The document summarizes a presentation by Chris Sanders on analyzing the investigation process in digital forensics and incident response. Some key points:
1. Sanders argues that the field of digital security is undergoing a "cognitive revolution" to develop more structured and repeatable investigation methods.
2. He proposes using a scenario-based approach and investigation simulator to study how analysts navigate cases and make decisions. This could help identify ways to increase accuracy and speed.
3. Case studies analyzing novice and expert analysts found that novices rely more on intuition while experts employ more reflection and metacognition when investigating cases.
Art into Science 2017 - Investigation Theory: A Cognitive Approachchrissanders88
This presentation was delivered at Art into Science 2017 in Austin, TX. I discuss the ongoing cognitive crisis in information security, and present original research methods and results related to the investigation process.
Threats that Matter - Murray State University 2017chrissanders88
In this presentation I discuss the current state of information security and where innovation is failing to make it back to smaller businesses. I identify threats that matter most to businesses through the lens of a framework for the evaluation of threats. I also describe five things you can do to increase your network security right now in the wake of these threats.
Building a Successful Threat Hunting ProgramCarl C. Manion
Understanding the key components necessary to build a successful threat hunting program starts with visibility, the appropriate tools and automation. Skilled, experienced analysts, engineers and incident responders with analytical minds who can apply concepts and approaches to a variety of different toolsets are also instrumental to the process. In this presentation, We'll describe and discuss some of the most common challenges, recommended best practices, and focus areas for achieving an effective threat hunting capability based on lessons learned over the past 15 years.
Building a Threat Hunting Practice in the CloudProtectWise
Building a Threat Hunting Practice Using the Cloud
James Condon, Director of Threat Research and Analysis ProtectWise and Tom Hegel, Senior Threat Researcher ProtectWise
Topics:
Threat Hunting 101
Requirements for Effective Threat Hunting
How the Cloud Can Help
Threat Hunting Best Practices
Questions
Next Steps
Threat hunting and achieving security maturityDNIF
In this virtual meetup of DNIF KONNNECT (04.04.2019), where the growing DNIF community connects, interacts, shares and helps each other to grow and learn about the latest in threat hunting and many more...this time we have Mr. Ankit Panchal from NSDL who shall demonstrate an end to end demo of how you can achieve security maturity.
Learn more about DNIF KONNECT here - https://dnif.it/dnif-konnect.html
Learn more about DNIF KONNECT here - https://dnif.it/dnif-konnect.html
Art into Science 2017 - Investigation Theory: A Cognitive Approachchrissanders88
This presentation was delivered at Art into Science 2017 in Austin, TX. I discuss the ongoing cognitive crisis in information security, and present original research methods and results related to the investigation process.
Threats that Matter - Murray State University 2017chrissanders88
In this presentation I discuss the current state of information security and where innovation is failing to make it back to smaller businesses. I identify threats that matter most to businesses through the lens of a framework for the evaluation of threats. I also describe five things you can do to increase your network security right now in the wake of these threats.
Building a Successful Threat Hunting ProgramCarl C. Manion
Understanding the key components necessary to build a successful threat hunting program starts with visibility, the appropriate tools and automation. Skilled, experienced analysts, engineers and incident responders with analytical minds who can apply concepts and approaches to a variety of different toolsets are also instrumental to the process. In this presentation, We'll describe and discuss some of the most common challenges, recommended best practices, and focus areas for achieving an effective threat hunting capability based on lessons learned over the past 15 years.
Building a Threat Hunting Practice in the CloudProtectWise
Building a Threat Hunting Practice Using the Cloud
James Condon, Director of Threat Research and Analysis ProtectWise and Tom Hegel, Senior Threat Researcher ProtectWise
Topics:
Threat Hunting 101
Requirements for Effective Threat Hunting
How the Cloud Can Help
Threat Hunting Best Practices
Questions
Next Steps
Threat hunting and achieving security maturityDNIF
In this virtual meetup of DNIF KONNNECT (04.04.2019), where the growing DNIF community connects, interacts, shares and helps each other to grow and learn about the latest in threat hunting and many more...this time we have Mr. Ankit Panchal from NSDL who shall demonstrate an end to end demo of how you can achieve security maturity.
