Purpose Driven Hunt: What do I do with all this data?

Presented at DerbyCon 7.0 Legacy (2017), Sept. 22, 2017, 4 p.m. (50 minutes)

Does your organization want to start Threat Hunting, but you’re not sure how to begin? Most people start with collecting ALL THE DATA, but data means nothing if you’re not able to analyze it properly. This talk focuses on the often overlooked first step of hunt hypothesis generation which can help guide targeted collection and analysis of forensic artifacts. We will demonstrate how to use the MITRE ATTACK Framework and our five-phase Hypothesis Generation Process to develop actionable hunt processes, narrowing the scope of your Hunt operation and avoiding “analysis paralysis.” We will then walk through a case study of Golden Ticket detection from concept to technical execution by way of the Hypothesis Generation Process. Along the way, we will detail some of the most common Golden Ticket indicators and will release a new PowerShell script for extracting Kerberos ticket information without any dependencies on external binaries. Jared Atkinson (@jaredcatkinson) is the Defensive Services Technical Director at Specter Ops who specializes in Digital Forensics and Incident Response. Jared spent two years at Veris Group’s Adaptive Threat Division (ATD) leading the technical buildout of Veris Group’s Hunt capability. Before Veris Group, Jared spent four years leading incident response missions for the U.S. Air Force Hunt Team, detecting and removing Advanced Persistent Threats on Air Force and DoD networks. Passionate about PowerShell and the open source community, Jared is the lead developer of the PowerForensics project, an open source forensics framework for PowerShell, Uproot, a WMI-based IDS, and maintains a DFIR focused blog at www.invoke-ir.com. Robby Winchester is an experienced threat hunter and penetration tester with six years of experience in information security. Over the course of Robby’s career, he has developed and supervised penetration testing, physical security, and breach assessments for Fortune 100 clients. Robby worked two years for the U.S. Air Force Information Aggressors, providing full-scope network and physical red team operational assessments to the Department of Defense. Prior to that, Robby developed and integrated information security operations with traditional military operations for the U.S. Air Force’s RED FLAG exercise. Robby has a BS in Computer Science from the U.S. Air Force Academy and an MS in Information Security and Assurance from Western Governor’s University. Robby holds CISSP, GIAC Penetration Tester (GPEN), and several other information security certifications. Jared - @jaredcatkinson Robby - @Robby - @robwinchester3

Presenters:

• Robby Winchester
• Jared Atkinson

Links:

• https://www.derbycon.com/friday-schedule/#event-44

Similar Presentations:

• DerbyCon 8.0 Evolution (2018) / A Process is No One: Hunting for Token Manipulation
• BSidesSF 2019 / Don't Boil the Ocean: Using MITRE ATT&CK to Guide Hunting Activity
• Black Hat Europe 2017 / A Process is No One: Hunting for Token Manipulation