Presented at DEF CON 32 (2024), Aug. 9, 2024, 9 a.m. (240 minutes).
As defenders, we are always outnumbered, but we are by no means outmaneuvered. Attackers may hide in the haystack of haystacks, but with scalable detection logic, efficient coding practices, a thorough investigation methodology, and a reasonable corpus of computing, we can still determine which haystack to look within, and subsequently find the needle.
This is often made possible by a detection pipeline. And knowing how detection pipelines work, and the role each component plays, can help us write more efficient, more accurate detections to make life hard for the attacker. By reducing the attacker's window of opportunity, whilst making the subsequent investigation easier for the would-be analyst, we can maintain a strong defensive position, forcing the attacker to burn significantly more resources in an attempt to make progress.
This workshop will run attendees through implementing a simple detection pipeline in code, and some basic detection rules, to understand how to:
- Ingest and normalize arbitrary log data, and make such data available for downstream detection rules;
- Implement detection logic, to isolate potentially malicious behaviour;
- Enrich log data with more context, aiding investigation; and
- Draw relationships from individual log entries, to reduce investigative noise.
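As an added illustration of those four stages, not code from the workshop itself, here is a toy pipeline in Python 3 that normalizes two constructed log formats, runs one rule (repeated authentication failures followed by a success from the same source), enriches the alert from a hypothetical asset inventory, and groups alerts by source so an analyst sees one case rather than many alerts. The log formats, the threshold of three and the inventory are all assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed sample logs in two formats: an sshd-style text line and a JSON line.
RAW_LOGS = [
    "2024-08-09T09:00:01Z bastion sshd: Failed password for alice from 203.0.113.7",
    "2024-08-09T09:00:03Z bastion sshd: Failed password for alice from 203.0.113.7",
    "2024-08-09T09:00:05Z bastion sshd: Failed password for alice from 203.0.113.7",
    '{"ts": "2024-08-09T09:00:09Z", "host": "bastion", "user": "alice", "outcome": "success", "src": "203.0.113.7"}',
    "2024-08-09T09:01:00Z web01 sshd: Accepted password for bob from 198.51.100.5",
]
SSH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
ASSETS = {"bastion": "critical", "web01": "low"}  # hypothetical asset inventory used for enrichment

def normalize(line):
    """Ingest one raw line and map it onto a common event schema; None for unknown formats."""
    if line.startswith("{"):
        d = json.loads(line)
        return {"ts": d["ts"], "host": d["host"], "user": d["user"], "src": d["src"], "outcome": d["outcome"]}
    m = SSH_RE.match(line)
    if not m:
        return None  # unparseable line: drop it (a real pipeline would route it to a dead-letter queue)
    ts, host, result, user, src = m.groups()
    return {"ts": ts, "host": host, "user": user, "src": src,
            "outcome": "success" if result == "Accepted" else "failure"}

def detect_brute_force_success(events, threshold=3):
    """Rule: at least `threshold` failures for a (src, user, host) tuple followed by a success."""
    failures = defaultdict(int)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        key = (e["src"], e["user"], e["host"])
        if e["outcome"] == "failure":
            failures[key] += 1
        elif failures[key] >= threshold:
            alerts.append({"rule": "brute_force_then_success", "failures": failures[key], **e})
    return alerts

def enrich(alert):
    """Add context an analyst needs: how important is the host that was logged into?"""
    alert["asset_criticality"] = ASSETS.get(alert["host"], "unknown")
    return alert

def group_by_source(alerts):
    """Collapse alerts that share a source IP into one case to cut investigative noise."""
    cases = defaultdict(list)
    for a in alerts:
        cases[a["src"]].append(a)
    return dict(cases)

def run_pipeline(lines=RAW_LOGS):
    events = [e for e in map(normalize, lines) if e]
    return group_by_source([enrich(a) for a in detect_brute_force_success(events)])
```

Running `run_pipeline()` on the constructed logs yields a single case for 203.0.113.7 carrying the enriched alert; the lone successful login to web01 produces nothing.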
Attendees should be comfortable with either Python 3 or Golang, including core language syntax and the execution environment of their preferred language.
Presenters:
- Kathy Zhu, Security Engineering Tech Lead at Google
Having worked in the security industry for 8+ years, Kathy is currently a Security Engineering Tech Lead in the detection space at Google. Her interests and experience are in detection engineering and software development. Outside of work, she also enjoys running, the outdoors, and reading.
- Troy Defty, Security Engineering Manager
Following over a decade in the UK and Australian InfoSec industries, including an 8-and-a-half year stint in red teaming, Troy jumped the proverbial fence from red to blue, and is currently a Security Engineering Manager at a tech company. His interests and experience are in detection engineering, red teaming, threat modelling, hardware, and assessing ICS environments. Other interests include music, electronics, the outdoors, travel, rugby, CTF, and making piano-related noise.