
Harvesting Logs for Enhanced Investigations

January 2019 Presentation
David Gainey (Defense Information Systems Agency)

In this talk, the author discusses the type of information that should be continuously collected and kept on-hand for investigative value in the case of a network compromise, and he addresses the value of such artifacts in an investigation.

Publisher:

Defense Information Systems Agency (DISA)

Abstract

In this talk, the author discusses the type of information that should be continuously collected and kept on-hand for investigative value in the case of a network compromise. He addresses the value of such artifacts in an investigation. Additionally, he notes several open source solutions and resources that exist to assist in these endeavors. He also touches on the different forms of "hunting" (indicator-based vs hypothesis-driven).

Hunting has been a buzzword for a few years. Talks abound on how to find anomalies within datasets using various methods. However, a talk rarely presents a framework for hunting. How do I actually get started in the field? What data should be collected and centralized? Can the data be enriched? How do you hunt with this data?

Fortunately, lots of great resources exist for building out a functional environment for hunting. Once the environment exists, resources like MITRE's ATT&CK and testing tools like red team emulation tools allow teams to quickly build and validate capabilities. This talk puts all the pieces together to establish a framework for hunting by discussing the key points of hunting: the types of data that are important, how to learn from and enrich data in your own environment, and hunting concepts driven by various methods. This talk aims to empower operators everywhere in their network defense capacities.
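The abstract distinguishes indicator-based hunting from hypothesis-driven hunting and asks how centralized, enriched data is actually used. The following is an added example written for this page, not material from the talk or from DISA. It runs both styles of hunt over a handful of constructed process-execution records: the log records, the host-enrichment table and the indicator list are all invented placeholders, and the two hypotheses (Office applications spawning shells; tooling that appears on very few hosts) are illustrative choices, not a list the talk gives.

```python
"""Indicator-based vs hypothesis-driven hunting over centralized logs.

Added example for illustration; every record, indicator and host attribute
below is constructed and does not describe any real environment.
"""
from collections import defaultdict

# Constructed process-execution records, as a collector might centralize them.
# Fields: host, user, parent process, child process, destination domain.
PROCESS_LOGS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "proc": "outlook.exe", "dst": "mail.example.test"},
    {"host": "ws01", "user": "alice", "parent": "outlook.exe", "proc": "winword.exe", "dst": ""},
    {"host": "ws01", "user": "alice", "parent": "winword.exe", "proc": "powershell.exe", "dst": "cdn-update.example.test"},
    {"host": "ws02", "user": "bob", "parent": "explorer.exe", "proc": "chrome.exe", "dst": "www.example.test"},
    {"host": "ws02", "user": "bob", "parent": "explorer.exe", "proc": "outlook.exe", "dst": "mail.example.test"},
    {"host": "ws03", "user": "carol", "parent": "explorer.exe", "proc": "chrome.exe", "dst": "www.example.test"},
    {"host": "ws03", "user": "carol", "parent": "services.exe", "proc": "svchost.exe", "dst": ""},
    {"host": "ws04", "user": "dave", "parent": "explorer.exe", "proc": "chrome.exe", "dst": "www.example.test"},
    {"host": "ws04", "user": "dave", "parent": "explorer.exe", "proc": "outlook.exe", "dst": "mail.example.test"},
    {"host": "srv01", "user": "svc_backup", "parent": "services.exe", "proc": "svchost.exe", "dst": ""},
    {"host": "srv01", "user": "svc_backup", "parent": "cmd.exe", "proc": "rclone.exe", "dst": "cdn-update.example.test"},
]

# Constructed enrichment table: what the environment already knows about each host.
HOST_INFO = {
    "ws01": {"owner": "alice", "role": "workstation", "site": "hq"},
    "ws02": {"owner": "bob", "role": "workstation", "site": "hq"},
    "ws03": {"owner": "carol", "role": "workstation", "site": "branch"},
    "ws04": {"owner": "dave", "role": "workstation", "site": "branch"},
    "srv01": {"owner": "it-ops", "role": "backup-server", "site": "hq"},
}

# Constructed indicators (placeholder values, not real IoCs).
INDICATORS = {"domains": {"cdn-update.example.test"}, "procs": {"rclone.exe"}}


def enrich(record):
    """Attach host context to a raw record so a hit can be triaged without a lookup."""
    info = HOST_INFO.get(record["host"], {"owner": "unknown", "role": "unknown", "site": "unknown"})
    return {**record, **{f"host_{k}": v for k, v in info.items()}}


def indicator_hunt(records, indicators):
    """Indicator-based: match each record against a known-bad list.

    Returns (host, process, reasons) for every record that matched at least one indicator.
    """
    hits = []
    for r in records:
        reasons = []
        if r["dst"] in indicators["domains"]:
            reasons.append("ioc:domain")
        if r["proc"] in indicators["procs"]:
            reasons.append("ioc:process")
        if reasons:
            hits.append((r["host"], r["proc"], reasons))
    return hits


def hypothesis_office_spawn(records):
    """Hypothesis-driven: a document-borne payload would launch a shell from an Office app."""
    office = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
    shells = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
    return [(r["host"], r["parent"], r["proc"]) for r in records
            if r["parent"] in office and r["proc"] in shells]


def hypothesis_rare_process(records, max_hosts=1):
    """Hypothesis-driven: staged tooling shows up on few hosts, so stack by host count."""
    hosts_by_proc = defaultdict(set)
    for r in records:
        hosts_by_proc[r["proc"]].add(r["host"])
    return sorted(p for p, hosts in hosts_by_proc.items() if len(hosts) <= max_hosts)


def run_hunts(records, indicators):
    """Run every hunt and return enriched leads keyed by hunt name."""
    enriched = [enrich(r) for r in records]
    return {
        "indicator": indicator_hunt(enriched, indicators),
        "office_spawn": hypothesis_office_spawn(enriched),
        "rare_process": hypothesis_rare_process(enriched),
    }


if __name__ == "__main__":
    for name, leads in run_hunts(PROCESS_LOGS, INDICATORS).items():
        print(f"{name}: {leads}")
```

The indicator hunt only finds what is already on the list, which is why the two hypothesis hunts exist alongside it: the Office-spawn hunt needs no indicator at all, and the rarity hunt deliberately returns benign leads (here `winword.exe` appears on only one host) that the enrichment fields, such as host role and owner, let an analyst dismiss quickly.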