Learn more about DNIF KONNECT here - https://dnif.it/dnif-konnect.html
Learn more about DNIF KONNECT here - https://dnif.it/dnif-konnect.html
Threat hunting - Every day is hunting seasonBen Boyd
Breakout Presentation by Ben Boyd during the 2018 Nebraska Cybersecurity Conference.
Introduction to Threat Hunting and helpful steps for building a Threat Hunting Program of any size, from small to massive.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
"Cyberhunting" actively looks for signs of compromise within an organization and seeks to control and minimize the overall damage. These rare, but essential, breed of enterprise cyber defenders give proactive security a whole new meaning.
Check out the accompanying webinar: http://www.hosting.com/resources/webinars/?commid=228353
Threat hunting is the best, proactive approach. But, excelling at threat hunting, discovering adversaries takes time, patience, planning, and some serious skills. Mature beyond the basics of hunting and evolve your program!
After anomalous network traffic has been identified there can still be an abundance of results for an analyst to process. This presentation is for data scientist and network security professionals who want to increase the signal-to-noise.
Flare is a network analytic framework designed for data scientists, security researchers, and network professionals. Written in python, flare is designed for rapid prototyping and development of behavioral analytics. Flare comes with a collection of pre-built utility functions useful for performing feature extraction.
Using flare, we'll walk through identifying Domain Generation Algorithms (DGA) commonly used in malware and how to reduce the dataset to a manageable amount for security professionals to process.
We'll also explore flare's beaconing detection which can be used with the output from popular Intrusion Detection System (IDS) frameworks.
More information on flare can be found at https://github.com/austin-taylor/flare
www.austintaylor.io
The Information Security Community on LinkedIn, with the support of Cybereason, conducted a comprehensive online research project to gain
more insight into the state of threat hunting in security
operation centers (SOCs). When the 330 cybersecurity and IT professionals were asked what keeps them up at night, many comments revolved around a central theme of undetected threats slipping through an organization’s defenses. Many
responses included “unknown” and “advanced” when
describing threats, indicating the respondents understand
the challenges and fear those emerging threats.
Read the full report here.
In our webinar “What is Threat Hunting and why do you need it?" we discussed the folowing key points:
1. What Threat hunting is.
2. Why it is becoming so popular and what kinds of attacks are making it necessary.
3. What the challenges are.
4. Threat Hunting and Investigation services for attacks.
5. Case studies.
Find out more on https://www.pandasecurity.com/business/adaptive-defense/?utm_source=slideshare&utm_medium=social&utm_content=SM_EN_WEB_adaptive_defense&track=180715
Threat Hunting Procedures and Measurement MatriceVishal Kumar
This document will provide the basics of Cyber Threat Hunting and answers of some Q such as; What is Threat Hunting?, What is the Importance of Threat Hunting, and How it can be start....Bla..Bla..Bla...
https://www.enoinstitute.com/training-tutorials-courses/cyber-threat-hunting-training-ccthp/ Learn how to find, assess, and remove threats from your organization in our Certified Cyber Threat Hunting Training (CCTHP) designed to prepare you for the Certified Cyber Threat Hunting Professional (CCTHP) exam.
In this Cyber Threat Hunting Training (CCTHP) course, we will deep dive into “Threat hunting” and searching for threats and mitigate before the bad guy pounce. And we will craft a series of attacks to check Enterprise security level and hunt for threats. An efficient Threat hunting approach towards Network, Web, Cloud, IoT Devices, Command & Control Channel(c2), Web shell, memory, OS, which will help you to gain a new level of knowledge and carry out all tasks with complete hands-on.
RESOURCES:
Cyber Threat Hunting Training: Cyber Threat Hunting A Complete Guide – 2020 Edition By Gerardus Blokdyk/vitalsource.com
Cyber Threat Hunting Training: Cyber Threat Hunting A Complete Guide – 2019 Edition By: Gerardus Blokdyk/vitalsource.com
Cyber Threat Hunting Training: Hunting Cyber Criminals: A Hacker’s Guide to Online Intelligence Gathering Tools and Techniques 1st Edition by Vinny Troia/Amazon.com
Cyber Threat Hunting Training: Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer by Muniz Joseph and Lakhani Aamir/Amazon.com
CUSTOMIZE It:
We can adapt this Cyber Threat Hunting Training (CCTHP) course to your group’s background and work requirements at little to no added cost.
