Blue-Team-as-Code: Lessons From Real-world Red Team Detection Automation Using Logs

Channel:
United States SANS Cyber Defense
Subscribers:
23,600
Published on ● Video Link: https://www.youtube.com/watch?v=fz6SYlfvc-Y


Category:
Vlog
Duration: 37:15
1,322 views
33

Building on last year's SANS blue team automation talk, we'll focus on some real-world examples of how implementing blue team detection automation in code can be leveraged to better detect attack/red-team activity in logs, including visualization, pivoting, and decoding of malicious activity. We will be using open source frameworks such as sigma as a basis for some hunting hypotheses along with python and Jupyter notebook-based automation. We will share some code examples as well as our experiences with blue team detection automation in code, including examples of some of the common blind spots, including an example of oath2 permission grants exploitation in O365, and how these blind spots can be addressed by a blue team. You'll also see a practical demo of blue team code automation helping detect a red team in action.

Oleg Kolesnikov, Vice President, Securonix; Cybersecurity Instructor, Northeastern University
Den Iuzvyk, Senior Security Researcher,, Securonix

View upcoming Summits: http://www.sans.org/u/DuS
Download the presentation slides (SANS account required) at https://www.sans.org/u/1iaE
#BlueTeamSummit #BlueTeamAsCode



Other Videos By SANS Cyber Defense


2021-12-13What do you need to know about the log4j (Log4Shell) vulnerability?
2021-11-22Get to Know SANS Instructor and SEC586 Course Author Josh Johnson
2021-11-22Bringing the Sexy Back to Blue Team, with Eric Conrad and Seth Misener
2021-11-17Modern Authentication for the Security Admin
2021-11-15DeTT&CT(ing) Kubernetes ATT&CK(s) with Audit Logs
2021-11-13Ransomware Preparation, Containment and Recovery Strategies
2021-11-12Building on the Foundations of OSINT with SEC587: Advanced Open-Source Intelligence
2021-11-12AI & ML in the Modern SOC
2021-11-11YARA for Mere Mortals
2021-11-09Threat Sightings: The Power of Observation for Driving Cyber Threat Detection Improvements
2021-11-07Blue-Team-as-Code: Lessons From Real-world Red Team Detection Automation Using Logs
2021-11-05Measuring Detection Engineering Teams
2021-11-02Monitoring and Incident Response in Azure AD
2021-11-01Threats & Challenges 2021: What Cyber Defenders Need to Know – and Do
2021-10-30Knocking on Clouds Door: Threat Hunting Powered by Azure AD Reports and Azula
2021-10-29Random Forests: Still Useful?
2021-10-28Data Science for SOC: A Practical Example of Detecting Advanced Credential Attacks
2021-10-26TShark: Leveraging statistics | Nik Alleyne
2021-10-26The Yellow Brick Road: Where Lions and Tigers and Bears Meet
2021-10-24Adversary Simulation: Measure and Close the Gaps in Your Security Posture
2021-10-22Can we REALLY 10X the SOC?


Tags:
sans institute
blue team
blue team operations
blue team summit
sans blue team summit
oleg kolesnikov
den iuzvyk
sans institute blue team summit
blue team as code
red team
red team detection
red team detection automation
logs