We can all agree that threat detection is an essential component of a functioning security monitoring program. Let's start thinking about how to take our tradecraft to the next level and hunt for ways for evil to do evil things. This talk will run through some of the observations gathered during hunting expeditions inside the networks of multiple Fortune ranked organizations. We hope to challenge you to expand your security operations, moving beyond traditional signature based detection.
2. New slides, who dis?
Danny Akacki
Hunting: Defense Against The Dark Arts 2
Who: @DAkacki
(in conjunction with and on behalf of
@find_evil & @StephenHinck)
What: Hunter of things
Where: Fortune blah blah blah
About:
• Mandiant x2
• GE Capital
• Long, sordid love affair with Philly.
• Enthusiastic hugger.
#HumanZoo
3. Hunting: Defense Against The Dark Arts 3
Problem Set
• Find Evil
• Find Ways for Evil to do Evil Things
• Drive maturation of monitoring & detection capabilities
4. Hunting: Defense Against The Dark Arts 4
Traditional Detection vs. Hunting
Not
❌ Tools
❌ Alerts
❌ Automation
5. Hunting: Defense Against The Dark Arts 5
Hunting As A Methodology.
• Think layers.
• Linear.
• Iterative.
• Hypothesis driven.
7. Building a Hunt Program
Hunting: Defense Against The Dark Arts 7
"Understanding is the first step to acceptance,
and only with acceptance can there be
recovery.“
— Albus Dumbledore
8. Hunt Program
Mature detection capabilities
Use Cases + Playbooks
Guiding processes for SOC / CIRT
Technology & Tools
Operationally-driven and requirements-based
SOC + CIRT
Security operations and incident response
Formalized Security Program
Chartered and backed by an executive sponsor
Hunting: Defense Against The Dark Arts 8
Hunting Capability Pyramid
Must be this
tall to ride
9. Hunting: Defense Against The Dark Arts 9
http://blog.sqrrl.com/the-cyber-hunting-maturity-model
Hunting Maturity Model
10. Building a Hunt Program
Hunting: Defense Against The Dark Arts 10
1. Establish executive sponsorship and mission charter/objectives
2. Establish and implement enterprise logging strategy
3. Aggregate, centralize, and process data
4. Make data available within a (fast) searchable interface
5. Drive maturity
• Develop Use Cases
• Are we getting the right data?
• Review tooling and associated requirements
• Reintegrate hunt mission data to security operations
11. Hunting + IR Detection Maturation
Hunting: Defense Against The Dark Arts 11
HUNT SOC DETECT
IR USE CASE
Ongoing Hunt
Missions
Feed Incident
Response activities
IR outcomes affect
SecOps
Lessons Learned
incorporated to
SecOps
Detection
capability
improvement
Evil
Non-Evil Risk
12. Fantastic Use Cases and How To Make Them
Hunting: Defense Against The Dark Arts 12
• Scenarios to help solve/uncover problems and guide your thinking.
• Can be simple or complex
• Helps to identify data / capability requirements and gaps
• Aligned to an attacker lifecycle: Kill Chain or ATT&CK
• Contains Internal TTP used to achieve the Use Case Objectives
• Data – What should we collect to detect events of interest?
• Tools – What can we use to handle our Data?
• Logic – How can we best leverage both our Data and Tools?
13. Use Cases: Slide 2: Detection Bugaloo
Hunting: Defense Against The Dark Arts 13
Incident
Events of Interest
Detection Use Case
Events of Interest, ex.
1. $Endpoint1 seen making
DNS requests for known
bad domain
2. HTTP Proxy sees
$Endpoint1 requesting
binary with unknown MD5
3. Network logs show
periodic suspicious
communications from
$Endpoint1 to multiple
new hosts in unlikely
countries
14. Use Case Design Tree: Objective
Hunting: Defense Against The Dark Arts 14
15. Use Case Design Tree: Tools & Capabilities
Hunting: Defense Against The Dark Arts 15
16. Hunt Mission Outcomes
Hunting: Defense Against The Dark Arts 16
•Benefit: Activity shown not to be present
•Next Step: Evaluate hunt mission effectiveness
No Detection
•Benefits: Activity shown to be present
Hunt mission effectiveness validated
Identify best practice / compliance issues
•Next Step: Escalate as appropriate, monitor to closure
Detection:
Non-Malicious
•Benefits: Activity shown to be present
Hunt mission effectiveness validated
Identify security incidents
•Next Step: Escalate as appropriate, monitor to closure
Detection:
Malicious
17. Sorting Out Your Data
Hunting: Defense Against The Dark Arts 17
"Not Slytherin, eh? Are you sure? You could be great, you know."
