Utilizing Memory and Network Forensics for Scalable Threat Detection and Response

Tech 3 (801A) October 19, 2016 10:15 am - 11:15 am


Andrew Case

Modern threats require actively hunting for malware and attackers throughout an organization's environment. Unfortunately, traditional approaches to detecting this malicious activity, such as signature-based scanning and querying the live operating system through its own APIs, are now inadequate: advanced malware and skilled attackers subvert the very interfaces those tools rely on. During this presentation attendees will learn how malware and attackers evade these traditional methods, and how memory and network forensics can give defenders the upper hand. Memory forensics, the examination of a system's state through analysis of its RAM, is much harder to fool, because malicious code must create artifacts in memory (processes, threads, mapped code, open handles and sockets) in order to run at all, and an analyst reads those structures directly from a captured image rather than asking a potentially compromised kernel for them. Similarly, network forensics gives defenders a concrete record of the data flowing through their environment, leaving attackers little room to hide lateral movement and data exfiltration. Beyond initial detection, this presentation will also show how these types of analysis provide rapidly scalable triage of the rest of a potentially compromised network. The scenarios presented are based on real-world malware and on real investigations performed on large networks around the world. Attendees will leave with the ability to start proactively detecting and triaging threats in their environment, all using open source tools.
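The following is an added illustration of why memory analysis is hard to fool, not code from the talk or from any particular forensic tool. It models the classic cross-view check: a process that unlinks itself from the kernel's process list (direct kernel object manipulation) disappears from the operating system's own process listing, but its process structure still sits in RAM and can be found by scanning for its signature. The structure layout, the `Proc` pool tag, the 32-byte record size and the sample process list are all constructed assumptions for the example; real kernels use their own layouts, and real tools parse those from debug symbols.

```python
import struct

# Constructed toy "kernel process record": tag, pid, name, flink, blink.
# This layout is an assumption for the example, not a real kernel structure.
REC_FMT = "<4sI16sII"
REC_SIZE = struct.calcsize(REC_FMT)   # 32 bytes
POOL_TAG = b"Proc"                    # constructed allocation tag we scan for
HEAD_OFF = 0                          # list head lives at offset 0 of the image
FIRST_OFF = 0x100                     # first process record
FLINK_AT, BLINK_AT = 24, 28           # field offsets inside a record

# Constructed sample process table; 1337 plays the role of the implant.
PROCS = [(4, "System"), (412, "smss.exe"), (620, "lsass.exe"),
         (1337, "implant.exe"), (2048, "explorer.exe")]


def _pack(tag, pid, name, flink, blink):
    return struct.pack(REC_FMT, tag, pid, name.encode(), flink, blink)


def build_image(procs, hidden_pid=None, size=0x1000):
    """Build a toy memory image holding a doubly linked process list.

    If hidden_pid is given, that record is unlinked from the list the way a
    DKOM rootkit would do it: its neighbours are rewired to skip it, but the
    record's bytes are left untouched in memory.
    """
    image = bytearray(size)
    offs = [FIRST_OFF + i * 2 * REC_SIZE for i in range(len(procs))]
    image[HEAD_OFF:HEAD_OFF + REC_SIZE] = _pack(b"LIST", 0, "", offs[0], offs[-1])
    for i, (pid, name) in enumerate(procs):
        flink = offs[i + 1] if i + 1 < len(offs) else HEAD_OFF
        blink = offs[i - 1] if i > 0 else HEAD_OFF
        image[offs[i]:offs[i] + REC_SIZE] = _pack(POOL_TAG, pid, name, flink, blink)
    if hidden_pid is not None:
        h = [pid for pid, _ in procs].index(hidden_pid)
        prev_off = offs[h - 1] if h > 0 else HEAD_OFF
        next_off = offs[h + 1] if h + 1 < len(offs) else HEAD_OFF
        struct.pack_into("<I", image, prev_off + FLINK_AT, next_off)  # prev.flink = next
        struct.pack_into("<I", image, next_off + BLINK_AT, prev_off)  # next.blink = prev
    return bytes(image)


def walk_list(image, head=HEAD_OFF, limit=1000):
    """What a live 'ps'-style tool sees: follow flink pointers from the head."""
    seen = []
    off = struct.unpack_from("<I", image, head + FLINK_AT)[0]
    while off != head and len(seen) < limit:        # limit guards a corrupted cycle
        _, pid, name, flink, _ = struct.unpack_from(REC_FMT, image, off)
        seen.append((pid, name.rstrip(b"\0").decode()))
        off = flink
    return seen


def scan_image(image):
    """What a memory scanner sees: every record carrying the pool tag,
    whether or not anything still points to it."""
    found = []
    off = image.find(POOL_TAG)
    while off != -1:
        if off + REC_SIZE <= len(image):
            _, pid, name, _, _ = struct.unpack_from(REC_FMT, image, off)
            if pid != 0:                             # skip junk hits with no pid
                found.append((off, pid, name.rstrip(b"\0").decode()))
        off = image.find(POOL_TAG, off + 1)
    return found


def cross_view(image):
    """Cross-view detection: records found by scanning but absent from the
    linked list are hidden processes."""
    listed = {pid for pid, _ in walk_list(image)}
    scanned = {(pid, name) for _, pid, name in scan_image(image)}
    return sorted((pid, name) for pid, name in scanned if pid not in listed)


if __name__ == "__main__":
    img = build_image(PROCS, hidden_pid=1337)
    print("list walk :", [pid for pid, _ in walk_list(img)])
    print("scan      :", [pid for _, pid, _ in scan_image(img)])
    print("hidden    :", cross_view(img))
```

Running it shows the list walk returning four processes while the scan finds five; the difference is the unlinked implant. The same idea, comparing an object's presence across independent views (list walk, pool scan, handle tables, thread lists), is what makes hiding from memory analysis so much harder than hiding from the live system's APIs.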