If you are familiar with some aspects of this Cyber Threat Hunting (CCTHP) course, we can omit or shorten their discussion.
We can adjust the emphasis placed on the various topics or build the Cyber Threat Hunting Training (CCTHP) around the mix of technologies of interest to you (including technologies other than those included in this outline).
If your background is nontechnical, we can exclude the more technical topics, include the topics that may be of special interest to you (e.g., as a manager or policy-maker), and present the Cyber Threat Hunting Training (CCTHP) course in manner understandable to lay audiences.
Your adversaries continue to attack and get into companies. You can no longer rely solely on alerts from point solutions to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts capability to detect and quickly mitigate advanced attacks.
Who should attend? Anyone that works in security and wants to leverage their machine data to detect internal and advanced threats, monitor activities in real time, and improve their organization's security posture.
Description: Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts capability to detect and quickly mitigate advanced attacks.
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...MITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour January 2021
By Daniel Wyleczuk-Stern, Senior Security Engineer, Snowflake
Cyber security is inherently a function of risk management. Risk management is the identification, evaluation, and prioritization of risks followed by the effort to reduce those risks in a coordinated and economical manner (thanks wikipedia!). In this talk, Daniel will be going over some strategies for measuring and prioritizing your cyber risks using MITRE ATT&CK. He'll discuss some lessons learned in atomic testing of techniques vs attack chaining as well as what to measure and how to make decisions with that data.
From Threat Intelligence to Defense Cleverness: A Data Science Approach (#tid...Alex Pinto
This session will center on a market-centric and technological exploration of commercial and open-source threat intelligence feeds that are becoming common to be offered as a way to improve the defense capabilities of organizations.
While not all Threat Intelligence can be represented as "indicator feeds", this space has enough market attention that it deserves a proper scientific, evidence-based investigation so that practitioners and decision makers can maximize the results they are able to get for the data they have available.
The presentation will consist of a data-driven analysis of a cross-section of threat intelligence feeds (both open-source and commercial) to measure their statistical bias, overlap, and representability of the unknown population of breaches worldwide. All the statistical code written and research data used (from the publicly available feeds) will be made available in the spirit of reproducible research. The tool itself will be able to be used by attendees to perform the same type of tests on their own data (called tiq-test).
Some of the important questions and answers that emerge in this presentation include:
"Are Threat Intelligence Feeds a statistical good measure of the population of 'bad stuff' happening out there? Is there even such a thing?"
"How tuned to YOUR specific threat surface are those feeds?"
"Can we actually make good use of them even if the threats they describe have no overlap with the actual incidents you have been seeing in your environment? (hint: probably not)"
We will provide an open-source tool for attendees to extract, normalize and export data from threat intelligence feeds to use in their internal projects and systems. It will be pre-configured with current publicly available network feeds and easily extensible for private or commercial feeds (called combine).
Using Canary Honeypots for Network Security Monitoringchrissanders88
In this presentation I talk about how honeypots that have more traditionally been used for research purposes can also be used as an effective part of a network security monitoring strategy.
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budgetchrissanders88
This presentation was originally given as a lightning talk for a Charleston ISSA meeting. I talk briefly about malware analysis, and how to get started with malware analysis on a budget using virtualization.
Threat hunting - Every day is hunting seasonBen Boyd
Breakout Presentation by Ben Boyd during the 2018 Nebraska Cybersecurity Conference.
Introduction to Threat Hunting and helpful steps for building a Threat Hunting Program of any size, from small to massive.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
"Cyberhunting" actively looks for signs of compromise within an organization and seeks to control and minimize the overall damage. These rare, but essential, breed of enterprise cyber defenders give proactive security a whole new meaning.
Check out the accompanying webinar: http://www.hosting.com/resources/webinars/?commid=228353
Threat hunting is the best, proactive approach. But, excelling at threat hunting, discovering adversaries takes time, patience, planning, and some serious skills. Mature beyond the basics of hunting and evolve your program!
After anomalous network traffic has been identified there can still be an abundance of results for an analyst to process. This presentation is for data scientist and network security professionals who want to increase the signal-to-noise.