18. Data Sources
- Remote Access
- Web Proxy
- IDS / IPS
- Email
- WAF
- DNS
- DHCP
- NetFlow
- Firewall
- Router / Switch
- Wireless Infrastructure
- Agents
- Antivirus
- Operating Systems
- Active Directory
- File, Print, Database
- Other Services
External Feeds
- Paid, Free, OSINT
Internal Feeds
- Recon Data
- Threat/Risk Models
- IR Lessons Learned
- Critical Asset Inventory
- Identity & Access
Management (IAM)
- Scheduled Service
Interruptions
- Terminated Users
- Acceptable Use Policy
- Employee Work Hours
- Physical Access Logs
Security
Network
Endpoint
IT
Threat Intel
HR
Hunting: Defense Against The Dark Arts 18
19. Two Types of Events
Hunting: Defense Against The Dark Arts 19
1. Observed Originated from a device that handled the event in some way
2. Synthetic Generated through automated analysis of event data
20. What is the Right Data?
Hunting: Defense Against The Dark Arts 20
• Original source data wherever possible
• Ensure the presence of important metadata
• Generally, observed events > synthetic events
• Synthetic events can provide useful context in the form of analytics
• Logs must enable pivoting
• Minimum - one extractable / consistent data point to correlate log sources
21. Ready the Spells!
Hunting: Defense Against The Dark Arts 21
• Understand the network
• Learn critical assets
• Develop enterprise logging strategy
• Ensure data sources use consistent time settings; implement NTP, use GMT (or UTC)
• Plug in to asset, change, and configuration management processes
• Account for other organizational use cases
• IT Operations
• Forensics / Incident Response
• Compliance / Audit
• Clean up the hunt dataset
• Normalization
• De-duplication
• Parsing
• Enrich and contextualize the dataset...!
22. Event Enrichment
Hunting: Defense Against The Dark Arts 22
• Internally-sourced Intelligence
• Attack Trees
• Red Team / Penetration test output
• TTPs from previous incidents
• Deviances from baselines / Expected behavior
• Organizational risk profile / Threat context
• Externally-sourced Intelligence
• Paid subscriptions
• OSINT
• Free feeds
• Passive DNS, WHOIS, etc.
• Geographical data
• ISAC, Infragard, etc.
• Context
• Environmental
• Refer to "Data Source" slide
• Previous hunt and IR output
• Malware analysis
• Analytics, Ex:
• Geo-infeasibility
• Beacon detection
• DNS entropy
• Data exfiltration
23. Tools of the Trade
Hunting: Defense Against The Dark Arts 23
"It is important to fight, and fight again, and keep fighting, for only
then could evil be kept at bay, though never quite eradicated"
— Albus Dumbledore
24. Criteria for a Working Hunt Platform
Hunting: Defense Against The Dark Arts 24
• Rapid search with high quality UI and / or API
• Stacking
• Group and reduce the dataset to more easily identify outliers
• Improves feasibility of analyzing large environments
• Pivoting
• Move laterally through the dataset
• See the whole picture
• Nice to Have
• Tagging and Enrichments
• Intelligence Integration Support
• Automation: Rules & Alerting
25. All About The Galleons
Hunting: Defense Against The Dark Arts 25
• Budget!
• Driven by Operational Requirements
• Tool/Vendor Selection Process
• Evaluation Success Criteria
• Multiple Tools: Diverse Perspectives
• Free and Open Source Software!
• NXLog
• Sysmon
• Moloch
• Wireshark
• Bro Network Security Monitor
• ELK Stack (ElasticSearch, Logstash, Kibana)
• Security Onion Linux Distribution– Da Real MVP
+ a bunch of other stuff not listed here...
27. Sample Hypotheses to Drive Hunt Missions
Hunting: Defense Against The Dark Arts 27
1. Sensitive corporate data stored only in
approved locations
2. Large or extended outbound data transfers
meet business needs
3. Reconnaissance activities against DMZ hosts
provide advance warning of pending malicious
activity
4. VPN logins by users are geographically
feasible
5. Domain controller baselines are simple and
deviations rarely occur
6. Service credentials are used only in expected
ways and for their appropriate services
7. Web proxies are appropriately configured to
block suspicious traffic
8. Services communicate using secure,
encrypted protocols
9. Tunneling HTTP traffic and other proxy
avoidance techniques are not allowed in or
out of our network
10. The use of management tools (such as
PSExec) occurs only within approved change
windows
11. Endpoints are not added to the network
without infosec visibility
28. More Data, More Problems
Hunting: Defense Against The Dark Arts 28
"Dobby is... free."
