Full Circle Detection: From Hunting to Actionable Detection

How do you create new, efficient, accurate, resilient detection rules? There are a lot of steps to follow. This talk will take you through what I call Full Circle Detection: starting with where to get hunting ideas and ending with turnkey alerts for your Security Analysts, using a real-world, step-by-step example.

In this talk the audience will see how a simple blog article (about an Outlook Persistence technique) can and should spark a whole chain of action from your security team.

For each of the applicable steps below, sample code will be provided.

1. The idea/hypothesis
    ○ You read a good blog on a technique and you hunt for the IOCs
2. Converting the hunt query/analytics into detection in your SIEM
    ○ Nobody wants to run the same search over and over again
3. Make sure your detection is working
    ○ A good query does not guarantee that you will find events
    ○ Make an Atomic Red Team (ART) test to mimic the attack on a test server
    ○ Submit a PR for your ART test
4. Share detection with the community
    ○ Make a Sigma rule and PR
    ○ Of course some of the exclusions are org-specific, so be careful how/what you share
5. Make sure your detection pipeline is working
    ○ You need to make sure your whole pipeline is working.
    ○ Did the last update to your SIEM change something that prevents future events from triggering your alert?
    ○ Use Scheduled Tasks, a CI/CD pipeline, Docker, etc. to launch the ART test on a regular basis
    ○ Remove the test system from the alert to avoid SOC Analyst fatigue
6. Create the IR Playbook
    ○ Before your SOC Analysts can actually handle these alerts, they need to have a step-by-step guide
    ○ Will try to base it on an open-source project like https://github.com/atc-project/atc-react
    ○ There's also a good SANS presentation that proposes a very clear flow chart
    ○ I'm working on open-sourcing some Playbooks I've built at work as well.
7. Training
    ○ You should build training for your current and future analysts.
    ○ Something that is easy to consume:
        § Video
        § PowerPoint
        § Wiki
        § etc.

With all those steps you have come, imo, full circle on your detection.
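As an added illustration of steps 3 and 5 (not code from the talk), this Python sketch routes SIEM alerts so that the scheduled ART test host is suppressed from the SOC queue but still serves as evidence that the whole pipeline fired; the rule name, host names and timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    """One alert as emitted by the SIEM (constructed shape, not a real SIEM schema)."""
    rule: str
    host: str
    fired_at: datetime


# Hosts that exist only to run Atomic Red Team tests on a schedule (assumed names).
TEST_HOSTS = {"art-lab-01"}


def route_alerts(alerts, rule):
    """Split alerts for one rule into the SOC queue and the health-check evidence.

    Test-host hits are removed from what analysts see (to avoid alert fatigue)
    but kept aside: they prove the agent, ingestion, parser, rule and alerting
    all still work after the last SIEM change.
    """
    matching = [a for a in alerts if a.rule == rule]
    soc_queue = [a for a in matching if a.host not in TEST_HOSTS]
    evidence = [a for a in matching if a.host in TEST_HOSTS]
    return soc_queue, evidence


def pipeline_healthy(alerts, rule, test_ran_at, max_delay=timedelta(minutes=15)):
    """True if a test-host alert for `rule` fired within max_delay of the ART run.

    No such alert means the scheduled test ran but nothing reached the alert
    stage, so the pipeline (not the analysts) needs attention.
    """
    _, evidence = route_alerts(alerts, rule)
    deadline = test_ran_at + max_delay
    return any(test_ran_at <= a.fired_at <= deadline for a in evidence)


# Constructed sample: one scheduled ART run and the alerts the SIEM produced after it.
RUN_AT = datetime(2024, 1, 10, 3, 0)
SAMPLE_ALERTS = [
    Alert("outlook_persistence", "art-lab-01", RUN_AT + timedelta(minutes=4)),
    Alert("outlook_persistence", "wks-finance-07", RUN_AT + timedelta(hours=2)),
    Alert("other_rule", "art-lab-01", RUN_AT + timedelta(minutes=1)),
]

if __name__ == "__main__":
    queue, _ = route_alerts(SAMPLE_ALERTS, "outlook_persistence")
    print("SOC sees:", [a.host for a in queue])
    print("pipeline healthy:", pipeline_healthy(SAMPLE_ALERTS, "outlook_persistence", RUN_AT))
```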

Mathieu Saulnier, Director Threat Research & Security Content, Sumo Logic

Bio: Mathieu Saulnier is a “Security Enthusiast” and a Core Mentor for Defcon's Blue Team Village. He is currently "Director Threat Research" at Sumo Logic, where he focuses on research, threat hunting and adversary detection. In the last two decades, he worked for one of the largest carriers in Canada as Sr Security Architect and held numerous positions as a consultant within several of Quebec’s largest institutions. Since 2020 he has taken his mentoring engagement to the next level by joining the Blue Team Village Mentor Program. He loves to give talks and has had the honor to do so at Derbycon, SANS DFIR Summit, Defcon’s BTV, NorthSec, GrayHat, GoSec and some BSides.