June 22, 2018 | Posted in Red Teams by Dan Astor, Evan Perotti
Security Risk Advisors is proud to have been a Gold Sponsor at BSides PGH on Friday, June 22. In addition to continued involvement in and support for the BSides organization, Security Risk Advisors’ Dan Astor and Evan Perotti presented on their experience using a SIEM for Red Team work. The presentation slides are available on Slideshare, below:
Presented at BSides Pittsburgh, June 22, 2018
Did we get the creds? Do we have a beacon? Are we burned? These questions get asked with high frequency during a red team engagement. With a full red team infrastructure, you need to manage a mini-network to be successful. Cobbling together monitoring scripts, tailing files, or grepping for tokens to see if payloads were downloaded or if phishing credentials were entered is painful and inefficient when you could instead be planning your next move or taking advantage of a successful compromise.
We need some way to organize all of these logs and data in a centralized location that can alert us when important events happen. Perhaps a SIEM… By ingesting logs from all of the hosts used during an engagement, we can begin to visualize our network of attack machines and create alerts for priority events such as phishing credentials being submitted, IR teams and security vendors hitting our servers, and changes in server health. This talk will cover the ins and outs of why to use a SIEM for your red team infrastructure, the free products out there that can assist, and how we went down the path of using Elastic for our Red SIEM. We’ll also be releasing our tools, scripts, and resources to help you deploy and monitor your own Red SIEM.
Bio: Evan Perotti – Evan is an operator on Security Risk Advisors’ Technical Assessment team. His focus is on red team operations, network penetration testing, reconnaissance activities, and spear phishing. He has developed a number of open source and private tools to automate common offensive activities.