2023-10-07 –, Track 2
Process Auditing is a powerful tool in the detection toolbox. According to @Cyb3rWard0g’s research, the vast majority of the adversarial techniques in the ATT&CK framework can be detected with process auditing. Unfortunately, this power comes with a price - process auditing generates a lot of results that can be overwhelming to sift through.
In this presentation, we will walk through a practical option to handle these problems using Security Onion’s Elastic Agent integration as an example. Specifically, we will use @SwiftOnSecurity Sysmon configuration as a source filter and convert it into a format that can be used by Security Onion to filter out known-good results.
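To make the conversion step concrete, here is an added example (my own illustration, not code from the talk or from Security Onion) that takes a constructed Sysmon-config fragment in the SwiftOnSecurity style, parses its `ProcessCreate` `onmatch="exclude"` rules, and turns them into two things: a predicate that drops known-good process events, and an Elasticsearch bool query that expresses the same exclusions. The Sysmon-to-ECS field mapping, the flat dotted event keys, and the use of `case_insensitive` on `term`/`prefix`/`wildcard` clauses are assumptions about how the Elastic Agent names and indexes these fields, not something stated on the page.

```python
"""Convert Sysmon ProcessCreate 'exclude' rules into a known-good filter.

Added example: the Sysmon fragment below is constructed for illustration,
and the Sysmon->ECS field mapping is an assumption about Elastic Agent data.
"""
import json
import xml.etree.ElementTree as ET

# Constructed Sysmon config fragment (SwiftOnSecurity style, not the real file).
SYSMON_CONFIG = r"""<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
        <CommandLine condition="begin with">C:\Windows\system32\DllHost.exe /Processid</CommandLine>
        <ParentImage condition="end with">\MsMpEng.exe</ParentImage>
        <Image condition="contains">\Windows Defender\</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Assumed mapping from Sysmon rule fields to ECS fields used by the Elastic Agent.
FIELD_MAP = {
    "Image": "process.executable",
    "CommandLine": "process.command_line",
    "ParentImage": "process.parent.executable",
}

# Sysmon string conditions are case-insensitive; mirror that here.
CONDITIONS = {
    "is": lambda v, p: v.lower() == p.lower(),
    "begin with": lambda v, p: v.lower().startswith(p.lower()),
    "end with": lambda v, p: v.lower().endswith(p.lower()),
    "contains": lambda v, p: p.lower() in v.lower(),
}


def parse_excludes(xml_text):
    """Return (ecs_field, condition, pattern) tuples for every ProcessCreate exclude rule."""
    root = ET.fromstring(xml_text)
    rules = []
    for block in root.iter("ProcessCreate"):
        if block.get("onmatch") != "exclude":
            continue  # include rules are allow-lists, not known-good noise
        for el in block:
            if el.tag not in FIELD_MAP:
                continue  # fields we have no ECS mapping for are skipped
            cond = el.get("condition", "is")
            if cond not in CONDITIONS:
                raise ValueError(f"unsupported Sysmon condition: {cond}")
            rules.append((FIELD_MAP[el.tag], cond, (el.text or "").strip()))
    return rules


def is_known_good(event, rules):
    """True if any exclude rule matches; events use flat dotted ECS keys here."""
    for field, cond, pattern in rules:
        value = event.get(field)
        if value is not None and CONDITIONS[cond](value, pattern):
            return True
    return False


def filter_events(events, rules):
    """Keep only the events that no known-good rule explains."""
    return [e for e in events if not is_known_good(e, rules)]


def _wildcard_escape(s):
    # In ES wildcard queries '\' escapes '*', '?' and itself, so Windows paths need doubling.
    return s.replace("\\", "\\\\").replace("*", "\\*").replace("?", "\\?")


def to_es_query(rules):
    """Same exclusions as an Elasticsearch bool query (any clause matching = known good)."""
    should = []
    for field, cond, pattern in rules:
        if cond == "is":
            should.append({"term": {field: {"value": pattern, "case_insensitive": True}}})
        elif cond == "begin with":
            should.append({"prefix": {field: {"value": pattern, "case_insensitive": True}}})
        elif cond == "end with":
            value = "*" + _wildcard_escape(pattern)
            should.append({"wildcard": {field: {"value": value, "case_insensitive": True}}})
        else:  # contains
            value = "*" + _wildcard_escape(pattern) + "*"
            should.append({"wildcard": {field: {"value": value, "case_insensitive": True}}})
    return {"bool": {"should": should, "minimum_should_match": 1}}


# Constructed sample events: one svchost launch, one unsigned-looking binary from Temp,
# one Defender engine process matched only by the 'contains' rule.
SAMPLE_EVENTS = [
    {"process.executable": r"C:\Windows\System32\svchost.exe",
     "process.command_line": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "process.parent.executable": r"C:\Windows\System32\services.exe"},
    {"process.executable": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "process.parent.executable": r"C:\Windows\System32\cmd.exe"},
    {"process.executable": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
]

if __name__ == "__main__":
    rules = parse_excludes(SYSMON_CONFIG)
    print(f"{len(rules)} exclude rules parsed")
    for kept in filter_events(SAMPLE_EVENTS, rules):
        print("needs review:", kept["process.executable"])
    print(json.dumps(to_es_query(rules), indent=2))
```

Of the three constructed events only the Temp-directory binary survives the filter; the other two are explained by an exclude rule and would be dropped as known-good noise. The generated bool query can be negated (`must_not`) in a saved search or used as the condition for a drop processor, which is the general shape of the approach the talk describes, independent of the exact format Security Onion expects.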
Josh Brower has been crashing computers since his teens, and now feels fortunate to be doing it professionally. He has spent the last 15 years focusing on InfoSec, particularly network and endpoint detection. He also enjoys teaching around InfoSec issues, especially to non-technical learners - helping them to understand how their actions in the digital world have real-world consequences, as well as how to proactively reduce the risk.
You can catch him on Twitter @DefensiveDepth.