Incident Response Detection and Investigation with Open Source Tools (closed)

Presented at DeepSec 2020 „The Masquerade“, Unknown date/time (Unknown duration)

Defenses focus on what you know! But what happens when attackers gain access to your network by exploiting endpoints, software or even your people? Under the assumption that you have been breached, how do you work backwards to gain knowledge of what happened? How can you find those adversaries in your infrastructure? IR detection and response relies on a structured process of identifying observables and collecting evidence. One aspect of this is the practice of proactively seeking out evil in your infrastructure: finding needles in haystacks that link to other needles, unveiling how an organisation was compromised and possibly even answering the "why?". This is commonly referred to as threat hunting. In this hands-on training participants will learn about the basic building blocks of an IR detection and investigation programme. The training introduces the basics so that a participant can take this knowledge and build up a programme in their own organisation. Using tools like ELK or HELK, GRR, Sysmon and osquery, we will explore how to deploy and use these free tools to build the foundations of a threat hunting programme. The labs will look at how MITRE ATT&CK and Sigma rules are used to help identify indicators of attack. With interactive labs on a simulated corporate infrastructure of both Windows and Linux clients, we'll explore the capabilities these tools provide to hunt for common techniques used by malware and threat actors.
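The mechanics the abstract alludes to, a Sigma rule evaluated against Sysmon process-creation telemetry with its ATT&CK tag carried through to the hit, are shown in the following added example. It is not code from the training or from the Sigma project: the rule, the Sysmon-style event records, the host names and the "Contoso Add-in" allow-list path are all constructed for this illustration, and the rule's ATT&CK tag is an illustrative mapping rather than an official one.

```python
"""Sigma-style detection over constructed Sysmon process-creation events.

Added example, not code from the DeepSec training or from the Sigma project.
It evaluates a rule's detection block (selection / filter / condition)
against endpoint telemetry and reports the rule's ATT&CK tags on each hit.
The rule, event records and field values are constructed for this example.
"""
import fnmatch

# Constructed rule in the shape of a Sigma rule. An Office application
# spawning a command interpreter is a common macro/phishing indicator; the
# ATT&CK tag is an illustrative mapping (T1566.001, Spearphishing Attachment).
RULE = {
    "title": "Office application spawning a command interpreter",
    "tags": ["attack.t1566.001", "attack.initial_access"],
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\WINWORD.EXE", "\\EXCEL.EXE", "\\POWERPNT.EXE"],
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\wscript.exe"],
        },
        # Hypothetical allow-list for a known add-in launched from a fixed path.
        "filter": {"CommandLine|contains": ["\\Program Files\\Contoso Add-in\\"]},
        "condition": "selection and not filter",
    },
}

# Constructed Sysmon Event ID 1 records, reduced to the fields the rule uses.
EVENTS = [
    {"EventID": 1, "Computer": "WS01",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 1, "Computer": "WS01",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"EventID": 1, "Computer": "WS02",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe \"C:\\Program Files\\Contoso Add-in\\sync.vbs\""},
    {"EventID": 1, "Computer": "WS02",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\u.ps1"},
]


def _value_matches(modifier, actual, expected):
    """Case-insensitive Sigma string modifiers; a plain value allows * and ? wildcards."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return fnmatch.fnmatchcase(a, e)


def _selection_matches(selection, event):
    """Every field in a selection map must match (AND); listed values are OR-ed."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        actual = event.get(field)
        if actual is None or not any(_value_matches(modifier, actual, v) for v in values):
            return False
    return True


def _evaluate_condition(condition, results):
    """Left-to-right evaluation of 'a and b', 'a or b' and 'not x' over named selections."""
    value, op, negate = None, None, False
    for tok in condition.split():
        if tok in ("and", "or"):
            op = tok
        elif tok == "not":
            negate = True
        else:
            term = results[tok] != negate  # apply a pending 'not' via XOR
            negate = False
            if value is None:
                value = term
            elif op == "and":
                value = value and term
            else:
                value = value or term
    return bool(value)


def rule_matches(rule, event):
    """True when the rule's condition holds for one event."""
    detection = rule["detection"]
    results = {name: _selection_matches(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return _evaluate_condition(detection["condition"], results)


def hunt(rule, events):
    """Return (event index, host, ATT&CK tags) for every event the rule fires on."""
    return [(i, ev["Computer"], rule["tags"]) for i, ev in enumerate(events)
            if rule_matches(rule, ev)]


if __name__ == "__main__":
    for idx, host, tags in hunt(RULE, EVENTS):
        print(f"{RULE['title']}: event {idx} on {host} -> {', '.join(tags)}")
```

Run as a script it reports the WINWORD-to-cmd.exe and EXCEL-to-powershell.exe events and suppresses the EXCEL-to-wscript.exe event because the filter matches the allow-listed add-in path. The filter is the part to be careful with in practice: a `contains` on a path an attacker can write to turns the allow-list into a bypass, so filters should key on something the adversary does not control (a signed image, a fixed parent, a hash) rather than on a command-line substring.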
Participants will walk away with a basic understanding of threat hunting and the tools needed to develop a hunting practice in their own organisation through the following agenda:

  • Intro to threat hunting
  • Threat hunting and the IR process
  • Understanding the requirements
  • Backend tools
  • Detection/reporting tools like MITRE ATT&CK and Sigma
  • Endpoint tools: osquery and Sysmon

Hands-on exercises will be spread across the 2 days.

Participant Requirements:

  • Working knowledge of Windows (no osquery experience required)
  • Working knowledge of the Linux shell (no osquery experience required)
  • Basic SQL
  • Laptop with an SSH client

Presenters:

  • Craig Jones - FVT SecOps Consulting, Sophos
    Craig Jones is Senior Manager of Security Engineering at Sophos, responsible for detection engineering, IR and security infrastructure. @albanwr
  • Thomas Fischer - FVT SecOps Consulting, Sophos
    Thomas Fischer has over 30 years of experience in the IT industry, ranging from software development to infrastructure and network operations and architecture, before settling in information security. He has an extensive security background covering roles from incident responder to security architect at Fortune 500 companies, vendors and consulting organisations. He is currently a security advocate and threat researcher focused on advising companies on understanding their data protection activities against malicious parties, not just for external threats but also compliance-instigated ones. Thomas is also an active participant in the InfoSec community, not only as a member but also as director of Security BSides London, ISSA UK chapter board member and speaker at events like SANS DFIR EMEA, DeepSec, Shmoocon, and various BSides events.
