How do you create new detection rules that are efficient, accurate and resilient? There are many steps to follow. This talk walks you through what I call Full Circle Detection, starting with where to get hunting ideas and ending with turnkey alerts for your Security Analysts, using a real-world, step-by-step example.
In this talk the audience will see how a simple blog article (about an Outlook Persistence technique) can and should spark a whole chain of action from your security team.
For each of the applicable steps below, sample code will be provided.
1. The idea/hypothesis
○ You read a good blog post on a technique and you hunt for the IOC
2. Converting the hunt query/analytics into detection in your SIEM
○ Nobody wants to run the same search over and over again
3. Make sure your detection is working
○ A good query does not guarantee that you will find events
○ Make an Atomic Red Team (ART) test to mimic the attack on a test server
○ Submit a PR for your ART test
4. Share detection with the community
○ Make a Sigma rule and PR
○ Of course some of the exclusions are organisation-specific, so be careful how and what you share
5. Make sure your detection pipeline is working
○ You need to make sure your whole pipeline is working.
○ Did the last update to your SIEM change something that prevents future events from triggering your alert?
○ Use Scheduled Tasks, a CI/CD pipeline, Docker, etc. to launch the ART test on a regular basis
○ Remove the test system from the alert to avoid SOC Analyst fatigue
6. Create the IR Playbook
○ Before your SOC Analysts can actually handle these alerts, they need to have a step-by-step guide
○ I will try to base it on an open-source project like https://github.com/atc-project/atc-react
○ There's also a good SANS presentation that proposes a very clear flow chart
○ I'm working on open sourcing some Playbooks I've built at work as well.
7. Training
○ You should build a training for your current and future analysts.
○ Something that is easy to consume.
§ Video
§ Powerpoint
§ Wiki
§ etc.
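As an added example (not code from the talk or its speaker), the following Python sketch ties steps 2, 3 and 5 together: a Sigma-style rule evaluated over constructed Sysmon-like events, an exclusion for the Atomic Red Team test host so the SOC is not paged by the scheduled test, and a health check that fails when the pipeline stops matching the test event (for instance after a SIEM update renames a field). The rule shape, host names, event fields and the PLACEHOLDER_PERSISTENCE_KEY registry value are assumptions; the actual technique from the blog post is not reproduced.

```python
"""Added example: Sigma-style rule + ART-style test event + pipeline self-check.

Steps covered from the outline:
  2. the hunt query becomes a reusable rule (rule_matches / raw_hits)
  3. a constructed test event proves the rule fires (pipeline_healthcheck)
  5. the test host is excluded from analyst alerts, and the health check
     turns red when the pipeline silently stops matching
All events, hosts and the registry path are constructed placeholders.
"""
from typing import Any

# Hypothetical rule in a Sigma-like shape. PLACEHOLDER_PERSISTENCE_KEY stands
# in for whatever the real technique writes; it is NOT the key from the talk.
RULE: dict = {
    "title": "Outlook persistence via registry value (placeholder)",
    "logsource": {"product": "windows", "category": "registry_set"},
    "selection": {
        "EventType": "SetValue",
        "TargetObject|contains": "\\Microsoft\\Office\\",
        "TargetObject|endswith": "\\Outlook\\PLACEHOLDER_PERSISTENCE_KEY",
    },
}

# Constructed Sysmon-style events (not real telemetry). "category" is an
# assumed normalised field a SIEM would add, not a native Sysmon field.
SAMPLE_EVENTS: list = [
    {"Computer": "WS-042", "category": "registry_set", "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Outlook\Options\General\Theme"},
    {"Computer": "ART-TEST-01", "category": "registry_set", "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-2\Software\Microsoft\Office\16.0\Outlook\PLACEHOLDER_PERSISTENCE_KEY"},
    {"Computer": "WS-017", "category": "registry_set", "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-3\Software\Microsoft\Office\16.0\Outlook\PLACEHOLDER_PERSISTENCE_KEY"},
    {"Computer": "WS-017", "category": "process_creation",
     "Image": r"C:\Windows\System32\cmd.exe"},
]


def _field_matches(event: dict, spec_key: str, expected: Any) -> bool:
    """Evaluate one selection entry. String matching is case-insensitive,
    like Sigma. A missing or renamed field never matches."""
    name, _, modifier = spec_key.partition("|")
    if name not in event:
        return False
    actual = str(event[name]).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    for value in wanted:
        value = str(value).lower()
        if modifier == "" and actual == value:
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
    return False


def rule_matches(rule: dict, event: dict) -> bool:
    """Step 2: the hunt query as a rule. Log source and every selection field must hold."""
    if event.get("category") != rule["logsource"]["category"]:
        return False
    return all(_field_matches(event, k, v) for k, v in rule["selection"].items())


def raw_hits(events: list, rule: dict) -> list:
    """Every event the rule fires on, test hosts included (used by the health check)."""
    return [e for e in events if rule_matches(rule, e)]


def analyst_alerts(events: list, rule: dict, excluded_hosts: set) -> list:
    """Step 5: drop the test system(s) so the scheduled ART run does not page the SOC.
    The exclusion sits after matching, so raw_hits still sees the test event."""
    excluded = {h.lower() for h in excluded_hosts}
    return [e for e in raw_hits(events, rule)
            if str(e.get("Computer", "")).lower() not in excluded]


def pipeline_healthcheck(events: list, rule: dict, test_host: str) -> bool:
    """Steps 3/5: after the scheduled ART test, the rule must have fired on the
    test host. False means logging, parsing or the SIEM schema broke."""
    return any(str(e.get("Computer", "")).lower() == test_host.lower()
               for e in raw_hits(events, rule))


if __name__ == "__main__":
    print("analyst alerts:", [e["Computer"] for e in analyst_alerts(SAMPLE_EVENTS, RULE, {"ART-TEST-01"})])
    print("pipeline healthy:", pipeline_healthcheck(SAMPLE_EVENTS, RULE, "ART-TEST-01"))
```

Run on a schedule alongside the ART test, `pipeline_healthcheck` is the check step 5 asks for: it reads the raw hits, not the analyst-facing alerts, so excluding the test host never hides a broken pipeline. If a SIEM update renames `TargetObject`, `_field_matches` returns False for every event and the health check fails before anyone relies on the silent rule.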
With all those steps you have, in my opinion, come full circle on your detection.