Flare is a network analytic framework designed for data scientists, security researchers, and network professionals. Written in python, flare is designed for rapid prototyping and development of behavioral analytics. Flare comes with a collection of pre-built utility functions useful for performing feature extraction.
Using flare, we'll walk through identifying Domain Generation Algorithms (DGA) commonly used in malware and how to reduce the dataset to a manageable amount for security professionals to process.
We'll also explore flare's beaconing detection which can be used with the output from popular Intrusion Detection System (IDS) frameworks.
More information on flare can be found at https://github.com/austin-taylor/flare
www.austintaylor.io
The Information Security Community on LinkedIn, with the support of Cybereason, conducted a comprehensive online research project to gain
more insight into the state of threat hunting in security
operation centers (SOCs). When the 330 cybersecurity and IT professionals were asked what keeps them up at night, many comments revolved around a central theme of undetected threats slipping through an organization’s defenses. Many
responses included “unknown” and “advanced” when
describing threats, indicating the respondents understand
the challenges and fear those emerging threats.
Read the full report here.
In our webinar “What is Threat Hunting and why do you need it?" we discussed the folowing key points:
1. What Threat hunting is.
2. Why it is becoming so popular and what kinds of attacks are making it necessary.
3. What the challenges are.
4. Threat Hunting and Investigation services for attacks.
5. Case studies.
Find out more on https://www.pandasecurity.com/business/adaptive-defense/?utm_source=slideshare&utm_medium=social&utm_content=SM_EN_WEB_adaptive_defense&track=180715
Threat Hunting Procedures and Measurement MatriceVishal Kumar
This document will provide the basics of Cyber Threat Hunting and answers of some Q such as; What is Threat Hunting?, What is the Importance of Threat Hunting, and How it can be start....Bla..Bla..Bla...
https://www.enoinstitute.com/training-tutorials-courses/cyber-threat-hunting-training-ccthp/ Learn how to find, assess, and remove threats from your organization in our Certified Cyber Threat Hunting Training (CCTHP) designed to prepare you for the Certified Cyber Threat Hunting Professional (CCTHP) exam.
In this Cyber Threat Hunting Training (CCTHP) course, we will deep dive into “Threat hunting” and searching for threats and mitigate before the bad guy pounce. And we will craft a series of attacks to check Enterprise security level and hunt for threats. An efficient Threat hunting approach towards Network, Web, Cloud, IoT Devices, Command & Control Channel(c2), Web shell, memory, OS, which will help you to gain a new level of knowledge and carry out all tasks with complete hands-on.
RESOURCES:
Cyber Threat Hunting Training: Cyber Threat Hunting A Complete Guide – 2020 Edition By Gerardus Blokdyk/vitalsource.com
Cyber Threat Hunting Training: Cyber Threat Hunting A Complete Guide – 2019 Edition By: Gerardus Blokdyk/vitalsource.com
Cyber Threat Hunting Training: Hunting Cyber Criminals: A Hacker’s Guide to Online Intelligence Gathering Tools and Techniques 1st Edition by Vinny Troia/Amazon.com
Cyber Threat Hunting Training: Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer by Muniz Joseph and Lakhani Aamir/Amazon.com
CUSTOMIZE It:
We can adapt this Cyber Threat Hunting Training (CCTHP) course to your group’s background and work requirements at little to no added cost.
If you are familiar with some aspects of this Cyber Threat Hunting (CCTHP) course, we can omit or shorten their discussion.
We can adjust the emphasis placed on the various topics or build the Cyber Threat Hunting Training (CCTHP) around the mix of technologies of interest to you (including technologies other than those included in this outline).
If your background is nontechnical, we can exclude the more technical topics, include the topics that may be of special interest to you (e.g., as a manager or policy-maker), and present the Cyber Threat Hunting Training (CCTHP) course in manner understandable to lay audiences.
Your adversaries continue to attack and get into companies. You can no longer rely solely on alerts from point solutions to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts capability to detect and quickly mitigate advanced attacks.
Who should attend? Anyone that works in security and wants to leverage their machine data to detect internal and advanced threats, monitor activities in real time, and improve their organization's security posture.
