01 - 01 - Introduction To Defensive Python - en

This course focuses on defensive Python, contrasting with previous content that emphasized offensive techniques. It highlights the importance of using Python for automating defense, identifying vulnerabilities, and monitoring systems for suspicious activities, such as brute force attacks. The course will also explore developing scripts specifically for defensive purposes and active defense strategies, including network traffic analysis and connection hijacking.

Uploaded by rasha.ziad.share
Hello and welcome to this course in which we're talking about defensive Python. So far in this learning path, we've been rather focused on the offensive side and how we can use Python to automate a lot of offensive activities. In this course, we're going to talk about the other side, more blue team and defensive Python. And so we're going to start out this video with our introduction to defensive Python, where we'll have two sections. We're going to start out with an introduction to defensive Python, sort of talk about why we want to use Python defensively and some of the ways that we can do so. After that, we're going to dive a lot more into that by talking about how we can automate defense with Python. And so let's get started.

So as I mentioned, so far this learning path has been very focused on offense. However, that's not to say that if you're on the defensive side, the techniques that we've covered are not useful. In fact, pretty much everything that we've covered is useful for defenders as well. The whole premise behind ethical hacking and pen testing is to have someone offensively attack the system and find out what's wrong with it so that you can fix it. And so if you can use Python offensively, you can help identify the vulnerabilities and holes in your defenses and then fix them before anyone else can find them and take advantage of them. And so many of the different techniques we've talked about so far in this learning path are directly applicable in their current form. However, many of those techniques or the skills that we've demonstrated can also be useful defensively directly.

For example, reconnaissance. So we've talked a lot about how to evaluate the attack surface of an organization, and that's really useful for a defender as well. If you have issues with, say, shadow IT, where there are systems being set up that aren't authorized and that you don't know about, the ability to determine "this system exists and this is what it's doing" is not only good for patching the vulnerabilities in the system, it's good for knowing the system is even there. And so a lot of those scripts and techniques that we talked about in our reconnaissance course are also useful for defense.

Another example of something useful defensively is password analysis. And so we talked a lot about finding passwords, determining if they're strong, determining if maybe someone's using variations on the same password, etcetera. And so for most organizations, passwords are one of their biggest lines of defense and one of the weakest ones as well. A lot of the time, the most common technique that attackers use to gain access to environments is account takeover attacks. They determine a username and a password and they log in as that user. And so anything you can do to make that harder is probably a good thing. So multifactor authentication is a great idea, but also doing some work to see if someone has access to my environment, or looking at these passwords, are they easy to break, are passwords easy to find, is a good idea, and we covered ways to do that in earlier courses.

A third source of invaluable information is the registry. So the Windows registry is essentially a giant configuration file for the operating system. And we could spend entire courses just talking about, well, if you look here, this is a value of interest, here's how you can use it offensively or defensively, here's why you should monitor it, etcetera. And so we've looked at a couple of cases here and discussed the skills behind it. But just in general, knowing more about the Windows registry and building some monitoring scripts in Python definitely can help your security.

And then finally we talked about searching the file system for certain keywords, etcetera. And so that can be useful for finding credentials, finding sensitive data, etcetera. Another application could be for regulatory compliance. So for example, you're supposed to protect certain types of data in certain ways. And so the ability to check a computer to say, do I have any data that matches these criteria? If so, and it's not protected in the proper way, we've got a problem that we need to fix. And so that's a defensive application of the skills that we've looked at in other courses in the learning path.

And so those are some examples of where the offensive techniques and scripts that we've looked at can be just slightly tweaked or even reused exactly as they are and turned to defensive purposes. However, we also can develop scripts that are focused solely on defense, and that's what we're going to be talking about here in this course.

And so our attack chain in the earlier courses here was eventually based off of brute force, password guessing or credential stuffing. So we started out with reconnaissance and learned what we could about the target environment. And so our end goal hopefully was learning about vulnerabilities that are known for the system, also useful for patching, by the way. But if we couldn't find any vulnerabilities, we can always fall back: we've identified that this is the type of system with a login portal, let's see if we can guess the user and password. And so then we talked about automating that process in our initial access section. When we talked about gaining access to credentials, we discussed stealing credentials, which then could be fed into this brute force, password guessing, credential stuffing, etcetera. And so we're really focusing in on this account takeover, partially because it's an excellent way to demonstrate automation with Python and also it's a really common attack vector. And so if you can do it, if you can detect it and if you can block it, you're in a better position.

And so, how could we use Python to detect and protect against this particular attack vector? So we're going to look at a few different ways for doing so, and our goal of the first section of our diagram at the bottom here, as you see, is suspicious traffic, which we can define in a few different ways. So one thing that we're going to do is we're going to take advantage of Windows event logs. And so the Windows operating system has a lot of logs that store a lot of data, and some of that data is useful for detecting brute force password guessing attacks. And so we'll take a look at using Python to access Windows event logs and look for signs of the failed logins that are sort of a fingerprint or signature for these types of attacks. And if we see them, and we see too many of them for some definition of too many, we've got a suspicion and we need to start digging into what's going on in our systems.

The other thing that we're going to look at is network traffic. Network traffic is a great source of information, and Python and Scapy are great for performing network traffic analysis. And so we're going to take a look at network traffic in a couple of different ways. So one way is we're going to specifically look for the type of traffic that looks like a brute force attack. We'll look at a couple of protocols, and using Scapy to sniff and analyze traffic we'll determine: was this a successful authentication or did it fail, and if it failed, did it fail because of the password being incorrect? If so, and that happens enough, we've got a brute force password guessing attack or a credential stuffing attack. And that's suspicious traffic that we want to do something about.

The other approach that we're going to take is a little bit more general. And so we're going to do a very, very high level introduction to machine learning, because Python has a lot of machine learning functionality and covering all of it is several courses all by itself. So we're going to focus in on just a couple of things. We're going to talk about one of the most important parts of machine learning, which is feature selection, or making sure you put the right data into the system. And so we'll talk about how to pick some good features for Python if you want to start detecting anomalous traffic on your network. And then after that we'll just do some basic statistical analysis to say, does this packet look weird? And if it does look weird, we should probably investigate further.

And so at the end of these different analysis techniques, we essentially have reached the point where we have suspicious traffic for some reason. Either we've looked at the logs, we know that there's a credential stuffing attack going on, so we need to grab that stuff off the network, or we've looked at network traffic and we're like, this is either absolutely a password attack or it's weird enough that we want to look at it further. And so we've got suspicious traffic. We can investigate and we can respond. But we also could take action, sort of more of an active defense. And that's what we're going to be looking at in the connection hijacking part of this course. So we're going to talk about monitoring network traffic, and for some protocols, we'll talk about taking them over. And so a connection between maybe a malicious client and a malicious server, we'll steal control of the connection from the client, and so we're the ones communicating with the server instead. And so in the case that we'll look at here, we're going to use that control over the connection to terminate it. However, that same level of control could also be used to, say, communicate with the command and control server to direct its traffic to a honeypot or something like that. And so it's just one option for how we can use Python to take a more active role in defense, moving beyond detection to active defense.

And so in this video we started out with an introduction to defensive Python. So in a lot of the rest of this learning path, the other courses, we've been talking offensively; that doesn't mean that they're not useful for a defender. Pretty much every capability we've talked about could be directly applied to defense. That's the whole point of ethical hacking. They could also be tweaked slightly to achieve other defensive goals. And then we had the potential for writing code designed specifically for defensive purposes, which is what we're doing in this course. And so with the attack chain that we've been demoing in the rest of this course, we've talked about identifying that attack chain and some anomalous traffic and then also taking a little bit of a response. And so that's what we're going to be doing in the rest of the videos in this course. And so let's get started. Thank you.
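The lecture describes counting failed logins in the Windows event logs and raising a suspicion once there are "too many for some definition of too many". The following is an added example, not code from the course or its author: it applies a sliding-window threshold to Security log records, keyed by source address, and additionally notes when a successful logon follows a burst of failures from the same source (the account-takeover outcome the lecture is concerned with). Event IDs 4625 (failed logon) and 4624 (successful logon) are the real Windows Security log IDs; the records themselves are constructed sample data, and the record layout, field names and the 5-failures-in-5-minutes threshold are assumptions of this example.

```python
"""Flag brute-force / credential-stuffing patterns in Windows Security
event records.

Event IDs 4625 (failed logon) and 4624 (successful logon) are real Windows
Security log IDs. The records in SAMPLE_EVENTS are constructed sample data,
shaped as (timestamp, event_id, source_ip, account); a real script would
pull these fields from the event log instead.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not a real capture).
SAMPLE_EVENTS = [
    ("2024-05-01 10:00:01", 4625, "10.0.0.5", "alice"),
    ("2024-05-01 10:00:03", 4625, "10.0.0.5", "bob"),
    ("2024-05-01 10:00:05", 4625, "10.0.0.5", "carol"),
    ("2024-05-01 10:00:07", 4625, "10.0.0.5", "dave"),
    ("2024-05-01 10:00:09", 4625, "10.0.0.5", "erin"),
    ("2024-05-01 10:00:12", 4624, "10.0.0.5", "erin"),   # success right after the burst
    ("2024-05-01 10:15:00", 4625, "10.0.0.9", "alice"),  # single typo, then success
    ("2024-05-01 10:20:00", 4624, "10.0.0.9", "alice"),
    ("2024-05-01 11:00:00", 4625, "10.0.0.7", "alice"),  # two failures far apart
    ("2024-05-01 11:30:00", 4625, "10.0.0.7", "alice"),
]


def parse_event(record):
    """Turn a raw record tuple into (datetime, event_id, source_ip, account)."""
    ts, event_id, src, acct = record
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, src, acct


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for every source that produced at least
    `threshold` failed logons inside any `window`-long sliding window.

    Each alert records the largest burst seen, the set of accounts tried,
    and whether a successful logon (4624) followed the burst within the
    window, which is the sign that a guessed or stuffed credential worked.
    """
    failures = defaultdict(deque)   # source_ip -> recent (timestamp, account)
    alerts = {}
    for record in sorted(events, key=lambda r: r[0]):
        ts, event_id, src, acct = parse_event(record)
        recent = failures[src]
        if event_id == 4625:
            recent.append((ts, acct))
            # Drop failures that have aged out of the sliding window.
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alert = alerts.setdefault(
                    src, {"failures": 0, "accounts": set(), "success_after_burst": False}
                )
                alert["failures"] = max(alert["failures"], len(recent))
                alert["accounts"].update(a for _, a in recent)
        elif event_id == 4624:
            # A success from a source that already tripped the threshold,
            # arriving within the window of its last failure, is the takeover case.
            if src in alerts and recent and ts - recent[-1][0] <= window:
                alerts[src]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for src, alert in detect_bruteforce(SAMPLE_EVENTS).items():
        print(src, alert["failures"], sorted(alert["accounts"]),
              "SUCCESS AFTER BURST" if alert["success_after_burst"] else "")
```

The threshold and window are the "definition of too many" the lecture leaves open; a source that spreads its guesses across many accounts (as 10.0.0.5 does here) shows up through the accounts set, while a user mistyping a password once, or two failures half an hour apart, stays below the line. The 4624-after-4625 check is what distinguishes "someone is guessing" from "someone got in", which should change how urgently you respond.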
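The lecture also previews picking a few good features for network packets and then using "basic statistical analysis to say, does this packet look weird". The following is an added example, not code from the course or its author, showing the simplest version of that idea: fit a per-feature mean and standard deviation on a baseline of normal packets, score a new packet by its largest absolute z-score, and treat anything beyond a fixed number of standard deviations as worth a look. The two features (frame length and inter-arrival time), the baseline values and the threshold of 3 are assumptions of this example; the baseline packets are constructed, not captured.

```python
"""Score packets for 'weirdness' against a baseline with per-feature z-scores.

The feature set, the baseline packets and the threshold are assumptions of
this example. BASELINE is constructed sample data standing in for features
extracted from a capture of known-good traffic.
"""
from statistics import mean, pstdev

# Feature selection: two values a defender can compute from any packet
# capture without decoding the application protocol.
FEATURES = ("length", "interarrival")

# Constructed baseline: small, regularly spaced request/response frames.
BASELINE = [
    {"length": 60 + 5 * (i % 4), "interarrival": 0.10 + 0.01 * (i % 3)}
    for i in range(30)
]


def fit_baseline(packets, features=FEATURES):
    """Return {feature: (mean, stddev)} learned from known-good packets.

    A zero standard deviation is replaced by a tiny value so that a feature
    that never varied in the baseline flags any change rather than dividing
    by zero.
    """
    model = {}
    for feature in features:
        values = [p[feature] for p in packets]
        sd = pstdev(values)
        model[feature] = (mean(values), sd if sd > 0 else 1e-9)
    return model


def zscores(packet, model):
    """Per-feature z-scores: how many baseline standard deviations away."""
    return {f: (packet[f] - mu) / sd for f, (mu, sd) in model.items()}


def anomaly_score(packet, model):
    """A single score: the largest absolute z-score across the features."""
    return max(abs(z) for z in zscores(packet, model).values())


def is_suspicious(packet, model, threshold=3.0):
    """True when any feature sits more than `threshold` sigma from normal."""
    return anomaly_score(packet, model) > threshold


if __name__ == "__main__":
    model = fit_baseline(BASELINE)
    for pkt in ({"length": 65, "interarrival": 0.11},     # looks like baseline
                {"length": 1400, "interarrival": 0.11},   # oversized frame
                {"length": 65, "interarrival": 0.001}):   # rapid-fire timing
        print(pkt, round(anomaly_score(pkt, model), 1), is_suspicious(pkt, model))
```

This is deliberately the "high level" version the lecture promises: the value is in the feature choice and in having a baseline that actually reflects normal traffic. A very tight baseline (here, inter-arrival times that barely vary) makes the detector sensitive to timing changes, which is exactly the kind of signal a rapid login-guessing loop produces, but it also means a baseline captured during a quiet period will flag ordinary busy-hour traffic, so the baseline should be refit as the network changes.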
