Title: (Intermediate) Open-Source Tools for Hunting and Practical Intelligence
Description:
Organizations need to identify and disposition new threats to ensure active, adaptive defense. This workshop will walk through open source resources and freely-available techniques to identify new threats and attack trends, and how to then formulate defensive strategies for enterprise protection.
Open source intelligence and information gathering
  Company blogs, articles, and media reporting
    Distinguishing between technical reporting and pure marketing
    "Reading between the lines" for search terms
  Social media and Twitter
    Suggested accounts
    Source vetting and evaluation
  Public threat feeds: AlienVault, IBM X-Force
    Registration and data retrieval
    Timeliness and value
Sample gathering and extracting information
  HybridAnalysis, ANY.RUN, MalShare, VirusShare – VT (commercial)
    Capabilities and limitations of free services
    Evaluating different reporting types, extracting information for further searching
  How to read an analysis or incident report
    More reading between the lines
    Going beyond hashes and IPs
    Extracting information for use and application
Formulating information into hypotheses and pivoting
  Network pivoting: DomainTools, RiskIQ, Censys, Shodan, Urlscan, VirusTotal (free)
    The art of network pivoting without going 'too far'
    Pivoting types: registration information, SOA leaks, infrastructure similarities, etc.
  Host/Binary pivoting: VirusTotal, HybridAnalysis, ANY.RUN, etc.
    File metadata and compilation artifacts
    Identifying common tooling, techniques, and references to publicly-available projects
Overview and exercise:
  Beginning with a single sample (malicious document file), extracting additional information
  Identifying items of interest in document, identifying payload
  Using information to identify general patterns, trends, and behaviors
  Translating identified information into rules, hunting hypotheses, and defensive measures
  Deliverable: Additional IOCs, brief report for review and feedback (after conclusion of workshop)
Speaker(s): Joe Slowik
Location: Blue Team Vlg / Blue Team Vlg - Workshop Track 1
Discord: https://discord.com/channels/7082082...54317658734613
Event starts: 2020-08-07 16:30 (04:30 PM) PDT (UTC -07:00)
Event ends: 2020-08-07 18:00 (06:00 PM) PDT (UTC -07:00)
For the most up-to-date information, please either visit https://info.defcon.org, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-08-02T22:55 (UTC).
