Title: Once Upon a Login: How Logon Sessions Help Defenders See the Bigger Picture
Duration: 39:43
Viewed: 779
Published: 01-12-2022
Source: YouTube
Threat detection and response technologies are disproportionately process-centric, focusing primarily on isolated behaviors and parent-child relationships. Process-based, behavioral detection has been a vast improvement over the static signatures, hashes, and IP addresses we relied on previously, but adversaries are increasingly adopting evasive techniques that expose the weaknesses of process-based detection. Although it won't replace process metadata altogether, logon session telemetry is a valuable contextual data source for detection and investigation. It enables analysts and tools to trace a user's actions back from a suspicious process event to the initiation of their logon session, telling the whole story of everything an adversary might have done during an intrusion. This talk explains what logon sessions are, how they expose adversary actions, where you can find them, and how you can use them to improve threat detection and incident response.

ABOUT THE SPEAKER

Jonny Johnson is a security enthusiast who loves spending time with all things related to Windows Internals, reverse engineering, and data analysis. Jonny is a Consultant at SpecterOps where he applies threat research and low-level knowledge to defensive capabilities, arming defenders with the information and tools needed to cover defensive gaps. Jonny loves to share his actionable findings in blogs and is committed to helping defenders be effective, independent, and efficient.

View upcoming Summits: http://www.sans.org/u/DuS
Download the presentation slides (SANS account required) at https://www.sans.org/u/1iaE

#BlueTeamSummit #BlueTeam #CyberDefense
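The pivot the abstract describes, from one suspicious process back to the logon session that spawned it and then forward to everything else that session ran, comes down to joining on the logon ID. On Windows, Security event 4624 records the new session's logon ID (the field TargetLogonId), and every 4688 process-creation event carries the logon ID of the token the process runs under (SubjectLogonId). The script below is an added example written for this page, not the speaker's tooling or material from the talk; the host names, user names, logon IDs, timestamps and process paths are constructed sample data, and the events are reduced to the handful of fields the join needs. One caveat it encodes: a logon ID is only unique per boot of a single host, so the session key must include the host, and an ID with no matching 4624 (logon outside the collection window, or not collected) must still yield a partial answer rather than an error.

```python
"""Correlate Windows 4688 process-creation events back to the 4624 logon that
created their session, keyed on (host, logon ID).

All events below are constructed samples for illustration; they are not real
telemetry from any host.
"""
from collections import defaultdict

# Constructed sample of Security-log events, reduced to the fields used here.
# 4624: TargetLogonId is the new session's logon ID.
# 4688: SubjectLogonId is the logon ID of the session the process runs under.
EVENTS = [
    {"host": "WS01", "id": 4624, "time": "09:00:01", "TargetUserName": "alice",
     "TargetLogonId": "0x3e7a1", "LogonType": 2},
    {"host": "WS01", "id": 4688, "time": "09:00:05", "SubjectLogonId": "0x3e7a1",
     "NewProcessName": r"C:\Windows\explorer.exe",
     "ParentProcessName": r"C:\Windows\System32\userinit.exe"},
    # Second session for the same user: RDP (logon type 10) from another machine.
    {"host": "WS01", "id": 4624, "time": "13:12:40", "TargetUserName": "alice",
     "TargetLogonId": "0x9c2f0", "LogonType": 10, "IpAddress": "10.0.5.23"},
    {"host": "WS01", "id": 4688, "time": "13:12:44", "SubjectLogonId": "0x9c2f0",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"host": "WS01", "id": 4688, "time": "13:13:02", "SubjectLogonId": "0x9c2f0",
     "NewProcessName": r"C:\Windows\System32\whoami.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS01", "id": 4688, "time": "13:13:30", "SubjectLogonId": "0x9c2f0",
     "NewProcessName": r"C:\Windows\System32\rundll32.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    # Process whose logon ID has no 4624 in our data (logon predates collection).
    {"host": "WS01", "id": 4688, "time": "13:40:10", "SubjectLogonId": "0x1f3",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe"},
    # Same logon ID value on a different host: must not collide with WS01's session.
    {"host": "WS02", "id": 4624, "time": "13:20:00", "TargetUserName": "svc_backup",
     "TargetLogonId": "0x9c2f0", "LogonType": 5},
    {"host": "WS02", "id": 4688, "time": "13:20:03", "SubjectLogonId": "0x9c2f0",
     "NewProcessName": r"C:\Program Files\Backup\agent.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe"},
]


def index_sessions(events):
    """Map (host, logon ID) -> the 4624 event that created that session.

    Logon IDs are only unique per boot of one host, so the host is part of the key.
    """
    return {(e["host"], e["TargetLogonId"]): e for e in events if e["id"] == 4624}


def group_processes(events):
    """Map (host, logon ID) -> the 4688 events that ran under that session."""
    by_session = defaultdict(list)
    for e in events:
        if e["id"] == 4688:
            by_session[(e["host"], e["SubjectLogonId"])].append(e)
    return by_session


def trace_session(events, host, image_name):
    """Start from a suspicious process (by host and image file name) and return
    the logon that began its session plus every process that session spawned.

    Returns None if no such process event exists. If the session's 4624 is
    missing, the logon fields are None but the process list is still returned.
    """
    sessions = index_sessions(events)
    procs = group_processes(events)
    hit = next((e for e in events
                if e["id"] == 4688 and e["host"] == host
                and e["NewProcessName"].rsplit("\\", 1)[-1].lower() == image_name.lower()),
               None)
    if hit is None:
        return None
    key = (host, hit["SubjectLogonId"])
    logon = sessions.get(key)
    return {
        "host": host,
        "logon_id": hit["SubjectLogonId"],
        "user": logon["TargetUserName"] if logon else None,
        "logon_type": logon["LogonType"] if logon else None,
        "source_ip": logon.get("IpAddress") if logon else None,
        "logon_time": logon["time"] if logon else None,
        "processes": [p["NewProcessName"] for p in procs[key]],
    }


if __name__ == "__main__":
    for host, image in [("WS01", "rundll32.exe"), ("WS01", "powershell.exe"), ("WS02", "agent.exe")]:
        print(trace_session(EVENTS, host, image))
```

Run stand-alone, the script shows why the session view adds something the process view lacks: the process-centric story is "alice ran cmd.exe, whoami.exe and rundll32.exe", but keyed on the session it becomes "the RDP logon for alice from 10.0.5.23 at 13:12:40 ran cmd.exe, whoami.exe and rundll32.exe", which separates that activity from her console logon earlier the same day. In a SIEM the same join is a lookup of 4624 by TargetLogonId and a group-by of 4688 on SubjectLogonId, with the host name as part of both keys.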