service, you have all these different things. This is prefetch. I was able to download the prefetch for some execution on this particular computer system.
And you could download it in a nice little HTML report. Most of the time this is nice for actually looking at the results. But most of the time what you're going to end up doing is you're probably going to download it as a CSV file, and you can make it fun. Very, very cool things that you can do.
You can also look at the file systems on these computer systems. I should have a file system loaded. You can actually go into and do some searches on the file system.
You can actually check the recycle bin on these particular computer systems and then do some syncing on these different folders as well. So really, whenever you're looking at, for me personally, the way that this tool is built is, it honestly feels like, it just feels nice.
This is the way I would want my tool to actually work. But once again, that probably has a tremendous amount to do with the fact that it's written by people at Google that do incident response all the time and they don't know anything about incident response.
Just like I don't know anything about incident response. Is there a limit? Yeah, whenever you're looking at the output for the HTML CKJ, it actually is limited to 100.
But that's why you would import it as a CSV and then you could basically do analysis on your own as far as spreadsheets and stuff. So yeah, McGivens is saying, I've heard it from a number of people, it scales to like 10,000 systems.
That's not the first time that I've actually heard that. Right. That's amazing. So let's talk about vendors and free open source. This is a trend that I like.
I like this trend. And really, if you're looking at Comodo and you're looking at Elastic, they're honestly leading this charge. And I have this picture: proudly sucking at capitalism.
I think that some of these companies, they actually get it. The more you get the product in the hands of people, the more they're going to use it, the more they're going to want to use it at work. They're going to start paying for it.
So JSN asked if you can pull the file with Velociraptor. You can, that's right here. If you go into the file, you can actually download the individual file or directory and copy it down locally.
So you can do that. And by the way, Velociraptor has some really solid training. So if you like this, please, please, please do me a favor and check out their training as well. So yeah, proudly sucking at capitalism is basically where you're giving things back as much as you can, and somehow your number one goal isn't profit, and yet you make money.
It's weird. If you're looking at Comodo and Elastic, they're putting their products in the hands of people and they're really trying to get more people using their products and using their endpoint products, which is going to sell more Elastic licenses and so on, and the same thing, less
so, with Comodo as a whole. All right, so Elastic, formerly Endgame. I like the name Endgame. I don't know why they didn't stick with the name Endgame.
It was a good name. There was nothing wrong with it. Now they have the Elastic security agent. I'm a little bit heartbroken by that. That's just whatever. But yeah, one of the cool things about Elastic is almost everyone uses Elastic.
Many of the commercial tools that we've talked about, they use Elastic. And Endgame was a solid EDR. I mean, if you go back to the MITRE evaluations, honestly, Elastic did great.
It did really well. And if you're running on a system that has Elastic running, it does a good job at stopping malware. And I know that there's ways to bypass that.
Right. But they do about as good as anybody else. So all the cool kids are using Elastic, and now they just give their Elastic agent away for free because they want those sweet, sweet ELK licensing fees.
ELK is so cool. Even Amazon uses it. And I know that that's a pretty harsh joke. At this point, I think there's people that are still reeling. Elastic is moving to a much more closed model than an open source model.
And they're blaming Amazon because Amazon is going to fork it and make ELK do what Amazon wants it to do, which is a bummer. We're going to have to see how that actually plays out over the next couple of years.
Let's see how it works. Which one works best with Security Onion? Security Onion, you can actually have it with Wazuh, where it's sent to Security Onion as well. All right, so the install is stupid.
I think that that's one of the biggest things that a lot of vendors are missing: how do you make your product available to people, and how do you actually make it so it's super easy to get set up?
It's like getting people hooked on crack cocaine. Right. So if you want somebody to get hooked, you've got to make it easy to get that hit. Right? And Elastic does that.
Jason
Yeah, you went down the crack cocaine route.
John
No, I'm not. I'm not going to talk about... I'm not. We're not going to talk about schools.
Jason
Okay. All right.
John
Thank you very much for clarifying and keeping me on the shiny path. I appreciate it. So the install is stupid simple. Like, once you get it set up, you can enroll agents in your fleet.
What you do is you download the Elastic Agent and then you basically run it with this command-line invocation, and it gives you an enrollment token.
With that enrollment token, basically the agent automatically goes and talks to the centralized server. The server registers it with that token, and then it configures that as a service on that system to constantly talk back to your Elastic server, back home.
