Cybersecurity content (in English and Polish):
https://www.youtube.com/playlist?list=PL0RdRWQWldOAAKBqOVEutxKMP-a6CNoLY
Michał Sołtysik - Deep packet inspection analyses - why the typical approach is not enough (ENG):
Title of the lecture: Deep packet inspection analyses: why the typical approach is not enough.
Description of the lecture: There is an unquestionable need to perform regular deep packet inspection analyses, i.e. network edge profiling. Providing standard SOC type services that use tools, such as SIEM, SOAR, IPS, WAF, EDR and others leads to a partial waste of human resources due to the constant dealing with the so-called "false positives". The cybersecurity industry is currently characterized by superficiality, insufficient competence and low cyber awareness. Cybercriminals are in possession of hundreds of mechanisms that they regularly take advantage of to break through firewalls. In this lecture, I will present an advanced view of the realities that teams such as SOC are unable to deal with, and explain why this is the case. I will use extensive knowledge of a variety of threats, based on analysis of 252 different network protocols from the areas of IT, OT and IoT.
Content:
Example number 1 - based on different level monitoring of HTTP traffic through SIEM system vs. DPI analysis on the example of RCE - Unauthorized User Account Creation vulnerability.
Example number 2 - based on File Upload / RCE vulnerability and HTTP traffic.
Example number 3 - based on TCP, FTP, DNS, PNIO, ICMP, RTCP, UDP, ICP, NBNS and SNMP traffic.
Example number 4 - based on RTT Measurements during DoS / DDoS cyber attacks.
Example number 5 - based on Modbus/TCP, WTP, H.225.0 RAS, GTP, RTCP and PFCP traffic.
Example number 6 - based on GTP, TIPC and CIGI traffic.
Example number 7 - based on ADwin and BAT_GW traffic.
Example number 8 - based on RCE vulnerability and MANOLITO and EtherCAT traffic.
20 simple tips - how to be a proficient network traffic analyst performing deep packet inspections.
URL: https://www.youtube.com/watch?v=_ulFvQ1z7j8
Click to watch on YouTube:
Michał Sołtysik - Deep Packet Inspection Analysis - Examining One Packet Killers (ENG):
Title of the lecture: Deep Packet Inspection Analysis: Examining One Packet Killers.
Description of the lecture: Security Operations Center (SOC) teams monitor network traffic using SIEM and IPS solutions, along with other security tools. However, these tools can sometimes fall short in their capability, particularly when faced with complex attacks that exploit legitimate network protocols, such as a single, crafted packet. To combat these threats, SOC teams must adopt advanced techniques such as Deep Packet Inspection (DPI). The webinar explores DPI analysis techniques to detect and mitigate "One Packet Killers", using real-world examples from DHCP, H.225.0, Modbus over TCP, WTP, and BAT_GW protocols. Furthermore, it examines the intricacies of each protocol and highlights how specific message manipulations within these protocols can activate Denial-of-Service (DoS) attacks or disrupt communication flows. By mastering DPI techniques and addressing these protocol security weaknesses, SOC teams can enhance their ability to maintain a robust network security posture.
Content:
Opening words
Why IPS, WAF, and SIEM solutions are not enough.
Summary of the need for deep packet inspection analysis.
The four main categories of weaknesses/vulnerabilities.
DoS Attack Categories.
One Packet Killer via a vulnerability (CVE-2021-45105).
One Packet Killer via a weak protocol design in DHCP.
One Packet Killer via a weak protocol design in Modbus over TCP.
One Packet Killer via a weak protocol design in WTP.
One Packet Killer via a weak protocol design in BAT_GW.
One Packet Killer via a weak protocol design in H.225.0.
Findings (a breakdown of the possibilities and limitations behind functionalities within protocols which can be misused for DoS attacks under specific circumstances).
Protocol-based DoS Attacks.
DoS Attacks: Classification and Protocol Weakness Examples.
Some possible reasons why an attacker might send a single such packet ('One Packet Killer').
Conclusions of the webinar.
Recommendations on protocol weaknesses.
An example of a 'Silent Killer' using a ubiquitous protocol DNS.
Q&A.
Closing words.
URL: https://www.youtube.com/watch?v=8cX7Fn5AM04
Click to watch on YouTube:
Michał Sołtysik - Remcos RAT threat analysis on Windows including IEC 60870-5-104 traffic (ENG):
Title of the lecture: Remcos RAT threat analysis on Windows including, surprisingly enough, IEC 60870-5-104 traffic.
Description of the lecture: Typically, malware uses popular protocols such as HTTP or TLS to exfiltrate data. However, Remcons uses IEC 60870 part 5, which provides a communication profile for sending basic telecontrol messages between two systems usually in electrical engineering and power system automation, for that very reason.
Content:
Remcos analysis
IEC 60870-5-104 traffic analysis
URL: https://www.youtube.com/watch?v=4fc_NcJxIyw
Click to watch on YouTube:
Author:
Michał Sołtysik
Cybersecurity Analyst & Consultant
Specializing in deep packet inspection (i.e. network edge profiling and 0-day attacks).
To date, he has identified 253 protocols in the IT, OT and IoT areas used for cyber attacks.
Additionally, a Digital and Network Forensics Examiner, CyberWarfare Organizer and SOC Trainer.
C)CSA - Certified Cyber Security Analyst
C|SA - Certified SOC Analyst
C)NFE - Certified Network Forensics Examiner
C)DFE - Certified Digital Forensics Examiner
WCNA - Wireshark Certified Network Analyst
C|ND - Certified Network Defender
C)ISSO - Certified Information Systems Security Officer
C)PTC - Certified Penetration Testing Consultant
C)PTE - Certified Penetration Testing Engineer
C)PEH - Certified Professional Ethical Hacker
C)VA - Certified Vulnerability Assessor
RvBCWP - Red vs Blue Cyber Warfare Practitioner
CM)IPS - Certified Master Intrusion Prevention Specialist
CIoTSP - Certified Internet of Things Security Practitioner
OOSE - OPSWAT OT Security Expert
CNSP - Certified Network Security Practitioner
CNSE - Certified Network Security Engineer
CCE - Certified Cybersecurity Expert
CCSS - Certified Cyber Security Specialist
Accredited by ANAB under ISO/IEC 17024.
Accredited by the NSA CNSS 4011-4016.
Approved by DoD under Directive 8570 (previously) / 8140 (presently).
Mapped to NIST / Homeland Security NICCS's Cyber Security Workforce Framework.
Mapped to NCWF (NICE Cybersecurity Workforce Framework).
Approved on the FBI Cyber Security Certification Requirement list (Tier 1-3).
Recognized by NCSC - part of GCHQ (UK's intelligence, security, and cyber agency).
Contact:
Mail: [email protected]
LinkedIn: https://www.linkedin.com/in/michal-soltysik-ssh-soc/
Accredible: https://www.credential.net/profile/michalsoltysik/wallet