30. 1. Remote Access
Hunting: Defense Against The Dark Arts 30
Hypothesis: Remote access to our environment is conducted using approved means
Discovery:
• Remote access is occurring over multiple protocols to / from unapproved hosts
• VNC to / from production network
• RDP to domain controllers from DMZ
• Evidence of unapproved remote access utilities such as LogMeIn, GoToMyPC, etc
Recommendation:
• Evaluate unapproved connections for mitigation or for risk acceptance
• Ensure that risk accepted software is fully patched and up to date
• Implement strong encryption, jump boxes / VPN ACLs, and two-factor authentication where possible
31. 2. Data Storage
Hunting: Defense Against The Dark Arts 31
Hypothesis: Corporate data is only stored in approved locations
Discovery:
• Sensitive corporate data stored on unencrypted and infected external media
• Unrestricted use of common cloud data storage providers
• Unmanaged source code repositories (intellectual property)
Recommendation:
• Evaluate DLP implementation and allowed web proxy categories
• Consider establishing formalized agreement with a cloud storage provider
• Bring unmanaged data stores under management in support of development teams
32. 3. Proxy Infrastructure
Hunting: Defense Against The Dark Arts 32
Hypothesis: Our proxy infrastructure is properly configured
Discovery:
• Not blocking known malicious categories
• Not blocking executable downloads
• Proxies not logging all necessary protocol metadata
• Ex. User Agent, Status Code, Byte Counts, X-Forward-For, etc.
Recommendation:
• Validate security operations' requirements of proxy infrastructure
• Re-evaluate proxy configurations for appropriate changes
• Ensure security operations are looped in to the change management process
33. 4. Approved Protocols
Hunting: Defense Against The Dark Arts 33
Hypothesis: Protocols transiting our network are secure and approved for use
Discovery:
• Various insecure protocols identified in use across the network
• Unencrypted: Telnet, FTP
• Deprecated: SNMP v2, cleartext SMTP
• Risky: IRC, TOR / i2p
Recommendation:
• Identify opportunities to deploy secured versions of protocols
• FTP SFTP
• Telnet SSH
• SNMP v2 SNMP v3, etc.
• Evaluate implementation of risk detection and mitigation strategies
34. 5. Approved Clients
Hunting: Defense Against The Dark Arts 34
Hypothesis: Internet access is achieved using known and approved client software
Discovery:
• Suspicious user-agents identified - indicating potential latent infections
• Extremely out of date software, including: client browsers, Flash, and Java
Recommendation:
• Begin incident response procedures to evaluate and triage endpoints
• Evaluate consistency of patch and vulnerability management processes
35. 6. Privilege Management
Hunting: Defense Against The Dark Arts 35
Hypothesis: Account management is rooted in best practice
Discovery:
• Service accounts used for unrelated purposes or shared by users
• Regular and privileged users with non-specific accounts
• Direct privileged logins without approved privilege escalation process (e.g. sudo)
• Suspicious usernames that do not conform to the organizational standard
• User account belonging to terminated user active on the network
Recommendation:
• Evaluate suspicious or ambiguous accounts for mitigation or for risk acceptance
• Ensure security operations are tied into the HR termination workflow
• Update organizational username standard and privilege management processes
36. 7. Security Architecture
Hunting: Defense Against The Dark Arts 36
Hypothesis: Event logs provide information needed to validate control effectiveness
Discovery:
• Non-security specific appliances with disabled security functionality
• Ex. Cisco ASA scan detection disabled
• Security specific appliances improperly placed
• Bro NSM placed post-proxy, post-NAT
Recommendation:
• Evaluate IT systems for security value (non-traditional security appliances)
• Ex. Network devices
• Modify configuration and placement of systems to meet requirements
37. 8. Process Execution
Hunting: Defense Against The Dark Arts 37
Hypothesis: Endpoints only execute processes required for business functions
Discovery:
• Obfuscated PowerShell execution
• Mimikatz and other persistence toolkit execution
• Suspicious filenames/paths/registry entries, etc.
