The Beginner's Guide to Threat Hunting

•

0 likes•400 views

There is no question that organizations struggle to identify attacks; in fact the global median dwell time is 101 days. Many security units have built threat hunting programs in order to mitigate this issue. However, according to a 2018 survey conducted by Cybersecurity Insiders, although 75% of respondents believe threat hunting is of major importance, only 18% of respondents’ organizations have someone knowledgeable enough to perform threat hunting. What are the inhibitors to threat hunting programs? Many security organizations feel overwhelmed by the prospect of building these programs themselves. To this end, DomainTools partnered with EMA to outline strategies security professionals can apply to their own environments. Join Managing Director of Research at EMA, David Monahan and DomainTools Security Sales Engineer, Taylor Wilkes-Pierce to learn the building blocks necessary to building a threat hunting program from scratch including practical steps your organization can put into place right away. In this webinar, you will learn: The threat hunting process Common pitfalls and mistakes Valuable data sources and useful resources How you can hunt using DomainTools Iris

IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
David Monahan
Managing Research Director, Security and Risk Management
Enterprise Management Associates
@SecurityMonahan
The Beginner’s Guide to Threat Hunting
Taylor Wilkes-Pierce
Security Sales Engineer
DomainTools
@tw_pierce

IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING2 © 2018 Enterprise Management Associates, Inc.
The Threat Hunting Process
Have a repeatable a process
ü  Document processes, procedures, and workflows BEFORE an
incident
ü  Allow for flexibility in the process
ü  Facilitates training
ü  Supports legal action
ü  Accelerates investigations
ü  Enables scalability

IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING3 © 2018 Enterprise Management Associates, Inc.
The Threat Hunting Process
Maintain an activity log
ü  Reduces analyst rework over time
§  Improves evidentiary accuracy
§  Accelerates investigations
ü  Facilitates process improvements
ü  Assists training improvements
ü  Supports legal action
ü  Required if investigation outcomes/results are challenged

IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING4 © 2018 Enterprise Management Associates, Inc.
The Threat Hunting Process
Maintain source data
ü  Metadata is not enough
ü  Supports legal action
ü  Maintains evidence
ü  Augments research for related cases/activities over time

IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING5 © 2018 Enterprise Management Associates, Inc.
The Threat Hunting Process
Maintain data integrity
ü  Maintains evidence
ü  Required for chain of custody for legal action
ü  Required if findings are challenged
ü  Required if analyst integrity is challenged
ü  Augments research for related cases/activities over time

IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING6 © 2018 Enterprise Management Associates, Inc.
Common Pitfalls and Mistakes
Investigations are art and science
ü  It’s good to think outside the box
ü  Dead ends are okay, as long as you learn from them
ü  As you develop your instincts, trust them
ü  Build relationships with other hunters and related groups
§  No one person knows everything
ü  Not all data is “real” data
ü  The absence of data can be data
ü  Learn a scripting language

IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING7 © 2018 Enterprise Management Associates, Inc.
Scope of Threat Hunting
Internal
ü System Configs
ü Logs
ü Processes
ü Network Connections/Packets
ü Users/Identity
ü Files
ü IP Addresses

IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING8 © 2018 Enterprise Management Associates, Inc.
Scope of Threat Hunting
External
ü Domains
ü Registrars
ü DNS registrations
ü Whois
ü Hosting providers
ü Passive DNS
ü IP v4 address (to some degree)
ü Web search (to some degree)

IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING9 © 2018 Enterprise Management Associates, Inc.
Common Pitfalls and Mistakes
Things to watch out for
ü  Not all data is created equal
§  Keep track of your sources
ü  Domains that start bad tend to end bad
§  Guilt by domain (or IP) association
ü  Not all registrars are trustworthy
ü  An adversary may have gotten there first
ü  Do not add friction to users
ü  Be sure not to interfere with operations

IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING10 © 2018 Enterprise Management Associates, Inc.
Common Pitfalls and Mistakes
Things to watch out for (cont’d)
ü  Know your environment and your assets
§  Identify your attack surfaces
ü  Coordinate efforts
ü  Isolation, takedown, and monitoring
ü  Not all threats are malicious
§  Accidental insiders
§  Duped providers

IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING11 © 2018 Enterprise Management Associates, Inc.
The Threat Hunting Process
Acting on the “true” threat
ü  Relationships, Relationships, Relationships
§  Internal Executives: HR/Legal/Comms/Execs
§  Law enforcement
§  Domain registrars
§  Hosting providers
ü  Well-Documented Case
ü  Diligence and Patience (especially for Out of Country)

IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
Threat Hunting Demo

Potential Targets? Potential Vectors?
www.syncrocorp.com
www.newdlight.com
www.enterels.com

Use Passive DNS Observations to Build an
Activity Timeline

Security analytics involves collecting data from various sources, analyzing it to identify anomalies based on a model of normal behavior, and reporting insights. It provides visibility that is important for improving security and ROI given constrained budgets. As more devices are connected, the amount of security-related data will explode, making analytics essential to make sense of it. Options for implementing analytics include using SIEM or analytics platforms, or niche products. Key steps in making analytics work include leveraging existing data and tools, analyzing both structured and unstructured data, defining normal models specific to each organization, and continuously adapting to changes.

Cloud Storage and Security: Solving Compliance Challenges

Eric Vanderburg

This document discusses challenges and best practices for cloud storage and security. It begins by introducing the panelists and outlining the topics to be discussed, which include realities and pain points of cloud storage, how and where cloud security could be compromised, navigating legal and regulatory compliance, and recommendations for deploying the right cloud storage strategy. Key points made include that sensitive data is often stored in the cloud without visibility, cloud breaches and unauthorized access are concerns, and regulations like GDPR and ISO 27001 provide security standards to consider. The document emphasizes knowing cloud vendors, evaluating costs and benefits, and establishing secure data management practices throughout the data lifecycle.

Common sense in security

Peter Bassill

Peter Bassill, founder of Hedgehog Security and former CISO, discusses protecting clients' assets and brand reputation from dynamic cyber threats. He emphasizes using common sense in security by tailoring the PCI standard as a corporate baseline, auditing against it regularly, and planning penetration tests and awareness training. Bassill also stresses cost efficiencies like consolidation, watching the security budget like a P&L, and the high ROI of security awareness. His top tips include understanding executives, finding a helpful auditor, engaging with acquirers' PCI teams, and taking the PCI ISA training.

The Prescription for Protection - Avoid Treatment Errors To The Malware Problem

Eric Vanderburg

Malware is an ailment many companies suffer from but the prescription for protection is simpler than you think. In this presentation, Vanderburg and Salamakha apply the five rights for avoiding drug errors to the malware problem at the Advanced Persistent Threats Summit. 1) Right client – Authentication 2) Right route – Gaps and strategies 3) Right drug – Security controls 4) Right dose – Security/business balance 5) Right time – Staying up to date. Stay healthy, stay safe.

Security from Compliance or Compliance from Security?--Metrics are the key

Alan Covell

The document discusses the relationship between security and compliance. It argues that compliance alone does not guarantee security and that security should be the starting point. It recommends establishing valid risk metrics on at least a 10-point scale to measure things like asset risk across the organization. This would allow identifying the most critical risks to focus stringent security measures on, which could then meet or exceed compliance requirements by starting from a foundation of security.

