Presentation information

Threat hunting: from SolarWinds to Hafnium APT

Niv Yona (Cybereason) & Eli Salem (Cybereason)
live only
UTC on Day 3
FRIDAY 02 OCTOBER
Threat actors are continuously evolving and adapting their tactics and techniques to bypass security tools, and as threat hunters and incident responders we need to evolve fast. From the latest big events of the year, the SolarWinds supply chain attack and Proxylogon vulnerability exploitation by the Hafnium threat actor, we can learn how threat hunting can save organizations from a bigger breach.
In the past few years, we investigated a large number of activities from commodity malware to complex APT operations. One of the challenging things in those investigations is finding anomalies in an enterprise network and knowing how to differentiate between legitimate use of tools and abuse of legitimate tools for malicious activities.
Threat hunters proactively analyse process execution telemetry data to determine if an organization is coming under attack on an ongoing basis. Newly discovered techniques and behavioural patterns should be integrated into your security tools to enhance and enrich its automated detection capabilities if possible. In some cases, some techniques (such as living off the land binaries, a.k.a. Lolbins) will demand real eyes looking into the activity since they can create more noise than value.

In this session, we will describe our timeline from hour 0 of the SolarWinds supply chain attack and Hafnium exploiting the ProxyLogon vulnerability, and actions to identify the compromise in the first hours. You'll learn by example how to perform threat hunting using your security tools and why you should start doing it today using your telemetry data. We will share the methodologies we follow as threat hunters and incident response professionals and demonstrate the power of hunting.

Threat hunting is a very broad and dynamic subject and seeing our examples we hope to make it more accessible.
The goal of this talk is to empower security analysts to be able to threat hunt and share some easy methods, to begin with. Happy hunting!
Niv Yona
Cybereason Niv, IR Practice Director, leads Cybereason's incident response practice in the EMEA region. Niv began his career as a team leader in the security operations centre in the Israeli Air Force, where he focused on incident response, forensics, and malware analysis. In his past positions in Cybereason he focused on threat research that directly enhances product detections and the Cybereason threat hunting playbook.
Eli Salem
Cybereason Eli, Lead Threat Hunter and malware reverse engineer, began his career as a security analyst in the private sector. At Cybereason, Eli leads the threat hunting service in the EMEA region. During his work at Cybereason Eli has published research on various subjects such as advanced persistent threats groups (APTs), cybercrime, its effects on e-commerce and financial companies, and malware research.
arrow left Back

Threat hunting: from SolarWinds to Hafnium APT

Niv Yona (Cybereason) & Eli Salem (Cybereason)
Threat actors are continuously evolving and adapting their tactics and techniques to bypass security tools, and as threat hunters and incident responders we need to evolve fast. From the latest big events of the year, the SolarWinds supply chain attack and Proxylogon vulnerability exploitation by the Hafnium threat actor, we can learn how threat hunting can save organizations from a bigger breach.
In the past few years, we investigated a large number of activities from commodity malware to complex APT operations. One of the challenging things in those investigations is finding anomalies in an enterprise network and knowing how to differentiate between legitimate use of tools and abuse of legitimate tools for malicious activities.
Threat hunters proactively analyse process execution telemetry data to determine if an organization is coming under attack on an ongoing basis. Newly discovered techniques and behavioural patterns should be integrated into your security tools to enhance and enrich its automated detection capabilities if possible. In some cases, some techniques (such as living off the land binaries, a.k.a. Lolbins) will demand real eyes looking into the activity since they can create more noise than value.

In this session, we will describe our timeline from hour 0 of the SolarWinds supply chain attack and Hafnium exploiting the ProxyLogon vulnerability, and actions to identify the compromise in the first hours. You'll learn by example how to perform threat hunting using your security tools and why you should start doing it today using your telemetry data. We will share the methodologies we follow as threat hunters and incident response professionals and demonstrate the power of hunting.

Threat hunting is a very broad and dynamic subject and seeing our examples we hope to make it more accessible.
The goal of this talk is to empower security analysts to be able to threat hunt and share some easy methods, to begin with. Happy hunting!
Niv Yona
Cybereason Niv, IR Practice Director, leads Cybereason's incident response practice in the EMEA region. Niv began his career as a team leader in the security operations centre in the Israeli Air Force, where he focused on incident response, forensics, and malware analysis. In his past positions in Cybereason he focused on threat research that directly enhances product detections and the Cybereason threat hunting playbook.
Eli Salem
Cybereason Eli, Lead Threat Hunter and malware reverse engineer, began his career as a security analyst in the private sector. At Cybereason, Eli leads the threat hunting service in the EMEA region. During his work at Cybereason Eli has published research on various subjects such as advanced persistent threats groups (APTs), cybercrime, its effects on e-commerce and financial companies, and malware research.