Where Networking and Security Collide

Author: admin

True Crime – 1st 48 hours in your network….

What a fun day! Thanks to all who attended my session at the Northern Ohio Security Summit, “TRUE CRIME – the first 48 hours in your network”; it was a packed house!

As promised, here are some resources to enable you to LIGHT up your network.

Feel free to hit me up on Linkedin with any questions.

Link to presentation – TimRoth_ClevelandSecuritySummit10_26  

XBOX HACKERS

https://www.wired.com/story/xbox-underground-videogame-hackers/

https://darknetdiaries.com/episode/45/TimRoth_ClevelandSecuritySummit10_26

->Interrogating the Network (means to pull data from the network)

Means to enable packet capture – just an example

Packet Capture in Cisco Routers and Switches

Netflow

Application visibility with Netflow (NO FIREROUTER required)

Available IPFIX/NETFLOW records

Cisco Netflow support Matrix

->Collecting the Artifacts (means to collect the data)

1. Flow Collection

ELK Stack – collection of Netflow with ELK Stack + ElastiFlow

https://github.com/robcowart/elastiflow/blob/master/INSTALL.md

Setup Elastiflow (Netflow visual tool for ELK Stack)

https://www.catapultsystems.com/blogs/install-elastiflow-on-ubuntu-18-04-part-1/

https://www.catapultsystems.com/blogs/install-elastiflow-on-ubuntu-18-04-part-2/

https://www.catapultsystems.com/blogs/install-elastiflow-on-ubuntu-18-04-part-3/

2. Packet Collection

SNORT

SNORT Detection Strategies

Run snort on your Cisco Router

ZEEK/BRO

An Introduction to Threat Hunting With Zeek (Bro)

https://www.zeek.org/

ETA/JOY – encrypted traffic analytics

https://github.com/cisco/joy

Presentation on Cisco ETA/Project Joy

Slide Deck – Cisco ETA/Project Joy

Resources Referenced

TALOS BLOG –

https://talosintelligence.com/

https://talosintelligence.com/software (Open Source Projects – Snort, Immunet)

Books Referenced

https://www.amazon.com/Network-Security-Through-Data-Analysis/dp/1449357903

https://www.amazon.com/Network-Security-NetFlow-IPFIX-Information/dp/1587144387


Guacamole – good chip dip but even better KVM for your lab!

Over the last year, I was introduced to a really cool open-source tool called Guacamole. Pretty funny name, huh? It’s pretty much an HTML5 web-based KVM with a central repository of all RDP, VNC, SSH and telnet resources.

I try to keep my sandbox, lab and home networks isolated. My workstation usually resides on my home network. To simplify remote access, I access the Guacamole web app that is hosted on my Ubuntu server. The Ubuntu server only has access to 3389/SSH into my sandbox and lab networks. Guacamole offers two-factor support… for all you security people out there. General disclosure: use at your own risk 🙂

Great how-to blog post on installing and configuring Guacamole.
https://jasoncoltrin.com/2017/10/04/setup-guacamole-remote-desktop-gateway-on-ubuntu-with-one-script/

A few notes of interest:
1. Settings for Server 2012
“hostname: (as appropriate)
username: (as appropriate)
password: (as appropriate)
domain: (as appropriate)
color depth: True color (24-bit)
security mode: NLA (Network Level Authentication)
Ignore server certificate: ticked”
https://sourceforge.net/p/guacamole/discussion/1110834/thread/b63b6dd5/

2. Main menu – After you log in to one RDP session, you might want to open other tabs; navigate to the link below for a listing of all resources.
http://serverIPaddress:8080/guacamole/#/settings/sessions

3. I haven’t set up two-factor yet… this post might be helpful
https://sourceforge.net/p/guacamole/discussion/1110834/thread/c50bf0e4/?limit=25
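For reference, here is how those Server 2012 settings map onto a connection in Guacamole’s file-based user-mapping.xml. This is an added example, not from the original post or the Guacamole project; it assumes the file-based authentication backend (not the database one), and the host, account names and passwords are placeholders.

```xml
<!-- Added example: a lab RDP connection in Guacamole's user-mapping.xml.
     All values below are placeholders; replace them with your own. -->
<user-mapping>
    <!-- Guacamole web login for the lab user (placeholder credentials) -->
    <authorize username="labuser" password="CHANGE-ME">
        <connection name="win2012-lab">
            <protocol>rdp</protocol>
            <!-- hostname / username / password / domain: "as appropriate" -->
            <param name="hostname">192.0.2.10</param>
            <param name="port">3389</param>
            <param name="username">labadmin</param>
            <param name="password">CHANGE-ME</param>
            <param name="domain">LAB</param>
            <!-- "color depth: True color (24-bit)" -->
            <param name="color-depth">24</param>
            <!-- "security mode: NLA (Network Level Authentication)" -->
            <param name="security">nla</param>
            <!-- "Ignore server certificate: ticked". This skips validation of the
                 RDP server's certificate, so Guacamole cannot tell a spoofed
                 server from the real one. Acceptable on an isolated lab segment;
                 elsewhere set it to false and install a trusted certificate on
                 the RDP host instead. -->
            <param name="ignore-cert">true</param>
        </connection>
    </authorize>
</user-mapping>
```

The file lives in GUACAMOLE_HOME (typically /etc/guacamole); since it holds the RDP password in clear text, keep its permissions restricted to the account that runs Guacamole.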

Enjoy,

Tim