Today's threat landscape has evolved to a point where the barrier to entry for network exploitation is drastically low. Additionally, the increased usage of native OS tools for network administration has made "living off the land" post-exploitation easier than ever. How do security professionals prioritize what to do? The answer is to base it off of the intruder's priority. If the intruder cares about your network, they'll be back, and probably move laterally to expand their accesses. This essentially lumps intrusions into two categories: threats that got in and went no where, threats that got in and went somewhere. You should care about the latter over the former. This talk will discuss some strategies on collecting a better transactional record of what happens inside networks and how to use these transactions to conduct better post-exploitation analysis and pro-active hunting on threats that are already poking around.

John T. Myers is a co-founder and CTO of Efflux Systems, a Maryland based security startup. Prior to Efflux, John's career focused on cyber and intelligence operations for the U.S. Air Force. As Director of Operations, he guided cyber operations training programs and directed large scale Red Flag cyber ops planning and exercises. As a Senior Cyber Analyst, John led counter-cyber intel missions and developed advanced tactics, techniques, and procedures (TTPs), analyzed unknown network activity, and was ultimately awarded for uncovering traffic from a top-10 DoD threat. He was also competitively selected for DoDs premiere 3-year Computer Network Operations Develop Program (CNODP), where he engineered and developed CNO capabilities. Here he also discovered security flaws and critical vulnerabilities in DoD systems, cutting reporting and countermeasure response times in half. John graduated Magna Cum Laude with a BS in Computer Science from Rennselaer Polytechnic Institute and holds a MS in Information Systems and Network Management from Strayer University, Maryland.

Recorded at BSides Philly 2016