Description: Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts capability to detect and quickly mitigate advanced attacks.
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...MITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour January 2021
By Daniel Wyleczuk-Stern, Senior Security Engineer, Snowflake
Cyber security is inherently a function of risk management. Risk management is the identification, evaluation, and prioritization of risks followed by the effort to reduce those risks in a coordinated and economical manner (thanks wikipedia!). In this talk, Daniel will be going over some strategies for measuring and prioritizing your cyber risks using MITRE ATT&CK. He'll discuss some lessons learned in atomic testing of techniques vs attack chaining as well as what to measure and how to make decisions with that data.
From Threat Intelligence to Defense Cleverness: A Data Science Approach (#tid...Alex Pinto
This session will center on a market-centric and technological exploration of commercial and open-source threat intelligence feeds that are becoming common to be offered as a way to improve the defense capabilities of organizations.
While not all Threat Intelligence can be represented as "indicator feeds", this space has enough market attention that it deserves a proper scientific, evidence-based investigation so that practitioners and decision makers can maximize the results they are able to get for the data they have available.
The presentation will consist of a data-driven analysis of a cross-section of threat intelligence feeds (both open-source and commercial) to measure their statistical bias, overlap, and representability of the unknown population of breaches worldwide. All the statistical code written and research data used (from the publicly available feeds) will be made available in the spirit of reproducible research. The tool itself will be able to be used by attendees to perform the same type of tests on their own data (called tiq-test).
Some of the important questions and answers that emerge in this presentation include:
"Are Threat Intelligence Feeds a statistical good measure of the population of 'bad stuff' happening out there? Is there even such a thing?"
"How tuned to YOUR specific threat surface are those feeds?"
"Can we actually make good use of them even if the threats they describe have no overlap with the actual incidents you have been seeing in your environment? (hint: probably not)"
We will provide an open-source tool for attendees to extract, normalize and export data from threat intelligence feeds to use in their internal projects and systems. It will be pre-configured with current publicly available network feeds and easily extensible for private or commercial feeds (called combine).
Using Canary Honeypots for Network Security Monitoringchrissanders88
In this presentation I talk about how honeypots that have more traditionally been used for research purposes can also be used as an effective part of a network security monitoring strategy.
CISSA Lightning Talk - Building a Malware Analysis Lab on a Budgetchrissanders88
This presentation was originally given as a lightning talk for a Charleston ISSA meeting. I talk briefly about malware analysis, and how to get started with malware analysis on a budget using virtualization.
This talk was given at BSides Augusta 2016. It was conducted by @real_slacker007 of CyberSyndicates.com; The creators of Mercenary-Linux. This slideshow covers numerous vulnerabilities within the DNS protocol and the methods used to exploit them. In addition to vulnerabilities and attacks, it also displays several IOC's that can be used to signature the attacks.
The top 10 windows logs event id's used v1.0Michael Gough
How to catch malicious activity on Windows systems using properly configured audit logging and the Top 10 events and more you must have enable, configured and alerting.
LOG-MD
MalwareArchaeology.com
Is your ICS breached? Are you sure? How do you know?
The current state of security in Industrial Control Systems is a widely publicized issue, but fixes to ICS security issues are long cycle, with some systems and devices that will unfortunately never have patches available. In this environment, visibility into security threats to ICS is critical, and almost all of ICS monitoring has been focused on compliance, rather than looking for indicators/evidence of compromise. The non-intrusive nature of Network Security Monitoring (NSM) is a perfect fit for ICS. This presentation will show how NSM should be part of ICS defense and response strategy, various options for implementing NSM, and some of the capabilities that NSM can bring to an ICS security program. Free tools such as Security Onion, Snort IDS, Bro IDS, NetworkMiner, and Wireshark will be used to look at the ICS environment for anomalies. It will be helpful if attendees have read these books (but they aren't required): The Cuckoo's Egg by Cliff Stoll, The Practice of Network Security Monitoring by Richard Bejtlich, and Applied Network Security Monitoring by Chris Sanders and Jason Smith.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
Applied Detection and Analysis with Flow Data - SO Con 2014chrissanders88
In this presentation, we discuss the benefit of using flow data for detection and analysis. We also discuss the SiLK flow analysis suite and the FlowPlotter tool that can be used for generating ad-hoc visualizations from flow data, as well as the upcoming FlowBAT tool that is used to ease analysis of this very useful data type.
