Abstract image of a woman sitting on books and studying on a laptop

Blue Teaming on a Budget of Zero

Download as PPTX, PDF
K
Kyle Bubp

The document discusses building a security program with zero budget by using open source and free tools. It provides recommendations for tools to use at each step: asset discovery (NetDB), vulnerability scanning (OpenVAS), web application scanning (Arachni, ZAP), intrusion detection (osquery, Sysmon), configuration management (CIS benchmarks, Ansible), patching (Windows, Linux), logging (ElasticStack), and breach simulation (CALDERA, Infection Monkey). It emphasizes starting with a solid documentation foundation and focusing on people, processes and tools to build security from the ground up.

Technology
Related topics:
Information Security Blue Team
1 of 39
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
THREATCARE Open Source Defense Building a Security Program with Zero Budget
Agenda •Budget challenges beyond CapEx/OpEx •Foundations: The big picture and where to start •Specific free & open-source tools to help at each step •Real-World Experiences and Fun Stories* *Randomly dispersed throughout
whoami – Kyle Bubp • Just a dude trying to make things better.
Security: What’s the “True Cost”? • Security = People + Processes + Products People • Salary • Training • Personal Dev • Management Processes • Plan (policy) • Build (tech) • Test • Improvement Products • CapEx/OpEx • Support • Time to Value • Labor:Value
Why FOSS? Not just for people with budget constraints! It’s about time and control.
Commercial 1. Google search 2. Choose three 3. Contact vendors 4. Proof of concept 5. Wine & dine 6. Procurement 7. Implementation Elapsed time: weeks/months FOSS 1. Google search 2. Download 3. Configure Elapsed time: minutes/hours Why FOSS?
Shelfware Products that are purchased, but never get used or never fully achieve their intended value
What ends up on the Shelf? What would get them off the shelf?
Start with a solid foundation.
Foundational Blueprints and Frameworks •NIST Standards and Frameworks •CIS Critical Security Controls •ISO 27000 •MITRE ATT&CK
Blue Teaming on a Budget of Zero
Document everything! A core documentation repository is critical •Policy, procedure, how-tos, etc: • MediaWiki • Atlassian Confluence ($10 for up to 10 users) •Incident Response Ticketing/Documentation: • RTIR (https://bestpractical.com/download-page) • The Hive (https://thehive-project.org/)
Build from the ground up 1. Identify 2. Protect and Harden 3. Detect 4. Respond 5. Recover
Blue Teaming on a Budget of Zero
The Asset Discovery Dilemma Active Scanning? Nmap? Vuln Scanner? No. Ask your network! NetDB https://netdbtracking.sourceforge.net/ .ova available at https://www.kylebubp.com/files/netdb.ova
Other network mapping approaches •nmap + ndiff/yandiff • Not just for red teams. • Export results, diff for changes. • Alert if something changed. •Netdisco • https://sourceforge.net/projects/netdisco • Uses SNMP to inventory your network devices
Data Discovery •Users are good at putting sensitive data on the network. •Find it with OpenDLP
OpenVAS •Fork of Nessus •Still maintained •Default vuln scanner in AlienVault •Does a great job in comparison w/ commercial products
Web Apps too! •Arachni Framework (arachni-scanner.com) •OWASP ZAP (Zed Attack Proxy) •Nikto2 (more of a server config scanner) •Portswigger Burp Suite (not free - $350) •For a comparison – sectoolmarket.com
In addition to fixing vulnerabilities… •Build in some additional security on your web servers. (also part of a secure configuration) •Fail2ban Python-based IPS that runs off of Apache Logs •Modsecurity Open source WAF for Apache, IIS, & nginx
Build from the ground up 1. Identify 2. Protect and Harden 3. Detect 4. Respond 5. Recover
Protect
Intrusion Detection and Prevention
Host-based IDS • Monitor Critical and Sensitive Files via Integrity Checks • Detects Rootkits • Can monitor Windows Registry • Alert on Changes
Windows 10 – Out of the box – CIS Benchmark
Secure Configuration •CIS Benchmarks / DISA Stigs •Configuration Management, while not exciting, is important •Deploy configs across your enterprise using tools like GPO, Chef, Puppet, or Ansible •Change Management is also important • Use git repo for tracking changes to your config scripts
PATCH IT ALL (kinda)
Patching Windows +
Patching Linux +
Build from the ground up 1. Identify 2. Protect and Harden 3. Detect 4. Respond 5. Recover
What’s happening on the endpoint? •Facebook-developed osquery is effectively free EDR • Agents for MacOS, Windows, Linux • Deploy across your enterprise w/ Chef, Puppet, Ansible, or SCCM • Do fun things like, search for IoCs (hashes, processes, etc.) • Pipe the data into ElasticStack for visibility & searchability •If you only need Windows, check out Microsoft Sysinternals Sysmon
What’s happening on the network? •Elkstack •Suricata •Bro •Snort •SecurityOnion: put it all together
Logging and Monitoring •Central logging makes detection and analysis easier •Many options here, such as Windows Event Subscription, rsyslog •Can also pipe to one central location with dashboards, such as ElasticStack •Good idea to include DNS logs!
Testing Controls
Breach and Attack Simulation • CALDERA (Based ATT&CK) • Uber Metta • Endgame RTA • Guardicore’s Infection Monkey • Barkly’s Stackhackr • Nextron Systems’ APTSimulator • AlphaSOC’s flightsim
Education
Phishing Education • Phishing Frenzy • Social Engineering Toolkit (SET) • GoPhish
Parting thoughts… • Build versus Buy • Security Requirements don’t change, regardless of budget. • Build a strong foundation and branch out. • Consider scenarios – solve one scenario at a time, NOT all at once! • Stay curious and contribute to projects you like. • Community! Share ideas – learn from others • DOCUMENT EVERYTHING
Kyle Bubp kyle@threatcare.com @kylebubp @threatcare