• Users installing browser toolbars and miscellaneous adware/spyware
Recommendation:
• Call the IR Team
• Adjust detections / controls to rapidly detect and prevent future occurrences
38. 9. DNS
Hunting: Defense Against The Dark Arts 38
Hypothesis: DNS resolutions occur within the bounds of best practices
Discovery:
• "Weird" protocol deviations/padded packets suggesting exfil or C&C
• Uncontrolled resolutions that are not forced through corporate infrastructure
• Resolutions for unusual or risky domains
• Ex. Dynamic DNS domains, domains appearing to be algorithmically generated
• Initial resolutions for suspicious domains + subsequent unusual communication
Recommendation:
• Harden organizational DNS infrastructure
• Ex. Implement DNSSEC, prevent zone transfers, etc.
• Configure perimeter devices to only accept DNS requests from corporate DNS
• Implement protocol anomaly detection to identify protocol misuse
39. Thinking Ahead
Hunting: Defense Against The Dark Arts 39
"The one with the power to
vanquish the Dark Lord
approaches..."
— Sybill Trelawney
40. Ensuring Successful Outcomes
Hunting: Defense Against The Dark Arts 40
• Goals
• Reduce attack surface
• Harden the environment
• Improve detection and monitoring
• Don't bother hunting without using the outputs!
• Lessons Learned / AAR
• Feedback loop on IR processes
• Create new or improve existing detections
• Metrics
• Cannot improve what is not measured
• The absence of something is still something
• Most metrics will trend upwards before they come down
• 'Time to Detect' and other metrics will trend downward over time
41. Hunt Methodology: From Art to Science
Hunting: Defense Against The Dark Arts 41
Begin evolution from intuitive art to a more rigorously structured science
43. Resources
Hunting: Defense Against The Dark Arts 43
FireEye Threat Analytics Platform: Hunting at Scale
https://www.fireeye.com/products/threat-analytics-platform.html
MITRE: Adversarial Tactics, Techniques & Common Knowledge
https://attack.mitre.org
The Threat Hunting Project: Compendium of useful resources
http://www.threathunting.net
Loggly: Helpful logging guidelines
https://www.loggly.com/intro-to-log-management
Security Onion: Peel back the layers of your network
https://securityonion.net
44. Resources
Hunting: Defense Against The Dark Arts 44
The Bro Network Security Monitor
https://www.bro.org/
Jack Crook: Finding Bad
http://findingbad.blogspot.com/
Sqrrl Blog
http://blog.sqrrl.com/
The Elastic Stack
https://www.elastic.co/products
Of 2 Minds – How Fast and Slow Thinking Shape Perception and Choice
https://www.scientificamerican.com/article/kahneman-excerpt-thinking-fast-and-slow/
45. FIN
Hunting: Defense Against The Dark Arts 45
In Conclusion:
• Building a program is hard, building a capability less so.
• The tools and knowledge are out there.
• Context is king.
• Silo’s will kill you. Share early, share often.
• While you’re here, meet someone new. Strike up a conversation. This is what it’s all
about.
• Completely unrelated and completely related at the same time. Be kind to one
another. Work is hard, life is harder. Give hugs.
So what have we done so far and what are we trying to do. We can’t just throw a tool at the problem.
The central theme is People, Process and Technology with the emphasis on people.
Tools will fall down. Tools will make you complacent. This is a hands on keyboard issue.
Tools / Alerts / Automation are all aspects of detection and hunting can and should bleed into these.
Hunting is a set of methodologies for analyzing large datasets in search of incidents and context to fuel future automated detections.
This isn’t going be a how to A then B Then C presentation.
This is a build on to use when thinking about spinning up your programs and processes.
So what do I mean when I refer to a methodology?
This not a linear process. More rorschach painting than whoever paints stuff with straight lines. I’m not an art historian what do you want from me.
Iterative. What do I mean by iterative. You’re going to go through this same process again and again.
hypothesis driven exercise.
All about layering. layer a hunt methodology as part of our detection strategy.
outside of pre-existing definitions or signature-based rulesets
This is a lot of information but Sqrll has the best TLDR I’ve seen yet.
Hypothesis. attempt to debunk assumptions about the environment. Go over later in the presso.
Tools and analysis techniques to attack the problem set and validate our hypothesis
Uncover: Risks not currently detected by automation, we are able to use this information to improve our monitoring program.
