1
00:00:08,050 --> 00:00:13,530
All right, so in the last lecture, we dug into known vulnerabilities, right, using components with

2
00:00:13,530 --> 00:00:14,150
known vulnerabilities.

3
00:00:14,590 --> 00:00:16,620
Now I want to talk about detections.

4
00:00:17,280 --> 00:00:17,600
Right.

5
00:00:17,940 --> 00:00:20,030
How can you respond to something you can't see?

6
00:00:20,220 --> 00:00:27,330
You can't, right? I mean, you need to have sufficient logging, not just in the local logs or whatever the

7
00:00:27,330 --> 00:00:32,820
asset is that you're monitoring, but also they need to be aggregated into a central location

8
00:00:32,820 --> 00:00:40,080
so that you can correlate events and infer relationships between different events and then respond.

9
00:00:40,420 --> 00:00:40,590
Right.

10
00:00:40,740 --> 00:00:43,410
You can prioritize risk and you can respond appropriately.

11
00:00:43,800 --> 00:00:47,430
And so this is actually the last part of the last top 10.

12
00:00:48,390 --> 00:00:53,060
You know, insufficient logging and monitoring is the bedrock of nearly every major incident.

13
00:00:53,310 --> 00:00:53,640
Right.

14
00:00:53,670 --> 00:00:55,230
I mean, this is a big deal.

15
00:00:55,830 --> 00:01:00,930
You know, if you can't detect an attacker probing your network, well, I mean, how can you expect

16
00:01:01,290 --> 00:01:04,520
to not be compromised, or even to respond to the compromise when it happens?

17
00:01:05,280 --> 00:01:09,840
So, you know, it's really important that you make sure that logs are not only stored locally, but

18
00:01:09,840 --> 00:01:12,680
also, like I said, sent to a SIEM like Splunk.

19
00:01:12,690 --> 00:01:14,820
And because we have our cyber range set up, we can do that.

20
00:01:14,820 --> 00:01:14,990
Right.

21
00:01:15,000 --> 00:01:16,290
We can run tests with nmap.

22
00:01:16,770 --> 00:01:18,300
We can scan our web app with Burp.

23
00:01:18,840 --> 00:01:18,990
Right.
24
00:01:19,080 --> 00:01:24,000
You can see here, I'm scanning it right now, and then we can see, you know, how the app responds.

25
00:01:24,180 --> 00:01:27,330
So, for example, if I just fire up, here's our web, right?

26
00:01:27,810 --> 00:01:28,860
Let's just fire up nmap.

27
00:01:29,400 --> 00:01:34,050
I should see if we can scan it with an aggressive scan, and maybe we'll fire up gobuster or something

28
00:01:34,050 --> 00:01:34,590
like that, too.

29
00:01:34,860 --> 00:01:38,550
We're just looking to make sure that we can get that log data inside the app.

30
00:01:39,420 --> 00:01:46,710
So in nmap, we'll do a very aggressive scan, we'll assume that the web application is already active

31
00:01:47,130 --> 00:01:49,940
and go ahead and minimize the app behind it.

32
00:01:52,670 --> 00:01:58,160
Then we'll run an aggressive scan, we'll do a full port scan, zero to 65535,

33
00:01:59,150 --> 00:02:02,870
output will be, let's call it like Justyn that.

34
00:02:04,140 --> 00:02:10,690
Me the reason why it's blocked, and where we want to scan, 10.100.0.91, that is Juice

35
00:02:10,710 --> 00:02:11,080
Shop.

36
00:02:11,390 --> 00:02:17,060
And we also want to do a version enumeration and run some nmap scripts against it, so we can

37
00:02:17,060 --> 00:02:23,670
say default scripts, tack lowercase s capital C, and the version enumeration as well.

38
00:02:24,590 --> 00:02:25,820
So this should be really noisy.

39
00:02:27,590 --> 00:02:30,170
We can press spacebar and update as the scan runs.

40
00:02:31,320 --> 00:02:32,670
You can also open a new tab.

41
00:02:34,170 --> 00:02:35,730
And run gobuster against it.

42
00:02:41,310 --> 00:02:47,640
So with gobuster, we'll just run a very noisy scan, and you can see here I'm just

43
00:02:47,640 --> 00:02:49,980
basically using a previous check that I've done.
44
00:02:52,030 --> 00:02:53,560
So with the increased number of threads

45
00:02:56,320 --> 00:02:58,180
to like 20 or something like that.

46
00:03:00,030 --> 00:03:01,500
Hello, it's good to me.

47
00:03:04,000 --> 00:03:06,080
Right, so we should be generating a lot of noise right now.

48
00:03:09,660 --> 00:03:17,610
And if you look at my source IP, you can see it's 192.168.0.164,

49
00:03:17,610 --> 00:03:18,200
one sixty-four.

50
00:03:18,570 --> 00:03:22,500
So we can flip over to Randy Moralez, get into Splunk.

51
00:03:23,180 --> 00:03:24,930
Let's do a search over the last day for this.

52
00:03:29,450 --> 00:03:29,990
See what happens.

53
00:03:30,020 --> 00:03:30,500
We've got.

54
00:03:32,520 --> 00:03:37,080
All right, so that finished, and you can actually see we've got a lot of events that are being blocked

55
00:03:37,680 --> 00:03:41,350
by our OPNsense firewall, right?

56
00:03:42,270 --> 00:03:43,110
It's being filtered.

57
00:03:45,090 --> 00:03:45,750
So that's good.

58
00:03:48,440 --> 00:03:51,660
Action was blocked, right?

59
00:03:51,740 --> 00:03:54,620
This guy is definitely blocked, and the direction is inbound.

60
00:03:55,760 --> 00:03:56,120
That's good.

61
00:03:56,150 --> 00:03:59,240
Let's look at some of these other source types and Suricata.

62
00:03:59,930 --> 00:04:01,460
Let's look at the job source type.

63
00:04:02,120 --> 00:04:03,210
So this is really interesting.

64
00:04:03,230 --> 00:04:05,750
We can see that this is clearly an attack, right?

65
00:04:05,750 --> 00:04:11,150
Because we have the same source IP, 192.168.0.164,

66
00:04:13,700 --> 00:04:24,290
hitting the same target, but it's hitting different endpoints, for example, index.asp, text, comment,

67
00:04:25,010 --> 00:04:26,560
feedback, podcast.

68
00:04:26,570 --> 00:04:26,850
Right.

69
00:04:26,870 --> 00:04:28,090
It's just doing forced browsing.
70
00:04:28,370 --> 00:04:31,960
And you can see these strings are changing every time.

71
00:04:32,660 --> 00:04:35,420
And the reason why that's happening is because we told it to do that.

72
00:04:36,890 --> 00:04:39,210
Right, controls IDUs tab.

73
00:04:39,950 --> 00:04:42,200
You can see random agent is selected.

74
00:04:42,650 --> 00:04:45,140
And we have our word list that we saw in ZAP.

75
00:04:45,740 --> 00:04:49,940
So in this case, we actually don't have insufficient logging and monitoring.

76
00:04:50,240 --> 00:04:52,420
We're not vulnerable here because of the way we set up our lab.

77
00:04:52,790 --> 00:04:56,030
But, you know, a lot of times there are still gaps.

78
00:04:56,150 --> 00:05:00,340
You know, a lot of times POST requests aren't logged with the same verbosity as GET requests.

79
00:05:00,800 --> 00:05:06,230
And so an attacker might switch the method from GET to POST in order to evade some logging and detections

80
00:05:06,230 --> 00:05:06,870
and that sort of thing.

81
00:05:07,160 --> 00:05:11,840
So it's always important to make sure that your logs are appropriate, that the appropriate levels are

82
00:05:11,930 --> 00:05:17,860
in place, and that you have, you know, maximum visibility into all of the Internet-connected inputs.

83
00:05:18,410 --> 00:05:18,580
Right.

84
00:05:19,160 --> 00:05:20,180
So that's it for this.

85
00:05:20,450 --> 00:05:21,920
We're going to wrap up this entire section,

86
00:05:23,040 --> 00:05:26,270
OWASP penetration testing, and I hope it's been very helpful to you.

87
00:05:26,840 --> 00:05:30,000
Now we're going to move on to the next piece, which I think you guys are absolutely going to.

88
00:05:30,090 --> 00:05:30,810
All right.

89
00:05:30,840 --> 00:05:32,850
I'll see you guys in the next lecture. Bye.