• Dedicated Hunters!
• Analysts with some dedicated time to hunt
• Analysts with a few hours on a Friday
• ShadowHunters
• Correlate
  • SIEM (logs)
  • Endpoint
  • Network
  • Same NTP
  • Same TimeStamp
• Query
  • Meta
  • Raw
  • Carving
  • Visualizations
Network -> SIEM -> Carving
• Time
  • Usually limited by SIEM speed
• Service
• Direction
• Entities
  • What is this host and how critical is it?
  • Remove vuln scanners
  • Remove external web app scanners
• Visualizations
SYN: Poor Performing SIEM
We've got people, tools, data.
Now what?
• Be careful
  • Not all hunts are passive
  • Don't want to tip your hand, especially if there is a compelling event
  • XDR/EDR getting blamed in breaches
Network -> Hunting Benefits
• Source of truth
• Know your assets
• Doesn’t need an agent
  • Orgs can’t install agents on some devices or are not allowed to
  • XDR/EDR can get disabled or turned off by an attacker
• Is passive
SYN: Attackers Know ENV Better Than Defenders
What is normal for your env?
• For yourself
• For your team
• For your org
• External for all defenders
• 2 things to always record
  • What led you down that path?
  • What query did you end up on?
• Improve detections or report on enablers
SYN: Visibility Gaps
Visibility you think you have?
[Diagram: existing cloud, port 443]
SYN: Too Regulated
Repent of Your SYN’s
● Operational Blindness
● Lack of People/Time
● No Data
● Poor Performing SIEM
● Attackers Know ENV Better Than Defenders
● Poor Documentation
● Visibility Gaps
● Cloud Posture Doesn’t Match On Premise
● Too Regulated
Side Benefits
Thank you for attending this webinar!
Stay Connected!
Update your email preferences to receive
news about upcoming (ISC)² webinars,
publications & more!