Watch the stream
In this talk the audience will see how a simple blog article (about an Outlook Persistence technique) can and should spark a whole chain of action from your security team.
For each of the applicable steps below, sample code will be provided.
1. The idea/hypothesis
○ You read a good blog on an technic and you hunt for the IOC
2. Converting the hunt query/analytics into detection in your SIEM
○ Nobody wants to run the same search over and over again
3. Make sure your detection is working
○ It's not because your query is good that you will find events
○ Make a Atomic Red Team (ART) test to mimic the attack on a test server
○ Submit a PR for your ART test
4. Share detection with the community
○ Make a Sigma rule and PR
○ Of course some of the exclusions are Org specific so be careful how/what you share
5. Make sure your detection pipeline is working
○ You need to make sure your whole pipeline is working.
○ Did the last update to your SIEM change something that prevents future events from triggering your alert?
○ Use Schedule Tasks, CI/CD pipeline, Docker, etc to launch the ART test on a regular basis
○ Remove the test system from the alert to avoid SOC Analyst fatigue
6. Create the IR Playbook
○ Before your SOC Analysts can actually handle this alerts, they need to have a step by step guide
○ Will try to base on a opensource project like https://github.com/atc-project/atc-react
○ There's also a good SANS presentation that propose a very clear Flow chart
○ I'm working on open sourcing some Playbooks I've built at work as well.
○ You should build a training for your current and future analyst.
○ Something that is easy to consume.
With all those steps you have come, imo, full circle on your detection.