
#126: Atomic Code Red!

And Using ElasticStack to Secure Your Systems.




Hello!

Welcome to another _secpro! This time, we're getting rid of the "cyber" in "cybersecurity" for a while as we get physical - with physical pentesting! It's something everyone knows about, but do we know enough? Then we're covering some of the week's hottest news stories, playing with tools, and diving into another chapter of Threat Hunting with Elastic Stack in Cybersecurity Fundamentals.

This week's highlights:
Cheers!
Austin Miller
Editor-in-Chief

This Week's Articles

How to utilize Atomic Red Team Framework for Sophisticated Threat Simulations

Learn to use Atomic Red
In this article, Sai will help you understand Atomic Red Team, a red team framework developed from the perspective of a blue team member. Just what we love in the _secpro!

What's Happened This Week in Cybersec?


Keeping up with the news is difficult. That's why we've condensed the biggest stories from the best news sources around - just for you, right here. Click the links below to find out what's been going on!
 
  • Krebs on Security - Who’s Behind the SWAT USA Reshipping Service?: Last week, KrebsOnSecurity broke the news that one of the largest cybercrime services for laundering stolen merchandise was hacked recently, exposing its internal operations, finances and organizational structure. In today’s Part II, we’ll examine clues about the real-life identity of “Fearlless,” the nickname chosen by the proprietor of the SWAT USA Drops service.
  • Bruce Schneier - Online Retail Hack - "Online marketplaces sell tiny pink cowboy hats. They also sell miniature pencil sharpeners, palm-size kitchen utensils, scaled-down books and camping chairs so small they evoke the Stonehenge scene in “This Is Spinal Tap.” Many of the minuscule objects aren’t clearly advertised. But there is no doubt some online sellers deliberately trick customers into buying smaller and often cheaper-to-produce items, Witcher said."
  • Bruce Schneier - Decoupling for Security - In the last few years, a slew of ideas old and new have converged to reveal a path out of this morass, but they haven’t been widely recognized, combined, or used. These ideas, which we’ll refer to in the aggregate as “decoupling,” allow us to rethink both security and privacy. Here’s the gist. The less someone knows, the less they can put you and your data at risk. In security, this is called Least Privilege. 
  • Bruce Schneier - Crashing iPhones with a Flipper Zero - The Flipper Zero is an incredibly versatile hacking device. Now it can be used to crash iPhones in its vicinity by sending them a never-ending stream of pop-ups.
  • Security Affairs - Pro-Palestinian hacker group 'Soldiers of Solomon' disrupted the production cycle of the biggest flour production plant in Israel: The group published on its Telegram channel a video showing several screenshots from systems used to control the processes at the plant. This type of attack can have a significant impact on the company and the community, as the target is an important component of the food supply chain.
  • Security Affairs - Attackers use Google Calendar RAT to abuse Calendar service as C2 infrastructure: Google warns of multiple threat actors sharing a public proof-of-concept (PoC) exploit, named Google Calendar RAT, that relies on the Calendar service to host command-and-control (C2) infrastructure. Google Calendar RAT is a PoC of C2 over Google Calendar Events; it was developed for red teaming activities.
  • Security Affairs - Dolly.com pays ransom, attackers release data anyway: Cybercriminals are hardly a trustworthy bunch. Case in point: Dolly.com. The Cybernews research team believes that the platform suffered a ransomware attack and at least partially paid the ransom – but was duped. The attackers complained that the payment wasn’t generous enough and published the stolen data. Not only that, but the criminals also shared a chat with the company on an underground criminal forum.

Cybersecurity Fundamentals

 

Threat Hunting with Elastic Stack


Ready for another Elastic Stack tutorial to improve our threat hunting skills? Here's part two of our five-week foray into the basics of Elastic Stack in cybersecurity, using the book Threat Hunting with Elastic Stack.

Elastic Solutions


Elastic uses the concept of solutions to organize ways that the stack can be used to solve use cases. The three solutions are as follows:

  • Search: Enterprise Search
  • Observe: Health and performance logging and metrics
  • Security: Threat detection and response

We're going to focus on the Security solution. That said, now that you have Kibana running, you can explore the Enterprise Search and Observability solutions; they are all available at no cost. The very basic data we have sent into the stack so far won't populate much, if any, of those solutions, so beyond being able to see the interface there isn't much else to do yet. Using Enterprise Search, you can connect to GitHub, Slack, Salesforce, Google Drive, and so on, and search all of them from within Kibana. This is tremendously powerful and there are security use cases for it, but it isn't a security-focused solution in itself.

Observability

The Observability solution is a unified location to search for traditional logging, metrics, and so on. This data can be fed from the Beats as well as Elastic Agent. The most common data sources would be two beats that we didn't discuss, Metricbeat and Heartbeat, along with the System Filebeat module.

As a brief example, I'll use Heartbeat to populate the Uptime app in the Observability solution. You don't need to complete this step, as it isn't part of a direct security use case. That said, with it we can see the up/down status of network and web services, track the status of their TLS certificates, and even send alerts when a service isn't available.
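As an added illustration of that Heartbeat use case (this is example configuration written for this page, not the book's own files), here is a minimal heartbeat.yml that probes one hypothetical HTTPS endpoint and one hypothetical LDAPS port, verifies the server certificate on each check, and ships the results to a local Elasticsearch. The hostnames, monitor IDs, user name and environment variable are placeholders.

```yaml
# Added example, not from the book: a minimal heartbeat.yml for the Uptime app.
# Hostnames, monitor IDs and credentials below are placeholders.
heartbeat.monitors:
  - type: http
    id: example-web                    # unique per monitor; groups checks in Uptime
    name: Example web front end
    urls: ["https://www.example.com/healthz"]
    schedule: '@every 30s'
    timeout: 10s
    check.response.status: [200]       # any other status is recorded as "down"
    ssl:
      verification_mode: full          # untrusted or mismatched certificate fails the check
      supported_protocols: ["TLSv1.2", "TLSv1.3"]

  - type: tcp
    id: example-ldaps
    name: Example directory (LDAPS)
    hosts: ["ldap.example.com:636"]
    schedule: '@every 60s'
    ssl:
      verification_mode: full          # perform a TLS handshake, not just a TCP connect

output.elasticsearch:
  hosts: ["https://localhost:9200"]
  username: "heartbeat_writer"         # placeholder; give it a least-privilege writer role
  password: "${HEARTBEAT_PASSWORD}"    # resolved from the environment or the Beats keystore
```

Validate the file with `heartbeat test config -c heartbeat.yml`, load the index templates with `heartbeat setup`, then start the agent. Because each check records the server certificate's fields (for example `tls.server.x509.not_after`), the Uptime app's certificate view can list expiry dates and its certificate alert can warn before one lapses, which is the TLS-tracking capability mentioned above.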

Security

Now we get to the Security app. We're going to spend a lot of time in this app in the forthcoming chapters. This app is a central hub to view and manage Elastic's security capabilities. Network data and endpoint data are coalesced here and correlated across various data sources and types.

This is a rapidly maturing solution and its capabilities take tremendous leaps forward with every minor release; it's almost impossible to keep up. There is too much here to cover in screenshots, but as mentioned previously, we'll spend a great deal of time on it in the coming chapters.

As with the rest of Kibana, these views are filterable and searchable from anywhere in the app.

Next week, we'll explore integrating Elastic with Kibana and getting the most out of the dashboard.


Have You Tried...


It's about time we include some tools, tricks, and other useful content relating to Elastic Stack. Until the end of our dive into Threat Hunting with Elastic Stack, we will include a few things that you can play with whenever you get the chance.
  • jasonish/evebox - A web-based Event Viewer (GUI) for Suricata EVE Events in Elastic Search.
  • floragunncom/search-guard - Search Guard(®) is an Elasticsearch plugin that offers encryption, authentication, authorization. It supports authentication via Active Directory, LDAP, Kerberos, JSON web tokens, SAML, OpenID and many more.
  • counteractive/o365beat - Elastic Beat for fetching and shipping Office 365 audit events
  • 9oelM/elasticpwn - Quickly collect data from thousands of exposed Elasticsearch or Kibana instances and generate a report to be analysed.
  • SHolzhauer/elastic-tip - Elastic TIP is a python tool which automates the process of aggregating Threat Intelligence and ingesting the intelligence into a common format into Elasticsearch with the main goal of being used by the Security solution.
SecPro
Copyright © 2023 Packt Publishing, All rights reserved.
As a GDPR-compliant company, we want you to know why you’re getting this email. The _secpro team, as a part of Packt Publishing, believes that you have a legitimate interest in our newsletter and the products associated with it. Our research shows that you opted-in for communication with Packt Publishing in the past and we think that your previous interest warrants our appropriate communication. If you do not feel that you should have received this or are no longer interested in _secpro, you can opt out of our emails using the unsubscribe link below.

Our mailing address is:
Packt Publishing
Grosvenor House
11 St Paul's Square
Birmingham, West Midlands, B3 1RB
United Kingdom


