The Myth of Automated Hunting in ICS/SCADA Networks - SANS Threat Hunting Summit 2017

  • Published 25 Jul 2024
  • Threat hunting is a human-focused process. Automation is an important part of being able to hunt effectively and consistently over time, but threat hunting cannot be fully automated.
    The important part about threat hunting is pitting the best human defenders against the human threats we face. In this presentation the case will be made that threat hunting cannot be fully automated. This will be done through a discussion of where the approach should sit in an organization's security maturity model and will be reinforced with examples of hunting inside ICS/SCADA networks such as those that operate the power grid, oil facilities, and petrochemical environments.
    Robert M. Lee (@RobertMLee), CEO, Dragos Inc.
  • Science & Technology

COMMENTS • 2

  • @LtChachee
    @LtChachee 6 years ago +1

    Links from the talk -
    taosecurity.blogspot.com/2017/03/the-origin-of-threat-hunting.html
    www.threathunting.net/
    www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785
    ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

  • @arzoo_singh
    @arzoo_singh 2 years ago

    Please understand any automated system could be fooled, let me explain?
    So you build an algorithm that, when certain logs are generated, blocks those connections or IPs (bad example).
    So what's happening behind the scenes, maybe calls being made at the kernel level; what if you exploited some calls?
    We all know about Log4j, and it's used in many security tools.
    So what's the idea? Build a system but have manual intervention every now and then.