Possible improvements for next year(s)

[juju4]

Background:

ideas list. requirements/outcomes to be determined by BTV.

Features/Capabilities

• Kubernetes. possible monitoring with falco
• Possible multi-cloud, Azure, GCP
• Develop IOT?
• Have an AI/bot somewhere to exploit? https://github.com/LAION-AI/Open-Assistant
• Attack with powershell-core on linux (which also has logging capabilities like windows side)

Infra

• Logs: Leverage more cribl pipeline options like sampling, enrichment, trimming and so on
  • https://cribl.io/blog/trimming-unnecessary-fields-from-logs/
  • https://docs.cribl.io/stream/xml-unroll-function
• Logs: More infra logs like teleport in SIEM
• Logs: May want to send velociraptor server/client logs to main or separate from linux/play field?
• Logs: same for filebeat own logs from clients but likely harder to filter. may be easier to send them to separate file other than /var/log/syslog and create specific pipeline for it
• Logs: collect from linux journald instead of syslog
• Deployment: a dedicated infra jumphost inside aws to launch deployment would be nice, especially for windows/winrm side that's less easy to tunnel through teleport. it can also be used as self host agent for github action and do deployment directly. Or with a Tower/AWX web UI for ansible.
• cost management: https://www.infracost.io/, https://github.com/kamranahmedse/aws-cost-cli, https://github.com/mivano/azure-cost-cli
• Backup access: if teleport is unavailable, what's the backup? serial console seems to require being inside AWS and will need a local account with password set (aka _breakglass). likely keep openvpn + easier for winrm tunneling
• RBAC (more reminder than improvement) roles/groups: seceng (infra), contributors, redteam, iot (KC), public/during defcon

[juju4]

• Set up a aws server with github actions agent to pass normal limit - https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners

[juju4]

• Splunk: configure CIM/Data inventory

[juju4]

• Elasticseach has few integrations for sysmon linux and osquery but using elastic agent instead of beat. may want or not use it https://docs.elastic.co/integrations/sysmon_linux https://docs.elastic.co/integrations/osquery https://www.elastic.co/guide/en/fleet/current/beats-agent-comparison.html#additional-capabilities-beats-and-agent else filebeat has module for osquery https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-osquery.html https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html

• grafana dashboards for logs system, volume, licensing, error/warn: cribl, splunk, so

• anticipate more / test early full environment load on logging and probably other aspects

[juju4]

• osquery fields parsing by cribl (#137)

[juju4]

• network capture: use packetbeat
• enterprise setup: add chat like mattermost (or o365 if can deal w license), upload service like up1, lufi or timvisee/send (end-to-end encryption, enabled or find way to disable fully/partially if in scenario)
• Add clamwin/clamav to have some AV coverage/logs like most environments have (or maybe another free one on win?)
• kubernetes. how?
  • paas (aws, azure...)
  • over VM with k3s, minikube or else
  • security coverage? falco, other

[juju4]

From sans-ab email thread

• https://github.com/Fortiphyd/GRFICSv2
• build "lego city" PLC
• https://www.fortiphyd.com/training/ ($)

[juju4]

on web side (vulnerable webserver, wiki...), need to generate some normal+noise traffic on webserver else not really real word. same with AutoHotKeys to do noise on Windows end-users

[juju4]

• On velociraptor offline collections config. it is always possible to extract config of a given triage binary. Sample configs: https://github.com/juju4/velociraptor-offline-collections
• PR review for teleport cluster https://github.com/blueteamvillage/btv-sec-eng-teleport-cluster/pull/8