Threat Hunting With Scored Network Features

Presented at BSidesDC 2017, Oct. 8, 2017, 1:30 p.m. (50 minutes).

Most organizations collect mountains of network data from across their enterprise, but few actually look behind the curtain that is their SIEM dashboard. Shifting from a reactive approach to a more proactive methodology is essential to detect increasingly clever adversaries and advanced threats. But with so much data, where do we start? This talk presents an introduction to threat hunting with network data, focusing specifically on extracted network features. It spans the process of contextualization, enrichment, and finally analysis. Red team members will gain a deeper understanding of the advanced methods that lead to their detection, while blue team members will learn some potential new tricks to try with their own data. These concepts will be applied and demonstrated by telling a fun-for-all-ages story of a "fictitious" threat detection and response scenario involving Mickey Mouse and friends.
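The abstract names a three-step pipeline (extract features from network data, enrich them with context, then analyze). The block below is an added illustration of that general shape and is not the speaker's code or ICEBRG's tooling. Everything in it is constructed for the example: the flow records, the asset-role and threat-intel lookups, the feature definitions (beacon regularity, out/in byte ratio, unusual port) and the scoring weights are all assumptions chosen to make the ranking readable.

```python
"""Added illustration, not code from the talk: turn raw flow records into
per-(src, dst, port) features, enrich them, score them, and rank hunting
leads.  All data and weights below are constructed for this example."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src, dst, dst_port, bytes_out, bytes_in)
FLOWS = [
    # 10.0.0.5 beacons every 60 s to one host with small, similar requests
    (0,   "10.0.0.5",  "203.0.113.9",  443, 500, 300),
    (60,  "10.0.0.5",  "203.0.113.9",  443, 510, 310),
    (120, "10.0.0.5",  "203.0.113.9",  443, 505, 305),
    (180, "10.0.0.5",  "203.0.113.9",  443, 498, 295),
    # 10.0.0.8 browses normally: irregular timing, downloads dominate
    (5,   "10.0.0.8",  "198.51.100.2", 443, 1200, 90000),
    (47,  "10.0.0.8",  "198.51.100.7", 443, 800,  40000),
    (300, "10.0.0.8",  "198.51.100.2", 443, 950,  70000),
    # 10.0.0.12 (a server) pushes large volumes out on an odd port
    (10,  "10.0.0.12", "192.0.2.77",   4444, 2_000_000, 4000),
    (900, "10.0.0.12", "192.0.2.77",   4444, 3_000_000, 4500),
]

# Constructed enrichment sources (assumed; in practice CMDB/DHCP and intel feeds)
ASSET_ROLE = {"10.0.0.5": "workstation", "10.0.0.8": "workstation", "10.0.0.12": "db-server"}
INTEL_TAGS = {"192.0.2.77": "known-c2"}
COMMON_PORTS = {53, 80, 443}

# Constructed weights: how much each feature contributes to a lead's score
WEIGHTS = {"beacon": 40, "exfil": 30, "rare_port": 10, "intel": 50, "server_egress": 20}


def extract_features(flows):
    """Step 1: aggregate flows per (src, dst, port) and derive features."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, out, inn in flows:
        by_pair[(src, dst, port)].append((ts, out, inn))
    feats = {}
    for key, recs in by_pair.items():
        recs.sort()
        times = [r[0] for r in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Coefficient of variation of inter-arrival gaps: ~0 means clockwork beaconing.
        gap_cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        out = sum(r[1] for r in recs)
        inn = sum(r[2] for r in recs)
        feats[key] = {
            "count": len(recs),
            "gap_cv": gap_cv,
            "out_in_ratio": out / max(inn, 1),   # >1 means the host sends more than it receives
            "rare_port": key[2] not in COMMON_PORTS,
        }
    return feats


def enrich(feats):
    """Step 2: attach asset role and threat-intel context to each pair."""
    for (src, dst, _port), f in feats.items():
        f["src_role"] = ASSET_ROLE.get(src, "unknown")
        f["intel_tag"] = INTEL_TAGS.get(dst)
    return feats


def score_pair(f):
    """Step 3: additive score with the reasons that contributed, for analyst review."""
    total, reasons = 0, []
    if f["gap_cv"] is not None and f["gap_cv"] < 0.1 and f["count"] >= 4:
        total += WEIGHTS["beacon"]; reasons.append("beacon")
    if f["out_in_ratio"] > 10:
        total += WEIGHTS["exfil"]; reasons.append("exfil")
    if f["rare_port"]:
        total += WEIGHTS["rare_port"]; reasons.append("rare_port")
    if f["intel_tag"]:
        total += WEIGHTS["intel"]; reasons.append(f"intel:{f['intel_tag']}")
    if f["src_role"].endswith("server"):
        total += WEIGHTS["server_egress"]; reasons.append("server_egress")
    return total, reasons


def rank_leads(flows):
    """Return [(score, src, dst, port, reasons)] sorted highest score first."""
    feats = enrich(extract_features(flows))
    leads = [(score_pair(f)[0], src, dst, port, score_pair(f)[1])
             for (src, dst, port), f in feats.items()]
    return sorted(leads, key=lambda l: (-l[0], l[1], l[2], l[3]))


if __name__ == "__main__":
    for score, src, dst, port, reasons in rank_leads(FLOWS):
        print(f"{score:4d}  {src:>10} -> {dst}:{port}  {', '.join(reasons) or '-'}")
```

The score is deliberately transparent: each lead carries the list of features that fired, so an analyst can see why a pair ranked where it did rather than trusting an opaque number. Thresholds such as the 0.1 gap coefficient of variation or the 10:1 byte ratio are placeholders; in a real deployment they would be tuned against the organization's own baseline.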


Presenters:

  • Justin Warner - Principal Security Engineer at ICEBRG
    Justin Warner (@sixdub) is a Security Engineer at ICEBRG, where he helps customers gain large-scale visibility into their networks and regularly assists partners with network forensics as part of incident response engagements. Justin is an Air Force Academy graduate, a former USAF Cyber Ops officer, and a former red team lead who focused on adversary emulation operations against several Fortune 100 companies as well as federal, state, and local government organizations. Justin has a passion for, and uses his "free time" on, threat research, reverse engineering, and playing with red team tools.
