07-25, 10:20–10:40 (US/Eastern), Room 1
An Indicators of compromise (IoCs) feed can be a useful tool in a defense in depth approach for security practitioners. IoCs help describe observed attacks in the wild, and are supposed to be validated by machines or humans before being disseminated for consumption. Creating, transforming, ingesting and disseminating IoCs is an industry in itself, and mostly focuses on artifacts seen in the network or host, which arguably exists solely in the data plane.
But what about IoCs for the control plane? In this talk, we’ll describe how IoCs are typically used, how there aren’t any good descriptions or resources for control-plane IoCs, and describe a methodology to shape control-plane IoCs into the MITRE ATT&CK Sightings format, ready to be consumed by cloud practitioners.
Zack Allen helps lead the Security Detection & Research efforts at Datadog. Previously, he worked in threat research for the US Air Force, Fastly, and ZeroFox. Outside of his professional life, Zack is a full-time dad and husband, MBA candidate at NYU Stern, a part time red teamer for security competitions such as CCDC and ISTS, and a part time independent researcher. He is also one of the founders of SPARSA, a 501(c)(3) non-profit organization dedicated to security education.