9:00 am - 9:15 am ET
Welcome & Opening Remarks
9:15 am - 10:00 am ET
10:00 am - 10:15 am ET
10:15 am - 10:45 am ET
Compose Your Hunts With Reusable Knowledge and Share Your Huntbook With the Community
How many times have you re-implemented almost the same hunting procedure for different EDR/SIEM systems? How many times have you tried to reuse the hunting logic built for other APT hunts? How many times have you followed the hunting logic in other hunters' blogs and re-coded their latest hunting flows? There should be a better way: hunting with composable, reusable, and shareable hunt flows, so threat hunters can stop repeating themselves and focus on accumulating, reusing, and sharing hunting knowledge to develop more advanced hunts.
In this talk, we introduce the Kestrel threat hunting language, an Open Cybersecurity Alliance (OCA) project recently announced at RSA Conference 2021, to foster knowledge sharing and collaboration in the threat hunting community. We explain the idea of hunting knowledge composability and demonstrate constructing hunt flows from multiple simple and complex hunting steps. The talk starts with writing and executing simple Kestrel hunting steps for common hunts, such as matching ATT&CK TTP patterns, finding related entities, enriching entities with threat intelligence, and visualizing the geo-locations of host IPs. Next, we explain the data pipeline Kestrel uses to access more than a dozen free, open-source, and commercial monitoring/EDR/SIEM systems, and we demonstrate a cross-host hunt from a Linux server to a Windows machine by connecting and correlating multiple data sources. After this taste of creating composable hunt flows in Kestrel, we explain the entity-based cyber reasoning abstraction Kestrel brings to threat hunters over security logs and data, and discuss hunting knowledge reuse and sharing through community-contributed patterns, analytics, and huntbooks. We will share a list of references to the project, tutorials, and technical blogs to help attendees jump-start their hunts in Kestrel and engage with the community to defend against ever-evolving cyber threats together.
Jiyong Jang, Principal Research Scientist and Manager, IBM Research
10:50 am - 11:20 am ET
Stay ahead of the game: automate your threat hunting workflows
It is very important nowadays to stay up to date with the cyber threats emerging all over the world. It is widely known that there are not enough people to staff every Security Operations Center (SOC). As a result, many organizations struggle to cope with the massive volume of new types of attacks and the alerts generated by their tooling.
During this session, you will learn how to hunt (and automate your hunt) for active cyber threats in your environment and contain them using integrated connections to network, endpoint, and cloud products. This session is targeted at SOC management, cyber security engineers, threat hunters, and analysts. It will touch on threat detection, investigation, and response. All the code will be made available after the session.
11:00 am - 11:15 am ET (Threat Hunting Summit en Español)
Welcome & Opening Remarks
11:15 am - 11:45 am ET (Threat Hunting Summit en Español)
11:25 am - 11:55 am ET
What are you missing in Infrastructure Threat Hunting? A legacy approach of NetFlow Analysis.
Randomly blocking any port or service is not a good idea for an ISP. To prevent this from happening in a production environment, the detection method must be reliable. Threat intelligence data is integrated into the existing infrastructure (firewall, DNS RPZ) on a regular basis. Although proactive threat hunting is carried out, it is insufficient for a countrywide ISP that serves 110k+ home users with broadband internet. Network traffic data, flow records rather than full packet capture with payload, is required for analysis to make the most of the threat hunting mechanism.
NetFlow provides the network traffic data needed to detect unusual patterns in internet user behavior. In this lecture, I'll discuss a hypothesis that can help us improve our threat hunting process using NetFlow data.
11:50 am - 12:20 pm ET (Threat Hunting Summit en Español)
12:00 pm - 1:00 pm ET
12:25 pm - 12:55 pm ET (Threat Hunting Summit en Español)
1:00 pm - 1:30 pm ET
2021 Velociraptor Content Competition Awards
1:35 pm - 2:05 pm ET
Building Better Hunt Data
This talk focuses on one of the least discussed areas of threat hunting -- data quality! Low-quality data is a significant contributor to inefficient hunting operations, and in this talk we'll discuss how we've addressed this problem at Brex. We'll cover telltale signs of low-quality data, technical solutions for improving data quality, and how high-quality data increases hunting efficiency, including
2:10 pm - 2:25 pm ET
2:25 pm - 2:55 pm ET
Hunting Beacon Activity with Fourier Transforms
Defending your enterprise in 2021 means defending against adversary tools, such as Cobalt Strike Beacon, that establish periodic callbacks to the adversary's infrastructure. But as any threat hunter can tell you, finding unknown beaconing activity is not an easy task. An interesting approach to this problem is to think like an electrical engineer and use a Fourier transform to identify periodic signals in your network. By switching the analysis to the frequency domain, periodic activity becomes the signal you are looking for in all the noise. This talk will show a working implementation of a Fourier analysis that can be used to find periodic beaconing activity.
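The frequency-domain idea in the abstract above, as an added illustration that is not the speaker's code: outbound connection timestamps from one host to one destination are binned into a time series, a discrete Fourier transform is taken, and the strongest non-DC frequency gives the candidate beacon period. The sample log (a 60-second beacon with jitter plus random background connections), the 10-second bins, and the peak-to-median score are all constructed assumptions for the example.

```python
import cmath
import random
import statistics

def bin_timestamps(timestamps, window_seconds, bin_seconds):
    """Turn raw connection times (seconds since window start) into per-bin counts."""
    n = window_seconds // bin_seconds
    counts = [0.0] * n
    for t in timestamps:
        if 0 <= t < window_seconds:
            counts[int(t // bin_seconds)] += 1
    return counts

def dominant_period(counts, bin_seconds):
    """Plain O(n^2) DFT of the count series; returns (period_seconds, peak/median score).

    The mean is removed first so the DC term does not swamp the spectrum, and only
    frequencies 1..n/2-1 are scored (the rest are mirror images for real input).
    """
    n = len(counts)
    mean = sum(counts) / n
    x = [c - mean for c in counts]
    mags = []
    for k in range(1, n // 2):
        s = sum(x[t] * cmath.exp(-2j * cmath.pi * k * t / n) for t in range(n))
        mags.append((abs(s), k))
    peak, k = max(mags)
    median = statistics.median(m for m, _ in mags)
    period = n * bin_seconds / k          # bins * seconds-per-bin / cycles in window
    score = peak / median if median else float("inf")
    return period, score

def make_sample(seed=7, window=3600, interval=60, jitter=3.0, noise=40):
    """Constructed sample: one beacon every `interval` s (+/- jitter) plus `noise` random hits."""
    rng = random.Random(seed)
    ts = [t + rng.uniform(-jitter, jitter) for t in range(0, window, interval)]
    ts += [rng.uniform(0, window) for _ in range(noise)]
    return sorted(t for t in ts if 0 <= t < window)

def hunt_beacon(timestamps, window=3600, bin_seconds=10, threshold=3.0):
    """Flag the series when one frequency stands well above the rest of the spectrum."""
    period, score = dominant_period(bin_timestamps(timestamps, window, bin_seconds), bin_seconds)
    return period, score, score >= threshold

if __name__ == "__main__":
    period, score, flagged = hunt_beacon(make_sample())
    print(f"candidate period {period:.0f}s, score {score:.1f}, beacon={flagged}")
```

Real telemetry needs the same treatment per (source, destination) pair and a longer window than 1 hour for slow beacons; the threshold is something to tune against your own baseline.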
3:00 pm - 3:30 pm ET
Hunting and Scoping A Ransomware Attack
Encrypting all your files is a ransomware actor's final objective. But when the frantic helpdesk calls start coming in, can you quickly identify all impacted devices? Can you determine whether data exfiltration and extortion are part of the attack? Can you tell if they destroyed your backups? This talk will cover common ransomware gang "hands on keyboard" techniques for stealing your data, disabling defenses, and making your data and devices resistant to recovery. Participants will take away hunt logic that can be employed right away for early detection and for rapidly scoping a ransomware compromise.
Andrew Skatoff, Cyber Security Senior Manager, Federal Reserve Bank of Richmond
3:35 pm - 4:15 pm ET
4:15 pm - 4:30 pm ET