Threat Hunting with Network Flow - SANS Threat Hunting Summit 2017
Вставка
- Опубліковано 26 лип 2024
- Advanced persistent threats often pass through standard network defense capabilities undetected, requiring significant manual analysis or specialized tools for detection. Many of these require full network packet capture, which is storage and processing intensive. Small record size and long storage time make network flow a great supplement to full packet capture. Furthermore, the ability to query on multiple fields in different combinations over a
long period of time makes network flow much more flexible than signature matching tools.
The focus of this presentation will be on how to incorporate network flow analysis into your threat hunting toolkit. We will cover topics such as anomaly discovery versus signature matching, IP expansion, longitudinal analysis of threat actors, how network flow relates to the Cyber Kill Chain, and where network flow analysis should sit in the threat hunting cycle. We will look at real world examples of the effects of these techniques in discovering malicious actors on networks.
Austin Whisnant
Member of the Technical Staff, Software Engineering Institute - Наука та технологія
Nice presentation on beginning to understand the concept of Netflow. It failed to deliver on the content in the description:
The focus of this presentation will be on how to incorporate network flow analysis into your threat hunting toolkit. We will cover topics such as anomaly discovery versus signature matching, IP expansion, longitudinal analysis of threat actors, how network flow relates to the Cyber Kill Chain, and where network flow analysis should sit in the threat hunting cycle. We will look at real world examples of the effects of these techniques in discovering malicious actors on networks.
This is really well done in terms of explaining flow for hunting
Great presentation.
Great.Thank you.
I hope I can watch/listen to it later but I'll have to deal with the echoing ring. This is not against the presenter but the audio could have been better.
Cool
Same shit as everywhere. Same diagams, same nothing-giving examples.