高保真威胁狩猎：揭示日志之外的内部威胁……双重身份规避技术.pdf

《高保真威胁狩猎：揭示日志之外的内部威胁……双重身份规避技术.pdf》由会员分享，可在线阅读，更多相关《高保真威胁狩猎：揭示日志之外的内部威胁……双重身份规避技术.pdf（17页珍藏版）》请在三个皮匠报告上搜索。

1、High-Fidelity Threat Hunting:Unveiling Insider Threats Beyond the Logs.The Dual-Identity Evasion TechniqueOscar CrcamoCybersecurity Sr ConsultantC:whoamiCybersecurity Sr Consultant at a Canadian firm(CTH,CTI,DFIR)FIRST Liaison and National Committee Member:One of the only first two Mexicans in histo

2、ry to achieve this official recognition by Forum Of Incident Response and Security TeamsFounder:HacktitudCybersecurity community with social impact supporting Latin America and Spanish-speaking countriesExperience Across Sectors:Financial,industrial,government,private industrySpeaker,contributor,res

3、earcherAcademicfirst.org/membxers/liaisons/oscar_edmundo_carcamo_ Threat ContextChallengesHigh Fidelity Threat HuntingUnveiling the Dual-IdentityConstraintsKey Takeaways1234567Background The initial engagement Cyber defense reality on daily basis Incidents expose blind spotsWe usually trust the SIEM

4、 to give us a full view of the organization but the reality is different.Telemetry gaps are very common,and right at the worst possible moment(when a critical incident occurs)those gaps become blind spots that make incident response much harder.Insider Threat Context The initial engagement Pre-hunti

5、ng A war room full of analysts Dual identity:Simplicity,maximum opacity Dashboards everywhere,no answersChallengesTelemetry challenges:Multiple log sources Telemetry chaos everywhere Inconsistent parsing Time drift across logs What the SIEM didnt sayDifferent technologies,same challengeHunting for s

6、ignals,finding noiseLimited retention,limited truthUnparsed logsHigh Fidelity Threat Hunting Beyond basics:fidelity over volume as mindset Fidelity begins at the source Correlation is only as good as ingestion Refinement turns chaos into clarity When business