More Related Content

PDF
Smart Platform Infrastructure with AWS
James Huston
 
PDF
Alexander Naydenko - Nagios to Zabbix Migration | ZabConf2016
Zabbix
 
KEY
Migrating big data
lauraxthomson
 
PDF
Hacklu2011 tricaud
stricaud
 
PDF
Dublin JUG February 2018 - Microservices in action at the Dutch National Police
Bert Jan Schrijver
 
PDF
Get There meetup March 2018 - Microservices in action at the Dutch National P...
Bert Jan Schrijver
 
ODP
2014 ZAP Workshop 2: Contexts and Fuzzing
Simon Bennetts
 
PDF
Alexei Vladishev - Opening Speech
Zabbix
 
Smart Platform Infrastructure with AWS
James Huston
 
Alexander Naydenko - Nagios to Zabbix Migration | ZabConf2016
Zabbix
 
Migrating big data
lauraxthomson
 
Hacklu2011 tricaud
stricaud
 
Dublin JUG February 2018 - Microservices in action at the Dutch National Police
Bert Jan Schrijver
 
Get There meetup March 2018 - Microservices in action at the Dutch National P...
Bert Jan Schrijver
 
2014 ZAP Workshop 2: Contexts and Fuzzing
Simon Bennetts
 
Alexei Vladishev - Opening Speech
Zabbix
 

What's hot (20)

ODP
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
Simon Bennetts
 
PDF
My pwk & oscp journey
M.Syarifudin, ST, OSCP, OSWP
 
PDF
Ryan Armstrong - Monitoring More Than 6000 Devices in Zabbix | ZabConf2016
Zabbix
 
PPTX
Security workflow with ansible
devanshdubey7
 
ODP
JoinSEC 2013 London - ZAP Intro
Simon Bennetts
 
PDF
20140708 - Jeremy Edberg: How Netflix Delivers Software
DevOps Chicago
 
PDF
Devoxx PL 2018 - Microservices in action at the Dutch National Police
Bert Jan Schrijver
 
ODP
2014 ZAP Workshop 1: Getting Started
Simon Bennetts
 
PPTX
Open stack jobs avoiding the axe
Jim Leitch
 
ODP
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 
PPT
Zabbix introduction ( RadixCloud Radix Technologies SA)
Martin Markovski
 
ODP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
Simon Bennetts
 
ODP
OWASP 2013 Limerick - ZAP: Whats even newer
Simon Bennetts
 
PDF
NGINX User Summit. Wallarm llightning talk
Wallarm
 
PDF
IT security for all. Bootcamp slides
Wallarm
 
ODP
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
Simon Bennetts
 
ODP
OWASP 2013 EU Tour Amsterdam ZAP Intro
Simon Bennetts
 
PPTX
Nouveautés de Zabbix 3.0 - Paris Monitoring meetup #2
Paris Monitoring
 
ODP
BSides Manchester 2014 ZAP Advanced Features
Simon Bennetts
 
PDF
Trouble Ticket Integration with Zabbix in Large Environment
Alain Ganuchaud
 
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
Simon Bennetts
 
My pwk & oscp journey
M.Syarifudin, ST, OSCP, OSWP
 
Ryan Armstrong - Monitoring More Than 6000 Devices in Zabbix | ZabConf2016
Zabbix
 
