Joey D

Detection Engineering Lead


Joey D Detection Engineering Lead, Canadian Centre for Cyber Security (Cyber Centre)

Joey is the lead of a detection engineering team at the Canadian Centre for Cyber Security. With a focus on Tactics, Techniques, and Procedures (TTP) analytics, he brings a decade of experience in blue-team roles to his position. He enjoys tackling high-profile cybersecurity events, such as his recent deployments to Latvia, where he supported the Canadian Armed Forces' Operation REASSURANCE in securing NATO's eastern front.

As the coach for Team Canada in CTF (CyberSci), he has enabled the team to win gold medals in the guest category at the European Cybersecurity Challenge (ECSC) for the past three consecutive years. He is also proud to deliver challenges for his fifth consecutive NorthSec CTF as a volunteer for the non-profit.


Talk: Noise Pollution is Damaging Your SOC: Prevent IoCs From Turning Into Indication of Cacophony

Talks will be streamed on YouTube and Twitch for free.


Noise pollution is linked to high blood pressure, headaches, fatigue, stress, and impaired focus, leading to decreased performance over time. This analogy accurately describes the impact of excessive, obscure alerts and unlabelled data on SOC analysts. Awareness of noise pollution is crucial both for mitigating its effects (blue team) and for exploiting them (red team).

This talk will explore the sources of noise and propose methods to reduce or transform it into music. The ultimate goals are to enhance how CTI analysts operationalize indicators of compromise (IoCs), prevent alert fatigue, and avoid the aforementioned health issues.

Attendees will step into the shoes of a SOC analyst navigating a high-severity alert on a Friday at 4 p.m. (as is tradition). The high-confidence IoC is linked to known malicious infrastructure, threatening to ruin weekend plans if confirmed malicious.

Spoiler Alert: The false positive turns out to be the Windows Delivery Optimization (DO) service functioning as intended on port 7680.

We will dig into this feature, revealing that Windows devices have participated in a peer-to-peer (P2P) network by default since Windows 10 to speed up update delivery. A deep understanding of the DO ecosystem is necessary to interpret telemetry from XDRs and contextualize the noise.

Noise reduction strategies will be proposed at various stages of the telemetry lifecycle, applicable to other services, protocols, features, and XDR artifacts.
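An added illustration of one such strategy at the enrichment stage, written for this page and not code from the talk or the Cyber Centre: a Python step that runs over constructed XDR connection events and labels Delivery Optimization peer traffic on port 7680 instead of leaving it as an unlabelled IoC hit. The event field names, the check that pairs `svchost.exe` with the `DoSvc` service, the sample events and the IoC addresses (documentation-range IPs) are all assumptions made for the example.

```python
"""Enrich XDR network-connection events with Delivery Optimization (DO) context.

Added example; the telemetry shape (field names, process/service fields),
the sample events and the IoC feed are constructed for illustration.
"""
from collections import Counter

DO_PORT = 7680              # TCP port used by DO peer-to-peer traffic (from the abstract)
DO_PROCESS = "svchost.exe"  # assumption: DO runs as the DoSvc service hosted by svchost.exe
DO_SERVICE = "DoSvc"

# Constructed IoC feed: documentation-range addresses standing in for
# "known malicious infrastructure" that happens to overlap with a DO peer.
IOC_FEED = {"203.0.113.10", "198.51.100.77"}

# Constructed XDR events: a small Friday-afternoon batch.
EVENTS = [
    {"id": 1, "host": "wks-01", "process": "svchost.exe", "service": "DoSvc",
     "dst_ip": "203.0.113.10", "dst_port": 7680},
    {"id": 2, "host": "wks-02", "process": "powershell.exe", "service": None,
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"id": 3, "host": "wks-03", "process": "svchost.exe", "service": "DoSvc",
     "dst_ip": "192.168.5.20", "dst_port": 7680},
    {"id": 4, "host": "wks-04", "process": "unknown.exe", "service": None,
     "dst_ip": "198.51.100.77", "dst_port": 7680},
]


def is_do_peer_traffic(ev):
    """True when the event looks like DO P2P traffic:
    port 7680 carried by the DoSvc service inside svchost.exe."""
    return (ev["dst_port"] == DO_PORT
            and ev["process"].lower() == DO_PROCESS
            and ev["service"] == DO_SERVICE)


def triage(ev, ioc_feed=IOC_FEED):
    """Return (severity, label) for one event.

    - IoC hit with DO context is downgraded but not hidden: the analyst
      still sees the feed overlap, now labelled as a likely benign peer.
    - DO traffic with no IoC hit becomes informational (labelled, so it
      stops being unlabelled noise rather than being dropped).
    - Port 7680 used by anything other than the DoSvc host is kept as a
      finding: the port alone is not an allow-list.
    - IoC hit without DO context keeps high severity.
    """
    ioc_hit = ev["dst_ip"] in ioc_feed
    if is_do_peer_traffic(ev):
        return ("low", "ioc-overlap-do-peer") if ioc_hit else ("info", "do-peer-traffic")
    if ev["dst_port"] == DO_PORT:
        return ("high" if ioc_hit else "medium", "port-7680-non-dosvc")
    if ioc_hit:
        return ("high", "ioc-match")
    return ("none", "no-finding")


def triage_batch(events, ioc_feed=IOC_FEED):
    """Attach severity and label to every event in the batch."""
    out = []
    for ev in events:
        sev, label = triage(ev, ioc_feed)
        out.append({**ev, "severity": sev, "label": label})
    return out


def severity_counts(results):
    """Summary of how much of the batch remains high-severity after enrichment."""
    return dict(Counter(r["severity"] for r in results))


if __name__ == "__main__":
    results = triage_batch(EVENTS)
    for r in results:
        print(f"event {r['id']}: {r['host']} {r['process']} -> "
              f"{r['dst_ip']}:{r['dst_port']} {r['severity']:>6} {r['label']}")
    print(severity_counts(results))
```

The design choice worth noting is that DO context lowers severity rather than suppressing the event: the IoC overlap on event 1 still reaches the analyst, but labelled, so the Friday 4 p.m. alert opens with its explanation attached. Event 4 shows the other side of the same rule: port 7680 from a non-DoSvc process is not given the benefit of the doubt.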