Threat Modeling and Defensive Indicator Design
Does your organization want to start Threat Hunting, but you're not sure how to begin? Do you find yourself in a cycle of creating "detections" without any strategic direction? In this talk, I focus on building defensive indicators by starting with the attack in mind. Through the use of a case study, I will describe my process for researching a technique from the underlying technology all the way to the specific implementations. This case study will focus on Access Token Manipulation, a popular technique used by attackers to assume the identity of a user account other than their own. Along the way, I will describe how I research an attack technique's technical details, my process for creating a proof-of-concept implementation of the attack technique, how I identify what data is necessary to collect for detection, and how I test detection at scale.
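As an added example, not code from the talk or its speaker, the "what data to collect" and "test at scale" steps of this case study can be sketched as a small detection pass over Windows Security event records. The sample events below are constructed; the two heuristics are this editor's assumptions about indicators of Access Token Manipulation, not the speaker's: a 4624 logon with LogonType 9 (NewCredentials, the logon type produced by LOGON32_LOGON_NEW_CREDENTIALS, e.g. `runas /netonly`), and a 4688 process-creation event whose Target Subject (the account the new process runs as) differs from its Creator Subject (the account that requested it). Field names follow the EventData names of the real 4624/4688 events; the `trusted_creator_sids` allowlist is a hypothetical tuning knob standing in for the baselining a team would do when running this across a fleet.

```python
"""Toy detection pass for access-token-manipulation indicators over
Windows Security event records. Added example with constructed data."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample events. Keys mirror the EventData field names of the
# real 4624 (logon) and 4688 (process creation) Security events; the
# values are made up for this example.
SAMPLE_EVENTS = [
    # Interactive logon of alice, requested by Local System: benign.
    {"EventID": 4624, "Computer": "WS01", "LogonType": "2",
     "SubjectUserSid": "S-1-5-18", "SubjectDomainName": "CORP",
     "SubjectUserName": "WS01$", "TargetDomainName": "CORP",
     "TargetUserName": "alice"},
    # NewCredentials logon: alice cloned her token with alternate network
    # credentials (runas /netonly style). In type-9 events the New Logon
    # account repeats the caller; the alternate credentials are not shown.
    {"EventID": 4624, "Computer": "WS01", "LogonType": "9",
     "SubjectUserSid": "S-1-5-21-1-2-3-1001", "SubjectDomainName": "CORP",
     "SubjectUserName": "alice", "TargetDomainName": "CORP",
     "TargetUserName": "alice"},
    # Ordinary process creation: Target Subject is empty, so the new
    # process runs as the creator. Benign.
    {"EventID": 4688, "Computer": "WS01",
     "SubjectUserSid": "S-1-5-21-1-2-3-1001", "SubjectDomainName": "CORP",
     "SubjectUserName": "alice", "TargetUserSid": "S-1-0-0",
     "TargetDomainName": "-", "TargetUserName": "-",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    # alice spawned PowerShell under a different account's token.
    {"EventID": 4688, "Computer": "WS01",
     "SubjectUserSid": "S-1-5-21-1-2-3-1001", "SubjectDomainName": "CORP",
     "SubjectUserName": "alice", "TargetUserSid": "S-1-5-21-1-2-3-1105",
     "TargetDomainName": "CORP", "TargetUserName": "svc-backup",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Local System launching the user's shell at logon: creator and target
    # differ, but this is routine, so it is handled by the allowlist.
    {"EventID": 4688, "Computer": "WS01",
     "SubjectUserSid": "S-1-5-18", "SubjectDomainName": "CORP",
     "SubjectUserName": "WS01$", "TargetUserSid": "S-1-5-21-1-2-3-1001",
     "TargetDomainName": "CORP", "TargetUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\userinit.exe"},
]

# S-1-5-18 is the well-known SID of Local System. Treating it as a trusted
# creator is an assumption for this example, not a general recommendation.
DEFAULT_TRUSTED_CREATOR_SIDS = frozenset({"S-1-5-18"})


@dataclass(frozen=True)
class Finding:
    event_id: int
    reason: str
    host: str
    subject: str
    target: str


def account(ev: dict, prefix: str) -> str | None:
    """Return 'domain\\user' (lower-cased) for the Subject or Target block,
    or None when the block is empty ('-'), which in 4688 means the new
    process runs as its creator."""
    user = ev.get(f"{prefix}UserName", "-")
    if user in ("", "-"):
        return None
    return f"{ev.get(f'{prefix}DomainName', '-')}\\{user}".lower()


def is_new_credentials_logon(ev: dict) -> bool:
    """4624 with LogonType 9: a token was created with alternate credentials."""
    return ev.get("EventID") == 4624 and ev.get("LogonType") == "9"


def is_cross_token_process(ev: dict, trusted_creator_sids: frozenset) -> bool:
    """4688 whose Target Subject is set and differs from the Creator Subject."""
    if ev.get("EventID") != 4688:
        return False
    if ev.get("SubjectUserSid") in trusted_creator_sids:
        return False
    creator, target = account(ev, "Subject"), account(ev, "Target")
    return target is not None and target != creator


def find_token_manipulation(events, trusted_creator_sids=DEFAULT_TRUSTED_CREATOR_SIDS):
    """Run both heuristics over an iterable of event dicts."""
    findings = []
    for ev in events:
        subject, target = account(ev, "Subject"), account(ev, "Target")
        if is_new_credentials_logon(ev):
            findings.append(Finding(4624, "NewCredentials logon (LogonType 9)",
                                    ev["Computer"], subject or "-", target or "-"))
        elif is_cross_token_process(ev, trusted_creator_sids):
            reason = f"{ev.get('NewProcessName')} created under a token other than its creator's"
            findings.append(Finding(4688, reason, ev["Computer"], subject or "-", target or "-"))
    return findings


if __name__ == "__main__":
    for f in find_token_manipulation(SAMPLE_EVENTS):
        print(f"{f.host} {f.event_id} {f.subject} -> {f.target}: {f.reason}")
```

Dropping the allowlist (`trusted_creator_sids=frozenset()`) also flags Local System launching `userinit.exe`, which is the kind of fleet-wide false positive the "test at scale" step exists to surface and tune out.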