
Dispelling the Myth of "Maturity" in Threat Hunting

BSides Buffalo · 2023 · 41:32 · 71 views · Published 2023-06
Category: Technical
Team: Blue
Style: Talk

About this talk
Smaller organizations often lack a dedicated threat hunting program. This crucial step in any enterprise's cybersecurity maturity model is often thought of as a final step, even if it doesn't have to be. Often quoted reasons to delay include cost, human capital, and simply time. Starting early can be simple and help propel the rest of your security program sky high. Benefits can be wide ranging, from improved controls and your logging environment, to giving your analysts superpowers and improving your sleep. This talk will discuss the actions to get this program started from the ground up and provide a solid foundation to hunt down misconfigurations, or even proactively sniff out APTs.

ABOUT THE SPEAKER
Kelsey Seymour currently resides as a Security Engineer with The Guthrie Clinic out of Sayre, PA. Kelsey has over 6 years of experience within IT and cybersecurity. His focus areas revolve around SIEM architecture and engineering, as well as detection engineering and threat hunting. In his spare time, he enjoys volunteering with the Boy Scouts, staying outdoors away from a keyboard, or cooking up some food.
Transcript [en]

All righty, so I'm gonna start off with a quick statistic here. In 2011 Mandiant's M-Trends report said the average attacker's dwell time in the environment was an astonishing 416 days out of all the IRs that they performed. In 2020 that number was down to just 24 days. One of the main contributions to that that everyone attributes is threat hunting. So I think it's safe to say everyone in this room is here to bring back ideas on how to jumpstart their own or kickstart their own knowledge. So my name is Kelsey Seymour, I've got about six years in IT, cybersecurity overall, and I've assisted with starting threat hunting programs in smaller orgs. So today we're going to

talk through a simple threat hunting program at a generic company. Any, you know, normal legal disclaimers and all that, any resemblances are, well, interesting, glad to hear you think of that. Otherwise let's just hold all the questions to the end, I do have time built in there for questions and I absolutely love questions, please try and insult me, I enjoy the challenge. So moving on, we're going to do a little quick Q&A here. We are not going to get the right answers, that's for you to figure out later in the presentation. So the first question I'm going to ask here is how many people do you need in your department to start a threat hunting

program? So by a show of hands, if you think it is A, between one and five people in your department to start a proper threat hunting program, raise your hand if you think between one and five. Okay, how about B, five to twenty? C, 25 to 100? Or D, 100 plus? So I think it's safe to say everyone kind of got the gist at the top and said hey, congrats, you're actually right, I'll give you that one right now for free. Fun fact about D is the last time I gave a similar presentation to this I had a CISO come up to me afterwards and say hey, about two, three years ago when I started

in my current position I was talking with Gartner about maturing our own cybersecurity program, I had 37 analysts on staff, said when should I start a threat hunting program, and they said at least five years. Don't worry, moving on. Here is another question I got here, a little bit oddball but you'll see how it comes back. Microsoft has a native centralized log collection software that is not SCOM and is not agent-based. Who here thinks that's true, show of hands? Who here thinks that's just an outright lie, it's false, I'm just telling you things that don't exist? So any hands for true? Any hands for false? Okay, so to jump right into it here today

we're going to do a couple things. We're going to dispel the myths around maturity and threat hunting, I'm going to present to you guys an example threat hunting to detection engineering pipeline, we're going to provide four practical example threat hunts and showcase some sort of infrastructure that you can use to help make this happen in an organization without a lot of budget or resources. So to get right with it here, what is threat hunting? Threat hunting is going to be proactive, that's going to require some understanding of your own environment and require you guys to be forward thinking. So get right to the lead of it here so there's no surprises, list of dispelled myths. First one is you need an army of

200 people. Guess what, you'll need one or two analysts, some dedicated time. In fact the 2020 SANS threat hunting report that I referenced earlier, over 30 percent of organizations do not perform in-house threat hunting. Next one up here, it is those analysts will spend half of their work week just doing nothing but threat hunting, so you're going to lose half your productivity, right? No, about five hours a week in the programs that I was a part of is about how long the average analyst spends with this. You're going to need specialized tool sets? Well guess what, chances are you already have everything you need in your environment set up ready to go, if not

you have some extra stuff and you're ahead of the game and you didn't know it. And finally a lot of people say you need those leading experts. You know what, I say it a little bit differently: let's turn the members on your team into the experts for your own organization. So getting right to it here for an example threat hunting pipeline, because one of the other big things I often hear is, cool, threat hunting is great, we're safe, I just keep telling everyone we're safe for doing this, we're safe for doing this. That's kind of hard to sell to my upper management, my upper leadership, because again, what's the point, you're just saying we're good, we already

knew we're good, right? So this is one way you can actually help provide real, measurable, tangible value out of your threat hunts. It is, we'll start off with a threat hunt, work our way through it, and we'll end up as part of this debrief with some detections that you can integrate into your own SIEM or other platforms you have. So generally I like to run this as a work week. So we're going to start off with our hypothesis. Typically we'll do this during a team stand-up on a Monday, stuff like that. We're gonna all sit together, we're going to talk, and this is going to be a team-based discussion, either split up in the groups or we have

individuals that have their own ideas go their own ways and we try and guide the, you know, hypothesis there. So threat intel is a good thing. Guess what, you don't even need paid threat intel feeds, there's plenty of blogs, articles, resources from both vendors and just other individuals in the community. What are you seeing? For example, uh, what was it, I think it was the 31st, the, uh, Progress MOVEit vulnerability, for any companies that use that, and I see some people nod their heads going yeah, no, I'm too well aware of that. That is an example of something that's newsworthy that hey, we might use that in our organization, or let's look at the attack

vectors behind that and try and apply similar concepts to our organization. From there kicks off the rest of the work week and that's where we're going to go into the analysis phase. This is going to be that solo or paired-up research. You're going to let people deviate off on their own, do their research, do their learning, ask questions of, you know, more senior members of their team. They're going to start realizing okay, how would this threat hunt look for our organization, what kind of tools do we have to get the log data, how can I parse it, how can I go through it? And then we hit my favorite part, which is the testing phase. So I'd say this right now,

your threat hunt is done when you hit that analysis stage. So now we're under testing, so this is trying to transform it more into the detection engineering process. So here's the fun part: does your query work? So, you know, if you have some, you know, members of your team that are more red team friendly or stuff like that, or even if it's something very basic and generic such as, let's say, outside connections from your servers in the DMZ to the outside world, those are relatively easy things to test. So not only do you have your threat hunt, let's make sure that all that analysis and that research and that planning and that testing actually was valid. So let's

make sure that it's valid in your environment. Then we roll into Friday for the debrief. It's just another team-based discussion, we sit there, everyone gets a chance to present their lessons learned: hey, so I researched this, here's what I did, here's what I found, and then here's my detection. And then as a group we can take that detection, go past, you know, the last 30, 90, 365 days, whatever makes sense for the retention we have and the type of detection. If we have low false positives, good true positives from your testing, we can now move that into production. And guess what, we just did threat hunting once that week and we gained a new detection. So right there's

a nice KPI you can use to report up and say not only did we make sure we're safe, we also implemented something to make sure we're monitoring this for the future. So with that we're going to move into our example cases here. So we're going to do some network-based threat hunting now, because I alluded to it a little bit earlier. An example hypothesis for this is our DMZ servers should not make outbound internet requests. The idea of posting something in the DMZ is that something you're displaying to the public, the public should be reaching in, you shouldn't necessarily be reaching out often, if ever. So we're going to move into the analysis stage. So we use network logs from our

firewall, so you can use data transforms on things such as NetFlow. Some things we did notice in this analysis stage in this fictional organization is we did in fact have a lot of connections coming from our DMZ servers out to the actual internet. Now some of you might be thinking oh no, that's bad, but for example let's say you have a cloud SIEM product and you have an agent installed on that server, how are those logs getting shipped up? They gotta reach back out. How about EDR or other compliance monitoring suites, DLP, anything that actually has to talk back, your RMM tools for patching, etc. So those were actually really easy, you reach out and grab the vendor

documentation: these ports, these addresses, these DNS entries, guess what, there's your exclusions. So now comes again my favorite part, how can we test this? Well, hop on the server and make some outbound connections and see what happens. So hopefully, you know, you run those same queries again and all the red lights are starting to flash and you're going yes, I got it. So we used netcat, that's the funny cat there, um, for testing that from one of our Linux servers, and sure enough we rolled into Friday saying we got a new detection for all new unknown outbound network connection attempts. This is great for things like web shells: web shell gets dropped on your

DMZ server, chances are it's going to reach out to C2 and boom, now you got lights and sirens going on if your EDR platform didn't catch it already or if your firewall didn't block it. So some of the tools we used here was we had a paid SIEM, not gonna lie, we already had it, we used it, why not, and we also used network perimeter logs that were ingested into it. So let's say you're a starting organization, you have a young security program, stuff like that, there are still things you can leverage. For example, you already have a network monitoring solution that ingests the NetFlow data and syslog data, chances are that gets dropped off in a database

you can query either on the side or directly, and then you set that up as a scheduled task, cron job, your favorite, you know, scheduler, and there you go. Now you pay no money except for maybe a server to host the database off of, and you're all set and running. Or a good old classic is flat file and your choice of grep, sed and/or awk. You can just go through the plain syslog, dump it on a Linux server with rsyslog, syslog-ng and you're off to the races. So let's move into one a little bit more system, server based here. So in this case, uh, this one was done a couple years ago with all of the fun

with Lapsus$ and every executive and board member seeing all these big companies getting hacked going oh gosh, that's a teenager, hype, are we good, are we safe from teenagers? So one of the things that we picked up on that was the use of DCSync. Now not to pick on too many EDR platform vendors and everything else, I've yet to actually see an out-of-the-box DCSync detection that you, at least as the customer, did not have to already somewhat customize to make it work right. So for analysis of this we used successful Windows event logins and object access. So when we went to go test this we actually realized as we're going through

this there's another really easy low-hanging-fruit detection, which is the DC machine account use. So a domain controller's machine account has 98, 99% of the same authority as a domain admin. And just by a show of hands, virtually in your head if you don't want to share, how many of your organizations are already currently monitoring DC account usage to make sure they're being used by the right IP addresses to the right servers? So when we rolled into debrief of that, we had that run to include any and all abuse of DC machine accounts based on source IP and other classifying information via those successful event sign-ins, and then it actually turned into just a secondary query, uh, DCSync. We

actually found a lot more value out of the detections for abuse of domain controller machine accounts, because the next annual penetration test of that fictional organization went through, that was in fact an attack method tried by the pen tester, and he was surprised when we texted him about two minutes later saying congrats. So moving on from that, again, you know, you have a paid SIEM, you might as well use it, I can argue that, and we just had basic domain controller logs, that's often your first step of your first server logs you ingest. Now again, got open source offerings, so you can use things like, you know, Security Onion that's out there in the vendor hall, you can use Elasticsearch, which is

kind of premium nowadays, Graylog, whole bunch of options there, or as I hinted at earlier, you can use Windows Event Forwarding with PowerShell and scheduled tasks. Guess what, you have a spare Windows Server, that's free, you're already paying for it. Um, you can, I think the last time I looked at Microsoft documentation, they say four cores and 16 gig of RAM is sufficient for 2,000 servers to be monitored with reasonable filtering and everything else involved. So there we go. With that we're going to go on to endpoint-based hunting. I will give EDR platforms some benefit here, they're definitely catching up on this, I can still beat them out typically a

little bit with the amount of customization we can get with this style of hunting. So guess what, Office products should not be spawning child processes that can execute scripts. So you think okay, that's easy, just put it in a flat rule, right? So, you know, we're going to use our EDR logs, we're going to look at all the child processes, we're going to look at those child processes over the last 90 days, we're going to see nothing, right? Nope. Our two biggest culprits: HR with the HR management integration with their HR system, second worst, compliance and VBS, not compliance, it was Finance and their VBS groups, because everything runs in Excel with VBS. So speaking of VBS,

it's time for detection, right? Sorry, we're going to test this. We're just gonna put a VBS macro in a Word file, email it across, because why not, we're going to get a double dip here, get our email security vendor to pick it up. No? Sweet. Now we're just going to do everything every security professional is trained not to do, and you're going to do it with a smile on your face: you're going to take that suspicious email, download that Word document, double-click it and hit run. And sure enough alarm bells went off, process got killed like that because it was going through the EDR platform, and we rolled into Friday with the customized detection for all suspicious

children from all Office products, and we actually were able in that case to expand the scope to include Adobe Acrobat. And again, that's four or five hours of one analyst, and we, um, actually turned the detection off on the EDR, that our custom built one, we ran it, didn't catch a thing. So with the endpoint hunting, as you kind of heard, we used the paid EDR, 90 days retention. Now I'd like to hope in 2023, don't worry, you already have that, you might just need an additional SKU, now either for the 90 days retention, either for the access to that data underneath the hood. But that's typically a very easy sell to upper leadership: hey, this much more and

then now we can do this across all our servers, all of our endpoints that have the EDR agent installed. And just in case you're worried about that cost, let's just quick get a quote from Splunk and get a quote from Azure Sentinel and then you'll very quickly agree to it. Or you can use things like Sysmon and then some agent-based systems like Velociraptor, osquery, or you can technically do WEF. It is interesting on endpoints because a lot of them like to move, for example this laptop is not plugged into a LAN that can see a domain controller, can see member servers, so it's really hard to do Windows Event Forwarding with that, which is why I tend to go more towards the agent

based in that case. So with that we're going to go on to the last of our four here, which is going to be an application-based hunting, so kind of gonna blend a couple of these categories together here. So this hypothesis was a pretty simple one: web apps should not be spawning native Windows shells or tools, especially if they're installed on a Windows server, and you could do the same thing for Linux if you were out there on track one for the previous talk on GTFOBins. So analysis here, we kept it simple, 4688 with event logs, or you could use Sysmon event number one, or you have EDR installed, guess what, chances are process

creation events are already in there too, the world's your oyster, there's 20 ways to do it. Now we went to testing, so here's where it got fun. We had a lot of false positives in our environment. I'm going to pick on ManageEngine because it's fun: if you're running ADSelfService Plus, guess what, that self-service password reset for AD self service with ManageEngine about once a week will run base64 encoded PowerShell. What's it doing? It's making sure your DC machine certs are trusted on that in case it's not a domain-joined device, it just does raw LDAP back into your domain controllers. Or ADAudit Plus is doing a lot of that

in the back end for scheduled tasks, etc., that's built into that. The other one was, it's a long query, there were a lot of apps. I'd want to say the last time I touched a query like that we had 29 LOLBins detected as part of it and it was about 15 or 16 exclusions, but this also covered our entire environment for any Windows server, to include IIS, Apache and all that fun stuff. So you roll into the debrief there all excited because we had new detections for suspicious activities for web servers. We not only had our DMZ servers covered from the network perspective, but hey, let's say it didn't reach back out, it was just a one-way-in web shell, we

were still pretty good. And if your organization were to have done something like this in, let's say, 2021, and hopefully not too much PTSD by that getting shown on screen, and a lot of us hopefully have already forgot about Log4j and the months and months of where in the world is this in my environment. For example, if you were a VMware Horizon customer and running Unified Access Gateways exposed to the public, as they were designed to be as a DMZ web proxy server, Log4j would come right in through the UAG, hit your Horizon Connection Server and install web shells. There were plenty of awesome write-ups about that. Now if you're reading threat intelligence and going and following

along with the blogs going, I'm glad we're good, you would have seen there's a couple things that they did initially for recon, because there was that massive exploitation attempt. So a lot of places got a shell, not many of them were actually exploited past that web shell, and then some people put up honeypots, including other nation states, and then they got web shells and realized oh hey, here's how I can use the ones already installed by, you know, my adversary. And then just from there, about a month or two afterwards, there's a mass amount of recon. So what commands are being run? nslookup, whoami, net commands, and all that would have been triggered by a detection just like

this. So again, I'm not going to necessarily harp on this too much: paid SIEM, Windows event logs, alternatives, so you can repeat with me, open source offerings, or WEF with PowerShell and scheduled tasks. Now I'm going to take a quick pause break here, because anyone have any questions about the last hypotheses we just went through? Okay. So one thing that is often brought up is a lot of these exclusions, and you're just going to see a lot of weird applications, because apps honestly do weird things to make things work and their minds don't necessarily think like yours and vice versa. Thankfully someone, and I forget their name off the top of

my head and I feel bad about it at least for a couple minutes, is they created a website called WTFBins to just document that. Now the URL, just in case anyone needs it, is wtfbins.wtf, very fitting, and they just document the odd behavior that was shocking and surprising of applications. For example, Windows Terminal by default will run wsl --list to see if there's any potential profiles of Linux to add to that list automatically. Just runs it as, you know, a cmd line, doesn't do any fancy API calls, it just calls the command and says hey, show me your WSL instances on this host, and that's a very common recon tool. You will find a lot of vendors in there as

well, um, for example there are some endpoint protection platforms that'll pop up and run whoami as NT AUTHORITY\SYSTEM. Why would the kernel need to know who itself is? Just to make sure it hasn't been tampered with. And that will, you know, you're not alone, here's some very common false positives. If you ever get bored pull up the website, you're going to see some fun ones there, I promise you. With that we're going to move on to some infrastructure ideas. It's not cheap, it's affordable. So going right on with Windows Event Forwarding: guess what, built into Windows, you can even run this on a Windows 10 or higher, Windows 7 client, you don't necessarily need a server SKU.

It is deployable with a GPO and no agents. Guess what, hey, we're not asking for another agent, we're just asking for a GPO to go check out this one, you know, share, and then just report back any data that it has. It's going to use native Windows tools: it's WinRM as a listener and then it's Kerberos SPNs for authentication. It's pretty simple, and if you're a wizard with XML or know someone who is you can get very granular and very specific with these filters, to the point where you can actually have it filtered down to your detections are the filters themselves. So the system will check in at whatever interval you set, it will pull the filters, it will go through its, you know,

history of event log since the last time it's pulled in, hopefully it hasn't rolled over, and then it'll just report back hopefully nothing, or if you have your filter set right, any event getting written back to the local log, that's a detection. Now that's one way to do the filtering. I recommend being a little bit more loose with the filtering, especially if you don't have a SIEM, because that's just one endpoint at a time. So hey, you know, if someone's, let's say in your environment there's a VLAN hop from your guest Wi-Fi to your corporate network, but that never happens, right? But just, Buffalo, play pretend and say that actually is possible, and someone figured that out and they're just going

through every single IP they can find and trying to log in with admin/admin. Is that enough to trigger necessarily a failed login detection? You're going to be alerting on any single, just generic, failed login from any machine? Probably not, that's going to generate thousands of logs. Now that doesn't necessarily work for the, you know, I want to detect on every single failed login with the highly filtered approach, but what you can do is collect them anyway and use PowerShell scripts and scheduled tasks to correlate that. So am I seeing the same username attempt from the same source IP across multiple hosts? And then you can start tying this into other log sources. The other fun part

about using the PowerShell for it is now you can do alert reporting. So you can do very fancy emails in PowerShell that say hey, I just detected on this, here's a copy of the logs, send it off to this distro list and raise the alarm. You can use webhooks, guess what, Microsoft Teams, if you have a team site for your internal security team you can generate webhooks into it and get very nice and fancy alerts. You can also have it call back to the server, which gets fun, because believe it or not, with just a simple Linux server and some spare time on your hands you can actually build your own SOAR platform within Teams,

and of course there's always the APIs themselves. Here, you're welcome to use Teams, though, our organizations already have it, so that's one of the ones that's there, it's already paid for and it exists, use it all you can. And then, you know, hey, we're using Teams now, here's what we get, we could go and jump over to this SOAR platform and look how much more we get, but now we can justify it as a cost increase, and then it's not we're going from nothing to this, here is the exact things we increase on, and that makes selling to leadership all the more easier. So another very popular one that is often a lot of practice

is using grep, sed and awk. So just a quick primer for those that don't know: grep is regex matching, good for one-off searches, especially if your SIEM went down, you had a hiccup with your ingestion pipeline, you got the flat syslog file sitting there from rsyslog, syslog-ng and you're just trying to figure out this one issue real quick. It's real easy just to do, you know, grep, space, your regex, space, the file name, hit enter and hopefully you get the results you're looking for right off the bat. Now you can get a little bit fancier, and then from that you're going to move into sed. So sed is short for stream editor, think about it like grep on

steroids: not only is it just grep, you can actually modify line by line based upon pattern matching. So who here has ever looked at Apache Tomcat logs? Who here has cried looking at Apache Tomcat? Let's keep your hands up, exactly. So, um, there have been people definitely smarter than I that have written sed commands to make those actually bearable to stare at in the terminal window. I keep them in a little notepad file, very handy and very close to heart for those handful of times I need it. And then if you really want to be a wizard, awk, that's the most powerful of them all, it's a full programming language that you can use within the CLI and its focus is a

hundred percent on data manipulation. I have seen people do very impressive things with this, this is a very fun area to explore. And just in case, here's some future reading: there is a book, Data Science at the Command Line, you put that into Google and it's published by O'Reilly, however the author has a contract with O'Reilly and they have the ebook for free online, you can go browse it or download it, I think, as a PDF. Right now if you pull it up on your laptop, even better, he links to his GitHub, he has a Docker container preset with examples to follow along with the book and you can do it as you learn. So with that I'm going to take a pause

again, any questions so far from that last thing? Yes? Yes, so for Windows Event Forwarding you mentioned you can use, you're using Kerberos SPNs, so yeah, assuming named service accounts, yes, are you able to instead use group managed service accounts? So the way it sets up is, um, when you start the Windows Event Collector service on that member server it will automatically create the SPN as an HTTP SPN, and it actually opens up, um, basically it's doing HTTP over the WinRM port and that's how it's doing the authentication. So I have seen it in the past, if at one point you're just repurposing a server and it was once IIS, if Windows Event Collection fails it's

always a good thing to check the SPNs, and you just have to delete out that HTTP one, about 30 seconds later you can try it again. Anything else? Okay, so now I'm going to move on a little bit to agent-based here. So these are some really cool projects to play around with if you haven't. These are, to be honest, more fitted for organizations that don't necessarily have a solid EDR platform, however, especially osquery and Velociraptor, which I'll talk about a little bit here next, they do fill some very nice niche fields, which hopefully some of you guys can see some benefit here and bring that back with you. So osquery was created in 2014 by Facebook,

regardless of your feelings on them, I'd like to say this is generally a solid move by Facebook nonetheless. It is now open source and it is run by the Linux Foundation, so it kept ties to a lot of the same devs to help out with it. So what does osquery do? It takes your operating system and exposes it as SQL with API calls, so you can make API calls to your endpoints, and basically everything you're doing is just a SQL query against your endpoints. And guess what, Apple, Linux, Windows, doesn't matter, they have agents for them all and common table names. Now there are some that are Windows specific, especially around like named pipes, we're

gonna have some that are more Apple and Linux focused, but a lot of these tables are going to be the same. In fact on the osquery website you can go there, view their schema, and then you can actually say hey, show me everything that's shared between Linux and Windows, and then boom, you'll see I think it's around 75 tables, and there's a lot of good data in there. And the beautiful part is you combine this with a Linux orchestration server for it, there is a mix of premium and paid and commercial and open source ones, so whatever your budget is, if you want to have paid support for it you can find commercial ones, if that's something that

helps justify it for your organization. But guess what, velocity, asks real-time questions really quickly. For example, we're going to go into a handful of these here, they're Windows focused, but a lot of orgs are running a lot of Windows, so I figured it was safe to stay here. So we're going to start off with, here's one: we just had an acquisition, we made sure this was pushed out via GPO, it's a relatively lightweight engine, what security solutions are registered amongst all of my Windows endpoints? Guess what, select * from windows_security_products, that's it, and you'll get back a table of host name, security product, when it was registered, what's the ID, and they'll just spit it right out of

your terminal over the next, you know, two or three minutes as it queries all the endpoints. Or here's another good one, how about Windows persistence via logon script? This one's a little bit longer but it's not bad: select the name, path, and then the datetime there as time from the registry table where the path has HKEY_CURRENT_USER\Environment, that's it. You can very quickly just say okay, show me everything that's set to auto run, just like that. In fact if you go to GitHub there is, I think I saw right around 150 go-to ones just for that, around threat hunting. Guess what, threat hunting is good, it's

important that's why we're all sitting here and listening to me just drone on about it first 30 minutes so far well there's other use cases for this how many times has compliance asked you and said hey you know we're doing a random audit of servers how many of them have Port 80 open how quickly can you answer that in your environment without having to touch mask scanner and wrap you asked something like this to play across all your windows and Linux servers very quickly you can run things like netstat a West Creek will translate your SQL query into NetSpend automatically do the parsing and return the data right back to you and say hey these host names are

have a recording video open and then depending on the tables and how much you want to play around the sequel you can even get the processes that spawn them and you can even keep pivoting and joining that at you really enjoy SQL that much to even get the path of installation what vendor sign the binary that's running it you can get really fancy with this really quickly and it's also written in SQL so while a lot of people you know will pick on kql or Splunk query language and stuff like that sequels are relatively General language that a lot of schools teach so your college grads will have at least unfamiliarity with it and anyone joining

cyber security from another IP adjacent field chances are they can at least look at that and understand what it's query so it's really easy to get new analysts onboarded quickly and it allows you to keep your knowledge at the level you are so it can be very simple like select from Windows security products just give me a list but hey you're learning SQL you're learning Windows internals a little bit more you can get a little bit deeper and then you can just keep that knowledge level going so with that and go on to Velociraptor here so that is uh their easiest websites about velociraptor.app it is a fully open source product and they partnered with rapid 7 in 2021 to

help with development it is still a fully open source product they just realized rapid7 has a lot of experience with helping maintain Open Source Products especially in the security states such as metasploy you can say hey you'd like some help and you know they thankfully agree so sorry to bring up bad memories already this quickly but they have something called artifact of change allows tons to be shared across Professionals for example 72 hours of the movement vulnerability for SQL injection they already had an artifact there it was about 30 or 40 lines you can pull it up throw it in your Velociraptor instance hit enter and then hit queries across your organization for all the iocs and other you know

indicators that were included with all those reports and if you look at it it is a very comprehensive very detailed and 72 hours response time for an organization that might not have these skills and everything in-house to be able to parse that and quickly respond send me two hours honestly isn't bad for some organizations especially on the smaller side and then this also allows you the full life cycle of security you can use Velociraptor for deeper work and there's a lot of pre-built artifacts around that you can use it for continuous monitoring where the Velociraptor server will reach out every so often and say hey here's what we're monitoring for please let me know if anything comes back from this

and then you can also use it with response you can for example if you have a network share that you can quickly control off even the Velociraptor server itself say you're in the middle of doing an investigation against the malware that's branding across your environment you realize through Velociraptor being able to query all the endpoints here is the persistence methods for those here's the process names in the rejects and you can play around with that so basically you can map out how that Mauser works and looks on a system write a quick Powershell script you know get processed where name is like this grab the pen kill it and then here's all the registry locations and

schedule tasks and everything else that it's using and kill those off too and once you get that script run you throw it in Velociraptor hit enter and within five minutes you just kill it off in your entire environment without having to leave your desk and my favorite thing about Velociraptor though it's super easy to deploy so I see one two three four laptops five laptops maybe six laptops sitting in here right now guess what Velociraptor it's a single binary server client CLI utilities yeah it's all to say binary you just download it for the platform you're using it on it's pretty awesome you got a full range of os supported Mac Linux Windows they even

have some more specialty ones around Centos Ubuntu they just work it's simple guess what for those with the laptop sitting here right now guess what you can get that set up right now it's only 60 megabytes and how easy it to start it for example if you're on Windows just run to the Lost raptor.exe space GUI hit enter it'll automatically configure the server on your device it'll set it up to localhost only it'll guide you through creating the initial password it'll create a cell signed SSL cert and it will install the Velociraptor agent onto the device that you just ran that GUI command from and hook it into the Velociraptor server for you seriously like that's it all you have to do is

just face GUI enter make sure you have the appropriate admin rights of course and all that fun stuff there you go we just had a proof of concept set up by you know just one word space three letters enter and then answering some basic questions and you can already start showing the benefits of this to your organization and I mentioned it's lightweight it's literally under 60 May the largest tile for this is under 60 May uh the last time I tried deploying an eer agent over GTO that EDR agent was a whopping 158 megabytes it's under 60. you won't even notice it on most modern Network so if that we're going to start concluding up here

now what basically a lot of people in this room are going to sell fall into one if not two of these categories we're going to start with selling it to your leadership in your organization guess what major telling point this is my favorite this is my go-to talent retention is hard especially nowadays This research will turn your analyst into ninjas and guess what they're going to be happy they're going to want to stay because they're learning they're getting to execute exercise their expertise and they're growing as a professional and of course it's always good to be able to say hey I've got a constant stream of new and customized attractions for the environment let's go back to

those previous four we looked at DMZ servers well any network security vendor without a learning period automatically know what's the near environment what's installed once it's supposed to be reaching out to they can get close but you're still going to have that learning period so there's that let's see here we had the endpoint one again is enter EDR platform of choice is going to know about your finances VPS grip that somehow keeps the payroll going and no one dares touch it because the guy that made it left 30 years ago and stuff like that and guess what hey also if you have threat intelligence fees if you're a member of an ISAC for example they often

offer very cheap low-cost intelligence speeds part of your membership either via daily email bulletins or actual Integrations with sticks and Taxi integrate that inward for trout hunting we can start being able to say not only do we get this when we use it here's how we're using it and then that's turning into the detections and that's also helping further our own employees and making sure we keep that top talent now let's say you're on the leadership side and you want to help support your team how can you do that guess what you're going to spend money is probably the best answer you're going to get a lot of that's going to be improvements to your scene

the two most common asks are I need more storage and I need more retention so I need more stuff to put in it and I need to keep it longer because if I only have you know 30 days 90 days and I'm getting into some of these complex queries I might want one years two years five years seven years of data and then my personal favorite most common one to try and offer is training you know there's a lot of everyone knows Sans everyone loves Sands everyone hates dance pricing a couple thousand dollars for one course for one person is a very hard sell regardless of your career field there are other options out there that

are in the hundreds of dollars for a week's worth of training or you can get you know online courses that are at your own pace for hundreds of dollars per seed and there are quality training out there you just kind of have to look and ask around or more importantly guess what the easiest answer for you as a leader is to your team what are you doing every Monday and Friday you're sitting with them just ask them hey how can I help you guys we started this out we're doing it it looks like it's going well what do you guys think would make your life easier what are you wishing you had what you know hey maybe you know that layer

free firewall with a Ziploc is great and everything and all that fun stuff let's get something a little bit more let's get some of those layer 7 app ID in it and then start getting user identification all this other stuff set up and your log enrichment just went through the roof and you're going to be able to do a lot more of the fun queries so guys in conclusion the last you know 40 minutes here I hope that we were able to help this Bell the myths around strathpine you guys kind of have a good concept around an example threat hunting to detection engineering pipeline you've got some practical experiences around some fret hunts that

you can take home and start using next Monday and you kind of got an idea of maybe some tools you weren't aware of or concepts or ideas that you can help bring back to your own organization or try out in your own lab as you learn so through this I hope everyone has pages of on pages of notes and ideas that will keep you up at night and be able to take home with you and again in conclusion it's not rocket science at the end of the day it's mainly just statistics so with that there is the links to the 2021 Mania M print and the 2020 Sands rap hunting survey results there if you'd like to

grab that with your phone and please feel free to reach out to me I absolutely love questions and emails and I will respond as quickly as I can remember to I promise so with that does anyone have any questions will your slides be available I can definitely make them available okay any other questions thank you everyone

[Applause]
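The osquery hunts the speaker describes (the security-product inventory, the HKCU\Environment login-script persistence check, the "which servers have port 80 open" compliance question, and the pivot to the owning process and its code signer), written out as an added example. This is not code from the talk or the speaker's slides; the table and column names come from the osquery schema, the `UserInitMprLogonScript` value name and the TCP protocol number 6 are added from general knowledge of Windows logon-script persistence and osquery's `listening_ports` table, not from the talk.

```sql
-- Hunt 1: which security solutions are registered on each Windows endpoint?
-- (The talk's "select * from windows_security_products", with the useful columns named.)
SELECT name, type, state, state_timestamp, signatures_up_to_date
FROM windows_security_products;

-- Hunt 2: logon-script persistence under the per-user Environment key.
-- The talk's query uses HKEY_CURRENT_USER\Environment. When osquery runs as the
-- service account, HKCU resolves to that account only, so enumerate every loaded
-- user hive under HKEY_USERS instead (the '%' wildcard is supported in the key constraint).
-- The classic value name here is UserInitMprLogonScript; any other unexpected value is worth a look.
SELECT key, name, type, data, datetime(mtime, 'unixepoch') AS modified
FROM registry
WHERE key LIKE 'HKEY_USERS\%\Environment';

-- Hunt 3: the compliance question. Which hosts listen on TCP/80, and which process owns the socket?
-- Works the same on Windows and Linux agents; protocol 6 = TCP, 17 = UDP.
SELECT lp.port, lp.address, p.pid, p.name, p.path, p.cmdline
FROM listening_ports AS lp
JOIN processes AS p ON lp.pid = p.pid
WHERE lp.port = 80
  AND lp.protocol = 6;

-- Hunt 4: keep pivoting. Is the listening binary Authenticode-signed, and by whom?
-- (Windows only: the authenticode table is not present on other platforms.)
SELECT lp.port, p.name, p.path, a.subject_name, a.issuer_name, a.result
FROM listening_ports AS lp
JOIN processes AS p ON lp.pid = p.pid
LEFT JOIN authenticode AS a ON a.path = p.path
WHERE lp.port = 80
  AND lp.protocol = 6;
```

Each of these runs unchanged in the interactive `osqueryi` shell on a single host, which is the quickest way to prove the query before sending it fleet-wide through whatever orchestration server you pair osquery with. The same progression the talk describes applies: start with the one-line inventory, then add the joins as the analyst's SQL and Windows-internals knowledge grows.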