FloCon 2019 has ended
Wednesday, January 9 • 10:00am - 10:30am
Hunting Frameworks


In this talk, I will be discussing the type of information that should be continuously collected and kept on-hand for investigative value in the case of a network compromise. I plan to address the value of such artifacts in an investigation. Additionally, I plan to note several open source solutions and resources that exist to assist in these endeavors. I will likely also touch on the different forms of "hunting" (indicator-based vs hypothesis-driven).

Hunting has been a buzzword for a few years. Talks abound on how to find anomalies within datasets using various methods. However, a talk rarely presents a framework for hunting. How do I actually get started in the field? What data should be collected and centralized? Can the data be enriched? How do you hunt with this data?

Fortunately, many great resources exist for building out a functional hunting environment. Once the environment exists, resources like MITRE's ATT&CK and red team emulation tools allow teams to quickly build and validate capabilities. In this talk, we will put all these pieces together to establish a framework for hunting by discussing the key points of hunting: the types of data that are important, how to learn from and enrich data in your own environment, and hunting concepts driven by various methods. This talk aims to empower operators everywhere in their network defense capacities.

Attendees will learn:
* The benefits of holistic log aggregation for incident validation, incident response, and hunting
* Hunting concepts
* Resources available for hunting


David Gainey

Defense Information Systems Agency (DISA)
David Gainey has been responding to system and network compromises for 10+ years with DISA. His work involves analyzing isolated, compromised systems and malware; increasing defensive posture; maturing incident response tactics, techniques and procedures (TTPs); and sharing knowledge...

Wednesday January 9, 2019 10:00am - 10:30am EST
Grand Ballroom 300 Bourbon St, New Orleans, LA 70130