BSidesCharm 2018 will try something new that I am calling Lab Village. The idea is to offer hands-on technical labs for open source infosec tools and, at various times throughout the day, to have someone who uses that tool for a living show how they would solve the exercise. It is extremely difficult to explain in a generic sense how to tell when an assumption you made is incorrect, but in a specific situation it is significantly easier.
We need volunteers to build hands-on labs and to do live analysis. If you are interested in helping, please contact me on Twitter or email Forgotten ForgottenSec com!
My dream is to cover the major open source DFIR tools like:
- Snort/Suricata IDS
- Bro IDS
- Autopsy/Sleuth Kit
- Wireshark/Network Miner/Xplico
- Windows Logs – no specific tool, but … lots to do here
Lab builders will end up helping to build the following:
- Memory Image(s) with Malware
- Hard Drive Image(s) with Malware
- PCAPs with:
  - Data Exfil + Profile of Normal
  - Malicious Web Traffic
  - And so on
So I tweeted a SOC PSA about great places to start detection. I gave a few ideas and got back many responses about things to include. The discussion focused on Level 1, but I started adding more and categorized things. The levels are my own opinion and will likely change over time as I add more depth and breadth to this list.
Here is the list:
- full DNS logs
- Firewall Logs from both OS and network firewalls
- Block SMB internally and alert on events
- Block HTTP from non-proxy
- Bro logs/Netflow
- Admin Auth logs
- Proxy Logs – @lmeyerov – assuming proxies are required
- Anti-Virus Logs – @hhf – Great indicators
- Email Logs – @chadalt – excellent data source for watching for phishing.
- IDS/WAF Logs
- HTTP Headers
- Web Server Logs
- Database Logs – Auth + Query
- Application Logs
- Hashes of Binaries transmitted
- DHCP Logs – @stielervaneeden
- Host Logs – @hhf – Great indicators, but the log-to-value trade-off for host auth logs is lower than for the other logs mentioned here.
- Process Execution Parent-Child Relationships – @MrBenChung
- Application Whitelisting Logs (if App Whitelisting is deployed) – @MrBenChung
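As an added example (not part of the original post), here is a small Python check that applies two of the items above, "Block HTTP from non-proxy" and "Block SMB internally and alert on events", to constructed firewall log lines. The log format, the internal range, the proxy address and the sanctioned file-server address are all assumptions for the sake of the example.

```python
import ipaddress

# Constructed sample firewall log lines (not from the original post). Assumed format:
# timestamp action src_ip src_port dst_ip dst_port proto
SAMPLE_LOGS = """\
2018-04-01T09:00:01 ALLOW 10.0.5.23 51234 10.0.9.8 3128 tcp
2018-04-01T09:00:02 ALLOW 10.0.9.8 40001 93.184.216.34 80 tcp
2018-04-01T09:00:03 ALLOW 10.0.5.42 51900 198.51.100.7 443 tcp
2018-04-01T09:00:04 ALLOW 10.0.5.42 51901 10.0.5.77 445 tcp
2018-04-01T09:00:05 ALLOW 10.0.5.23 51902 10.0.1.10 445 tcp
2018-04-01T09:00:06 DENY 10.0.5.99 51903 203.0.113.5 80 tcp
"""

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]          # assumed internal range
PROXIES = {ipaddress.ip_address("10.0.9.8")}             # assumed egress web proxy
FILE_SERVERS = {ipaddress.ip_address("10.0.1.10")}       # assumed sanctioned SMB servers
WEB_PORTS = {80, 443}
SMB_PORT = 445


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def analyse(log_text):
    """Return (rule, src, dst, dst_port) tuples for allowed flows that break policy."""
    alerts = []
    for line in log_text.splitlines():
        _ts, action, src, _sport, dst, dport, _proto = line.split()
        if action != "ALLOW":
            continue  # denied flows were already blocked; alert on what got through
        src_ip, dst_ip, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        outbound = is_internal(src_ip) and not is_internal(dst_ip)
        lateral = is_internal(src_ip) and is_internal(dst_ip)
        # Rule 1: web traffic leaving the network from anything other than the proxy
        if port in WEB_PORTS and outbound and src_ip not in PROXIES:
            alerts.append(("http-from-non-proxy", src, dst, port))
        # Rule 2: SMB between internal hosts that is not destined for a known file server
        if port == SMB_PORT and lateral and dst_ip not in FILE_SERVERS:
            alerts.append(("internal-smb-peer", src, dst, port))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS):
        print(alert)
```

Run against the constructed sample it flags the workstation that reached an external site on 443 directly and the workstation-to-workstation SMB connection, while the proxy's own egress and SMB to the file server pass.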