
Finding Haystacks in Your Needles: Threat Hunting Problems in Real World Data

Sara Miller at BSides Boston 2017

Resources such as SANS's "Know Normal, Find Evil" and MITRE's ATT&CK framework are a great starting point when looking for malicious activity on a host ... but what happens when you actually start diving into the data? Is finding malware really as easy as just looking for network connections from Notepad? (Spoilers: It isn't.) This talk walks through a number of real scenarios where legitimate applications behave just like malware, and discusses how to improve behavioral detection so that it separates the two.