BSA2016 - Honeypots for Network Security Monitoringchrissanders88
At the BSides Augusta 2016 conference, I presented the economic challenges of defensive security and how honeypots can be used for cost effective network security monitoring.
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.
Presentation on organisation, courses and workshops of the Library of the University of Amsterdam - meeting between subject librarians of the University of Oslo and the University of Amsterdam, October 9th, 2013.
ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...ZoneFox
ZoneFox is an award winning market leader in User Behaviour Analytics, providing critical insights around data-flow that you need to secure against the Insider Threat.
Applied cognitive security complementing the security analyst Priyanka Aash
Security incidents are increasing dramatically and becoming more sophisticated, making it almost impossible for security analysts to keep up. A cognitive solution that can learn about security from structured and unstructured information sources is essential. It can be applied to empower security analysts with insights to qualify incidents and investigate risks quickly and accurately.
(Source : RSA Conference 2017)
Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts capability to detect and quickly mitigate advanced attacks.
Security Analytics for Data Discovery - Closing the SIEM GapEric Johansen, CISSP
Although SIEM has been the cornerstone of security data analysis for years, it has struggled to meet the data triage and analysis needs required for incident response and hunting. It is too slow, difficult to use, and is often inadequately tuned or maintained to be helpful for on-demand data analysis.
In this session we’ll explore new security analytics technologies – rapid search, natural language, pattern-based correlations, and unstructured data – that can extend the on-demand data analysis of the SIEM to improve threat hunting and accelerate incident response.
Presented at AusCERT: May 25, 2016.
Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts capability to detect and quickly mitigate advanced attacks.
Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts capability to detect and quickly mitigate advanced attacks.
Digital forensics research: The next 10 yearsMehedi Hasan
Today’s Golden Age of computer forensics is quickly coming to an end. Without a clear strategy for enabling research efforts that build upon one another, forensic research will fall behind the market, tools will become increasingly obsolete, and law enforcement, military and other users of computer forensics products will be unable to rely on the results of forensic analysis. This article summarizes current forensic research directions and argues that to move forward the community needs to adopt standardized, modular approaches for data representation and forensic processing.
@2010 Digital Forensic Research Workshop. Published by Elsevier Ltd. All rights reserved
Jon Murphy, National Practice Lead, AOS
Top 10 Trends for 2015 in Information Tech Risk Management
ITRM is more than merely security hardware and apps under the control of an overworked network admin. It is strategic and tactical process, technology, and people in various roles and levels working collaboratively to protect vital organizational assets like data, information, ability to delivery timely, and reputation. Organizations need continuous, current, Actionable InsightSM about probable sources of majorly impactful risks and threats. Then and only then are they adequately prepared to make the smartest investments in continuing education, process improvement, and procedures for the proper use of the right technology for their situation. This multi-media, interactive presentation will cover the current top trends for 2015 in ITRM and that Actionable InsightSM - what your organization can and should do about likely and impactful IT risks and vulnerabilities.
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...Cloudera, Inc.
Learn how to:
* Detect threats automatically and accurately
* Reduce threat response times from 7 days to 4 hour
* Ingest and process 100+TB per day for automated machine learning and behavior-based detection
Why the DoD Uses Advanced Network-traffic Analytics to Secure its NetworkNovetta
Advanced network-traffic analytics changed the way many of the largest agencies within the Department of Defense handle their cyber security efforts, and we've just published a whitepaper describing why and how. The paper provides important information about how an enterprise can significantly reduce damages caused by sophisticated attackers, including:[clear]
A description of the limitations of today’s security solutions and how advanced network-traffic analytics can help improve enterprise security.
Two case studies about how the Department of Defense benefits today from advanced analytics.
A high-level review of the technical architecture of an advanced network analytics solution and how it can be used to thwart attacks.
A discussion of how enterprises and their security teams will benefit from a network-traffic analytics approach to enterprise security.
