🎥 Webinar - AWS and Suricata (Fundamentals)

We will be hosting an open webinar about the applicability and usage of Network Intrusion Detection Systems (specifically Suricata) and traffic analyses in AWS environments.

In it we'll cover the role network intrusion detection systems play in the MITRE ATT&CK AWS Matrix, networking, deploying and configuring Suricata as well as spending some time with 3CS AutoMirror to create an automated workflow that increases resiliency and security of your NIDS deployments.

The event is interactive and attendees are encouraged to participate as much as possible.

What

We'll be covering the following topics in the event:

Applicability of NIDS and Traffic Analyses in AWS

NIDS role in MITRE ATT&CK® AWS Matrix

Introduction to AWS VPC and its components

Subnetting; DHCP options; Access Control Lists
NAT Instances
Bastion Hosts

Introduction to AWS EC2 in the context of NIDS and traffic capture

Instance Types
Security Groups
Placement Groups & HPC

Deployment and configuration of Suricata

VXLAN
ENI - Elastic Network Interface

AWS Traffic Mirroring
Deployment and configuration of 3CS AutoMirror

Automation
High Availability

When

20th of April @ 4PM UTC. Additional timezones.

Duration of the webinar: 2 hours

Who

The event is open to everyone, even though we will not invite accounts that were created solely to interfere or spam the event. By the time registration closes, if you did not receive an invitation, please reach out to us.

How

Using a Google/YouTube-enabled e-mail address:

REGISTER HERE

Registration closes on the 18th of April.

Attending

ACCESS THE STREAM HERE

Simply visit the URL listed above at the time of the event. Even though you'll receive an email from YouTube inviting you to the stream a few days before the event date, the stream will only be live at the scheduled date.

Participating

There are many different ways that you can interact with us during the event, allowing you to chose the one you're most comfortable with.

The following will be monitored during the event to answer your questions:

Slack: #training in the 3CORESec Community Slack
Slack (DM): @Diogo Braz in the 3CORESec Community Slack
Twitter: Either through a DM or by tweeting at @DiogoBraz
Email: training@3coresec.com

Unfortunately YouTube Live Chat is not available in private streams.

Community Update - 3CORESec Blacklist 📓 🍯

Recently we tweeted about some issues we had with 3CORESec Blacklist , a platform that shares - openly and freely - a subset of the information seen and processed by our honeypot network. While those issues have been addressed, and seeing as significant changes were made to how we monitor the generation of the lists (which is reflected in our status page ) and how we determine if an IP should be listed as an offending IP or not, this felt like a good opportunity to write a bit more about the platform as well as the changes we made. For regular users of Blacklist 📓 the first thing they’ll notice is an increase on the numbers of IPs we include. That is a direct result of the changes we made and the growth of the honeypot network itself. We have not - and will not - ever increase the period for which we query the honeypot network, as we believe anything higher than 24h (as specified in the project page) for IP addresses can quickly fall into a decaying state that adds little value

Detection as Code (DaC) challenges - Introducing Automata

This blog post is the second part of our Detection as Code (DaC) challenges series. You can read part one here . The development process of detections by itself doesn't pose a lot of barriers for security engineering teams, as they are typically done in a lab/controlled environment, but after tuning and deploying rules to a SIEM, the work is only starting. Many things can go wrong after this, and a process of continued and automated testing is crucial. Detection Validation In an ideal (and fictional) world, once the datasets are parsed, normalized, and put into production, detections developed by your team would work forever. Still, the reality is quite different. Maintenance is heavy work that needs to be done frequently - especially if you work on an MSP - but the reality is that the ecosystem lacks tooling and processes to do it proactively. Effectiveness is an important metric and crucial to the successful response of incidents in time, and effectiveness is what we aim to ensu

The undetectable way of exporting an AWS DynamoDB

In this post we'll go over how we found a limitation in the current AWS CloudTrail logging features that limit detection capabilities of possible abuse against AWS DynamoDB, in the event of the user's AWS IAM keys being compromised. The objective of this article is to make users aware of this limitation and discuss alternatives for increasing the detection of attacks that might abuse it. This information was shared initially with AWS and only after going through the disclosure process with their security team did we decide to write it. Introduction & Methodology A big part of the work done for our MDR platform comes from adversary simulation. Even though a lot of effort is put into developing our detection capabilities against a known killchain , we're constantly looking for alternative ways of attacking AWS workloads, regardless if the techniques are seen being used in the wild or not. Our methodology for doing these simulations is quite straightforward. We sta