Modern Threat Hunting with your SIEM on a $0 Budget – Ryan Fried – ESW #284
Security analysts can move past traditional Indicators of Compromise from threat intel like domains, hashes, URLs, and IP addresses. These indicators typically aren't valid shortly after the incidents happen. Modern threat hunting by doing things like reading recent and relevant security articles, pull out behaviors that attackers are doing like commands such as net group "domain admins" or RDPing from workstation to workstation and translating those to threat hunting queries. I will talk about how to start small and will give a few examples where we proactively found evil in our environment.
Segment Resources: https://www.scythe.io/library/operationalizing-red-canarys-2022-threat-detection-report https://www.itbrew.com/stories/2022/05/09/quantum-ransomware-can-now-move-from-entry-to-encryption-in-under-four-hours?utmcampaign=itb&utmmedium=newsletter&utmsource=morningbrew&mid=1e3360a49c0b72a4c0e4550356ffee54 https://www.cisa.gov/uscert/ncas/alerts/aa22-181a
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Guest
Ryan has 10+ years of experience in IT security ranging from compliance, analyst engineer, CISO and consultant. He also has taught cyber security at the community college level for the last 8 years. Ryan has most recently been leading initiatives such as SOAR, purple teaming, network segmentation, devsecops and cloud security posture management.