DeepSec 2016 Talk: I Thought I Saw a |-|4><0.- Thomas Fischer
Threat Hunting refers to proactively and iteratively searching through networks or datasets to detect and respond to advanced threats that evade traditional rule- or signature-based security solutions. “But what does this really mean?”, asks Thomas Fischer. “And what real impact does it have on the security team? Can we use threat hunting to provide a process to better detect and understand when you’ve been breached?”
More and more security data is being produced and usually aggregated into a central location or body to hopefully take quick and informed decisions on attacks or compromises amongst a mountain of data. When you start to include data gathered from your endpoints the amount of data starts to explode exponentially. This level of data provides us with a large amount of visibility. But is having visibility enough?
What if a more thoughtful and intelligent way of generating alerts could draw an analysts attention to the right place at the right time? This would provide context or even flag indicated suspicious behaviour that can become the starting point of a hunt.
In his talk Thomas Fischer will explore this theory and establish working foundations of what threat hunting is and look at some of the challenges associated with gathering large sets of data. This will give us a foundation to look at how we can improve and explore implementing an intelligent threat hunting model to drive the investigation process. We asked him some questions beforehand.
Please tell us the top 5 facts about your talk.
Threat Hunting is the new thing to detect malicious activities in your environment. In the talk we look at what it takes to do threat hunting, the challenges in putting into place, and how to deal with the volume of data. While most threat hunting pitches talk about using network based data, this talk looks at what kind of end point data can be used, the impact it can have on data volumes and what to look for to start the hunt.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
This talk is essentially a story about how to analyse a ton of data and what methods can help. It was born from my own experience into looking at what trends in IR are going on.
Why do you think this is an important topic?
It’s important because current automated solutions no longer suffice in detecting the “bad guys”. We need better methods and processes to combat these creative attackers.
Is there something you want everybody to know – some good advice for our readers maybe?
In this talk, I share some experiences in what and how to look at threat hunting as a method for detecting malicious activities. Threat hunting is becoming the current in-thing for marketing – hopefully this talk will clear up what threat hunting really means for incident response.
A prediction about the future – what do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?
Machine learning will play an important part of IR in the near future. As humans we won’t be able to process the volume of data being generated for IR. So machine learning is the natural next step to highlight “things” that need to be responded to…
With over 25+ years experience, Thomas has a unique view on security in the enterprise with experience in multi domains from policy and risk management, secure development, Incident response and forensics. Thomas has held roles varying from security architect in large fortune 500 companies to consultant for both industry vendors and consulting organizations. Thomas currently plays a lead role in advising customers while investigating malicious activity and analyzing threats for Digital Guardian. Thomas is also an active participant in the infosec community not only as a member but also as director of Security BSides London and as an ISSA UK chapter board member.