2025-04-13, Track 2
The talk will outline detection and threat hunting strategies that a mature SOC could easily adopt to look for threats in its Cloud (O365 and AWS) environment. The session will use a Jupyter notebook containing detections mapped to the MITRE ATT&CK framework, together with threat hunting methodologies backed by unsupervised machine learning to hunt for anomalies and visualize them.
The talk will hunt for anomalies in Cloud environments and show how these anomalies can be converted into high-fidelity detections, along with some ideas for extending the hunt to IAM platforms like OKTA.
Some of the hunts that will be explored during the presentation:
AWS - GuardDuty Detector Resource Recon
AWS - Publicly Exposed Database Instance
AWS - Bucket Versioning Suspended
AWS - S3 Bucket Delete Activity
AWS - S3 Bucket Encryption Modified
AWS - Non MFA Management Console
AWS - Changes made to AWS CloudTrail logs
O365 Phishing
O365 MFA Manipulation
O365 Exchange Safe Attachment Rule Disabled
O365 Exchange Management Group Role Assignment
Azure AD - Federated Service Manipulation
Azure Bulk Downloads
Azure Sign-Ins correlated with OKTA Logs
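As an added illustration of how several of the AWS hunts above reduce to rules over CloudTrail records (this is example code, not the talk's notebook), the block below classifies a handful of constructed, simplified CloudTrail events and emits one finding per hit; the ATT&CK mapping the talk describes is left out here.

```python
# Constructed, simplified CloudTrail records (not real log data). Field names follow
# the CloudTrail schema; only the fields the rules read are present.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketVersioning",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "finance-archive",
                           "VersioningConfiguration": {"Status": "Suspended"}}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"name": "org-trail"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",   # benign read
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "finance-archive"}},
]

# API calls that alter or stop the audit trail itself.
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def classify(ev):
    """Return the hunt name (as listed in the talk) an event triggers, or None."""
    src, name = ev.get("eventSource"), ev.get("eventName")
    req = ev.get("requestParameters") or {}
    if src == "s3.amazonaws.com":
        if name == "PutBucketVersioning" and \
                (req.get("VersioningConfiguration") or {}).get("Status") == "Suspended":
            return "AWS - Bucket Versioning Suspended"
        if name == "DeleteBucket":
            return "AWS - S3 Bucket Delete Activity"
        if name in ("PutBucketEncryption", "DeleteBucketEncryption"):
            return "AWS - S3 Bucket Encryption Modified"
    if src == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER:
        return "AWS - Changes made to AWS CloudTrail logs"
    if src == "signin.amazonaws.com" and name == "ConsoleLogin":
        success = (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success"
        mfa = (ev.get("additionalEventData") or {}).get("MFAUsed")
        if success and mfa != "Yes":   # only successful logins that skipped MFA
            return "AWS - Non MFA Management Console"
    return None

def hunt(events):
    """Run every event through classify() and return one finding dict per hit."""
    findings = []
    for ev in events:
        hunt_name = classify(ev)
        if hunt_name:
            req = ev.get("requestParameters") or {}
            findings.append({"hunt": hunt_name,
                             "actor": (ev.get("userIdentity") or {}).get("arn"),
                             "target": req.get("bucketName") or req.get("name")})
    return findings
```

In a notebook the same `classify()` would be applied to a DataFrame of CloudTrail events, with the findings feeding the visualization step.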
Security Engineer at Amazon's Enterprise Protection Program and a GIAC Certified Security Professional with extensive experience leading security engineering and applied machine learning teams to deploy production-scale, near-real-time threat hunting models. Passionate about leveraging advanced technologies to solve complex cybersecurity challenges, with a proven track record in areas such as purple teaming and incident response.