Hello and welcome to this course, in which we're talking about defensive Python. So far in this learning path, we've been rather focused on the offensive side and how we can use Python to automate a lot of offensive activities. In this course, we're going to talk about the other side: more blue team and defensive Python. And so we're going to start out with this video with our introduction to defensive Python, where we'll have two sections. We're going to start out with an introduction to defensive Python, sort of talk about why we want to use Python defensively and some of the ways that we can do so. After that, we're going to dive a lot more into that by talking about how we can automate defense with Python. And so let's get started.

So as I mentioned, so far this learning path has been very focused on offense. However, that's not to say that if you're on the defensive side, the techniques that we've covered are not useful. In fact, pretty much everything that we've covered is useful for defenders as well. The whole premise behind ethical hacking and pen testing is to have someone offensively attack the system and find out what's wrong with it so that you can fix it. And so if you can use Python offensively, you can help identify the vulnerabilities and holes in your defenses and then fix them before anyone else can find them and take advantage of them. And so many of the different techniques we've talked about so far in this learning path are directly applicable in their current form. However, many of those techniques, or the skills that we've demonstrated, can also be useful defensively directly. For example, reconnaissance. So we've talked a lot about how to evaluate the attack surface of an organization, and that's really useful for a defender as well. If you have issues with, say, shadow IT, where there are systems being set up that aren't authorized and that you don't know about, the ability to determine that this system exists and this is what it's doing is valuable.
It's not only good for patching the vulnerabilities in the system, it's good for knowing the system is even there. And so a lot of those scripts and techniques that we talked about in our reconnaissance course are also useful for defense.

Another example of something useful defensively is password analysis. And so we talked a lot about finding passwords, determining if they're strong, determining if maybe someone's using variations on the same password, etcetera. And so for most organizations, passwords are one of their biggest lines of defense and one of the weakest ones as well. A lot of the time, the most common technique that attackers use to gain access to environments is account takeover attacks. They determine a username and a password and they log in as that user. And so anything you can do to make that harder is probably a good thing. So multifactor authentication: great idea. But also doing some work to see if someone has access to my environment, or looking at these passwords (are they easy to break, are passwords easy to find), is a good idea, and we covered ways to do that in earlier courses.

A third source of invaluable information is the registry. So the Windows registry is essentially a giant configuration file for the operating system. And we could spend entire courses just talking about, well, if you look here, this is a value of interest; here's how you can use it offensively or defensively; here's why you should monitor it, etcetera. And so we've looked at a couple of cases here and discussed the skills behind it. But just in general, knowing more about the Windows registry and building some monitoring scripts in Python definitely can help your security.

And then finally, we talked about searching the file system for certain keywords, etcetera. And so that can be useful for finding credentials, finding sensitive data, etcetera. Another application could be for regulatory compliance.
So for example, you're supposed to protect certain types of data in certain ways. And so the ability to check a computer to say, do I have any data that matches these criteria? If so, and it's not protected in the proper way, we've got a problem that we need to fix. And so that's a defensive application of the skills that we've looked at in other courses in this learning path. And so those are some examples of where the offensive techniques and scripts that we've looked at can be just slightly tweaked, or even reused exactly as they are, and turned to defensive purposes. However, we also can develop scripts that are focused solely on defense, and that's what we're going to be talking about here in this course.

And so our attack chain in the earlier courses here was eventually based off of brute force password guessing or credential stuffing. So we started out with reconnaissance and learned what we could about the target environment. And so our end goal, hopefully, was learning about vulnerabilities that are known for the system (also useful for patching, by the way). But if we couldn't find any vulnerabilities, we could always fall back: we've identified that this is the type of system with a login portal; let's see if we can guess the user and password. And so then we talked about automating that process in our initial access section. When we talked about gaining access to credentials, we discussed stealing credentials, which then could be fed into this brute force, password guessing, credential stuffing, etcetera. And so we're really focusing in on this account takeover, partially because it's an excellent way to demonstrate automation with Python and also because it's a really common attack vector. And so if you can do it, if you can detect it, and if you can block it, you're in a better position. And so, how could we use Python to detect and protect against this particular attack vector?
So we're going to look at a few different ways of doing so, and our goal for the first section of our diagram at the bottom here, as you see, is suspicious traffic, which we can define in a few different ways. So one thing that we're going to do is we're going to take advantage of Windows event logs. And so the Windows operating system has a lot of logs that store a lot of data, and some of that data is useful for detecting brute force password guessing attacks. And so we'll take a look at using Python to access Windows event logs and look for signs of the failed logins that are sort of a fingerprint or signature for these types of attacks. And if we see them, and we see too many of them for some definition of too many, we've got a suspicion and we need to start digging into what's going on in our systems.

The other thing that we're going to look at is network traffic. Network traffic is a great source of information, and Python and Scapy are great for performing network traffic analysis. And so we're going to take a look at network traffic in a couple of different ways. So one way is we're going to specifically look for the type of traffic that looks like a brute force attack. We'll look at a couple of protocols and, using Scapy to sniff and analyze traffic, we'll determine: was this a successful authentication or did it fail, and if it failed, did it fail because of the password being incorrect? If so, and that happens enough, we've got a brute force password guessing attack or a credential stuffing attack. And that's suspicious traffic that we want to do something about.

The other approach that we're going to take is a little bit more general. And so we're going to do a very, very high-level introduction to machine learning, because Python has a lot of machine learning functionality and covering all of it is several courses all by itself. So we're going to focus in on just a couple of things.
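The "too many failed logins for some definition of too many" idea from the event log discussion above, as an added example that is not part of the original course material. It runs over a constructed list of records shaped like Windows Security log entries (event ID 4625 is the real "An account failed to log on" event and 4624 the successful logon event; the timestamps, addresses and user names are made up). Reading the live log with win32evtlog or wevtutil is assumed to happen elsewhere; the detection logic is a sliding window per source address, plus a second check that a defender cares about most: a successful logon from the same source right after the burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security log event IDs (real values).
FAILED_LOGON = 4625   # "An account failed to log on"
SUCCESS_LOGON = 4624  # "An account was successfully logged on"

# Constructed sample records in the shape of Security log entries.
# A real script would fill this list from win32evtlog or `wevtutil qe Security`;
# every value here is made up for the example.
SAMPLE_EVENTS = [
    {"event_id": 4625, "time": "2024-03-01T10:00:00", "ip": "10.0.0.5", "user": "alice"},
    {"event_id": 4625, "time": "2024-03-01T10:00:04", "ip": "10.0.0.5", "user": "alice"},
    {"event_id": 4625, "time": "2024-03-01T10:00:09", "ip": "10.0.0.5", "user": "bob"},
    {"event_id": 4625, "time": "2024-03-01T10:00:15", "ip": "10.0.0.9", "user": "dave"},
    {"event_id": 4625, "time": "2024-03-01T10:00:21", "ip": "10.0.0.5", "user": "bob"},
    {"event_id": 4625, "time": "2024-03-01T10:00:30", "ip": "10.0.0.5", "user": "carol"},
    {"event_id": 4625, "time": "2024-03-01T10:01:10", "ip": "10.0.0.5", "user": "carol"},
    {"event_id": 4624, "time": "2024-03-01T10:01:12", "ip": "10.0.0.5", "user": "carol"},
    {"event_id": 4625, "time": "2024-03-01T10:30:00", "ip": "10.0.0.9", "user": "dave"},
]


def detect_failed_logon_bursts(events, threshold=5, window_seconds=120):
    """Return {ip: summary} for every source IP that produced at least
    `threshold` failed logons inside some sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    failed = sorted(
        (datetime.fromisoformat(e["time"]), e["ip"], e["user"])
        for e in events if e["event_id"] == FAILED_LOGON
    )
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    users = defaultdict(set)      # per-IP target accounts (many = spraying)
    totals = defaultdict(int)
    flagged = {}
    for t, ip, user in failed:
        q = recent[ip]
        q.append(t)
        users[ip].add(user)
        totals[ip] += 1
        while t - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            s = flagged.setdefault(ip, {"first_flagged": t, "peak_in_window": 0})
            s["peak_in_window"] = max(s["peak_in_window"], len(q))
    for ip, s in flagged.items():
        s["total_failures"] = totals[ip]
        s["distinct_users"] = len(users[ip])
    return flagged


def successes_after_burst(events, flagged):
    """Successful logons from a flagged IP at or after the moment it was flagged.
    This is the case to escalate first: a guess may have worked."""
    hits = []
    for e in events:
        if e["event_id"] != SUCCESS_LOGON or e["ip"] not in flagged:
            continue
        if datetime.fromisoformat(e["time"]) >= flagged[e["ip"]]["first_flagged"]:
            hits.append((e["ip"], e["user"], e["time"]))
    return hits


if __name__ == "__main__":
    bursts = detect_failed_logon_bursts(SAMPLE_EVENTS)
    for ip, s in bursts.items():
        print(f"{ip}: {s['peak_in_window']} failures in window, "
              f"{s['total_failures']} total, {s['distinct_users']} accounts, "
              f"flagged at {s['first_flagged'].isoformat()}")
    for ip, user, when in successes_after_burst(SAMPLE_EVENTS, bursts):
        print(f"ESCALATE: successful logon for {user} from {ip} at {when}")
```

The threshold and window are the "definition of too many" and should be tuned to the environment; the distinct-user count separates a single account being hammered from one source trying many accounts, which is what password spraying looks like in the same log.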
We're going to talk about one of the most important parts of machine learning, which is feature selection, or making sure you put the right data into the system. And so we'll talk about how to pick some good features for Python if you want to start detecting anomalous traffic on your network. And then after that we'll just do some basic statistical analysis to say, does this packet look weird? And if it does look weird, we should probably investigate further.

And so at the end of these different analysis techniques, we essentially have reached the point where we have suspicious traffic for some reason. Either we've looked at the logs and we know that there's a credential stuffing attack going on, so we need to grab that stuff off the network, or we've looked at network traffic and we're like, this is either absolutely a password attack or it's weird enough that we want to look at it further. And so we've got suspicious traffic. We can investigate and we can respond. But we also could take action, sort of more of an active defense. And that's what we're going to be looking at in the connection hijacking part of this course. So we're going to talk about monitoring network traffic, and for some protocols, we'll talk about taking them over. And so with a connection between maybe a malicious client and a malicious server, we'll steal control of the connection from the client, and so we're the ones communicating with the server instead. And so in the case that we'll look at here, we're going to use that control over the connection to terminate it. However, that same level of control could also be used to, say, communicate with our command and control server to direct its traffic to a honeypot or something like that. And so it's just one option for how we can use Python to take a more active role in defense, moving beyond detection to active defense.

And so in this video we started out with an introduction to defensive Python.
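The "does this packet look weird" statistical check from the feature selection passage above, as an added example that is not from the course. It picks two simple per-packet features (frame length and inter-arrival time), fits a mean and standard deviation per feature from a constructed baseline of normal traffic, and flags any packet whose z-score on either feature exceeds a threshold. The packet records are plain dictionaries standing in for what a Scapy sniff would yield; the baseline rows, the candidate stream and the 3-sigma threshold are all assumptions.

```python
import statistics

FEATURE_NAMES = ("length_bytes", "inter_arrival_s")

# Constructed baseline of "normal" traffic as (length, inter-arrival) rows.
# Real baselines would be built from a capture of known-good traffic.
BASELINE = [(length, iat)
            for _ in range(4)
            for length, iat in zip((400, 450, 500, 550, 600),
                                   (0.08, 0.09, 0.10, 0.11, 0.12))]

# Constructed candidate stream: timestamps and lengths as a sniffer would report them.
SAMPLE_STREAM = [
    {"ts": 0.00, "length": 500},
    {"ts": 0.11, "length": 520},    # ordinary
    {"ts": 0.21, "length": 9000},   # jumbo frame, far outside the baseline
    {"ts": 1.71, "length": 510},    # 1.5 s gap, far outside the baseline
]


def extract_features(packets):
    """Turn a time-ordered packet list into (length, inter_arrival) rows.
    The first packet has no inter-arrival time, so it is skipped rather than
    given a fake value of 0 that would itself look anomalous."""
    rows = []
    for prev, cur in zip(packets, packets[1:]):
        rows.append((cur["length"], cur["ts"] - prev["ts"]))
    return rows


def fit_baseline(rows):
    """Per-feature (mean, sample standard deviation) from baseline rows."""
    columns = list(zip(*rows))
    return [(statistics.mean(col), statistics.stdev(col)) for col in columns]


def zscores(row, model):
    """Standard score of each feature; a constant feature (stdev 0) scores 0
    on an exact match and infinity on any deviation."""
    scores = []
    for value, (mean, stdev) in zip(row, model):
        if stdev == 0:
            scores.append(0.0 if value == mean else float("inf"))
        else:
            scores.append((value - mean) / stdev)
    return scores


def is_anomalous(row, model, threshold=3.0):
    """A packet is anomalous if any feature is more than `threshold` standard
    deviations from the baseline mean."""
    return any(abs(z) > threshold for z in zscores(row, model))


if __name__ == "__main__":
    model = fit_baseline(BASELINE)
    for name, (mean, stdev) in zip(FEATURE_NAMES, model):
        print(f"{name}: mean={mean:.3f} stdev={stdev:.3f}")
    for row in extract_features(SAMPLE_STREAM):
        verdict = "ANOMALOUS" if is_anomalous(row, model) else "normal"
        print(row, [f"{z:.1f}" for z in zscores(row, model)], verdict)
```

A z-score over a handful of features is the simplest possible anomaly model, and it only works when the features are chosen so that normal traffic really does cluster; that is the feature-selection point the course makes, and it matters more than the statistic used.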
So in a lot of the rest of this learning path, in the other courses, we've been talking offensively, but that doesn't mean that they're not useful for a defender. Pretty much every capability we've talked about could be directly applied to defense. That's the whole point of ethical hacking. They could also be tweaked slightly to achieve other defensive goals. And then we had the potential for writing code designed specifically for defensive purposes, which is what we're doing in this course. And so with the attack chain that we've been demoing in the rest of this course, we've talked about identifying that attack chain and some anomalous traffic and then also taking a little bit of a response. And so that's what we're going to be doing in the rest of the videos in this course. And so let's get started. Thank you.