Security workflow with ansible
devanshdubey7
 
JoinSEC 2013 London - ZAP Intro
Simon Bennetts
 
20140708 - Jeremy Edberg: How Netflix Delivers Software
DevOps Chicago
 
Devoxx PL 2018 - Microservices in action at the Dutch National Police
Bert Jan Schrijver
 
2014 ZAP Workshop 1: Getting Started
Simon Bennetts
 
Open stack jobs avoiding the axe
Jim Leitch
 
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 
Zabbix introduction ( RadixCloud Radix Technologies SA)
Martin Markovski
 
OWASP 2013 APPSEC USA Talk - OWASP ZAP
Simon Bennetts
 
OWASP 2013 Limerick - ZAP: Whats even newer
Simon Bennetts
 
NGINX User Summit. Wallarm llightning talk
Wallarm
 
IT security for all. Bootcamp slides
Wallarm
 
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
Simon Bennetts
 
OWASP 2013 EU Tour Amsterdam ZAP Intro
Simon Bennetts
 
Nouveautés de Zabbix 3.0 - Paris Monitoring meetup #2
Paris Monitoring
 
BSides Manchester 2014 ZAP Advanced Features
Simon Bennetts
 
Trouble Ticket Integration with Zabbix in Large Environment
Alain Ganuchaud
 
Ad

Similar to Blue Teaming on a Budget of Zero (20)

PPTX
Open Source Defense for Edge 2017
Adrian Sanabria
 
PPTX
Blue Teamin' on a Budget [of zero]
Kyle Bubp
 
PPTX
Defending Enterprise IT - beating assymetricality
Claus Cramon Houmann
 
PPTX
How To Start Your InfoSec Career
Andrew McNicol
 
PDF
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Barry Greene
 
PDF
Are you ready for the next attack? Reviewing the SP Security Checklist
APNIC
 
PDF
Are you ready for the next attack? Reviewing the SP Security Checklist
MyNOG
 
PPTX
Disruptionware-TRustedCISO103020v0.7.pptx
Debra Baker, CISSP CSSP
 
PPTX
Information Security: Advanced SIEM Techniques
ReliaQuest
 
PPTX
Keynote at the Cyber Security Summit Prague 2015
Claus Cramon Houmann
 
PDF
Construye tu stack de ciberseguridad con open source
Software Guru
 
PPT
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
PPTX
Where to Start When Your Environment is Fucked
Amanda Berlin
 
PPTX
BSides_Charm2015_Info sec hunters_gathers
Andrew McNicol
 
PDF
RIoT (Raiding Internet of Things) by Jacob Holcomb
Priyanka Aash
 
PPTX
InheritedASecurityDept
Amanda Berlin
 
PPTX
Presentation infra and_datacentrre_dialogue_v2
Claus Cramon Houmann
 
PPTX
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 
PPT
Event - Internet Thailand - Total Security Perimeters
Somyos U.
 
DOCX
FBI & Secret Service- Business Email Compromise Workshop
Ernest Staats
 
Open Source Defense for Edge 2017
Adrian Sanabria
 
Blue Teamin' on a Budget [of zero]
Kyle Bubp
 
Defending Enterprise IT - beating assymetricality
Claus Cramon Houmann
 
How To Start Your InfoSec Career
Andrew McNicol
 
Are you ready for the next attack? reviewing the sp security checklist (apnic...
Barry Greene
 
Are you ready for the next attack? Reviewing the SP Security Checklist
APNIC
 
Are you ready for the next attack? Reviewing the SP Security Checklist
MyNOG
 
Disruptionware-TRustedCISO103020v0.7.pptx
Debra Baker, CISSP CSSP
 
Information Security: Advanced SIEM Techniques
ReliaQuest
 
Keynote at the Cyber Security Summit Prague 2015
Claus Cramon Houmann
 
Construye tu stack de ciberseguridad con open source
Software Guru
 
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
Where to Start When Your Environment is Fucked
Amanda Berlin
 
BSides_Charm2015_Info sec hunters_gathers
Andrew McNicol
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
Priyanka Aash
 
InheritedASecurityDept
Amanda Berlin
 
Presentation infra and_datacentrre_dialogue_v2
Claus Cramon Houmann
 
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 
Event - Internet Thailand - Total Security Perimeters
Somyos U.
 
