BruCON 0x0A

The cyber attack landscape has changed.  Malicious adversaries continue to enhance techniques used to exploit enterprise networks.  A key ingredient missing from our cyber experts is a better way to hunt for adversarial presence.  The purpose of this talk is to show how to engineer a brand new Cyber Threat Intelligence Detection System (CTDS) and release a new frameworks called Excalibur TIE Mark I, and Themis Network Analyzer that allows investigators to better way to hunt for new threats in real-time. This technical talk dives straight in to show how to engineer the intelligence engine and create autonomous network sensors that extract and analyze thousands of artifacts both from each host machine and directly from the enterprise network.  This system develops real indicators of compromise (IOC) from large data sets and then applies these IOCs to better protect your enterprise network from new attacks.

Novel approaches are presented with algorithms used to analyze, correlate, and produce IOCs allowing the investigator to better hunt for new threats, populate uniform data sets best for information dissemination and analysis, and create new visualization graphs used for the human to derive meaning from vast amounts of data aggregation.  Finally, this talk applies everything we’ve learned and shows how to create new distributed network sensors and deploy IOCs discovered from the Threat Intelligence Engine to better protect the enterprise network.  Rest assured, lots of live demos are included in this talk.  And of course, this talk comes with a new open-source tool release for the community to use!

Attacks of tomorrow will no longer be as effective if we have the right tools to better hunt for the adversary.  This involves a new set of thinking.  Threat Intelligence will be the next paradigm in computer security.  Allow me to show you how to engineer the entire framework and deploy it on your network.