We need certain things to build a solid foundation.
Who hasn’t seen David Biancos Pyramid of Pain? Well he’s given us a fetish for pyramids. (originally the Martini Glass of Sadness)
Nod to David Biancos PoP. If you haven’t read him, do it later.
Sponsor: Communication. You need to be able to articulate why this is important to people who’d job it is not to know. How will it make us safer?
SOC/CERT = Even if its third party. What good is hunting if you have no one to pass the findings to/take action on.
Tech and Tools: Grepping 14TB of logs is no way to go through life son.
Now we mature
Used to improve governance, improved overall detection = Playbooks.
Difference between a hunt capability and a formalized hunt program.
You can ELK/SO with one dude and be capable to find evil.
TL:DR (capable)
Tools, Information, Someone who cares.
People Process Technology
It’s helpful to visualize where you are to get where you want to go. Sqrl (big data startup) does it again with this model.
Make a note to check out the Sqrll blog for really solid information/tip/tactics.
Most orgs are about a ‘1’. My personal experience shows me even the largest of orgs that while they have all the tools and people in the world, can’t bring it all together.
Ask: After seeing the criteria on this slide, by a show of hands, how many of you feel your organization is at a level 1?
Level 2?
Level 3 or 4?
Speaking to friends who know this kind of thing, you’re looking at a GE or a Target in the upper echelon.
So where do we start?
Where are we going?
What does it take to get there?
At a minimum, we need to iterate through a few projects before we reach the point where we can hunt. Some of these will be easier than others based on the resources available to you.
Logging:
What do we have?
What do other depts have? (multiple splunk instances)
Logging Levels
This all has to go somewhere. Normalize.
Now search. And I’m not talking 20 mins for a single splunk search. Regex/Grep/transforms manually don’t manage when you can have a tool manage that for you.
Maturity.
Data without context is worthless.
What are your crown jewels. Start there.
Reintegration.
Metrics.
How’s it scale/automate/repeat?
Time to Detect.
Total incidents which are going to go up before they come down, but that’s a good thing.
This is a team effort and its’ not just the executive buy in you need.
As you build, keep in your sights how what you’re doing is affecting other areas in the organization. Silo’s will frustrate and derail.
It’s important to think of this process as affecting everything else around you.
Hunt: come up with 3 types of data
Evil
Risk (way for evil to do evil thing)
Stupid
IR
Can be fed from Hunt (give example from GE)
Investigation results feed SecOps.
SOC:
Reintegrate lessons learned
After action review from IR
Send to detection team
Has a responsibility to Update the use cases
The key is that the information, wherever it comes from, is reintegrated in to the hunt operations.
Something not present on this slide is engaging with your Red Team / third party PT
I just mentioned the word Use Case. Let’s talk about how to construct them.
Here is goal, here's what I need to fulfill the goal. Who cares about this? Why?
What has to happen for the detection to occur? Is it a rule in a SIEM or is it a choose your own adventure/cognitive steps on behalf of the hunter?
Doesn’t have to be complex, Guides your thinking.
“Doesn’t matter how you got there, just that you got there?
The goal is to get it away from the human, automate so you can work on something new.
Formalize detection in general. What are alerts? Tied to incident? Ticket in the system?
I’m going to run through a couple of use case design trees.
Another slide to tie the use case concepts together.
A use case is the wrapper, specifies events of interest fulfilling the aim of the use case, found ‘em and classified as undesirable? Incident.
It’s helpful to guide use case development on attack lifecycles
Here is an example of Use Cases based on stages
MITRE ATTCK model
Lockheed
Behaviors seen from threat actors as they complete their mission
So, we have our use case defined. What do we need to make it happen.
Doing a design tree on the tools can help you identify where gaps exist. How you can potentially apply to your own env.
AOI = Activities of Interest.
What can you hope to accomplish? What’s your goal for management?
NO such thing as a failed hunt: Nothing is still something.
This is not about swinging for the fences.
No Detection: Either your clean or your just not being effective enough. Seek to Disprove.
Non Malicious: Looking at things like policy violations, out of date software. Compliance.
Malicious: Proof of the program.
Great you’ve got your data cloud/lake/resevoir/cluster of puppies. Whatever you want to call it. Now how to we Collect and process as a hunter.
Visualizes all the different places you can get data. Where can you get what you need?
Hopefully your data is plentiful and varied, but too much just as much of a problem as not enough.
