Harvesting Logs for Enhanced Investigations
Defense Information Systems Agency (DISA)
In this talk, the speaker discusses the types of information that should be continuously collected and kept on hand for their investigative value in the event of a network compromise, and the value those artifacts have during an investigation. He also notes several open source solutions and resources that can help with these efforts, and touches on the different forms of hunting (indicator-based vs. hypothesis-driven).
Hunting has been a buzzword for a few years. Talks abound on how to find anomalies within data sets using various methods, but rarely does a talk present a framework for hunting. How do I actually get started in the field? What data should be collected and centralized? Can the data be enriched? How do you hunt with this data?
Fortunately, plenty of good resources exist for building out a functional hunting environment. Once that environment exists, resources like Mitre's ATT&CK and the adversary emulation tools used by red teams let a team quickly build and validate its detection capabilities. This talk puts all the pieces together into a framework for hunting by covering its key points: the types of data that matter, how to learn from and enrich the data in your own environment, and hunting concepts driven by various methods. It aims to empower operators everywhere in their network defense roles.
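To make the indicator-based vs. hypothesis-driven distinction concrete, the following is an added example (not code from the talk or from DISA): the same handful of constructed process-creation events, hunted both ways, with a small enrichment step drawn from the data itself. The hostnames, placeholder hashes, domains and the indicator feed are all made up; the only real identifier is the ATT&CK technique ID T1059 (Command and Scripting Interpreter) used as a tag.

```python
"""Added example, not code from the talk: two hunting styles over the same
constructed process-creation events, plus an enrichment step.
Hostnames, hashes, domains and IOC values are invented for illustration."""
from collections import Counter

# Constructed sample events, the shape you would get after normalising a
# process-creation source (e.g. Sysmon EventID 1 or auditd execve records).
# The sha256 values are placeholders, not real file digests.
EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "outlook.exe",
     "sha256": "h-outlook", "cmd": "outlook.exe", "dst": "mail.example.com"},
    {"host": "ws01", "parent": "outlook.exe", "image": "powershell.exe",
     "sha256": "h-ps", "cmd": "powershell.exe -nop -w hidden -enc AAAA", "dst": ""},
    {"host": "ws02", "parent": "explorer.exe", "image": "chrome.exe",
     "sha256": "h-chrome", "cmd": "chrome.exe", "dst": "www.example.com"},
    {"host": "ws03", "parent": "services.exe", "image": "svchost.exe",
     "sha256": "h-svchost", "cmd": "svchost.exe -k netsvcs", "dst": ""},
    {"host": "ws03", "parent": "winword.exe", "image": "cmd.exe",
     "sha256": "h-cmd", "cmd": "cmd.exe /c whoami", "dst": ""},
    {"host": "ws04", "parent": "explorer.exe", "image": "updater.exe",
     "sha256": "deadbeef-known-bad", "cmd": "updater.exe", "dst": "bad.example.net"},
]

# Constructed indicator feed: the kind of atoms a threat-intel report hands a hunter.
IOC_HASHES = {"deadbeef-known-bad"}
IOC_DOMAINS = {"bad.example.net"}


def indicator_hunt(events, ioc_hashes, ioc_domains):
    """Indicator-based hunting: exact matches against known-bad atoms.
    Cheap and precise, but it only finds what someone has already reported."""
    hits = []
    for ev in events:
        reasons = []
        if ev["sha256"] in ioc_hashes:
            reasons.append("hash:" + ev["sha256"])
        if ev["dst"] and ev["dst"] in ioc_domains:
            reasons.append("domain:" + ev["dst"])
        if reasons:
            hits.append({**ev, "reasons": reasons})
    return hits


def enrich(events):
    """Enrichment from your own environment: how common is each parent->child
    pair across the fleet? Rare pairs are where a hunter looks first."""
    pair_counts = Counter((ev["parent"], ev["image"]) for ev in events)
    return [{**ev, "pair_count": pair_counts[(ev["parent"], ev["image"])]}
            for ev in events]


# Hypothesis inputs (assumed lists, extend to match your estate).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def hypothesis_hunt(events):
    """Hypothesis-driven hunting. Hypothesis: an Office application should never
    spawn a command interpreter; if it does, treat it as macro or document-based
    execution. Each finding is tagged with ATT&CK T1059 (Command and Scripting
    Interpreter) so it maps back to the technique the hypothesis targets."""
    hits = []
    for ev in enrich(events):
        if ev["parent"].lower() in OFFICE_APPS and ev["image"].lower() in SHELLS:
            hits.append({**ev, "attack": "T1059"})
    return hits


if __name__ == "__main__":
    for hit in indicator_hunt(EVENTS, IOC_HASHES, IOC_DOMAINS):
        print("IOC hit   ", hit["host"], hit["reasons"])
    for hit in hypothesis_hunt(EVENTS):
        print("hypothesis", hit["host"], hit["parent"], "->", hit["image"],
              "pair_count=%d" % hit["pair_count"], hit["attack"], hit["cmd"])
```

Run as-is, the indicator hunt flags only the ws04 updater (its hash and destination are on the feed), while the hypothesis hunt flags the Outlook-spawned PowerShell on ws01 and the Word-spawned cmd.exe on ws03, neither of which appears in any indicator list. That non-overlap is the practical reason to run both styles: indicators catch what is already known, hypotheses catch behaviour, and the pair-count enrichment tells the analyst whether a flagged pair is a one-off or fleet-wide noise.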