Now, for my installation, I actually set it up, and it took me five minutes between the time I set out to do this to the time I was actually stopping attacks and getting data from Elastic.
Oops, let's go here. I have that here. This is the security aspect of Kibana. You've got detections. I only had one host.
Honestly, it took five minutes to get it up and running. And it would be easy to push it out to an environment via Group Policy.
I think it would be just stupid simple to set it up, but it has all of these different rules that exist. Let me kick this up a little bit more. Let's go to 100 rows, maybe 200, 300.
Jason
But,
John
It has a pretty good list of rules, and they actually work, which is interesting to me, that these rules work and they work as well as they do.
So if we go back to the detections, I may have just froze it up. Nope, there we go. If I go back, let's say, let's go back seven days ago, I have a couple of different detections that I ran where I was executing trustme.exe.
And you can see the malware prevention alert. If I want to get the details for that, I can basically open it up, look at the table. It's going to give me a full rundown of what that particular executable was, what its name was, and down below you're going to see trustme.exe is what actually ran on this particular computer system, what user executed it, when it executed it as well.
What was Apache HTTP Server was created by Metasploit. Then today I was just playing around and I tried to run Netcat, and Netcat was fired off, and it actually detected that as well and stopped it.
So really easy to get it set up and running, and it gives you that visibility into the endpoint very easily as well. I'm kind of falling behind, so absolutely
check out Elastic. If you're looking at anything, you should be running Velociraptor if you can't afford anything at all. But if you can afford to set up an Elastic instance, get in Elastic and set it up and running, you can go from no EDR to a full Elastic EDR with prevention, and you can do it in less than five to ten minutes.
And that's just really cool right now. OpenEDR from Comodo is interesting because they're actually open sourcing their full EDR solution. And that's gutsy, right?
That's really, really cool. Didn't see this coming. I didn't see this coming at all. And if you want to make your product better fast, this is a good way to do it, because you're going to have tons of people contributing to the project as well.
Once again, solid detection and EDR capabilities. One of the cool things about Comodo EDR is it actually has a local log file. You can use, like, Winlogbeat to pull the data off of that file as a log file, or Filebeat, and then shoot that into your Elastic instance.
Pretty straightforward to do. It's just a simple flat file. Works better with their server infrastructure, kind of. Honestly, it's funny, they have their full commercial solution that they have, I think it's called Vulcan.
And it works really, really well. I honestly think the sections that are built around this open source EDR are better than the other parts of it, like where it's doing file integrity checking and doing a lot more heuristics.
I honestly feel like a lot of those are just garbage. But once you get into the EDR section, it's really solid, because it looks and feels like an ELK stack.
Yeah, it can absolutely integrate into an ELK stack very easily as well. Now, mad props to their marketing team. I want to see if anybody can see the problem here.
By the way, the tutorial, if you go, Taz, to the setting up Elastic quick start guide, it's literally, you follow the quick start guide and you're up and running in five minutes.
Seriously, their website is that good. So does anybody see the problem here? Dragon. Yep, it's Dragon. Sorry.
Might be getting confused with their file analysis tool. So I love this. And this isn't just like... this is hilarious when you see this. So if you're looking at file detection, it's kind of hard to see what's actually going down here, but it says, what's the process path?
The process path that executed was splunkd. So this is on their website, right, for their marketing. Right.
So somebody had asked, vpoops said, is there anything in Sysmon, a tool that'll upload hashes to VirusTotal? That tool is called DeepBlueCLI.
DeepBlueCLI by Eric Conrad. We'll do that as well. But here, I've got it. I enhanced it, right? So we've got it: splunkd. Now, when I saw this, I was like, oh, that's rich, right?
But if you get access to their whole demo instance, which they got me hooked up with, and they were showing it to me, and really, really cool. In their demo instance, they have this whole entire Marvel universe of systems.
It's almost like Rob Lee from the SANS Institute set it up, because it's all comic book characters. The Black Widow system, if you're playing around, you dig into the malware.
It says Mimikatz execution. You're like, okay, Mimikatz. I want to research that. Well, what's executing Mimikatz? Right down your Program Files: Elastic Agent, Metricbeat.
So it's like absolute shots fired, like Splunk, and shots fired at Elastic as well. So it's not just like this one-off thing. It's like, literally kind of core to what they're doing as well.
So, as I said, these are some tools I hope that you get some opportunity to play with. Right. If you're looking at pure free, look at, like, Wazuh and Velociraptor, right?
