D9 Feed the Beast! Threat Hunt Use-Cases from the Front Lines
Date & Time
Tuesday, March 31, 2020, 4:00 PM - 4:50 PM
Going beyond basic perimeter defense, threat hunting cuts through the noise of endpoint telemetry and anti-virus data to find nation state-level Advanced Persistent Threats (APTs) that hide below the alert threshold. Learn how to overcome the legacy challenge of relying on Packet Capture (PCAP) data to detect adversaries, and how to transform hunt operations by leveraging Endpoint Detection and Response (EDR) telemetry together with knowledge of APT behavior to find hidden adversaries. Vendor-agnostic use cases and analytics from both private and public sector hunts provide context that any organization can apply.
In this session, we will provide a framework for planning and executing hunts, show why focusing on EDR telemetry can add more value than network data, and show how we strengthen hunting through a Purple Team approach. We will also demonstrate how to use intelligence sources to inform collection management and threat hunting use cases. The techniques covered in this session can be used against a variety of data sources and are vendor agnostic.
Because threat hunting is both an art and a science, the barrier to entry for many organizations is high. Even once a mature state has been reached, some are left thinking "now what?". Hunters must balance intuition with repeatability by documenting hunts and applying the MITRE ATT&CK framework, but they must also feed the beast: constantly leaning on and learning from Cyber Threat Intelligence (CTI), Incident Response (IR), and Red Team operations to inform the analytical use cases that drive every hunt.
Technical Level: Medium
Main Conference Session