First Post and Review of The Need for Pro-active Defense and Threat Hunting Within Organizations
Read Time: 5 Minutes
Welcome to my first blog post! I thought I would start off the blog by sharing thoughts on content that is publicly available on security topics that are of interest. Recently I viewed Andrew Case's The Need for Pro-active Defense and Threat Hunting Within Organizations posted by Adrian Crenshaw from the archive of recordings of presentations performed at BSides Tampa in 2015. This video highlights contemporary considerations with respect to hostile third parties, comprised of professionals that operate with a thought-out trade-craft, who are motivated to break into an organization via their IT infrastructure. Generally speaking the modern enterprise is faced with the Defender's Dilemma, blogged about by Richard Bejtlich, in which alert-centric security analytics fails to address in a timely manner the risk posed by these hostile third parties. Andrew Case's presentation addresses this by delving into Threat Hunting as a mitigating control.
Threat Hunting as a contrast, to alert-centric security analytics, can be scoped as "...Searching for adversaries without a particular indicator" through proper documentation and tooling. This creates a different paradigm for defenders where they can more quickly deal with abnormality as a starting point for finding bad within the enterprise. This new defensive paradigm is only possible by providing a separate segmented infrastructure that does not fit the homogeneous mold that is required to service regular enterprise users.
Recently, the Japan Computer Emergency Response Team(JPCERT) released a document called Detecting Lateral Movement through Tracking Event Logs. This document is interesting because if a defender were to have access to all the Windows Events cited the volume of data is quiet large. However, applying the message Andrew Case shares it is important to baseline normal to reduce this volume to a working subset of data that would allow an analyst to spot the tools cited in the release by JPCERT. This type of mitigation drives the costs of the would-be-intruder up, and reduces exposure, for the enterprise.
Please leave comments below and I look forward to sharing more experiences that I have on the daily with my readership.
Welcome to my first blog post! I thought I would start off the blog by sharing thoughts on content that is publicly available on security topics that are of interest. Recently I viewed Andrew Case's The Need for Pro-active Defense and Threat Hunting Within Organizations posted by Adrian Crenshaw from the archive of recordings of presentations performed at BSides Tampa in 2015. This video highlights contemporary considerations with respect to hostile third parties, comprised of professionals that operate with a thought-out trade-craft, who are motivated to break into an organization via their IT infrastructure. Generally speaking the modern enterprise is faced with the Defender's Dilemma, blogged about by Richard Bejtlich, in which alert-centric security analytics fails to address in a timely manner the risk posed by these hostile third parties. Andrew Case's presentation addresses this by delving into Threat Hunting as a mitigating control.
Threat Hunting as a contrast, to alert-centric security analytics, can be scoped as "...Searching for adversaries without a particular indicator" through proper documentation and tooling. This creates a different paradigm for defenders where they can more quickly deal with abnormality as a starting point for finding bad within the enterprise. This new defensive paradigm is only possible by providing a separate segmented infrastructure that does not fit the homogeneous mold that is required to service regular enterprise users.
Recently, the Japan Computer Emergency Response Team(JPCERT) released a document called Detecting Lateral Movement through Tracking Event Logs. This document is interesting because if a defender were to have access to all the Windows Events cited the volume of data is quiet large. However, applying the message Andrew Case shares it is important to baseline normal to reduce this volume to a working subset of data that would allow an analyst to spot the tools cited in the release by JPCERT. This type of mitigation drives the costs of the would-be-intruder up, and reduces exposure, for the enterprise.
Please leave comments below and I look forward to sharing more experiences that I have on the daily with my readership.
References
- The Need for Pro-active Defense and Threat Hunting Within Organizations by Andrew Case - https://www.youtube.com/watch?v=751bkSD2Nn8
- Iron Geek by Adrian Crenshaw - http://www.irongeek.com/i.php?page=videos/bsidestampa2015/mainlist
- Tao Security Blog by Richard Bejtlich - https://taosecurity.blogspot.com/2009/05/defenders-dilemma-and-intruders-dilemma.html
- JP-CERT Blog - http://blog.jpcert.or.jp/2017/06/1-ae0d.html
- Detecting Lateral Movement through Tracking Event Logs - https://www.jpcert.or.jp/english/pub/sr/Detecting%20Lateral%20Movement%20through%20Tracking%20Event%20Logs_version2.pdf
Comments
Post a Comment