Threat hunting is a hot topic spurred on by the thought that it's not a matter of if, but when, your organization will be breached. Mature security organizations are shifting their approach from relying solely on reactive response and black-box security tools to proactive hunting. This shift requires large amounts of network and endpoint data to tie together attacker tools, tactics, and procedures. Security teams often have their hands tied by limited budgets, politics, and their limited ability to effect change in what information gets logged (just try getting a DNS admin to check a box that says "Debug" in prod). Hypothesis-driven data acquisition can be used to overcome environmental challenges, provide a specific goal, and reduce analysis paralysis. This presentation will discuss hypothesis-driven threat hunting using free and commercial tools for organizations that face common corporate roadblocks.
Kevin Foster - Kevin is a SANS GIAC Certified Forensic Analyst (GCFA) and GIAC Reverse Engineering Malware (GREM) holder who has experience leading forensic investigations with a variety of commercial and open source tools. He works with organizations on breach and pre-forensics preparedness.
Matt Schneck - Matt is a SANS GIAC Certified Forensic Examiner (GCFE) and specializes in Endpoint Detection and Response toolset selection and implementation. He assists SRA clients with endpoint detection rulesets and investigations.
Ryan Andress - Ryan is a SANS GIAC Certified Forensic Analyst (GCFA) and has experience conducting forensic investigations with numerous commercial and open source toolsets. He has experience on projects involving product selection, implementation, and configuration of Cloud Application Security Frameworks, and Tier 3 forensic investigations.
Recorded at BSides Philly 2017
If you would like to republish one of the articles from this site on your
webpage or print journal please contact IronGeek.
Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast