BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.nsec.io//Z9TZAS
BEGIN:VTIMEZONE
TZID:EST
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T070000Z
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:STANDARD
DTSTART:20071104T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000402T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T080000Z
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20070311T030000
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-2024-Z9TZAS@cfp.nsec.io
DTSTART;TZID=EST:20240516T100000
DTEND;TZID=EST:20240516T120000
DESCRIPTION:As the authors of this talk can testify from experience\, it fe
 els almost impossible to detect cyberattacks\, let alone stop them. Alert 
 fatigue and a shortage of automation\, skills\, and personnel further exac
 erbate this problem\, emphasizing the need for prevention mechanisms that 
 allow defenders time to investigate threats.\n\nIncident response\, even i
 f automated\, is best done after an attack has already been thwarted. Easi
 er said than done? Not really if you use the right tools!\n\nThe right too
 ls we will discuss in this talk are our open-source RPC-Firewall and LDAP-
 Firewall.\nFirst\, we prevent! We show how these tools can be used in ever
 y Microsoft domain environment to halt innumerable attacks throughout the 
 kill chain. We can stop the initial stages of an attack by preventing doma
 in enumerations via SharpHound\, BloodHound.py\, SOAPHound\, and various L
 DAP queries. We can also prevent numerous types of privilege escalation an
 d lateral movement attacks\, including DCSync attacks\, remote DCOM execut
 ion\, PsExec\, PetitPotam attacks\, Coercing attacks\, and many more…\n\
 nSecond\, we detect! Our open-source tools write Windows events to the loc
 al event logs\, which can be easily forwarded to your local SIEM. The RPC 
 Firewall and LDAP Firewall also have their own Sigma rules published for t
 hem\, making detection engineering even simpler. Using Sentinel as an exam
 ple\, we show how these events can be ingested into any SIEM\, how baselin
 es can be easily created\, and how detection rules are formulated.\n\nFina
 lly\, we will summarize with RPC and LDAP firewall internals\, which will 
 help guide the security community on how to better contribute\, expand\, a
 nd customize these open-source tools to bring more value to the community.
DTSTAMP:20260415T010315Z
LOCATION:Workshop 2
SUMMARY:Prevent First\, Detect Second: An Open-Source Approach - Sagie\, De
 kel Paz
URL:https://cfp.nsec.io/2024/talk/Z9TZAS/
END:VEVENT
END:VCALENDAR
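The abstract above describes the detection half of the workflow: RPC-call audit events land in the local event log, get forwarded to a SIEM, a baseline is built, and detection rules are written over it. The script below is an added example of that baseline-then-detect logic, not code from the talk, from the RPC Firewall or LDAP Firewall projects, or from their published Sigma rules. The pipe-delimited event format, host addresses and user names are constructed for the example and do not reflect the tools' real log schema; the DRSUAPI interface UUID and the DRSGetNCChanges opnum (3) are the well-known identifiers that a DCSync attack exercises.

```python
"""Baseline-then-detect over RPC-call audit events.

Added example. The 'ts|src_ip|interface_uuid|opnum|user' line format,
hosts and users below are a constructed sample, not the RPC Firewall's
real event schema; only the DRSUAPI UUID and opnum are real identifiers.
"""
from collections import defaultdict
from dataclasses import dataclass

# Well-known identifiers: the MS-DRSR (DRSUAPI) replication interface and
# the opnum of DRSGetNCChanges, the call DCSync abuses to pull secrets.
DRSUAPI_UUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"
DRS_GET_NC_CHANGES_OPNUM = 3
# SAMR interface UUID, used here for an ordinary enumeration call.
SAMR_UUID = "12345778-1234-abcd-ef00-0123456789ac"

# Constructed: which hosts are legitimately allowed to replicate.
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}


@dataclass(frozen=True)
class RpcEvent:
    ts: str
    src_ip: str
    interface_uuid: str
    opnum: int
    user: str


def parse_events(text):
    """Parse constructed 'ts|src_ip|interface_uuid|opnum|user' lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, uuid, opnum, user = line.split("|")
        events.append(RpcEvent(ts, src, uuid.lower(), int(opnum), user))
    return events


def build_baseline(events):
    """Per interface, the set of (src_ip, opnum) pairs seen during training."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev.interface_uuid].add((ev.src_ip, ev.opnum))
    return baseline


def detect(events, baseline, domain_controllers):
    """Return (rule_name, event) findings.

    Rule 1: DRSGetNCChanges from any host that is not a domain controller
            (DCSync pattern), regardless of baseline.
    Rule 2: any (caller, opnum) pair on an interface not seen in training.
    """
    findings = []
    for ev in events:
        if (ev.interface_uuid == DRSUAPI_UUID
                and ev.opnum == DRS_GET_NC_CHANGES_OPNUM
                and ev.src_ip not in domain_controllers):
            findings.append(("dcsync_from_non_dc", ev))
        elif (ev.src_ip, ev.opnum) not in baseline.get(ev.interface_uuid, set()):
            findings.append(("new_rpc_caller_or_opnum", ev))
    return findings


# Constructed training window: DC-to-DC replication plus one workstation
# making a routine SAMR call.
TRAINING_LOG = f"""
# ts|src_ip|interface_uuid|opnum|user
2024-05-01T08:00:00Z|10.0.0.11|{DRSUAPI_UUID}|3|DC02$
2024-05-01T08:05:00Z|10.0.0.10|{DRSUAPI_UUID}|3|DC01$
2024-05-01T09:00:00Z|10.0.5.23|{SAMR_UUID}|0|alice
"""

# Constructed detection window: one benign replication, one DCSync attempt
# from a workstation, one never-seen caller, one baselined call.
DETECTION_LOG = f"""
2024-05-16T10:00:00Z|10.0.0.11|{DRSUAPI_UUID}|3|DC02$
2024-05-16T10:01:00Z|10.0.5.23|{DRSUAPI_UUID}|3|alice
2024-05-16T10:02:00Z|10.0.7.99|{SAMR_UUID}|0|bob
2024-05-16T10:03:00Z|10.0.5.23|{SAMR_UUID}|0|alice
"""


def run_demo():
    """Build the baseline from TRAINING_LOG and return (rule, src_ip) hits."""
    baseline = build_baseline(parse_events(TRAINING_LOG))
    hits = detect(parse_events(DETECTION_LOG), baseline, DOMAIN_CONTROLLERS)
    return [(rule, ev.src_ip) for rule, ev in hits]


if __name__ == "__main__":
    for rule, src in run_demo():
        print(f"{rule}: {src}")
```

The two rules are deliberately layered: the DCSync rule fires on a fixed, high-confidence pattern and does not care whether the baseline happens to contain it, while the baseline rule is the noisy catch-all that surfaces new callers for triage. In a real SIEM the same split applies, with the first shaped like a published Sigma rule and the second built from a training window of the forwarded events.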
