Q&A from the Webinar: 12 Crucial Windows Security Skills for 2017

On 26 October, CQURE Academy ran its annual Webinar, where we revealed the 12 Windows Security Skills that we think will be crucial in 2017. Below we publish the most interesting questions we received from participants during the Webinar, together with our answers.

Q1: Can you recap all the 12 crucial skills for 2017?

Here you go, the list of 12 crucial Windows Security Skills for 2017 by CQURE Academy:

#1 Skill: Machine Learning for Threat Protection
#2a Skill: Incident Response Plan
#2b Skill: Malware Analysis Sandbox
#3 Skill: Whitelisting
#4 Skill: Privileged Access Management
#5 Skill: Well done PKI Implementation
#6 Skill: Hardware-based Credentials Protection
#7 Skill: PowerShell Level Master
#8 Skill: Learn How to Talk Security to Managers
#9 Skill: Event Tracing For Windows
#10 Skill: Log Centralization
#11 Skill: Mastered Windows Server 2016
#12 Skill: Pentesting Yourself When You Can

Q2: Can you share the slide deck from the Webinar?

Here is the complete slide deck:

Q3: How to protect a Windows server from ransomware?

Here is a link to our blog post about it.

Q4: Last year Microsoft bought a company and a tool that does packet capture of AD servers to monitor user behavior and possible abuse. Can’t remember the name, have you heard about this tool?

Microsoft Advanced Threat Analytics – it is a great example of machine learning technology working for your system security.

Q5: What is the most difficult thing about being a security specialist?

The most difficult part is deciding to commit to long-term research without knowing whether it will succeed. For a regular company, that is a big commitment. Luckily, all the research we have done has resulted in something cool. For example, here is the link to our latest research.

Q6: We are looking for a “simple” new syslog-server, which one do you advise?

Have a look at Kiwi – their products are not free, but they are very good and have been well known for years.

Q7: Are you able to spot that there is jumping between Windows kernel ring levels?

In theory, you can see it by checking the RPL and CPL values (the low two bits of the segment selectors), but in practice you should expect everything the Windows kernel does to happen at ring 0.

Q8: Is there any difference when dumping the private key if the private key is protected by a KSP (CNG) versus a CSP (CryptoAPI)?

It depends on where the key is at the moment you dump it. When it is in OS memory – yes, absolutely, for example using the crypto::cng command from mimikatz.
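The practical follow-up to this question is knowing which of your own keys are the exposed ones before anyone dumps them. The script below is an added example (not code from the webinar or from CQURE): it inventories the machine certificate store and reports, for each private key, whether it sits in a legacy CSP or a CNG KSP, which provider holds it, and whether it is exportable. Software-backed, exportable keys are the ones most easily recovered from a compromised host; the fix is to keep them non-exportable or, better, in a TPM- or HSM-backed KSP (Skill #6). It assumes Windows PowerShell 5.x on .NET 4.6 or later, which provides RSACertificateExtensions.

```powershell
# Added example, not part of the webinar: report which provider (CSP vs. CNG KSP)
# protects each private key in a certificate store and whether the key is exportable.
# Assumes Windows PowerShell 5.x with .NET Framework 4.6+ (RSACertificateExtensions).

function Get-PrivateKeyProviderInfo {
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # store to inventory

    foreach ($cert in Get-ChildItem $StorePath | Where-Object HasPrivateKey) {
        $api = $null; $provider = $null; $export = $null
        try {
            # GetRSAPrivateKey returns RSACng for CNG keys and
            # RSACryptoServiceProvider for CryptoAPI keys (null for non-RSA keys).
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $api      = 'CNG (KSP)'
                $provider = $rsa.Key.Provider.Provider       # e.g. Microsoft Software Key Storage Provider
                $export   = "$($rsa.Key.ExportPolicy)"      # None / AllowExport / AllowPlaintextExport
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $api      = 'CryptoAPI (CSP)'
                $provider = $rsa.CspKeyContainerInfo.ProviderName
                $export   = if ($rsa.CspKeyContainerInfo.Exportable) { 'AllowExport' } else { 'None' }
            }
            else {
                $api = 'non-RSA key'
            }
        }
        catch {
            # Typically "keyset does not exist" or access denied when not running as admin.
            $api = "error: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            KeyApi     = $api
            Provider   = $provider
            Export     = $export
            # Software provider + exportable = the key a dump would hand over intact.
            Exposed    = ($provider -like '*Software*') -and ($export -notin @('None', $null, ''))
        }
    }
}

# Run as administrator so machine keys can be opened; most exposed keys listed first.
Get-PrivateKeyProviderInfo | Sort-Object Exposed -Descending | Format-Table -AutoSize
```

The same information is visible in the output of `certutil -store -v My` (look at the Provider and Key Container lines); the script only makes it easier to triage a fleet. Note that a non-exportable key is still usable by anyone who controls the host while it is running, so the flag is about what survives a dump, not about whether a key can be abused in place.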

Q9: Would you run sysmon on servers?

Absolutely yes.

Q10: What is the risk of using old operating systems like Windows XP?

Very high – we should not be using something that has not been maintained and updated for such a long period of time, and there are so many known issues with those systems.

Q11: How do you secure environments where Python is widely used and installed, since libraries like scapy can replace most tools in an attacker’s arsenal?

An environment is really safe when it defends itself, not when you block particular tools. We know it is significantly harder to work in an environment full of Python installations, but you can handle it by limiting account privileges.

Q12: What is the best way to defend against ARP poisoning? Do sticky macs work?

Port security 🙂
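Port security (with sticky MACs) controls which stations a switch port accepts; a station that is legitimately on the port can still send forged ARP replies, which is what Dynamic ARP Inspection on the switch addresses. Either way it helps to be able to tell from the host whether its neighbour cache has been tampered with. The function below is an added example (not from the webinar) of that host-side check on Windows: it flags one MAC answering for several IPs and a gateway MAC that differs from a value recorded while the network was trusted. It assumes IPv4 and the NetTCPIP cmdlets (Windows 8 / Server 2012 and later); the gateway MAC passed in is a placeholder.

```powershell
# Added example, not part of the webinar: detect signs of ARP poisoning from a
# Windows host's neighbour cache. Assumes IPv4 and the NetTCPIP module.

function Get-ArpAnomaly {
    [CmdletBinding()]
    param(
        # Gateway MAC recorded earlier from a trusted position (format 00-11-22-33-44-55).
        [string]$ExpectedGatewayMac
    )

    # Default gateway = next hop of the lowest-metric 0.0.0.0/0 route.
    $gateway = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
                Sort-Object RouteMetric | Select-Object -First 1).NextHop

    # Only resolved entries; drop broadcast/unresolved placeholders.
    $neighbors = Get-NetNeighbor -AddressFamily IPv4 |
        Where-Object {
            $_.State -in @('Reachable', 'Stale', 'Permanent') -and
            $_.LinkLayerAddress -notin @('00-00-00-00-00-00', 'FF-FF-FF-FF-FF-FF')
        }

    $findings = @()

    # One MAC mapped to several IPs is the classic signature of a station that has
    # claimed the gateway's (or a peer's) address. Routers with several addresses on
    # one subnet and VRRP/HSRP virtual MACs are the legitimate exceptions to review.
    $neighbors | Group-Object LinkLayerAddress | Where-Object Count -gt 1 | ForEach-Object {
        $findings += [pscustomobject]@{
            Check  = 'MAC maps to multiple IPs'
            Detail = '{0} -> {1}' -f $_.Name, (($_.Group | ForEach-Object IPAddress) -join ', ')
        }
    }

    # Gateway MAC drifted from the known-good value.
    if ($ExpectedGatewayMac -and $gateway) {
        $expected = $ExpectedGatewayMac.ToUpper().Replace(':', '-')
        $current  = ($neighbors | Where-Object IPAddress -eq $gateway).LinkLayerAddress
        if ($current -and $current -ne $expected) {
            $findings += [pscustomobject]@{
                Check  = 'Gateway MAC changed'
                Detail = "$gateway is now $current, expected $expected"
            }
        }
    }

    $findings
}

# Usage: record the gateway MAC once from a trusted position, then run this periodically
# (or from a scheduled task) and alert on any output. The MAC below is a placeholder.
Get-ArpAnomaly -ExpectedGatewayMac '00-11-22-33-44-55'
```

On a host that cannot rely on switch-side protection, pinning the gateway with a static neighbour entry (`New-NetNeighbor` with `-State Permanent`) removes the easiest target for a forged reply; the check above then turns into a pure integrity monitor for the remaining entries.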

Q13: Will you provide training for the beginners?

We are considering it! Stay tuned!

Q14: About the pre-authentication “kekeo” attack: if the pre-auth tickets are signed by the private key on the SC then won’t it be sufficient to revoke the SC cert to prevent the reuse of the tickets?

The best approach is to disable the user.

Q15: Do I need sysmon to monitor network connections for browsers?

It depends on your goal; both options are fine. A user may execute some malicious JavaScript and you may want to know where it came from. It depends on the type of information you would like to get.

Q16: How to split sysmon logs into threads by theme?

Do you mean filtering? You can do that in the Event Viewer directly. Filter or select the chosen events and, in the right pane, use the Save Selected Events option.
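The two sysmon questions above (browser network connections, and pulling a theme out of the log) are easier to answer with a script than in the Event Viewer once more than one machine is involved. The following is an added example, not code from the webinar: it reads Sysmon Event ID 3 (NetworkConnect) events for the last 24 hours, keeps those generated by browser processes, summarises the destinations, and exports the same time window to an .evtx file with `wevtutil`, which is the command-line equivalent of Save Selected Events. It assumes Sysmon is installed with network-connection logging enabled (Sysmon's `-n` switch or a NetworkConnect rule in its configuration); without that, there are no ID 3 events to read. The browser list and output path are assumptions.

```powershell
# Added example, not part of the webinar: filter Sysmon NetworkConnect events (ID 3)
# down to browser processes, summarise destinations and export the window to .evtx.
# Assumes Sysmon logs network connections (-n switch or NetworkConnect rule).

$LogName  = 'Microsoft-Windows-Sysmon/Operational'
$Browsers = @('chrome.exe', 'firefox.exe', 'msedge.exe', 'iexplore.exe')   # assumption: browsers in use
$Since    = (Get-Date).AddHours(-24)
$OutFile  = Join-Path $env:TEMP 'sysmon-netconn-last24h.evtx'              # assumption: output path

# Event ID 3 from the last 24 hours; SilentlyContinue avoids an error when the log is empty.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = 3
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Sysmon stores its fields as named <Data> elements; turn each event into an object
# holding the fields a responder asks about first.
$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($field in $xml.Event.EventData.Data) { $d[$field.Name] = $field.'#text' }

    $image = (Split-Path -Leaf $d['Image']).ToLower()
    if ($Browsers -contains $image) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Process     = $image
            ProcessId   = $d['ProcessId']
            User        = $d['User']
            Destination = '{0}:{1}' -f $d['DestinationIp'], $d['DestinationPort']
            DestHost    = $d['DestinationHostname']
        }
    }
}

# Which destinations did browsers talk to, and how often? Rare destinations at the
# bottom of the list are usually the ones worth a second look.
$rows | Group-Object Destination | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Export the same window (all ID 3 events, last 24 h) as raw evidence for a SIEM or
# a colleague. The XPath is the form Event Viewer itself generates for a filtered view.
$query = "*[System[(EventID=3) and TimeCreated[timediff(@SystemTime) <= 86400000]]]"
wevtutil epl $LogName $OutFile "/q:$query"
```

The export keeps every ID 3 event rather than only the browser subset so the evidence file stays complete; the per-process filter is an analysis step, and the same pattern (pick an ID, parse the named fields, group) works for any other Sysmon theme such as process creation (ID 1) or driver loads (ID 6).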

Q17: I would love to join your next webinars!

Thank you! We will be running them from time to time 🙂 This time we wanted to set your mood for 2017.
