(1) Introduction
The first article on threat hunting mainly introduced its basic concepts: why hunting is needed, when it is needed, how it matures, how to get started, and who is responsible for carrying it out. The second article mainly introduced the first step of hunting, the hypothesis, and the three typical sources of a hypothesis: threat intelligence, situational awareness, and domain expertise.
This article walks through the schedule of SANS's latest "Threat Hunting and IR Summit" to look at the major threat hunting vendors in the United States.
(2) Threat Hunting and IR Summit schedule
The Threat Hunting and IR Summit (April 2017) was held on April 18, 2017 and should be the latest threat hunting event organized by SANS. (The slides can be downloaded at https://digital-forestry.sans.org/community/summers)
- Hunting on AWS, by Alex Maestretti and Forest Monsen
- So Many Ducks, So Little Time, by Michel Coene and Maxim Deweerdt
- Threat Hunting in Security Operations, by Chris Crowley
- Biting into the Jawbreaker – Pushing the Boundaries of Threat Hunting Automation, by Alex Pinto
- The Myth of Automated Hunting and Case Studies in ICS-SCADA Networks, by Robert M Lee
- Toppling the Stack – Outlier Detection for Threat Hunters, by David J. Bianco
- Hunting Webshells on Microsoft Exchange Server, by Josh Bryant
- Keynote: Huntworld, by Rob Lee
- Enrich All the Things – The Future of Threat Hunting, by Mark Kendrick
- Framing Threat Hunting in the Enterprise, by Joe Ten Eyck
- Threat Hunting: From Fudd to Terminators, by Heather Adkins
- Real-Time Threat Hunting, by Tim Crothers
- ShimCache and AmCache Enterprise-Wide Hunting, by Matias Bevilacqua
- Sorry, but There is No Magic Fairy Dust, by JJ Guy
- Taking Hunting to the Next Level – Hunting in Memory, by Jared Atkinson and Joe Desimone
- The Mind of a Hunter – A Cognitive, Data-Driven Approach, by Chris Sanders
- Threat Hunting with Network Flow, by Austin Whisnant
- Deriving Successful Hunting Strategies with the Diamond Model, by Sergio Caltagirone
- Systemic Threat Hunting: Using Continuous Detection Improvement to Find Bad Things, by Joe Moles and Jared Myers
(3) Vendor introduction
3.1 SANS
SANS was the organizer, and the summit was chaired by Rob Lee, co-author of "The Who, What, Where, When, Why and How of Effective Threat Hunting". He previously worked in computer forensics and security development for government law enforcement agencies.
3.2 Target Corporation
The representative of the customer side (Party A): a retail department-store group similar to Walmart.
3.3 Niddel
The company's main business is threat hunting. Its homepage has no specific product introduction or demo, but it refers to a research project; the product appears to have grown out of the MLSec Project, which applies machine learning and data science to information security problems (http://www.mlsecproject.org/).
3.4 Carbon Black
A security company focused mainly on endpoint security.
3.5 Dragos Inc.
A company focused on industrial control system (ICS) security; its talk mainly covered threat hunting on ICS networks.
3.6 Center for Cyber Security Belgium (CCB/CERT.BE)
Belgium's national cyber security center, a government agency; its speaker advocated using ELK as a free hunting tool.
3.7 Netflix
A streaming video service similar to Youku.
3.8 Microsoft
3.9 Mandiant
Needs no introduction; it was acquired by FireEye.
3.10 Veris Group and Endgame
Both are information security service providers.
3.11 ANOMALI
A newer threat intelligence vendor that has invested heavily in releasing the free intelligence tool STAXX.
3.12 DomainTools
15 years of WHOIS and domain information.
3.13 ILLUSIVE
This company is very interesting. It is the one from the article I translated the other day, which uses a deception network to stall adversaries, and it also makes heavy use of machine learning.
3.14 Recorded Future
A well-known intelligence company that needs no introduction.
3.15 FireEye
Needs no introduction.
3.16 Software Engineering Institute
An academic research institution.
3.17 Google
Google is the pinnacle
(4) Sponsors
Several sponsors were not listed above:
1. CYBEREASON
An Israeli security company, ranked 130th in the Cybersecurity 500.
2. Sqrrl
Ranked 409th in the Cybersecurity 500; the company's main business is threat hunting.
3. Cisco
4. InfoArmor Security
5. THREATQUOTIENT
Ranked 189th in the Cybersecurity 500; the company focuses mainly on the intelligence business and raised 12 million yuan in a Series B round in 2016.
6. Finally, one more company that was not a sponsor but has held first place in the Cybersecurity 500 all year round: root9B. One of its main products, Orion, is root9B's active adversary pursuit (hunt) platform.