Don't Boil the Ocean: Using MITRE ATT&CK to Guide Hunting Activity

Presented at BSidesSF 2019, March 4, 2019, 11:45 a.m. (30 minutes).

As threat hunting becomes a focus for more and more organizations, the abilities of the staff who are being asked to hunt vary greatly. One of the greatest challenges of threat hunting is biting off more than you can chew. Oftentimes, analysts want to "boil the ocean" and hunt without a specific purpose or plan. This talk is focused on using the MITRE ATT&CK framework as the catalyst to assist in building the hypothesis and plan to determine what we should hunt for and how we should build our hypothesis. To make this point, I will use an adversary emulation that we developed at Splunk and show how hunt teams can take the techniques defined in the MITRE ATT&CK framework and apply them to hunts that identify artifacts and indicators and how these initial findings can be fed into a process with ATT&CK to drive additional hunts, enabling hunters to gain more and more insight to better operationalize their findings.

Presenters:

  • John Stoner - Splunk
    John Stoner is a Principal Security Strategist at Splunk. In his current role, he leverages his experience to educate and improve users’ capabilities in Security Operations, Threat Hunting, Incident Response and Threat Intelligence. He has authored multiple hands-on workshops that focus on enhancing these specific security skills. His writings can be found on Splunk blogs, most notably in the Hunting with Splunk: The Basics and Dear Buttercup: The Security Letters series. John developed and maintains a Splunk application that drives greater situational awareness and streamlines investigations. He enjoys problem solving, writing and educating.  When not doing cyber things, John enjoys reading or binge-watching TV series that everyone else has already seen. During the fall and winter, you can find him driving his boys to hockey rinks across the northeastern United States. John also enjoys listening to, as his teammates call it, "80s sad-timey music."

Links:

Similar Presentations: