DeepSec2019 Training: Incident Response Detection and Investigation with Open Source Tools – Thomas Fischer & Craig Jones

Sanna/ November 20, 2019/ Conference

Defences focus on what you know. But what happens when attackers gain access to your network by exploiting endpoints, software or even your people? Under the assumption that you have been breached, how do you work backwards to establish what happened? How can you find those adversaries in your infrastructure? IR detection and response relies on a structured process of identifying observables and collecting evidence. One aspect of this is the practice of proactively seeking out evil in your infrastructure, finding needles in haystacks that link to other needles, unveiling how an organisation was compromised and possibly even answering the “why?”. This is commonly referred to as threat hunting.

In this hands-on training participants will learn about the basic building blocks of an IR detection and investigation programme. The training introduces the basics so that a participant can take this knowledge and build up a programme in their own organisation. Using tools like ELK or HELK, GRR, Sysmon and osquery, we will explore how to deploy and use these free tools to build the foundations of a threat hunting programme. The labs will look at how MITRE ATT&CK and Sigma rules are used to help identify indicators of attack. With interactive labs on a simulated corporate infrastructure of both Windows and Linux clients, we will explore the capabilities these tools provide to hunt for common techniques used by malware and threat actors. Participants will walk away with a basic understanding of threat hunting and the tools needed to develop a hunting practice in their own organisation, through the following agenda:

  • Intro to threat hunting

  • Threat hunting and the IR process

  • Understanding the requirements

  • Backend Tools

  • Detection/Reporting tools like Mitre ATT&CK and Sigma

  • Endpoint tools: osquery and sysmon

  • Hands-on exercises will be spread across the 2 days
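As an added illustration of what the Sigma, Sysmon and ATT&CK items on this agenda involve (example code written for this page, not material from the training or from the Sigma project): a minimal matcher that evaluates one Sigma-style rule over constructed Sysmon process-creation records and reports the ATT&CK technique tag of each hit. The rule and the events are constructed, and the rule format is a simplified subset of Sigma (one selection map, the endswith/contains modifiers, AND across fields, OR within a list).

```python
# Constructed rule in Sigma's shape (assumption: not a SigmaHQ or training rule).
RULE = {
    "title": "Office application spawning a Windows shell",
    "tags": ["attack.t1566.001"],  # ATT&CK technique a hit is mapped to
    "logsource": {"product": "windows", "service": "sysmon", "event_id": 1},
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\WINWORD.EXE", "\\EXCEL.EXE", "\\POWERPNT.EXE"],
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\wscript.exe"],
        },
        "condition": "selection",
    },
}

# Constructed Sysmon records (Event ID 1 = process creation), already parsed to dicts.
EVENTS = [
    {"EventID": 1, "Computer": "WS01",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Computer": "WS02", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"},
    {"EventID": 3, "Computer": "WS01", "Image": "C:\\Windows\\System32\\cmd.exe", "DestinationPort": 443},
]

def _field_matches(event, key, expected):
    """Evaluate one 'Field|modifier' entry; Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value = str(value).lower()
    wanted = [str(v).lower() for v in (expected if isinstance(expected, list) else [expected])]
    if modifier == "endswith":
        return any(value.endswith(w) for w in wanted)
    if modifier == "contains":
        return any(w in value for w in wanted)
    if modifier == "":
        return value in wanted
    raise ValueError(f"unsupported Sigma modifier: {modifier!r}")

def rule_matches(rule, event):
    """True when the event is of the rule's log source and every selection field matches."""
    if event.get("EventID") != rule["logsource"]["event_id"]:
        return False
    return all(_field_matches(event, k, v) for k, v in rule["detection"]["selection"].items())

def hunt(rule, events):
    """Return (host, ATT&CK tags) for each event the rule fires on."""
    return [(e["Computer"], rule["tags"]) for e in events if rule_matches(rule, e)]
```

Only the WINWORD.EXE to cmd.exe record fires; the PowerShell launched from explorer.exe and the network-connection event (Event ID 3) are correctly ignored.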

Participant Requirements

  • Working knowledge of Windows (no osquery experience required);

  • Working knowledge of the Linux shell (no osquery experience required);

  • Basic SQL;

  • Laptop with an SSH client.

We asked Thomas and Craig a few more questions about their training.

Please tell us the top 5 facts about your training.

The training will provide the participant with a forum to learn:

  • Some basic foundations of incident response versus threat hunting, setting the picture for the day’s activities
  • Basics of what is key to building an incident response and threat hunting programme
  • Understanding of the importance of TTPs, IOCs and frameworks like ATT&CK
  • The open source tools that are available for gathering data to start the hunting process
  • Deep dive into tools including osquery to gather and find threats

How did you come up with it? Was there something like an initial spark that set your mind on creating this training?

The original thought process started with both Thomas’ and Craig’s personal desire to learn about open source tools that were becoming more common in the incident response field and to get more hands-on experience. Both Thomas and Craig work in the field of incident response and regularly have to see what tools are available to improve workflows. The focus was on tools being promoted by organisations like SANS as well as tools developed by large companies like OSQuery.

Why do you think this is an important topic?

There is an increasing presence of sophisticated attacks in the wild from either criminal organisations or state actors. More and more attacks are hitting organisations and they need to be able to deal with this. Multiple reports have highlighted that over 60% of victims may not detect an intrusion for 90 days to months, and attackers can remain undetected for as many as 99 days if not more. So organisations need to find the right tools that fit their environment to be able to deal with intrusions and reduce the time to detect and how long organisations dwell in the infrastructure.

Is there something you want everybody to know – some good advice for our readers maybe?

There are many tools out there, including some very expensive commercial ones. Press and marketing reference EDR as the way forward; this training takes a slightly different approach and looks at open source tools or simple solutions that can help you improve your incident response posture.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise, the topic of your training in particular?

As attacks get more frequent and more complex, we are going to see a drive towards more and more automation. If you can leverage automated response for the known-knowns, you will be able to drive faster containment, while at the same time allowing your SOC analysts, responders and threat hunters to concentrate on the more dangerous and advanced attacks. An important part of that strategy will be the endpoint, whether the user’s computer, a server in your data centre or a cloud solution.

Having a clear picture of the organisation’s assets is going to be a big priority. Solutions that allow you to discover all of the organisation’s assets including those that are not managed will become an important part of the ability for InfoSec teams to respond.

Thomas has over 30 years of experience in the IT industry, ranging from software development to infrastructure & network operations and architecture, before settling in information security. He has an extensive security background covering roles from incident responder to security architect at Fortune 500 companies, vendors and consulting organisations. He is currently a security advocate and threat researcher focused on advising companies on understanding their data protection activities against malicious parties, not just for external threats but also those instigated by compliance.

Thomas is also an active participant in the InfoSec community not only as a member but also as director of Security BSides London, ISSA UK chapter board member and speaker at events like SANS DFIR EMEA, DeepSec, Shmoocon, and various BSides events.

Craig Jones is Senior Manager of Security Engineering at Sophos, responsible for detection engineering, IR and security infrastructure. @albanwr
