Full Circle Detection: From Hunting to Actionable Detection


How do you create new, efficient, accurate and resilient detection rules? There are a lot of steps to follow. This talk will take you through what I call Full Circle Detection: starting with where to get hunting ideas and ending with turnkey alerts for your Security Analysts, using a real-world, step-by-step example.

In this talk, the audience will see how a simple blog article (about an Outlook persistence technique) can and should spark a whole chain of action from your security team.

For each of the applicable steps below, sample code will be provided.

1. The idea/hypothesis
    ○ You read a good blog on a technique and you hunt for the IOCs
2. Converting the hunt query/analytics into a detection in your SIEM
    ○ Nobody wants to run the same search over and over again
3. Make sure your detection is working
    ○ A good query does not guarantee that you will find events
    ○ Make an Atomic Red Team (ART) test to mimic the attack on a test server
    ○ Submit a PR for your ART test
4. Share the detection with the community
    ○ Make a Sigma rule and PR
    ○ Of course, some of the exclusions are org-specific, so be careful how/what you share
5. Make sure your detection pipeline is working
    ○ You need to make sure your whole pipeline is working.
    ○ Did the last update to your SIEM change something that prevents future events from triggering your alert?
    ○ Use Scheduled Tasks, a CI/CD pipeline, Docker, etc. to launch the ART test on a regular basis
    ○ Remove the test system from the alert to avoid SOC analyst fatigue
6. Create the IR Playbook
    ○ Before your SOC Analysts can actually handle these alerts, they need to have a step-by-step guide
    ○ Will try to base it on an open-source project like https://github.com/atc-project/atc-react
    ○ There's also a good SANS presentation that proposes a very clear flow chart
    ○ I'm working on open-sourcing some playbooks I've built at work as well.
7. Training
    ○ You should build training for your current and future analysts.
    ○ Something that is easy to consume.
        § Video
        § Powerpoint
        § Wiki
        § etc.
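
Steps 2 to 5 above are one loop: a rule runs in the SIEM, a scheduled ART test proves it still fires, and the test system must not page an analyst. The following is an added example (not the speaker's sample code) that models that loop in a single script: a Sigma-style rule with an org-specific `filter_org` exclusion that you would strip before sharing, a minimal evaluator standing in for the SIEM, and a triage step that routes matches from the ART test host to a pipeline-health heartbeat instead of the analyst queue, so a missing heartbeat tells you the pipeline broke. The host names, the `Computer`/`TargetObject`/`Image` event shape, the `ExampleDeployTool.exe` exclusion and the `PLACEHOLDER_KEY` registry path are all constructed placeholders, not real indicators from the Outlook persistence write-up.

```python
"""Added example: pipeline health check for a shared Sigma-style detection.

All hosts, field values and the PLACEHOLDER_KEY registry path are constructed
stand-ins; the evaluator is a minimal subset of Sigma, not a real SIEM backend.
"""
from datetime import datetime, timedelta, timezone

# Sigma-style rule as a dict mirroring the YAML layout. `selection` is what you
# would share upstream (step 4); `filter_org` is the org-specific part you would not.
RULE = {
    "title": "Office registry persistence (constructed placeholder rule)",
    "logsource": {"product": "windows", "category": "registry_set"},
    "detection": {
        "selection": {
            "EventType": "SetValue",
            # PLACEHOLDER_KEY stands in for the technique's real key path.
            "TargetObject|contains": "\\Software\\Microsoft\\Office\\PLACEHOLDER_KEY\\",
        },
        # Hypothetical deployment tool that legitimately writes the same key.
        "filter_org": {"Image|endswith": "\\ExampleDeployTool.exe"},
        "condition": "selection and not filter_org",
    },
}

# Host(s) where the scheduled ART test runs (step 5). Their matches are expected
# and serve as a pipeline heartbeat rather than as alerts for the SOC.
TEST_HOSTS = {"ART-TEST-01"}
# The ART test is assumed to run daily; an older heartbeat means log shipping,
# parsing or the SIEM rule itself has silently broken.
HEARTBEAT_WINDOW = timedelta(hours=24)


def field_matches(event: dict, key: str, expected) -> bool:
    """Evaluate one 'Field|modifier: value' pair, case-insensitively as Sigma does."""
    name, _, modifier = key.partition("|")
    value = event.get(name)
    if value is None:
        return False
    actual, wanted = str(value).lower(), str(expected).lower()
    if modifier == "":
        return actual == wanted
    if modifier == "contains":
        return wanted in actual
    if modifier == "startswith":
        return actual.startswith(wanted)
    if modifier == "endswith":
        return actual.endswith(wanted)
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def block_matches(event: dict, block: dict) -> bool:
    """A selection/filter block is a map, so every pair must match (AND)."""
    return all(field_matches(event, k, v) for k, v in block.items())


def rule_matches(event: dict, rule: dict) -> bool:
    """Evaluate conditions of the form 'name and [not] name ...' (the subset used here)."""
    detection = rule["detection"]
    tokens = detection["condition"].split()
    result = block_matches(event, detection[tokens[0]])
    i = 1
    while i < len(tokens):
        if tokens[i] != "and":
            raise ValueError(f"unsupported condition: {detection['condition']}")
        negate = tokens[i + 1] == "not"
        name = tokens[i + 2] if negate else tokens[i + 1]
        hit = block_matches(event, detection[name])
        result = result and (not hit if negate else hit)
        i += 3 if negate else 2
    return result


def triage(events: list, now: datetime) -> dict:
    """Split hits into analyst alerts and test-host heartbeats; report pipeline health."""
    analyst_alerts, test_hits = [], []
    for event in events:
        if not rule_matches(event, RULE):
            continue
        (test_hits if event["Computer"].upper() in TEST_HOSTS else analyst_alerts).append(event)
    latest_heartbeat = max((e["ts"] for e in test_hits), default=None)
    pipeline_ok = latest_heartbeat is not None and now - latest_heartbeat <= HEARTBEAT_WINDOW
    return {"analyst_alerts": analyst_alerts, "test_hits": test_hits, "pipeline_ok": pipeline_ok}


# Constructed sample events in a Sysmon-like shape (not real telemetry).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
_KEY = r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Office\PLACEHOLDER_KEY\Persist"
SAMPLE_EVENTS = [
    # Scheduled ART run on the test host: must match, must not page an analyst.
    {"ts": NOW - timedelta(hours=2), "Computer": "ART-TEST-01", "EventType": "SetValue",
     "TargetObject": _KEY, "Image": r"C:\Windows\System32\reg.exe"},
    # Same write on a production workstation: a real alert for the SOC.
    {"ts": NOW - timedelta(minutes=30), "Computer": "WKS-0042", "EventType": "SetValue",
     "TargetObject": _KEY, "Image": r"C:\Windows\System32\reg.exe"},
    # Production write by the org's deployment tool: suppressed by filter_org.
    {"ts": NOW - timedelta(minutes=10), "Computer": "WKS-0051", "EventType": "SetValue",
     "TargetObject": _KEY, "Image": r"C:\Program Files\ExampleDeployTool\ExampleDeployTool.exe"},
    # Unrelated Office registry write: selection does not match.
    {"ts": NOW - timedelta(minutes=5), "Computer": "WKS-0077", "EventType": "SetValue",
     "TargetObject": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Options\General",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
]

if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS, NOW)
    print("analyst alerts:", [e["Computer"] for e in report["analyst_alerts"]])
    print("test-host heartbeats:", len(report["test_hits"]), "pipeline ok:", report["pipeline_ok"])
    # Three idle days later the heartbeat is stale, so pipeline_ok flips to False.
    print("pipeline ok after 3 idle days:", triage(SAMPLE_EVENTS, NOW + timedelta(days=3))["pipeline_ok"])
```

The design point is that the test host is excluded from the analyst queue but not from the rule: if the scheduled ART run stops producing a match, `pipeline_ok` goes false even though no analyst was ever bothered, which is exactly the silent breakage step 5 is worried about. Whatever you actually ship, keep `filter_org`-style exclusions out of the rule you PR to the Sigma repository.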

With all those steps, you have come, in my opinion, full circle on your detection.


Mathieu Saulnier, Sr Manager Incident Response, Syntax

Mathieu Saulnier is a Core Mentor member of Defcon's Blue Team Village. He has held numerous positions as a consultant within several of Quebec's largest institutions. Since 2011, he has focused on putting SOCs in place and has specialized in detection (Blue Team), content creation and mentorship. He worked as a "Senior Security Architect" and acted as "Adversary Detection Team Lead" and "Threat Hunting Team Lead" for one of Canada's largest carriers for more than a decade, and he is now "Sr Manager Incident Response" at Syntax. He loves to give talks and has had the honor to do so at Derbycon, Defcon's BTV, NorthSec, BSidesLV, Grayhat, GoSec and BSidesCharm.