Workshops for DEATHCon 2024 are listed below. These are the workshops accepted in the first round on June 1; more workshops may be added later.

If you would like to view the workshops from 2023, check them out here.

2024 Workshops

All the workshop materials remain the property of the workshop leaders. Some workshop leaders have chosen to release their materials publicly after DEATHCon is over, and we encourage all to share the learning for free!


by Kevin Garlow

When getting started with Detection Engineering and Threat Hunting, it can be overwhelming to get your hands around the many platforms and tools available. This presentation will provide a gentle introduction to a variety of detection platforms. I will provide an overview of the different detection domains (network, host, memory/file, cloud) and an example or two of each. During the workshop, participants will get started in actually performing detections, and can dive deeper by continuing on to other more in-depth workshops.



by Lucía Coppes and Pablo Frias

In our digital world, Cybersecurity is a growing concern, with Phishing Campaigns representing one of the biggest threats to both individuals and organizations. Most sophisticated attacks often begin with a typical Phishing email.

This hands-on Workshop focuses on delving into Phishing techniques and how to implement them using a variety of available tools. From crafting convincing emails to setting up fake login pages, participants will learn how to conduct Phishing Campaigns effectively. Through practical exercises, different tools and techniques will be explored, providing attendees with a comprehensive understanding of how phishing attacks are carried out, generating awareness. This workshop is ideal for Cybersecurity Professionals, System Administrators, and anyone interested in gaining a better understanding of current Cyber Threats.



by Sagie Dulce

Would anyone opt to wait and react to attacks if they had the ability to prevent them upfront? Personally, I wouldn't. Therefore, rather than emphasizing detection engineering, we should prioritize prevention engineering whenever feasible.

Domain Controllers represent the most critical servers in the organization, yet they are also the most vulnerable. Protocols like LDAP and RPC are accessible to any domain account, leaving them susceptible to numerous types of attacks: reconnaissance through tools like SharpHound & SOAPHound, NTLM relay via coercion attacks, lateral movement via PsExec/remote DCOM/remote scheduled tasks, and many others.

In this workshop, our focus will be on prevention engineering for domain controllers using our open-source tools: the RPC Firewall and the LDAP Firewall. As their names suggest, these tools act as firewalls for the extensively exposed LDAP and RPC protocols. We will demonstrate how these tools can be utilized to audit RPC and LDAP activities, generate fingerprints for various detections (including sigma rules), and effectively block and detect malicious activities.



by Nicola-Marie O’Riordan with the KC7 Foundation

You’ve participated in a CTF, you’ve analyzed that malicious binary, you’ve detected the threats, now tell the world! Attend this workshop to learn more about documenting your findings. Whether it be for an internal report to impress your peers or your personal blog so you can secure that role. A Microsoft Senior Technical Writer and Threat Intelligence Analyst in conjunction with the KC7 Foundation will walk you through report writing and demystify the process.

The workshop is aimed at anyone from entry level to seasoned researchers; however, if you really dislike writing, this workshop is for you.

  • The power of words – the importance of micro copy
  • Who is reading? – how to write one report to suit everyone
  • Accessibility – It’s easy to cater for everyone when we champion diversity
  • Writing is stressful – hacks to get past the writer’s block
  • Gathering your evidence – screenshotting and note taking during an intrusion or analysis
  • BLUF and the inverted pyramid – organize your thoughts
  • Templates – don’t have one? Create one
  • Formatting – scrubbing PII, eliminating jargon, headings, and general housekeeping
  • Sticky content – your audience will love you for this
  • General tips – it doesn’t have to be perfect. It must be clear
  • Work through a bespoke KC7 immersive threat intelligence module and produce your own threat intelligence report


by Jonathan Johnson

Introducing "Empowering Research with Defensive Tooling," a workshop designed to show users how they can use a subset of tools I have created that help uncover telemetry capabilities often overlooked by mainstream vendors. Participants will delve into how these tools empower researchers to identify telemetry exposed by the operating system that can be used for detection efforts.

By analyzing real-world scenarios and engaging in hands-on exercises, attendees will unlock the untapped potential of OS telemetry, gaining insights that transcend conventional security measures. Whether you're a seasoned professional or a burgeoning enthusiast, this workshop offers invaluable resources for uncovering the hidden secrets within operating systems.



by Axel Wauer

As cybersecurity threats evolve, the tools and skills required to combat these threats must also advance. Python has emerged as a critical tool in the arsenal of cybersecurity professionals due to its versatility and the powerful suite of libraries it offers for automating tasks, processing data, and interfacing with various cybersecurity services. This workshop aims to equip participants with the practical Python skills necessary for modern cybersecurity challenges.



by Nathan Burns

During this workshop attendees will gain an understanding of how to use MITRE Caldera and Atomic Red Team to perform effective and reusable threat emulation exercises. Attendees will be given a guided tour of both open-source projects before being walked through several examples as we put on both our red team and blue team hats.