FBI & Secret Service- Business Email Compromise Workshop
Ernest Staats
 
Ad

Recently uploaded (20)

PDF
MENA-ECEONOMIC-CONTEXT-VC MENA-ECEONOMIC
Mustafa Kuğu
 
PDF
Ensemble model-based arrhythmia classification with local interpretable model...
IAESIJAI
 
PDF
“The Future of Visual AI: Efficient Multimodal Intelligence,” a Keynote Prese...
Edge AI and Vision Alliance
 
PDF
Auditboard EB SOX Playbook 2023 edition.
DROK2
 
PPTX
SGT Report The Beast Plan and Cyberphysical Systems of Control
hopegirl587
 
PDF
Transform-Quality-Engineering-with-AI-A-60-Day-Blueprint-for-Digital-Success.pdf
Kalilur Rahman
 
PDF
A hybrid framework for wild animal classification using fine-tuned DenseNet12...
IAESIJAI
 
PPTX
Build automations faster and more reliably with UiPath ScreenPlay
AndreeaTom
 
PPTX
AI-driven Assurance Across Your End-to-end Network With ThousandEyes
ThousandEyes
 
PPTX
Presentation - Principles of Instructional Design.pptx
Ntokozo Mhlongo
 
PDF
Decision Optimization - From Theory to Practice
Eray Cakici
 
PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
Safe Software
 
PDF
The-Future-of-Automotive-Quality-is-Here-AI-Driven-Engineering.pdf
Kalilur Rahman
 
PDF
Early detection and classification of bone marrow changes in lumbar vertebrae...
IAESIJAI
 
PDF
Build Real-Time ML Apps with Python, Feast & NoSQL
ScyllaDB
 
PDF
ment.tech-Siri Delay Opens AI Startup Opportunity in 2025.pdf
thomasnova26
 
PDF
The AI Revolution in Customer Service - 2025
Body of Knowledge
 
PDF
EIS-Webinar-Regulated-Industries-2025-08.pdf
Earley Information Science
 
PDF
A symptom-driven medical diagnosis support model based on machine learning te...
IAESIJAI
 
PDF
Altius execution marketplace concept.pdf
Wandor
 
MENA-ECEONOMIC-CONTEXT-VC MENA-ECEONOMIC
Mustafa Kuğu
 
Ensemble model-based arrhythmia classification with local interpretable model...
IAESIJAI
 
“The Future of Visual AI: Efficient Multimodal Intelligence,” a Keynote Prese...
Edge AI and Vision Alliance
 
Auditboard EB SOX Playbook 2023 edition.
DROK2
 
SGT Report The Beast Plan and Cyberphysical Systems of Control
hopegirl587
 
Transform-Quality-Engineering-with-AI-A-60-Day-Blueprint-for-Digital-Success.pdf
Kalilur Rahman
 
A hybrid framework for wild animal classification using fine-tuned DenseNet12...
IAESIJAI
 
Build automations faster and more reliably with UiPath ScreenPlay
AndreeaTom
 
AI-driven Assurance Across Your End-to-end Network With ThousandEyes
ThousandEyes
 
Presentation - Principles of Instructional Design.pptx
Ntokozo Mhlongo
 
Decision Optimization - From Theory to Practice
Eray Cakici
 
Data Virtualization in Action: Scaling APIs and Apps with FME
Safe Software
 
The-Future-of-Automotive-Quality-is-Here-AI-Driven-Engineering.pdf
Kalilur Rahman
 
Early detection and classification of bone marrow changes in lumbar vertebrae...
IAESIJAI
 
Build Real-Time ML Apps with Python, Feast & NoSQL
ScyllaDB
 
ment.tech-Siri Delay Opens AI Startup Opportunity in 2025.pdf
thomasnova26
 
The AI Revolution in Customer Service - 2025
Body of Knowledge
 
EIS-Webinar-Regulated-Industries-2025-08.pdf
Earley Information Science
 
A symptom-driven medical diagnosis support model based on machine learning te...
IAESIJAI
 
