SANS Threat Hunting and IR Summit
There is no such thing as a perfect intrusion. Attackers always leave traces of their activity as they move from system to system toward their objective. Unfortunately, traditional detection is never perfect either, and it often misses these subtle signs. Adversaries can remain on a network for months or years, siphoning money or intellectual property, before they are eventually found. Adding a hunting program greatly improves your chances of reducing dwell time and impact, but the question remains: how do you wade through vast amounts of log data to find the adversary in the haystack? Organizations collect enormous volumes of logs, and reviewing that data for malicious behavior can be a daunting task. This talk focuses on effective ways to implement hunts so that you can greatly reduce the amount of data you are analyzing while becoming more effective at finding malicious activity.