Survival of the Fittest: How to Build a Cyber Resilient Organization

Tripwire

Cyber threats are growing increasingly complex, and with the explosion of the internet of things (IoT), organizations need to take steps to protect themselves and their customers. Intel has projected there will be over 200 billion IoT devices by 2020, and online data volumes are expected to grow up to 50 times what they are today. Infotech and security leaders are now evaluating a new cyber resilient architecture that can adapt and scale with rapid business digitalization and new IT models. Simplifying the security stack is no longer just a cost-saving priority – with cybercrime threatening to cost $6 trillion by 2021, it is also a prerequisite for uninterrupted visibility, responsiveness and resilience. In this webinar, guest speaker Jeff Pollard, Principal Analyst at Forrester, and David Meltzer, Chief Technology Officer at Tripwire, discuss the growing challenges of cyber threats and share steps you can take now to build a cyber resilient organization. Topics include: -How to identify and cut the technology bloat in your security operations. -Challenges and opportunities as IT transitions from on-premise to in the cloud. -Eliminating blind spots and dark spots for uninterrupted visibility, regardless of the endpoint or its location. -How to re-evaluate strategic planning so that you can align your security programs to new business models.

GDPR, Data Privacy and Cybersecurity - MIT Symposium

Eric Vanderburg

SplunkLive! London 2017 - Building an Analytics Driven Security Operation Cen...

Splunk

This document discusses building an analytics-driven security operations center (SOC). It begins with an overview of traditional SOCs and their limitations, such as focusing primarily on alerts. It then discusses emerging trends in security operations that are driving the need for an analytics-driven SOC, such as the focus on detection and response. The document proposes seven enablers for building an analytics-driven SOC using Splunk, including selecting the right sourcing strategy, adopting an adaptive security architecture, optimizing threat intelligence management, deploying advanced analytics like machine learning, enabling proactive threat hunting, promoting automation and efficiency, and driving broader enterprise insights.

This document discusses security issues with big data and Hadoop. It notes that less than 5% of data is analyzed due to security concerns. It also states that while big data technologies provide increased profits across many business functions, the growth of big data without effective security solutions poses risks. The document proposes an approach called data-centric security that embeds security attributes and policies directly into the data itself to control access at the cell level within Hadoop.

Applied data analytics_v1_6.23

John C. Havens

The document discusses several IEEE standards related to ethics in technology design: P7000 addresses ethical concerns in system design; P7001 focuses on transparency of autonomous systems; P7002 is about data privacy processes. It also mentions principles of Privacy by Design and responsibilities of data controllers, including obtaining consent, ensuring accuracy of data, protecting data, and responding to access requests.

Poner en funcionamiento con alertas, dashboards customizados y líneas de tiempo

Elasticsearch

Ajusta tus procesos de respuesta ante incidentes monitoreando la falta de cumplimiento, alertando sobre actividad atípica y personalizando exploraciones para automatizar las acciones de respuesta. Ve cómo Elastic le brinda a tu equipo de seguridad las visualizaciones y flujos de trabajo personalizados que necesitas para mejorar la eficiencia, optimizar la colaboración y poner realmente en funcionamiento la información de seguridad.

How to emrace risk-based Security management in a compliance-driven culture

Shahid Shah

This lecture was presented at the IEEE ITPC at the Trenton Computer Festival on March 16. Security and Regulatory Compliance aren’t the same thing – but they’re often confused. When you’re working in a government, healthcare, or financial environment there’s a tendency to think that if you’re FISMA-compliant or HIPAA-compliant or any other X-compliant that you must have good security. However, sophisticated risk management and real security don’t have much to do with compliance and you can actually great security and be non-compliant with regulatory requirements as well be fully compliant but not secure. This talk, led by Security guru Shahid Shah, will talk about how make sure risk-based security management is properly incorporate into compliance-driven cultures.

DataPreserve- SEVRAR Jan 09

Mike Garland

Splunk Forum Frankfurt - 15th Nov 2017 - Building SOC with Splunk

Splunk

This document discusses using Splunk software to build a security operations center (SOC) and monitor for threats and compliance. It provides an overview of Splunk's capabilities for security analytics, incident response, and compliance reporting. Specific applications mentioned include monitoring privileged user access, detecting data breaches, and ensuring compliance with the GDPR. The presentation emphasizes how Splunk allows flexible data collection and analysis across IT operations, security, and other domains to gain visibility and protect sensitive data.