Altius execution marketplace concept.pdf
Wandor
 

Blue Teaming on a Budget of Zero

  • 1. THREATCARE Open Source Defense Building a Security Program with Zero Budget
  • 2. Agenda •Budget challenges beyond CapEx/OpEx •Foundations: The big picture and where to start •Specific free & open-source tools to help at each step •Real-World Experiences and Fun Stories* *Randomly dispersed throughout
  • 3. whoami – Kyle Bubp • Just a dude trying to make things better.
  • 4. Security: What’s the “True Cost”? • Security = People + Processes + Products People • Salary • Training • Personal Dev • Management Processes • Plan (policy) • Build (tech) • Test • Improvement Products • CapEx/OpEx • Support • Time to Value • Labor:Value
  • 5. Why FOSS? Not just for people with budget constraints! It’s about time and control.
  • 6. Commercial 1. Google search 2. Choose three 3. Contact vendors 4. Proof of concept 5. Wine & dine 6. Procurement 7. Implementation Elapsed time: weeks/months FOSS 1. Google search 2. Download 3. Configure Elapsed time: minutes/hours Why FOSS?
  • 7. Shelfware Products that are purchased, but never get used or never fully achieve their intended value
  • 8. What ends up on the Shelf? What would get them off the shelf?
  • 10. Foundational Blueprints and Frameworks •NIST Standards and Frameworks •CIS Critical Security Controls •ISO 27000 •MITRE ATT&CK
  • 12. Document everything! A core documentation repository is critical •Policy, procedure, how-tos, etc: • MediaWiki • Atlassian Confluence ($10 for up to 10 users) •Incident Response Ticketing/Documentation: • RTIR (https://bestpractical.com/download-page) • The Hive (https://thehive-project.org/)
  • 13. Build from the ground up 1. Identify 2. Protect and Harden 3. Detect 4. Respond 5. Recover
  • 15. The Asset Discovery Dilemma Active Scanning? Nmap? Vuln Scanner? No. Ask your network! NetDB https://netdbtracking.sourceforge.net/ .ova available at https://www.kylebubp.com/files/netdb.ova
  • 16. Other network mapping approaches •nmap + ndiff/yandiff • Not just for red teams. • Export results, diff for changes. • Alert if something changed. •Netdisco • https://sourceforge.net/projects/netdisco • Uses SNMP to inventory your network devices
  • 17. Data Discovery •Users are good at putting sensitive data on the network. •Find it with OpenDLP
  • 18. OpenVAS •Fork of Nessus •Still maintained •Default vuln scanner in AlienVault •Does a great job in comparison w/ commercial products
  • 19. Web Apps too! •Arachni Framework (arachni-scanner.com) •OWASP ZAP (Zed Attack Proxy) •Nikto2 (more of a server config scanner) •Portswigger Burp Suite (not free - $350) •For a comparison – sectoolmarket.com
  • 20. In addition to fixing vulnerabilities… •Build in some additional security on your web servers. (also part of a secure configuration) •Fail2ban Python-based IPS that runs off of Apache Logs •Modsecurity Open source WAF for Apache, IIS, & nginx
  • 21. Build from the ground up 1. Identify 2. Protect and Harden 3. Detect 4. Respond 5. Recover
  • 24. Host-based IDS • Monitor Critical and Sensitive Files via Integrity Checks • Detects Rootkits • Can monitor Windows Registry • Alert on Changes
  • 25. Windows 10 – Out of the box – CIS Benchmark
  • 26. Secure Configuration •CIS Benchmarks / DISA Stigs •Configuration Management, while not exciting, is important •Deploy configs across your enterprise using tools like GPO, Chef, Puppet, or Ansible •Change Management is also important • Use git repo for tracking changes to your config scripts
  • 27. PATCH IT ALL (kinda)
  • 30. Build from the ground up 1. Identify 2. Protect and Harden 3. Detect 4. Respond 5. Recover
  • 31. What’s happening on the endpoint? •Facebook-developed osquery is effectively free EDR • Agents for MacOS, Windows, Linux • Deploy across your enterprise w/ Chef, Puppet, Ansible, or SCCM • Do fun things like, search for IoCs (hashes, processes, etc.) • Pipe the data into ElasticStack for visibility & searchability •If you only need Windows, check out Microsoft Sysinternals Sysmon
  • 32. What’s happening on the network? •Elkstack •Suricata •Bro •Snort •SecurityOnion: put it all together
  • 33. Logging and Monitoring •Central logging makes detection and analysis easier •Many options here, such as Windows Event Subscription, rsyslog •Can also pipe to one central location with dashboards, such as ElasticStack •Good idea to include DNS logs!
  • 35. Breach and Attack Simulation • CALDERA (Based ATT&CK) • Uber Metta • Endgame RTA • Guardicore’s Infection Monkey • Barkly’s Stackhackr • Nextron Systems’ APTSimulator • AlphaSOC’s flightsim
  • 37. Phishing Education • Phishing Frenzy • Social Engineering Toolkit (SET) • GoPhish
  • 38. Parting thoughts… • Build versus Buy • Security Requirements don’t change, regardless of budget. • Build a strong foundation and branch out. • Consider scenarios – solve one scenario at a time, NOT all at once! • Stay curious and contribute to projects you like. • Community! Share ideas – learn from others • DOCUMENT EVERYTHING