Threat Hunting SANS: What is Detection Engineering?

Adversaries are highly motivated and constantly expand their tools and techniques. While the attack surface grows, SOC analysts and security teams suffer from resource shortages, which has resulted in poor performance on key metrics such as Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). The average SOC analyst or detection engineer doesn't realize that hunting with hashes alone is doing it wrong: as threat actors deploy new tools, those tools have different signatures. The higher up David J. Bianco's Pyramid of Pain (tools, TTPs) you can go, the less likely those signatures are to break. Detection engineering is not talked about enough. In this threat hunting SANS webcast we explain why detection engineering is the future — taking you through the NIST (National Institute of Standards and Technology) incident response life cycle, and why embracing an automation-first mindset can help you scale and accelerate rule creation, build more effective detections, and significantly improve your threat hunting techniques to keep up with attackers.

Adversaries improving tools and techniques
2:03 What is detection engineering? Embracing an automation-first mindset
3:35 Breaking a malware sample into different layers of detection
6:35 NIST Incident Response Life Cycle - Step 1: Preparation
9:43 Pyramid of Pain explained
13:08 Analysis of SysJoker malware
13:41 Intezer Detect & Hunt feature
14:06 NIST Incident Response Life Cycle - Step 2: Detection & Analysis
15:45 Threat hunting with Osquery to identify infected machines in your organization
24:05 NIST Incident Response Life Cycle - Step 3: Containment, Eradication & Recovery
29:00 NIST Incident Response Life Cycle - Step 4: Post-incident Activity
35:00 Emotet back from the dead. Track malware families and get up-to-date detection content
41:09 Final thoughts
42:06 Q&A: Is checking processes spawned by the process name of SysJoker at high enough fidelity for the average SOC analyst?
46:16 Can we just check for processes spawned by SysJoker?
47:34 Does Intezer pull information from the endpoint or the cloud?
51:29 Guidance around Windows 12, wmic, and other incident handling commands
52:30 What 1 or 2 sources of log and data should you prioritize in a new environment?
54:11 Which families or threats should I be prepared for?
55:22 Final advice
58:25 Resources
https://www.intezer.com/blog/threat-hunting/scale-incident-response-detection-engineering/
https://www.intezer.com/blog/threat-hunting/intro-to-sigma-rules/
https://www.intezer.com/blog/threat-hunting/track-threat-families-detect-and-hunt/
Get IoCs, artifacts, and other detection opportunities for threats using Intezer. Sign up for a free account at https://analyze.intezer.com
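The description above makes the Pyramid of Pain argument: a hash matches exactly one build of a tool, while a detection written against the tool's behaviour (its TTPs) keeps firing after the adversary rebuilds or renames it. The Python below is an added example written for this page, not code from the webcast, SANS or Intezer. The two "builds", the process events, the file names, the hash values and the three rules are all constructed for illustration; the event fields are illustrative and do not follow any particular EDR schema.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class ProcessEvent:
    """One process-creation record. Constructed for this example; the field
    names are illustrative, not any real EDR's schema."""
    image: str
    sha256: str
    parent_image: str
    child_command_lines: list = field(default_factory=list)
    registry_writes: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for two builds of the same tool. Only a version
# string differs, which is enough to change the file hash completely.
BUILD_V1 = b"MZ constructed sample build 1"
BUILD_V2 = b"MZ constructed sample build 2"

# Bottom of the pyramid: the hash an analyst shared after seeing build 1.
KNOWN_BAD_SHA256 = sha256_hex(BUILD_V1)

# Top of the pyramid: what the tool does, independent of its bytes or name.
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
DISCOVERY_COMMANDS = ("whoami", "ipconfig", "systeminfo", "net user")


def rule_hash(ev: ProcessEvent) -> bool:
    """Hash indicator: exact match on the file's SHA-256."""
    return ev.sha256 == KNOWN_BAD_SHA256


def rule_artifact_name(ev: ProcessEvent) -> bool:
    """Host artifact: the (constructed) file name seen in the first intrusion."""
    return ev.image.lower().endswith("\\svc_update.exe")


def rule_ttp(ev: ProcessEvent) -> bool:
    """Behaviour: a binary running from a user-writable temp directory that
    installs a Run-key autostart and spawns host-discovery commands."""
    in_temp = "\\appdata\\local\\temp\\" in ev.image.lower()
    persists = any(w.lower().startswith(RUN_KEY.lower()) for w in ev.registry_writes)
    discovers = any(
        cmd in cl.lower() for cl in ev.child_command_lines for cmd in DISCOVERY_COMMANDS
    )
    return in_temp and persists and discovers


RULES = {"hash": rule_hash, "artifact_name": rule_artifact_name, "ttp": rule_ttp}


def evaluate(ev: ProcessEvent) -> dict:
    """Run every rule against one event; returns {rule name: fired?}."""
    return {name: rule(ev) for name, rule in RULES.items()}


def rules_surviving_rebuild(before: ProcessEvent, after: ProcessEvent) -> set:
    """Rules that fire on both the original build and the rebuilt tool."""
    b, a = evaluate(before), evaluate(after)
    return {name for name in RULES if b[name] and a[name]}


# Constructed events. The rebuild changes the hash and the file name, but the
# tool still has to persist and look around the host to do its job.
ORIGINAL = ProcessEvent(
    image="C:\\Users\\alice\\AppData\\Local\\Temp\\svc_update.exe",
    sha256=sha256_hex(BUILD_V1),
    parent_image="C:\\Windows\\explorer.exe",
    child_command_lines=["cmd.exe /c whoami", "cmd.exe /c ipconfig /all"],
    registry_writes=[RUN_KEY + "\\svc_update"],
)
REBUILT = ProcessEvent(
    image="C:\\Users\\bob\\AppData\\Local\\Temp\\onedrv_helper.exe",
    sha256=sha256_hex(BUILD_V2),
    parent_image="C:\\Windows\\explorer.exe",
    child_command_lines=["cmd.exe /c whoami", "cmd.exe /c systeminfo"],
    registry_writes=[RUN_KEY + "\\onedrv_helper"],
)

if __name__ == "__main__":
    for label, ev in (("original build", ORIGINAL), ("rebuilt tool", REBUILT)):
        print(label, evaluate(ev))
    print("rules that survived the rebuild:", rules_surviving_rebuild(ORIGINAL, REBUILT))
```

Running it shows all three rules firing on the original build and only the TTP rule firing on the rebuilt tool. The design point is that each rule costs the adversary something different to evade: a recompile defeats the hash, a rename defeats the file-name artifact, but the behavioural rule forces them to change how the tool persists and performs discovery.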