Threat Hunting with the Elastic Stack

Presented at BSidesDC 2019, Oct. 25, 2019, 8 a.m. (540 minutes)

With all new logs and updated material from our previous threat hunting workshops, this hands-on training class will walk attendees through leveraging the open source Elastic (ELK) stack to proactively identify malicious activity hiding within diverse data sets. The basic tools and techniques taught during this class can be used to investigate isolated security incidents or implemented at scale for continuous monitoring (SIEM) and threat hunting. Attendees will be provided with access to a preconfigured Elastic stack cluster and extensive sample logs containing malicious events waiting to be discovered on a simulated enterprise network. Attacker artifacts will be mapped to the MITRE ATT&CK Framework and tagged accordingly in the provided logs to help demonstrate the value of log enrichment, showcase both common and novel real-world attacker TTPs, and leverage a methodological approach to adversary and anomaly detection. Emphasis will be placed on live demos and practical training exercises throughout. The training will conclude with a friendly CTF tournament to give attendees the opportunity to collaborate and compete on teams in order to put their learning into practice and win some prizes.

Presenters:

• Jeff Magloire - Sr. Cyber Consultant at Polito Inc.
  Jeff has over 10 years of federal and commercial expertise in the field of Endpoint and Mobile based Intrusion Detection and Protection, Network Security, e-Discovery, Mobile Application Security, and Penetration Testing. Jeffrey holds a Masters of Science in Digital Forensics from George Mason Univ. along with a Bachelors in Business IT from St Johns Univ. Jeffrey also has earned certifications such as GIAC Certified Forensic Analyst, Encase Examiner and Encase E-Discovery, Xways, and Cellebrite certifications.
• Fred Mastrippolito - Hacker in Chief at Polito Inc.
  With over 15 years of experience in cybersecurity, Fred (@politoinc) was a founding member of an elite group of computer forensics and intrusion analysts for a major defense contractor. He has performed numerous web application assessments and penetration tests for financial services, federal government, and retail clients. He has managed SOCs, responded to incidents, and analyzed malware.
• Ben Hughes - Sr. Security Engineer at Polito Inc.
  As the lead instructor, Ben (@CyberPraesidium) brings over 12 years of diverse experience in cyber security, IT, and law. He leads Polito's commercial services including vulnerability assessments, penetration testing, incident response, forensics, and threat hunting. Prior to joining Polito, Ben worked on APT hunt teams at federal and commercial clients. He holds CISSP, GCFA, GWAPT, and Splunk certifications.

Links:

• https://bsidesdc2019.busyconf.com/schedule#activity_5d18103a4a19b560f9000014

Similar Presentations:

• DeepSec 2019 „Internet of Facts and Fears“ / Incident Response Detection and Investigation with Open Source Tools
• BSidesLV 2019 / Finding Evil with Mitre ATT&CK and the Elastic Stack
• BSidesLV 2017 / Elastic-ing All the Things - Saving anything at elastic stack and having fun with detections