Overview
Explore the evolution and practical application of threat hunting in cybersecurity through this Security BSides London conference talk. Delve into the distinction between traditional security monitoring and modern threat hunting techniques. Discover key datasets, analytical approaches, and cutting-edge Tactics, Techniques, and Procedures (TTPs) essential for effective threat hunting at scale. Learn about real-world compromises that evaded traditional detection methods but were uncovered through hands-on threat hunting. Gain insights into the Paris Model, manual vs. automated approaches, and the impact of events like the Shadow Brokers leak. Examine various data sources, analysis techniques, and tools used in threat hunting, including hashes, endpoints, network tools, and memory injection. Understand the role of frequency analysis, machine learning, and automation in enhancing threat detection capabilities. Acquire practical tips for implementing threat hunting, including a quick insider attack demonstration and the use of tools like Imhotep. Explore strategies for improving defense and detection methods, and gain perspective on the relationship between threat hunting and Red Team activities.
Syllabus
Introduction
Who is Alex Davies
The beginning of threat hunting
What is threat hunting
Manual vs automated
The Paris Model
Manual vs Automation
Shadow Brokers
Where do you begin
Attack Framework
Data Source
Analysis
Hashes
TTPs
Endpoints
Network Tools
Memory Injection
Frequency Analysis
Machine Learning
Automation
Practical tips
Quick insider attack
Imhotep
How to do defense better
How to do detection
The Red Team
Taught by
Security BSides London