Login Papers Register

Need an account to vote? Register to attend at gsec.hitb.org/sg2018/
Deadline is 30th June 2018!

<< previous next >>

A Year of Purple: Stories, Challenges and Lessons from the Frontlines

Ryan Shepherd

3 vote(s)

Having presented Threat Hunting 101: Become the Hunter at HITB GSEC SG 2017, this talk will be the continuation of this series where I will delve deeper into the topics of attack and defense simulation, attack detection, threat hunting and incident response, based on what my team and I have experienced at Countercept over the past twelve months. I was overwhelmed with the response I received last year and have taken note of what you want to hear about next. And so thanks to you, this next iteration of the talk also reflects a year of conversations and debates with individuals of all InfoSec backgrounds around the topics covered.

One of the key principles covered last year was that Threat Hunting uses technology to get the most of people and not the other way around. And so I will begin with the technical case study of two real world investigations we conducted, which embody this key principle from start to finish. The entire story line, challenges and lessons learned from this case study will set the tone and highlight key ways in which threat hunting continues to meet the real world challenges which impose themselves in unexpected ways.

And so based on my experience of many such case studies over the last year alone, there are two fundamental ways in which I have seen the attack detection and threat hunting landscape, as well as their practitioners, not only adapt but evolve.

Attack and Defense Simulation: Think of this as playing chess against yourself. A key part of threat hunting is not only the defensive knowledge involved, but also the offensive knowledge it requires to be effective. It brings the two together in a way that makes them two sides of the same coin. Attack simulation, in the way that traditional red teams operate, is something to be embraced and leveraged in order to further improve attack detection capabilities. In fact, I have seen a rise in the popularity of virtual simulation labs over the past year. Their increasing scale and complexity are of particular interest, especially since many of them are personal projects by individuals in the attack detection community. What’s behind this new development? In this part of the presentation we will have a demo of what a simple yet effective open source simulation lab looks like, how to deploy it, and then delve into the methodologies, implications and benefits of training yourself at attack detection inside a controlled environment. This will be contrasted with Red Teams exercises I have been a part of and how I see them bridge the gap between simulation and real world compromise.

Incident Response 2.0: Traditional incident response maintains a significant role in the current threat landscape. However, it has been allowed to evolve into something much more flexible and reactive with the rise of threat hunting. In fact, incident managers are finding that lines are becoming increasingly blurred between the two and they are becoming two sides of the same coin. Sounds familiar? Describing my experience alongside various Incident Response teams reveals exactly how this has taken place. The stories, as well as the challenges and lessons learned, are fascinating to say the least.

Being constantly immersed in our own area of expertise can make it difficult to see how everything around us is moving forward. I am very fortunate to have been able to experience the entire spectrum of our industry as a Threat Hunter over the past three years. While the scope of this discussion is somewhat broad and a little overwhelming at first, I will aim to layer the talk in such a way that seamlessly brings together the different aspects of the content within. You will find that there is an elegance in the way all of it is interconnected as well as a clear benefit to having the real world perspective presented in this talk when subsequently engaging with the wider InfoSec community.

===

Ryan is a Threat Hunter for Countercept since its inception in 2015. He is a strong advocate of Threat Hunting and a Purple Teaming enthusiast. Having led attack and defense simulation projects of his own, he has investigated countless incidents over the years, as well as having achieved both OSCP and CRIA accreditation during that time. Speaking at community driven conferences is his favorite way of giving back.