2018 - Using Honeypots for Network Security Monitoringchrissanders88
A strong detection and response capability is required for the success of security program because prevention eventually fails and a motivated attacker can always find a way in. However, economics are not in favor of network security monitoring (NSM). Due to the hardware, software, and labor required it's expensive to deploy an NSM capability and hire qualified analysts to maintain and investigate the high volume of alerts, especially at scale.
In this presentation I'll discuss how honeypots are re-emerging as a practical solution for driving down the cost of network security monitoring. These aren't your traditional honeypots meant to sit outside the firewall to research automated malware. These are focused, use case specific honeypots that are designed to provide detection with a favorable signal to noise ratio. By integrating honeypots into your NSM strategy and taking a targeted approach, a grid of honeypots can realistically become your most cost effective detection tool. I'll make the case for honeypots like these and discuss implementation strategies that I've seen work. You should come away from this presentation with a unique perspective on honeypots and an actionable plan you can use to start evaluating and deploying tactical honeypots in your network.
In this presentation Jason Smith and I discuss how you can apply the hacker mindset to cooking. We provide several tips and tricks for cooking like a hacker and making food with maximum deliciousness and minimum effort. Photo credits to Serious Eats.
Minding the Metacognitive Gap - BSides NOLAchrissanders88
As security investigators, even those of us with a great deal of experience aren’t very good at identifying how we perform our jobs successful. Our inability to understand our own thought processes can be defined as a lack of metacognitive awareness, and it negatively impacts our ability to perform investigations efficiently, and to train new apprentice investigators. In this presentation, I’ll discuss the metacognitive gap as it relates to security investigators. This will include a discussion of dual process theory and the role of intuitive and reflective thinking, as well as modern research techniques such as eye gaze tracking that can help us become better as investigators and build better tools to support our endeavors.
BSides Augusta 2015 - Building a Better Analyst Using Cognitive Psychologychrissanders88
The information security industry and the vendors that support it have placed emphasis on the tools we use to investigate security breaches. However, we rarely win or lose battles in the trenches because of the tools we buy. Instead, our result is typically determined by the tools we are born with and nurture over time. While machines are ideal for collecting data and finding anomalies, there is no tool better for connecting the dots than the human mind. Of course, the human mind is not without its own limitations and challenges we must overcome. This presentation discusses metacognition and how it applies to the investigative process.
Applied Detection and Analysis Using Flow Data - MIRCon 2014chrissanders88
In this presentation, Chris Sanders and Jason Smith discuss the importance of using flow data for network security analysis. Flow data is discussed from the viewpoints of collection, detection, and analysis. We also discuss the FlowPlotter tool, and the use of FlowBAT, a graphical flow analysis GUI we've created.
Developing Analytic Technique and Defeating Cognitive Bias in Securitychrissanders88
In this presentation, I discuss the evolution to the analysis era in information security and the challenges associated with it. This includes several examples of cognitive biases and the negative effects they can have on the analysis process. I also discuss different analytic techniques that can enhance analysis such as differential diagnosis and relational investigation.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
3. Agenda
Era of Analysis
DFIR Cognitive Revolution
Researching the Investigation Process
Data, Data, and more Data
The economics of NSM are not in our favor –
how can we study the investigation process to
make it more efficient?
4. Economics of Security
“If you want to understand the world of nature,
master physics. If you want to understand the
world of man, master economics.” - Taufiq
Rashid
High
Demand for
Security
Expertise
Low Supply
of Security
Practitioners
Expertise
Services
Software
5. Evolution of NSM
“The profession
[security] is so
nascent that the how-
tos have not been
fully realized even by
the people who have
the knowledge.”
Every thought-based
profession goes
through a cognitive
crisis and revolution.
Ours is coming.
6. Symptoms of a Cognitive Crisis
1. Demand for expertise greatly outweights
supply
2. Most information cannot be trusted or
validated
3. Inability to mobilize and tackle big systemic
issues
7. The Cognitive Revolution in
DFIR
1. Understand the processes
used to perform
investigations and draw
conclusions
2. Develop repeatable
methods and techniques
for performing
investigations
3. Build and advocate
training that teaches
analysts how to think
about investigations, not
just how to use tools.
8. Investigations as Mental
Labyrinths
The investigation is
the core construct of
information security.
At a high level, an
investigation is a
series of decisions
that begets other
decisions.