10 Practical Tips to Prepare for the New Privacy Shield Era

Paul Hastings

This document outlines an agenda for a presentation on preparing for the new EU-US Privacy Shield framework. The agenda includes an introduction, a discussion of Privacy Shield guidance from the US Department of Commerce, tips for transitioning to Privacy Shield, and a roundtable with privacy officers from IBM, Mastercard, and Merck. The presentation will provide 10 practical tips for companies, including communicating about Privacy Shield, considering changes to data transfers and redress processes, and preparing documentation of compliance.

2011 SC Magazine Insider Threat Keynote

John D. Johnson

The document discusses managing insider threats to data. It defines the insider threat as anyone with authorized access who could exploit that access. It identifies intentional, security avoidance, mistakes, and ignorance as reasons for insider threats. It recommends proactive protection of data through access controls, monitoring, segmentation, encryption and education to prevent data breaches from insiders. Technology solutions should be chosen based on past incidents and balanced with the security budget.

BSIDES DETROIT 2015: Data breaches cost of doing business

Joel Cardella

Joel Cardella has over 20 years of experience in IT, including infrastructure operations, data centers, sales support, network operations, and security. He provides his email and Twitter contact information. The document discusses using a risk-based approach to cybersecurity and focusing on reducing risks to the business using positive return on investment. It provides examples of security strategies and a layered security model.

Top 10 Tips for Selecting a Threat and Vulnerability Management Solution

Enterprise Management Associates

This document contains a summary of a webinar discussing tips for selecting a threat and vulnerability management solution. It includes an introduction of the speakers and their backgrounds. The webinar then covers 10 tips for selecting such a solution, including allowing access to underlying data, assisting operational flexibility, delivering a knowledge base, enhancing security context, facilitating integration and automation, operating as a force multiplier, producing metrics and reporting, ensuring scalability and performance, supporting data compartmentalization, and simplifying collaboration. It concludes with an overview of RiskSense's platform and scoring model, and next steps.

Dataguise hortonworks insurance_feb25

Hortonworks

Insurance companies of all sizes are challenged to keep up with emerging technologies that deliver a competitive advantage. Recording: https://www.brighttalk.com/webcast/9573/192877 Big data holds the key to greater customer insight and stronger customer relationships. But risk of sensitive data exposure — and compliance violations — keeps many insurers from pursuing big data initiatives and reaping the rewards of business-driven analytics. Join Dataguise and Hortonworks for this live webinar to learn how you can free your organization from traditional information security constraints and unlock the power of your most valuable business assets. • What do you need to know about PII/PHI privacy before embarking on big data initiatives? • Why do so many big data initiatives fail before they’ve even begun—and what can you do about it? • How can IT security organizations help data scientists extract more business value from their data? • How are leading insurance companies leveraging big data to gain competitive advantage?

General Data Protection Regulation, a developer's story

Michelangelo van Dam

On May 25, 2018 all companies collecting and processing data of people from within the European Union must comply to the General Data Protection Regulation or GDPR. In this talk we'll cover what the GDPR is and how it will impact businesses within the EU and abroad, what can be done to comply to this regulation and how to proceed further. This talk will not provide you legal answers, but will give you technology solutions that will make your applications compliant to these regulations. Even if you're not processing data from the EU, these solutions will offer you better protection to the data you currently keep and will ensure that in the case of a breach, the impact will be minimum.

Haystax Carbon for Insider Threat Management

Haystax Technology

Haystax offers the Carbon platform for insider threat management. Carbon uses a whole person Bayesian model incorporating multiple data sources and expert judgments to provide a contextual risk rating. It mathematically models adjudicative guidelines and prioritizes risks to focus investigative resources. Carbon improves over traditional rules-based detection systems that generate too many false alarms by analyzing an individual's pattern of life over time through its integrated model.

