Prevention eventually fails. Bypassing tools such as Windows Defender Antivirus may be challenging, but it can be done. What then? What's left?

Modern attack frameworks typically leave telltale signs of their presence. This talk will explore how a properly orchestrated Windows event logging environment will shine light on both attempted and successful exploitation in a modern Windows environment, focusing on leveraging Microsoft Sysmon logs and other event logs to centrally hunt malice in a Windows environment. 
Sysmon adds critical threat hunting capabilities to any Windows environment, including full command-line logging, logging the hash of every running process and DLL, and much more. Sysmon 14 added the ability to block specific actions often used by malware, including downloading executables and shredding (overwriting and then deleting) files.

This talk will delve into the differences between malware delivery vehicles - droppers, downloaders, and crypters - and their payloads. It's common in the industry to track evil payloads, but less common to nitpick over exactly where the delivery vehicle stops and the payload starts. Using threat intelligence to identify and track the differences between the two can pay big dividends in early initial access detection. For example, crypters are a type of software used to encrypt, obfuscate, and change evil payloads to make them harder to detect. In this talk you'll hear about one crypter that is used to deliver many threats including Remcos, RedLine, and AsyncRAT. Identifying and tracking this crypter's unique behavior means it can be detected earlier in its infection chain, even before it delivers its payload. You will leave the talk understanding how you can use threat intelligence to help you pinpoint and track malware delivery vehicles, like in the example above. You'll be armed with specific detection opportunities for droppers, loaders, crypters, and current prevalent threats like Qbot. This talk is for a wide audience, from those new to cybersecurity to experienced security analysts.

Teambuilding is a critical process for any SOC given the workload and risk of burnout. It is up to SOC managers and architects to find strategies to create better processes and workplace. This talk will offer helpful tips to get your SOC functioning like clockwork.

In today's rapidly evolving threat landscape, OneNote malware is an emerging concern for organizations that rely on this popular note-taking application. This presentation will provide a comprehensive overview of OneNote malware, exploring its various forms and the methods employed by adversaries to compromise systems. Attendees will gain valuable insights into the anatomy of OneNote malware attacks, including the tactics, techniques, and procedures (TTPs) commonly used by threat actors. We will also discuss the latest trends in OneNote malware campaigns, revealing their objectives and potential impacts on targeted organizations. Crucially, this presentation will offer practical guidance for Blue Teams on detecting and mitigating OneNote malware threats. We will demonstrate how to leverage various tools, techniques, and best practices to enhance your organization's security posture. This includes understanding the TTPs, implementing effective threat hunting methodologies, and adopting a proactive and layered security approach. We will also discuss some hunting queries to hunt OneNote malware. By the end of this presentation, attendees will be better equipped to defend their organizations against OneNote malware threats and to implement robust security measures that minimize potential risks. This talk is aimed at Threat Hunters, Security Analysts, Incident Responders, and IT professionals seeking to expand their knowledge on OneNote malware and enhance their organization's defenses.

We all know Zero Trust Architecture is not a point solution but yet many vendors sell them as one Product or Solution. Most Zero Trust Products are deployed as Proxy Solution but Zero Trust is more than just securing at the edge or Proxy. In this presentation, we will cover What is Zero Trust Architecture ,various components of ZTA /Micro Segmentation and how they all relate together. 1. Proxy / Edge (SASE) 2. Network Segmentation ( Broader Segmentation at Wireless/ Corporate to Micro Segmentation at Application) 3. Identity & Device Trust 4. System Security ( Identity, Device, Application and Responding to Incidents to limit the damage) 5. Modern Identity & Access Control techniques 6. Moving from Enterprise to Application/Cloud( BeyondProd approach) Author will also share various challenges in deploying each of these components.

We'll begin this talk with a brief history of purple teaming, TTPs, and security testing, and the technical and organizational pitfalls that hinder scalability. We'll then immediately dive into an introduction of open source Verified Security Tests (VSTs) (https://github.com/preludeorg/test) - a more structured, scale-ready format of the TTP. VSTs have characteristics that encourage scale and safety. In the context of this presentation, we'll focus on VSTs that are designed to test the efficacy of defensive technologies. Verified Security Tests can be mapped to classification systems, such as MITRE ATT&CK, CVE or NIST controls. Mapping tests provides a natural grouping so you can analyze results through a lens you're familiar with. The second component to introduce are open source probes (https://github.com/preludeorg/libraries) - temporary processes that requires no special privileges and no installation to run. A probe can just be started. Probes are designed to be very lightweight - measuring between 1-50KB on disk - and to run anywhere you have code. As such, probes can deploy out on devices ranging from laptops to servers to cloud environments and OT infrastructure. Combining probes and VSTs provides a foundation for continuous security testing of production endpoints. This presentation will then dive into a brand new concept, Blurple Teaming: deploying continuous security testing at scale, integrating defensive controls, and embedding the process within the SOC to better improve defenses. By attaching an EDR control, users are able to send all missed detections to a vendor in real time. Every time a VST should have been caught - but wasn't - the event can be sent to a vendor for analysis. By running VSTs continuously, you can validate whether or not a fix is deployed in a reasonable time period. After outlining the technology/process, we'll begin an interactive session where attendees can follow along a quickstart tutorial for deploying probes and running verified security tests. By the end of the session, attendees will have been able to deploy multiple probes, create a schedule of VSTs, and begin collecting results.