Defenders don’t
always know if
they’ve taken the
correct path.
9. Navigating the Labyrinth
Alert
OSINT
Reputation
File Hash
Sandbox
Behaviors
AV Detections
(VT)
Imphash
More File
Hashes
Friendly Host
Network PCAP
Host
Windows
Logs
Security Log
System Log
App LogRegistry
File System
Hostile Host Network
PCAP
Flow
10. Studying the Investigation
Process
Goal:
Increase Accuracy
Decrease Time
How do you study
something human
thought?
Challenges:
Creating unique
investigation scenarios
takes time
There is no universal
set of tooling
11. A Scenario-Based Approach to
Investigation Analysis
Create a tool-agnostic investigation simulator
Make it portable and self contained
Seed it with investigation scenarios where one
variable can be addressed at a time
Allow it to log investigator actions and output a
log of decisions being made
15. The Compromise
1. Victim visits friendly
website
2. Redirect to EK landing
page
3. Download flash exploit
4. Exploit is successful and
ransomware file
downloads
5. Ransomware installs and
executes
6. Ransomware begins C2
communication
16. What data did analysts look at
first?
72%
16%
12%
Observed
PCAP Flow OSINT
Data Suggests:
Analysts prefer a higher context data set…
…even if other data sets are available
…even if lower context data sets can lead to a resolution.
Analysts don’t fully understand their own techniques
49%
28%
23%
Reported
PCAP Flow OSINT
17. Did the first move affect analysis
speed?
Data Suggests:
While PCAP provides richer context, it may slow down
the investigation if that’s where you start
Starting with a lower context data source can increase
speed when working with higher context data
16
10
9
PCAP Flow OSINT
27
13 13
PCAP Flow OSINT
Avg Time to Close Weighted Time to Close
18. What happens when Bro data
replaces PCAP?
46%
25%
29%
Observed (Bro)
Bro Flow OSINT
72%
16%
12%
Observed (PCAP)
PCAP Flow OSINT
19. What happens when Bro data
replaces PCAP?
16
10
9
PCAP Flow OSINT
Avg Time to Close (PCAP)
10 10 11
Bro Flow OSINT
Avg Time to Close (Bro)
Data Suggests:
Better organization of high context data sources
can yield improvements in analysts performance
20. What data sources were viewed
most and least frequently?
Data Suggests:
Network data is used more frequently than host data…
…even when host data can be used exclusively to resolve.
…even when easy access is provided to host sources.
Revisting data is more prevalent on higher context data
sources
Data Sources Viewed Data Sources Revisited
PCA
P
84%
Flow
11%
OSIN
T
5%
21. How many steps were taken to
make a disposition judgement?
Data Suggests:
At some point, the number of data sources you
investigate impacts the speed of the investigation
Understanding where data exists and when to use it
can impact analysis speed
6
12
9
3
0
5
10
15
6-10 11-15 16-20 21-25
Number of Steps
9
12
14
24
0
5
10
15
20
25
30
6-10 11-15 16-20 21-25
Avg Time to Close
22. Did analysts investigate friendly or
hostile systems first?
9%
91%
Observed
Friendly Hostile
Data Suggests:
Analysts are more compelled to investigate unknown
external threats than internal systems
Analysts don’t fully understand their own techniques
41%
59%
Friendly
Friendly Hostile
23. Do analysts seek to prove or
disprove the alert?
Data Suggests:
Analysts are almost always seek to prove an
alert...
...despite the fact that disproving it is usually faster.
Prove vs. Disprove
Prove
88%
Dispr
ove
12% 19
8
0
5
10
15
20
Prove Disprove
Avg Time to Close
Every town had one doctor and they were also your vet
Many home remedies spawn from this time – milk as a treatment for stomach ulcers is an example
Major health crises were frequent and impossible to control
How do we research a process that is intrinsically human?
We ended up with an investigation game
TIMECHECK – 15 MINUTES
Sidebar: Analysts looked at the PCAP 100% of the time, even if it wasn’t necessary.
This points to tendencies gained from training. Most shops don’t have easy access to host data.
Anecdotal – Experts I knew took less than 10 steps.
Anecdotal – Novices I knew took > 15.