If you're going to have to play free, play with Wazuh and Velociraptor, I would strongly encourage you do that. Now, if you actually want to kind of get a little bit into the vendors that are in the game of giving out their product for free,
I still think Elastic, this company, this process path company, I think, is still doing better than Comodo. But I don't want to completely shut the door on Comodo, because that's awesome.
Like I said, I personally prefer Elastic, but if somebody was like, well, I prefer Comodo, I'd be like, okay, I guess that's fine. I'm not going to argue that at all.
I would love to see more vendors, by the way, move the route of trying to do this open source and free tools. So whenever you're looking at companies like Security Onion, they do an amazing job.
When you're looking at companies like Thinkst and Canary, they do an amazing job. And now I put Comodo and Elastic on that. And I would encourage you, I would encourage you strongly, to basically put these companies that are putting the products out there first and foremost, and really give them an opportunity before any of the other vendors out there, because maybe, just maybe, we will be able to push these environments and these companies to actually start doing more open source.
So somebody just said they have 30,000 hosts. Wonder if Velociraptor will hold up. And Friday said it will. So there you go. What the hell? Give it a shot.
What do you have to lose? If anything, you're just going to smoke a server, right? It's just cool. And I would love it if marketing directors would go through this presentation and they'd be like, what?
We need to give away our stuff for free. I know that Harvard MBAs at their company are going to say, well, no, we can't do that, because that's not the way capitalism works.
Focus on our profits. So, yeah, it's just... what about Comodo's effectiveness? It's actually really solid. It's really, really solid. Found a representative from Insight that was able to offer me a ten K deal for 100 agents on Carbon Black.
That's crazy. So, all right, so that's the end of the official part of this presentation. Okay. That's the end of the... Yeah, Jason, what do you got?
Jason
I was just saying, that is the end, correct? We are in overtime now. And so, John, do you want to keep going overtime for a little bit?
John
I think we're going to go overtime. I think we're going to go overtime.
Jason
So if you need to head out, we're going to answer some questions. We're going to talk about some open source versions of Backdoors and Breaches for a few minutes. But if you've got to go, go. We'll see you on the next Black Hills webcast.
John
In addition to Backdoors and Breaches, I have something else I want to announce after you're done talking about it. I do. It's a big day. I'd have to say it's probably one of the biggest webcasts we've done ever. So stick around. If you've got to go, go.
It's all recorded. Jason, I'm going to stop sharing my screen. Do you want to talk? Because we're going to have a webcast about these open source Backdoors and Breaches tools.
If anybody is out there and they want to build their open source Backdoors and Breaches environment. I love Elon Musk's quote, "most likely we won't sue you," but we don't really care if people are scanning our cards and keeping it all in and kind of coming up with variations of our game.
And what we have done here, it's not like we're going to go and do something crazy and stupid like create an incident response version of Exploding Kittens. We're not doing that. We really don't want people to do that either.
So, Jason, what are you going to show us? And then I've got to take it back before we actually close out. This is the end of the webcast, folks. Jeff, it's over.
Jason
We'll answer a few more questions, maybe, but Deb's going to give you presenter status. So Deb's going to show us the Tabletop Simulator version, and we're giving you a sneak peek into what we're going to start working on. This is available for you.
So if you want to go into Steam, download Tabletop Simulator. I think it's like $19.99. None of that money comes to us.
John
That’s not what this is for.
Jason
But you can do a ton of stuff inside Tabletop Simulator besides Backdoors and Breaches. So you may be like, this is amazing, I didn't know this existed. But once you get Tabletop Simulator, then you can do a search for Backdoors and Breaches, and then inside there is the whole game.
It is the whole game. And anytime we make updates to it, anytime we release expansion packs, anytime we do new consulting cards or new attacks, we will include it in the Tabletop Simulator version, and then it'll get pushed out to everybody.
So you all get that as well. So I would suggest, I would...
John
...suggest searching for BHIS and not Backdoors. They set that up with our company name inside the simulator. That's awesome.
Yeah. You didn't even know what we were doing, John. No, I didn't know that they were doing that on the simulator with us. That's really cool of them. I do wonder, now that you pushed us away from Backdoors and Breaches, now I'm wondering what the hell comes up when you search those terms, because you're on your own.
It's not sanctioned. You're on your own. Shut up and take my money. That's free.
Jason
So if you notice too, there's a green card. And the green card, if you've ever played Backdoors and Breaches, that's going to come out in the expansion pack. So we are going to print one more expansion pack, and that's going to give you the ability to do consulting cards.