Haystax carbon for Insider Threat Management & Continuous Evaluation

Haystax Technology

Haystax Technology, Inc. provides next-generation intelligence and analytics solutions that deliver up to the minute situational awareness and actionable intelligence for the public and commercial sectors. Haystax uses a combination of software and human analysis to turn large, disparate and unstructured data volumes into comprehensive and actionable information. In essence, these technologies allow users to find “the needle in the haystack” quickly and reliably.

Secure Software Design for Data Privacy

Narudom Roongsiriwong, CISSP

Data Loss Prevention

Reza Kopaee

This document provides an overview and agenda for a Data Loss Prevention presentation. It discusses trends in data loss, how DLP works to discover, monitor and protect data, and case studies of how DLP helps different types of insider and outsider threats. It highlights the advantages of the Symantec DLP solution, including its accuracy, sophisticated workflow for incident response, ability to identify sensitive data with Data Insight, and zero-day content detection through machine learning. The appendix discusses Symantec's leadership in the DLP market and new features of the latest DLP product version.

Insider threat kill chain

Tarun Gupta,CRISC CISSP CISM CISA BCCE

DAMA Webinar: The Data Governance of Personal (PII) Data

DATAVERSITY

To do effective data governance, analysts should preview the amount of data their organization is collecting and consider if it is all necessary information to run the business or just “nice to have” data. Today companies are collecting a variety of Personally identifiable information (PII), combining it with location information, and using it to both personalize their own services and to sell to advertisers for behavioral marketing. Data brokers are tracking cell phone applications and insurance companies are installing devices to monitor driving habits. At the same time, however, hackers are embedding malicious software in company computers, opening a virtual door for criminals to rifle through an organization’s valuable personal and financial information. This presentation explores: •What company data should be tagged as “sensitive” data? •Who within the company has access to personal data? •Is the company breaking any privacy laws by storing PII data? •Is the data secure from both internal and external hackers? •What happens if there is an external data breech?

Where There Is Smoke, There is Fire: Extracting Actionable Intelligence from ...

Enterprise Management Associates

You Will Be Breached

Mike Saunders

YBB-NW-distribution

Mike Saunders

This document provides information about preparing for and responding to a data breach as a small to medium sized business. It discusses the importance of preparation, including forming an incident response team, defining important assets, establishing policies and procedures, and testing plans. When a breach occurs, the response should follow the PICERL framework - preparation, identification, containment, eradication, recovery and lessons learned. Effective preparation is key to limiting liability and damage from a breach. Resources for creating response plans and training are provided.

A Survey On Data Leakage Detection

IJERA Editor

Data is an important assets for an enterprise. Data must be protected against loss and destruction. In IT field huge data is being exchanged among multiple people at every moment. During sharing of the data, there are huge chances of data vulnerability, leakage or alteration. So, to prevent these problems, a survey on data leakage detection system has been done. This paper talks about the concept, causes and techniques to detect the data leakage. Businesses processes facts and figures to turn raw data into useful information. This information is used by businesses to generate and improve revenue at every mile stone. Thus, along with data availability and accessibility data security is also very important.

What's hot

Meetup presenation 06192013

Sqrrl

Applied data analytics_v1_6.23

John C. Havens

Poner en funcionamiento con alertas, dashboards customizados y líneas de tiempo

Elasticsearch

How to emrace risk-based Security management in a compliance-driven culture

Shahid Shah

DataPreserve- SEVRAR Jan 09

Mike Garland

Splunk Forum Frankfurt - 15th Nov 2017 - Building SOC with Splunk

Splunk

10 Practical Tips to Prepare for the New Privacy Shield Era

Paul Hastings

What's hot (7)

