Threat Hunting with Network Flow - SANS Threat Hunting Summit 2017

Video description

Advanced persistent threats often pass through standard network defenses undetected, and finding them requires significant manual analysis or specialized tools. Many of those tools depend on full packet capture, which is expensive to store and to process. Network flow records (NetFlow/IPFIX-style summaries of each connection) are small and can be retained for a long time, which makes flow a strong supplement to full packet capture. Because flow can be queried on many fields in any combination over long periods, it is also considerably more flexible than signature-matching tools, which can only find what they were told to look for.

This presentation focuses on how to incorporate network flow analysis into your threat hunting toolkit. Topics include anomaly discovery versus signature matching, IP expansion, longitudinal analysis of threat actors, how network flow relates to the Cyber Kill Chain, and where flow analysis should sit in the threat hunting cycle. Real-world examples show how these techniques have uncovered malicious actors on networks.
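As an added illustration (not code from the talk or from SEI) of three of the techniques the abstract names, the block below runs over a handful of constructed flow records: a multi-field query over a time window, an IP-expansion pivot from one known-bad address, and a signature-free beacon check. The record layout, the 10.0.0.0/8 "internal" range, the helper names and the sample traffic are all this example's own assumptions; "IP expansion" here is implemented as a pivot (hosts that talked to the seed, then the other external addresses those hosts share), which is one reading of the term, not necessarily the speaker's.

```python
# Flow-record hunting helpers. Added example, not code from the SANS talk or SEI.
# Record layout, INTERNAL range and sample traffic are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space


def parse_flows(text):
    """Parse '|'-separated lines: stime|sip|dip|dport|proto|bytes|packets."""
    flows = []
    for line in text.strip().splitlines():
        stime, sip, dip, dport, proto, nbytes, pkts = line.split("|")
        flows.append({"stime": datetime.fromisoformat(stime),
                      "sip": ip_address(sip), "dip": ip_address(dip),
                      "dport": int(dport), "proto": int(proto),
                      "bytes": int(nbytes), "packets": int(pkts)})
    return flows


def query(flows, since=None, until=None, **fields):
    """Multi-field, time-bounded filter, e.g. query(fl, dip="203.0.113.7", dport=443)."""
    out = []
    for f in flows:
        if since and f["stime"] < since or until and f["stime"] > until:
            continue
        if all(str(f[k]) == str(v) for k, v in fields.items()):
            out.append(f)
    return out


def ip_expansion(flows, seed_ips):
    """Pivot from seed IPs: internal hosts that contacted a seed, then every
    other external IP those hosts contacted, with how many hosts share it."""
    seeds = {ip_address(s) for s in seed_ips}
    talkers = {f["sip"] for f in flows if f["dip"] in seeds and f["sip"] in INTERNAL}
    shared = defaultdict(set)
    for f in flows:
        if f["sip"] in talkers and f["dip"] not in INTERNAL and f["dip"] not in seeds:
            shared[f["dip"]].add(f["sip"])
    return {str(h) for h in talkers}, {str(ip): len(h) for ip, h in shared.items()}


def find_beacons(flows, min_flows=5, max_cv=0.1):
    """Flag (src, dst, dport) tuples whose flow start times are evenly spaced
    (low coefficient of variation of inter-arrival gaps). No signature involved."""
    by_key = defaultdict(list)
    for f in flows:
        if f["sip"] in INTERNAL and f["dip"] not in INTERNAL:
            by_key[(f["sip"], f["dip"], f["dport"])].append(f["stime"])
    hits = {}
    for (sip, dip, dport), times in by_key.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) == 0:
            continue
        if pstdev(gaps) / mean(gaps) <= max_cv:
            hits[(str(sip), str(dip), dport)] = round(mean(gaps))
    return hits


def build_sample_flows():
    """Constructed sample traffic (not real data): one host beacons every ten
    minutes, browses irregularly, and shares a second external IP with another host."""
    t0 = datetime(2017, 9, 11, 2, 0, 0)
    lines = []
    for i, j in enumerate([0, 3, -2, 5, 1, -4, 2, 0]):  # seconds of jitter
        t = t0 + timedelta(minutes=10 * i, seconds=j)
        lines.append(f"{t.isoformat()}|10.1.1.5|203.0.113.7|443|6|1280|9")
    for m in (1, 4, 19, 23, 47, 52):  # irregular browsing, should not be flagged
        lines.append(f"{(t0 + timedelta(minutes=m)).isoformat()}|10.1.1.5|93.184.216.34|443|6|51200|60")
    lines.append(f"{(t0 + timedelta(hours=5)).isoformat()}|10.1.1.8|203.0.113.7|443|6|900|7")
    lines.append(f"{(t0 + timedelta(hours=6)).isoformat()}|10.1.1.8|198.51.100.9|8443|6|2200|12")
    lines.append(f"{(t0 + timedelta(hours=7)).isoformat()}|10.1.1.5|198.51.100.9|8443|6|2100|11")
    lines.append(f"{(t0 + timedelta(hours=8)).isoformat()}|10.1.1.20|93.184.216.34|443|6|40000|50")
    return "\n".join(lines)


if __name__ == "__main__":
    fl = parse_flows(build_sample_flows())
    print("flows to seed:", len(query(fl, dip="203.0.113.7", dport=443)))
    print("expansion:", ip_expansion(fl, ["203.0.113.7"]))
    print("beacons:", find_beacons(fl))
```

With the constructed data, the expansion step ranks 198.51.100.9 above the host's ordinary browsing destination because two of the hosts that touched the seed also touched it, and the beacon check flags only the 600-second cadence to the seed while leaving the irregular browsing alone. On real flow data the same queries run over weeks or months of retained records, which is the longitudinal view the abstract describes; the thresholds here are illustrative, not tuned values.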

Austin Whisnant
Member of the Technical Staff, Software Engineering Institute
