BSidesSF 2019 has ended
Monday, March 4 • 11:45am - 12:15pm
Don't Boil the Ocean: Using MITRE ATT&CK to Guide Hunting Activity

As threat hunting becomes a focus for more and more organizations, the skill levels of the staff being asked to hunt vary greatly. One of the greatest challenges in threat hunting is biting off more than you can chew.
Analysts often want to "boil the ocean" and hunt without a specific purpose or plan. This talk focuses on using the MITRE ATT&CK framework as the catalyst for building the hypothesis and the plan that determine what to hunt for. To make this point, I will use an adversary emulation that we developed at Splunk and show how hunt teams can take techniques defined in ATT&CK and apply them to hunts that surface artifacts and indicators. I will then show how these initial findings can be fed back into an ATT&CK-driven process to generate additional hunts, so that hunters gain progressively more insight and can better operationalize what they find.

Speakers
John Stoner

Principal Security Strategist, Splunk
John Stoner is a Principal Security Strategist at Splunk. In his current role, he leverages his experience to educate and improve users' capabilities in Security Operations, Threat Hunting, Incident Response and Threat Intelligence. He has authored multiple hands-on workshops that...



Monday March 4, 2019 11:45am - 12:15pm PST
IMAX