We're going to have lots of consulting cards. What it's going to look like, demo in about a month or so. We're going to have a full webcast to talk about all the open source solutions that are available to play Backdoors and Breaches.
So it's free. If you want to start doing your own, like John said, if you want to create your own, and then inside the Backdoors and Breaches Discord channel, you can set up your own games.
You can play with other people. We're going to start live streaming using this. We're going to bring people on so that we can play Backdoors and Breaches with other people. And we're going to use Tabletop Simulator so you can see how it all works and how it all plays.
John
Now I want to call out, if you're a security team and you feel comfortable joining us on Discord and playing a game of Backdoors and Breaches with us, we would love it if you would do that.
We want you to anonymize who you are. Like, you can use your Discord handles, you can wear masks. In fact, I'm going to encourage people that we play Backdoors and Breaches with... I want to get real teams to play Backdoors and Breaches.
And I would like them, like, to wear masks or something, obfuscate who they are. So you can see real incident response teams play the game and how they communicate this stuff as well. So if you're willing, contact us on Discord and say your team is willing to play, and hopefully we can set you up in a future Backdoors and Breaches webcast.
Jason
And so we're excited about this. We want to thank Cypher. Cypher is the one who built a Tabletop Simulator version like a year ago. And he was one of the first people that we reached out to and was like, hey, can you tell us more about this Tabletop Simulator?
And he was like, please don't sue me. And I was like, oh, no, no, no.
John
Fantastic.
Jason
Yeah, we just want to know how this works, how you built it. And then we're like, can we hire you to help us put all this together? And so we ended up hiring them. And then some other people reached out and said, hey, I built an open source solution too, for my own internal use and for my teams.
Is that okay? And we're like, can you please show us? And then they showed us and they're like, again, like, you're not going to sue me, right? And I was like, no, no. And we didn't. And so they're all available now.
John
We should, if we ever do a conference in Vegas, or actually we're going to do one in Reno, we should see if we can get a table on the floor and play the game and be like a dealer. That'd be awesome.
Jason
Ivan just said, can I use this during an (ISC)² chapter meeting? 100%. You can use this in your training classes, you can use this in your organizations, you can use this anywhere you want to use this.
You can use this version or any of the other open source versions. Just go do something. All right, Jonathan, turn it back over to you.
John
All right, my turn. So I’m going to make myself a presenter, show my screen, go back to my slides. So this is the point where I just basically want to tell you all, I’m going to try to sell you something.
We suck at this. We’re not very good at this. I’m going to try to sell you something and I’m giving you an opportunity to leave. The webcast is over.
We’re done. Yeah, you can go too, right? You can go; the webcast is over. All the important things about learning and the open source stuff, we are now done.
But I’m going to try to sell you something that we do at BHIS. I don’t do this very often. I’m not good at it. I suck at it. Once again, it’s okay. You can totally leave if you want.
That’s fine. I’m hoping to see these numbers go down because I got. No one’s leaving now. They’re just leaving.
Jason
Everyone’s staying. They’re all ready for the pitch.
John
I hate it when there’s a sales pitch at the start or it’s slipped into the middle. I don’t like webcasts and a bait and switch. It’s like, that sounds good.
And then some jackass sits down and spends 15 minutes out of an hour trying to sell me stuff. And I never got a chance. I was like, I’m like, trapped. It’s like you step in a bear trap. It’s on your leg, and you’re like, trying to saw your leg off as quickly as.
But you have, like, the sunk cost fallacy. You’re like, no, I probably go to, how long can this guy go?
I’m really committed now to this. What does this happen? And also it’s anathema, when we say probably sucking at capitalism, we’re one of the few podcasts and webcasts that continues to have people show up.
And I think it’s because we’re honest with people. We give value. But I’m transitioning into the fact that I am, like, going to sell you something. And seriously, I’m not offended at all if you don’t stay, like, honestly, are we down now or are we still sitting?
I think people are joining.
Jason
We lost seven people.
John
Our attendance has gone up. All right, so here we go. So what I’m announcing on this webcast is, BHIS is starting up security operations center services.
Jason
I should know this, right? I thought you knew this.
John
Yeah. So I’m waiting for my slides to show up. Oh, that’s great. PowerPoint. It’s like, no, this doesn’t even work on this computer because it doesn’t.
Jason
All right. It did go down by eight people. All right, keep going.
John
All right, there we go. And what we’re doing with our security operations center services, and by the way, you can totally leave. We’re working and partnering with SOC Prime for log analysis.
