Loading…
BruCON 0x0A has ended
View analytic
Thursday, October 4 • 13:30 - 17:30
Developing Resilient Detections (with Obfuscation & Evasion in Mind) FULL

Sign up or log in to save this to your schedule and see who's attending!

Feedback form is now closed.
Limited Capacity filling up

WARNING: Heavy obfuscation, evasion and general offensive techniques will be demonstrated to challenge and improve attendees’ defensive thinking and detection approaches!

Offensive tradecraft and "living off the land" techniques are discovered, developed and released to the public at breakneck speeds. Attackers begin using these techniques within hours of their release. However, defenders often spend days, weeks or months identifying and reactively creating signatures for these techniques. Often these reactive signatures are overly rigid; therefore, they are easily bypassed by simple modifications to the command or technique.

In this workshop we will:
    * Develop multiple layers of resilient host-based and network-based detections for several relevant "living off the land" attack techniques
    * Introduce incremental layers of obfuscation and evasion techniques to the attacker commands and payloads to iteratively evade and harden our detection approach
    * Learn about numerous host-based artifacts we can use for detection purposes (process arguments, common persistence locations, image load events, prefetch files, Shimcache, Amcache, SRUM - System Resource Usage Monitor, etc.)
    * Implement detection logic in numerous formats including IOCs (Indicators of Compromise), YARA rules, and Snort signatures

The author has several years of real-world experience creating, tuning and enriching real-time detections that run on 10+ million endpoints in 100's of environments around the world. This firsthand experience will help facilitate conversations around false positives, detection performance and signal-to-noise ratios – concepts that are often overlooked (and sometimes less relevant) when dealing only with smaller environments.

Speakers
avatar for Daniel Bohannon

Daniel Bohannon

 Matthew Dunwoody (@matthewdunwoody) and Daniel Bohannon (@danielhbohannon) are Applied Security Researchers with FireEye’s Advanced Practices Team, where they research attacker activity and developing effective detection signatures and processes (among other things). Matthew previously... Read More →


Thursday October 4, 2018 13:30 - 17:30
03. Chimay Novotel

Attendees (29)