Jared Atkinson

Chief Strategist

Retour à la liste des conférenciers et sessions

Jared Atkinson Chief Strategist, SpecterOps

Jared is a security researcher who specializes in Digital Forensics and Incident Response. Recently, he has been building and leading private sector Hunt Operations capabilities. In his previous life, Jared lead incident response missions for the U.S. Air Force Hunt Team, detecting and removing Advanced Persistent Threats on Air Force and DoD networks. Passionate about PowerShell and the open source community, Jared is the lead developer of PowerForensics, Uproot, and maintains a Detection Engineering focused blog at https://posts.specterops.io/on-detection/home.

Workshop: Malware Morphology for Detection Engineers

Workshops are first-come, first-serve and have limited capacity. Some workshops may be streamed for additional passive participation.

As Defenders it is easy to view attacker behavior through a Technique lens, but this perspective often causes us to forget about the diversity of implementation, morphology, that exists within a Technique. This often leads to detection rules that are more narrowly focused on specific tools instead of on the underlying behavior(s) themselves. MITRE ATT&CK provides a schema for evaluating inter-technique differences between tools, such as the differences between Kerberoasting and DCSync, but we currently do not have an industry-wide model for evaluating intra-technique differences, such as the how two tools performing LSASS Dumping might differ in approach and thus lead to evasion opportunities.

In this workshop, attendees will be presented with various tools that implement the same Technique, but use different approaches, or Procedures, to do so. We will then walk participants through the process of analyzing these tools to understand exactly where and by how much they differ. Participants will then learn how to model different Procedures to evaluate their similarity and determine the optimal events or logs to serve as a foundation for building resilient detection rules.

Participants should prepare by:

Familiarity with Windows Internals basics, programming experience is helpful but not necessary

Participants must have the following equipment:

A Windows laptop preinstalled with IDA 8.2 Free.

Discussion: Q&A Detection

This is a Q&A session. Moderators will take audience questions both remotely and on-site via sli.do.

Q&A Panel for the detection block