Formulating An Intelligence-Driven Threat Hunting Methodology
Speaker: Joe Slowik (Gigamon, US)
About Speaker:
Joe Slowik has over 10 years' experience in various roles within information security, spanning offensive and defensive perspectives. Following several years in the US Navy, Joe led the incident response team at Los Alamos National Laboratory, where he integrated threat intelligence perspectives into operational defense to improve defensive outcomes. After this period, Joe researched ICS threats for several years at Dragos and conducted wide-ranging intelligence analysis for DomainTools. Currently, Joe leads threat intelligence and detection engineering functions for Gigamon, where he is able to apply insights into the threat landscape directly to customer-facing applications.
----
Consultants and marketing departments refer to "threat hunting" as a desired position for network defenders. By adopting this mindset, defenders can take an active role in pursuing intrusions. Yet precise methodologies for threat hunting are hard to come by, leaving the concept amorphous. In this discussion, we will explore a methodology to standardize the threat hunting process, using an intelligence-driven, adversary-aware approach to drive investigation. This discussion will reveal a series of concrete steps and operational techniques that defenders can leverage to produce a measurable, repeatable, sustainable hunting process. To illustrate the concept, we will also look at several recent examples of malicious activity where an intelligence-driven hunting process allows defenders to defeat fundamental aspects of adversary tradecraft. Audiences will emerge with a roadmap for building a robust threat hunting program to improve the defensive posture of their organizations.