Defensive talks NOT 'sexy'? What's sexier than catching an attack like Target, APT, SET or your Pen Tester? Let me show you some sexy logging

DerbyCon 4.0 - Family Rootz

Presented by: Michael Gough
Date: Sunday September 28, 2014
Time: 15:30 - 15:55
Location: Stable Talks

Many say Windows logs are 'haaaaarrrrrd'. I say you just don't know where to start. This talk will show you how. Six Event IDs were all that was needed to detect the Target breach, assuming logging and auditing was enabled, properly configured, and forwarding to a Log Management/SIEM solution of some kind. And of course, alerting on them.

Target, Neiman Marcus and Michael's all got hammered with the largest credit card breach in history. Why didn't they detect, or get alerted to, this attack? Turns out the data was there; they just didn't know what to look for or how to properly alert on it. This talk will walk through the BlackPoS/Kaptoxa malware (really a typical advanced-attack behavior), what it did log-wise, and how to detect this type of attack through properly configured logs. The malware and its actions were far from sophisticated and made more noise than most advanced malware does. Learn what logging was triggered and how you can detect this type of attack using your logs. A take-away, a new de facto standard 'Windows Logging Cheat Sheet', will be provided to attendees so they know how to enable, configure, gather and harvest Windows log data. Many other tips and tricks will be discussed as well.

The purpose of this talk is education! This talk will walk through what the BlackPoS/Kaptoxa malware did and the Windows event log entries it created, or should have created if logging was properly enabled and configured. The 'Windows Logging Cheat Sheet' shared with attendees shows how to enable and configure the Windows logs that would have contained all the data needed to detect an attack like the one Target, Neiman Marcus and Michael's suffered. Windows logging is not hard and should be part of your Malware Management Framework. The talk will also point out the complete and utter failure of three PCI-compliant companies to detect such a noisy, unsophisticated malware that skimmed tens of millions of credit cards.

The goal of this talk is to make people aware that the log data is there and available, if you know how to enable and configure it, and to get everyone to use and implement it in order to greatly improve their Information Security Program. The attendee will leave with a significant increase in Windows log management understanding that they can go back and actually implement!
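The abstract's point is that the events were there but nobody had enabled, sized, collected or alerted on them. The script below is an added example of that "enable, configure, gather, harvest" loop, written for this page; it is not the talk's cheat sheet, and the page does not list the six Event IDs the talk refers to. The IDs used here (4688 process creation, 7045 new service install, 4624 network logon) are well-known Windows events chosen as an illustration, and the "suspicious directory" list is an assumption for the example. It must be run from an elevated PowerShell prompt on the host whose logs you want to inspect.

```powershell
# Added example (not from the talk or its cheat sheet). Event IDs and field names are
# standard Windows ones; the directory list and time window are illustrative assumptions.
# Run elevated. Command-line capture for 4688 also needs the policy
# "Include command line in process creation events" enabled, or CommandLine comes back empty.

# 1. Enable: turn on the audit subcategories that generate the events queried below.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
auditpol /set /subcategory:"Logon"            /success:enable /failure:enable
auditpol /set /subcategory:"File Share"       /success:enable /failure:enable

# 2. Configure: a default-sized Security log wraps in hours on a busy host, so raise it (1 GB here).
wevtutil sl Security /ms:1073741824

# Helper: pull one named field out of an event's EventData XML.
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddDays(-1)   # assumption: look back one day
# Assumption: user-writable paths where dropped binaries commonly run from.
$suspiciousDirs = '\\Users\\', '\\Temp\\', '\\ProgramData\\', '\\AppData\\'

# 3. Harvest: process creations (4688) whose image lives in a user-writable directory.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $img = Get-EventDataField $_ 'NewProcessName'
        foreach ($d in $suspiciousDirs) {
            if ($img -match $d) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Id          = 4688
                    Process     = $img
                    CommandLine = Get-EventDataField $_ 'CommandLine'
                }
                break
            }
        }
    }

# 4. Harvest: new service installs (7045, System log) - a common persistence step.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = 7045
            Service   = Get-EventDataField $_ 'ServiceName'
            ImagePath = Get-EventDataField $_ 'ImagePath'
        }
    }

# 5. Harvest: network logons (4624 with LogonType 3) - lateral movement onto this host.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventDataField $_ 'LogonType') -eq '3' } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = 4624
            Account = Get-EventDataField $_ 'TargetUserName'
            Source  = Get-EventDataField $_ 'IpAddress'
        }
    }
```

Running this on one box is only the "gather" step; the abstract's argument is that the same events have to be forwarded (Windows Event Forwarding or an agent) to a central log manager or SIEM and alerted on there, otherwise the noisy malware still goes unnoticed. The three queries deliberately return objects rather than printing text, so they can be piped to Export-Csv or to whatever collector you use.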
