Overview
Syllabus
RSA Conference 2019, San Francisco, March 4-8, Moscone Center
Know Your Environment
"Blueprinting" Methods: Reactive / Firehose
Tools and Procedures
Intro to OsQuery
Pros/Cons
Low Prevalence Executables
Leveraging OsQuery
Getting ARP data from OsQuery
Automation Overview
Where do you put your data?
Data Collection
Data Storage
Querying Data
Docker
Filebeat
Next Steps
Using Statistical Analysis for Threat Hunting
Analyzing Data
Hunting Methodologies
MAC Addresses - Uncommon Environmental OUIs
Prevalence of Executables
Filtering Data
Mass Searching
A Story of Two Executables (PLink)
Taught by
RSA Conference