Threat Hunting with Indicators: Not for Prevention Anymore

  • Tuesday, 21 Mar 2017 3:00PM EST (21 Mar 2017 19:00 UTC)
  • Speaker: Philip Hagen

"Threat Hunting" is essentially using new intelligence to examine existing data collections. Network data such as NetFlow, logs, and full-packet capture provides extremely useful source data for threat hunting, and this webcast will show you how to put it to work.

Traditionally, network defenders have fed intelligence such as indicators into so-called "prevention" or real-time detection systems. However, the shelf-life of most threat intelligence is growing shorter: by the time indicators are released, the adversary has often already moved on from the infrastructure they describe, so blocking them going forward catches little. Instead, security practitioners should use this intelligence to search their retained network evidence for previous activity consistent with the newly available indicators. This retrospective search is the essence of hunting.
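As an added illustration of the retrospective search just described (this is example code, not material from SANS or the speaker), the script below takes a dated indicator feed and runs it over archived NetFlow-style records, tagging each hit as retrospective when the traffic predates the indicator's release and as a likely false positive when the indicator overlaps shared infrastructure. All indicators, addresses, dates and flow records are constructed for the example; the allow-list of shared infrastructure is a hypothetical one an analyst would maintain locally.

```python
"""Retrospective indicator hunt over archived NetFlow-style records.

Added example, not code from SANS or the webcast speaker. Every indicator,
address, date and flow record below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Indicator:
    value: str          # single IP or CIDR
    released: datetime  # when the report became public
    note: str


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


# Constructed feed, dated as if published on 2017-03-01 (hypothetical).
RELEASE = datetime(2017, 3, 1, tzinfo=timezone.utc)
INDICATORS = [
    Indicator("203.0.113.7", RELEASE, "constructed C2 address"),
    Indicator("198.51.100.0/24", RELEASE, "constructed hosting range"),
]

# Hypothetical local allow-list: shared hosting that also appears in the feed.
# Hits here are downgraded to likely false positives rather than dropped.
SHARED_INFRA = [ip_network("198.51.100.0/24")]

# Constructed archived flows: "timestamp src dst dport bytes".
# Three fall before the release date, one after and unrelated.
SAMPLE_FLOWS = """
2017-02-10T08:12:03Z 10.0.0.15 203.0.113.7 443 5120
2017-02-10T08:12:09Z 10.0.0.15 203.0.113.7 443 81920
2017-02-11T22:40:00Z 10.0.0.22 198.51.100.45 80 900
2017-03-05T09:00:00Z 10.0.0.31 192.0.2.10 443 1200
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(parse_ts(ts), src, dst, int(dport), int(nbytes)))
    return flows


def matches(ind, addr):
    # A bare address becomes a /32 network, so one check covers both forms.
    return ip_address(addr) in ip_network(ind.value, strict=False)


def hunt(flows, indicators, shared_infra):
    """Return one annotated hit per (flow, indicator, matching peer)."""
    hits = []
    for f in flows:
        for ind in indicators:
            for addr in (f.src, f.dst):  # check both directions of the flow
                if not matches(ind, addr):
                    continue
                hits.append({
                    "ts": f.ts.isoformat(),
                    "peer": addr,
                    "indicator": ind.value,
                    "dport": f.dport,
                    "bytes": f.nbytes,
                    # Traffic that predates the report is only found by hunting;
                    # a real-time blocklist loaded on release day misses it.
                    "retrospective": f.ts < ind.released,
                    # Shared infrastructure needs more evidence before escalation.
                    "likely_fp": any(ip_address(addr) in n for n in shared_infra),
                })
    return hits


def summarize(hits):
    """Group hits that survived FP triage by peer: flow count, bytes, first seen."""
    out = {}
    for h in hits:
        if h["likely_fp"]:
            continue
        e = out.setdefault(h["peer"], {"flows": 0, "bytes": 0, "first": h["ts"]})
        e["flows"] += 1
        e["bytes"] += h["bytes"]
        e["first"] = min(e["first"], h["ts"])
    return out


if __name__ == "__main__":
    found = hunt(parse_flows(SAMPLE_FLOWS), INDICATORS, SHARED_INFRA)
    for h in found:
        print(h)
    print("escalate:", summarize(found))
```

The two flows to the constructed C2 address happened weeks before the feed was published, so only a search over retained NetFlow surfaces them; the hit in the shared hosting range is kept but flagged, which is the "rule out quickly, escalate the rest" triage the webcast describes.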

In this webcast, we'll explore some recent intelligence releases (possibly including GRIZZLY STEPPE, the Shadow Brokers, or similar). Using pre-collected network evidence, we will identify some false positives that can be ruled out, saving you precious time as well as some potentially suspicious actions that warrant further investigation.

Learn more on this topic at the SANS Threat Hunting & Incident Response Summit & Training, April 18-25 in New Orleans. The Summit will focus on specific hunting and incident response techniques and capabilities that can be used to identify, contain, and eliminate adversaries targeting your networks.