Scoping an Intrusion using Identity, Host, and Network Indicators

  • Wednesday, 28 Apr 2021 10:30AM EDT (28 Apr 2021 14:30 UTC)
  • Speakers: Chris Crowley, Dale OGrady

The second webcast of a two-part series, this one covers post-identification activities. The techniques covered here could also be used for initial identification, but they are discussed as though an initial identification already exists and can be built on. The effort discussed here is to determine the full scope of an intrusion.

Defenders fail to discover the full extent of adversary infrastructure. They claim "containment" without thoroughly searching for the adversary. They limit the search for adversary capability and infrastructure to the items already known, instead of accepting that the adversary is not limited to the tactics and techniques discovered so far. In fact, it is in the adversary's interest to maintain heterogeneous capability so that discovery of one tactic or technique does not end the intrusion. Adversaries reuse infrastructure because maintaining multiple parallel infrastructures costs resources and adds complexity. A single infrastructure is frequently good enough, because defenders are not consistently thorough in discovering the scope of an intrusion or in eradicating it.

This webcast highlights techniques for scoping an incident once it is discovered, and the sources available on the network and on endpoints for identifying adversary infrastructure.
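The scoping failure described above, stopping at the hosts that touched the known indicator, can be contrasted with an iterative pivot across the three indicator types in the title. The following is an added example written for this page; it is not code from the webcast or its speakers. The DNS and logon records are constructed, and the field layouts, the rarity threshold and the function names are assumptions chosen for the illustration.

```python
"""Scope an intrusion by pivoting from a seed indicator across network
(DNS), host and identity (logon) records.

Added example, not material from the webcast.  The records below are
constructed; the field layouts, threshold and function names are
assumptions made for the illustration.
"""
from collections import defaultdict

# Constructed DNS records: (host, queried_domain).  In practice these come
# from resolver logs, proxy logs or endpoint telemetry.
DNS = [
    ("ws-01", "update.microsoft.com"), ("ws-01", "c2-a.example"),
    ("ws-07", "update.microsoft.com"), ("ws-07", "c2-a.example"),
    ("srv-03", "update.microsoft.com"), ("srv-03", "c2-b.example"),
    ("ws-12", "update.microsoft.com"), ("ws-12", "news.example.org"),
    ("ws-20", "update.microsoft.com"), ("ws-20", "news.example.org"),
    ("ws-21", "update.microsoft.com"), ("ws-21", "news.example.org"),
]

# Constructed logon records: (account, host), e.g. from Windows 4624 events.
LOGONS = [
    ("alice", "ws-01"), ("alice", "ws-12"),
    ("bob", "ws-07"),
    ("svc-backup", "ws-07"), ("svc-backup", "srv-03"),
    ("carol", "ws-12"),
    ("dave", "ws-20"),
]

# Assumed cut-off: a destination contacted by this many hosts or more is
# treated as background noise rather than candidate adversary infrastructure.
COMMON_THRESHOLD = 3


def index(pairs):
    """Build forward and reverse lookup tables from (a, b) pairs."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for a, b in pairs:
        fwd[a].add(b)
        rev[b].add(a)
    return fwd, rev


def naive_scope(seed_domains, dns):
    """What scoping often stops at: hosts that contacted the known indicators."""
    _, dest_hosts = index(dns)
    return sorted({h for d in seed_domains for h in dest_hosts[d]})


def scope(seed_domains, dns, logons, max_rounds=10):
    """Pivot network -> host -> identity -> host -> network until the sets
    stop growing.  The result is a triage list, not a set of verdicts."""
    host_dests, dest_hosts = index(dns)
    user_hosts, host_users = index(logons)
    indicators, hosts, users = set(seed_domains), set(), set()

    for _ in range(max_rounds):
        before = (len(indicators), len(hosts), len(users))
        # Network -> host: every host that contacted known infrastructure.
        for d in list(indicators):
            hosts |= dest_hosts[d]
        # Host -> identity: accounts that authenticated on those hosts.
        for h in list(hosts):
            users |= host_users[h]
        # Identity -> host: other hosts those accounts were used on.
        for u in list(users):
            hosts |= user_hosts[u]
        # Host -> network: rare destinations from in-scope hosts become new
        # indicators, so infrastructure the seed never pointed at
        # (c2-b.example in this data) is pulled into scope.
        for h in list(hosts):
            for d in host_dests[h]:
                if len(dest_hosts[d]) < COMMON_THRESHOLD:
                    indicators.add(d)
        if (len(indicators), len(hosts), len(users)) == before:
            break

    return {"indicators": sorted(indicators),
            "hosts": sorted(hosts),
            "users": sorted(users)}


if __name__ == "__main__":
    print("naive:  ", naive_scope({"c2-a.example"}, DNS))
    print("pivoted:", scope({"c2-a.example"}, DNS, LOGONS))
```

Starting from the single known domain, the naive pass returns only ws-01 and ws-07. The pivot additionally reaches srv-03 through the svc-backup account and from there surfaces c2-b.example, a second piece of infrastructure the original indicator never pointed at. Two caveats apply to the output: ws-12 (and carol) enter scope only because alice's account was also used there, so they are hosts and accounts to examine rather than confirmed compromises, and the rarity threshold is a heuristic that must be tuned against the environment's own baseline.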

Register today to be among the first to receive the associated spotlight paper written by security expert Chris Crowley!