| |||||
| |||||
Search Irongeek.com:
Help Irongeek.com pay for bandwidth and research equipment: |
How do you find malicious activity? We often resort to the cliche, *you know it when you see it*, but how do you even *see it*, without drowning in data? MITRE’s ATT&CK knowledge base organizes adversary behavior into tactics and techniques, and orients our approach to endpoint data. It suggests questions that might be worth asking, but not a way to ask them. The Event Query Language (EQL) allows a security analyst to naturally express queries for IOC search, hunting, and behavioral detections, while remaining platform and data source agnostic.
In this talk, I will demonstrate the iterative process of establishing situational awareness in your environment, creating targeted detections, and hunting for the adversary in your environment with real data, queries, and results. Ross Wolf is a researcher at Endgame where he creates solutions to simplify detecting adversarial behavior in endpoint data. Prior to Endgame, Ross was an engineer at MITRE where he led projects that automated blue team processes by creating graphs of process activity and grouping related alerts. He was recently co-granted a patent for CALDERA, a project which automated post-compromise adversary emulation by chaining together attacker techniques. Ross also contributed to ATT&CK and the Cyber Analytics Repository.
15 most recent posts on Irongeek.com:
|
If you would like to republish one of the articles from this site on your
webpage or print journal please contact IronGeek.
Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast