BSidesSF 2019 has ended
Back To Schedule
Monday, March 4 • 11:45am - 12:15pm
Don't Boil the Ocean: Using MITRE ATT&CK to Guide Hunting Activity

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
As threat hunting becomes a focus for more and more organizations, the abilities of the staff who are being asked to hunt vary greatly. One of the greatest challenges of threat hunting is biting off more than you can chew.
Oftentimes, analysts want to "boil the ocean" and hunt without a specific purpose or plan. This talk is focused on using the MITRE ATT&CK framework as the catalyst to assist in building the hypothesis and plan to determine what we should hunt for and how we should build our hypothesis. To make this point, I will use an adversary emulation that we developed at Splunk and show how hunt teams can take the techniques defined in the MITRE ATT&CK framework and apply them to hunts that identify artifacts and indicators and how these initial findings can be fed into a process with ATT&CK to drive additional hunts, enabling hunters to gain more and more insight to better operationalize their findings.

avatar for John Stoner

John Stoner

Principal Security Strategist, Splunk
John Stoner is a Principal Security Strategist at Splunk. In his current role, he leverages his experience to educate and improve users’ capabilities in Security Operations, Threat Hunting, Incident Response and Threat Intelligence. He has authored multiple hands-on workshops that... Read More →

Monday March 4, 2019 11:45am - 12:15pm PST