A Process is No One: Hunting for Token Manipulation - Jared Atkinson, Robby Winchester Derbycon 2018 (Hacking Illustrated Series InfoSec Tutorial Videos)

A Process is No One: Hunting for Token Manipulation
Jared Atkinson, Robby Winchester
Derbycon 2018

Does your organization want to start Threat Hunting, but you’re not sure how to begin? Most people start with collecting ALL THE DATA, but data means nothing if you’re not able to analyze it properly. This talk begins with the often-overlooked first step of hunt hypothesis generation, which can help guide targeted collection and analysis of forensic artifacts. We will demonstrate how to use the MITRE ATT&CK Framework and our five-phase Hypothesis Generation Process to develop actionable hunt processes, narrowing the scope of your Hunt operation and avoiding “analysis paralysis.” We will then walk through a detailed case study of detecting access token impersonation/manipulation from concept to technical execution by way of the Hypothesis Generation Process.

Jared Atkinson is the Adversary Detection Technical Lead at SpecterOps who specializes in DFIR. Jared spent two years at Veris Group’s Adaptive Threat Division (ATD) and four years with the U.S. Air Force Hunt Team. Passionate about PowerShell and the open source community, Jared is the lead developer of the PowerForensics project, Uproot, and PSReflect Functions. Robby Winchester is an experienced threat hunter and penetration tester. Over the course of his career, he has developed and supervised penetration testing, physical security, and breach assessments for several private sector and government clients. Previously, Robby worked for the U.S. Air Force Information Aggressors, providing full-scope network and physical red team operational assessments, and worked to integrate information security operations within traditional military operations for the U.S. Air Force’s RED FLAG exercise.

Jared - @jaredcatkinson, Robby - @robwinchester3

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2016, IronGeek