Sagie

VP Research

Back to the list of Speakers and Sessions

Sagie VP Research, ZeroNetworks

Sagie is a defensive security researcher, leading the Zero-Labs team as VP of Research @ Zero Networks. With a bachelor's in Electrical-Engineer, Sagie started out designing and breaking-up communication schemas in the Intelligence unit of the military. After his service, Sagie went on to perform research on diverse topics, introducing new attacks techniques such as the "man-in-the-cloud" attacks and supply chain compromises against container developers. In recent years, Sagie is focused on research that delivers practical solutions to security teams, mainly in the form of open source security tools.


Workshop: Prevent First, Detect Second: An Open-Source Approach

Workshops are first-come, first-serve and have limited capacity. Some workshops may be streamed for additional passive participation.


As the authors of this talk can testify from experience, it feels almost impossible to detect cyberattacks, let alone stop them. Alert fatigue and a shortage of automation, skills, and personnel further exacerbate this problem, emphasizing the need for prevention mechanisms that allow defenders time to investigate threats.

Incident response, even if automated, is best done after an attack has already been thwarted. Easier said than done? Not really if you use the right tools!

The right tools we will discuss in this talk are our open-source RPC-Firewall and LDAP-Firewall. First, we prevent! We show how these tools can be used in every Microsoft domain environment to halt innumerable attacks throughout the kill chain. We can stop the initial stages of an attack by preventing domain enumerations via SharpHound, BloodHound.py, SOAPHound, and various LDAP queries. We can also prevent numerous types of privilege escalation and lateral movement attacks, including DCSync attacks, remote DCOM execution, PsExec, PetitPotam attacks, Coercing attacks, and many more…

Second, we detect! Our open-source tools write Windows events to the local event logs, which can be easily forwarded to your local SIEM. The RPC Firewall and LDAP Firewall also have their own Sigma rules published for them, making detection engineering even simpler. Using Sentinel as an example, we show how these events can be ingested into any SIEM, how baselines can be easily created, and how detection rules are formulated.

Finally, we will summarize with RPC and LDAP firewall internals, which will help guide the security community on how to better contribute, expand, and customize these open-source tools to bring more value to the community.