Endpoint Detection Super Powers on the cheap, with Sysmon

Presented at DerbyCon 9.0 Finish Line (2019), Sept. 8, 2019, noon (30 minutes).

Based on my experience as a blue- and purple-teamer, I wanted to create a workflow toolkit for anyone with access to Splunk to get started with a set of tools that enables them to hit the ground running on a tight budget without compromising on quality. I will explain the pain of lacking visibility in a common enterprise environment. I will present my hunting app, which contains over 150 searches and over 15 dashboards. Knowledge is power; the workflow has been intentionally built on generic searches to cover all attack variations, to be able to uncover most potentially malicious behaviour. The dashboards contain overviews and threat indicators, and facilitate consecutive drilldown workflows to help the analyst determine whether this is a threat or not and allow them to whitelist.


Presenters:

  • Olaf Hartong
    Olaf is a person of many interests with a passion for defensive security and data. He has over 13 years of experience in security and specializes in building and operationalizing SOC teams through the use of SIEM systems or log management systems such as Splunk. He is an expert Threat Hunter and works in close collaboration with the Red Team to facilitate Purple teaming workshops for his clients. He is the author of several security-focused tools and blogs. Olaf has spoken at MITRE ATT&CKcon, ISF Live, Splunk Live, BlackHat, FIRST
