Dekel Paz

As the authors of this talk can testify from experience, it feels almost impossible to detect cyberattacks, let alone stop them. Alert fatigue and a shortage of automation, skills, and personnel further exacerbate this problem, emphasizing the need for prevention mechanisms that allow defenders time to investigate threats.

Incident response, even if automated, is best done after an attack has already been thwarted. Easier said than done? Not really if you use the right tools!

The right tools we will discuss in this talk are our open-source RPC-Firewall and LDAP-Firewall. First, we prevent! We show how these tools can be used in every Microsoft domain environment to halt innumerable attacks throughout the kill chain. We can stop the initial stages of an attack by preventing domain enumerations via SharpHound, BloodHound.py, SOAPHound, and various LDAP queries. We can also prevent numerous types of privilege escalation and lateral movement attacks, including DCSync attacks, remote DCOM execution, PsExec, PetitPotam attacks, Coercing attacks, and many more…

Second, we detect! Our open-source tools write Windows events to the local event logs, which can be easily forwarded to your local SIEM. The RPC Firewall and LDAP Firewall also have their own Sigma rules published for them, making detection engineering even simpler. Using Sentinel as an example, we show how these events can be ingested into any SIEM, how baselines can be easily created, and how detection rules are formulated.

Finally, we will summarize with RPC and LDAP firewall internals, which will help guide the security community on how to better contribute, expand, and customize these open-source tools to bring more value to the community.