🌟Glimpses from our workshop at Data Security Council of India#AISS2023.
The workshop was titled "Detection Engineering and Adversary Emulation". Swapnil A. focused on why it's important to detect behaviours, and how to test detections using adversary emulation.
Going through the various methods threat actors use to steal credentials from browsers, how to build detections for these methods, and a live threat hunting session using Splunk and FourCore ATTACK!
#DetectionEngineering #AdversaryEmulation
Hardik Manocha
Register now for this two-part series, where CDW will explore how Microsoft Sentinel and Defender XDR can help you hunt, detect and respond to threats using the power of threat intelligence and automation.
Attention SOC Analysts! Are you tired of spending countless hours on manual research and investigation? Look no further than Anomali! Our advanced capabilities provide you with comprehensive threat intelligence, automated alert triage, real-time analytics, proactive threat hunting, seamless integration, and incident response playbooks. With Anomali, you can reduce manual tasks and focus on protecting your organization.
Streamline your workflow and enhance your threat detection, analysis, and response. Check us out now! #Anomali
In the aftermath of a cyberattack, swift and effective response is crucial to minimize damage and downtime. The key is restoring systems quickly and safely, often through backups. However, identifying the right recovery point can be challenging.
Rubrik’s Threat Hunting feature scans backup snapshots to find indicators of compromise (IOCs), pinpointing the exact time and scope of infection. This precise recovery minimizes data loss and downtime, helping businesses resume normal operations faster.
Read More: https://lnkd.in/e8-x_DJK #DOFtechnology #ServiceDriven #DataProtection
Rely on Attack Detective to automatically scan your environment with custom parameters and dataset to determine the potential attack surface. Quickly filter the results and verify them in your Data Plane to remediate the threat in the least time possible.
Start now with Attack Detective to validate your detection stack in less than 300 seconds with an automatic read-only ATT&CK data audit to find blind spots in your log source coverage.
https://lnkd.in/duWUn_d6
Threat & APT Hunter | Incident Responder | Digital Forensics Examiner | Malware Analyst | Reverse Engineer | I like mind challenges and puzzles to solve | Views are my own | Share != Agreement
#Hunting_Maturity_Model #Threat_Hunting
This is a series to help new hunters and SOC analysts understand threat hunting.
How to hunt advanced threats (hopefully) before they happen (before they reach critical data assets).
This post is part of a series of posts on hunting maturity levels
Previous Posts:
HMM 0:
https://lnkd.in/dKdpV9gK
HMM 1:
https://lnkd.in/dE8rpt69
HMM 2 Hypothesis Generation:
https://lnkd.in/dNDjjwhr
Hunting Maturity Level 2:
Overview:
1. Hypothesis Generation
2. Prioritization
3. Execution
4. Findings and Reporting
Last time we discussed hypothesis generation.
This time we discuss prioritization.
By now you should have a backlog of ideas and hypotheses for hunting; many people and branches of cybersecurity resilience should contribute to hypothesis generation.
Check the last post for more on that.
Now, before enthusiastically jumping to execution, doing a lot of work, and probably finding nothing because you didn’t pick the most probable hypothesis:
You should take your time and think about each scenario, ask yourself the following questions:
1. What am I looking for?
2. How will I observe this behavior?
3. Do I have the proper log sources for that?
You should also know the probability of such an activity happening, but how do you know before executing the hunt? Isn’t that the point of threat hunting?!
This is the epistemological question of many other fields: how to make an unbiased educated guess. It is not easy, but it is the reason why threat hunting is an interesting puzzle; this is the value and core of threat hunting.
Similar to medical diagnosis or scientific research, it needs you to make an educated approximate guess on how likely a hypothesis is to happen.
Some good advice is:
1. Use Occam’s razor (if there are many valid explanations for an anomaly, the simplest one is most probably the correct one)
2. Everybody has cognitive biases
So you will need to know:
what the SOC analysts might have missed due to these biases,
what current threat detections might have missed due to high thresholds (for example, brute force vs. a slow attack),
etc.
3. Know normal
You should know what normal behavior a user will perform,
what is a grey area (an anomaly but not an attack,
due to developers or vendors using scripts, or admins, etc.),
and what is malicious.
This requires very good experience in building good threat detections and bypassing them.
To conclude, this is the trickiest part of threat hunting.
#HMM_2 #Hunting_Season #Happy_Hunting
Till next time!
🇵🇸
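The post's example of a detection gap (a brute-force rule with a high threshold versus a slow attack) is easiest to see with data. The following is an added worked example, not code from the post or its author: it runs a conventional threshold rule and a slow-and-low hunt over constructed authentication events (the timestamps, IPs, accounts and the `timestamp,src_ip,user,outcome` layout are all made up for illustration), and the hunt deliberately skips whatever the rule already caught, so it only surfaces what the threshold missed.

```python
"""Slow-and-low password spray hunt vs. a high-threshold brute-force rule.

Added example, not from the original post. All events below are constructed
sample data; the field names (src_ip, user, outcome) are assumed, not a
vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"


def build_sample_log():
    """Constructed sample auth events, one per line: timestamp,src_ip,user,outcome."""
    t0 = datetime(2024, 3, 1)
    lines = []
    # Legitimate user: one typo, then success, from the office LAN (assumed range).
    lines.append(f"{(t0 + timedelta(hours=8)).strftime(FMT)},10.0.0.5,alice,failure")
    lines.append(f"{(t0 + timedelta(hours=8, seconds=3)).strftime(FMT)},10.0.0.5,alice,success")
    # Noisy brute force: 12 failures in under two minutes against one account.
    for i in range(12):
        ts = t0 + timedelta(hours=9, seconds=10 * i)
        lines.append(f"{ts.strftime(FMT)},198.51.100.9,admin,failure")
    # Slow-and-low spray: one failure per hour, a different account each time.
    for i in range(12):
        ts = t0 + timedelta(hours=i)
        lines.append(f"{ts.strftime(FMT)},203.0.113.7,user{i:02d},failure")
    return lines


def parse_events(lines):
    """Parse the CSV-style lines into dicts, sorted by time."""
    events = []
    for line in lines:
        ts, src, user, outcome = line.split(",")
        events.append({"ts": datetime.strptime(ts, FMT), "src_ip": src,
                       "user": user, "outcome": outcome})
    events.sort(key=lambda e: e["ts"])
    return events


def threshold_detection(events, threshold=10, window=timedelta(minutes=5)):
    """SOC-style rule: fire when one source has >= threshold failures inside a
    sliding window. Returns the set of flagged source IPs."""
    by_src = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            by_src[e["src_ip"]].append(e["ts"])
    flagged = set()
    for src, times in by_src.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def slow_brute_hunt(events, already_detected, window=timedelta(hours=24),
                    min_failures=6, min_distinct_users=5):
    """Hunt hypothesis: a source that fails against many distinct accounts over a
    long window, with no successes. Sources the threshold rule already flagged
    are skipped, so the result is exactly what the rule missed."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)
    flagged = set()
    for src, evs in by_src.items():
        if src in already_detected:
            continue
        failures = [e for e in evs if e["outcome"] == "failure"]
        if not failures or any(e["outcome"] == "success" for e in evs):
            continue
        span = failures[-1]["ts"] - failures[0]["ts"]
        users = {e["user"] for e in failures}
        if span <= window and len(failures) >= min_failures and len(users) >= min_distinct_users:
            flagged.add(src)
    return flagged


def run_hunt():
    """Return (sources the rule fired on, sources the hunt surfaced)."""
    events = parse_events(build_sample_log())
    detected = threshold_detection(events)
    hunted = slow_brute_hunt(events, detected)
    return detected, hunted


if __name__ == "__main__":
    detected, hunted = run_hunt()
    print("threshold rule fired on:", sorted(detected))
    print("slow-and-low hunt surfaced:", sorted(hunted))
```

The same shape translates directly into a SIEM query (bucket failures per source over 24 hours, count distinct accounts, subtract sources already alerted on); the point of the hunt is the hypothesis and the exclusion of what detection already covers, not the language.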
#Hunting_Maturity_Model #Threat_Hunting
How to hunt advanced threats (hopefully) before they happen (before they reach critical data assets)
Since one can’t start building the 10th floor before the first!
Hunting Maturity Level 0
Before hunting you need
Threat Detection Use-case framework (well-engineered with good coverage)
Good data modeling
Log source visibility, parsing, and unified field names and field values (for example, an action field should be "allowed" or "blocked" and nothing else; "denied", "client reset" and "server reset" all mean blocked)
And actually good log sources:
Sysmon or EDR telemetry (raw logs, not alerts) sent to a SIEM with good query capabilities (Splunk or HELK)
Good NDR (Zeek) raw logs, not alerts, sent to the SIEM as well
And proxy logs at the least
#HMM_0
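The data-modeling requirement above (one set of field names, and an action field that is only ever "allowed" or "blocked") is the kind of thing that is easy to state and easy to get subtly wrong at ingest. The following is an added example, not code from the post or its author: it normalises records from two constructed sources (the vendor field names such as `c_ip`/`s_action` and values such as `TCP_DENIED` are assumed for illustration, not any real product's schema) into one model, queues any action value the map does not know instead of guessing, and then runs a single query across both sources.

```python
"""Normalising vendor field names and action values into one data model.

Added example, not from the original post. Field maps, action values and
sample records are constructed; adapt them to your own sources' documented
schemas.
"""
from collections import Counter

# Per-source field-name maps into the unified schema (assumed names).
FIELD_MAPS = {
    "firewall": {"ts": "timestamp", "src": "src_ip", "dst": "dest", "act": "action"},
    "proxy": {"time": "timestamp", "c_ip": "src_ip", "cs_host": "dest", "s_action": "action"},
}

# Vendor action values -> the only two values the unified action field may hold.
# Comparison is case-insensitive; anything absent from this map is reported, not guessed.
ACTION_MAP = {
    "allow": "allowed", "allowed": "allowed", "permit": "allowed", "accept": "allowed",
    "tcp_hit": "allowed",
    "block": "blocked", "blocked": "blocked", "deny": "blocked", "denied": "blocked",
    "drop": "blocked", "reject": "blocked", "client reset": "blocked",
    "server reset": "blocked", "tcp_denied": "blocked",
}


class UnmappedValue(ValueError):
    """Raised when a source emits an action value the model does not know yet."""


def normalise(source, raw):
    """Rename fields per FIELD_MAPS and map the action value per ACTION_MAP."""
    fmap = FIELD_MAPS[source]
    event = {unified: raw[vendor] for vendor, unified in fmap.items()}
    key = str(event["action"]).strip().lower()
    if key not in ACTION_MAP:
        raise UnmappedValue(f"{source}: unmapped action value {event['action']!r}")
    event["action"] = ACTION_MAP[key]
    event["source"] = source
    return event


def normalise_all(records):
    """Normalise (source, raw_record) pairs. Unmapped values go to a review
    queue rather than being silently dropped or passed through unchanged,
    which is how a third action value sneaks into the model."""
    events, rejected = [], []
    for source, raw in records:
        try:
            events.append(normalise(source, raw))
        except UnmappedValue as exc:
            rejected.append((source, raw, str(exc)))
    return events, rejected


def blocked_per_src_ip(events):
    """One query across every source, possible because names and values now agree."""
    return Counter(e["src_ip"] for e in events if e["action"] == "blocked")


# Constructed sample records, not real logs.
SAMPLE_RECORDS = [
    ("firewall", {"ts": "2024-03-01T08:00:00", "src": "10.0.0.5", "dst": "203.0.113.7", "act": "deny"}),
    ("firewall", {"ts": "2024-03-01T08:00:05", "src": "10.0.0.5", "dst": "10.0.0.20", "act": "permit"}),
    ("proxy", {"time": "2024-03-01T08:01:00", "c_ip": "10.0.0.5", "cs_host": "bad.example", "s_action": "TCP_DENIED"}),
    ("proxy", {"time": "2024-03-01T08:02:00", "c_ip": "10.0.0.9", "cs_host": "cdn.example", "s_action": "client reset"}),
    ("proxy", {"time": "2024-03-01T08:03:00", "c_ip": "10.0.0.9", "cs_host": "vpn.example", "s_action": "TCP_TUNNELED"}),
]


def run_sample():
    """Return (normalised events, rejected records, blocked count per src_ip)."""
    events, rejected = normalise_all(SAMPLE_RECORDS)
    return events, rejected, blocked_per_src_ip(events)


if __name__ == "__main__":
    events, rejected, counts = run_sample()
    print("normalised:", len(events), "rejected:", len(rejected))
    for src, raw, reason in rejected:
        print("REVIEW:", reason)
    print("blocked per src_ip:", dict(counts))
```

The rejected queue is the part worth keeping: a new firmware or a new vendor tends to introduce a new action string, and a model that quietly lets it through breaks every hunt that filters on `action="blocked"`.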