Join SANS Author and Senior Instructor Christopher Crowley for an interactive virtual session that will dive into survey data, key findings, and trends from active SOC managers and analysts.

Key topics will include capabilities that compromise a SOC such as:

- Technology deployed and satisfaction

- Staff composition, hiring, and retention

- SOC budgets

Register now to attend this session and to be among the first to receive the 2023 SANS SOC Survey whitepaper.

Next generation cloud security monitoring and cyber defense strategies involve a comprehensive approach to securing cloud-based systems and protecting them from cyber attacks. The rise of cloud computing due to digital transformation projects and cloud first strategy has increased the need for advanced security measures to protect sensitive data and prevent cybercrime. To implement effective cloud security monitoring, organizations should adopt a multi-layered approach that includes proactive threat intelligence gathering, threat detection and analysis, incident response, and continuous monitoring. In this presentation or talk we will discuss about some of the key tools, tactics, and techniques used for cloud security monitoring and cyber defense such as SIEM, Threat Intelligence, etc Implementing next generation cloud security monitoring and cyber defense strategies is crucial for ensuring the security of cloud-based systems and protecting against the growing threat of cybercrime specially in a multicloud environment.

Collaborate and analyze data with your fellow peers using BlueHound: a new open-source tool that gives blue teams the power to find and eliminate the paths adversaries would take if they were inside their network. With BlueHound, the entire cycle of data collection, analysis, and reporting is automated. It is also 100% shareable. Anyone can customize and share their favorite BlueHound configuration with their peers, so anyone can have the best defense posture. Built on the foundation of NeoDash, Neo4j's dashboard builder, BlueHound takes any graph data - including SharpHound, cloud assets, vulnerability reports, network access, and basically any other data that you want - analyzes it, and visualizes the risk with out-of-the-box charts. Use BlueHound to ask graph data any question. Want to learn if any vulnerable hosts have a path to domain admins? Or how a ransomware could spread inside your organization? BlueHound can not only answer and visualize all of these questions but can also be used to collaborate with other peers, making knowledge sharing as easy as copy/paste. Let us dive into the practical use cases of BlueHound, showing which problems it could solve. We will also explain the mechanics of BlueHound and the underlying Cypher queries that help answer some of the most pressing security questions.

So you've bought a next generation SIEM and have done the heavy lifting of ingesting and parsing disparate data from a dozen sources. What happens next? In order to make use of this new platform it requires that analysts become experts in the search syntax, log format and parsing structure across multiple log types. Scaling this skillset out across an entire SOC is difficult if not impossible. Building operational dashboards lowers the barrier for a SOC to get answers from a dataset. It's simply not enough to just throw a handful of widgets onto a "single pane of glass" and call it a day. Building functional dashboards relies on combining the disciplines of data analysis and user experience. When built right, dashboards can do more than simply visualize data, they can enable an entire team/organization to quickly ask questions of data without needing to be an expert with the platform.

As cyber threats continue to evolve and become more sophisticated, organizations are deploying an increasing number of detection rules to help identify these threats. However, the management of these rules and the assurance that your rule set does not result in excessive false positives can be a challenge. In this talk, we'll explore the concepts and tools Target uses to fuse detection rules and detection case results to better understand rule effectiveness, gaps, and scope. We'll also share our observations and ideas about content tagging and standards that can help improve the effectiveness of threat detection and response. By combining detection and response data, organizations can achieve better outcomes and stay ahead of evolving cyber threats.

At the center of many network intrusions is data theft. From confidential research to customer data, the lifeblood of many organizations are often put up for sale to the highest bidder or held hostage by ransomware gangs. As post-exploitation activity, the process of data theft goes through a similar kill chain where threat actors need to identify data to compromise, access it, aggregate it and finally get it out of the environment. Much like the Cyber Kill Chain, each one of these stages provides opportunities for defenders to stop or otherwise inhibit a threat actor's ability to exfiltrate pilfered data. In this talk, Gerard Johansen will cover the four key phases of the Cyber Pilfer Chain: - Discovery: How do threat actors find your open shares and other data repositories? This section will focus on how threat actors use post-exploitation tools to identify vulnerable data. - Access: How do threat actors gain access to open shares? Valid credentials are critical in this phase. This section will focus on how detecting malicious credential use is critical to detecting data theft. - Aggregation: Threat actors will leverage a compromised system or systems to aggregate compromised data. There they can compress the data and prepare it for exfiltration. - Exfiltration: Threat actors use a variety of methods to get the data out of the network. This section will focus on network Courses of Action. For each of these stages, common threat actor TTPs are discussed along with Courses of Action that blue teams can take to prevent the theft of data. The overall goal is gaining an understanding of how threat actors carry out data exfiltration and examine the ways that blue teams can identify their activity and shut them down before those confidential memos are up on Pastebin.