We incorporate training. Your team gets free access to the Antisyphon Cyber Range. We build cyber deception into our SOC because I think most security operations centers or managed detection and response groups need to have cyber deception right now. One of the only ones that I know that does this and does it well is Binary Defense.
Binary Defense and Dave Kennedy’s team do a great job. The other thing that we’re going to do is, and this is weird, but all of the security operations centers and managed detection and response products that we see, almost all, there are some really good ones out there, they suck and there’s a certain level of failure.
And we built our SOC around this idea that it’s going to suck and it’s going to fail, which is, once again, I’m not very good at this, so stick with me.
Okay. And what we have done is we have built red team simulation and emulation into it. I’m actually going to change this to emulation. I’m sorry, Bryson, but emulation, emulation is going to be part of it, because we believe that you have to go through and emulate attackers again and again and again.
Do this monthly or quarterly, find where we missed things, where the telemetry can be improved with our customers, feed that back into SOC Prime in our log analysis and be able to start detecting it.
So we’re making an assumption that we’re going to miss stuff, right? And around that assumption that we’re going to miss stuff, we’re going to test constantly to find the stuff that we missed so that we can continuously get better in our customers organization as well.
So that’s red team emulation. Also, AC-Hunter is part of it. So network based detection is baked into it as well. That’s actually very much a core thing.
And then also we do full Active Directory review with tools like PingCastle, PlumHound, and some of our custom things as well. We’re trying to get into the security operations center game.
The reason why I basically stayed away from getting into a security operations center aspect of BHIS for years is I didn’t want to be beholden to one EDR agent, I didn’t want to be beholden to one vendor.
Almost all of the security operations centers that we saw out there were horrible. And I didn’t see a lot of people that were doing it, quote unquote, right. And why in the hell are there still 1,100 people on this webcast?
So the point is, we’re trying to do something different. We’ve got a handful of customers, we like what we’re doing. We think it’s pretty cool. SOC Prime has been amazing.
Even if you don’t want to use our services, if you want somebody to help tune the hell out of your SIEM, talk to SOC Prime. Those guys are very, very, very good. It’s incorporating all the things we’re best at: cyber deception, doing red team operations and then automating that, and then doing network threat hunting with AC-Hunter.
So that’s our announcement. If you want to find out more, just type in questions inside of GoToWebinar. Not in Discord, but inside of GoToWebinar.
Just type in demo and we’ll contact you and we’ll set up a time, so you can just type that in the chat window. Just type in demo and then you’ll have your email, and it’s not on Discord where everyone can see who you are and what you’re doing, but just type in demo and we’ll get a hold of you and we’ll talk about it and we’ll kind of show you what we have.
So like I said, we’re really excited. Go ahead, Jason.
Jason
I got three comments from GoToWebinar. One, is this a 24/7 SOC?
John
Yes. And it’s weird. Oh, go ahead.
Jason
No, go, feel free.
John
I was going to say, so you have MSSP, you have SOC, you have MDR, all of those different things are rolling together into different terminology. So security operations center is the most well known term across the industry, but for the hip cool kids, it’s probably much closer to an MDR, managed detection and response.
Because we aren’t in the game of just collecting all of your event logs. We’re not going to collect all of your event logs. We’re specifically going to collect the event logs that are directly related to detecting attacks.
One of the reasons why we’re doing adversarial emulation with tools like SCYTHE and Atomic Red Team and we’re doing network threat hunting and doing the Active Directory review is because in so many security operations centers, the analysts are just sitting there waiting for the alert and then they react to that alert.
And we want to be able to have it be much more interactive for the SOC analyst to dig into the network, to do emulation, to learn red teaming. And what we see happen with all of our systems administrators at BHIS, not all, but a good number of our systems administrators, if they’re working with us on systems administration, security operations center for protecting BHIS, they get really, really good at offensive things and then they pop into being a pen tester, and if they get really, really good at defensive things, they pop and they start doing forensics analysis work.
So we want to make sure that people have career paths to be able to move from the security operations center analyst into where they want to go. Because we have people now, they love working in Elastic, they love working with logs and all these different things, and they’re happy to stay where they’re at and we want to keep them there.
But if people want to move into other things, we want to give them the opportunities to do that. So our primary goal for this is to break even, which is funny, because I had one of my friends that runs a SOC, he’s like, you’re getting into this.
How do you expect to make money? And I’m like, I don’t. It’s just something cool. We have customers that are interested in this service. We’re already doing it for a number of them. And, it just seems like something fun to complement what we’re doing on the red teaming side.
All right, so next question.
Jason
I would just recommend if people want to get hired, I’m not saying you have to come to my job hunting live stream, but it may give you some tactics and techniques to go.
John
To his live stream. It’s great. The live stream is awesome. Do you have a link? Can we post that out for people? Joking aside, I know that people, we kind of joke about it, but I think it’s probably one of the most important live streams for people, especially when Covid hit and a bunch of people lost their jobs.
And how many people has your live stream helped find jobs so far? Now, Justin?
Jason
56 that we officially know of. Like, people have come back and said we landed a job because of the things that we learned on your live stream. So we think there’s more, but 56 people have come back.
We bring a bell for him. Like, it’s right here. This is the actual bell. We ring every 10 seconds of.
John
Every.
Jason
Time the bell rings.
John
Time marches on. But, no, I really do think it’s one of the coolest things that I say. We, Jason and Deb, have really run with this.
It’s one of the coolest things I think I have seen on the Internet is helping people out, and I love it. Jason, whenever I’ve been on a couple of times seeing people giving each other advice and tips, like, my favorite one was somebody said they wanted to work for company X.
Somebody was working at company X and they said, no, you don’t want to work at company X. I work there now. A lot of pain.
Jason
So, so we’re getting a lot of questions about overseas and.
John
Oh, yes. So eventually, this all is like pie in the sky garbage stuff, right? If our SOC continues to grow, we end up getting a number of customers.
We are planning on opening up places overseas and trying to get an office in Europe. And if there’s only somebody who was fluent in language in Europe and maybe knew people in Europe, I don’t know, but maybe a country like Italy would be a good place to have some security operations center also.
I’m very interested. There’s a couple of people we’ve been talking to out of New Zealand, and my wife and I are like, we need to open a BHIS New Zealand office.
But no, we’re definitely looking for. We’re not going to discriminate against people because they’re overseas. Because I think that I hate shift work where people. It’s like, your shift is going to be from 08:00 at night until 06:00 in the morning the next day.
It’s like, that’s not. We’re not. We’re not Morlocks, right? We’re not troll people. Like, people have to have normal hours, so there will be international.
Any other questions?
Jason
Is this legally under BHIS or is this a separate SOC?
John
Nope. Legally, this is under Black Hills Information Security. I’m not starting another company for this. I’m gonna tell you, I am planning on starting up another company in Spearfish. They upped their parking tickets in front of our office to $15, which isn’t that big of a deal. But if you don’t pay within ten days, they send you to collections and it hits your credit score.
So we’re going to start a company called Black, or, sorry, Spearfish Parking Sucks. It’s a C corp. And we’re going to have all of our cars licensed in that. So if we don’t pay our parking tickets for 30 days, it’ll hit our credit.
But who cares? It’s a company that’s just there to get parking tickets. But we’re done. We’re done starting, like, any new businesses. So this is going to be under Black Hills Information Security.
Jason
All right? And then I wanted to be very clear. Someone asked, would you offer an internship with pay or without? We pay every intern.
John
Every intern gets paid. Every single intern gets paid. I’m horrible with interns. I need to do better. I do nothing but disappoint the hell out of interns. They’re like, I get to work with John Strand every day, and then they don’t hear from me for months, and they talk to testers and they’re like, is this how he is?
People are like, yeah, pretty much. He just kind of disappears for long periods of time. So we want to get better at our intern game, but, yes, if you do intern with us, it’s paid.
And we are always looking for interns that work really, really hard and are self directed.
Jason
So we have an intern page right up on the Black Hills website.
John
Yes, there is one. I will post it.
Jason
Yeah, officially, we got requests to be an intern so often that we dedicated a landing page on the Black Hills website.
John
I think that’s enough for today. Like, the tabletop exercises and the webcast and releasing a new service. And I even sprang this on Jason and Deb. They didn’t even know.
I still find it really odd that there’s 1,015 people. I appreciate you all hanging out. I appreciate you all being part of this.
And if this is your first time, welcome. And check out our pay what you can training. Check out our paid training. And I’m just going to say welcome to the family.
Jason
All right, everybody, thanks for joining us today for this Black Hills Information Security webcast. We had Jack on for the pre-show. There’s so much today. Make sure you join us for the news that happens also.
But, if you ever need a pen test or now a SOC, where to find us.