We'll be executing atomic tests on a remote system via both the Caldera web GUI and its API, viewing the generated artifacts in Microsoft Sentinel, crafting a detection to detect our test, and then re-testing our detection to ensure it functions correctly.

Attendees will also be given several project ideas on how they can take full advantage of MITRE Caldera, including:

  • Testing detections at a regular interval to ensure effectiveness.
  • Running more advanced adversary emulation plans with Caldera.
  • How to bring your own atomic tests into Caldera.


by Angelo Schranko de Oliveira

In this workshop we'll explore how to develop and train a Graph Autoencoder to learn low dimensional representations (embeddings) from graph structures extracted from malware instances opcodes. Then, we'll show how to visualize those embeddings and effectively cluster them into groups of similar malware instances. This approach can be leveraged, for example, for Triaging, Threat Hunting, and Threat Intelligence.



by Eric Forte and Mika Ayenson

Users will learn how to deploy and manage custom security rules using a Detections as Code (DaC) approach featuring Elastic Security and the detection-rules repo. You will quickly deploy a stack using the docker Elastic Container Project (ECP) and manage the rule life cycle from development to production.



by Lee Archinal

The first portion of the workshop will be focused on the planning portion of a threat hunt, which will involve identifying common event log sources and taking an intel report and extracting the interesting artifacts. We will then use these artifacts to create a hypothesis that will drive our threat hunting. These hypotheses should be general enough to be used in different situations or when hunting for different threats, yet still be specific enough to capture a known tactic, technique, procedure, or behavior that has been observed in the past.

The second portion will involve the hunters applying their hypotheses to a set of data to find some interesting evidence using the Elastic SIEM. Since everyone may not be familiar with the tool of choice, there will be a brief introduction portion to familiarize the hunters with the tool so they can use it effectively.

The goal of the workshop is to use the artifacts that they find in a dataset to link to known MITRE Tactics, Techniques, or Sub-Techniques. This may involve some research of the artifacts that they find to identify their true nature or functions, but the focus will be on successfully mapping artifacts to behaviors. The hunters will then document their findings and mappings, and we will use that as a discussion point at the end of the workshop.



by Ben Mauch (Ben 0xA)

Attackers continue to evolve their tradecraft to successfully evade EDR preventions and SIEM detections. Defenders are continually trying to build high quality detections and prevention rules, but oftentimes lack the ability to validate that the detections and prevention rules are working. The Adaptive Threat Simulation and Detection Engineering workshop will walk students through the process of creating attack playbooks and campaigns, how to build high quality detections, and how to validate the detections will detect the attacks. Students will have the opportunity to interact with a live lab environment for attack simulation and detection engineering.



by Carla Garcia

In this course, participants will gain hands-on experience in setting up a virtual machine (VM) and creating a Graylog home lab environment. They will learn the step-by-step process of installing and configuring the VM, followed by the installation and setup of Graylog, a powerful log management and analysis tool. The course will cover how to effectively gather and ingest data into a Security Information and Event Management (SIEM) system, enabling participants to monitor and analyze security events. By the end of the course, learners will have a functional Graylog home lab and a solid understanding of SIEM data integration techniques.



by Leo Tsaousis

As more and more organisations are migrating their workloads to containerised infrastructure, threat actors have shifted their focus to the orchestrator. But despite the rapid transition in technology, the human factor remains the weakest link, with operations teams struggling to adapt conventional security monitoring techniques. Fortunately, tried-and-true concepts like collaborative adversarial simulations can be applied to this new security realm.

In this workshop, we will demonstrate how defenders can build capability to detect Kubernetes attacks, and how to validate it in practice using the latest release of Leonidas, WithSecure’s cloud attack simulation framework. Students will be granted access to a Kubernetes environment, to practice attacks and familiarise themselves with container security monitoring in a common SOC environment.

