
Taking Hunting to the Next Level: Hunting in Memory - SANS Threat Hunting Summit 2017

The vast majority of threat hunting takes place on easily visible and accessible system artifacts: log entries, network data, command-line histories, persistence locations, and many other places on a system or across the environment. Thanks to rule-based approaches and more advanced data analytics, it is relatively easy to detect outliers, surface suspicious artifacts, and discover anomalies on and across endpoints. Current hunt methodologies do a good job of finding intrusions and reducing dwell time in many cases, but that still isn't good enough. Traditional hunting methods don't address one essential area: in-memory-only attacks.

Today's sophisticated adversaries are well aware of the challenges that memory-only techniques pose for defensive tools and methods (threat hunting included), and so they increasingly avoid touching disk during operations. With today's tools it is generally not possible to perform signature-less analysis of memory at the scale needed for effective hunting. Current memory analysis methods usually require collecting very large amounts of data and entail intensive analysis, so memory has largely remained a place for forensics rather than a data source for real threat hunting at the speed and scale that effective detection demands. We can do better. In this talk, we describe both common and advanced stealth malware techniques that evade today's hunt tools and methodologies. Attendees will learn about adversary stealth and ways to detect some of these methods. We then demonstrate and release a PowerShell tool that lets a hunter automatically analyze memory across systems and rapidly highlight injected, in-memory-only attacks at scale. This helps move memory analysis from the domain of forensics to the domain of detection and hunting, allowing hunters to close the detection gap against in-memory threats without relying on signatures.
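The abstract describes signature-less detection of injected, memory-only code, but does not show how such a check works. The following is an added example written for this page; it is not the tool the speakers released in the talk. It applies one well-known heuristic: every thread has a Win32 start address, and for a legitimate thread that address lies inside a mapped image (MEM_IMAGE). A thread whose start address is in committed, executable memory that is not image-backed (private or mapped memory) is a strong indicator of code injection, with no signature involved. The P/Invoke signatures, the namespace name HuntNative, and the function name Get-InjectedThreadCandidate are choices made for this example; the numeric constants are the standard Win32 values.

```powershell
# Added example (not the speakers' released tool): flag threads on the local host
# whose start address is not backed by a mapped image. Run from an elevated
# PowerShell session; protected and already-exited processes are skipped.

if (-not ('HuntNative.Threads' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

namespace HuntNative
{
    public static class Threads
    {
        // Sequential layout reproduces the native padding on x64 (48 bytes).
        [StructLayout(LayoutKind.Sequential)]
        public struct MEMORY_BASIC_INFORMATION
        {
            public IntPtr BaseAddress;
            public IntPtr AllocationBase;
            public uint   AllocationProtect;
            public IntPtr RegionSize;
            public uint   State;
            public uint   Protect;
            public uint   Type;
        }

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr OpenThread(uint dwDesiredAccess, bool bInheritHandle, uint dwThreadId);

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
            out MEMORY_BASIC_INFORMATION lpBuffer, uint dwLength);

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool CloseHandle(IntPtr hObject);

        [DllImport("ntdll.dll")]
        public static extern int NtQueryInformationThread(IntPtr ThreadHandle, int ThreadInformationClass,
            out IntPtr ThreadInformation, int ThreadInformationLength, IntPtr ReturnLength);
    }
}
'@
}

# Win32 constants (values from the Windows SDK headers).
$PROCESS_QUERY_INFORMATION       = 0x0400
$THREAD_QUERY_INFORMATION        = 0x0040
$ThreadQuerySetWin32StartAddress = 9          # THREADINFOCLASS value
$MEM_COMMIT                      = 0x1000
$MEM_IMAGE                       = 0x1000000
$PAGE_EXECUTE_ANY                = 0xF0       # PAGE_EXECUTE | _READ | _READWRITE | _WRITECOPY

function Get-InjectedThreadCandidate {
    foreach ($proc in Get-Process) {
        $hProc = [HuntNative.Threads]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$proc.Id)
        if ($hProc -eq [IntPtr]::Zero) { continue }          # protected process or no access
        try {
            try { $threads = @($proc.Threads) } catch { continue }   # process exited mid-scan
            foreach ($t in $threads) {
                $hThread = [HuntNative.Threads]::OpenThread($THREAD_QUERY_INFORMATION, $false, [uint32]$t.Id)
                if ($hThread -eq [IntPtr]::Zero) { continue }
                try {
                    # 1. Resolve the thread's Win32 start address.
                    $start  = [IntPtr]::Zero
                    $status = [HuntNative.Threads]::NtQueryInformationThread(
                        $hThread, $ThreadQuerySetWin32StartAddress, [ref]$start, [IntPtr]::Size, [IntPtr]::Zero)
                    if ($status -ne 0) { continue }

                    # 2. Ask the memory manager what backs that address.
                    $mbi = [HuntNative.Threads+MEMORY_BASIC_INFORMATION]::new()
                    $len = [uint32][System.Runtime.InteropServices.Marshal]::SizeOf($mbi)
                    if ([HuntNative.Threads]::VirtualQueryEx($hProc, $start, [ref]$mbi, $len) -eq 0) { continue }

                    # 3. Committed, executable, and not image-backed => candidate injection.
                    $executable = ($mbi.Protect -band $PAGE_EXECUTE_ANY) -ne 0
                    if ($mbi.State -eq $MEM_COMMIT -and $mbi.Type -ne $MEM_IMAGE -and $executable) {
                        [pscustomobject]@{
                            ProcessName  = $proc.ProcessName
                            ProcessId    = $proc.Id
                            ThreadId     = $t.Id
                            StartAddress = ('0x{0:X}' -f $start.ToInt64())
                            RegionType   = ('0x{0:X}' -f $mbi.Type)     # 0x20000 = MEM_PRIVATE, 0x40000 = MEM_MAPPED
                            Protect      = ('0x{0:X}' -f $mbi.Protect)  # e.g. 0x40 = PAGE_EXECUTE_READWRITE
                        }
                    }
                } finally { [void][HuntNative.Threads]::CloseHandle($hThread) }
            }
        } finally { [void][HuntNative.Threads]::CloseHandle($hProc) }
    }
}

Get-InjectedThreadCandidate | Format-Table -AutoSize
```

Two practical caveats. First, JIT runtimes (.NET, browser script engines, Java) legitimately execute from private memory, so threads in those hosts produce noise; hunters usually baseline known JIT processes or add a second signal such as RWX protection on the region. Second, this check only sees threads that are still alive; an implant that injected code and then let its bootstrap thread exit needs a complementary scan of executable private regions regardless of thread ownership. Run across a fleet (for example via PowerShell remoting), the same logic yields the cross-host view the abstract argues for, without any signature.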

Jared Atkinson (@jaredcatkinson), Defensive Services Technical Lead, Veris Group

Joe Desimone (@dez_), Malware Researcher, Endgame

Video: Taking Hunting to the Next Level: Hunting in Memory - SANS Threat Hunting Summit 2017, from the SANS Digital Forensics and Incident Response channel
Video information
27 September 2017, 0:30:01
00:31:24