More traditional include security, network and endpoint.
My personal experience has always been more network focused and it was surprising to me how many endpoint based analysts scoffed at it.
Threat Intel is the new hotness
IT: This is a great starting point for your initial use case creations. What are your critical assets? Do you even know? That’s what the bad guys are going after.
HR is probably the least thought of. Employee work hours? Who thinks of that. Terminated users.
Once worked for a small bank and via acquisition after acquisition we’d routinely find users no longer with company X with domain creds still active on the network.
There are essentially 2 different kinds of event. Thing of this as straight the tap or fancy filtered water.
Observed: Directly from the device (firewall/proxy) that processed the data.
Synthetic: Generated from some kind of sensor. This example from FireEye’s Threat Analytics platform.
The metadata is important.
So which is better?
Original wherever possible. Less processing/manipulation. Closer to source truth.
Proxy and firewall contain different things but complementary.
Review to make sure you’re getting what you need. Is parsing working?
Important metadata that you need to have without diving into a pcap.
Pivoting: Dstipv4. What did it do? Who did it talk to? Who else talked to it? When did it do the thing I saw? Created a timeline.
You’re got your plan, you’re got your data. You’re still not ready.
Show of hands: How many of you can see with 100% you know what you critical assets are?
How many of you are sure there is stuff nobody knows about? Shadow IT
Who ever has a network diagram that’s even up to date by a year? Hunting tells the true story.
Logging Strategy: Log levels?
Time Settings: Timeline is so important.
Account For Org Use Cases:
Who else can use what you want? Share infor and work together.
Clean up.
Normalize: disparate headers in different log sources
Parsing: SIEM or Hunt Tool.
Your data and the events contained within are utterly useless without context.
Previous Output: Hey we saw this a year ago.
Malware Analysis: example Pulling out domains
Analytics: sexy stuff, new, not perfect but promising.
Intel: Red Team interaction is so important if they also want to play ball. Third Party? Don’t hire dudes who just brag they got in but screw you not telling you.
Baseline, find the weird through the normal.
Risk Profile: there's some interesting work being done in this space re:cyber insurance.
What shall we wield?
Your tech needs to compliment your brain. How do we execute the plan?
Stackers:
What seems odd / out of place
Telnet? IRC?
Pivot: swim through your data
Nice to Have:
Tagging. Tag domain controls, get notified when an admin change was made.
Intel: Match on IOCS, Ips Domains, imphashes. This is the very least you should be cultivating.
No such thing as a free cheesesteak.
Vendor Selection:
How many agents is too many?
Multiple Tools: Cannot rely on thing, it will fall down and you’ll need to pivot.
Open Source: You can do this stuff without a budget.
Cool. So you’ve got tech, you’ve got buy-in, you’ve got structure. Now do the thing.
Wall o Text ENGAGE.
Way to start thinking how to apply to your own env.
What are we supposed to be seeing vs what’s there.
Hypotheses may be:
Intelligence-Driven: threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans
Situational-Awareness Driven: Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends
This ones always a crowd pleaser
Here we come to the Interesting / Evil / Stupid
What follows is stuff we actually found in client enviroments.
Before I get it into, its worthwhile to note we found a lot of this using Bro Network Security monitor.
If you can only do one thing today its seeting up bro, learn bro.
As a network guy This ones been one of my go-to for a long time.
Discovery:
No categories (ratio analysis of accepted to blocked is an easy one)
XForwardFor I wanna slap myself.
Swore up and down they didn't’t have these things.
Why are you guys allowing this when you have the choke points to stop it.
Is our infrastructure configured the way it needs to be?
If you can get host based detection you’re ahead of the game.
Networking depends on dns, malware depends on dns.
Plan for success.
Shift mindsets: Find Incidents Find new ways of finding incidents.
When I first started, there was an emphasis on it’s not how you go about finding the answer, just that you got the right one.
System 1 - Intuitive
- Potentially biased
- Efficient / Fast
- Draws on available knowledge/experience/how things work in a specific environment
System 2 - Conscious
- Slow
- Effort to remove bias
- Deliberate
- Includes all types of analysis including, critical thinking, structured analytics techniques, empirical/quantitative methods
Please raise your hand if you have done some hunting in the past.
Please keep your hand raised if your current organization has some type of hunting program in place today.
Keep your hand up if your org does not have a program but is thinking about implementing one.
One more question – How many of you feel like you learned something new here today?