Join Core BTS and Cisco for a Threat Hunting Workshop on May 19th, 2020!
In the heat of a crisis, every keystroke counts and indecision could cost your organization millions. What separates security pros from security liabilities? A plan – and practice.
In this webinar you will uncover best practices for threat hunting, learn how to incorporate threat hunting into your daily workflow, network with your peers to share strategies and techniques, and execute five real-world lab scenarios:
The CIO saw a Twitter post mentioning a threat called “VPNFilter” that has infected over half a million routers worldwide. While none of our corporate routers should be affected, the CIO wants to know if there are any infected “Shadow IT” devices connected to our network – and if so, if our security products are blocking this threat or not.
Fish the Phish
One of our IT analysts noticed a phishing domain that was caught by Umbrella. We have decided to investigate further in our environment to see if we can determine the source of the offending URL. Unfortunately, we have not deployed AMP for Endpoints to this user’s computer, so we don’t have visibility on his machine. We were able to identify the specific link by looking at the user’s browser history, but unfortunately, the user has no recollection of where the link came from. Now we will investigate to determine the source and to see if we can identify any further steps to prevent this in the future!
One of your users was phished. The attacker was very careful, using a legitimate email account belonging to an employee of a catering company that you’ve done business with in the past. The email didn’t contain any active code or malicious attachments – just a link to a website that looked very similar to a portal that is sometimes used for invoicing, but in this case, the “invoice” was actually a powerful piece of malware. We were able to trace the name of the file that was downloaded by querying our firewall, which intercepted the file and sent it to the cloud sandbox for analysis. Unfortunately, the file was already on its way to the victim’s computer when the alert came back for a malware detection.
It’s early in the workday and you log into your AMP dashboard to check malware activity within your network. Right away, you can see that there are a large number of affected systems listed in the Inbox tab. Why were 65 incidents reported on this single system in 20 minutes? How can we find out what happened on this endpoint, and how do we protect it?
John Doe from Human Resources is working on hiring additional security engineers for your department. Unfortunately, this morning John let you know that he tried to open a resume from an email attachment, but it did not open correctly – instead of a document, he saw a command prompt window pop up on his desktop. John doesn’t remember anything about the email message subject, sender, or file attachment name, but he did take a screen capture of his desktop…
(Tuesday) 9:00 am - 2:00 pm EDT