Through a hands-on walk-through, attendees following along will:

  • Learn how to utilise Kubernetes audit logs, and how to forward them to an Elastic SIEM
  • Deploy Leonidas within the cluster, and launch out-of-the-box attacks included in its test case database
  • Write new Attack Definitions to extend Leonidas’ capabilities
  • Organise and streamline simulation plans using Jupyter notebooks
  • Experiment with detection building blocks, such as Sigma signatures


by Greg Ake

Tuning detections is by far the most time intensive and important part of Detection Engineering. We can't continue to add net-new content if we can't maintain and validate our existing detection coverage. In this lab, we will focus on how to conduct practical adversary emulation using well-known automated tools, but also dive into the realm of manual testing and discuss the shortcomings of these tools. In this lab, you will gain additional exposure to adversary tradecraft, limitations of our detections and emulation scripts, and how to begin the research to further our understanding of how we can create compensating controls to detect and eradicate threats that may evade some of our detections. This lab will expose you to the "Top 10" techniques commonly observed by adversaries and guidance on how to emulate these threats to improve your detection and response.



by Megan Nilsen & Andrew Schwartz

If you were to collectively ask any Windows penetration tester or “red teamer” to recount their most common “attack paths,” there is no doubt that many, if not all of them, will include Active Directory (AD) based attacks. It’s easy to understand both why AD has been commonly dubbed the “attacker’s playground” and why a defender could become overwhelmed by the vast AD attack surface.

The goal of this workshop is to provide the “blue team” with a greater level of understanding on how these attacks “may” operate, but also help identify where an adversary may be hiding and how to build detections that can detect this abuse in Splunk using Windows Event IDs.

This is inherently a Purple Team style exercise where students will perform the object/attribute misconfigurations, as well as perform the subsequent attacks and build SPL queries to detect them.

Based on the blog post series here:

  • https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a
  • https://trustedsec.com/blog/a-hitch-hackers-guide-to-dacl-based-detections-part-1b
  • https://trustedsec.com/blog/a-hitch-hackers-guide-to-dacl-based-detections-part-2
  • https://trustedsec.com/blog/a-hitch-hackers-guide-to-dacl-based-detections-part-3
  • https://trustedsec.com/blog/a-hitch-hackers-guide-to-dacl-based-detections-the-addendum


by Josh Kamdjou

Email remains the #1 initial access vector for commodity malware and nation state actors. Historically, tackling email-based threats has been considered the purview of black-box vendor solutions, with defenders having limited scope (or tooling!) to swiftly and effectively respond to novel offensive tradecraft.

In this training, attendees will be given detailed insight into the latest techniques used to deliver prevalent malware strains, including Pikabot and IcedID, and will hunt through email data to identify this malicious activity, developing rules to detect and block these attacks.

Initially attendees will be introduced to the foundational technologies that enable threat hunting and detection engineering in the email domain, before being given access to the email data of a fictitious company seeded with benign and real-world attack data.

Attendees will be guided through the rule creation process, utilizing free and open detection engines including Sublime and Yara, and will be introduced to the signals that can be used to craft high-fidelity rules, including sentiment analysis, domain age, and attachment analysis. Having completed the training, attendees will have a strong understanding of the tools and techniques at their disposal to defend their organizations from all manner of email threats.



by Dennis Chow

Enterprises are starting to leverage more Detection-as-Code programs to scale their detection engineering efforts. These programs help scale deployments, but many organizations aren't using their CI/CD's to the fullest extent. To further "shift left", we need to also scale and automate validating our use cases.

In this workshop, you will learn how to create unit and integration tests using GitHub style runners for different use cases including: HIDS (OSSEC), NIDS (Suricata style), Synthetic testing of SIEM correlations (Splunk SPL) using GenAI (Poe.com), and integration testing in the AWS cloud.

Technical Requirements:

  • Unit Testing: GitHub Personal or Teams Account (Free Actions minutes for public repo usage. Or have at least ~10-20 minutes left in the month for private repo usage)
  • Integration Testing: AWS account with admin access within the us-east-1 region
  • Synthetic AI Testing: Poe.com Subscription for API access ($20 /month) or Trial
  • Optional Color Coding Reading: VSCode or any other IDE of choice



by Ursula "Ushi" Heffernan-Cowan

It can often feel as though we are in the Middle Ages with our knowledge and tooling when discussing cloud security. In this workshop, Ushi will discuss cloud security basics and practical cloud threat hunting techniques so that participants can practice real world threat hunting in a cloud environment utilizing logs provided.


Important Dates

1 April 2024: CFP Opens, Workshop and Volunteer Applications Open
1 June 2024: First Round CFP Acceptance, CFP will remain open
1 July 2024: Next Round CFP Acceptance (may be the last)
1 July 2024: Early ticket sales (for past years' attendees)
7 July 2024: Ticket sales general availability
7 Sept 2024: Lab Network and Architecture Planning Starts
5 Oct 2024: Lab Available for Workshop Leaders
16-17 Nov 2024: Conference!
31 Dec 2024: Lab will remain available at least until end of year.
Feb/Mar 2025: Stretch goal to keep lab available (until money runs out).