Meetup presenation 06192013

Applied data analytics_v1_6.23

Poner en funcionamiento con alertas, dashboards customizados y líneas de tiempo

How to emrace risk-based Security management in a compliance-driven culture

DataPreserve- SEVRAR Jan 09

Splunk Forum Frankfurt - 15th Nov 2017 - Building SOC with Splunk

10 Practical Tips to Prepare for the New Privacy Shield Era

Similar to The Beginner's Guide to Threat Hunting

2011 SC Magazine Insider Threat Keynote

John D. Johnson

BSIDES DETROIT 2015: Data breaches cost of doing business

Joel Cardella

Top 10 Tips for Selecting a Threat and Vulnerability Management Solution

Enterprise Management Associates

Dataguise hortonworks insurance_feb25

Hortonworks

General Data Protection Regulation, a developer's story

Michelangelo van Dam

Haystax Carbon for Insider Threat Management

Haystax Technology

Haystax carbon for Insider Threat Management & Continuous Evaluation

Haystax Technology

Secure Software Design for Data Privacy

Narudom Roongsiriwong, CISSP

Data Loss Prevention

Reza Kopaee

Insider threat kill chain

Tarun Gupta,CRISC CISSP CISM CISA BCCE

DAMA Webinar: The Data Governance of Personal (PII) Data

DATAVERSITY

Where There Is Smoke, There is Fire: Extracting Actionable Intelligence from ...

Enterprise Management Associates

You Will Be Breached

Mike Saunders

YBB-NW-distribution

Mike Saunders

A Survey On Data Leakage Detection

IJERA Editor

A Case For Information Protection Programs

Michael Annis

An information protection program helps companies protect valuable business information beyond just trade secrets. It establishes expectations for employees, acts as a deterrent against theft, and provides evidence that reasonable efforts were taken to maintain secrecy. The key aspects of an effective program include confidentiality agreements, policies on information access and use, training employees, and procedures for new hires, current employees, and departing employees. Classifying data and limiting access based on need-to-know helps control information flow within a company.

Addressing Future Risks and Legal Challenges of Insider Threats

Forcepoint LLC

Spo2 t17

SelectedPresentations

This document discusses how big data and security analytics can help organizations better protect themselves from cyber threats. It outlines how traditional security information and event management (SIEM) tools are no longer sufficient to handle the volume, velocity, and variety of security-related data. The document recommends taking a platform approach that combines both traditional IT security data and less traditional sources like industrial control systems, mobile devices, cloud services to gain better visibility into risks. It also emphasizes using statistical analysis and predictive modeling of this broader set of data sources to more accurately detect anomalies and advanced threats.

Catelas Legal - Intelligent Discoveryor Slideshare

Rob Levey

Catelas Security Webinar 12 14 10

Rob Levey

This document discusses a new approach to data leakage investigations and security called Catelas. Catelas uses behavioral science algorithms and social network analysis of log file data to map employee relationships and identify anomalous behavior, allowing proactive surveillance of the entire email network. This helps speed up internal investigations by identifying key suspects and custodians before collection begins. The approach aims to detect and contain information theft without collecting any emails. Catelas provides a single, holistic solution for security, compliance, and legal needs through intelligent collection and early case assessment.

Similar to The Beginner's Guide to Threat Hunting (20)

2011 SC Magazine Insider Threat Keynote

BSIDES DETROIT 2015: Data breaches cost of doing business

Top 10 Tips for Selecting a Threat and Vulnerability Management Solution

Dataguise hortonworks insurance_feb25

General Data Protection Regulation, a developer's story

Haystax Carbon for Insider Threat Management

Haystax carbon for Insider Threat Management & Continuous Evaluation

Secure Software Design for Data Privacy

Data Loss Prevention

Insider threat kill chain

DAMA Webinar: The Data Governance of Personal (PII) Data

Where There Is Smoke, There is Fire: Extracting Actionable Intelligence from ...

You Will Be Breached

YBB-NW-distribution

A Survey On Data Leakage Detection

A Case For Information Protection Programs

Addressing Future Risks and Legal Challenges of Insider Threats

Spo2 t17

Catelas Legal - Intelligent Discoveryor Slideshare

Catelas Security Webinar 12 14 10

Recently uploaded

Choosing The Best AWS Service For Your Website + API.pptx

Brandon Minnick, MBA

Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API? Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose? Which one is cheapest? Which one is fastest? Which one will scale to meet our needs? Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!

