Hunting on Amazon Web Services (AWS) - SANS Threat Hunting Summit 2017
While ‘hunting’ has come to mean targeted searches for IOCs, I have always considered it to be operations that perturb the environment in order to illuminate adversary activity. For instance, you might bounce a server and watch whether the adversary tries to reacquire it. This was risky in a traditional datacenter, but the modern methodologies embraced at Netflix, such as microservices and Continuous Deployment, make it tractable. In this presentation we explore tools and tactics that enable a broad range of hunting activities on Amazon Web Services (AWS). We discuss how to leverage native AWS APIs and services, supplement them with open source tools on the host, and navigate the ‘shared responsibility model’ to hunt in a large-scale production environment.

Speakers: Alex Maestretti (@maestretti), Engineering Manager, Netflix; Forest Monsen (@forestm), Senior Security Response Engineer, Netflix
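The "bounce it and watch who comes back" hunt described in the abstract can be run directly against CloudTrail, the native AWS audit source the talk refers to. The script below is an added example written for this page, not code from the talk or from Netflix: given a set of CloudTrail-style records, the time an instance was rebooted, and an allow-list of automation roles that legitimately touch hosts after a deploy, it reports every principal that reaches back into the bounced instance inside a short window. All events, ARNs, role names, IP addresses and instance IDs are constructed sample data; the set of "reacquisition" event names is an assumption a hunter would tune to their environment.

```python
"""Hunt for 'reacquisition' after bouncing an EC2 instance.

Added example, not from the talk: once an instance has been bounced,
scan CloudTrail-style records for principals that reach back into that
instance within a short window and are not part of the known-good
deployment/patching automation. Every event, ARN, role name and
instance ID below is constructed sample data for illustration.
"""
from datetime import datetime, timedelta, timezone

# Hypothetical automation roles expected to touch instances after a bounce.
KNOWN_GOOD_PRINCIPALS = {
    "arn:aws:sts::111122223333:assumed-role/deploy-pipeline/spinnaker",
    "arn:aws:sts::111122223333:assumed-role/ssm-patch-role/patcher",
}

# CloudTrail eventNames a returning adversary would need to regain a foothold
# (assumed starting set; tune to the environment).
REACQUIRE_EVENTS = {
    "SendCommand",                  # ssm: run a command on the host
    "StartSession",                 # ssm: open an interactive session
    "ModifyInstanceAttribute",      # ec2: change user-data, role, etc.
    "AssociateIamInstanceProfile",  # ec2: attach an instance role
}


def parse_time(ts):
    """CloudTrail eventTime is ISO-8601 in UTC, e.g. 2017-09-01T12:05:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def targets_instance(event, instance_id):
    """True if the call names instance_id in one of the common request fields."""
    params = event.get("requestParameters") or {}
    if params.get("instanceId") == instance_id:      # ec2:* single-instance calls
        return True
    if params.get("target") == instance_id:          # ssm:StartSession
        return True
    return instance_id in (params.get("instanceIds") or [])  # ssm:SendCommand


def hunt_reacquisition(events, instance_id, bounce_time, window=timedelta(hours=1)):
    """Return (eventTime, eventName, arn, sourceIPAddress) for calls against
    instance_id in (bounce_time, bounce_time + window] made by principals
    that are not on the known-good automation list."""
    hits = []
    for ev in events:
        t = parse_time(ev["eventTime"])
        if not (bounce_time < t <= bounce_time + window):
            continue
        if ev["eventName"] not in REACQUIRE_EVENTS:
            continue
        if not targets_instance(ev, instance_id):
            continue
        arn = ev["userIdentity"]["arn"]
        if arn in KNOWN_GOOD_PRINCIPALS:
            continue
        hits.append((ev["eventTime"], ev["eventName"], arn, ev["sourceIPAddress"]))
    return sorted(hits)


# ---- constructed sample data -------------------------------------------------
BOUNCED = "i-0abc123def4567890"
BOUNCE_TIME = parse_time("2017-09-01T12:00:00Z")
LEGACY_OPS = "arn:aws:iam::111122223333:user/legacy-ops"          # hypothetical
DEPLOY = "arn:aws:sts::111122223333:assumed-role/deploy-pipeline/spinnaker"
PATCHER = "arn:aws:sts::111122223333:assumed-role/ssm-patch-role/patcher"


def _ev(ts, name, arn, ip, params):
    """Build a minimal CloudTrail-shaped record."""
    return {"eventTime": ts, "eventName": name, "userIdentity": {"arn": arn},
            "sourceIPAddress": ip, "requestParameters": params}


SAMPLE_EVENTS = [
    _ev("2017-09-01T10:00:00Z", "SendCommand", LEGACY_OPS, "198.51.100.23",
        {"instanceIds": [BOUNCED]}),                          # before the bounce
    _ev("2017-09-01T12:00:00Z", "RebootInstances", DEPLOY, "10.0.0.5",
        {"instancesSet": {"items": [{"instanceId": BOUNCED}]}}),  # the perturbation
    _ev("2017-09-01T12:03:00Z", "DescribeInstances", LEGACY_OPS, "198.51.100.23",
        {"instancesSet": {"items": [{"instanceId": BOUNCED}]}}),  # read-only, ignored
    _ev("2017-09-01T12:05:00Z", "SendCommand", LEGACY_OPS, "198.51.100.23",
        {"instanceIds": [BOUNCED]}),                          # reacquisition
    _ev("2017-09-01T12:10:00Z", "SendCommand", PATCHER, "10.0.0.9",
        {"instanceIds": [BOUNCED]}),                          # known-good automation
    _ev("2017-09-01T12:15:00Z", "SendCommand", LEGACY_OPS, "198.51.100.23",
        {"instanceIds": ["i-0fff000011112222a"]}),            # different instance
    _ev("2017-09-01T12:20:00Z", "ModifyInstanceAttribute", LEGACY_OPS, "198.51.100.23",
        {"instanceId": BOUNCED, "attribute": "userData"}),    # reacquisition
    _ev("2017-09-01T14:30:00Z", "StartSession", LEGACY_OPS, "198.51.100.23",
        {"target": BOUNCED}),                                 # outside 1h window
]


def run_sample_hunt(window_hours=1):
    """Run the hunt over the constructed events with the given window."""
    return hunt_reacquisition(SAMPLE_EVENTS, BOUNCED, BOUNCE_TIME,
                              timedelta(hours=window_hours))


if __name__ == "__main__":
    for hit in run_sample_hunt():
        print("REACQUIRE?", *hit)
```

In a live environment the same logic runs over records pulled with CloudTrail `LookupEvents` or from the S3 bucket CloudTrail writes to; the principal-before-and-after pattern (same non-automation identity touching the host both before the bounce and shortly after it) is the signal the abstract is after, and the allow-list is what keeps continuous-deployment noise out of the result.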

Incident Response in the Cloud (AWS) - SANS Digital Forensics & Incident Response Summit 2017

AWS re:Inforce 2019: Threat Detection on AWS: An Introduction to Amazon GuardDuty (FND216)

Threat Hunting via Sysmon - SANS Blue Team Summit

AWS Explained: The Most Important AWS Services To Know

Threat Hunting in Security Operation - SANS Threat Hunting Summit 2017

Keynote: Cobalt Strike Threat Hunting | Chad Tilbury

AWS re:Inforce 2019: Security Best Practices the Well-Architected Way (SDD318)

An Introduction to Threat Hunting With Zeek (Bro)

Threat Intelligence At Microsoft: A Look Inside - Cyber Threat Intelligence Summit 2017

Threat Hunting Using Live Box Forensics - SANS Threat Hunting Summit 2018

ShimCache and AmCache enterprise-wide hunting - SANS Threat Hunting Summit 2017

AWS re:Invent 2023 - Streamlining security investigations with Amazon Security Lake (SEC234)

How to Improve Threat Detection and Hunting in the AWS Cloud Using the MITRE ATT&CK Matrix

AWS re:Inforce 2019: The Fundamentals of AWS Cloud Security (FND209-R)

ATT&CK™ Your CTI w/ Lessons Learned from 4 Years in the Trenches - SANS CTI Summit 2019

Cloud Security Monitoring and Threat Detection in AWS

Finding and Decoding Malicious Powershell Scripts - SANS DFIR Summit 2018

Threat Hunting AWS CloudTrail Logs with Microsoft Sentinel: Real-Time Attack Demo | Arijit Paul

How to Build Threat Hunting into Your Security Operations | Red Canary

