icon-carat-right menu search cmu-wordmark

Harvesting Logs for Enhanced Investigations

Presentation
In this talk, the author discusses the type of information that should be continuously collected and kept on-hand for investigative value in the case of a network compromise, and he addresses the value of such artifacts in an investigation.
Publisher

Defense Information Systems Agency (DISA)

Topic or Tag

Abstract

In this talk, the author discusses the type of information that should be continuously collected and kept on-hand for investigative value in the case of a network compromise. He addresses the value of such artifacts in an investigation. Additionally, he notes several open source solutions and resources that exist to assist in these endeavors. He also touches on the different forms of "hunting" (indicator-based vs hypothesis-driven).

Hunting has been a buzz word for a few years. Talks abound on how to find anomalies within data-sets utilizing various methods. However, rarely does a talk present a framework for hunting. How do I actually get started within the field? What data should be collected and centralized? Can the data be enriched? How do you hunt with this data?

Fortunately, lots of great resources exist for building out a functional environment for hunting. Once the environment exists, resources like Mitre's ATT&CK and testing tools like Red Team emulation tools allow teams to quickly build and validate capabilities. In this talk, all the pieces together to establish a framework for hunting by discussing key points of hunt: the types of data that are important, how to learn from and enrich data in your own environment, and hunting concepts driven by various methods. This talk aims to empower operators everywhere in their network defense capacities.

Part of a Collection

FloCon 2019 Presentations

This content was created for a conference series or symposium and does not necessarily reflect the positions and views of the Software Engineering Institute.