Azure API Management to expose backend services securely

Dinusha Kumarasiri

Best 20 SEO Techniques To Improve Website Visibility In SERP

Pixlogix Infotech

zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...

Alex Pruden

Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security. Paper Link: https://eprint.iacr.org/2024/257

Trusted Execution Environment for Decentralized Process Mining

LucaBarbaro3

leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...

alexjohnson7307

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

panagenda

Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/ DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen! Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell. Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten. Diese Themen werden behandelt - Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten - Wie funktionieren CCB- und CCX-Lizenzen wirklich? - Verstehen des DLAU-Tools und wie man es am besten nutzt - Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw. - Praxisbeispiele und Best Practices zum sofortigen Umsetzen

System Design Case Study: Building a Scalable E-Commerce Platform - Hiike

Hiike

GNSS spoofing via SDR (Criptored Talks 2024)

Javier Junquera

In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security. This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing. The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.

Public CyberSecurity Awareness Presentation 2024.pptx

marufrahmanstratejm

5th LF Energy Power Grid Model Meet-up Slides

DanBrown980551

5th Power Grid Model Meet-up It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology. Power Grid Model The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services. Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability. Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization. What to expect For the upcoming meetup we are organizing, we have an exciting lineup of activities planned: -Insightful presentations covering two practical applications of the Power Grid Model. -An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024. -An interactive brainstorming session to discuss and propose new feature requests. -An opportunity to connect with fellow Power Grid Model enthusiasts and users.

WeTestAthens: Postman's AI & Automation Techniques

Postman

Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe

Precisely

Inconsistent user experience and siloed data, high costs, and changing customer expectations – Citizens Bank was experiencing these challenges while it was attempting to deliver a superior digital banking experience for its clients. Its core banking applications run on the mainframe and Citizens was using legacy utilities to get the critical mainframe data to feed customer-facing channels, like call centers, web, and mobile. Ultimately, this led to higher operating costs (MIPS), delayed response times, and longer time to market. Ever-changing customer expectations demand more modern digital experiences, and the bank needed to find a solution that could provide real-time data to its customer channels with low latency and operating costs. Join this session to learn how Citizens is leveraging Precisely to replicate mainframe data to its customer channels and deliver on their “modern digital bank” experiences.

Main news related to the CCS TSI 2023 (2023/1695)

Jakub Marek

An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers. The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 . The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...

saastr

Skybuffer SAM4U tool for SAP license adoption

Tatiana Kojar

Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool. SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.

Serial Arm Control in Real Time Presentation

tolgahangng

FREE A4 Cyber Security Awareness Posters-Social Engineering part 3

Data Hops

GraphRAG for Life Science to increase LLM accuracy

Tomaz Bratanic

dbms calicut university B. sc Cs 4th sem.pdf

Shinana2

Recently uploaded (20)

Choosing The Best AWS Service For Your Website + API.pptx

Azure API Management to expose backend services securely

Best 20 SEO Techniques To Improve Website Visibility In SERP

zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...

Trusted Execution Environment for Decentralized Process Mining

leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

System Design Case Study: Building a Scalable E-Commerce Platform - Hiike

GNSS spoofing via SDR (Criptored Talks 2024)

Public CyberSecurity Awareness Presentation 2024.pptx

5th LF Energy Power Grid Model Meet-up Slides

WeTestAthens: Postman's AI & Automation Techniques

Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe

Main news related to the CCS TSI 2023 (2023/1695)

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...

