Threat Hunting & Triage in IR/SOC Operations

Introduction

This past May, I had the opportunity to attend OpenText’s Enfuse Conference 2018, where one of the sessions I attended was “Threat Hunting and Triage in IR/SOC Operations”. This is my third year attending the conference and I couldn’t be more grateful for the experiences! The Enfuse Conference never ceases to amaze me. It brings together such a fantastic group of industry professionals, whom I am lucky to be able to network with and learn from as an undergraduate student.
Alongside sessions on the most relevant topics our industry is facing, I heard former FBI Director James Comey deliver the conference’s keynote. His words of wisdom and insights into our industry were captivating. I will always remember having the chance to hear him speak. The best part of this year’s conference by far was taking the written exam part of the EnCase Certified Examiner (EnCE) Certification. I am fortunate enough to say that I was able to pass the exam!


Session Review

Threat Hunting & Triage in IR/SOC Operations

One of my favorite sessions from this year’s conference was titled “Threat Hunting & Triage in IR/SOC Operations” and was presented by Michael Auger and Jessica Bair, two professionals from Cisco Systems Advanced Threats Solutions / AMP Threat Grid division. Michael and Jessica gave a compelling presentation on the offerings of Cisco’s Threat Grid for Law Enforcement Program. They offered the audience members free access to the program to understand its capabilities and test its features!

Michael discussed David Bianco’s “Simple Hunting Maturity Model” and how important it is for IR/SOC Operations to be moving from a reactive triaging methodology to a proactive threat hunting model. Moreover, the presentation offered Michael’s solutions for reaching the more complex IR/SOC threat hunting models by automating certain tasks required in Incident Response / SOC Operations. Michael demoed his scripts. He explained how he wrote the scripts, what they were doing, and how they could easily be modified. Furthermore, Michael even shared his scripts with the group so that we could download and use them in our own IR/SOC Operations!


My biggest takeaway from this session was how useful automation can be in IR/SOC operations. Michael discussed different ways analysts can utilize automation.


Conclusion

The Enfuse Conference provided me many opportunities to broaden my understanding of the Digital Forensic / Cybersecurity industry. I made connections with others who are just as passionate about this work as I am. I was also able to explore and experience Las Vegas with my friends and colleagues! I’d like to thank OpenText and Champlain College for affording me the opportunity to attend Enfuse for the past three years. I can only hope to attend another conference next year!

To learn more about the LCDI or our projects, follow us on our Facebook and Twitter pages or send an email to lcdi@champlain.edu!