Threat hunting (3): the vendors we can see from the SANS summit - Security Village

Posted by millikan at 2020-03-06

(1) Introduction

The first article on threat hunting mainly introduced its basic concepts: why hunting is needed, when it is needed, how it matures, how to get started and who is responsible for carrying it out. The second article mainly introduced the first step of hunting, the "hypothesis", and its three typical sources: threat intelligence, situational awareness and domain expertise.

This article walks through the agenda of SANS's latest "Threat Hunting and IR Summit" to see which major US vendors are active in threat hunting.

(2) Threat Hunting and IR Summit agenda

The Threat Hunting and IR Summit (April 2017) was held on April 18, 2017, and should be the latest meeting on threat hunting organized by SANS. (The slides can be downloaded at

Hunting on AWS, Alex Maestretti and Forest Monsen

So Many Ducks, So Little Time, Michel Coene and Maxim Deweerdt

Threat Hunting in Security Operations, Chris Crowley

Biting into the Jawbreaker – Pushing the Boundaries of Threat Hunting Automation, Alex Pinto

The Myth of Automated Hunting and Case Studies in ICS-SCADA Networks, Robert M. Lee

Toppling the Stack – Outlier Detection for Threat Hunters, David J. Bianco

Hunting Webshells on Microsoft Exchange Server, Josh Bryant

Keynote: Huntworld, Rob Lee

Enrich All the Things – The Future of Threat Hunting, Mark Kendrick

Framing Threat Hunting in the Enterprise, Joe Ten Eyck

Threat Hunting: From Fudd to Terminators, Heather Adkins

Real-Time Threat Hunting, Tim Crothers

ShimCache and AmCache Enterprise-Wide Hunting, Matias Bevilacqua

Sorry, but There is No Magic Fairy Dust, JJ Guy

Taking Hunting to the Next Level – Hunting in Memory, Jared Atkinson and Joe Desimone

The Mind of a Hunter – A Cognitive, Data-Driven Approach, Chris Sanders

Threat Hunting with Network Flow, Austin Whisnant

Deriving Successful Hunting Strategies with the Diamond Model, Sergio Caltagirone

Systemic Threat Hunting: Using Continuous Detection Improvement to Find Bad Things, Joe Moles and Jared Myers

(3) Vendor introduction

3.1 SANS

SANS is the organizer, and the summit was chaired by Rob Lee, author of "The Who, What, Where, When, Why and How of Effective Threat Hunting". He previously worked in computer forensics and security development for government law enforcement agencies.

3.2 Target Corporation

The customer-side (end-user) representative: a retail department store group similar to Walmart.

3.3 Niddel

The company's homepage focuses mainly on threat hunting. There is no specific product description or demo, but it refers to a research project; the product was likely developed out of the MLSec project, which uses machine learning and data science to solve information security problems (

3.4 Carbon Black

A security company mainly focused on endpoint security.

3.5 Dragos Inc.

A company focused on industrial control system (ICS) security; its talk mainly covers threat hunting on industrial control networks.

3.6 Center for Cyber Security Belgium (CCB/CERT.BE)

Belgium's national cyber security centre, a government agency; its speaker advocates using the ELK stack (Elasticsearch, Logstash, Kibana) as a free hunting tool.

3.7 Netflix

A video streaming service, similar to Youku.

3.8 Microsoft

3.9 Mandiant

Needs no introduction; it was acquired by FireEye.

3.10 Veris Group and Endgame

Both are information security service providers.


A new threat intelligence vendor that has invested heavily in releasing the free intelligence tool strax X.

3.12 DomainTools

Holds 15 years of WHOIS and domain registration history.


This company is very interesting. It is the one from the article I translated the other day, which uses deception networks to delay adversaries, and it also relies heavily on machine learning.

3.14 Recorded Future

A well-known threat intelligence company that needs no introduction.

3.15 FireEye

Needs no introduction.

3.16 Software Engineering Institute

An academic research institution.

3.17 Google

Google is at the top of the field.

(4) Sponsors

Several sponsors were not listed above; they are:


An Israeli security company, ranked 130 in the Cybersecurity 500.

2. Sqrrl

Ranked 409 in the Cybersecurity 500; the company's main business is threat hunting.

3, Cisco

4. InfoArmor Security


Ranked 189 in the Cybersecurity 500, the company mainly focuses on the intelligence business and raised 12 million yuan in a Series B round in 2016.

6. Finally, one more company that is not a sponsor but has held first place in the Cybersecurity 500 all year round: root9B. One of its main products, Orion, is root9B's active adversary pursuit (hunt) platform.