Skybuffer SAM4U tool for SAP license adoption

Serial Arm Control in Real Time Presentation

FREE A4 Cyber Security Awareness Posters-Social Engineering part 3

GraphRAG for Life Science to increase LLM accuracy

dbms calicut university B. sc Cs 4th sem.pdf

The Beginner's Guide to Threat Hunting

1. IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING David Monahan Managing Research Director, Security and Risk Management Enterprise Management Associates @SecurityMonahan The Beginner’s Guide to Threat Hunting Taylor Wilkes-Pierce Security Sales Engineer DomainTools @tw_pierce

2. IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING2 © 2018 Enterprise Management Associates, Inc. The Threat Hunting Process Have a repeatable a process ü  Document processes, procedures, and workflows BEFORE an incident ü  Allow for flexibility in the process ü  Facilitates training ü  Supports legal action ü  Accelerates investigations ü  Enables scalability

3. IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING3 © 2018 Enterprise Management Associates, Inc. The Threat Hunting Process Maintain an activity log ü  Reduces analyst rework over time §  Improves evidentiary accuracy §  Accelerates investigations ü  Facilitates process improvements ü  Assists training improvements ü  Supports legal action ü  Required if investigation outcomes/results are challenged

4. IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING4 © 2018 Enterprise Management Associates, Inc. The Threat Hunting Process Maintain source data ü  Metadata is not enough ü  Supports legal action ü  Maintains evidence ü  Augments research for related cases/activities over time

5. IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING5 © 2018 Enterprise Management Associates, Inc. The Threat Hunting Process Maintain data integrity ü  Maintains evidence ü  Required for chain of custody for legal action ü  Required if findings are challenged ü  Required if analyst integrity is challenged ü  Augments research for related cases/activities over time

6. IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING6 © 2018 Enterprise Management Associates, Inc. Common Pitfalls and Mistakes Investigations are art and science ü  It’s good to think outside the box ü  Dead ends are okay, as long as you learn from them ü  As you develop your instincts, trust them ü  Build relationships with other hunters and related groups §  No one person knows everything ü  Not all data is “real” data ü  The absence of data can be data ü  Learn a scripting language

7. IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING7 © 2018 Enterprise Management Associates, Inc. Scope of Threat Hunting Internal ü System Configs ü Logs ü Processes ü Network Connections/Packets ü Users/Identity ü Files ü IP Addresses

8. IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING8 © 2018 Enterprise Management Associates, Inc. Scope of Threat Hunting External ü Domains ü Registrars ü DNS registrations ü Whois ü Hosting providers ü Passive DNS ü IP v4 address (to some degree) ü Web search (to some degree)

9. IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING9 © 2018 Enterprise Management Associates, Inc. Common Pitfalls and Mistakes Things to watch out for ü  Not all data is created equal §  Keep track of your sources ü  Domains that start bad tend to end bad §  Guilt by domain (or IP) association ü  Not all registrars are trustworthy ü  An adversary may have gotten there first ü  Do not add friction to users ü  Be sure not to interfere with operations

10. IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING10 © 2018 Enterprise Management Associates, Inc. Common Pitfalls and Mistakes Things to watch out for (cont’d) ü  Know your environment and your assets §  Identify your attack surfaces ü  Coordinate efforts ü  Isolation, takedown, and monitoring ü  Not all threats are malicious §  Accidental insiders §  Duped providers

11. IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING11 © 2018 Enterprise Management Associates, Inc. The Threat Hunting Process Acting on the “true” threat ü  Relationships, Relationships, Relationships §  Internal Executives: HR/Legal/Comms/Execs §  Law enforcement §  Domain registrars §  Hosting providers ü  Well-Documented Case ü  Diligence and Patience (especially for Out of Country)

12. IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING Threat Hunting Demo

13.

14.

15.

16.

17. Example

18.

19. Hunting With Passive DNS Data

20. Hunting With Passive DNS Data

21. Potential Targets? Potential Vectors? www.syncrocorp.com www.newdlight.com www.enterels.com

22. Use Passive DNS Observations to Build an Activity Timeline

23.

24.

25. Use Historical Data to Add Context

26.

27. Questions?

The Beginner's Guide to Threat Hunting

Recommended

Recommended

More Related Content

What's hot

What's hot (7)

Similar to The Beginner's Guide to Threat Hunting

Similar to The Beginner's Guide to Threat Hunting (20)

Recently uploaded

Recently uploaded (20)

The Beginner's Guide to Threat Hunting