Transcript of the slide deck "Hack the SIEM and Win the War"
[Title slide: logos of SIEM vendors, including Immunity Inc, AlienVault, BlackStratus (NetForensics), EventTracker, Gestalt, AlertLogic, Tenable, RSA, Trustwave (Intellitactics), NetIQ and McAfee]
Hack the SIEM and Win the War
Many Thanks to the Following...
All the people that taught me this stuff
Who the hell is this guy?
In The Beginning...
And Now
And The Hits Keep On Coming
What is a SIEM?
I don’t know either, but I’ll sell you 2 of them
Why is it Weak?
Have you ever tried to patch a SIEM?
Because this is your consultant
And this is their company slogan
Why Target It?
Because it has its hands in everything
Seriously, how many servers does it take to make a SIEM?
Now let’s abuse it
The Attack
Recon, Exploit, Collect
Recon
Check the Vendor Site
Under the customer section you will have all the targets you ever need
Documentation
You need the tech specs, specifically the API ports.
Check the Forums
Super strict member policy
Go to a Conference
Because we all know hotel wireless is frickin locked down.
Sales Engineers
You can spear phish them or find them at a bar; it all amounts to the same thing.
Get a Free Version
Maybe...but you have to ask nicely
Say What????
Exploit / Collect
Cred Reuse
This is always a thing
Default Creds
Because admins are lazy
Um... lots of stuff
Seriously, a metric F*** ton
API
CURL, CURL, CURL
Interface
Nothing to see here, just another user...
But Do You Need To?
Probably Not
DEMO
THANKS!