Tucson, AZ – January 8-11, 2018
Wednesday, January 10 • 1:30pm - 2:00pm
How to Hunt for Lateral Movement on Your Network

Once inside your network, most cyber-attacks go sideways. They progressively move deeper into the network, laterally compromising other systems as they search for key assets and data. Would you spot this lateral movement on your enterprise network?
In this training session, we review the various techniques attackers use to spread through a network, which data sets you can use to reliably find them, and how data science techniques can be used to help automate the detection of lateral movement.
Data science is particularly hard in the security domain because of the lack of labeled data and the rate of evolution. Clear examples of attacks are rare, and even with examples there is no guarantee that the next attack will have characteristics similar enough to make training useful. This limits the utility of traditional supervised learning. Given the rate of benign events, there is also an extreme dependence on low false positive rates that exceeds many other domains. By structuring our approach to follow TTPs in an attack chain, we can leverage a semi-supervised technique that combines unstructured anomaly detection with pattern matching. This allows our technique to adapt automatically to variable field conditions, reducing false positives while detecting a broad set of TTP-related behaviors. Our lateral movement detector applies this general strategy by combining multivariate Bayesian trained classifiers with a message passing algorithm for graph pattern search.
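To make the two-stage strategy concrete, here is a small added example (not Sqrrl's detector or any code from the talk) that runs over a handful of constructed logon events. The anomaly stage is a deliberately simple stand-in for the trained Bayesian classifiers: it flags any source-to-destination logon pair never seen in a baseline window. The pattern stage is a message-passing search over those anomalous edges: each host keeps the chains that currently end at it and hands them on to the next host when a new anomalous edge arrives within the time window, so time-ordered hops such as A→B→C→D surface as candidate lateral movement. Host names, the baseline set, the one-hour window and the two-hop threshold are all assumptions chosen for the example.

```python
"""Toy lateral-movement chain finder (added example, not Sqrrl's code).

Two stages, mirroring the semi-supervised strategy described above:
  1. an anomaly stage that flags logon edges never seen in a baseline
     window (a hypothetical stand-in for trained Bayesian classifiers);
  2. a pattern stage that runs a message-passing search over those
     anomalous edges to find time-ordered host-to-host chains.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "t src dst user")

# Constructed baseline: (src, dst) logon pairs observed during a quiet period.
BASELINE_EDGES = {
    ("ws01", "fs01"),
    ("ws02", "fs01"),
    ("ws03", "mail01"),
    ("admin01", "dc01"),
}

# Constructed logon events: (ISO timestamp, source host, destination host, user).
EVENTS = [
    ("2018-01-10T13:31:00", "ws01", "fs01", "alice"),    # seen in baseline
    ("2018-01-10T13:35:00", "ws02", "ws03", "bob"),      # novel edge
    ("2018-01-10T13:42:00", "ws03", "fs02", "bob"),      # novel, extends chain
    ("2018-01-10T13:50:00", "fs02", "dc01", "bob"),      # novel, extends chain
    ("2018-01-10T14:05:00", "ws03", "mail01", "carol"),  # seen in baseline
    ("2018-01-10T16:30:00", "ws02", "ws03", "bob"),      # novel but isolated
]


def parse(raw):
    """Turn (iso_time, src, dst, user) tuples into Event records."""
    return [Event(datetime.fromisoformat(t), s, d, u) for t, s, d, u in raw]


def novel_edges(raw, baseline):
    """Anomaly stage: events whose (src, dst) pair is absent from the baseline."""
    return [e for e in parse(raw) if (e.src, e.dst) not in baseline]


def find_chains(raw, baseline, window=timedelta(hours=1), min_hops=2):
    """Pattern stage: message-passing search for time-ordered chains.

    Each host keeps the chains that currently end at it. When a novel edge
    src->dst arrives, every chain ending at src whose last hop happened within
    `window` before this edge is extended to dst and handed to dst (the
    "message"). Chains with at least `min_hops` hops are reported as paths.
    """
    pending = defaultdict(list)  # host -> list of (path, time of last hop)
    found = []
    for e in sorted(novel_edges(raw, baseline), key=lambda ev: ev.t):
        extended = [
            (path + [e.dst], e.t)
            for path, last in pending[e.src]
            if timedelta(0) < e.t - last <= window  # strictly later, in window
        ]
        extended.append(([e.src, e.dst], e.t))  # a chain may also start here
        pending[e.dst].extend(extended)
        for path, _ in extended:
            if len(path) - 1 >= min_hops:
                found.append(path)
    return found


def longest_chain(raw, baseline, **kw):
    """Convenience: the longest reported chain, or None if nothing qualifies."""
    chains = find_chains(raw, baseline, **kw)
    return max(chains, key=len) if chains else None


if __name__ == "__main__":
    print("novel edges:")
    for e in novel_edges(EVENTS, BASELINE_EDGES):
        print(f"  {e.t.isoformat()} {e.src} -> {e.dst} ({e.user})")
    print("candidate lateral-movement chains:")
    for path in find_chains(EVENTS, BASELINE_EDGES):
        print("  " + " -> ".join(path))
```

The isolated ws02→ws03 logon at 16:30 is still flagged by the anomaly stage but never becomes a chain, which is the point of layering the pattern search on top: a single novel edge is a weak signal on its own, while a time-ordered run of novel hops ending at a domain controller is what a hunter would want to triage first. Swapping the baseline check for a real classifier score, and filtering `pending` by score or user, is the natural next step.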
In this session, you’ll learn:
  •   How lateral movement works and why attackers carry it out
  •   Which datasets you can use to reliably hunt for it
  •   Common indicators that often signal evidence of lateral movement
  •   Data science techniques that can be used to help automate its detection

Attendees Will Learn:

As Threat Hunting becomes the prominent proactive security activity for Security Operations across the world, many organizations don’t know where to start or how. In this presentation, we will show the attack stages, the defensive side, and show the data science tools and techniques we use to detect these types of activities. This methodology can be applied to multiple scenarios and attacks and will be something attendees can bring back with them after the conference.


Adam Fuchs

Chief Technology Officer, Sqrrl
As the Chief Technology Officer and co-founder of Sqrrl, Adam Fuchs is responsible for ensuring that Sqrrl is leading the world in Big Data Infrastructure technology. Previously at the National Security Agency, Adam was an innovator and technical director for several database projects...

Ryan Nolette

Security Technologist, Sqrrl
Ryan is Sqrrl's primary security technologist and expert. He has previously held a variety of roles including threat research, incident response consulting, and every level of security operations. With over a decade in the infosec field, Ryan has been on the product and operations...

Wednesday January 10, 2018 1:30pm - 2:00pm MST
Presidio III, IV, V